{"id":63157,"date":"2017-02-24T09:29:58","date_gmt":"2017-02-24T17:29:58","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=63157"},"modified":"2017-03-02T09:39:17","modified_gmt":"2017-03-02T17:39:17","slug":"month-in-review-apple-security-in-february-2017","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/month-in-review-apple-security-in-february-2017\/","title":{"rendered":"Month in Review: Apple Security in February 2017"},"content":{"rendered":"

\"Month<\/p>\n

Another month, another round of Apple\u00a0security news. Like last month, February has certainly\u00a0kept the news coming\u2014this time including a tidal wave of new malware designed to infect Macs.<\/p>\n

New Mac Malware:\u00a0Filecoder\/Findzip Ransomware<\/h3>\n

<\/p>\n

Yesterday the story broke that a new ransomware Trojan horse affecting Macs is out there in the wild. Called OSX\/Filecoder<\/strong> by Intego and OSX.Findzip.A<\/strong> by Apple, the malware masquerades as a “patcher” or cracking tool for\u00a0illegally unlocking unlicensed copies of Adobe Premiere Pro CC or Microsoft Office 2016.<\/p>\n

Whilst the Trojan horse app\u00a0pretends to do some mysterious\u00a0cracking magic, instead it\u00a0surreptitiously encrypts all of the user’s documents, after which read-me files are dropped onto the desktop requesting payment of a multi-hundred dollar ransom to recover the\u00a0user’s files.<\/p>\n

Check out Intego’s write-up for more details:\u00a0Patcher Ransomware Attacks macOS, Encrypts Files Permanently<\/a>.<\/p>\n

New Mac Malware: Sofacy XAgent<\/h3>\n

The biggest buzz in Mac malware this month involved a backdoor associated with a group known variously as Sofacy, APT28, and Fancy Bear. The malware itself is dubbed OSX\/Sofacy.gen<\/strong> by Intego, and OSX.XAgent.A<\/strong> by Apple. If a Mac has previously been infected by Sofacy’s malware known as Komplex, that malware may download and install XAgent as a secondary infection.<\/p>\n

<\/p>\n

Intego VirusBarrier<\/a> detects Sofacy XAgent<\/p>\n

XAgent includes functions to allow an attacker to do just about anything with your Mac, including but not limited to logging everything you type (including your passwords), automatically taking a screenshot every ten seconds, stealing iPhone and\u00a0iPad backups, and accessing the command shell (effectively equivalent to typing commands into your Mac’s Terminal app).<\/p>\n

For further details on this malware, see Intego’s article:\u00a0Komplex Malware: The Return of Sofacy’s XAgent<\/a>.<\/p>\n

New Mac Malware: iKittens<\/h3>\n

\"\"Earlier this month, a report<\/a> was published describing Mac malware called MacDownloader<\/strong> or OSX.iKitten.A<\/strong>. The malware was targeted at the United States defense industry, and was distributed through a site that impersonated an aerospace firm (as depicted in the screenshot; image credit: Iran Threats<\/a>).<\/p>\n

The deceptive page pushes a fake Flash Player installer that infects the victim’s Mac\u00a0with iKitten malware, after which iKitten\u00a0attempts to upload a copy of the user’s\u00a0Keychain (which contains a user’s saved passwords) to a site maintained by the malware developer.<\/p>\n

The malware itself is poorly written and doesn’t seem to persist in memory after a reboot, but by the time a user reboots their system, their\u00a0passwords may have already been stolen.<\/p>\n

New Mac Malware: EmPyre Word Macro<\/h3>\n

If you’ve been around long enough, you may remember hearing about Microsoft Office macro viruses nearly two decades ago. Around that time, Word and Excel macro viruses (that is,\u00a0Microsoft Office documents containing malicious scripts that automatically execute predefined actions) had started to become a cross-platform threat, but in recent years we haven’t heard much about macro viruses.<\/p>\n

Well, don’t count out macro viruses just yet, because at least one malware developer has gone retro!<\/p>\n

<\/p>\n

Image credit: Patrick Wardle<\/a><\/p>\n

A file named “U.S. Allies and Rivals Digest Trump\u2019s Victory – Carnegie Endowment for International Peace.docm” recently circulated that contained a Microsoft Word macro<\/strong>\u00a0(as indicated by the .docm<\/strong> filename extension) which contained\u00a0EmPyre<\/strong> malicious code.<\/p>\n

If a user attempts to open the file, Word will present a dialog box stating that the document contains macros (and in fine print it states that “Macros may contain viruses that could be harmful to your computer”).<\/p>\n

If the\u00a0user ignores the warning and\u00a0carelessly clicks on the (non-default) button “Enable Macros” (as seen in the screenshot above), their Mac could become infected with additional malware. For more details, see\u00a0Patrick Wardle’s write-up<\/a>.<\/p>\n

New Mac Malware: PROTON RAT<\/h3>\n

Reports circulated in early February about a new remote access Trojan (RAT), called PROTON<\/strong> (OSX.Proton.A<\/strong>), found on a Russian cybercrime message board. The RAT was\u00a0reportedly available for other would-be criminals to purchase for their own targeted campaigns,\u00a0and even offered to\u00a0add an Apple-approved developer signature to the attacker’s\u00a0custom RAT software\u00a0in order to bypass Apple’s Gatekeeper<\/a> protection on the victim’s Mac.<\/p>\n

