An Overlooked Way of Getting Malware Onto Mac’s

By: John Schnaufer

This article was about malware targeted against Macs that can be hidden in the Mac app store. The writer of the article says that although they found the vulnerability, no one has used it yet from what they can see.

This attack could be used by bypassing the code signing done before submission to the app store. The code signature checks or code signing is basically virtual security checks, to make sure the app is safe and stable. It was noticed that the code only gets checked once, and then the signature doesn’t get checked again. This means that an attacker can make a clean app, submit it to the app store, and then once it gets downloads from users, release an update infected with malware for the users to download. They can also steal or buy real code signatures and put them into their malicious app and it has the possibility of getting published to the app store for everyone to download.

The writer of the main article says, “As a result of this research, Reed himself added code signature verification to Malwarebytes Mac products so they now perform a check every time they launch.” Reed works at the company Malwarebytes and he put out an update to their software to check the code signature again of updates to apps. He even says, “A script kiddie could pull off something like this.” This shows how something should be done to fix this problem before others catch on and start infecting peoples computers with malware. This was released recently, so hopefully, it gets fixed soon. I remember when I made my app for the app store and I do not ever remember any checks being done to my updates after the initial release.

 

Source:

https://www.wired.com/story/mac-malware-hide-code-signing/

 

Facebook is Pushing Spyware as Security

Hidden inside the navigation menu of the facebook app (currently for iPhone only) lies a banner titled “Protect”. If you click this you will be redirected to download Onavo a “VPN Security” app for both iOS and android. This app was acquired by Facebook way back in 2013 but is just now being pushed. Sadly, Facebook didn’t have security in mind during this acquisition.

With the download of Onavo, Facebook has the ability to monitor user activity across all apps on their phone. This information gives Facebook a heads up on trend spotting allowing it to know which apps to buy next or if their changes affect the other social media giants. What it also does is invade the privacy of any user that downloads this product. Facebook hides this invasion by calling it protection and assuming users will look into the app’s description for more details. But, Onavo does it’s best to hide its spyware like behavior from the user, the details of which can’t be found until after the read more:

To provide this layer of protection, Onavo uses a VPN to establish a secure connection to direct all of your network communications through Onavo’s servers. As part of this process, Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences

Soon enough many users who think they are protecting their Facebook will accidentally be feeding more of their information into the product itself. This protective feature is one that can definitely be skipped when trying to secure your Facebook from unwanted security breaches. Instead follow a tutorial and secure your account on your own. And, in the future when Facebook suggests any apps to download be sure to read the fine print.

Sources:

– Bailey Pearson

Apple’s iBoot source code is leaked online

Apple is a company well known for it’s secrecy surrounding upcoming products and features. The company has it’s own dedicated Global Security team, tasked with monitoring possible leaks and tracking down the source. So it was a shock to many when the source code behind iBoot, the second-stage bootloader responsible for securely launching iOS, was leaked February 7th, 2018.

The source code that leaked was from a version of iBoot that ran alongside iOS 9.3, making it outdated by a couple of years. This may make it sound like there is little to no risk, given that Apple reports that only 7% of all active iOS devices are using a version of iOS less than 10. However, this code still holds significance in the world of mobile security, allowing security researchers and hackers alike to directly view the code responsible for checking code signatures and launching iOS on the iPhone, iPad, and iPod Touch.

Although the most up-to-date version of iBoot may eliminate some of the flaws that can be found in the leaked code, it is still entirely possible for vulnerabilities to still exist between both versions, and if not, the code still provides valuable insight for a low-level system process that could be used to compromise, or jailbreak, an iOS user’s device. Information learned from the source code could also lead to the future emulation of iOS on unsupported platforms.

The leak originated from a Reddit post made with a throw-away account in September of 2017 on the r/jailbreak subreddit, linking to a download of the source code. The post made little traction due to the subreddit’s policy for new users, however the leak gained publicity when links to the post began appearing on Twitter. Shortly after the original link was taken down, the code was re-uploaded to GitHub, and has continued to show up on the site despite Apple’s multiple DMCA take-down requests.

The iBoot leak itself also makes a statement for Apple’s security, which within the past week has dealt with numerous leaks of internal files and information, including future Apple Watch firmware, development Apple TV firmware, a large leak of private links to Apple sales material, and even the source code for the Baseband from iOS 9.3. Leaks like these can come from unsecured web servers as well as employees who either accidentally or purposefully give away the information. Apple has reportedly led investigations within the company to find leakers through their Global Security team, sometimes taking years to track down the source of an information leak. What Apple does now about their security in response to the breaches mentioned has yet to be seen.

Sources:

-Alex Noel

The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, new adware, that happens to pop up on a computer running Windows. But why do we not here about this happening on a Mac? The answer is hidden under the operating system, tracing it to it’s roots, along with the attacker’s target audience.

