Home advanced malware protection

More Mac Malware Thus Far in 2017 Than Any Other Year

More Mac Malware Thus Far in 2017 Than Any Other Year

With more than 4 months to go before the year ends, this year has already seen more Mac specific malware than any other. Is this finally the end of Mac OS’s reputation as relatively virus-free?

Obviously, Macs have never been totally virus-free. Compared to Windows malware however, the amount of Mac targeted malware has always been minimal. This has largely been due to the substantially smaller market share of Mac OS X. With far fewer users to target compared to Windows, malware creators didn’t have enough incentive to develop as many viruses for Apple’s personal computing platform.

Interestingly, this year has been quite different in regards to Mac malware activity. According to Malwarebytes, not only was there a 230% year-on-year increase in Mac malware last July, the first half of 2017 has already seen more Mac malware than all of 2016 or indeed, any other year. While we’re accustomed to seeing more malware year after year, Mac focused malware is a bit different.

Could the significant uptick in Mac malware due to a corresponding increase in user base? Not really. In fact, OS X market share hasn’t changed significantly since last year.

Malware in the App Store

What makes this surge even more alarming is that a significant amount of malware has managed to invade even the App Store. Apple is known to be very thorough in screening the applications that make it to the Mac App Store.

They review each app for objectionable content, acceptability, app completeness, hardware compatibility, intellectual property, spam, ability to inflict harm, and a host of other criteria. Apple has even been quick to pull apps from the store if they’re later found to be problematic.

Apple touts the App Store as the safest place to download apps and many users believe that to be wholly accurate. This false sense of security leaves them more vulnerable to attacks as they are perhaps not as vigilant or discerning as they might be on another platform.

Proton RAT leads off 2017 surge

One of the biggest threats to emerge this year was a RAT (Remote Access Trojan) known as OSX.Proton.B or simply Proton. Being a RAT, Proton takes the form of a legitimate application accompanied by a back door that provides administrative control to a victim’s system.

During one campaign, Proton handlers were able to modify Handbrake, an app built to convert video files. Proton’s handlers infiltrated one of Handbrake’s download mirrors, enabling them to replace the app’s DMG file with a modified version infected with Proton code.

Once the compromised application is installed onto a victim’s device, the Proton RAT kicks in. Proton can carry out several malicious acts, including: recording keystrokes, stealing passwords, controlling the webcam, allowing remote access, and gaining access to the user’s iCloud account.

Proton can be installed surreptitiously because the malware uses genuine Apple code-signing signatures. This allows it to bypass Apple’s Gatekeeper, an OS X feature that blocks apps if they aren’t digitally signed using a valid Apple Developer ID.

Proton’s existence was uncovered when researchers from cyber security firm Sixgill chanced upon a post on a notorious Russian cybercrime message board. The post introduced Proton as the “Newest and only macOS RAT in the market.” Originally priced at approximately 100 BTC (bitcoin), which was equivalent to about $100,000 at the time, Proton was out of reach for most.

Findzip Ransomware

Another piece of Mac malware that emerged this year is Findzip. Ransomware has been gaining a lot of notoriety lately, so people in the Mac community were rightly alarmed upon learning that one of the the biggest malware threats in the world today is now right on their doorstep.

Findzip is usually disguised as a crack for either Adobe Premier Pro or Microsoft Office. Being a crack, it doesn’t go through the normal Mac application installation process. People who use cracks typically employ workarounds to bypass Apple’s security measures meant to prevent the installation of malicious programs. Of course, the use of these workarounds plays right into the hands of Findzip’s operators.

Unlike Proton, Findzip isn’t digitally signed using an Apple-issued certificate. As such, it will be considered as coming from an unidentified developer, marked with a ‘quarantine’ flag, and ultimately denied installation. Well and good, but that doesn’t stop Findzip from getting through.

Normally, apps that aren’t downloaded from the App Store, are downloaded through a Web browser. Some popular web browsers are designed to identify the quarantine flag as well as invalid signatures- so if a user attempts to open such a DMG file, the system will prevent the file from being opened.

Alas, people who want to install cracked applications and other pirated software don’t go down that route. Instead, they download files through alternative means, usually torrents. Torrent clients don’t set the quarantine flag when they download a file. Thus, when the user opens the DMG file, the system won’t be able to do anything about it.

It’s comforting to note however that 1) Findzip will not be able to affect users who download apps through legitimate means and 2) it’s now easy to find tools or methods for decrypting files encrypted by Findzip. In fact, if you google for ‘findzip ransomware’, the first search results actually point to removal/remediation solutions, and not just information about the malware itself.

Flashback to Flashback?

The last time there was a surge of Mac malware activity of this magnitude was in 2011-1012, when the Flashback Trojan struck. Flashback was said to have infected about 600,000 Macs then. That number amounted to more than 1% of the total number of Macs at that time.