After\u00a0deploying\u00a0the RAT onto a victim’s Mac, an\u00a0attacker could allegedly gain complete remote access, including viewing the user’s screen in real time, recording keystrokes, uploading the victim’s\u00a0files, downloading additional malware, accessing the webcam, issuing shell commands, and\u00a0other nefarious things. More information can be found in this PDF report<\/a>\u00a0published by Sixgill (their accompanying blog post<\/a>\u00a0was offline at the time of this article’s publication).<\/p>\n

iCloud Was Storing “Deleted” Safari History<\/h3>\n

Forbes broke the story<\/a> that a company in Russia had developed a tool, called Phone Breaker, that could recover (ostensibly) deleted Safari browser history as far back as November 2015. The tool’s functionality was independently confirmed by a Forbes source.<\/p>\n

<\/p>\n

Phone Breaker screen shot. Image credit: Forbes<\/a><\/p>\n

Apple did not respond to Forbes’ media inquiry, but shortly after the article was published, old browsing history records began disappearing from iCloud accounts that were known to have been affected.<\/p>\n

Since Apple was\u00a0tight-lipped about the ordeal, one can only speculate, but it’s possible that in late 2015 Apple either made a programming error that caused Safari history to no longer get deleted and has now corrected the issue on the back end, or perhaps Apple has yet to fix the underlying issue and has started proactively deleting old history backups while working on a more permanent fix.<\/p>\n

Apple Security Updates<\/h3>\n

Apple has released security updates<\/a> for the following software this month:<\/p>\n

    \n
  • GarageBand 10.1.6<\/strong> (available for Macs running macOS Sierra, OS X El Capitan, or OS X Yosemite) fixes a vulnerability described in a single CVE (Common Vulnerabilities and Exposures) ID, preventing maliciously crafted files from causing arbitrary code execution (i.e. doing bad stuff to your Mac) \u2014\u00a0If that sounds familiar, it’s because a similar bug discovered by the same security researcher was just patched last month<\/li>\n
  • Logic Pro X 10.3.1<\/strong> (available for Macs running Sierra or El Capitan) fixes the same vulnerability that was patched in this month’s GarageBand update<\/li>\n<\/ul>\n

    \"\"Apple also released updates<\/a> for the Apple Remote Desktop Client<\/strong> and Apple Remote Desktop Admin<\/strong> software (both of which are available for Macs running Sierra, El Capitan, or Yosemite), vaguely mentioning that the new Admin app offers “Improved security, with an optional compatibility option to support older clients in the Security tab of the Preferences panel.”<\/p>\n

    When asked to\u00a0comment on the security improvements, an Apple representative responded with the following details:<\/p>\n

      \n
    • ARD clients in Sierra and the ARD console now use the Secure Remote Password (SRP) protocol for authentication where possible.<\/li>\n
    • The Diffie-Hellman key size for encryption has been increased to 2048 bits.<\/li>\n<\/ul>\n

      Apple also uses the SRP protocol<\/a> for communications between mobile\u00a0devices running\u00a0iOS 9.3 or later and HomeKit accessories, according to this Apple white paper (PDF)<\/a>.<\/p>\n

      Alleged Nude Celebrity Photo Leak Blamed on “iCloud Hack”<\/h3>\n

      Image credit: IMDb<\/a><\/p><\/div>\n

      Various celebrity gossip sites reported earlier this week that model\/actress Emily Ratajkowski had allegedly fallen victim to a cyberattack,\u00a0and that\u00a0naked pictures of her were stolen\u00a0from her\u00a0iCloud account.<\/p>\n

      A salacious someone who allegedly was in possession of\u00a0those photos\u00a0reportedly attempted to convince\u00a0a gossip columnist to\u00a0publish the photos online.<\/p>\n

      The gossip columnist\u2014who, by the way, seems to be the sole source for the story\u2014declined to publish the pictures.<\/p>\n

      No details about the alleged hack have been published, but the story brings to mind a similar alleged “iCloud hack”\u00a0celebrity photo leak<\/a>\u00a0that we reported on in 2014.<\/p>\n

      In this case, it’s quite probable\u00a0that the attacker simply guessed or phished\u00a0Ratajkowski’s password\u2014assuming that the story is even authentic. There is no evidence to suggest that Apple’s iCloud servers were compromised.<\/p>\n

      RSA Conference<\/h3>\n

      \"\"Last week I attended RSA Conference<\/strong>, an annual cybersecurity conference held in San Francisco at (and around) the Moscone Center.\u00a0We’ll publish a separate article very soon covering some highlights\u2014there’s some great stuff that you won’t want to miss.<\/p>\n

      Stay Tuned! Subscribe to The Mac Security Blog<\/h3>\n

      There’s more to come.\u00a0Be sure to subscribe to The Mac Security Blog<\/strong> to catch our RSA Conference coverage, and of course to stay informed about Apple security throughout each month.<\/p>\n

      If you missed Intego’s other recent Apple security news roundups or our\u00a0security predictions for 2017, you can check them out here:<\/p>\n

      Month in Review: Apple Security in January 2017<\/a><\/p><\/blockquote>\n