Bug in macOS Could Allow Hackers Root Access

Do you own a Mac? Is it running Apple’s latest macOS, High Sierra? If so, be extra careful about who you let near your machine.

A security flaw recently discovered by a developer named Lemi Orhan Ergin can give anyone unfettered access to everything on your machine, and by extension an easy “in” to whatever network it’s connected to. All they need is physical access, or a remote session: if Screen Sharing or Remote Management is enabled, the same login prompt is reachable over the network.

Exploiting this vulnerability is a lesson in simplicity. All an attacker has to do is enter “root” in the username field, leave the password field blank, and press Enter (sometimes twice: the first attempt silently enables the root account with an empty password, the second one logs in).

Done.

They now have total access.

Needless to say, this is a large and glaring security issue, and one Apple will be remedying in the near future via a patch. Until then, the physical security of your Mac is paramount. Leaving your workstation unlocked and unattended, even for a few minutes, is all it would take to lose control of every file on the machine and hand an intruder a foothold into the more sensitive data elsewhere on your company’s network.

Unfortunately, as bad as this flaw is, it’s not Apple’s only recent stumble. Just last month, the company had to issue an emergency patch for Disk Utility, where the password hint for a newly created encrypted APFS volume displayed the actual password in plain text.

To try this exploit out for yourself to verify how easy it is to use, simply do the following:

  • Open System Preferences and select “Users & Groups”
  • Click the lock icon to make changes; a user name and password prompt appears
  • Type “root” in the user name field
  • Click into the password field, leave it empty, and press Enter; if the prompt does not unlock on the first try, press Enter again

That’s all there is to it.

Until Apple issues its patch, the best things you can do are to set a root password yourself (Apple’s own interim workaround: open Terminal and run sudo passwd root, which closes the hole because the bug only bites when root has no password) and to lock your screen whenever you step away. With the screen locked, an attacker at the keyboard would need your current password to get in.

Of course, they could simply power the machine off and reboot to reach the login window, but that takes time, during which they could be discovered.

It’s far from perfect, but for the time being, it’s the best protection you have.
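The check and the interim fix described above, as an added example (Python written for this page, not code from the article or from Apple): it classifies the state of the local root record that the blank-password bug depends on and prints the matching advice. It assumes a Mac with dscl on the PATH, that a disabled root account reports no AuthenticationAuthority attribute, and that a root account with a password carries a ShadowHash entry; the two sample outputs are constructed for illustration.

```python
"""Added example, not from the original article.

Classifies the state of the local "root" record that the blank-password
login bug depends on. Assumptions (not stated on the page): macOS 10.13.1,
`dscl` on PATH, a disabled root account has no AuthenticationAuthority
attribute, and a root account with a password carries ";ShadowHash;...".
"""
import platform
import subprocess

DSCL_CMD = ["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"]


def classify_root_record(dscl_output: str) -> str:
    """Map dscl output for /Users/root to one of three states.

    "no-hash":      attribute absent, root has no password hash at all.
                    This is the state the bug turns into an enabled root
                    account with an empty password.
    "hash-present": a ShadowHash entry exists, so root has a password
                    (if the exploit already ran, that password is empty).
    "unknown":      anything else; inspect the record by hand.
    """
    text = dscl_output.strip()
    if "ShadowHash" in text:
        return "hash-present"
    if not text or "No such key" in text:
        return "no-hash"
    return "unknown"


def read_root_record() -> str:
    """Run dscl on a Mac. stdout and stderr are combined because dscl
    reports a missing attribute on stderr ("No such key: ...")."""
    if platform.system() != "Darwin":
        raise RuntimeError("dscl is only available on macOS")
    proc = subprocess.run(DSCL_CMD, capture_output=True, text=True)
    return proc.stdout + proc.stderr


ADVICE = {
    "no-hash": "Set a root password now: `sudo passwd root`. Reports at the "
               "time were that disabling root again with `dsenableroot -d` "
               "removes the hash and reopens the hole, so leave root enabled "
               "with a strong password until Apple's update is installed.",
    "hash-present": "A root password hash exists. If you did not set it "
                    "yourself, assume the exploit already ran and reset it: "
                    "`sudo passwd root`.",
    "unknown": "Unexpected dscl output; inspect the record manually.",
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED = "No such key: AuthenticationAuthority\n"
SAMPLE_WITH_PASSWORD = (
    "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"
)

if __name__ == "__main__":
    try:
        output = read_root_record()
    except RuntimeError:
        output = SAMPLE_DISABLED  # demo on non-macOS hosts
    state = classify_root_record(output)
    print(state)
    print(ADVICE[state])
```

On a Mac, running the script reads the live record; elsewhere it falls back to the constructed sample so the classification logic can still be exercised.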

Virus Spread Through Facebook Messenger Mines For Cryptocurrency

Facebook scams are fairly common occurrences, owing to the sheer size of the platform’s user base. It’s no surprise that there’s a new one making the rounds that you should be aware of.

This latest threat was discovered by researchers at Trend Micro, who named it Digmine, and it spreads through Facebook Messenger. If you receive a message carrying a zip archive posing as a video (the file name usually follows the pattern “video_xxxx.zip”), don’t open it, even if it comes from someone you know.

The archive contains a downloader rather than a video. The payload it fetches is a modified build of “XMRig”, an open-source program for mining the cryptocurrency Monero.

When the user runs the file, the downloader quietly retrieves the miner and its components from the attackers’ server and installs them in the background, while opening a web page to keep up appearances. Once installed, the miner puts the infected PC’s processor to work computing Monero proof-of-work hashes, so the attackers accumulate a pool of stolen CPU time and the coins it earns.

The attackers have gone to some lengths to mask their intentions. The site looks like a video streaming service, and users who open the file will actually see a video playing. The website is also part of the command-and-control (C&C) infrastructure.

There are several intriguing things to note about this new threat:

  • It spreads only through Google Chrome on the desktop: the propagation component launches Chrome with a malicious extension which, if the victim’s Facebook account is set to log in automatically, sends the same lure to the victim’s Messenger contacts
  • It affects only Windows PCs and laptops. The mobile Messenger apps are not impacted
  • The miner and the propagation component take their configuration from the C&C server, so the operators can change or add functionality at any time

So far, the malware has been spreading mostly in Southeast Asia, but has also begun appearing in Ukraine and Venezuela. Given the global nature of Facebook’s user base, wider spread is only a matter of time, so be on the lookout for it. Don’t open attachments in Messenger, even if you think you know the sender.

Sound Waves May Be Used In Future Hard Drive Attacks

Another week, another attack vector, and this one deserves extra points for creativity.

New research has demonstrated that something as simple and innocuous as sound can disrupt the normal functioning of hard disk drives (HDDs), which in turn can be used to sabotage a wide range of equipment, from PCs to CCTV systems, ATMs and more.

Researchers have been aware of, and toyed with, the possibility of using sound to disrupt an HDD for more than a decade, but recent work by scientists from Princeton and Purdue universities has outlined exactly how such an attack can be carried out.

The attack exploits a protective feature of HDDs. Because they pack large amounts of data onto platters spinning beneath a read/write head that floats just above the surface, drives monitor for vibration and, when it exceeds a threshold, park the heads and suspend reads and writes rather than risk a head crash that would scratch the platter and destroy data. Sound at the right frequency makes the drive vibrate enough to trip that protection.

If an attacker can determine the effective frequency for a given drive, they can aim a tone at it that makes the drive stop responding. Played long enough, it leaves the host system needing a manual restart before the drive works again.

As the researchers showed, finding that frequency is simply a matter of sweeping through candidate frequencies while watching the drive’s throughput, but this is still a fairly exotic attack and not likely to see widespread use.

The biggest practical threat would be knocking out the drive in a DVR so that security cameras stop recording, creating a blind spot at a facility that could then be physically breached. But since the effective tones are within the range of human hearing, anyone in the vicinity could come and investigate.

Nonetheless, it’s an intriguing bit of research with potentially damaging implications.

New Wifi Standard WPA3 May Be Coming

Remember KRACK, the WPA2 vulnerability discovered by Mathy Vanhoef? It turns out his discovery was a catalyst for action. The Wi-Fi Alliance, the industry’s standards body, recently released details of its new WPA3 protocol.

Here’s a quick rundown of the changes you can expect to see in the months ahead:

  • Stronger encryption – Individualized data encryption means each device’s traffic to the access point is encrypted with its own key, even on open networks where no password is entered. For networks with higher requirements there is also an optional stronger cipher suite. According to the Wi-Fi Alliance, it will be “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, which will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.”
  • Configuring one Wi-Fi device from another – For example, you’ll be able to set up a network-connected smart device that has no display from a smartphone or PC that is already on the same network.
  • More protection – Beyond stronger encryption, the new standard protects against brute-force password guessing. WPA3-Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), so a captured handshake can no longer be cracked offline against a dictionary; every guess has to be tried live against the network, and the network can block a client after a number of failed attempts, much as web login systems do.

All of these are welcome changes indeed, but despite relatively quick action on the part of the WiFi Alliance, it will still be several months before consumers are able to purchase devices that offer WPA3 support.

Mathy Vanhoef, the researcher who brought the KRACK attack to the world’s attention, had this to say about the recent announcement:

“The standards behind WPA3 already existed for a while, but now, devices are required to support them. Otherwise, they won’t receive the WPA3-Certified label. Linux’s open source Wi-Fi client and access point already support the improved handshake, it just isn’t used in practice. But hopefully, that will change now.”

This is good news indeed, and will help make wireless networks more secure. Kudos to Mathy Vanhoef for his discovery, and for spurring the industry into action.
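Vanhoef’s point that the Linux access point already supports the improved handshake can be made concrete with hostapd, the Linux AP software. The following is an added example written for this page (not from the article, the Wi-Fi Alliance or the hostapd project): a small linter that flags a WPA2-PSK hostapd.conf and shows the WPA3-Personal (SAE) settings beside it. The option names are hostapd’s own; the two sample configurations and the passphrase are constructed for illustration.

```python
"""Added example, not from the article or the Wi-Fi Alliance.

A small linter for hostapd.conf that flags a WPA2-PSK network and shows the
WPA3-Personal (SAE) settings beside it. hostapd is the Linux access point
software Vanhoef refers to; option names are hostapd's own, the two sample
configurations are constructed here for illustration.
"""

# Constructed: a typical WPA2-Personal network as deployed today.
WEAK_CONF = """\
interface=wlan0
ssid=corp-guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP TKIP
wpa_passphrase=CorrectHorseBatteryStaple
ieee80211w=0
"""

# Constructed: the same network on WPA3-Personal. SAE replaces the PSK
# handshake (each password guess now needs a live exchange with the AP, so
# a captured handshake cannot be cracked offline) and management frame
# protection (PMF) is mandatory.
HARDENED_CONF = """\
interface=wlan0
ssid=corp-guest
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=CorrectHorseBatteryStaple
ieee80211w=2
sae_require_mfp=1
"""


def parse_hostapd(conf: str) -> dict:
    """hostapd.conf is flat key=value lines; '#' starts a comment."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def lint(conf: str) -> list:
    """Return a list of (code, explanation) findings; empty means clean."""
    o = parse_hostapd(conf)
    findings = []
    mgmt = set(o.get("wpa_key_mgmt", "").split())
    ciphers = set((o.get("rsn_pairwise", "") + " " + o.get("wpa_pairwise", "")).split())

    if o.get("wpa") != "2":
        findings.append(("wpa1", "wpa must be 2 (RSN only); 1 or 3 still offers WPA/TKIP"))
    if "SAE" not in mgmt:
        findings.append(("no-sae", "no SAE: the WPA2 4-way handshake can be captured and the passphrase guessed offline"))
    if "WPA-PSK" in mgmt:
        findings.append(("psk-offered", "WPA-PSK still offered; acceptable only as a transition mode for old clients"))
    if "TKIP" in ciphers:
        findings.append(("tkip", "TKIP pairwise cipher enabled; use CCMP only"))
    if o.get("ieee80211w", "0") != "2":
        findings.append(("pmf-optional", "ieee80211w should be 2: WPA3 requires management frame protection"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "clean")
```

A mixed deployment can list both methods (wpa_key_mgmt=WPA-PSK SAE) while old clients are phased out; the linter still reports psk-offered for that, because the PSK path remains reachable to anyone who can capture a handshake.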

Backdoor In Certain Lenovo Switches Discovered

Does your company use Lenovo RackSwitch or BladeCenter switches running ENOS (Enterprise Network Operating System)? If so, there has been a backdoor in your network you weren’t aware of. Even worse, it has been there since 2004.

Engineers at Lenovo discovered the backdoor in the firmware during an internal security audit. The product line reached Lenovo through a chain of acquisitions that began with Nortel’s blade switch business, and Lenovo only just became aware of the mechanism’s existence.

A spokesman for the company had this to say: “The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”

Updates are available on Lenovo’s website, and links to the updates are available inside the company’s security advisory on this topic.

It should be noted that this backdoor would be relatively difficult for an attacker to exploit: it is not a hidden account whose password could be guessed or brute-forced, but an authentication bypass that triggers only under a specific combination of settings. Lenovo’s advisory describes the configurations of security settings that activate the bypass.

In any case, the presence of a backdoor into your network (even one that’s hard to trigger) isn’t something to be taken lightly. If you’re able, grab the firmware updates from Lenovo at your next opportunity and close the hole. If that is impractical for some reason, Lenovo has spelled out mitigations your company can apply as a stopgap until the firmware updates are in place.

Kudos to Lenovo for their swift, deft handling of the issue!

Do Not Use These Chrome Extensions

Do you use any of the following Chrome browser extensions?

  • Change HTTP Request Header
  • Nyoogle – (a custom logo for Google)
  • Stickies – (a Post-It note for Chrome)
  • Lite Bookmarks

If so, you’re not alone. These four extensions have a combined user base of more than half a million.

Recently, security researchers at ICEBRG (a US cyber-security company) discovered malicious code embedded in copies of these extensions on the official Chrome Web Store. The code fetches and executes JavaScript of the attackers’ choosing in the user’s browser.

So far, the attackers have contented themselves with relatively tame activities such as loading and clicking ads and loading web pages in the background. The same mechanism could do much more, since the injected script runs with the extension’s privileges in every page it can reach.

Since ICEBRG informed Google, the company has removed three of the four extensions from the Web Store. As of this writing, only Nyoogle remains, and it is expected to be removed shortly.

While all four extensions use the same basic techniques and do many of the same things, it is not clear whether they were created by the same group, although that seems likely.

Now that the extensions have (mostly) been removed, new infections will slow. Of course, if you’ve already installed one of these four, it keeps running until you remove it.

Uninstalling an extension is easy (open chrome://extensions and click Remove), and if you use one of these, that is the recommended course of action.

In recent months, Google has taken steps to make its review process more robust, to keep malicious extensions and apps off the properties it manages. As this incident shows, no matter how careful a company is, sooner or later something slips through.

Mac Computers Battling New Malware For Hijacking DNS

It’s official: the first macOS malware of 2018 is here. Discovered by an independent security researcher and dubbed “OSX/MaMi,” it is functionally similar to the old DNSChanger malware.

The researcher posted his findings on the Malwarebytes forum, and none other than Patrick Wardle (a former NSA hacker) analyzed it, having this to say:

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads) or to insert cryptocurrency mining scripts into web pages.”

In addition, hooks were found in the code that would eventually allow it to:

  • Upload and download files
  • Execute commands
  • Generate simulated mouse events
  • Take screenshots

and more, although at present these features are not active, which marks the malware as a work still very much in development.

At the time of writing, no anti-malware or antivirus product detects this strain. That, of course, will change shortly. Meanwhile, the best way to check whether your machine is infected is to look at your DNS settings, either under System Preferences > Network > Advanced > DNS or by running scutil --dns in Terminal, and to look in Keychain Access for a root certificate you did not install.

Two values you don’t want to see there are 82.163.143.135 and 82.163.142.137.

If you’d rather not check manually, Patrick Wardle has written a free, open-source firewall for macOS called LuLu, available on GitHub. It alerts on new outgoing connections, so it would flag OSX/MaMi’s attempts to talk to the attackers’ infrastructure.

As threats go, this one is relatively minor, but it’s still early in the year, and whoever is behind it will no doubt keep improving it. Stay tuned.
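The manual DNS check described above, as an added example (Python written for this page, not code from the article or from Patrick Wardle’s tooling): it parses the output of scutil --dns and reports any resolver pointing at the two addresses named above. The sample output below is constructed to mirror scutil’s layout and was not captured from an infected machine.

```python
"""Added example, not from the article or from Patrick Wardle's tooling.

Parses `scutil --dns` output from a Mac and reports any resolver pointing at
the two OSX/MaMi addresses the article names. The sample output below is
constructed to mirror scutil's layout; it was not captured from an infected
machine.
"""
import platform
import re
import subprocess

MAMI_DNS_IOCS = {"82.163.143.135", "82.163.142.137"}  # from the article

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text: str) -> dict:
    """Map resolver number -> list of nameserver addresses, in file order."""
    resolvers = {}
    current = None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line.strip())
        if m:
            current = int(m.group(1))
            resolvers[current] = []
            continue
        m = NAMESERVER_RE.search(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def find_hijacked(text: str, iocs=MAMI_DNS_IOCS) -> list:
    """Return (resolver_number, address) pairs that match the IOC set."""
    return [
        (num, addr)
        for num, addrs in parse_scutil_dns(text).items()
        for addr in addrs
        if addr in iocs
    ]


def live_scutil_output() -> str:
    """Read the real configuration; only works on macOS."""
    if platform.system() != "Darwin":
        raise RuntimeError("scutil is only available on macOS")
    return subprocess.run(["scutil", "--dns"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample in scutil's layout: resolver #1 has been pointed at the
# MaMi servers, resolver #2 is the usual mDNS entry.
SAMPLE_HIJACKED = """\
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

# Constructed sample of a clean machine using its router as resolver.
SAMPLE_CLEAN = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 5 (en0)
"""

if __name__ == "__main__":
    try:
        text = live_scutil_output()
    except RuntimeError:
        text = SAMPLE_HIJACKED  # demo on non-macOS hosts
    hits = find_hijacked(text)
    print("MaMi resolvers found:" if hits else "no MaMi resolvers", hits)
```

Checking scutil rather than a single network service catches a hijack regardless of which interface the malware altered; extending MAMI_DNS_IOCS with newly published addresses keeps the same code useful as the family evolves.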

2 Million Credit Cards Stolen From Popular Sandwich Shop

By now, we’ve seen enough large-scale Point of Sale (POS) credit card thefts that patterns have emerged. Some companies handle the aftermath better than others, and deserve credit for it, but in the end the story is about the same.

That’s certainly the case with Jason’s Deli. The company recently discovered RAM-scraping malware on POS terminals at 164 of its locations, scattered across 14 states.

During the seven months before the malware was discovered, the company estimates that payment card data for some two million customers was stolen: credit and debit card numbers, expiration dates, cardholder names, service codes, and card verification values.

As is the case with most of these incidents, the company immediately contacted law enforcement and hired a third-party firm to assist with the forensic investigation, which is still ongoing.

Jason’s Deli’s handling of the aftermath has been well above average. The bottom line, however, is that unless companies start paying closer attention to data security, incidents like this will keep happening.

As a general rule, attackers prefer low-hanging fruit. There’s simply more money in attacking soft targets than hard ones. Your company doesn’t need bulletproof security to be safe from most attackers; it just has to be better than average. Obviously, the more robust your security is, the safer you will be.

Unfortunately, this painfully obvious lesson seems to be falling on too many deaf ears. Until that changes, we’ll keep reading about incidents like these. It’s costing businesses billions every year. Make sure your company isn’t next on the hit list.
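What a RAM scraper actually hunts for is the magnetic-stripe track data a POS application holds in memory between the swipe and the authorization request. The following added example (Python written for this page, not from the article or from the Jason’s Deli investigation) performs the same search, which also makes it a quick triage test to run over a memory dump from a terminal you suspect. The buffer is constructed with the well-known Luhn-valid test number 4111111111111111 and one Luhn-invalid decoy; no real card data is involved.

```python
"""Added example, not from the article or from the Jason's Deli investigation.

Shows what a POS RAM scraper hunts for: magnetic-stripe track data sitting
unencrypted in a payment process's memory. Run over a memory dump, the same
search is a quick triage test for exposed card data. The buffer below is
constructed with a Luhn-valid test PAN (4111111111111111) and a Luhn-invalid
decoy; no real card data is involved.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; filters most random digit runs the regexes hit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four, as a report would: 411111******1111."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> list:
    """Return one dict per Luhn-valid track record found in buf."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask(pan),
                "expiry": "20%s-%s" % (m.group("yy").decode(), m.group("mm").decode()),
                "service_code": m.group("svc").decode(),
            })
    return hits


# Constructed "memory": both tracks of one test card plus a decoy whose PAN
# fails the Luhn check, the way a random digit run in memory usually does.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TXN-4711\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00junk\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00;1234567890123456=2512101000?\x00"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_MEMORY):
        print(hit)
```

The service code recovered here is the same field the breach notice lists; a scraper that captures full track 2 data has everything needed to clone a magstripe card, which is why the finding is treated as a full card compromise.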

Blizzard Games Vulnerability Could Leave Gamers Open To Hacking

Do you play Blizzard’s online games, such as World of Warcraft, Diablo III, Hearthstone, StarCraft II or Overwatch? If so, there’s a potential problem you need to know about.

Tavis Ormandy, a researcher on Google’s Project Zero team, recently disclosed that the Blizzard Update Agent is vulnerable to an attack known as “DNS rebinding.”

The update agent accepts commands to install, uninstall, change settings, update and perform other maintenance tasks, which means it has a lot of power over the system you’re playing on.

Unfortunately, the agent’s JSON-RPC interface (listening on localhost, port 1120) does not check which hostname a request was addressed to. A malicious web page can therefore have its own domain name resolve first to the attacker’s server and then, after a short DNS time-to-live expires, to 127.0.0.1; the browser still treats the page as talking to “its” domain, so script on the page can send commands to the agent on the victim’s own machine. That includes injecting commands that use the updater to take over the computer.

Ormandy developed a proof of concept and contacted Blizzard when he made the discovery. The company was receptive for a time, but then abruptly and inexplicably ceased communication. Ormandy had this to say on the matter:

“Blizzard was replying to emails but stopped communicating on December 22nd.  Blizzard is no longer replying to any enquiries, and it looks like in version 5996, the Agent now has been silently patched with a bizarre solution. Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist.  I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple.  I’m not pleased that Blizzard pushed this patch without notifying me or consulting me on this.”

Since Ormandy went public with his findings, Blizzard has been in contact again, stating that a more robust fix is in the works, one that whitelists hostnames. Meanwhile, Ormandy is continuing to test other online games with large user bases (over 100 million users) for the same class of bug. If you’re an online gamer, be aware that you could be leaving a door unlocked.
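The two defences contrasted in Ormandy’s comment, as an added example (Python written for this page, not code from Blizzard’s agent or from Ormandy’s proof of concept): the executable-name hash blacklist Blizzard shipped first, and the hostname whitelist he proposed, both evaluated against a legitimate request and a rebinding request. The FNV-1a parameters are the standard 32-bit ones; the blacklisted names, the process names and the sample requests are constructed, since the real list is not public.

```python
"""Added example, not from Blizzard's agent or Ormandy's proof of concept.

Shows the two defences the article contrasts for a localhost JSON-RPC service
like the Blizzard Update Agent (port 1120): the executable-name hash blacklist
Blizzard shipped first, and the hostname whitelist Ormandy proposed. Names in
EXE_BLACKLIST and the request samples are constructed; the FNV-1a parameters
are the standard 32-bit ones.
"""

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the hash, then multiply by the prime."""
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


# Defence 1 (the shipped patch, as Ormandy describes it): look up the process
# that opened the connection and refuse it if the hash of its executable name
# is blacklisted. Constructed list; it blocks only the browsers it knows.
EXE_BLACKLIST = {fnv1a_32(name) for name in (b"chrome.exe", b"firefox.exe")}


def blocked_by_exename(exe_name: str) -> bool:
    return fnv1a_32(exe_name.lower().encode()) in EXE_BLACKLIST


# Defence 2 (Ormandy's proposal): only answer requests addressed to the agent
# itself. A rebinding request arrives with the attacker's domain in the Host
# header, because the browser sends the name the page used, not the address
# that name currently resolves to.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_only(host_header: str) -> str:
    """Strip the port: 'localhost:1120' -> 'localhost', '[::1]:1120' -> '[::1]'."""
    h = host_header.strip().lower()
    if h.startswith("["):                 # bracketed IPv6 literal
        return h.split("]", 1)[0] + "]"
    return h.split(":", 1)[0]


def host_allowed(host_header: str) -> bool:
    return host_only(host_header) in ALLOWED_HOSTS


def authorize(headers: dict, client_exe: str) -> dict:
    """Evaluate one request under both policies.

    `headers` are the HTTP request headers with lower-case keys; `client_exe`
    is the process name the agent looked up for the connecting socket.
    """
    return {
        "allowed_by_exe_blacklist": not blocked_by_exename(client_exe),
        "allowed_by_host_whitelist": host_allowed(headers.get("host", "")),
    }


# Constructed requests: a legitimate call from the game client, and a
# rebinding attack relayed by a browser the blacklist does not know about.
LEGIT = ({"host": "localhost:1120", "content-type": "application/json"},
         "Battle.net.exe")
REBIND = ({"host": "rebind.attacker.example:1120",
           "origin": "http://rebind.attacker.example"},
          "opera.exe")

if __name__ == "__main__":
    for label, (hdrs, exe) in (("legit", LEGIT), ("rebind", REBIND)):
        print(label, authorize(hdrs, exe))
```

The rebinding request passes the blacklist, because any browser, renamed binary or helper process not on the list gets through, while the Host check rejects it regardless of what program relayed it; that is the difference Ormandy is pointing at.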

700,000 Potentially Malicious Apps Removed From Google Last Year

Google recently released its Play Store security statistics for 2017. The results are both encouraging and disheartening. Overall, Google caught and removed more than 700,000 malicious or policy-violating apps from the Play Store, limiting their impact on its massive Android user base.

That’s unquestionably good news, but it has a dark side. The figure is a 70 percent increase over 2016. Attackers are not only relentless, they are picking up the pace dramatically.

Last year, Google made a significant change, consolidating Play Store security under Google Play Protect. This system is driven by detection software that automatically scans apps and flags any that exhibit questionable behavior, and it improves over time through machine learning.

So far, that approach seems to be working fairly well. It’s not without flaws, of course. Google found itself in the news a few times last year when malicious apps slipped past its detection mechanisms and were downloaded by several thousand users. Even so, it’s clear the company is committed to the process and takes the security of its users seriously. Given today’s digital landscape, that matters.

As for Google’s plans for 2018: more of the same. Continued, incremental improvements in Google Play Protect, continued support for the Zero-Day initiative, and a watchful eye on all things security-related. The company is by no means perfect, but it’s good to have a company of that size fighting back.

Of course, it still falls to each user to be careful about which apps you install on your devices. No matter what Google does this year, due diligence is still your last, best defense.