Taken individually, none of the Mac malware detected this year appear to have infected as many devices as Flashback. The Flashback outbreak remains the largest Mac-based malware outbreak in history, but 2017 shows a disturbing trend that all Mac users should pay close attention to.

How Malware Steals Credit Card Data from Your POS Systems

How Malware Steals Credit Card Data from Your POS SystemsSome of the biggest data breaches involving credit card data, including those that hit Home Depot and Target, were perpetrated by POS malware – we’ll explain exactly how POS malware works.

A brief overview of the market behind POS malware

POS malware is a vital tool in the highly lucrative credit card data theft industry. At the end of the supply chain, there are people who use fake credit cards to purchase products and services. These people source these fraudulent cards from cyber gangs who produce the fake cards.

The gangs in turn source data that make up the cards from carding forums or stores (a.k.a. card malls or card shops) on the dark net or other online black markets. Sellers in these marketplaces typically offer thousands or even millions of pieces of credit card data. Lastly, the people who sell card data in those forums and stores purchase the data in bulk from hackers (yes, we know they’re supposed to be called crackers).

It’s these hackers who employ POS malware. Cyber criminals are drawn to where the money is. As long as there are people down the supply chain who will use fake credit cards, there will always be criminals who will steal the data to make those cards work. As a result, businesses will always be under the threat of data-stealing POS malware.

How a POS system gets infected

Before any POS malware can go about stealing credit card data, it first has to find its way into a POS system. Unfortunately for us, there are many ways for it to get there.

Because POS vendors sometimes need remote access to their products for troubleshooting, applying patches, or performing technical support, most POS devices are designed to directly or indirectly connect to the Internet. As part of PCI DSS compliance, some systems are also required to connect to the Internet in order to perform time-synchronization with NTP servers. Lastly, an Internet connection may also be needed to enable the system to export purchasing, inventory, or other business data to remote servers.

While needed for upkeep, maintenance, security, and other business functions of the device, the Internet also allows attackers to gain access. Here are the most common ways POS systems get infected with malware:

Phishing and social engineering

Not all of these systems are dedicated POS terminals. In fact, many of them are regular desktops that run on Windows. When a POS system is set up like this, it’s likely to be used for other functions like sending/receiving emails, web browsing, checking social media sites, instant messaging, and other online activities.

Unfortunately, these online activities are susceptible to phishing and other social engineering attacks. Once the user clicks a link or downloads an attachment in a phishing email or message, they could end up downloading either the malware itself or a trojan that subsequently downloads the malware.

Unpatched systems

As in most other systems, a POS terminal can also get infected when malware exploits vulnerabilities in the operating system, browser plugins, or the web browser itself. Known vulnerabilities are easily addressed through patches or software updates. Unfortunately, most people don’t patch properly, and many don’t patch at all.

Hacked administrative interface

As mentioned earlier, the main purpose of these Internet connections is for performing upgrades, tech support, and troubleshooting. To perform these tasks, the vendor has to connect through some form of administrative interface. Attackers sometimes brute force their way into these interfaces or take advantage of default settings. Once they’ve gained entry, they then install the malware.

Compromised third party credentials

It’s common for businesses to employ the services of various third parties. Some of these third party providers are given access to either the POS machine itself (e.g. for vendors of software installed on the same machine) or to another device running on the same network as the POS machine. This gives cybercriminals an avenue for attack.

Cybercriminals can steal login credentials assigned to these third parties in order to gain access into the POS system. This type of attack is difficult to trace because if you view the logs, the logins appear to be carried out by someone authorized to access the system.

Other compromised devices in the network

In the event that the POS device is connected to the office LAN but not to the Internet, cyber criminals can still access the device through an indirect attack. They would first attack a device connected to the Internet and use that as a jump off point to reach their main objective.

They can employ phishing, brute force, or an SQL injection on the corporate website. They can even simply hack into a network device whose factory default passwords have not been changed. Once they’ve gotten a foothold into the network, they usually try to acquire administrative-level credentials before finally seeking out the main target – the POS machine. Once they’ve breached to the POS machine, they install the malware.

RAM scraping

So what happens when malware gets installed on a POS system? It does what it’s programmed to do – steal credit card data. Theoretically, there are number of opportunities for malware to steal credit card data from a POS system. First, while the data is stored (a.k.a. data-at-rest). Second, while it traverses the network (a.k.a. data-in-transit). And third, while the credit card data is in memory.

Most POS systems encrypt data-at-rest and data-in-transit (e.g. via SSL/TLS or IPsec), so POS malware rarely strikes at these stages. Cyber criminals can extract the information they need only if the data is in plaintext (unencrypted) form. Usually, this only ever happens when the data is still in memory. This explains why most current malware (including the one used in the Target data breach) attack there.