Apple Mac computers are a Unix based operating system. Unix is normally a very secure operating system with their own built in features. Along with this, Apple has added its own type of security features along with this. One of these features is called Gatekeeper. Gatekeeper blocks any software than hasn’t been digitally signed and approved by Apple. A second feature  used by Mac’s is known as the act of Sandboxing. The process involves the checking of applications to confirm that they are only doing what they’re supposed to be doing. Sandboxing also isolates the applications from system components and other parts of the computer that do not have anything to do with the app’s initial designed purpose. The final security that is used by Apple is called FileVault2, which is a simple file management system that encrypts all of the files on the Mac computers. These embedded securities created by Apple help to create a more secure system for their users.

Normally, it would be thought that Mac users would be an easy group to target, but based on recent data, it is seen by most attackers that the amount of people present in the Apple community is not worth the overall effort of making a virus or malware that can be successful for passing through all of the Apple security obstacles. The reason why there are very limited viruses/malware for Mac devices, is because the attackers have a greater and easier target audience for Windows users.

Regardless of the very few amount of Mac related viruses and malware, there have still been instances of them occurring. In just 2017, there has been a 230% increase in Mac malware. An example of this is the OSX/Dok malware. OSX/Dok occurred in April 2017 and was a trojan that would hijack all incoming and outgoing traffic with the Mac computer. The trojan was signed with a valid certificate from Apple, meaning that the hackers could have used a legitimate developers account to initialize this attack. Another attack that took place in February of 2017 was called MacDownloader. This adware would display to a user as a free update for the Adobe Flash Player. When the installer ran, the program would prompt the user that there is adware on the Mac and would prompt for the system password. This would then begin the process of transmitting data (ie. usernames, passwords, etc.) to a remote server. The final example of successful Mac malware would be one called Safari-Get. Happening in November of 2016, this was a type of social engineering that involved sending out links through emails and the link either opening multiple iTunes windows, or multiple draft emails (just depending on the Mac operating system version). This would cause the system to freeze or cause a memory overload and force a shutdown.

Regardless of the lack of effort put forth by attackers towards Mac users, there still should be some safety concern for users. This can be made easily by updating applications and being careful when clicking links or even opening certain files.

-Ryan Keihm

Sources

Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016

Vulnerabilities in systems without updated EFI

Recently there has been a study done. A company by the name of “Duo” has been analyzing the firmware in many models of Apple computers. What they had found is that while the OS may have been up to date, in some cases the computers EFI firmware was not. Duo’s reasoning behind using Apple products was that Apple themselves handle everything, from the software, to the hardware, and everything in between. This is not to say that the issue doesn’t occur on windows systems.

Actually, it might even be worse due to the fact that most windows systems use parts from other manufacturers. This essentially means that unless you update the firmware yourself you probably will not be receiving updates for it. On the other hand an Apple computer is usually set to install EFI firmware updates as the operating system updates. However, the problem has become when that doesn’t happen.

I’ve been going on about EFI and that it probably isn’t being properly updated on the systems, but what is it? EFI, or Extensible Firmware Interface, is a type of firmware. Firmware is a type of software that is fully independent from the operating system and can perform many tasks. The first and foremost job of EFI is to get your system up and running, though it can take on other roles like remote diagnostics to fix problems on a computer without anyone being present at the physical device.

So, what can be done by an attacker if your EFI isn’t up to date? Well, in an Apple system there are a few attacks that come to mind. The first being Thunderstrike. Basically what Thunderstrike allowed an attacker to do was flash a new EFI in place of the current Apple firmware version. This allowed for the attacker to have control of many aspects of the system without the user realizing it or being able to remove it. This mode of attack required physical access to one of the machines thunderbolt ports in order to write the new boot ROM. Later, Thunderstrike 2 came around. This did basically the same thing, except that the attacker could do it remotely.

Who is at risk? On average about 4.2% of the systems Duo analyzed had the wrong EFI version for their respective models. That doesn’t sound like a lot, but given the vast user base of Apple products this is actually quite a lot of systems. It also depends on the model you have. Some are more likely to have the wrong version over others. Duo released a table of Mac models that are likely to not have the correct firmware version.

Mac Model Version Number
iMac iMac7,1; iMac8,1; iMac9,1; iMac10,1
MacBook MacBook5,1; MacBook5,2
MacbookAir MacBookAir2,1
MacBookPro MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
MacPro MacPro3,1; MacPro4,1; MacPro5,1

If your device is listed in this table then it has the potential of not having the correct version of EFI firmware or the firmware may have never been updated at all.

The bottom line is that EFI is just important to keep up to date as our operating systems, but most of us don’t even realize that it’s an issue. It doesn’t generally affect system performance so we generally don’t even think about it. In the world of Apple consumers this shouldn’t be a problem, seeing as the newest updates were supposed to fix the issues of EFI patches not being installed. However if you are on a Windows, Linux, or any other type of system, you may want to update your EFI firmware. In most cases this comes as a BIOS update for your motherboard.

Duo analyzed about 73,000 real world Mac systems, only using systems with updates that had been released within the last three years.

–Brett Segraves

Duo also has their study publicly available in PDF format.
Duo Labs Report: The Apple of Your EFI

Sources:

Duo Apple of your EFI Security Research
Wired: Critical Code in Millions of Macs isn’t getting Apple’s Updates
Info-Security: Many Patched Macs Still Vulnerable Via EFI Issues