More malware finds MacOS, French domain registrar loses control of 751 domain names, attackers demonstrate taking full control of a Segway MiniPro (while its being ridden), the Devil’s Ivy exploit leaves millions of IOT devices vulnerable, and more cryptocurrency is stolen, $30M more.
1. OSX/Dok targets Macs in bank account theft.
Due to the rise in popularity of Macs (3x market share growth in the last decade – Gartner) and the (false) stigma that Macs are invulnerable to malware, we are seeing a rise in the number of malware ports from macOS to windows.
Repackaged Windows Retefe Trojan has become OSX/Dok on Macs. This new Mac malware is pushing Signal, a private messaging app onto victims’ mobile devices as part of a complex operation to steal banking credentials. The initial attack starts with a phishing email that includes a malicious application signed with an Apple certificate which helps to bypass macOS Gatekeeper (an app that verifies apps haven’t been tampered with since they were signed).
After a successful install, the malware OSX/Dok disables security updates and blocks communications with Apple and antivirus websites. Next, a Tor browser and proxy file are installed, which setup a man-in-the-middle attack and redirect user traffic to a list of banking sites to a fake sites hosted by the attackers such as cbhbank, credit-suisse, etc. Once the attackers have captured the victim’s account information they have access to do whatever they want with it.
When the victim visits one of these sites (hosted by the attacker) they are prompted to enter a mobile number to receive a download link for a mobile application (Signal – an encrypted messaging app). While Signal isn’t directly used in the attack, researchers believe that the platform may be used to communicate with the impacted user at a later date.
More info and screenshots:
https://www.grahamcluley.com/dok-mac-malware/
2. Gandi.net domain name registrar hacked – losses control of 751 domains
An unauthorized connection to a technical partner resulted in the modification of the name servers controlling 751 domain names pointing their traffic to a malicious site.
The attacker was able to make the changes by accessing the web portal of a technical partner using covertly gained login-credentials. It is believed that the credentials were obtained from an insecure connection to the technical partner’s web portal (the platform allows access via http).
Additionally, the attacker also hijacked email, DNS MX, and SPF records. The domain hijacking event also broke incoming HTTPS traffic to the affected domains.
Once notified Gandi.net reacted quickly and has since cleaned up after the attack. A full time line of events here:
https://news.gandi.net/en/2017/07/detailed-incident-report/
Vulnerabilities exposed by an IOActive security analyst expose 3 critical issues.
These 3 vulnerabilities (now patched) would have allowed attackers to locate nearby Segway MiniPros, push malicious firmware, and take over the scooters. The Segway MiniPro app which connects to the MiniPro over Bluetooth allows device settings can be altered and firmware updates approved. However, Bluetooth authentication wasn’t enforced in many areas of the system allowing commands to be sent to the scooter without PIN authentication.
Because the software update platform didn’t have an integrity check to authenticate firmware updates, an attacker could fool the device into allowing a firmware update to be installed that could override the programming and shutoff any off its built in safety mechanisms.
IOActive provided the results of their testing to Ninebot, Segway’s parent company. The issues have largely been addressed through validation of firmware updates by cryptographic signing, elimination of the “Find Users Nearby” feature, and enhancing security around its Bluetooth communication protocols.
Video showing an attacker taking over a Segway MiniPro
https://www.wired.com/story/segway-minipro-hack/
A stack buffer overflow bug, nicknamed Devil’s Ivy by its discoverers at IoT security firm Senrio affects tens of millions of IoT devices. The bug was originally discovered in 249 different camera models manufactured by Axis. The bug allows attackers to remotely access video feeds or prevent the devices owner from accessing the feed. The bug lies in gSOAP a C and C++ development toolkit used in XML parsing and web services. More than 34 companies use gSOAP in their IOT products, additionally many Fortune 500 companies use the gSOAP code in various ways including Cisco, Microsoft, Xerox, IBM and Adobe.
gSOAP manager Genivia has released a patch for gSOAP, but because many companies use the shared library, the vulnerability exists in a large number of devices.
The exploit happens when 2GB of data is uploaded to the webserver. When the source code was reviewed in 2002 the bug was not discovered. Likely, in part due to the fact that moving 2GB of data on the internet was not something that was regularly done outside of large corporations.
More details of the exploit and a video showing an attack:
https://www.uhwo.hawaii.edu/cyber/devils-ivy/
A total of 599 multi-sig wallets were exploited, 3 by the attacker, and the rest commandeered by the “White Hat Group” which used the same exploit to secure the other compromised wallets with the stated intention to return the wallets to the original owners.
According to UK based Parity Technologies, developers of Parity Wallet software “The bug was in a pair of extremely sensitive functions designed to allow the set-up of "multi-sig" wallets in the Parity Wallet software.”
Blockchain specialist Manual Araoz (Proof of Existence creator) suggests that the 3 multi-sig wallets affected by the hack belong to Edgeless Casino, Swarm City and æternity blockchain.
Parity Technologies has stated that the bug has been fixed. Future precautions are being taken to ensure that this doesn’t happen again, one of those measures includes setting up a bug bounty program.
Parity Technologies Post Mortem:
https://blog.ethcore.io/the-multi-sig-hack-a-postmortem/
Manuel Araoz
https://twitter.com/maraoz/status/887755889897295872