The process of stealing information from RAM is known as RAM scraping. Depending on the type of RAM scraper, data is stolen either wholesale (i.e. everything is grabbed from memory) or according to a pattern match. RAM scrapers can typically collect the PAN or credit card number, name of cardholder, card expiration date, CVV code, and other information embedded in the cards magnetic stripe. After the data is scraped from RAM, it is temporarily stashed in a file somewhere in the system or in the network.

As more customers come in and have their credit card data swiped, more data is collected and accumulated into that same file. After a certain period, the malware connects to a remote C&C (Command and Control) server and commences with the exfiltration process.

Covert exfiltration and persistence

To avoid being detected, some POS malware encrypts the data before transmitting to the C&C. Some also use HTTP requests in transmitting the data to avoid suspicion. This will make it appear that the POS system is being used for harmless activities like web browsing, allowing the exfiltration process to bypass firewalls and most antivirus solutions.

Note that, when a RAM scraper grabs data from memory, it only manages to grab information from a single card, i.e. the card that was recently swiped. That’s why, as mentioned earlier, the data scraped from memory would still have to be accumulated into a sort of “staging” file. Because it can take some time before a substantial amount of data is collected, the malware has to persist in the system as long as possible for it to be effective.

To do that, POS malware usually employs privilege escalation techniques like tampering logs or disabling antiviruses and monitoring tools. Some types of malware also create backup copies of themselves, which are retrieved in the event their “production” selves are somehow deleted or incapacitated.

Mitigating the POS malware threat

Last year (2016), the rate of identity theft hit an all-time high, with some 15.4 million consumers getting victimized through some form of ID theft. This translated to about $16 billion worth of losses through fraud. Although not all of these incidents involved the use of POS malware, POS malware still remains one of the biggest threats to merchants who haven’t yet adopted EMV chip cards.

To mitigate this particular threat, businesses must adopt a number of security measures, including:

1. Dedicating a POS terminal solely to POS-related functions;
2. If budget does not permit #1, prohibiting employees from using a non-dedicated POS system for non work-related tasks (e.g. personal web browsing, email, or social media);
3. If #2 is still not possible, training employees to recognize and handle phishing emails/messages;
4. Updating all firmware and software;
5. Using reputable antivirus software;
6. Using firewalls and content filtering solutions that identify and block both suspicious inbound and outbound traffic;
7. Ensuring that in-house admins and third parties use strong passwords and 2-factor authentication; and
8. Adopting EMV-enabled cards, which theoretically eliminates credit card cloning.

For help to protect yourself from POS malware, feel free to contact us.

Your DNS and IoT Vulnerabilities

Your DNS and IoT VulnerabilitiesAre you properly defended? In the sense of your computer and network safety, do you feel you have a good defence in depth strategy? This is not something to take lightly, and if you wish to truthfully answer yes, you have to be sure you have defences such as a DNS firewall, advanced malware protection, cloud security solutions, and more. Let us take a moment to understand just why this is important to anyone online.

Consider this – the source code for the Mirai botnet was shared online in late 2016. This is a form of malware that converts networked IoT devices into remote controlled bots. These are then used in enormous numbers to perform network attacks at an astonishing scale. In fact, the Mirai botnet actually knocked the entire nation of Liberia offline.

Once the Mirai botnet was shared, though, it split many times over, and now there are multiple Mirai derivatives at work. While you may not yet know what that means to you in terms of security, it is safe to say that you do not want to become victim to it – whether as a business owner or consumer.

To understand why a strong DNS firewall, real time malware protection, and internet security services are important, we need to look at what happened when the Mirai botnet set to work in October of 2016.

Mirai at Work

When the malware had infected enough machines, it attacked and disrupted websites as famous as Airbnb, PayPal, Spotify and the PlayStation network. It did this by taking over IoT (Internet of Things) devices like baby monitors, CCTV systems, DVRs and routers. Though you may not think that the processing power of your CCTV system would amount to much, imagine millions of devices pooling their resources…this is how the Mirai botnet (and many other botnets) operate.

What did it use the power for? It performed a DDoS or distributed denial of service attack that flooded the systems at a firm known as Dyn, a cloud DNS provider. While IT experts are consistently advising against online businesses relying strictly on a single DNS provider in order to ensure accessibility even when under an attack, there are steps that you can take directly to protect yourself.

Considering Real Time Solutions

A DNS firewall is easily one of the strongest ways to overcome the risk of IoT vulnerability, botnets, malware and other threats. It will prevent system connections to known or recognized malicious locations. However, it can also make you aware of the presence of botnets within, or threatening, your network. Because the availability of your website (which is your business) is linked to the availability of your network, you have no real choice but to find ways to implement DNS security solutions. It is the availability of those DNS services that make you reachable, and the botnet attacks are directly targeting this accessibility.
Until IoT devices and other vulnerabilities that plague the Internet are remedied, it is best to find options for a DNS firewall, DNS security solutions, advanced malware protection and other cloud security solutions.