Sunday, January 14, 2018

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users

from https://thehackernews.com

A security researcher has revealed details of a new piece of undetectable malware targeting Apple's Mac computers, reportedly the first macOS malware of 2018.
Dubbed OSX/MaMi, the malware is an unsigned 64-bit Mach-O executable and is somewhat similar to the DNSChanger malware that had infected millions of computers worldwide by 2012.
DNSChanger-style malware changes the DNS server settings on infected computers, allowing attackers to resolve domain names to servers they control and so intercept or redirect the victim's internet traffic.
The malware first surfaced on the Malwarebytes forum, where a user asked about unknown malware that had infected a friend's computer and silently changed its macOS DNS settings to 82.163.143.135 and 82.163.142.137.
After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a DNS hijacker, one which also invokes the built-in security command-line tool to install a new root certificate in an attempt to intercept encrypted communications as well.
"OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways," Patrick said.
"By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)" or to insert cryptocurrency mining scripts into web pages.
Besides this, the OSX/MaMi macOS malware, which appears to be at an early stage, also has the following capabilities, most of which are not yet activated in version 1.1.0:
  • Take screenshots
  • Generate simulated mouse events
  • Perhaps persist as a launch item
  • Download and upload files
  • Execute commands
The motive, the author(s) behind the malware, and how it is spreading are currently unknown.
However, Patrick believes that the attackers could be using low-tech methods such as malicious emails, web-based fake security alerts and popups, or social engineering to target Mac users.
To check whether your Mac is infected with MaMi, inspect your DNS server settings: open System Preferences > Network, select the active interface, click Advanced and look at the DNS tab (or run scutil --dns in Terminal). In particular, look for 82.163.143.135 and 82.163.142.137. Because the malware also installs a root certificate, open Keychain Access and check the System keychain for a root certificate you did not add yourself; fixing the DNS servers alone would leave that certificate in place and the attackers still able to intercept TLS traffic.
According to VirusTotal, a multi-engine antivirus scanner, none of the 59 engines it runs detected this malware at the time of writing, so you are advised to use a third-party tool such as a firewall that can detect and block unexpected outgoing traffic.
You can also install LuLu, a free open-source macOS firewall created by Patrick and available on GitHub, which blocks suspicious outgoing traffic and can prevent OSX/MaMi from sending your data to its operators.
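The DNS check described above, as an added example that is not part of the article or of Patrick Wardle's tooling. Only the two resolver addresses come from the report; the function names are mine. The script matches the exact dotted quads so that a look-alike address such as 182.163.143.135 is not reported, and on a Mac it can read the live resolver list from scutil --dns, which includes per-interface and DHCP-supplied resolvers that a single network service's settings would miss.

```shell
#!/bin/sh
# Added example, not from the article or from Patrick Wardle's tooling: scan
# macOS resolver configuration for the two OSX/MaMi DNS servers the report
# names. The helper names below are mine; only the IP addresses are from the report.

MAMI_DNS_IOCS="82.163.143.135 82.163.142.137"

# mami_dns_hits: reads resolver configuration text on stdin (for instance the
# output of `scutil --dns` or `networksetup -getdnsservers Wi-Fi`), prints each
# indicator that appears, and returns 0 if any appeared, 1 if none did.
mami_dns_hits() {
    input=$(cat)
    rc=1
    for ip in $MAMI_DNS_IOCS; do
        # Escape the dots and anchor on non-address characters so that
        # 82.163.143.13 or 182.163.143.135 does not count as a match.
        pattern="(^|[^0-9.])$(printf '%s' "$ip" | sed 's/\./\\./g')([^0-9.]|$)"
        if printf '%s\n' "$input" | grep -Eq "$pattern"; then
            printf '%s\n' "$ip"
            rc=0
        fi
    done
    return $rc
}

# check_live_resolvers: run the check against the running system.
# Returns 0 if an indicator is configured, 1 if clean, 2 if not on macOS.
check_live_resolvers() {
    if ! command -v scutil >/dev/null 2>&1; then
        echo "scutil not found; the live check only runs on macOS" >&2
        return 2
    fi
    if hits=$(scutil --dns | mami_dns_hits); then
        echo "OSX/MaMi resolver address(es) configured:"
        echo "$hits"
        return 0
    fi
    echo "No OSX/MaMi resolver addresses configured"
    return 1
}

# Usage: `sh mami_check.sh --live` on the Mac itself, or pipe saved output
# into the parser: `scutil --dns | sh -c '. ./mami_check.sh; mami_dns_hits'`.
[ "${1:-}" = "--live" ] && check_live_resolvers
```

A hit on either address is only half the picture: the same script run after cleanup should come back clean, and the root certificate the malware adds has to be removed from the System keychain separately, since DNS settings and keychain trust are independent.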

Wednesday, December 27, 2017

First Lawsuits Filed Against Apple for Slowing iPhones

from extremetech.com
Over the years, iPhone owners have often wondered aloud whether Apple was doing something to slow down older devices. Now we know that yes, it does. Just a few days after admitting that it has been quietly throttling older iPhones with degraded batteries, Apple faces a pair of lawsuits alleging fraud and deceptive practices.

It became clear during the last few iOS version updates that Apple had opted to apply performance throttling to older devices, but it wasn’t until Geekbench ran comparisons across iOS versions that iPhone owners had any proof. Apple was forced to issue a statement in which it admitted to slowing down iPhones. In some ways its position makes sense, but the way it handled the situation is terrible.

The situation has to do with how lithium-ion batteries age. We’re all familiar with batteries losing capacity as they get old, but an aged cell also has a higher internal resistance, so its voltage sags more under a sudden load. It turns out Apple didn’t leave enough headroom for this, and the battery’s voltage can fall below what the custom A-series system-on-a-chip needs at peak demand. Without enough voltage, the phone can simply shut down without warning. Apple’s solution was to add performance throttling to iOS based on the battery’s measured condition. So, if your battery is degrading, your phone gets slow.

The first class-action lawsuit, filed in Illinois, accuses Apple of violating the Illinois Consumer Fraud and Deceptive Business Practices Act. Specifically, the filers point to Apple’s decision not to notify users that it was going to throttle their phones. As has been pointed out, very few people would suspect a battery issue as the root cause of sluggish performance. That could lead consumers simply to buy a new phone, which is to Apple’s advantage.

Another suit filed in Los Angeles claims Apple’s phone throttling plan “was never requested or agreed upon.” This suit also suggests Apple is hoping to get consumers to upgrade by slowing down their phones rather than simply reporting that the hardware might need service.

It looks like Apple’s decision to introduce this “feature” secretly is the main issue here. Even if Apple’s intentions were pure (which is certainly up for debate), making these performance changes in secret looks very suspicious. For a company that claims to care about the user experience, this whole fiasco makes Apple look quite disconnected from the concerns of its customers. Class actions like these are notoriously slow to litigate, so iPhone owners might end up with a small settlement in a couple years.

Monday, December 18, 2017

New MacOS malware steals bank log-in details and intellectual property

From https://www.scmagazineuk.com
Security researchers have discovered a new, invasive OSX.Pirrit adware variant targeting Mac OS X that enables cyber-criminals to take full control of a user's Mac computer.
The malware has already infected thousands of Mac computers around the world. According to a blog post by Amit Serper, principal security researcher at Cybereason, while usual adware campaigns enable the attackers to flood a person's computer with ads, this malware not only bombards Macs with adware, it spies on users and runs with the highest user privileges, enabling hackers to leverage this adware to capture personal information on the users, including bank account logins and intellectual property of businesses.

“To my surprise, it's very active. Not only is it still infecting people's Macs, OSX.Pirrit's authors learned from one of their mistakes (They obviously read at least one of our earlier reports),” said Serper.

He added that unlike old versions of OSX.Pirrit that used rogue browser plug-ins or even installed a proxy server on the victim's machine to hijack the browser, this incarnation uses AppleScript, Apple's scripting/automation language.

“And, like its predecessors, this variant is nasty. In addition to bombarding people with ads, it spies on them and runs under root privileges,” he said.

Serper said that the malware uses AppleScript to inject JavaScript code directly into the browser. He added that the code is “a great example of how an adtech company is borrowing nefarious tactics found in malware to make it hard for antivirus software and other security products to detect them.”

“There is no difference between traditional malware that steals data from its victims and adware that spies on people's Web browsing and targets them with ads, especially when those ads are for either fake antivirus programs or Apple support scams,” he said.

“As for OSX.Pirrit malware, it runs under root privileges, creates autoruns and generates random names for itself on each install. Plus, there are no removal instructions and some of its components mask themselves to appear like they're legitimate and from Apple.”

He said that a company called TargetingEdge created OSX.Pirrit and his research hasn't gone unnoticed by it.
“Cybereason has received a few cease and desist letters from a firm claiming to be TargetingEdge's legal counsel. The letters demand that we stop referring to TargetingEdge's software as malware and refrain from publishing this report,” he said.

Serper said that around 28 other antivirus engines on VirusTotal also classify it as malware. “The authors of this software went through great lengths to mask themselves and distance themselves from it,” he added. TargetingEdge claimed that it develops and operates a “legitimate and legal installer product for MAC users,” that its software is not malware and that it doesn't include any features of malware.

Kelvin Murray, threat research analyst at Webroot, told SC Media UK that users need to report any changes to the search or browser settings of their device to their admin, and need to be aware that such changes can be just one visible part of a much bigger problem. He added: “In addition, admins need to take the usual security measures including software updates, AV, and user education. Both the admin and users need to see this as yet another sign that Macs are not “virus proof” as is so commonly assumed and often ignored. There is a need for a stronger focus on OSX as security vulnerabilities are becoming more apparent, especially taking into account the event of the MacOS High Sierra.”

Sunday, December 17, 2017

Apple refunds Chinese woman after colleague unlocks her iPhone X using Face ID

from https://www.techworm.net

The USP of Apple’s 10th-anniversary premium smartphone, the iPhone X, is its Face ID technology, which according to the company provides high security and cannot be tricked.

However, Face ID failed when a colleague of a Chinese woman from Nanjing was able to unlock not one but two of her iPhone X handsets, the South China Morning Post reported.

The woman identified only by her surname Yan, from Nanjing, China told the Jiangsu Broadcasting Corporation that her co-worker was able to unlock both her iPhone X – original as well as the new one Apple gave her as a replacement – on every single attempt.

The first time it happened, Yan called the Apple hotline but the support team apparently refused to believe her. In order to demonstrate the facial recognition problem, Yan went to the nearest Apple Store along with her colleague to show the staff what happened.

Apple staff at the store said the camera might be faulty and gave Yan a refund, which she used to buy a new iPhone X, reported the South China Morning Post. However, she faced the same problem with the replacement iPhone X, prompting the store to offer a second refund, the report said.

It’s still not clear whether Yan has bought a third iPhone X with the refund money. Apple has yet to comment on the issue.

Sunday, December 3, 2017

Number of malware attacks on Macs increased by more than 70%

from https://de.business.f-secure.com

70% more malware against Macs
In the first three quarters of 2017, the number of malware attacks on Macs increased by more than 70% and PUA (potentially unwanted applications such as adware) by 50% over the previous year (source: F-Secure Labs). The number of threats is growing rapidly as attackers are clearly shifting their efforts towards the often-unprotected Macs.

On October 17, Reuters reported a security breach of Microsoft's internal vulnerability tracking system, a breach that had occurred more than four years earlier, in 2013. And what was the attack vector? Macs. Our security adviser Sean Sullivan suspected from the start that Macs were involved.

Back in February 2013, he had correctly deduced that Apple Macs were involved in a related hack on Twitter. Given the serious damage such hacks could have caused, Sean wrote:

"People who use their Mac for work should not have the same sense of security as home users. It's obvious that work-based Macs are more of a goal, and security expectations should be scaled according to the threat level. "

Nothing about the current Mac threat landscape has led Sean to question his earlier assessment. If you're using a Mac for business, Sean says, "You need to take the time to rethink your security profile."

The latest analysis from F-Secure Labs shows that the new malware is predominantly spyware and that over a third of the attacks are targeted. That should surprise no one: Macs need protection. However, there are huge differences in how companies have handled the security of their various endpoints. A quick way to close the gap is all-round protection such as Protection Service for Business, whose new version includes the XFENCE technology for Mac.

Glitch forces iPhones to reboot over and over

from fox8.com

NEW YORK – Apple iPhones were rebooting themselves over and over Saturday morning.

Phones across the world running iOS 11 encountered a glitch that triggered at 12:15 a.m. local time. A bug in the 11.1.2 software meant that phones with third-party apps that send recurring notifications, such as reminders from workout or medical apps, would reboot over and over.

Apple did not respond to a request for comment about the glitch and it’s unclear exactly how many users were affected.

A number of iPhone users took to social media and message boards to learn about the glitch and voice frustrations.

“Looks like i found this late but glad it’s patched. I thought my phone was having a hardware failure, worst iOS bug i’ve ever experienced. This was really bad,” wrote Reddit user KarlKrum.

“This is embarrassing. Facepalm,” wrote Reddit user Siannath.

The company took the unusual step of releasing a software update on a Saturday when it pushed iOS 11.2.

The update fixes the rebooting issue and also includes Apple Pay Cash, the company’s new peer-to-peer payment system, faster wireless charging, and new live wallpapers.

Apple typically releases software updates on Tuesdays.

This is just the latest in a string of glitches for Apple over the past few weeks.

In early November, users encountered an error with its text messaging service in which the device would change a typed lower case “i” into a capital “A.”

Earlier this week developers found a security flaw in the company’s macOS High Sierra computer operating system that allowed users to gain administrative access without inputting a password.

For users still experiencing the rebooting glitch, Apple recommends the following steps.

–Tap Settings > Notifications.

–Tap an app, then turn off Allow Notifications. Repeat this step for each app.

–Update your device to iOS 11.2.

–After updating, tap Settings > Notifications and turn Allow Notifications on again for each app.

Friday, October 6, 2017

"Forgot Password" button reveals your actual password

from nakedsecurity.sophos.com

It’s only eight days since Apple’s latest and greatest macOS 10.13 release, better known as High Sierra.

But the first security update has already come out, and we suggest you apply it urgently.

The update is called High Sierra 10.13 Supplemental Update, detailed in the security advisory APPLE-SA-2017-10-05-1.

There are two bugs fixed; the facepalming one is described thus:

[BUG.] A local attacker may gain access to an encrypted APFS volume. If a [password] hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint.
To explain.

APFS is short for Apple File System, Apple’s new way of organising hard disks that replaces the old (but still supported) HFS Plus, a 20-year-old filing system itself derived from Apple’s Hierarchical Filing System, or HFS, that dates back to the 1980s.

By some accounts, APFS was long overdue: HFS Plus dated from the early days of Mac OS, and wasn’t really designed for the Unix core that was introduced in OS X (now macOS).

For example, HFS Plus can’t deal with dates after 2040, and doesn’t allow multiple processes to access the filesystem at the same time, making it more sluggish and less future-proof than other widely-used filing systems such as NTFS on Windows and ext4 on Linux.

New drivers, new utilities

APFS was introduced as Apple’s default and preferred filing system in High Sierra.

This means new drivers inside the operating system to support disks formatted with the new system, and new features in Apple’s disk management utilities to prepare APFS disk volumes for use.

There are two main disk management tools in macOS – the easy-to-use graphical tool Disk Utility, and the super-powerful but arcane command line program diskutil.

It turns out that the APFS support in the High Sierra version of Disk Utility has feet of clay, as we’ll show here.

We erased a USB disk and created a new APFS (Encrypted) volume on it.

Disk Utility prompted us for a password (twice) and an optional hint.
We entered "keepthisSecret" as the password and "The hint should be shown" as the hint.

Disk Utility created the encrypted volume and mounted it automatically.
We unplugged the USB disk and then plugged it back in, and macOS asked for the password. We entered keepthisSecret and the disk was unlocked and mounted, showing that the password had been set as expected.
So far, so good, until we unplugged the device and plugged it back in:

Again, macOS asked for the password. This time, we clicked the [Show Hint] button before entering the password.
The password dialog revealed that "keepthisSecret" had been set as the hint as well as the password.

The text "The hint should be shown" had, it seemed, simply been thrown away.

In other words, if you set a password hint as suggested, anyone who stole your disk could “hack” the password simply by using Disk Utility’s [Show Hint] button!

What to do?

If you haven’t created any new APFS encrypted volumes since upgrading to High Sierra, you are OK. If you created an APFS encrypted volume but didn’t specify a hint, you are OK. If you created an APFS encrypted volume using diskutil, you are OK (the bug is in Disk Utility, not in the operating system itself).
If you upgraded to High Sierra from an earlier version of macOS, your disk will have been converted to APFS, but any hint you had before is left untouched (so far as we can tell), so you are OK.

Apply the APPLE-SA-2017-10-05-1 Supplemental Update as soon as you can.
By the way, you can blank out the password hint on any APFS volume, just in case, with the following diskutil command in a terminal window:

$ diskutil apfs hint /Volumes/[YOURNAME] -user disk -clear
Removing any hint from cryptographic user XXXXXXXX on APFS Volume diskYsZ
$

If there wasn’t a hint, no harm is done, but you’ll see an error message like this, so by repeating the above command until you provoke the error message, you can verify that any hint was indeed scrubbed:

Error editing cryptographic user on APFS Volume:
Unable to set APFS crypto user passphrase hint (-69554)
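
The clear-and-verify procedure just described, turned into a script. This is an added example, not part of the Naked Security article or of Apple's tooling: it runs the same diskutil apfs hint ... -user disk -clear command shown above against every mounted APFS volume and classifies diskutil's reply by the two messages quoted in the article ("Removing any hint ..." and the -69554 error). The function names and the sample replies in the comments are mine.

```shell
#!/bin/sh
# Added example, not from the article: scrub the passphrase hint from every
# mounted APFS volume with `diskutil apfs hint <volume> -user disk -clear`
# and verify the result the way the article suggests, by clearing a second
# time and expecting the "no hint" error. Helper names are mine.

# classify_hint_result: read one diskutil reply on stdin and print
#   cleared  - a hint existed and has now been removed
#   none     - no hint was set (diskutil reports error -69554)
#   unknown  - anything else (not an encrypted APFS volume, no ownership, ...)
classify_hint_result() {
    reply=$(cat)
    case "$reply" in
        *"Removing any hint"*) echo cleared ;;
        *"-69554"*)            echo none ;;
        *)                     echo unknown ;;
    esac
}

# clear_hint_verified: clear the hint on one volume, then clear again; the
# second attempt must come back as "none", which proves the hint is gone.
# Prints the outcome and returns 0 only when the volume ends hint-free.
clear_hint_verified() {
    volume=$1
    first=$(diskutil apfs hint "$volume" -user disk -clear 2>&1 | classify_hint_result)
    if [ "$first" = unknown ]; then
        echo "$volume: could not edit hint (not encrypted, or disk not owned?)"
        return 1
    fi
    second=$(diskutil apfs hint "$volume" -user disk -clear 2>&1 | classify_hint_result)
    if [ "$second" = none ]; then
        echo "$volume: hint $first, verified absent"
        return 0
    fi
    echo "$volume: verification failed ($second)"
    return 1
}

# apfs_mount_points_from: read `mount` output on stdin and print the mount
# point of each APFS volume, one per line. macOS prints lines such as
#   /dev/disk2s1 on /Volumes/My Disk (apfs, local, journaled)
# so the mount point is everything between " on " and " (apfs".
apfs_mount_points_from() {
    sed -n 's/^[^ ]* on \(.*\) (apfs[,)].*/\1/p'
}

mounted_apfs_volumes() {
    mount | apfs_mount_points_from
}

# Usage on a Mac: `sh scrub_apfs_hints.sh --all`
if [ "${1:-}" = "--all" ]; then
    mounted_apfs_volumes | while IFS= read -r vol; do
        clear_hint_verified "$vol" || true
    done
fi
```

Unencrypted APFS volumes have no crypto users, so diskutil rejects the command and they show up as "could not edit hint"; that is expected, not a failure. As the diskutil help text notes, ownership of the disk is required, so run the script as the user who owns the volumes (or with sudo).
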
Alternatively, you can overwrite the existing password hint by using the command line option -hint, instead of -clear, like this:

$ diskutil apfs hint /Volumes/[YOURNAME] -user disk -hint "Your hint here"
Setting hint "Your hint here" for cryptographic user XXXXXXXX on APFS Volume diskYsZ
$

Whatever you do, though, don’t follow the suggestions of Apple’s own diskutil help text, which offers this terrible advice:

$ diskutil apfs hint help
[. . . .]
Set a passphrase hint for an existing cryptographic user; you can specify
"disk" for the "Disk" user. Specifying "-clear" will remove any hint.
Ownership of the affected disks is required.
Example:  diskutil apfs setPassphraseHint disk5s1 -user disk -hint NameOfMyPet
$

Pets’ names make dreadful passwords, because they’re usually neither secret nor hard to guess, and setting a hint that tells a crook you have made a dreadful password choice just makes a bad thing worse.

Of course, if you had set a hint with Disk Utility, then for all you know someone who knew the [Show Hint] trick might have seen your password, so you ought to change it.

You can update the passphrase on an APFS Encrypted volume quickly and easily as follows:

$ diskutil apfs changepassphrase /Volumes/[YOURNAME] -user disk
Old passphrase for user XXXXXXXX: ..........
New passphrase: ..........
Repeat new passphrase: ..........
Changing passphrase for cryptographic user XXXXXXXX on APFS Volume diskYsZ
Passphrase changed successfully
$

A bad look for Apple, letting a buggy system utility like that into a production release…

…but a creditable response by Apple in getting a fix out quickly.