
SysBumps: A Groundbreaking KASLR Break Attack Targeting Apple Silicon macOS Devices

SysBumps: Attack Disrupts KASLR in macOS Kernel Security

In a significant revelation, researchers from Korea University have uncovered “SysBumps,” the first successful Kernel Address Space Layout Randomization (KASLR) break attack targeting macOS devices powered by Apple Silicon processors. Presented at CCS '24, the study exposes flaws in speculative execution that compromise critical kernel memory addresses, presenting severe security implications for macOS users.

Kernel Address Space Layout Randomization (KASLR) is a vital security mechanism designed to randomize memory locations, thereby mitigating memory corruption vulnerabilities. Apple has enhanced KASLR on macOS for Apple Silicon devices with features like kernel isolation, which separates kernel and user memory spaces to bolster system security.

However, the study identifies a critical weakness in this implementation. Researchers discovered that speculative execution during system calls introduces a vulnerability. This flaw enables attackers to bypass kernel isolation and infer kernel memory locations, undermining the effectiveness of KASLR.

Mechanics of the SysBumps Attack

SysBumps exploits speculative execution by manipulating system calls so that kernel address validation checks are skipped. This causes the Translation Lookaside Buffer (TLB) to behave differently depending on whether the address being probed is valid. By using the TLB as a side channel, attackers can gather insights into the kernel memory layout.

The attack unfolds in three stages:

  1. Speculative Execution: Attackers craft system calls to bypass validation mechanisms, exploiting speculative execution to access kernel address translations.
  2. TLB Probing: By analyzing TLB state changes, attackers determine whether specific kernel addresses are valid.
  3. Revealing Kernel Layout: Using reverse-engineered TLB attributes, attackers deduce the kernel base addresses, effectively breaking KASLR protections.

Remarkably, this attack achieves a 96.28% success rate across various M-series processors and macOS versions. It executes in under three seconds, demonstrating its efficiency and potential for real-world exploitation.

Implications and Response

The SysBumps attack has far-reaching consequences for macOS security. By breaking KASLR, the primary defense against memory corruption exploits, this attack leaves systems vulnerable to advanced threats. Despite Apple’s kernel isolation mechanisms, SysBumps exposes the underlying architecture to significant risks.

Apple has acknowledged the findings and is actively investigating the root cause of the vulnerability. The researchers plan to publish their study and the SysBumps source code on GitHub, offering valuable insights for the cybersecurity community to address future challenges.

The discovery of SysBumps highlights the evolving sophistication of cyberattacks, particularly those exploiting speculative execution and architectural flaws. This serves as a critical reminder of the need for ongoing research, robust system design, and proactive security measures to safeguard against emerging threats in the cybersecurity landscape.

MITRE’s Latest ATT&CK Evaluations Reveal Critical Insights into Cybersecurity Solutions


MITRE Corporation has published its findings from the latest round of ATT&CK evaluations, offering important insights into the effectiveness of enterprise cybersecurity solutions. This sixth evaluation assessed 19 vendors against two major ransomware strains, Cl0p and LockBit, as well as North Korean-linked malware targeting macOS systems. The advanced malware simulations used during the evaluation highlighted sophisticated tactics, such as exploiting macOS utilities and covert data exfiltration, emphasizing the dynamic nature of modern cyber threats.

The Findings and Their Significance

According to MITRE’s general manager, William Booth, the evaluation revealed notable disparities in vendors’ abilities to detect and distinguish between malicious activities. Some solutions achieved high detection rates but also suffered from alarmingly high false-positive rates, indicating a need for better precision in threat identification. MITRE’s methodology involved a two-phase approach: first, evaluating baseline detection capabilities and then assessing protection performance after vendors adjusted their configurations to improve detection accuracy. This approach highlights the adaptability of vendors in enhancing their solutions to counter emerging threats.

The Struggles with Post-Compromise Detection

A key takeaway from the evaluation was the struggle vendors faced with post-compromise threat detection. MITRE stressed the importance of detecting and mitigating ransomware activities after the initial breach, as ransomware often mimics legitimate system behaviors. Booth emphasized that relying solely on blocking initial infections is no longer sufficient—solutions must also account for activities occurring later in the attack chain. This represents a critical area where cybersecurity solutions need improvement to effectively neutralize threats at all stages of an attack.

Contrasting Detection Strategies

The evaluation also highlighted differences in detection strategies among vendors. Some vendors utilized machine learning and AI-based methods for threat detection, while others relied on more traditional heuristic approaches. These contrasting methodologies led to varying levels of effectiveness, particularly in the detection of false positives and distinguishing between benign and malicious activities. The use of AI-based methods showed promise, but some vendors struggled with accuracy, underscoring the challenges faced by the industry in keeping up with evolving threats.

MacOS Threats: A New Challenge

For the first time, MITRE included macOS threats in its evaluation. Addressing macOS malware posed unique challenges, as there is limited publicly available Cyber Threat Intelligence (CTI) on such threats. Despite these challenges, MITRE’s inclusion of macOS malware reflects its commitment to addressing the evolving threat landscape, particularly as more organizations adopt Apple devices in their enterprise environments. The move signals MITRE’s proactive approach to ensuring that cybersecurity solutions account for all major operating systems in use today.

Looking Ahead: Vendor Transparency and Improvement

Although MITRE refrains from ranking vendors, its evaluation provides transparency that can guide organizations in making informed decisions about their cybersecurity strategies. The findings underscore the importance of refining cybersecurity technologies to meet the demands of a rapidly evolving cyber environment. Booth highlighted that these evaluations encourage vendors to continuously improve their technologies to better counter the increasing sophistication of cyber threats.

By incorporating ransomware and macOS malware into its evaluations, MITRE continues to shed light on the complexities of modern cyberattacks. The insights gained from this evaluation are invaluable for organizations looking to enhance their defenses against increasingly sophisticated threats. As cyberattacks become more advanced, understanding the varying capabilities of enterprise security solutions is essential for building a robust cybersecurity posture.

Godot Game Engine Targeted in Widespread Malware Attack

A newly identified malware threat, GodLoader, is targeting gamers globally by exploiting the Godot game development engine, according to a report from Check Point Research. This sophisticated attack has already impacted more than 1.2 million users across various platforms. 

How GodLoader Works 

GodLoader infiltrates devices by leveraging Godot’s .pck files, which package game assets. These files can embed harmful scripts that execute malicious code upon launching a game, effectively bypassing traditional antivirus detection. The malware primarily targets: 

- Windows
- macOS
- Linux
- Android
- iOS

Check Point Research reported that hackers have infected over 17,000 systems in just the past three months. By utilizing Godot’s GDScript (a Python-like scripting language), attackers distribute malware via more than 200 GitHub repositories, often masked as legitimate game assets. 

Exploitation of Open-Source Trust 

Eli Smadja, Security Research Group Manager at Check Point Software Technologies, highlighted the exploitation of open-source platforms:  

"Cybercriminals have turned the flexibility of the Godot Engine into a vulnerability, spreading cross-platform malware like GodLoader by capitalizing on the trust users place in open-source software." 

Infected computers are not only compromised but may also be converted into cryptocurrency mining rigs through XMRig, rendering them unusable for other tasks. 

Stargazers Ghost Network: Distribution-as-a-Service (DaaS) 

The attackers used the Stargazers Ghost Network to distribute GodLoader. This platform, active since 2022, employs over 3,000 ghost GitHub accounts to create networks of malicious repositories. These repositories: 

- Host info stealers like RedLine, Lumma Stealer, Rhadamanthys, and RisePro. 
- Manipulate GitHub’s trending section by starring, forking, and subscribing to their own repositories to appear legitimate. 

During a campaign between September and October 2024, Check Point discovered four separate attacks targeting developers and gamers. These attacks aimed to distribute infected tools and games, enticing users to download malware through seemingly credible GitHub repositories. 

Broader Implications and Future Risks 

The malware’s ability to target multiple platforms significantly enlarges the attack surface, posing a growing threat to the gaming community. Experts warn that attackers could embed malware into cheats, mods, or cracks for popular Godot-built games, increasing the vulnerability of millions of gamers. 

The Stargazers Ghost Network has already earned over $100,000 by distributing malware through its DaaS platform. With its continuous evolution, this network poses an ongoing threat to both developers and users of the Godot engine. 

Call to Action for Developers and Gamers 

Industry experts emphasize the urgent need for proactive cybersecurity measures to counter such threats. Recommendations include: 

- Avoid downloading game assets from unverified sources. 
- Regularly update antivirus and anti-malware software. 
- Implement robust security practices when developing or downloading games built with Godot. 

As the gaming ecosystem continues to expand, vigilance and collaboration between developers and security researchers will be critical in mitigating threats like GodLoader and ensuring a safer gaming environment.

North Korean Hackers Employ macOS Malware to Target Crypto Firms


BlueNoroff, a North Korean threat actor, has been attacking crypto firms with a new multistage malware for macOS systems. 

According to the researchers, the campaign is known as Hidden Risk, and it lures victims with emails that include fake data on the current activities in the cryptocurrency market.

The malware employed in these attacks depends on a novel persistence method on macOS that does not generate any alerts on the most recent versions of the operating system, allowing it to bypass detection. 

BlueNoroff is known for cryptocurrency theft and has previously targeted macOS with a payload malware called 'ObjCShellz' that opens remote shells on affected Macs. 

Infection chain 

The attacks begin with a phishing email containing crypto-related news and subjects, disguised as if forwarded by a bitcoin influencer to boost credibility. The mail includes a link to a PDF containing the information, but it actually points to the attackers' "delphidigital[.]org" domain. 

According to SentinelLabs experts, the "URL currently serves a benign form of the Bitcoin ETF document with titles that change over time," but it also serves the first step of a malicious application bundle known as 'Hidden Risk Behind New Surge of Bitcoin Price.app'. 

The researchers state that for the Hidden Risk campaign, the threat actor employed an original academic paper from the University of Texas. The first stage is a dropper software signed and notarised with a valid Apple Developer ID, "Avantis Regtech Private Limited (2S8XHJ7948)," which Apple has since revoked. 

When activated, the dropper fetches a decoy PDF from a Google Drive link and opens it in the default PDF viewer to distract the victim. In the background, however, the next-stage payload is downloaded from "matuaner[.]com".

Interestingly, the hackers have effectively circumvented Apple's App Transport Security (ATS) policy by altering the app's 'Info.plist' file to permit unsafe HTTP connections to the attacker-controlled site.
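As an added example (not code from SentinelLabs or the original post), the following Python script audits a bundle's Info.plist for the App Transport Security exceptions that would permit the plain-HTTP download described above; the embedded sample plist, its bundle identifier and its domain are constructed for the demo.

```python
"""Audit an app bundle's Info.plist for App Transport Security (ATS) exceptions.

Added example, not code from SentinelLabs or the original post. Flags the ATS
keys that let a bundle talk plain HTTP or weak TLS, which is how the Hidden
Risk dropper reached its next-stage server. SAMPLE_INFO_PLIST is constructed
for the demo and "example-placeholder.invalid" is a placeholder domain.
"""
import plistlib
import sys
from pathlib import Path

# Real ATS keys that relax the default HTTPS-only policy for every host.
GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)

# Constructed sample: what an edited Info.plist might look like after an
# attacker adds a per-domain HTTP exception plus a global opt-out.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.placeholder.dropper</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example-placeholder.invalid</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""


def ats_findings(info: dict) -> list[str]:
    """Return one line per ATS setting that weakens transport security.

    An empty list means the default policy (HTTPS with modern TLS) is in force.
    """
    findings = []
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return findings
    for key in GLOBAL_KEYS:
        if ats.get(key) is True:
            findings.append(f"global: {key} is true")
    domains = ats.get("NSExceptionDomains")
    if not isinstance(domains, dict):
        return findings
    for domain, rules in domains.items():
        if not isinstance(rules, dict):
            continue
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: plain HTTP allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings


def audit_plist_bytes(data: bytes) -> list[str]:
    """Parse XML or binary plist bytes and audit them."""
    return ats_findings(plistlib.loads(data))


def audit_bundle(bundle: Path) -> list[str]:
    """Audit <bundle>/Contents/Info.plist (the macOS app bundle layout)."""
    return audit_plist_bytes((bundle / "Contents" / "Info.plist").read_bytes())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            print(arg, "->", audit_bundle(Path(arg)) or "no ATS exceptions")
    else:
        for line in audit_plist_bytes(SAMPLE_INFO_PLIST):
            print(line)
```

Run it with one or more `.app` paths to audit real bundles; with no arguments it audits the constructed sample.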

The "Hidden Risk" campaign, according to SentinelLabs, has been in operation for the past 12 months or more. It employs a more straightforward phishing strategy that excludes the customary "grooming" on social media that other DPRK hackers partake in. 

The researchers also point out that, to get past macOS Gatekeeper, BlueNoroff has demonstrated a consistent capacity to find new Apple developer accounts and have their payloads notarised.

HM Surf Bug in macOS Raises Data Privacy Concerns

A vulnerability in the Safari web browser for macOS may have left users open to being spied on, having their data stolen, and picking up other types of malware. Specifically, the vulnerability arises from the special permissions Apple gives to its proprietary apps, in this case the browser, combined with the ease with which an attacker can reach an app's important configuration files.

Ultimately, what it allows an attacker to do is circumvent the Transparency, Consent, and Control (TCC) security layer on Macs that is designed to safeguard sensitive data. CVE-2024-44133 has been rated as a "medium" severity vulnerability under the Common Vulnerability Scoring System (CVSS), with a score of 5.5. According to the CVE-2024-44133 vulnerability report, attackers can bypass the user data protections implemented by the operating system by bypassing TCC.

The vulnerability, also referred to as CVE-2024-44133, was fixed in the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later). Please take note that this vulnerability will only impact devices that are managed by Mobile Device Management (MDM), not any other device. Typically, MDM-managed devices are subject to policies and procedures set by the IT department of an organization, which is responsible for centrally managing and maintaining the devices.


According to Microsoft, the flaw has been named "HM Surf." By exploiting this vulnerability, an attacker would be able to bypass macOS' Transparency, Consent, and Control (TCC) features and gain unauthorized access to a user's protected data without the user having any control over it. Users may see Safari's TCC in action when a website they are browsing requests access to the camera or microphone. Apple noted in mid-September that the bug in macOS Sequoia 15 has been fixed by removing the vulnerable code. However, the bug does not seem to affect MDM-managed devices. As stated in Microsoft's blog post, the Sequoia 15 release only protects Apple's Safari web browser.

It was also pointed out that browsers like Google Chrome and Mozilla Firefox don't have the same private entitlements as Apple applications, so they cannot bypass TCC checks the way Apple applications can. Once TCC checks are approved, it is therefore up to the app to maintain its access to the privacy database for as long as the user's approval stands. This vulnerability can be exploited by removing the TCC protection for the Safari browser directory and editing a configuration file in that directory. Microsoft's response states that this involves gaining access to the user's data, such as browsed pages, the camera, microphone, and location of the device, without the user's knowledge.

Users of macOS are strongly encouraged to apply these security updates as soon as possible so that their systems are protected. Using its behavior monitoring capabilities, Microsoft Defender for Endpoint has detected activities associated with Adload, one of the most prevalent macOS threat families, which may be exploiting this vulnerability in some way. In addition to detecting and blocking CVE-2024-44133 exploitation, Microsoft Defender for Endpoint also detects and blocks anomalous modifications of the Preferences file through HM Surf or other mechanisms that potentially exploit the vulnerability.

According to Microsoft, it first learned how to bypass TCC when it discovered the powerdir vulnerability. Please remember that TCC, as its name implies, is a technology that prevents installed apps from accessing users' personal information, including services such as location services, camera and microphone devices, download directories, and others, without the user's knowledge or consent.

The only legitimate way for an application to gain access to these services is for the user to approve a popup in its user interface, or to grant per-app access via the settings of their operating system. This vulnerability, known as HM-Surf, may allow attackers to bypass key security features on macOS systems, giving them a chance to gain access to sensitive data through the use of malicious code. An unauthorized user exploiting the flaw could subvert macOS' own security functions, such as the sandboxing mechanisms and restrictions on file access.

HM-Surf is a vulnerability that allows attackers to gain enhanced privileges, which in turn lets them access sensitive data and files that would otherwise require a login and password. Initial warnings were raised about this vulnerability because it played a role in adware campaigns, where malicious actors used this loophole to install unwanted software on users' devices for profit. Adware, however, is only the beginning. If the same vulnerability were weaponized, it might even be used for more serious attacks, such as data exfiltration, surveillance, or as a gateway to further malware infiltration. HM-Surf's ability to bypass Apple's robust security architecture is one of the most troubling aspects of this flaw.

macOS is widely regarded as a secure platform, but the recent discovery of the HM-Surf vulnerability shows that even advanced systems are not immune to evolving cyber threats. This finding serves as a crucial reminder for users and organizations to prioritize cybersecurity and adopt proactive measures to protect their digital environments. Microsoft's cybersecurity team uncovered HM-Surf, an exploit posing a serious risk to macOS. Their investigation revealed a program altering Google Chrome settings to grant unauthorized microphone and camera access while collecting user and device data.

These actions suggested preparations for a second-stage payload that could further compromise the device. The culprit was identified as the well-known macOS adware "AdLoad." This malware hijacks browser traffic, inundates users with ads, harvests data, and transforms infected devices into botnet nodes for further malicious activity. Although Microsoft's findings aligned with HM-Surf techniques, the researchers could not conclusively link AdLoad to actively exploiting the vulnerability. 

Nevertheless, they warned that "attackers using a similar method to deploy a prevalent threat" underscored the need for enhanced protection. The HM-Surf vulnerability illustrates the risks associated with macOS, highlighting that no operating system is invulnerable to sophisticated attacks. Exploiting such weaknesses could lead to severe consequences, including financial losses, reputational damage, and the exposure of sensitive data. The evolving nature of these threats suggests that attackers are continuously refining their methods to bypass security measures.

To address these challenges, organizations must adopt a multi-layered approach to cybersecurity. This includes regular system updates, comprehensive monitoring, and user education on safe practices. Deploying advanced threat detection and real-time monitoring can help detect and mitigate attacks before they cause significant harm. Regular security assessments can also identify and address potential vulnerabilities. In summary, the emergence of the HM-Surf vulnerability is a stark reminder of the dynamic landscape of cybersecurity threats. For macOS users and businesses, this discovery emphasizes the need to act swiftly in strengthening defenses and protecting digital assets against evolving risks.

Sevco Report Exposes Privacy Risks in iOS and macOS Due to Mirroring Bug


A new cybersecurity report from Sevco has uncovered a critical vulnerability in macOS 15.0 Sequoia and iOS 18, which exposes personal data through iPhone apps when devices are mirrored onto work computers. The issue arose when Sevco researchers detected personal iOS apps showing up on corporate Mac devices. This triggered a deeper investigation into the problem, revealing a systemic issue affecting multiple upstream software vendors and customers. The bug creates two main concerns: employees’ personal data could be unintentionally accessed by their employers, and companies could face legal risks for collecting that data.  

Sevco highlighted that while employees may worry about their personal lives being exposed, companies also face potential data liability even if the access occurs unintentionally. This is especially true when personal iPhones are connected to company laptops or desktops, leading to private data becoming accessible. Sean Wright, a cybersecurity expert, commented that the severity of the issue depends on the level of trust employees have in their employers. According to Wright, individuals who are uncomfortable with their employers having access to their personal data should avoid using personal devices for work-related tasks or connecting them to corporate systems. Sevco’s report recommended several actions for companies and employees to mitigate this risk. 

Firstly, employees should stop using the mirroring app to prevent the exposure of personal information. In addition, companies should advise their employees not to connect personal devices to work computers. Another key step involves ensuring that third-party vendors do not inadvertently gather sensitive data from work devices. The cybersecurity experts at Sevco urged companies to take these steps while awaiting an official patch from Apple to resolve the issue. When Apple releases the patch, Sevco recommends that companies promptly apply it to halt the collection of private employee data. 

Moreover, companies should purge any previously collected employee information that might have been gathered through this vulnerability. This would help eliminate liability risks and ensure compliance with data protection regulations. This report highlights the importance of maintaining clear boundaries between personal and work devices. With an increasing reliance on seamless technology, including mirroring apps, the risks associated with these tools also escalate. 

While the convenience of moving between personal phones and work computers is appealing, privacy issues should not be overlooked. The Sevco report emphasizes the importance of being vigilant about security and privacy in the workplace, especially when using personal devices for professional tasks. Both employees and companies need to take proactive steps to safeguard personal information and reduce potential legal risks until a fix is made available.

Fake macOS Apps Infect Devices, Steal Sensitive Data in the Latest Malware Attack

The latest cyber-attack uncovered by security researchers is an information stealer that targets Apple macOS hosts and gathers a wide array of sensitive data. It underscores how threat actors are increasingly targeting the OS. As of late 2023, malware dubbed Cthulhu Stealer was available as a malware-as-a-service (MaaS) product, priced at $500 per month on a subscription basis.

As far as the architecture is concerned, it can support both x86_64 and Arm platforms. Several cybersecurity researchers have discovered a new form of macOS malware that can steal user's sensitive data in the most insidious ways. A malware called Cthulhu Stealer has been spotted that impersonates popular applications to infect users with Trojan malware that allows the malware to steal passwords for users' operating systems and the iCloud keychain, as well as cryptocurrency wallets. 

A $500/month service offering for bad actors has reportedly been available since late 2023 as part of the Cthulhu Stealer program. It is particularly effective because it can masquerade as legitimate software and thus make itself appear more appealing. Cado Security researcher Gould has pointed out that Cthulhu Stealer is an Apple disk image (DMG) that carries two binaries, one for each machine architecture.

Written in Golang, the malware disguises itself as a legitimate piece of software. A few of the programs it impersonates are CleanMyMac, Grand Theft Auto IV, and Adobe GenP; the last of these is an open-source tool that patches Adobe apps to bypass Creative Cloud service encryption and activate them with a serial key, without having to create an Adobe account.

A user who launches the unsigned file after explicitly allowing it to run, i.e., bypassing Gatekeeper protections, will be prompted to enter their system password. Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer use the same osascript-based approach. A second prompt then appears asking the user to enter their MetaMask password.

This tool was also designed to harvest system information and dump iCloud Keychain passwords using an open-source tool called Chain Breaker, developed by an anonymous developer. The data theft takes several forms, including the collection of web browser cookies and information from Telegram accounts. This information is compressed and stored in a ZIP file before being sent to a command-and-control (C2) server.

It is believed that the main purpose of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from a wide range of shops and services, including game accounts. The functionality and features of Cthulhu Stealer are very similar to those of Atomic Stealer, which implies that it was probably developed by the same person, or by someone who modified Atomic Stealer. As noted above, Atomic Stealer and Cthulhu both use osascript for the password prompt. Even the spelling mistakes in the two are identical.

The threat actors responsible for the malware appear to have vanished, in part due to disagreements over payments; affiliates accused the main developer of an exit scam, which led to him being permanently banned from the cybercrime marketplace he used to advertise the malware in the first place. It is important to note that Cthulhu Stealer does not have very sophisticated anti-analysis techniques that would allow it to operate stealthily and avoid detection.

It also does not include any features that set it apart from similar underground offerings. Malware like Cthulhu Stealer, and other threats like it, can cause far less damage when users take macOS' security features seriously, so that they do not fall victim to them.

macOS is much less commonly targeted by malware than Windows or Linux, but users are advised to avoid downloading software from sources they don't trust, avoid installing apps that are not verified, and make sure their systems are updated with the latest security measures.

There has been a surge in macOS malware recently and in response Apple announced this week that an update is coming to its next version of the operating system that will add more friction when trying to open software that is not signed correctly or notarized, which will help prevent future outbreaks of macOS malware.

Mac Users Targeted by Hackers Through Microsoft App Security Flaw

During the past couple of weeks, Cisco Talos, one of the world's most respected cybersecurity companies known for its cutting-edge cybersecurity products, has discovered at least eight security vulnerabilities. As a result of these bugs, researchers have found that the cameras and microphones of users of those applications may be accessed by attackers who exploit them for malicious purposes. In addition to this, a vulnerability like this could be exploited to steal other types of sensitive information, which can have a detrimental effect on the security of the system as well. 

It has been reported that many widely used Microsoft apps, including Word, Outlook, Excel, OneNote, Teams, and others, are affected. To carry out this attack, malicious libraries are injected into the Microsoft apps so that hackers gain access to the entitlements and permissions granted to those apps. The problem stems from how Microsoft apps interact with the Transparency, Consent, and Control (TCC) framework on macOS, which manages applications' permissions on the system.

The security vulnerability found in Microsoft's Mac apps made it possible for hackers to spy on Mac users without their knowledge. A security researcher from Cisco Talos published a blog post explaining how attackers could exploit the vulnerability and what Microsoft has been doing to fix the problem. According to Cisco Talos, Microsoft's macOS apps, like Outlook, Word, Teams, OneNote, and Excel, contain a major flaw. By taking advantage of it, attackers can inject malicious libraries into these apps, which gives them access to the permissions and entitlements granted by the user.

On macOS, permission-based data collection relies on the Transparency, Consent, and Control framework, which, as its name says, is composed of three components. As a result, macOS requests permission from the user before running new apps and displays prompts when an app asks for sensitive information, for example contacts, photos, or webcam data, so that the user can decide whether to grant it. It is important to understand that the severity of these vulnerabilities varies depending on the app and its permissions.

There are several ways in which Microsoft Teams, a popular tool for professional communication, could be exploited to capture conversations or access sensitive information, for instance. As another example, the report notes that Microsoft Outlook could be used to send unauthorized emails and, ultimately, cause data breaches. Under TCC, apps must request specific entitlements to access features such as the camera, microphone, location services, and other capabilities of the device.

Without these entitlements, an app is denied access to those resources, which keeps unauthorized parties out. Cisco Talos' discovery, however, shows that malicious actors are capable of injecting malicious code into Microsoft apps and hijacking the permissions that were previously granted to those apps. It means that an attacker with the right skills can inject code into an application such as Microsoft Teams or Outlook and gain access to a Mac's camera or microphone, allowing them to record audio or take photos without the user's knowledge.

Cisco Talos found that Microsoft has acknowledged these security flaws in its applications and, in response to the findings, has classified them as low risk. Some of Microsoft's applications, including Teams and OneNote, have been updated to address the library validation problem. For other vulnerable Microsoft apps, such as Excel, PowerPoint, Word, and Outlook, the company has not yet taken action to fix them.

Security Concerns Raised Over Vulnerabilities in Microsoft Apps for macOS

Recent findings by cybersecurity experts at Cisco Talos have brought to light significant vulnerabilities in popular Microsoft applications for macOS.

These flaws, discovered in apps such as Outlook, Teams, Word, and Excel, have alarmed users and security professionals alike, as they allow hackers to potentially spy on Mac users by bypassing Apple's stringent security measures. The issue revolves around macOS's Transparency, Consent, and Control (TCC) framework, which is designed to protect users by requiring explicit consent before apps can access sensitive data, such as cameras, microphones, or contacts. However, Cisco Talos researchers uncovered that eight widely used Microsoft apps contained vulnerabilities that could be exploited by attackers to bypass the TCC system. 

This means that hackers could potentially leverage the permissions already granted to these apps to spy on users, send unauthorized emails, or even record videos—all without the user’s knowledge or consent. The researchers expressed concerns about Microsoft’s decision to disable certain security features, such as library validation. This safeguard was originally intended to prevent unauthorized code from being loaded onto an app. 

However, Microsoft’s actions have effectively circumvented the protections offered by the hardened runtime, potentially exposing users to unnecessary security risks. Despite addressing some vulnerabilities, Microsoft has not yet fully resolved the issues across all its macOS applications, leaving apps like Excel, PowerPoint, Word, and Outlook still susceptible to attacks. This partial response has led to further concerns among security experts, who question the rationale behind disabling security measures like library validation when there’s no clear need for additional libraries to be loaded. 

The Cisco Talos team also pointed out that Apple could enhance the security of the TCC framework. One suggestion is to introduce prompts for users whenever third-party plugins are loaded into apps that have already been granted sensitive permissions. This added layer of security would help ensure that users are fully aware of any unusual or unauthorized activities within their applications. Given the current state of these vulnerabilities, both Microsoft and Apple may need to take more proactive steps to protect their users from potential threats. 

As digital communication tools continue to play a critical role in our daily lives, the importance of robust security measures cannot be overstated. In the meantime, Mac users who rely on Microsoft applications are advised to remain vigilant. Keeping their software up to date and monitoring for any unusual activities can help minimize the risk of exploitation. While these companies work on strengthening their defenses, user awareness and caution remain key to navigating the ever-evolving landscape of cybersecurity threats.
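As an added example (not Cisco Talos', Apple's or Microsoft's code), the following audit flags apps that combine the two conditions described above: a hardened-runtime exception that disables library validation, and an existing TCC grant for a sensitive service such as the camera or microphone. It assumes entitlements are supplied as the XML plist that `codesign -d --entitlements - --xml <app>` prints on macOS, and that TCC grants come from a copy of TCC.db whose `access` table has `client`, `service` and `auth_value` columns; the sample apps, entitlements and database rows are constructed.

```python
from __future__ import annotations

import plistlib
import sqlite3
from dataclasses import dataclass

# Hardened-runtime exception entitlements that let foreign code into the process.
# The first is the one the report singles out; the other two weaken the same boundary.
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
ALLOW_UNSIGNED_EXEC_MEMORY = "com.apple.security.cs.allow-unsigned-executable-memory"
INJECTION_WEAKENING = (DISABLE_LIBRARY_VALIDATION, ALLOW_DYLD_ENV, ALLOW_UNSIGNED_EXEC_MEMORY)

# TCC service identifiers for the resources the report says could be hijacked.
SENSITIVE_SERVICES = {
    "kTCCServiceCamera": "camera",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceAddressBook": "contacts",
    "kTCCServicePhotos": "photos",
    "kTCCServiceScreenCapture": "screen recording",
}
TCC_ALLOWED = 2  # auth_value meaning "allowed" in recent TCC.db rows (assumption)


def parse_entitlements(xml_plist: bytes) -> dict:
    """Parse the XML plist that `codesign -d --entitlements - --xml` prints."""
    return plistlib.loads(xml_plist)


def injection_weaknesses(entitlements: dict) -> list[str]:
    """Return the entitlements that let unsigned or third-party code load."""
    return [key for key in INJECTION_WEAKENING if entitlements.get(key) is True]


def read_tcc_grants(conn: sqlite3.Connection) -> dict[str, set[str]]:
    """Map bundle id -> set of TCC services the user has allowed for it."""
    grants: dict[str, set[str]] = {}
    rows = conn.execute("SELECT client, service FROM access WHERE auth_value = ?", (TCC_ALLOWED,))
    for client, service in rows:
        grants.setdefault(client, set()).add(service)
    return grants


@dataclass
class Finding:
    bundle_id: str
    weaknesses: list[str]
    sensitive_grants: list[str]

    @property
    def severity(self) -> str:
        # Code injected into a process that already holds a camera/mic grant
        # inherits that grant without any new TCC prompt: that is the high case.
        if self.weaknesses and self.sensitive_grants:
            return "high"
        if self.weaknesses:
            return "medium"
        return "info"


def audit(apps: dict[str, bytes], grants: dict[str, set[str]]) -> list[Finding]:
    """Combine each app's entitlements with its TCC grants, worst findings first."""
    findings = []
    for bundle_id, xml_plist in apps.items():
        ents = parse_entitlements(xml_plist)
        held = grants.get(bundle_id, set())
        sensitive = sorted(SENSITIVE_SERVICES[s] for s in held if s in SENSITIVE_SERVICES)
        findings.append(Finding(bundle_id, injection_weaknesses(ents), sensitive))
    return sorted(findings, key=lambda f: ("high", "medium", "info").index(f.severity))


# Constructed sample: three fictional apps and a TCC.db subset (not real data).
SAMPLE_APPS = {
    "com.example.chat": plistlib.dumps({DISABLE_LIBRARY_VALIDATION: True,
                                        "com.apple.security.cs.allow-jit": True}),
    "com.example.editor": plistlib.dumps({"com.apple.security.cs.allow-jit": True}),
    "com.example.notes": plistlib.dumps({DISABLE_LIBRARY_VALIDATION: True}),
}


def constructed_tcc_db() -> sqlite3.Connection:
    """In-memory stand-in for the `access` table of a user's TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.chat", 0, 2),
        ("kTCCServiceMicrophone", "com.example.chat", 0, 2),
        ("kTCCServiceCamera", "com.example.editor", 0, 2),
        ("kTCCServiceCamera", "com.example.notes", 0, 0),  # denied: not a grant
    ])
    return conn


def run_sample_audit() -> list[Finding]:
    return audit(SAMPLE_APPS, read_tcc_grants(constructed_tcc_db()))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.severity:6} {f.bundle_id}: weaknesses={f.weaknesses} grants={f.sensitive_grants}")
```

On a real Mac, feed `audit()` the entitlements of each bundle under /Applications and a copy of the user's TCC.db; reading that database itself requires Full Disk Access for the auditing process.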

New Report Reveals Rising Attacks on macOS Systems

A new report published by Intel471 reveals that macOS is increasingly being targeted by threat actors who develop malware specific to the operating system or use cross-platform languages to achieve their goals on Mac computers. It is also widely reported that macOS contains more vulnerabilities than other operating systems. Malware and exploits can be used in many ways to commit cybercrime and to spy on individuals and businesses.

According to a new report on the subject, macOS vulnerabilities exploited in 2023 increased by more than 30% compared to 2022. The Software Vulnerability Ratings Report 2024, issued by the patch management software company Action1, highlights several issues that should be addressed, including the fact that Microsoft Office programs are becoming easier to exploit and that attackers are increasingly targeting load balancers such as NGINX and Citrix.

Action1 analysts drew five insights into the threat landscape between 2022 and 2023 from data available in the National Vulnerability Database and on CVEdetails.com. The NVD has seen a significant slowdown in maintenance activity since February, as a large backlog of software and hardware flaws has been submitted to the National Institute of Standards and Technology.

NIST has said that the reason for the slowdown is that "the amount of software has increased and, therefore, so has the number of vulnerabilities as well as interagency support has changed." The Intel471 report observed that between January 2023 and July 2024, more than 40 malicious actors attacked macOS systems with a variety of malware types, most commonly infostealers and trojans.

In recent years, information-stealing malware, also known as infostealers, has become increasingly popular and widespread across all operating systems, and macOS is not exempt from this trend. The cloud security company Uptycs reported that incidents involving infostealers doubled in the first quarter of 2023 compared to the same period of the previous year. Additionally, the cybersecurity company Group-IB reported that underground sales of macOS infostealers have increased fivefold in the last five years.

Cybercriminals utilize several types of such software. They use it to steal login credentials, session cookies that enable authentication without credentials, and even more sensitive information such as credit card details or cryptocurrency wallet addresses. Some groups have also started using this software to harvest legitimate credentials, which are then sold to other criminals, most of whom buy them from such groups rather than from individuals. Atomic Stealer, also referred to as Atomic macOS Stealer or AMOS, has been one of the most popular macOS data-stealing tools since 2023.

It is designed to steal credentials and cryptocurrency wallet data from macOS devices and browsers. In addition, several other infostealers targeting macOS are being operated or advertised by cybercriminals. An anonymous threat actor nicknamed Code Hex advertised a macOS infostealer known as ShadowVault, which can steal data from multiple Chrome-based browsers, files stored on compromised computers, and Bitcoin wallets.

While many spyware providers have sold their services to state-sponsored threat actors in recent years, some of those actors also develop malware and tools aimed at macOS themselves. Among other threats, the North Korean threat actor BlueNoroff has developed a malware loader known as RustBucket, built specifically for macOS, which targets financial institutions involved in cryptocurrency-related activities.

Russian threat actors have also become known for their use of macOS malware, namely APT28, part of the Russian Main Directorate of the General Staff of the Armed Forces, and APT29, part of Russia's Foreign Intelligence Service. APT29 used the Empire cross-platform remote administration and post-exploitation framework which, although no longer supported, allowed macOS to be targeted.

The Vietnam-based threat actor APT32 also released a macOS backdoor that was used to target different types of organizations. The perception that macOS is safer is further reinforced by the relatively small amount of macOS-specific malware compared to Windows, which can make it seem like an easier target. Among the threat actors identified in the report, more than 40 are actively targeting macOS, and more than 20 are actively trying to acquire malicious software crafted specifically for macOS.

This happens in several ways, including the purchase of pre-existing malware as well as commissioning the creation of new malware. The recent focus on infostealers, which steal sensitive data such as login credentials, session cookies, and credit card numbers, highlights the immediate threat these attackers pose to consumers and businesses alike. Independent research also confirms the trend: the renowned security researcher Patrick Wardle reported in 2023 that he observed twice as many new macOS malicious programs as in the previous year.

In the short term, infostealers and RATs are expected to remain the most prevalent threats to macOS users. However, the increasing presence of ransomware and other malware families suggests a growing sophistication and diversification of threats.

The trend, coupled with the increasing number of threat actors targeting macOS, calls for heightened vigilance and proactive security measures. The report concludes with a stark warning: despite the perceived security of Apple products, macOS users should remain vigilant against various threats. The growing sophistication of malware and the increasing number of threat actors seeking to exploit vulnerabilities in the macOS ecosystem underscores the need for robust security measures, including the use of reputable antivirus software, regular software updates, and strong passwords. macOS systems must always be up to date and patched to avoid being affected by common security vulnerabilities. 

Security software should be deployed on systems to detect malware and suspicious activity. Email security solutions should also be used, as many initial breaches are spread via phishing emails. Finally, all employees need to be trained to spot potential social engineering techniques used in emails or instant messaging tools.

Major Security Flaw in WhatsApp and Signal MacOS Apps Puts User Data at Risk

A significant security warning has emerged for WhatsApp and Signal users this week, urging them to consider deleting their apps, particularly on MacOS. The issue, primarily affecting Apple users leveraging multi-device functionality, highlights severe vulnerabilities in the MacOS versions of these popular messaging platforms. Security researcher Tommy Mysk, known for uncovering critical vulnerabilities, recently disclosed that both WhatsApp and Signal MacOS apps store local data, including chat histories and media attachments, in locations accessible to any app or process running on the device. 

This is a stark contrast to Apple’s iMessage, which, despite storing similar data, uses sandboxing to prevent unauthorized access by other apps. The primary concern lies in how these apps handle local data storage. While WhatsApp and Signal emphasize end-to-end encryption for secure message transmission, this protection is compromised if local data can be accessed by other apps or malware. Mysk explained that the chat histories, the core of what these apps are designed to protect, are not sufficiently safeguarded on MacOS. The vulnerability means that if a malicious app gains access to the device, it could potentially monitor and exfiltrate the unencrypted local data. 

For WhatsApp, this includes both chat histories and media attachments. Mysk warned, “WhatsApp doesn’t encrypt the local database that stores chat histories. It doesn’t encrypt media attachments sent through the chat either. A simple malware could theoretically monitor this data and send it live to a remote server, rendering end-to-end encryption useless.” Signal, on the other hand, does encrypt local chat histories but fails to encrypt media attachments. More concerning is that the encryption key for the local chat history is stored in plain text within the same folder, making it accessible to other apps. This flaw undermines the app’s security, as an attacker could clone the local data folder to another device and restore the session. 

Mysk highlighted, “Signal’s false sense of security extends to their back-end servers. When copying the entire folder containing the app’s local data and moving the copy to a different Mac, an attacker can restore the session. Signal servers let the ‘cloned’ session co-exist with the other legit sessions.” The discovery underscores the persistent risk of endpoint compromise for fully encrypted platforms. While end-to-end encryption protects data in transit, the local storage vulnerabilities in these MacOS apps open potential pathways for remote or physical attacks. 

As users continue to rely on messaging apps for secure communication, these revelations call for immediate action from both WhatsApp and Signal to address these security gaps and reinforce their data protection measures on MacOS. For now, users should remain vigilant and consider the potential risks when using these platforms on their Mac devices.

Apple ID Shuts Down: Users Panic While Trying to Reset Password

Apple IDs serve as the gateway to our digital ecosystem. They unlock access to our beloved photos, messages, apps, and more. But what happens when that gateway suddenly slams shut, leaving us locked out and confused?

Recently, Apple users have been struggling with this very issue, as widespread reports of forced password resets have surfaced.

Locked out of your Apple ID? Here’s what you need to know

If you've been locked out of your Apple ID in the last day or so without warning, you're not alone.

Apple users have been suffering a wave of forced lockouts, with some indicating that they have been forced to reset their passwords to regain access.

The lockouts have resulted in customers losing access to their devices, but there appears to be no root cause or anything in common across incidents, and Apple has yet to comment on the matter. 

The company's System Status website indicates that all services are "operating normally," with Apple ID services particularly listed as "available."

The lockout mystery

If your Apple ID has locked you out, you might panic and try your usual password, but it’s useless. You’re left staring at the blank “Incorrect Password” message. What gives?

The cause behind these lockouts remains a mystery. Some experts believe it's a security measure triggered by suspicious activity, while others suspect a glitch in the matrix. Regardless, the concern is real. Users have taken to social media, sharing their stories of being shut out.

Have you had your password reset?

If your Apple ID has been locked out and you have had to change your password, any app-specific passwords you created will also need to be reset. That applies whether you use apps like Spark Mail, Fantastical, or any number of others.

It could potentially cause significant issues if you use iOS 17.3's Stolen Device Protection. You'll need to use biometrics on your iPhone, such as Face ID or Touch ID, to access your account or use Apple Pay.

Apple’s silence

As the lockout story unfolds, Apple has remained silent. No official statements, no explanations. The tech giant continues to operate, but users are scrambling to regain control of their digital lives. Is it a glitch? A security enhancement? For now, we can only wait for Apple's response.

What can you do?

1. Reset Your Password: Change the password. But remember the app-specific ones too.

2. Biometrics: If you’ve set up Face ID or Touch ID, use them to reclaim your digital ID.

3. Stay Tuned: Keep an eye on Apple’s official channels. 

The Rise of RustDoor and ALPHV Ransomware

According to a recent finding, cybersecurity researchers at Bitdefender have identified a concerning development in the growing pool of threats, as a new backdoor named Trojan.MAC.RustDoor is targeting macOS users. This particular threat bears connections to the nefarious ransomware family known as BlackCat/ALPHV, which has traditionally focused on Windows systems.

Trojan.MAC.RustDoor operates by disguising itself as an update for the widely used Visual Studio code editor, a tactic commonly employed by cybercriminals to deceive unsuspecting users. What sets this backdoor apart is its use of the Rust programming language, making it a unique and sophisticated threat in the macOS landscape. Bitdefender's advisory reveals that various iterations of this backdoor have been active for at least three months.

The malware's operating method involves collecting data from users' Desktop and Documents folders, including personal notes, which are then compressed into a ZIP archive. Subsequently, this sensitive information is transmitted to a command-and-control (C2) server, giving the attackers unauthorised access to the compromised systems.

Bitdefender researcher Andrei Lapusneau, in the advisory, emphasises that while there is not enough information to definitively attribute this campaign to a specific threat actor, certain artefacts and indicators of compromise (IoCs) suggest a possible link to the BlackBasta and ALPHV/BlackCat ransomware operators. Notably, three out of the four identified command-and-control servers have previously been associated with ransomware campaigns targeting Windows clients.

It is worth noting that the ALPHV/BlackCat ransomware, like Trojan.MAC.RustDoor, is coded in Rust, indicating a potential connection between the two threats. Historically, the BlackCat/ALPHV ransomware group has predominantly targeted Windows systems, with a particular focus on Microsoft Exchange Services.

As cybersecurity threats continue to multiply, it is crucial for macOS users to remain vigilant and take proactive measures to protect their systems. This latest event underscores the importance of staying informed about potential threats and adopting best practices for defending against them.

Users are advised to exercise caution when downloading and installing software updates, especially from unofficial sources. Employing reputable antivirus software and keeping systems up to date with the latest security patches can also serve as effective measures to mitigate the risk of falling victim to such malicious activity.

The identification of Trojan.MAC.RustDoor serves as a reminder that threats can manifest in unexpected ways, emphasising the need for ongoing practical methods and collaboration within the cybersecurity community to safeguard users against these potential cyber threats.

RustDoor Malware Deceives macOS Users with Visual Studio Update Scam

In a significant and alarming development within the cybersecurity landscape, a new malware strain named RustDoor has surfaced, specifically designed to target macOS users. What sets RustDoor apart from its counterparts is its sophisticated and deceptive tactic—it masquerades as a seemingly innocuous update for Visual Studio, a widely utilized integrated development environment. 

This method of infiltration is particularly insidious as it preys on the implicit trust users place in routine software updates, leading them to unwittingly download and install the malware onto their macOS systems. The RustDoor malware employs a crafty strategy by posing as a legitimate software update, exploiting the trust users inherently have in updates from well-known and reputable sources. By impersonating Visual Studio, a staple platform in the realm of software development, the creators of RustDoor aim to capitalize on the unsuspecting nature of users who regularly install updates to ensure the security and optimal performance of their software tools. 

Once the user falls victim to this ruse and installs what appears to be a genuine Visual Studio update, RustDoor gains unauthorized access to the system, potentially opening the door to a myriad of malicious activities. The implications of RustDoor extend beyond individual users, considering the widespread usage of Visual Studio among professionals and developers. A large-scale attack leveraging this malware could have profound consequences, underscoring the critical importance of vigilance and caution even in seemingly routine software update scenarios. 

Cybersecurity experts emphasize the need for users to rigorously verify the authenticity of update prompts, advocating for a thorough check of the source to ensure alignment with official channels before proceeding with installations. This incident serves as a stark reminder of the constantly evolving tactics employed by cybercriminals to infiltrate systems. 

It highlights the pressing need for ongoing innovation in cybersecurity measures to stay one step ahead of these ever-adapting threats. As the digital landscape continues to evolve, staying informed and adopting best practices becomes not just a recommendation but a critical imperative for individuals and organizations alike in defending against emerging cybersecurity challenges. 

In response to the RustDoor threat, users are advised to remain vigilant and implement additional security measures. Cybersecurity firms are actively working to develop and deploy updated threat detection mechanisms to identify and neutralize this malware.

Additionally, raising awareness among users about the potential risks associated with seemingly routine updates is crucial for building a resilient and informed digital community. By fostering a culture of cybersecurity awareness and proactive defense, the digital ecosystem can collectively strive towards creating a safer online environment for all users.

Hackers Drain Wallets via Cracked macOS Apps using Scripts Accessed From DNS Records


Hackers have found another clever way to deliver information-stealing malware to macOS users, this time through DNS records that hide malicious scripts.

The attack targets macOS Ventura and later and relies on cracked applications repackaged as PKG files that include a trojan.

Attack details

The attack was discovered by researchers at Kaspersky, following which they analyzed the stages of the infection chain. 

After downloading the application, victims follow the bundled installation instructions, unaware that they are actually executing the malware. They then open the bogus Activator window, which asks for the administrator password.

After acquiring that permission, the malware uses the 'AuthorizationExecuteWithPrivileges' API to execute a 'tool' executable (Mach-O). If Python 3 is not already installed on the system, it installs it, which to the user looks like "app patching."

The malware then contacts its C2 server, at a site named 'apple-health[.]org', in order to obtain a base64-encoded Python script that is designed to run arbitrary commands on the targeted device.

Researchers discovered that the attacker employed a clever technique to reach the C2 server at the right URL: a third-level domain name consisting of a random string of five letters and words from two hardcoded lists.

This way, the attacker was able to hide the activity in ordinary-looking traffic and download the Python script payload disguised as TXT records from the DNS server, requests that look perfectly common.

Three TXT entries, each a base64-encoded portion of an AES-encrypted message containing the Python script, were included in the DNS server's response.

This first Python script served as a downloader for a second Python script that captures and sends information about the compromised system, including the CPU type, installed apps, directory listings, operating system version, and external IP address.

Kaspersky notes that during its analysis, the C2 provided upgraded copies of the backdoor script, indicating continuing development, but the researchers did not observe any command execution, so this capability might not have been deployed yet.

Additionally, two functions in the downloaded script search the compromised system for Bitcoin Core and Exodus wallets; if they are detected, they replace the original wallets with backdoored versions obtained from 'apple-analyzer[.]com.'

The code in the compromised wallets transmits to the attacker's C2 server the seed phrase, password, name, and balance.

Users usually do not get suspicious when their wallet app suddenly asks them to re-enter their wallet details, making them vulnerable to getting their wallets emptied. 

Kaspersky's study publishes the cracked software used in this campaign as indicators of compromise. According to the researchers, these applications "are one of the easiest ways for malicious actors to get to users’ computers."

While using cracked programs to trick users into downloading malware is a popular attack vector, the campaign that Kaspersky examined demonstrates that threat actors are sufficiently crafty to devise novel ways of delivering the payload, such as concealing it in a DNS server's domain TXT record.  
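Detection logic for the delivery trick described above, added here as an example and not part of Kaspersky's research: it scans resolver log lines for TXT answers made up of several long, high-entropy base64 strings, the shape of the chunked, encrypted payload the campaign served, and ignores ordinary SPF, DMARC and verification records. The log format, client addresses and base64 chunks are constructed; the query name only mimics the random-label pattern the researchers described.

```python
import base64
import binascii
import hashlib
import math
import re
from collections import defaultdict

# Strict base64 alphabet: padding only at the end, nothing else allowed.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_CHUNK_LEN = 64      # SPF/DKIM/verification tokens are short or contain '=' and ';'
MIN_ENTROPY_BITS = 4.5  # per-character Shannon entropy; random base64 sits near 5.5-6.0
MIN_CHUNKS = 2          # a payload split over several TXT records, as in the campaign


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`."""
    if not text:
        return 0.0
    counts: dict = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_payload_chunk(txt: str) -> bool:
    """True when a TXT value is long, valid, high-entropy base64 (not SPF/DMARC/DKIM)."""
    if len(txt) < MIN_CHUNK_LEN or len(txt) % 4 or not BASE64_RE.match(txt):
        return False
    try:
        base64.b64decode(txt, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(txt) >= MIN_ENTROPY_BITS


def parse_line(line: str):
    """Constructed log format: '<ts> <client> <qname> <qtype> <answer>[|<answer>...]'."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, client, qname, qtype, answers = parts
    return {"ts": ts, "client": client, "qname": qname.lower(),
            "qtype": qtype.upper(), "answers": answers.split("|")}


def find_suspicious_txt(log_text: str) -> list:
    """One alert per (client, qname) whose TXT answers carry >= MIN_CHUNKS payload-like records."""
    chunks_seen = defaultdict(list)
    first_seen = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["qtype"] != "TXT":
            continue
        key = (rec["client"], rec["qname"])
        first_seen.setdefault(key, rec["ts"])
        chunks_seen[key].extend(a for a in rec["answers"] if looks_like_payload_chunk(a))
    alerts = []
    for (client, qname), chunks in chunks_seen.items():
        if len(chunks) >= MIN_CHUNKS:
            # Decoded size tells the analyst how much script the resolver just handed out.
            alerts.append({"ts": first_seen[(client, qname)], "client": client, "qname": qname,
                           "chunks": len(chunks),
                           "decoded_bytes": sum(len(base64.b64decode(c)) for c in chunks)})
    return alerts


def _stand_in_chunk(i: int) -> str:
    """Deterministic high-entropy bytes standing in for one encrypted payload fragment."""
    raw = b"".join(hashlib.sha256(b"fragment-%d-%d" % (i, j)).digest() for j in range(3))
    return base64.b64encode(raw).decode()


# Constructed resolver log (not real traffic). Line 2 mimics the campaign: a
# random-looking label under the C2 domain answered with three base64 chunks.
SAMPLE_LOG = "\n".join([
    "2024-01-21T10:00:01Z 10.0.0.7 www.example.com A 93.184.216.34",
    "2024-01-21T10:00:03Z 10.0.0.7 qzkrt-bridge-alpha.apple-health.org TXT "
    + "|".join(_stand_in_chunk(i) for i in range(3)),
    "2024-01-21T10:00:05Z 10.0.0.8 _dmarc.example.org TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "2024-01-21T10:00:09Z 10.0.0.7 example.net TXT v=spf1 include:_spf.example.net -all",
    "2024-01-21T10:00:11Z 10.0.0.9 example.org TXT google-site-verification=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghij",
])


if __name__ == "__main__":
    for alert in find_suspicious_txt(SAMPLE_LOG):
        print(alert)
```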

Bluetooth Security Flaw Strikes Apple, Linux, and Android Devices

Vulnerabilities in the constantly changing technology landscape present serious risks to the safety of our online lives. A significant Bluetooth security weakness that affects Apple, Linux, and Android devices has recently come to light in the cybersecurity community, potentially putting millions of users at risk of hacking.

The flaw, identified as CVE-2023-45866, was first brought to light by security researchers who detected a potential loophole in the Bluetooth communication protocol. The severity of the issue lies in its capability to allow hackers to take control of the targeted devices, potentially leading to unauthorized access, data theft, and even remote manipulation.

Security experts from SkySafe, a renowned cybersecurity firm, delved into the intricacies of the vulnerability and disclosed their findings on GitHub. If successfully employed, the exploit could lead to a myriad of security breaches, prompting urgent attention from device manufacturers and software developers alike.

Apple, a prominent player in the tech industry, was not exempt from the repercussions of this Bluetooth bug. The flaw could potentially enable hackers to hijack Apple devices, raising concerns among millions of iPhone, iPad, and MacBook users. Apple, known for its commitment to user security, has been swift in acknowledging the issue and is actively working on a patch to mitigate the vulnerability.

Linux, an open-source operating system widely used across various platforms, also faced the brunt of this security loophole. With a significant user base relying on Linux for its robustness and versatility, the impact of the Bluetooth flaw extends to diverse systems, emphasizing the urgency of a comprehensive solution.

Android, the dominant mobile operating system, issued a security bulletin addressing the Bluetooth vulnerability. The Android Security Bulletin for December 2023 outlined the potential risks and provided guidance on necessary patches and updates. As the flaw could compromise the security of Android devices, users are strongly advised to implement the recommended measures promptly.

Cybersecurity experts stated, "The discovery of this Bluetooth vulnerability is a stark reminder of the constant vigilance required in the digital age. It underscores the importance of prompt action by manufacturers and users to ensure the security and integrity of personal and sensitive information."

This Bluetooth security issue serves as a grim reminder of the ongoing fight against new cyber threats as the tech world grapples with its implications. To strengthen its commitment to a secure digital future, the IT industry is working together with developers, manufacturers, and consumers to quickly identify and fix vulnerabilities.

Adobe Patches 30 Acrobat, Reader Vulnerabilities


Adobe has recently released a large batch of security updates for its flagship Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and MacOS installations. In this blog post, we’ll take a closer look at the details of these updates and what they mean for users.

The Details

On Tuesday, Adobe released a critical-level advisory listing the 30 security flaws that were patched in this update. The company cautioned that successful exploitation of these vulnerabilities could result in application denial-of-service attacks, arbitrary code execution, memory leaks, and feature bypasses. Among the affected programs are Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.

The majority of the bugs were memory safety issues, according to Adobe. The company also claimed to be unaware of any public exploits of these vulnerabilities. In addition to these patches, Adobe also released a separate critical update addressing three security flaws.

What This Means for Users

For users of Adobe’s Acrobat and Reader software, this update is an important one to install. The vulnerabilities that have been patched could potentially allow attackers to execute arbitrary code on a user’s system or cause application denial-of-service attacks. By installing the updates, users can protect themselves from these potential threats.

It’s always important to keep software up-to-date with the latest security patches to ensure that your system is protected from known vulnerabilities. This is especially true for widely-used software like Adobe’s Acrobat and Reader programs.

What next?

Adobe’s recent release of security updates for its Acrobat and Reader software is an important step in protecting users from potential threats. By patching at least 30 vulnerabilities affecting Windows and MacOS installations, Adobe has taken proactive measures to ensure the safety and security of its users. As always, it’s important for users to install these updates as soon as possible to protect themselves from potential exploits.

New Malware can Allow Control of macOS Without Users Noticing


Cybersecurity company Guardz recently disclosed new malware that lets attackers take remote control of unprotected Macs. In a blog post, Guardz describes how a threat actor has been selling the tool on a Russian cybercrime forum since April 2023.

Hidden Virtual Network Computing (HVNC)

HVNC is malware that works much like VNC (Virtual Network Computing), a tool used to control computers remotely over the internet or other networks.

An IT department might, for instance, use VNC to diagnose an employee's computer, and the employee can see that the computer is being accessed. With HVNC, however, the target user is unaware of the access, which is what makes it useful to a threat actor for malicious purposes.

Reportedly, the malware is being sold on the Russian cybercrime forum Exploit. The threat actor is offering the HVNC for a "lifetime price of $60,000," and for an extra $20,000 the buyer can add "more malicious capabilities to the arsenal."

However, Guardz did not mention any instance of the tool being used outside of Macs. Moreover, the CVE.report database, which tracks vulnerabilities and exploits, has not yet recorded an entry for the HVNC malware, and Apple has not released an official statement.

How to Protect Oneself Against the Malware

While malware attacks are inevitable, users can protect themselves by taking certain measures.

First, make sure macOS is updated to the latest version. Apple builds safeguards into macOS and regularly releases security patches through OS updates, so it is important to install them as soon as they are made available.

macOS Ventura 13.5 is the latest version, so anyone on a different version is running an older release that needs to be updated. That said, Apple has also released security updates for its older operating systems, Monterey and Big Sur: Monterey 12.6.8 and Big Sur 11.7.9, released on July 24.
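As an added example, not from the original post, the POSIX shell script below checks an installed macOS version against the patched releases the post names (Ventura 13.5, Monterey 12.6.8, Big Sur 11.7.9). It reads the version with `sw_vers` when run on a Mac; elsewhere it runs over constructed sample versions.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a macOS version is at
# or above the patched release the post names for its major line: Ventura 13.5,
# Monterey 12.6.8, Big Sur 11.7.9. Anything older than Big Sur needs an update.

# version_ge A B: exit 0 if dotted version A >= B, compared field by field
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        [ -n "$_x" ] || _x=0
        [ -n "$_y" ] || _y=0
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# macos_patch_status VERSION: prints a verdict; exit 0 if current, 1 if not
macos_patch_status() {
    _v=$1; _major=${_v%%.*}
    case $_major in
        13) _min=13.5 ;;
        12) _min=12.6.8 ;;
        11) _min=11.7.9 ;;
        *)
            if [ "$_major" -gt 13 ] 2>/dev/null; then
                echo "current ($_v is newer than the releases listed)"; return 0
            fi
            echo "update-needed ($_v is older than Big Sur)"; return 1 ;;
    esac
    if version_ge "$_v" "$_min"; then
        echo "current ($_v >= $_min)"; return 0
    fi
    echo "update-needed ($_v < $_min)"; return 1
}

# On a Mac, check the installed version (exit status 1 means an update is due);
# elsewhere, run over constructed sample versions so the script works offline.
if command -v sw_vers >/dev/null 2>&1; then
    macos_patch_status "$(sw_vers -productVersion)"
else
    for _s in 13.5 13.4.1 12.6.8 12.6.7 11.7.9 10.15.7; do
        printf '%s: ' "$_s"; macos_patch_status "$_s" || true
    done
fi
```

The exit status makes the check usable from a fleet inventory script: a non-zero status means the machine is behind the patched release for its line.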

Since malware is often disguised as legitimate software distributed via email, web forums, and dubious websites, another safeguard is to download software only from trusted sources, such as the App Store or directly from the developer.

Users can also consult the guides available online, such as those on whether you need antivirus software, lists of Mac viruses, malware, and Trojans, and comparisons of Mac security software.

Atomic macOS Malware: New Malware Steals Credit Card Credentials in Chrome


A brand-new malware has apparently been targeting macOS. The malware, according to BleepingComputer, is named “Atomic” and was being sold to cybercriminals in darknet markets for $1,000 a month. 

The subscription provides an easy-to-use victim management UI that gives attackers access to highly sensitive information, such as keychain passwords, cookies, files from the local machine, and other data that can put victims in serious trouble.

What is Atomic Capable of? 

Atomic is an information stealer, and it can leave its victims considerably poorer. Buyers receive a DMG file containing a 64-bit Go-based malware program that can steal credit card information from browsers, including Yandex, Opera, Vivaldi, Microsoft Edge, Mozilla Firefox, and Google Chrome.

Once on a victim's Mac, Atomic may display a fake password prompt asking the user to enter their system password, giving the attackers access to the target's macOS computer.

Cryptocurrency holders are particularly at risk: more than 50 well-known cryptocurrency browser extensions, including MetaMask and Coinbase, are targets of this macOS malware.

Unfortunately, Atomic tends to go unnoticed: only one of 59 antivirus scanners flagged it as malicious.

How can you Protect Yourself from Atomic macOS Malware? 

Thankfully, Atomic does not hide in any official macOS services. It is distributed by its buyers through phishing emails, malware-laced torrents, and social media posts; some also use black-hat SEO to lure Google users into downloading malicious software that poses as legitimate applications.

If you hold cryptocurrency, use a well-known hardware wallet to protect yourself from digital-asset thieves, and avoid software wallets, which leave virtual currencies far more exposed.

Users are also advised to remove credit card information from Google Chrome by navigating to Settings > Autofill > Payment Methods, clicking the three-dot icon next to each credit card, and selecting "Turn off virtual card." To go a step further, visit pay.google.com, select Payment Methods, and click "Remove" next to each credit card.

Top Cybersecurity Trends to Watch Out for in 2023


Malwarebytes has just published its latest research on the state of malware in 2023. The report covers recent significant security developments, five cyber threat archetypes to watch out for this year, the most prevalent malware detected on Macs, and more.

Malwarebytes released the 30-page 2023 State of Malware report earlier this week. The company opens with:

"The traditional cybersecurity guidelines are obsolete. Your company can no longer only rely on the greatest security software to protect you from the most harmful malware used by your adversaries. The conflict is becoming more human; your best soldiers are up against their worst."

More than ever, malicious hackers are turning to social engineering as older attack avenues have closed. The report begins with six significant events from 2022 that affected cybersecurity:

Conflict in Ukraine: The conflict in Ukraine was strategically significant, making it a good subject for social engineering lures. According to the Malwarebytes Threat Intelligence team, the war was a common theme in attacks against German targets by alleged Russian state actors and against Russian targets by alleged Chinese state actors. 

Ransomware: Throughout 2022, ransomware organisations tried out a variety of new strategies, but few of them were successful. Purchasing access to businesses through disgruntled employees is one strategy that might be more successful in 2023.

Macros: One of the most effective malware delivery mechanisms ever created was finally stopped in 2022 when Microsoft announced that it would block macros in Office documents obtained from the Internet.

Authentication: It has taken a while to find a truly viable replacement, but in May, Google, Apple, and Microsoft announced their strong support for FIDO2, an established, current, and widely used standard for password-free authentication.

Roe v. Wade: The US Supreme Court's decision to overrule Roe v. Wade in June 2022 represented the most significant shift to data privacy in that year. As previously innocuous data points—like whereabouts, purchasing preferences, search histories, and menstrual cycles—acquired a potentially life-altering meaning, worries about digital privacy suddenly became widespread. 

TikTok: Brendan Carr, a commissioner for the US Federal Communications Commission, called the social media app TikTok "an intolerable national security danger" in June due to its vast data collection and "Beijing's apparently unfettered access to that sensitive material." 

The most prevalent Mac malware

Macs are not immune to malware, though they are less frequently attacked than Windows. Adware was the most typical detection on macOS in 2022, according to Malwarebytes. A single adware programme called OSX accounted for 10% of all detections on Mac. 

The "worst," according to the company, is Genio. Despite being categorised as adware, the report states that it exhibits malware-like behaviour in order to "dig deeper into the machines it's placed on, penetrating defences and compromising security in the name of making itself incredibly difficult to remove."

OSX.Genio makes money by intercepting users' web searches and injecting its own intrusive adverts into the results. Malware detections made up 11% of the total, while adware operators and a variety of other sources accounted for 14%.