
Tag: Mac OSX

Threatpost News Wrap, May 12, 2017

The news of the week is discussed, including this week's Microsoft Malware Protection Engine bug, Handbrake OS X malware, the HP keylogger, Trump's Cybersecurity EO, and more.

Hajime, the mysterious evolving botnet

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks.
In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.

Unraveling the Lamberts Toolkit

The Lamberts is a family of sophisticated attack tools that has been used by one or multiple threat actors against high-profile victims since at least 2008.

The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers.

BrandPost: How Does a 20X Speed-Up in Python Grab You?

Thanks to Intel, I just got a 20X speed-up in Python that I can turn on and off with a single command.

And this wasn't even in ideal conditions, but in a virtual environment: openSUSE Linux (Tumbleweed) running on a VBox on my quad-core iMac. What I did can be done on Windows, Linux, or OS X. Intel doesn't list openSUSE on their list of tested Linux configurations (SUSE Enterprise is on the list), but it worked perfectly for me.

Here's how I did it:

1. Download the Anaconda command-line installer from https://www.continuum.io/downloads.

Apple pushes security update to OS X Yosemite and El Capitan

Apple has a surprise for OS X Yosemite and El Capitan users -- a security update.

Malware That Targets Both Microsoft, Apple Operating Systems Found

A new strain of malware is designed to spread malware on either Mac OS X or Microsoft Windows, depending on where it’s opened.

Future iOS update will shut the door on apps from the...

Apple is on track to complete its 32-to-64-bit transition in just four years.

Apple quashes bugs in iOS, macOS, and Safari

Apple on Monday updated macOS Sierra to 10.12.3, patching 11 security vulnerabilities and addressing a graphics hardware problem in the latest 15-in. MacBook Pro laptop. At the same time, Apple released iOS 10.2.1, an update that fixed 18 security flaws, the bulk of them in WebKit, the foundation of the baked-in Safari browser. According to Apple's typically terse update documentation, macOS 10.12.3 "improves automatic graphics switching on MacBook Pro (15-in., October 2016)." Another fix addressed "graphics issues" on both the 15-in. and the smaller 13-in. sibling when encoding in Adobe Premiere Pro; that bug attracted attention after a video showing a notebook wildly cycling through colors went viral.

Apple unveiled the new MacBook Pro on Oct. 29. Its most notable feature was the "Touch Bar," a narrow display above the top row of keys that responds to gestures and adapts to the active application. The same update also patched nearly a dozen vulnerabilities, most of them critical.

A pair of kernel bugs reported to Apple by Google Project Zero, for instance, was cited as having the potential to “execute arbitrary code,” Apple-speak for a very serious vulnerability ranking. iOS was also refreshed Monday, with 10.2.1 offered to iPhone and iPad owners. Apple described only the 18 vulnerabilities patched by the update.

Thirteen of those flaws were within WebKit, the open-source project that produces the rendering engine that powers Safari. Safari on macOS was also updated to patch 12 of the 13 bugs quashed in the iOS version. Labeled Safari 10.0.3, it was packaged with the Sierra 10.12.3 update, but was made available separately to Mac owners running the older OS X Yosemite and OS X El Capitan, Sierra's predecessors. Although no description in the Safari 10.0.3 update mentioned the bug reported by Consumer Reports (the flaw resulted in the magazine initially refusing to recommend the new MacBook Pro notebooks because of unusual battery test results), Apple previously said it dealt with the flaw in a beta leading up to macOS 10.12.3. If so, it should also have been fixed in the Safari-only update.

The iOS, macOS and Sierra updates will be automatically offered on the appropriate devices. Users can manually trigger an update on a Mac by selecting "App Store" from the Apple menu, then choosing "Updates" from the row of icons at the top of the window. On iPhones and iPads, users can begin an update by touching "Settings," then "General," then "Software Update."

This story, "Apple quashes bugs in iOS, macOS, and Safari" was originally published by Computerworld.

Microsoft fixes remote desktop app Mac hole

Full read/write access was there for the taking

Microsoft has patched a code execution hole in its Mac remote desktop client that grants read and write access to home directories if users do no more than click a link, says Italian security researcher Filippo Cavallarin. The hole was patched 17 January. Cavallarin says the flaw allowed remote attackers to execute arbitrary code on vulnerable machines if users did no more than click phishing links. From there, attackers would gain read and write access to Mac home directories.

