
New Alert: Windows and Mac Are the Target of a Self-Deleting Ransomware


It might be tempting to assume that the ransomware epidemic has been stopped by recent law enforcement operations that disrupted attack infrastructure, led to the arrest of cybercriminals, and broke up some threat groups, but that assumption would be wrong. A recent study of the cross-platform, self-deleting NotLockBit ransomware has confirmed that the threat is not only still present but also evolving. Here's what Windows and macOS users should know.

Pranita Pradeep Kulkarni, a senior engineer of threat research at Qualys, has revealed in a recently published technical deep dive into the NotLockBit ransomware family that the threat is not only cross-platform but also sophisticated in its use of a self-deleting mechanism to mask its attacks.

The NotLockBit malware is named after the fact that it "actively mimics the behaviour and tactics of the well-known LockBit ransomware," according to Kulkarni. It targets macOS and Windows systems and illustrates "a high degree of sophistication while maintaining compatibility with both operating systems, highlighting its cross-platform capabilities." The latest investigation revealed that the current evolution of the NotLockBit ransomware has many advanced capabilities: targeted file encryption, data exfiltration and self-deletion mechanisms. 

As most ransomware now does, NotLockBit encrypts files only after stealing data and moving it to storage under the attacker's control, where it can be used for extortion. Depending on how sensitive it is, such data can be sold to the highest criminal bidder or held hostage under the threat of publication on a leak website.

However, NotLockBit can delete itself to conceal any proof of the cyberattack, unlike other ransomware. According to Kulkarni, "the malware uses unlink activity to remove itself after it has finished operating; this is a self-removal mechanism designed to delete any evidence of its existence from the victim's system." 

Files with extensions such as .csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, .vmsd, and .vbox are the main targets of NotLockBit, according to samples examined by Qualys, "because they frequently represent valuable or sensitive data typically found in personal or professional environments."

The investigation into NotLockBit ransomware exposed an increasingly sophisticated threat, the report concluded, and one that, the researcher said, continues to evolve in order to maximize its impact. "It employs a combination of targeted encryption strategies, deceptive methods like mimicking well-known ransomware families," Kulkarni concluded, "self-deletion mechanisms to minimize forensic traces."

Misconfigured Access Controls in NetSuite Stores Cause Major Data Breach



Hackers have recently exploited a critical vulnerability in Microsoft's apps for macOS. It is believed that attackers have been exploiting weaknesses in popular applications such as Microsoft Outlook and Teams to spy on Mac users. In recent weeks, security researchers at Cisco Talos, a division of Cisco that focuses on malware and system vulnerabilities, have revealed how attackers can take advantage of this weakness to gain access to sensitive components such as the Mac's microphone and camera without the user's consent or knowledge.

Researchers studying Oracle NetSuite have found that several thousand NetSuite customers are inadvertently exposing sensitive company information to unauthenticated users through public-facing stores built with NetSuite SuiteCommerce or NetSuite Site Builder. The exposure of custom record types in NetSuite was possibly caused by a lack of understanding of the access controls for these record types in this popular SaaS enterprise resource planning (ERP) platform.

Among enterprise resource planning (ERP) solutions, NetSuite is a widely used SaaS platform, and its SuiteCommerce and SiteBuilder offerings are commonly used to build and deploy online retail platforms that serve external customers. Because these web stores are hosted on subdomains of the NetSuite tenant, unauthenticated customers can browse, register, and make purchases directly from businesses through those sites.

This is not a problem with the NetSuite solution itself; it is a problem with the way some access controls have been configured on custom record types (CRTs) that may lead to sensitive customer information being leaked. The most vulnerable data are PII, or personally identifiable information, which includes full addresses and mobile phone numbers of registered customers. In NetSuite, threat actors tend to target Custom Record Types (CRTs) that are controlled using "No Permission Required" access controls. 

This means that unauthenticated users can use NetSuite's APIs to search for and read records. There is, however, one prerequisite that must be met before an attacker can succeed: knowing the names of the CRTs. According to Aaron Costello, CEO at AppOmni, attackers might be able to access sensitive data through this potential problem in NetSuite's SuiteCommerce platform because of misconfigured access controls on custom record types (CRTs).

To emphasize the point, the issue is not a security flaw in the NetSuite product itself; rather, it is a potential data leak caused by a customer misconfiguration. According to that report, the e-commerce sites have exposed information about their registered customers, including their addresses and mobile phone numbers. The Microsoft vulnerability, by contrast, stems from how Microsoft's apps interact with macOS's Transparency, Consent and Control (TCC) framework, which is intended to control what an application is permitted to access.

TCC requires apps to request specific entitlements before they can be granted access to certain features, such as the camera, microphone, or location services. A typical application without the necessary entitlements cannot even ask for the permission, which effectively blocks unauthorised access. Cisco Talos discovered a vulnerability that enables attackers to inject malicious code into Microsoft apps and then leverage the permissions already granted to those apps to execute that code.

As a result, once an attacker modifies an app such as Microsoft Teams or Outlook to inject their code into the app, they are also able to access the camera and microphone on a Mac computer, allowing them to record audio and take photos without the user ever knowing what they are doing. Using an attack scenario outlined by AppOmni, an attacker potentially exploits a CRT in NetSuite that employs table-level access controls with a permission type of "No Permission Required," which enables users who do not have the necessary authentication to access their data through NetSuite's search and record APIs. 

In recent developments, it has been discovered that a significant vulnerability exists in NetSuite stores due to an access control misconfiguration, which has resulted in the exposure of sensitive data. However, for this security breach to be successful, there are several critical prerequisites. The most notable of these is the requirement for the attacker to have prior knowledge of the names of the Custom Record Types (CRTs) in use. 

To mitigate the risks associated with this vulnerability, it is strongly recommended that site administrators take immediate action to enhance access controls on CRTs. This includes setting sensitive fields to "None" for public access, thereby restricting unauthorized access. Additionally, administrators should consider temporarily taking affected sites offline to prevent further data exposure while corrective measures are being implemented. 

One of the most straightforward and effective solutions from a security perspective, as suggested by security expert Costello, involves changing the Access Type of the record type definition. This can be done by setting it to either "Require Custom Record Entries Permission" or "Use Permission List." These changes would significantly reduce the likelihood of unauthorized access to sensitive data.

In a related disclosure, Cymulate has unveiled another significant security concern involving Microsoft Entra ID, formerly known as Azure Active Directory. The issue centres around the potential manipulation of the credential validation process within hybrid identity infrastructures. This vulnerability allows attackers to bypass authentication mechanisms, enabling them to sign in with elevated privileges within the tenant and establish persistence. 

However, the execution of this attack requires that the adversary already possesses administrative access to a server hosting a Pass-Through Authentication (PTA) agent. The PTA agent is a critical module that permits users to sign in to both on-premises and cloud-based applications using Entra ID. The root cause of this vulnerability lies in the synchronization of multiple on-premises domains to a single Azure tenant, which introduces security gaps that could be exploited by attackers.

Counting the Cost: $9.2 Trillion Annual Impact of Cybercrime Looms



According to a new Statista Market Insights report, cybercrime is rising at an unprecedented pace. Cyberattacks are projected to cost an amount equal to approximately one-third of the United States' GDP, or about 24 times Apple's annual revenue in 2023, according to the same survey. A similar Statista Market Insights study found that cybercrime costs rose by 245% between 2018 and 2020, increasing from $860 billion to $2.95 trillion.

With the spread of the pandemic, the cost of health care more than doubled to $5.49 trillion in 2021 and is expected to increase by $1 trillion annually, reaching $8.15 trillion in 2023. Beyond its impact on businesses, governments and everyday people, cybercrime has become one of the world's largest illegal economies. Cyberattacks cause financial losses such as ransom payments, lost productivity, system downtime and data theft, among others.

Contributing factors

IoT devices are providing cybercriminals with an ever larger attack surface, increasing the number of potential victims over time. There is no reason for Mac users to consider themselves excluded from this. Jamf's report recorded a 50% increase in new Mac malware families in 2023.

Each of these families may contain hundreds of malware instances. With the growing number of Mac users, cybercriminals are increasingly interested in targeting them as easy prey. It is important to keep in mind that geopolitics plays a significant role in cyberattacks, as many countries use them for strategic advantage, disruption of critical infrastructure, and intelligence gathering.

The number of state-sponsored attacks is escalating sharply as a result of the conflict between Ukraine and Israel. At the same time, a significant number of cybersecurity jobs have gone unfilled because of the current skills shortage. With fewer professionals available, it becomes more difficult to monitor and defend against specific threats.

Moreover, the shortage of skilled professionals increases the workload for those already employed, which hurts productivity and leaves employees burned out. Threat actors count on this. In the world of ransomware-as-a-service (RaaS), there are very few barriers to entry, and the model has become very popular thanks to a combination of tough economic conditions, swift financial gains, and the little technical knowledge required.

Under this model, operators develop the software and affiliates pay to use the pre-built tools and packages to launch attacks, paying a fee for each attack they launch. As a result, a ransomware attack can be carried out by non-programmers who lack the skills to develop and deploy their own ransomware.

There is no shortage of RaaS kits available on the dark web, though they aren't always the best. Because of a simple lack of awareness, the risks and consequences of cyberattacks go unrecognised by many individuals and organizations, leaving them vulnerable to cybercrime. Jamf's annual trends report found that 40% of the mobile users and 39% of the organizations it covered were running a device with known vulnerabilities.

In light of recent incidents regarding a popular Apple device management platform, it has become evident that there remains a notable lack of awareness concerning the security measures necessary to protect Mac devices. Ensuring the security of the Mac is imperative in safeguarding against potential threats such as malware and phishing attacks. Here are some essential steps to bolster the security of the Mac: 

1. Keep the device up-to-date: It is crucial to regularly update the Mac's operating system to incorporate the latest security patches. By staying current with updates, users can effectively address known vulnerabilities that may be exploited by malware.

2. Utilize antivirus software: Despite common misconceptions, Macs are not impervious to malware. Therefore, employing reputable antivirus software is highly recommended. Tools such as Malwarebytes offer free applications for individual users, capable of detecting and removing potential threats. Additionally, MacPaw’s CleanMyMac X now features a malware removal tool powered by MoonLock, enhancing protection against malicious software. 

3. Exercise caution when clicking: Email remains a primary vector for malware distribution, with phishing attacks experiencing a significant rise in success rates. According to recent reports, phishing success rates increased from 1% in 2022 to 9% in 2023. Hence, exercising caution and scepticism when interacting with email links and attachments is essential to mitigate the risk of falling victim to such attacks. 

4. Enable a firewall: Enabling the built-in firewall on the Mac is an effective measure to prevent the acceptance of unauthorized connections and services. By managing both incoming and outgoing connections, the firewall helps fortify the device's defences against potential threats. 

5. Use strong, unique passwords: Employing robust and distinctive passwords is imperative for bolstering the security of the Mac. Avoid using easily guessable passwords, such as common phrases or pet names followed by predictable characters. Instead, opt for complex combinations of letters, numbers, and symbols to enhance password strength and resilience against unauthorized access. 

6. Enable disk encryption: Leveraging features such as FileVault, which encrypts all user data stored on the disk in real-time, enhances the security of sensitive information on the Mac. In the event of device loss or theft, disk encryption ensures that the data remains inaccessible to unauthorized individuals, thereby safeguarding privacy and confidentiality. 

7. Limit user privileges: Restricting user privileges is crucial in preventing unauthorized software installations and minimizing the potential impact of malware infections. By limiting user permissions, users can effectively mitigate the risks associated with malicious activities and enhance overall device security. 

In summary, prioritizing the implementation of robust security measures is paramount in safeguarding the Mac against evolving threats. By adopting proactive strategies such as keeping the device updated, utilizing antivirus software, exercising caution when interacting with emails, enabling firewalls, employing strong passwords, enabling disk encryption, and limiting user privileges, users can significantly enhance the security posture of the Mac and protect against potential vulnerabilities and cyber threats.
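To make the list above checkable rather than aspirational, here is an added example (not code from the original post) that audits four of the steps on a Mac: pending updates (step 1), the application firewall (step 4), FileVault (step 6) and the size of the admin group (step 7). It parses the text printed by built-in macOS tools (`softwareupdate`, `socketfilterfw`, `fdesetup`, `dscl`); the sample outputs at the bottom are constructed from those tools' usual formats, and the "more than two non-root admins" threshold is an assumption of this example. On a machine without those tools the parsers can still be exercised against the samples.

```python
"""Posture check for four of the Mac hardening steps listed above.

Added example, not from the original post. Parses output of macOS built-ins;
sample outputs are constructed, and the admin-count threshold is assumed.
"""
import re
import shutil
import subprocess
from typing import List, Optional


def pending_updates(output: str) -> int:
    """Count update entries in `softwareupdate -l` output (each entry line starts with '* ')."""
    return sum(1 for line in output.splitlines() if line.lstrip().startswith("* "))


def firewall_enabled(output: str) -> bool:
    """Parse `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.
    State 1 = on for specific services, 2 = block all incoming, 0 = off."""
    m = re.search(r"State = (\d)", output)
    if m:
        return int(m.group(1)) >= 1
    lowered = output.lower()
    return "enabled" in lowered and "disabled" not in lowered


def filevault_on(output: str) -> bool:
    """Parse `fdesetup status` ('FileVault is On.' / 'FileVault is Off.')."""
    m = re.search(r"FileVault is (On|Off)", output)
    return bool(m and m.group(1) == "On")


def admin_members(output: str) -> List[str]:
    """Parse `dscl . -read /Groups/admin GroupMembership` into account names."""
    _, _, names = output.partition("GroupMembership:")
    return names.split()


def evaluate(updates: int, firewall: bool, filevault: bool, admins: List[str]) -> List[str]:
    """Turn parsed results into findings; an empty list means all four checks pass."""
    findings = []
    if updates > 0:
        findings.append(f"{updates} pending software update(s)")
    if not firewall:
        findings.append("application firewall is off")
    if not filevault:
        findings.append("FileVault disk encryption is off")
    extra = [a for a in admins if a != "root"]
    if len(extra) > 2:  # assumed threshold: more than two human admins is worth a look
        findings.append(f"{len(extra)} admin accounts: {', '.join(extra)}")
    return findings


def _run(*cmd: str) -> Optional[str]:
    """Run a macOS tool if it exists; return None elsewhere so the parsers still run on samples."""
    if shutil.which(cmd[0]) is None:
        return None
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr  # softwareupdate splits its chatter across both streams


def audit_live_system() -> Optional[List[str]]:
    """Run the four checks on this machine; None when the tools are not available (not macOS)."""
    outs = [
        _run("softwareupdate", "-l"),
        _run("/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"),
        _run("fdesetup", "status"),
        _run("dscl", ".", "-read", "/Groups/admin", "GroupMembership"),
    ]
    if any(o is None for o in outs):
        return None
    return evaluate(pending_updates(outs[0]), firewall_enabled(outs[1]),
                    filevault_on(outs[2]), admin_members(outs[3]))


# Constructed sample outputs (not captured from a real machine).
SAMPLE_UPDATES = "Software Update Tool\n\nFinding available software\nNo new software available.\n"
SAMPLE_FIREWALL = "Firewall is disabled. (State = 0)\n"
SAMPLE_FILEVAULT = "FileVault is On.\n"
SAMPLE_ADMINS = "GroupMembership: root alice\n"

if __name__ == "__main__":
    live = audit_live_system()
    findings = live if live is not None else evaluate(
        pending_updates(SAMPLE_UPDATES), firewall_enabled(SAMPLE_FIREWALL),
        filevault_on(SAMPLE_FILEVAULT), admin_members(SAMPLE_ADMINS))
    print("\n".join(findings) or "all checks passed")
```

Run it with `python3 mac_posture.py` on the Mac being checked; `fdesetup` and `socketfilterfw` may need `sudo` to report. Each parser is a pure function of the tool's text, which is what makes the logic testable off the box and easy to drop into a fleet-wide inventory script.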

Macs Vulnerable to Info-Stealing Malware via Ads and Fake Software


As cyber threats continue to evolve, Mac users are increasingly finding themselves in the crosshairs of malicious actors. In recent developments, a new strain of malware has emerged, posing a significant risk to Mac users worldwide. This malware, designed to steal sensitive information, is spread through deceptive ads and fake software, highlighting the importance of vigilance and robust security measures for Mac users. 

The emergence of this info-stealing malware underscores the evolving landscape of cyber threats targeting Mac users. Historically, Macs have been perceived as less susceptible to malware compared to other operating systems like Windows. However, as Mac usage has surged in recent years, cybercriminals have shifted their focus to exploit vulnerabilities in macOS, the operating system powering Mac devices. 

One of the primary vectors for the spread of this malware is through deceptive advertisements and fake software downloads. These ads often masquerade as legitimate offers or updates, enticing users to click on them unsuspectingly. Once clicked, users may inadvertently download malicious software onto their Mac devices, compromising their security and privacy. 

Furthermore, fake software downloads present another avenue for malware distribution. Cybercriminals create counterfeit versions of popular software applications, such as antivirus programs or productivity tools, and distribute them through unofficial channels. Unsuspecting users may download these fake applications, unaware of the malware lurking within. The consequences of falling victim to info-stealing malware can be severe. 

Once installed on a Mac device, this malware can harvest sensitive information, including login credentials, financial data, and personal files. This stolen information can then be used for various malicious purposes, such as identity theft, financial fraud, or extortion. To protect against this growing threat, Mac users must remain vigilant and adopt proactive security measures. 

Firstly, it is essential to exercise caution when encountering online advertisements and software downloads. Users should only download software from trusted sources, such as official app stores or reputable websites, and avoid clicking on suspicious ads or links. Additionally, maintaining up-to-date security software is crucial for detecting and mitigating malware threats. Mac users should invest in reputable antivirus and antimalware solutions that provide real-time protection against emerging threats. 

Regularly updating macOS and installed applications can also patch known vulnerabilities and strengthen overall security. Furthermore, practicing good cybersecurity hygiene is essential for safeguarding personal information and sensitive data. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and avoiding the use of public Wi-Fi networks for sensitive activities. 

In the event of a suspected malware infection, Mac users should take immediate action to mitigate the threat. This may involve running a full system scan using antivirus software, removing any detected malware, and resetting compromised passwords to prevent unauthorized access to accounts. Overall, the rise of info-stealing malware targeting Mac users serves as a stark reminder of the importance of cybersecurity awareness and preparedness. 

By staying informed about emerging threats, adopting proactive security measures, and practicing good cybersecurity hygiene, Mac users can minimize their risk of falling victim to malicious attacks. With cyber threats continuing to evolve, maintaining a vigilant stance against malware remains paramount for protecting personal information and ensuring a safe digital environment.

iLeakage Attack: Protecting Your Digital Security

The iLeakage exploit is a new issue that security researchers have discovered for Apple users. This clever hack may reveal private data, including passwords and emails, and it targets Macs and iPhones. It's critical to comprehend how this attack operates and take the necessary safety measures in order to stay safe.

The iLeakage attack, detailed on ileakage.com, leverages vulnerabilities in Apple's Safari browser, which is widely used across their devices. By exploiting these weaknesses, attackers can gain unauthorized access to users' email accounts and steal their passwords. This poses a significant threat to personal privacy and sensitive data.

To safeguard against this threat, it's imperative to take the following steps:

1. Update Software and Applications: Regularly updating your iPhone and Mac, along with the Safari browser, is one of the most effective ways to protect against iLeakage. These updates often contain patches for known vulnerabilities, making it harder for attackers to exploit them.

2. Enable Two-Factor Authentication (2FA): Activating 2FA adds an extra layer of security to your accounts. Even if a hacker manages to obtain your password, they won't be able to access your accounts without the secondary authentication method.

3. Avoid Clicking Suspicious Links: Be cautious when clicking on links, especially in emails or messages from unknown sources. iLeakage can be triggered through malicious links, so refrain from interacting with any that seem suspicious.

4. Use Strong, Unique Passwords: Utilize complex passwords that include a combination of letters, numbers, and special characters. Avoid using easily guessable information, such as birthdays or common words.

5. Regularly Monitor Accounts: Keep a close eye on your email and other accounts for any unusual activities. If you notice anything suspicious, change your passwords immediately and report the incident to your service provider.

6. Install Security Software: Consider using reputable security software that offers additional layers of protection against cyber threats. These programs can detect and prevent various types of attacks, including iLeakage.

7. Educate Yourself and Others: Stay informed about the latest security threats and educate family members or colleagues about best practices for online safety. Awareness is a powerful defense against cyberattacks.

Apple users can greatly lower their risk of falling victim to the iLeakage attack by implementing these preventive measures. In the current digital environment, being cautious and proactive about cybersecurity is crucial. When it comes to internet security, keep in mind that a little prevention is always better than a lot of treatment.


Apple's iOS 17.0.3 Update: Solving Overheating and Enhancing Security



In response to reports that iPhone 15s were running hot over the weekend, Apple pointed to an array of possible causes for the problem, including app-specific problems like Instagram and Uber, problems with background processing/post-transfer, and the presence of unspecified bugs in iOS 17. 

With its recently released software update, Apple addressed a bug that could cause the iPhone to run hotter than normal, as the patch notes for iOS 17.0.3 confirm.

The update's security notes identify two vulnerabilities fixed for both iOS and iPadOS. The first was a kernel bug that an attacker with local access to the device could exploit.

Apple said it believes this bug was exploited against versions of iOS before iOS 16.6. The update also addressed a bug in libvpx that had previously been flagged by CISA (the Cybersecurity and Infrastructure Security Agency).

A device with this bug may be vulnerable to remote attacks that could allow attackers to gain control of the device remotely. Additionally, other applications such as Chrome and Firefox have recently implemented similar patches to fix the same libvpx bug that was identified in the Chrome bug report. 

As a result, it is recommended that you check for the latest version of the iOS on your device in the Settings application. The download will take approximately 400MB, and there is no charge for this update. This update addresses an issue in iOS, the iPhone operating system, that was discovered on Wednesday.

The developers of the affected apps are also shipping fixes for the bugs found in them. In addition, Apple said that the heat issue with the new top-end models was not caused by their titanium and aluminium frames, nor by the USB-C port, since USB-C is now the standard for charging phones.

It should be noted that Apple informs its customers that all iPhones are likely to feel warm when they are being restored from a backup, while they are being wirelessly charged, when using graphics-rich apps and games or when streaming high-quality video. 

As long as iPhones display an explicit warning about the temperature, they are safe to use, according to Apple. There has been a security problem identified in iOS 17.0.3 and iPadOS 17.0.3 that was addressed by Apple with improved checks, but Apple has not yet revealed who is responsible for finding and reporting the issue. 

In a nutshell, many devices are affected, including: iPhone XS and later; iPad Pro 12.9-inch and iPad Pro 10.5-inch 2nd generation models; iPad Pro 11-inch and iPad Pro 12.9-inch 1st generation models; iPad Air and iPad mini 5th generation models; and iPad 6th generation models.

The heap buffer overflow vulnerability in the open-source libvpx video codec library, CVE-2023-5217, can be exploited to execute arbitrary code following successful exploitation.

Apple has addressed this vulnerability as well. Although Apple has not labelled the libvpx bug as exploited in the wild, it had already been patched as a zero-day by Google and by Microsoft in the Edge browser, Teams and the Skype service.

As part of Google's Threat Analysis Group (TAG), a group of security experts who are known for frequently discovering zero-day vulnerabilities in government-sponsored targeted spyware attacks that target high-risk individuals, Clément Lecigne discovered CVE-2023-5217 as part of a research project. 

With CVE-2023-42824 now exploited in attacks, Apple has in the past few months fixed 17 zero-day vulnerabilities that were used against its customers. Aside from the recently patched CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, Apple recently patched three other zero-day vulnerabilities reported by Citizen Lab and Google TAG researchers and exploited by attackers to install Cytrox's Predator spyware.

Citizen Lab also disclosed today that two further zero-day bugs (CVE-2023-41061 and CVE-2023-41064) were exploited, together with NSO Group's Pegasus spyware, to infect fully patched iPhones with BLASTPASS, a zero-click exploit chain exploited by the FBI.

In the same way that new phones and new operating systems come out at around the same time each year, it's not uncommon for new iPhones to receive specific iOS patches in rapid succession. In addition, older devices receive a more thorough vetting as they enter the months-long developer and public beta programs, which Apple is making even easier to use in recent releases. 

There is currently a beta version of the first major update to iOS 17 called 17.1, which is currently being tested. According to MacRumors, the update appears to mainly refine a few of iOS 17's new features, such as the StandBy smart display mode. 

A comprehensive list of the changes can be found in MacRumors. It is expected that Apple will release the 17.1 update within a couple of weeks if it follows its usual schedule. Although rumours were circulating about potential hardware issues, possibly linked to the iPhone 15's advanced processor or the incorporation of titanium components, Apple's official statements primarily attribute the problem to software-related issues. 

Moreover, they also acknowledge the possibility of overheating when utilizing USB-C chargers. It is worth noting that Apple had previously released a post-iPhone 15 launch patch to address data transfer problems that were experienced by certain new users. 

Additionally, it is important to mention that the company is currently in the beta testing phase for a more substantial update, namely iOS 17.1. This update is expected to bring significant improvements and enhancements to the overall user experience.

Lazarus Attacks Apple's M1 Chip, Lures Victims Via Fake Job Offers


New Attack by Lazarus

The North Korea-linked Advanced Persistent Threat (APT) group Lazarus is expanding its attack base with its current Operation In(ter)ception campaign, which targets Macs with Apple's M1 chip. The state-sponsored group continues to launch phishing attacks disguised as fake job opportunities.

Threat experts at ESET (an endpoint detection provider) warned this week that they had found a Mac executable disguised as the job description for an engineering manager position at the well-known cryptocurrency exchange operator Coinbase. ESET's warning on Twitter says that the fake job offer was uploaded to VirusTotal from Brazil.

Operation In(ter)ception 

"The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity," reports DarkReading.

Lazarus built the latest version of the malware, Interception.dll, to deploy on Macs by loading three files: the fake Coinbase job offer and two executables, FinderFontsUpdater.app and safarifontsagent. The binary can run on Macs with Intel processors as well as on those with Apple's new M1 chipset.

ESET experts began researching Operation In(ter)ception around three years ago, when they found attacks against military and aerospace companies.

They observed that the operation's main goal was surveillance, but they also found incidents of the threat actors using a target's email account in a business email compromise (BEC) to finish the job.

The Interception.dll malware is delivered through fake job offers used to bait victims, usually via LinkedIn. The Mac attack is the most recent move in Lazarus group's continuing, aggressive push to expand Operation In(ter)ception, which has intensified recently. ESET released a detailed white paper on the techniques used by Lazarus in 2020.

It is ironic that the fake Coinbase job posting targets technically oriented people. The experts think that the threat actors were in direct contact with the victim, meaning the victim was prompted to accept whatever pop-up windows appeared on the screen in order to see the "dream job" offer from Coinbase.

Apple revoked the certificate that would have allowed the malware to execute late last week, after ESET alerted the company to the campaign. So now computers running macOS Catalina v10.15 or later are protected, assuming the user has basic security awareness, says Peter Kalnai, a senior malware researcher at ESET.


Microsoft Cautions Regarding a new Version of UpdateAgent Aimed at MacOS

 

Microsoft Security Intelligence researchers have found a new variant of UpdateAgent (aka WizardUpdate) that targets Macs. The malware, first seen in November 2020, can also install adware on macOS. According to Microsoft, the new variant adds features that make it considerably harder to identify and remove, thanks to improved persistence and evasion techniques.

The malware can also use public cloud infrastructure to host new payloads. For example, once UpdateAgent is installed it downloads additional adware known as Adload.

“We recently discovered the latest variant of a Mac malware tracked as UpdateAgent (aka WizardUpdate) with new persistence and evasion tactics, the latest in a series of upgrades over the past year. Given its history, this Trojan will likely continue to grow in sophistication,” Microsoft tweeted. 

Hosting payloads on public cloud infrastructure lets the operators swap out what UpdateAgent fetches; at the time of Microsoft's report, that secondary payload was the Adload adware.

The malware can gather system information and send it to a command-and-control server. Notably, it can bypass Apple's Gatekeeper: it strips the com.apple.quarantine extended attribute from the files it downloads, so Gatekeeper never evaluates them when they first run.

Gatekeeper is central to macOS security: it checks the code signature of quarantined (downloaded) apps before they are allowed to run. UpdateAgent, like the earlier OSX/Dok malware, circumvents Gatekeeper with little effort, which makes it a persistent danger.

Furthermore, the operators use PlistBuddy to establish persistence. PlistBuddy is a built-in macOS tool (/usr/libexec/PlistBuddy) for creating and editing .plist files. The malware then attempts to delete the directories, files and other artifacts it created in order to hide its tracks.

“The malware also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDaemon for persistence. It then covers its tracks by deleting created folders, files, and other artifacts,” the researchers tweeted.

The new version also impersonates legitimate software, although Microsoft did not specify which. The malware is believed to spread via drive-by downloads.

Expert Releases PoC Exploit for MacOS Gatekeeper Bypass

 

Security researcher Rasmus Sten, an F-Secure software engineer, has published proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass that Apple fixed earlier in 2021. The PoC targets CVE-2021-1810, a vulnerability that lets an attacker evade three protections Apple has built against harmful downloaded files: Gatekeeper, notarization and file quarantine. The flaw lies in the Archive Utility component of macOS Big Sur and Catalina and can be triggered with a specially crafted ZIP file.

For exploitation to succeed, the attacker has to trick the user into downloading and opening the archive. The vulnerability then allows unsigned binaries to run on macOS without Gatekeeper enforcing its code-signature checks, so the user is never warned that malicious code is executing. According to Sten, the bug stems from how Archive Utility handles file paths: if a path is longer than 886 characters, the com.apple.quarantine attribute is not applied to the extracted file, which lets the file bypass Gatekeeper.

While investigating samples with long path names, Sten noticed that some macOS components behaved unexpectedly once the path length passed a certain threshold. He eventually found it possible to build an archive with a nested directory structure whose paths were long enough that, when Safari handed the archive to Archive Utility for extraction, the com.apple.quarantine attribute was not applied, yet short enough for Finder to browse the contents and for macOS to launch the unquarantined code.

To make the lure convincing, an attacker can hide the deep folder structure behind a symbolic link in the archive root, which is nearly indistinguishable from a single application bundle sitting at the root of the archive. "Sten, who also released a video demo of the exploit, has published PoC code that creates the archive with the path length necessary to bypass CVE-2021-1810, along with a symbolic link to make the ZIP file look normal. The vulnerability was addressed with the release of macOS Big Sur 11.3 and Security Update 2021-002 for Catalina," reports Security Week.
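The following Python script is an added example for this article; it is not Sten's PoC or any code from F-Secure or Apple. It builds a constructed ZIP with the shape described above (deeply nested folders ending in a minimal app bundle, plus a root-level symlink that makes the root look like a single Demo.app) and then inspects any ZIP for entries whose extracted path would exceed the 886-character threshold, and for symlink entries. The threshold is taken from the article; the `dest_prefix_len` parameter is an assumption added here because the trigger is the full on-disk path, not just the entry name inside the archive.

```python
import io
import stat
import zipfile
from typing import Dict, List, Tuple

# Threshold reported by Sten for CVE-2021-1810: past this many characters Archive Utility
# failed to apply com.apple.quarantine to what it extracted.
QUARANTINE_PATH_LIMIT = 886


def build_sample_archive(depth: int, segment: str = "A" * 40) -> bytes:
    """Constructed test input (not Sten's PoC): `depth` nested folders ending in a minimal
    app bundle, plus a root-level symlink to that bundle so the archive root appears to
    contain a single Demo.app."""
    deep_dir = "/".join([segment] * depth)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{deep_dir}/Demo.app/Contents/MacOS/Demo", b"#!/bin/sh\necho demo\n")
        link = zipfile.ZipInfo("Demo.app")
        link.create_system = 3                              # Unix: mode bits live in external_attr
        link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(link, f"{deep_dir}/Demo.app")           # a symlink entry's data is its target
    return buf.getvalue()


def inspect_archive(data: bytes, dest_prefix_len: int = 0) -> Dict[str, object]:
    """Flag entries whose extracted path would exceed the threshold and list symlink entries.
    dest_prefix_len (assumed parameter) is the length of the folder the archive is extracted
    into, including its trailing slash, e.g. len('/Users/alice/Downloads/')."""
    long_entries: List[Tuple[str, int]] = []
    symlinks: List[Tuple[str, str]] = []
    longest = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            length = dest_prefix_len + len(info.filename)
            longest = max(longest, length)
            if length > QUARANTINE_PATH_LIMIT:
                long_entries.append((info.filename[:48] + "...", length))
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", "replace")
                symlinks.append((info.filename, target[:48] + ("..." if len(target) > 48 else "")))
    return {
        "longest_path": longest,
        "long_entries": long_entries,
        "symlinks": symlinks,
        "suspicious": bool(long_entries),
    }


if __name__ == "__main__":
    downloads = len("/Users/alice/Downloads/")       # assumed extraction folder
    for depth in (5, 22):
        report = inspect_archive(build_sample_archive(depth), dest_prefix_len=downloads)
        names = [name for name, _ in report["symlinks"]]
        print(f"depth={depth}: longest={report['longest_path']} "
              f"suspicious={report['suspicious']} symlinks={names}")
```

A root-level symlink is not malicious by itself, so it is reported rather than used as the verdict; the combination of a symlink at the root and an entry beyond the threshold is the pattern worth quarantining manually (`xattr -w com.apple.quarantine` on the extracted item) on hosts that have not received the Big Sur 11.3 or Catalina 2021-002 fix.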

HPE: Sudo Flaw Grants Attackers Root Privileges to Aruba Platform

 

A vulnerability in Sudo, open-source software bundled with HPE's Aruba AirWave management platform, can allow any unprivileged and unauthorized local user to gain root privileges on a vulnerable host, Hewlett Packard Enterprise (HPE) has warned.

According to HPE's recent security advisory, the Sudo vulnerability may be used as part of a "chained attack": an attacker first gains a low-privileged foothold through another flaw and then exploits this one to escalate to root.

The Aruba AirWave management platform is HPE's real-time monitoring and security alerting system for wired and wireless infrastructure. Qualys researchers discovered the Sudo issue (CVE-2021-3156) in January and believe it affects millions of endpoints and systems.

As the Sudo project describes it, Sudo is used on many platforms to let a system administrator delegate authority, giving particular users (or groups of users) the ability to run some (or all) commands as root or as another user.

Mehul Revankar, Qualys' VP of Product Management and Engineering, described the Sudo bug as "perhaps the most significant Sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years" in a research note published when it was discovered.

HPE officially reported the issue last week, stating that it affects AirWave management platform versions prior to 8.2.13.0, which was released on June 18, 2021.

According to the security bulletin, “A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges.” 

Qualys researchers named the vulnerability "Baron Samedit" and traced its introduction into the Sudo code to July 2011. It was initially thought to affect primarily Linux and BSD systems, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27) and Fedora 33 (Sudo 1.9.2).

Since then, other vendors have issued their own advisories. HPE is not the first company to report a Sudo dependency in its products, and it probably won't be the last.

In February, for example, an Apple security advisory confirmed that the Sudo vulnerability was present in macOS (Big Sur 11.2, Catalina 10.15.7 and Mojave 10.14.6), and Apple shipped an updated Sudo (version 1.9.5p2) to fix it.

Mitigate The Risk

According to researchers, in the context of the Aruba AirWave management platform the flaw can be used for privilege escalation. The Sudo bug is a heap-based buffer overflow that lets any local user trick Sudo into running in shell mode.

Researchers explain that when Sudo runs in shell mode it "escapes special characters in the command's parameters with a backslash," and the policy plugin then removes those escape characters before deciding on the user's permissions. The overflow arises because invoking sudoedit with -s sets the shell-mode flag without the arguments ever being escaped, so the plugin's unescaping step can read past the end of an argument that ends in a single backslash and write beyond the buffer it allocated.

Users should upgrade to version 8.2.13.0 or later of HPE's AirWave management platform to mitigate the risk, according to HPE. The Sudo project released a fix earlier this year; for AirWave, HPE also describes a network-level workaround:

“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above,” as per HPE.
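As an added example for this article (not code from HPE, Qualys or the Sudo project), the following Python script performs the two checks a practitioner would run on a host before trusting it as patched. The version ranges come from the Qualys advisory for CVE-2021-3156 (legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1), and the probe is the Qualys test of running `sudoedit -s /` as an unprivileged user: a message beginning `sudoedit:` means the shell-mode flag was accepted in edit mode (vulnerable), while a `usage:` message means the patched argument parser rejected it. Distributions often backport the fix without changing the upstream version string, so the probe, not the version number, is the deciding check.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected releases per the Qualys CVE-2021-3156 advisory, compared as (major, minor, patch, p-level).
Version = Tuple[int, int, int, int]
VULNERABLE_RANGES = (((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1)))


def parse_sudo_version(text: str) -> Version:
    """Extract a version tuple from `sudo -V` output such as 'Sudo version 1.8.31p2'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_is_vulnerable(version: Version) -> bool:
    """True if the upstream version string falls inside an affected range (ignores backports)."""
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)


def classify_probe_output(output: str) -> str:
    """Interpret the first line of `sudoedit -s /` run as an unprivileged user."""
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("sudoedit:"):      # typically 'sudoedit: /: not a regular file'
        return "vulnerable"
    if first.startswith("usage:"):         # patched parser rejects -s for sudoedit
        return "patched"
    return "unknown"                       # e.g. a password prompt or sudoedit missing


def probe_local_sudoedit() -> str:
    """Run the probe on this host. It never escalates; stdin is closed so it cannot hang on a prompt."""
    exe = shutil.which("sudoedit")
    if exe is None:
        return "unknown"
    try:
        result = subprocess.run([exe, "-s", "/"], capture_output=True, text=True,
                                stdin=subprocess.DEVNULL, timeout=15)
    except subprocess.TimeoutExpired:
        return "unknown"
    return classify_probe_output(result.stderr + result.stdout)


def local_sudo_version() -> Optional[Version]:
    """Version reported by `sudo -V`, or None when sudo is absent or unparseable."""
    exe = shutil.which("sudo")
    if exe is None:
        return None
    out = subprocess.run([exe, "-V"], capture_output=True, text=True).stdout
    try:
        return parse_sudo_version(out)
    except ValueError:
        return None


if __name__ == "__main__":
    version = local_sudo_version()
    in_range = version_is_vulnerable(version) if version else "n/a"
    print(f"sudo version: {version}  upstream range vulnerable: {in_range}")
    print(f"sudoedit probe: {probe_local_sudoedit()}")
```

On an AirWave appliance the same logic applies from a shell on the platform; the authoritative fix there remains the 8.2.13.0 upgrade, with the probe serving to confirm that the bundled Sudo was actually replaced.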

New AdLoad Malware Circumvents Apple’s XProtect to Infect macOS Devices

 

A new AdLoad malware strain is infecting Macs while evading XProtect, Apple's built-in, YARA-signature-based antivirus, as part of multiple campaigns detected by cybersecurity firm SentinelOne.

AdLoad is a widespread trojan that has targeted macOS since late 2017 and is used to deliver a variety of payloads, including adware and potentially unwanted applications (PUAs). It can also harvest system information and send it to remote servers run by its operators.

According to SentinelOne threat researcher Phil Stokes, this large-scale, ongoing campaign began in early November 2020, with activity spiking in July and early August 2021.

Once it has infected a Mac, AdLoad installs a man-in-the-middle (MitM) web proxy to hijack search engine results and inject advertisements into web pages for financial gain.

It also gains persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, user cron jobs that run every two and a half hours.

According to SentinelLabs, “When the user logs in, the AdLoad persistence agent will execute a binary hidden in the same user’s ~/Library/Application Support/ folder. That binary follows another deterministic pattern, whereby the child folder in Application Support is prepended with a period and a random string of digits. Within that directory is another directory called /Services/, which in turn contains a minimal application bundle having the same name as the LaunchAgent label. That barebones bundle contains an executable with the same name but without the com. prefix.” 
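Both the UpdateAgent post above (persistence through PlistBuddy-created LaunchAgent/LaunchDaemon plists) and the AdLoad layout just quoted come down to what a launchd property list points at, so the following Python is an added example for this article that audits such plists offline. It is not SentinelOne's, Microsoft's or Apple's code. The three sample plists are constructed for the example: the labels, paths and the user name "alice" are invented, and the third sample is a generic suspicious pattern (an interpreter launching a binary from a hidden temporary folder), not a layout taken from the UpdateAgent report. `scan_launch_dirs` runs the same checks against the real launchd folders on a Mac.

```python
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Optional, Sequence

# Constructed sample launchd property lists written for this example.
SAMPLE_PLISTS: Dict[str, bytes] = {
    # ordinary vendor agent: executable inside an installed .app bundle
    "com.example.legit.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.legit</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # AdLoad-style layout as described by SentinelLabs: hidden numeric folder under
    # Application Support, a Services/ folder, a bundle named after the Label, and an
    # executable named like the Label without its "com." prefix
    "com.example.adload.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.adload</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.4812934011/Services/com.example.adload/example.adload</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # generic suspicious agent (assumed pattern): shell one-liner starting a binary from a hidden temp folder
    "com.example.update.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/private/tmp/.cache/FinderUpdate</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

ADLOAD_LAYOUT = re.compile(r"/Library/Application Support/\.\d+/Services/(?P<bundle>[^/]+)/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env", "/usr/bin/osascript"}


def launch_argv(plist: dict) -> List[str]:
    """launchd executes Program when present, otherwise ProgramArguments[0]; return the argv."""
    argv = list(plist.get("ProgramArguments", []))
    if plist.get("Program"):
        argv = [plist["Program"]] + argv[1:]
    return argv


def audit_launch_item(filename: str, data: bytes) -> List[str]:
    """Findings for one LaunchAgent/LaunchDaemon plist; an empty list means nothing odd."""
    findings: List[str] = []
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    if not label:
        findings.append("missing Label")
    elif Path(filename).stem != label:
        findings.append(f"filename {filename} does not match Label {label}")
    argv = launch_argv(plist)
    if not argv:
        findings.append("no Program or ProgramArguments")
        return findings
    # when argv[0] is an interpreter, the real target is in the remaining arguments
    targets = argv[1:] if argv[0] in INTERPRETERS else argv[:1]
    if argv[0] in INTERPRETERS:
        findings.append(f"launches interpreter {argv[0]} instead of a binary")
    for target in targets:
        match = ADLOAD_LAYOUT.search(target)
        if match:
            findings.append("AdLoad-style path: hidden numeric folder under Application Support with Services/")
            bundle = match.group("bundle")
            bundle = bundle[:-4] if bundle.endswith(".app") else bundle
            if bundle == label:
                findings.append(f"bundle {bundle} is named after the Label")
            if label.startswith("com.") and target.rstrip("/").rsplit("/", 1)[-1] == label[4:]:
                findings.append(f"executable {label[4:]} is the Label without its com. prefix")
        if any(part.startswith(".") for part in target.split("/") if part):
            findings.append(f"hidden directory in path: {target}")
        if target.startswith(TEMP_PREFIXES):
            findings.append(f"executable in a temporary or shared location: {target}")
    return findings


def audit_all(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map filename -> findings, keeping only items with at least one finding."""
    return {name: f for name, data in plists.items() if (f := audit_launch_item(name, data))}


def scan_launch_dirs(dirs: Optional[Sequence[Path]] = None) -> Dict[str, List[str]]:
    """Audit the real launchd folders on a Mac; folders that do not exist are skipped."""
    if dirs is None:
        dirs = (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"))
    found: Dict[str, List[str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                findings = audit_launch_item(p.name, p.read_bytes())
            except Exception as exc:  # a plist that will not parse is itself worth a look
                findings = [f"could not parse plist: {exc}"]
            if findings:
                found[str(p)] = findings
    return found


if __name__ == "__main__":
    for name, findings in {**audit_all(SAMPLE_PLISTS), **scan_launch_dirs()}.items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Findings are hints for triage, not verdicts: a plist whose target binary no longer exists is also worth checking, since both families delete artifacts after installing, and a LaunchAgent that references a deleted path is a common leftover.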

Over the course of the campaign the researcher observed more than 220 samples, 150 of them unique, all of which went unnoticed by Apple's built-in antivirus, even though XProtect currently contains around a dozen AdLoad signatures.

Many of the samples SentinelOne detected are signed with legitimate Apple-issued Developer ID certificates, and some are notarized, so they run under default Gatekeeper settings.

Further, Stokes added, "At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules." 

"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices." 

To put this threat in context, consider Shlayer, another common macOS malware strain that has bypassed XProtect and infected Macs with other malicious payloads.

Shlayer recently exploited a macOS zero-day to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads on compromised Macs. 

Even though these strains currently deliver only adware and bundleware as secondary payloads, their developers could switch to distributing more serious malware at any time.

Apple’s head of software, under oath, while testifying in the Epic Games vs. Apple trial in May said, "Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS."

Apple isn't Happy About the Amount of Mac Malware

 

During testimony defending Apple in its lawsuit with Fortnite developer Epic Games, a senior Apple executive said that Mac malware has now surpassed the level Apple finds acceptable, and framed security as the justification for keeping iPhones locked to the App Store. That, he argued, is why Apple must keep the iPhone, iPad and its other mobile products behind the App Store's walled garden.

Craig Federighi, Apple's head of software engineering, told a California court that the existing levels of malware were "unacceptable." "Today, we have a level of malware on the Mac that we don't find acceptable," he stated in response to questions from Apple's lawyers, as ZDNet sister site CNET reports. 

Apple is defending its practices after Epic Games sued it in the United States; Apple had removed the Fortnite game from the App Store after Epic implemented a direct payment scheme for in-game currency that bypassed Apple's 30% developer commission. Epic contends that Apple is too restrictive.

The Apple-Epic trial began on May 3. Phil Schiller, who oversees the App Store, testified yesterday that the App Store has always prioritized security and privacy. According to Federighi, 130 different types of Mac malware have been found since last May, one of which infected 300,000 systems. iOS devices can only install apps from Apple's App Store, whereas Macs can install software from anywhere on the internet.

Mac malware now outpaces Windows malware in volume, according to Malwarebytes, a US security company that sells Mac antivirus, although the company noted that the threats to Macs, mostly adware, are less harmful than Windows malware. Federighi compared the Mac to a car, whereas iOS was designed with children's safety in mind, according to 9to5Mac.

"The Mac is a car. You can take it off-road if you want and you can drive wherever you want. That's what you wanted to buy. There's a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It's really a different product," he stated.

Federighi also said that things would change significantly if Apple allowed iOS users to sideload applications.

Apple's Find My Network: Can be Abused to Leak Secrets Via Passing Devices

 

Apple's Find My network, used to locate iOS and macOS devices and, more recently, AirTags and other accessories, has been shown to be usable as a covert channel for moving data.

In short, passing Apple devices can be used to relay data over the air from one location to another, such as to a computer on the other side of the world, without any other network connection.

Using Bluetooth Low Energy (BLE) broadcasts and a microcontroller programmed to act as a modem, Fabian Bräunlein, co-founder of Positive Security, devised a way to send a limited amount of arbitrary data to Apple's iCloud servers from devices that have no internet connection. A Mac application can then download the data from the cloud. He dubbed his proof-of-concept service Send My in a blog post on Wednesday.

When enabled on Apple devices, the Find My network acts as a crowdsourced location-tracking system. Participating devices broadcast over BLE to nearby Apple devices, which relay the data to Apple's servers over their own network connections. Authorized owners can then use the iCloud-based Find My iPhone service or the iOS/macOS Find My app to retrieve location reports for enrolled hardware.

Researchers from Germany's Technical University of Darmstadt (Alexander Heinrich, Milan Stute, Tim Kornhuber and Matthias Hollick) released an analysis of the security and privacy of Apple's Find My network in March, uncovering a few issues along the way.

Bräunlein's aim was to see whether the Find My network could be exploited to send arbitrary data from devices without internet access. "Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet," he wrote. "It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users." Since he found no rate limiting on the number of location reports a device can send over the Find My network, he theorizes that the technique could also be used to drain smartphone users' data plans.

With each report being more than 100 bytes, broadcasting a large number of unique public encryption keys as part of the Find My protocol inflates the amount of mobile traffic the relaying devices send. For his exfiltration scheme, Bräunlein used an ESP32 microcontroller running OpenHaystack-based firmware that transmits a hardcoded default message and listens on its serial interface for new data. Nearby Apple devices with Find My enabled pick up these broadcasts and forward them to Apple's servers.

Retrieving the data on a macOS computer requires an Apple Mail plugin that runs with elevated privileges, in order to satisfy Apple's authentication requirements for accessing location data. To view the unsanctioned transmission, the user must also install OpenHaystack and run DataFetcher, a macOS app written by Bräunlein.
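The following Python is an added, simplified model of the covert channel described above, written for this article; it is not Bräunlein's firmware, OpenHaystack or Apple's protocol. It keeps only the part that makes the channel work: each bit of the payload is represented by one of two candidate "public keys", the offline sender broadcasts the key for the bit's value, passing devices upload a report indexed by a hash of whatever key they saw, and the internet-connected receiver asks for both candidate hashes per bit and reads off which one exists. Real Find My keys are elliptic-curve public keys and real reports are encrypted; here a key is a 28-byte hash derived from an assumed shared modem identifier so that both ends can agree on the key list offline, and the finder devices plus Apple's servers are collapsed into one in-memory report store.

```python
import hashlib
from typing import Dict, List, Set

MODEM_ID = b"demo-modem-01"          # assumed identifier shared by sender and receiver


def key_for(msg_id: int, bit_index: int, bit_value: int) -> bytes:
    """Stand-in public key that encodes one bit of one message (deterministic for both ends)."""
    material = (MODEM_ID + msg_id.to_bytes(4, "big")
                + bit_index.to_bytes(2, "big") + bytes([bit_value]))
    return hashlib.sha256(material).digest()[:28]


def report_index(public_key: bytes) -> str:
    """Reports are retrieved by a hash of the advertised key; modelled as SHA-256."""
    return hashlib.sha256(public_key).hexdigest()


def sender_keys(msg_id: int, payload: bytes) -> List[bytes]:
    """Offline sender: one BLE advertisement (key) per payload bit, most significant bit first."""
    keys: List[bytes] = []
    for byte_index, byte in enumerate(payload):
        for bit in range(8):
            bit_value = (byte >> (7 - bit)) & 1
            keys.append(key_for(msg_id, byte_index * 8 + bit, bit_value))
    return keys


class FinderNetwork:
    """Passing Apple devices plus Apple's servers, collapsed into one report store."""

    def __init__(self) -> None:
        self.reports: Dict[str, int] = {}

    def observe(self, advertised_keys: List[bytes]) -> None:
        """A finder device relays one report per key it heard (it does not know the content)."""
        for key in advertised_keys:
            index = report_index(key)
            self.reports[index] = self.reports.get(index, 0) + 1

    def fetch(self, indices: Set[str]) -> Set[str]:
        """Authorized lookup: which of the requested report indices exist."""
        return {index for index in indices if index in self.reports}


def receiver_decode(network: FinderNetwork, msg_id: int, length: int) -> bytes:
    """Online receiver: for each bit query both candidate keys and keep the one with a report.
    Raises when neither or both exist (lost advertisement or a collision between messages)."""
    out = bytearray()
    for byte_index in range(length):
        value = 0
        for bit in range(8):
            bit_index = byte_index * 8 + bit
            candidates = {report_index(key_for(msg_id, bit_index, v)): v for v in (0, 1)}
            seen = network.fetch(set(candidates))
            if len(seen) != 1:
                raise ValueError(f"bit {bit_index}: {len(seen)} reports found, cannot decode")
            value = (value << 1) | candidates[seen.pop()]
        out.append(value)
    return bytes(out)


def relay_traffic_bytes(payload: bytes, report_size: int = 100) -> int:
    """Lower bound on what finder devices upload: one report of over 100 bytes per advertised key."""
    return len(payload) * 8 * report_size


if __name__ == "__main__":
    network = FinderNetwork()
    network.observe(sender_keys(7, b"hello"))      # iPhones passing the microcontroller
    print(receiver_decode(network, 7, 5))          # the receiver, anywhere on the internet
    print(relay_traffic_bytes(b"hello"), "bytes of finder upload, at minimum")
```

The model makes the two security properties of the channel visible: the relaying phones never learn that they are carrying a message, because each report looks like an ordinary location report for an unknown key, and the upload cost scales with the number of keys, which is why the absence of rate limiting matters for the data-plan concern raised above.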

Hackers Take Advantage of Adobe Zero-Day Vulnerability Impacting Acrobat Reader

 

Adobe has patched a vulnerability in Acrobat, the world's most popular PDF reader, that is being actively exploited; it affects both Windows and macOS and allows arbitrary code execution.

Adobe is warning customers about a critical zero-day vulnerability in its widely used Acrobat PDF reader that is being exploited in the wild. A patch is available as part of Adobe's Tuesday roundup of 43 fixes across 12 products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign and Magento.

According to Adobe, CVE-2021-28550 "has been exploited in the wild in selective attacks targeting Adobe Reader users on Windows." Windows users of Reader may be the only ones currently targeted, but the bug affects eight versions of the software across Windows and macOS:

1. Windows Acrobat DC & Reader DC (versions 2021.001.20150 and earlier)
2. macOS Acrobat DC & Reader DC (versions 2021.001.20149 and earlier)
3. Windows & macOS Acrobat 2020 & Acrobat Reader 2020 (versions 2020.001.30020 and earlier)
4. Windows & macOS Acrobat 2017 & Acrobat Reader 2017 (versions 2017.011.30194 and earlier)

Adobe has not released technical details of the zero-day; such details are usually published after users have had a chance to apply the patch. Users can update manually by going to Help > Check for Updates, according to Adobe's May security bulletin, released on Tuesday.

Several other important bugs were addressed in Tuesday's 43 fixes. Acrobat alone received patches for ten critical and four important vulnerabilities, seven of them arbitrary code execution bugs. Three of the vulnerabilities patched on Tuesday (CVE-2021-21044, CVE-2021-21038 and CVE-2021-21086) are out-of-bounds write flaws.

Adobe Illustrator received the most patches on Tuesday, with five critical code execution vulnerabilities fixed. Three of them (CVE-2021-21103, CVE-2021-21104 and CVE-2021-21105) are, by Adobe's definition, memory corruption bugs that allow attackers to execute arbitrary code on targeted systems. All three were reported by Kushal Arvind Shah, a bug hunter with Fortinet's FortiGuard Labs.