More malware finds macOS, a French domain registrar loses control of 751 domain names, attackers demonstrate taking full control of a Segway MiniPro (while it’s being ridden), the Devil’s Ivy exploit leaves millions of IoT devices vulnerable, and more cryptocurrency is stolen, $30M more.
1. OSX/Dok targets Macs in bank account theft.
Due to the rise in popularity of Macs (3x market share growth in the last decade – Gartner) and the (false) perception that Macs are invulnerable to malware, we are seeing a rise in the number of malware ports from Windows to macOS.
The repackaged Windows Retefe Trojan has become OSX/Dok on Macs. This new Mac malware pushes Signal, a private messaging app, onto victims’ mobile devices as part of a complex operation to steal banking credentials. The initial attack starts with a phishing email that includes a malicious application signed with an Apple developer certificate, which helps it bypass macOS Gatekeeper (the macOS component that verifies downloaded apps are signed and haven’t been tampered with since they were signed).
After a successful install, OSX/Dok disables security updates and blocks communications with Apple and antivirus websites. Next, a Tor browser and a proxy configuration file are installed, which set up a man-in-the-middle attack and redirect traffic destined for a list of banking sites to fake sites hosted by the attackers, such as cbhbank, credit-suisse, etc. Once the attackers have captured the victim’s account information, they can do whatever they want with it.
When the victim visits one of these attacker-hosted sites, they are prompted to enter a mobile number to receive a download link for a mobile application (Signal, an encrypted messaging app). While Signal isn’t directly used in the attack, researchers believe the platform may be used to communicate with the impacted user at a later date.
More info and screenshots:
2. Gandi.net domain name registrar hacked – loses control of 751 domains
An unauthorized connection to a technical partner resulted in the modification of the name servers controlling 751 domain names, pointing their traffic to a malicious site.
The attacker was able to make the changes by accessing the web portal of a technical partner using covertly obtained login credentials. It is believed that the credentials were captured from an insecure connection to the technical partner’s web portal (the platform allows access over plain HTTP).
Additionally, the attacker hijacked email, DNS MX, and SPF records. The domain hijacking event also broke incoming HTTPS traffic to the affected domains.
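A change like this one surfaces first as broken HTTPS and bounced mail unless someone is watching the records. The script below is an added example (not code from the article, from Gandi, or from its technical partner) of the defensive check a domain owner can run on a schedule: it diffs an observed snapshot of a domain’s NS, MX and SPF records against an approved baseline and reports every deviation, ignoring cosmetic differences such as letter case and trailing dots. The domain example.com and every hostname in it are constructed placeholders; the snapshots are plain dicts so the check runs offline, and a production version would populate the observed snapshot from resolver queries.

```python
"""Baseline diff for registrar/DNS hijack detection (added example)."""
from typing import Dict, List, Tuple

RecordSet = Dict[str, List[str]]   # rtype -> list of rdata strings
Snapshot = Dict[str, RecordSet]    # domain -> RecordSet
Finding = Tuple[str, str, str]     # (domain, rtype, description)

# Constructed approved baseline; hostnames are assumptions for illustration.
BASELINE: Snapshot = {
    "example.com": {
        "NS": ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
        "MX": ["10 mail.example.com."],
        "TXT": ['"v=spf1 mx include:_spf.mailhost.example -all"'],
    },
}

# Constructed snapshot shaped like a hijack: NS and MX repointed to unknown
# hosts, and the SPF policy loosened so anyone can send mail as the domain.
OBSERVED_HIJACKED: Snapshot = {
    "example.com": {
        "NS": ["ns1.unknown-host.example.", "ns2.unknown-host.example."],
        "MX": ["10 mx.unknown-host.example."],
        "TXT": ['"v=spf1 +all"'],
    },
}

# Constructed snapshot that differs only cosmetically (case, trailing dot,
# record order) and must therefore produce no findings.
OBSERVED_CLEAN: Snapshot = {
    "example.com": {
        "NS": ["NS2.dns-provider.example", "ns1.dns-provider.example."],
        "MX": ["10 MAIL.example.com"],
        "TXT": ['"v=spf1 mx include:_spf.mailhost.example -all"'],
    },
}


def normalize(rdata: str) -> str:
    """Canonical form so case and trailing-dot differences are not alerts."""
    return rdata.strip().strip('"').rstrip(".").lower()


def spf_policy(txt_records: List[str]) -> str:
    """Return the normalized SPF record, or '' if the domain publishes none."""
    for txt in txt_records:
        value = normalize(txt)
        if value.startswith("v=spf1"):
            return value
    return ""


def diff_snapshot(baseline: Snapshot, observed: Snapshot) -> List[Finding]:
    """Report every NS/MX/SPF deviation of `observed` from `baseline`."""
    findings: List[Finding] = []
    for domain, expected in baseline.items():
        actual = observed.get(domain)
        if actual is None:
            findings.append((domain, "*", "domain missing from observed snapshot"))
            continue
        # Delegation (NS) and mail routing (MX) are compared as sets.
        for rtype in ("NS", "MX"):
            want = {normalize(r) for r in expected.get(rtype, [])}
            have = {normalize(r) for r in actual.get(rtype, [])}
            for added in sorted(have - want):
                findings.append((domain, rtype, f"unexpected record added: {added}"))
            for removed in sorted(want - have):
                findings.append((domain, rtype, f"expected record removed: {removed}"))
        # SPF lives in TXT; compare the policy string itself.
        want_spf = spf_policy(expected.get("TXT", []))
        have_spf = spf_policy(actual.get("TXT", []))
        if have_spf != want_spf:
            findings.append((domain, "SPF", f"policy changed: {want_spf!r} -> {have_spf!r}"))
        # A permissive 'all' mechanism lets any host send as the domain; flag it
        # on its own, even when the baseline already contained it.
        last_term = have_spf.split()[-1] if have_spf else ""
        if last_term in ("all", "+all", "?all"):
            findings.append((domain, "SPF", "permissive qualifier on 'all' mechanism"))
    return findings


if __name__ == "__main__":
    for label, snapshot in (("clean", OBSERVED_CLEAN), ("hijacked", OBSERVED_HIJACKED)):
        print(f"== {label} ==")
        for domain, rtype, text in diff_snapshot(BASELINE, snapshot):
            print(f"{domain} {rtype}: {text}")
```

Run on a schedule, each finding becomes an alert before customers notice; the separate check on the SPF `all` qualifier is deliberate, because a loosened SPF record is a weakness worth flagging even when a baseline was approved with it.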