"Microsoft Remote Desktop Client for Mac OS X allows a malicious terminal server to read and write any file in the home directory of the connecting user," Cavallarin says. "The vulnerability exists due to the way the application handles rdp urls. In the rdp url schema it's possible to specify a parameter that will make the user's home directory accessible to the server without any warning or confirmation request.

"If an attacker can trick a user to open a malicious rdp url, they can read and write any file within the victim's home directory."

Mac OS X apps like Safari, Mail, and Messages by default open clicked rdp urls without confirmation. This drastically shortens the attack chain of most phishing attacks, which require users to be convinced by some form of narrative to open links and attachments, and again to fill out personal data and credentials into fake forms. Cavallarin included a proof-of-concept with his disclosure, increasing the need for users to apply the Microsoft updates.

Researchers ID Decades-Old 'Fruitfly' Mac Malware

It uses antiquated code, possibly to decrease chances of detection. A rare strain of malware known as "Fruitfly" appears to have been lurking in the dusty corners of macOS for years, taking advantage of vulnerabilities in code that hasn't been update...

Newly discovered Mac malware found in the wild also works well...

A newly discovered family of Mac malware has been conducting detailed surveillance on targeted networks, possibly for more than two years, a researcher reported Wednesday. The malware, which a recent Mac OS update released by Apple is detecting as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the release of the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.

"The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac," Thomas Reed, director of Mac offerings at Malwarebytes, wrote in the post. "This led to the discovery of a piece of malware unlike anything I've seen before, which appears to have actually been in existence, undetected for some time, and which seems to be targeting biomedical research centers."

Ancient artifacts

The malware contains coding functions that were in vogue prior to the first release of OS X in 2001. Open source code known as libjpeg, which the malware uses to open or create JPG-formatted image files, was last updated in 1998. It's possible Fruitfly wasn't developed until much later and simply incorporated those antiquated components. Still other evidence, including a comment in the code referring to a change made in Yosemite and a launch agent file with a creation date of January 2015, suggests the malware has been in the wild for at least two years.

"The only reason I can think of that this malware hasn't been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure," Reed wrote. "There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research.

Although there is no evidence at this point linking this malware to a specific group, the fact that it's been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage."

Another intriguing finding: with the exception of the Mac-formatted Mach object file binary, the entire Fruitfly malware library runs just fine on Linux computers. Reed said Malwarebytes has yet to spot a Linux variant, but he said he wouldn't be surprised if one existed. He said he has also come across Windows-based malware that connected to the same control server used by the Mac malware.

Despite its functionality, Fruitfly remains unsophisticated compared to some malware. Its control servers are simply the IP address 99.153.29.240 and the dynamic DNS address eidk.hopto.org. Its method for keeping Macs infected even after they're rebooted, a hidden file and a launch agent, is also outdated because it's so easy to detect and remove. People who work with Macs inside research labs should consider checking their machines for infections.

Besides the update automatically pushed by Apple, Malwarebytes also detects the infection, although it's known as OSX.Backdoor.Quimitchin.

‘Ancient’ Mac backdoor discovered that targets medical research firms

More secure than PC? Ha!

Security researchers at Malwarebytes have discovered a Mac backdoor using antiquated code that targets biomedical research facilities. The malware was probably created years ago but has only recently been discovered. Malwarebytes speculates that it wasn't found before because it was only ever used in targeted attacks, limiting its exposure. US and European scientific research is known to be targeted by Chinese and Russian hackers. The malware only came to light after an alert admin spotted strange outgoing network traffic from a particular Mac.

This led to the discovery of a piece of malware, which Malwarebytes detects as Quimitchin. The malware features antique system calls, some dating back to pre-OS X days. In addition, the binary also includes the open-source libjpeg code, which was last updated in 1998.

"The presence of Linux shell commands in the original script led us to try running this malware on a Linux machine, where we found that – with the exception of the Mach-O binary – everything ran just fine," Malwarebytes explains. "This suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample."

The malware is primarily geared towards screen captures and webcam access on compromised Mac boxes. It is also capable of remote control and mapping the local network. Apple, which calls the malware Fruitfly, is said to be about to release protection against the nasty. Other security vendors can be expected to follow. Malwarebytes is due to publish more information on the malicious software in a blog post due to be published on Wednesday afternoon.

Bootnote

Quimitchin were Aztec spies who would infiltrate other tribes. "Given the 'ancient' code, we thought the name fitting," Malwarebytes said.