An Overlooked Way of Getting Malware Onto Macs

By: John Schnaufer

This article was about malware targeted against Macs that can be hidden in the Mac app store. The writer of the article says that although they found the vulnerability, no one has used it yet from what they can see.

This attack could be used by bypassing the code signing done before submission to the app store. Code signature checks, or code signing, are basically virtual security checks to make sure the app is safe and stable. It was noticed that the code only gets checked once, and then the signature doesn’t get checked again. This means that an attacker can make a clean app, submit it to the app store, and then, once it gets downloads from users, release an update infected with malware for the users to download. They can also steal or buy real code signatures and put them into their malicious app, which then has the possibility of getting published to the app store for everyone to download.

The writer of the main article says, “As a result of this research, Reed himself added code signature verification to Malwarebytes Mac products so they now perform a check every time they launch.” Reed works at the company Malwarebytes and he put out an update to their software to check the code signature again of updates to apps. He even says, “A script kiddie could pull off something like this.” This shows how something should be done to fix this problem before others catch on and start infecting people’s computers with malware. This was released recently, so hopefully, it gets fixed soon. I remember when I made my app for the app store and I do not ever remember any checks being done to my updates after the initial release.

 

Source:

https://www.wired.com/story/mac-malware-hide-code-signing/

 

A New Form of Cold Boot Attacks

By Robert Gray:

Security researchers at F-Secure have developed a new method to extract encryption keys or other sensitive data in memory from a laptop in sleep mode if an attacker can gain physical access to it.

A quick explanation of how this type of cold boot attack works.

A “cold reboot” occurs when a computer is improperly shut down.  When that happens, the contents of the system RAM briefly remain after power is lost and might be readable when the system boots back up.  In response to this security issue, computer manufacturers programmed the BIOS to overwrite the RAM early in the boot process.  This new issue comes in how this fix was implemented.  The BIOS stores a value in flash storage to determine whether it needs to wipe the RAM on the next boot, but that value can be set by the operating system or through hardware tweaking.  An attacker can then boot the system from a USB drive and read the contents of memory.

This attack is theoretically possible against any Windows-based computer or any Apple computer released prior to 2018 that an attacker can gain physical access to.  Microsoft’s current recommendation is for anyone using encryption to use Hibernate mode instead of Suspend mode for keeping a laptop in sleep, as Hibernate wipes any encryption keys from RAM.  A more complete fix will require hardware and BIOS changes and likely will not be available for a while.

Sources:
https://blog.f-secure.com/cold-boot-attacks/
https://arstechnica.com/gadgets/2018/09/cold-boot-attacks-given-new-life-with-firmware-attack/

How Abandoned Domain Names Pose a Major Cyber Risk to Your Business

Many businesses don’t realize that abandoning domain names they no longer use can pose a huge security threat. A domain name is a name you can register to identify your business on the internet. For Canadian businesses, this is typically a domain name ending in .com or .ca such as example.com.ca. This is a typical example of a domain name. The problem with domain names is that they usually hold onto a decent amount of information about the company, and their renewal is left to lower-level technicians or outsourced IT support providers. Domain renewals are often seen as a waste of money by many companies due to circumstances such as a change of brand name, restructuring of the company, or abandoning the domain as a whole. The issue of the abandoned domain name occurs when the domain is no longer paid for and is out of service, so it becomes available for anyone to claim after a certain grace period. After this grace period is over and the domain is up for grabs, even attackers can claim the domain name that was left behind, with no proof of identity or ownership regarding the domain. After the domain is snatched by a new owner, the domain can then be set up with a “catch-all” email service, which means emails meant for the previous owner will be rerouted to the new owner of the domain and can end up in the hands of an attacker. As stated by the article “online services often only rely on an email address as a single factor for password resets meaning online services once held by staff of the previous owner can be hijacked.” This is an example of how hijacking an old domain can be devastating to a business.

 This is an image from the article that shows researchers were able to access documents intended for the former clients. (Source: blog.gaborszathmari.me)

Oftentimes, even if businesses have merged into one, there is still sensitive information to be leaked through emails between clients, colleagues, vendors, suppliers, and service providers.

Research by Gabor Szathmari and Jeremiah Cruz found that they were able to:

  • access confidential documents of former clients;
  • access confidential email correspondence;
  • access personal information of former clients;
  • hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
  • hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff by re-registering abandoned domain names belonging to former businesses.

Active LinkedIn accounts belonging to former staff can be hijacked via abandoned internet domains (Source: blog.gaborszathmari.me)

There are many steps one can take to protect their data from abandoned domains. According to the Australian Cyber Security Centre, the following steps should be taken to minimize risks for businesses:

  • Keep renewing your old domain names indefinitely and do not let them expire and be abandoned, especially if the domain name was once used for email.
  • Close cloud-based user accounts that were registered with the old domain email address (this can be difficult to do for domains with a large number of email addresses).
  • Unsubscribe from email notifications which may feature sensitive data, such as text-to-email services and banking notifications.
  • Advise clients to update their address book.
  • Enable two-factor authentication, where the feature is supported for online services.
  • Use unique and complex passwords.

– Rusaf Talukder

Sources:

https://securityboulevard.com/2018/09/how-abandoned-domain-names-pose-a-major-cyber-risk-to-your-business/

https://cyber.gov.au/individual/news/domain-names/

https://www.csoonline.com/article/3300164/hacking/dont-abandon-that-domain-name.html

https://blog.gaborszathmari.me/2018/09/18/abandoned-domain-names-are-risk-to-businesses/
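
The mitigations listed above (keep renewing domains that were used for email, close accounts registered under old addresses, enable two-factor authentication) can be turned into a routine audit. The following is an added example, not code from the article or from the researchers; the domain names, dates, account export and the `audit` function are constructed for illustration, and the 90-day warning window is an assumption.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data (not from the article): domains the business has ever used.
DOMAINS = {
    # domain: (registration expiry, was it ever used for email?)
    "oldbrand.example": (date(2018, 10, 15), True),
    "merged-firm.example": (date(2019, 6, 1), True),
    "promo-site.example": (date(2018, 9, 1), False),
    "current.example": (date(2021, 1, 1), True),
}

# Constructed export of staff accounts held on third-party services.
ACCOUNTS_CSV = """service,login_email,two_factor
LinkedIn,alice@oldbrand.example,no
Court portal,bob@oldbrand.example,yes
Banking alerts,ops@merged-firm.example,no
Facebook,carol@current.example,no
"""


def audit(domains, accounts_csv, today, warn_days=90):
    """Return (domain findings, account findings), riskiest first."""
    horizon = today + timedelta(days=warn_days)
    at_risk = {}
    for name, (expiry, used_for_email) in domains.items():
        if expiry <= horizon:
            status = "EXPIRED" if expiry < today else "EXPIRING"
            at_risk[name] = (status, used_for_email)
    # Domains once used for email come first, then already-expired ones.
    domain_findings = sorted(
        ((n, s, e) for n, (s, e) in at_risk.items()),
        key=lambda f: (not f[2], f[1] != "EXPIRED", f[0]),
    )
    account_findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        domain = row["login_email"].rsplit("@", 1)[-1].lower()
        if domain in at_risk:
            # Email-only password reset is the hijack path; 2FA adds a second factor.
            severity = "HIGH" if row["two_factor"].strip().lower() != "yes" else "MEDIUM"
            account_findings.append((severity, row["service"], row["login_email"]))
    account_findings.sort()
    return domain_findings, account_findings


if __name__ == "__main__":
    doms, accts = audit(DOMAINS, ACCOUNTS_CSV, today=date(2018, 9, 25))
    for finding in doms + accts:
        print(*finding)
```

Accounts flagged HIGH are the ones to close or move to a current address before the domain is allowed to lapse.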

Recent Zero-Day Vulnerabilities disclosed on Twitter

By Stuart Nevans Locke:

 
Within the last few weeks, two Zero-Day exploits were disclosed on Twitter. Typically, exploits are reported to the company with a vulnerable product, researchers wait until the company fixes the vulnerability, and after patches are released for the exploit the vulnerability is made public. Companies that run bug bounty programs often pay researchers for finding vulnerabilities; however, those companies almost always pay researchers less than they could get if they sold those vulnerabilities on the black market. Some bug bounty programs can also have extremely limited scope or are reluctant to reward researchers with bounties. As a result, companies such as Zerodium have formed which operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 to researchers who found a remote code execution vulnerability that resulted in root access, while the bug bounty program run by Tor would pay a maximum of $4,000.

On September 10, Zerodium released a tweet saying that the NoScript plugin of Tor Browser version 7.x could be trivially bypassed. The NoScript plugin is made for Firefox and bundled into Tor Browser. Its primary purpose is to prevent JavaScript from running in your browser. While a vulnerability that bypasses NoScript would not be enough to de-anonymize users of the Tor Browser, it could be a useful step in running JavaScript-based exploits to do so. What makes this case of irresponsible disclosure so interesting is that Zerodium is in the business of buying and selling vulnerabilities, not giving them away on Twitter for no reason. This has caused speculation about why they released the vulnerability, and theories range from it being a PR move to them having more severe exploits in other versions of Tor.

Just a few days earlier, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a Local Privilege Escalation Exploit that worked on fully updated Windows machines. Both the source code and a Proof of Concept (PoC) were published by the researcher. In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Very quickly after SandboxEscaper released this exploit, malware in the wild began to use the exploit.

The most worrisome thing about these two vulnerabilities is how they were both disclosed in such irresponsible manners, allowing them to be exploited in the wild before NoScript and Microsoft had time to put out patches. One of the important things that cybersecurity researchers emphasize is the process of responsible disclosure, and it’s extremely worrisome to see this completely ignored by multiple sources.

Some Sources:
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)

Third Major Vulnerability in Intel Chips This Year

Researchers from KU Leuven, Technion – Israel Institute of Technology, University of Adelaide, and the University of Michigan collaborated to discover the third major vulnerability in Intel CPUs this year. They named it Foreshadow. Foreshadow is similar to two attacks that were discovered earlier this year — Spectre and Meltdown.

To explain briefly, Spectre, Meltdown, and Foreshadow are all vulnerabilities that result from hardware issues. Nearly every processor made by Intel after the year 1995 that utilizes out-of-order execution is vulnerable to Meltdown. Spectre is a vulnerability that is based on exploiting the side effects of speculative execution — an optimization technique which speeds up computer operations by doing tasks in advance that may or may not be necessary. Meltdown looks into memory (L1, L2, L3, RAM) and Spectre tricks programs into leaking information. Patches have been released for these vulnerabilities, but they are not a fix and may (will) decrease system performance. Example of Meltdown: https://www.youtube.com/watch?v=RbHbFkh6eeE

Foreshadow is a new vulnerability that affects Intel chips made after 2015. It affects CPUs that have the Software Guard Extensions feature (SGX). SGX allows programs to create “Lock Boxes” in Intel chips that the operating system cannot access. This means that even if your computer is infected with malware, it cannot access information that is guarded by SGX.

 

“But we discovered we could specifically target a lock box within Intel’s processors. It would let you leak any data you want out of these secure enclaves.”

— Prof Thomas Wenisch from the University of Michigan

 

Intel stated that there have been no reports of these vulnerabilities being used by hackers. There are far more obvious and easier approaches to hacking. Nevertheless, this highlights the importance of sticking to safety procedures such as regularly updating and patching. There will always be errors and vulnerabilities in systems, hardware, and initial design. The longer you operate on older versions, the longer the hackers have to discover and make use of those vulnerabilities.

– Cheng Ye

Sources:

https://www.techrepublic.com/article/intel-foreshadow-exploit-how-to-protect-yourself-from-latest-chip-vulnerability/

https://www.bbc.com/news/technology-45191697?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-correspondent

https://meltdownattack.com/