Hackers Distribute Malware-Infected Media Player to Hundreds of Mac Users

Yet another software supply-chain attack hits popular applications.
Lucian Constantin
Oct 20 2017, 3:52pm
https://motherboard.vice.com/en_us/article/bj789w/elmedia-player-malware-hack-mac-trojan

Hackers managed to compromise the website of a company that develops several popular apps for Apple computers, distributing malware-infected versions of those apps to hundreds of users. Security researchers from antivirus firm ESET reported Friday that the free version of Elmedia Player distributed from Eltima Software’s website contained a macOS information stealing trojan known as OSX/Proton. The same malware was distributed earlier this year through another trojanized version of a popular macOS application called HandBrake.

Eltima told me in an email that hackers also managed to trojanize one of the company’s other applications, an internet download manager called Folx that also acts as a BitTorrent client. The Proton malware is capable of stealing a lot of data from infected computers including history, cookies, bookmarks, and log-in data from browsers; cryptocurrency wallets; SSH authentication keys; macOS keychain data; Tunnelblick VPN configuration data; PGP encryption keys and data stored in 1Password, a password management application.

Elmedia Player has 1 million users as of August, according to Eltima. The company provides free and paid versions of its software programs and distributes them through its website and through the Mac App Store. Only the installers for Elmedia Player and Folx downloaded by users from the company’s website contained the Proton trojan, an Eltima spokeswoman told me. “The built-in automatic update mechanism [of the applications] seems to be unaffected.”

The security breach happened Thursday and was discovered relatively fast by ESET who reported the incident to the software developer. The malicious installers were available on Eltima’s website for around 24 hours and were downloaded by almost 1,000 users. “Users who downloaded and executed the software on October 19 before 3:15 PM EDT, are likely compromised,” the ESET researchers said. On Friday morning, Eltima announced that both apps are now “safe to install and malware-free.”

The attackers don’t appear to have compromised the company’s development infrastructure, as happened recently with the developer of a Windows application called CCleaner. Instead, the hackers just managed to hack into Eltima’s website through a vulnerability in a JavaScript-based library called TinyMCE. The malicious installers were not digitally signed with Eltima’s Apple developer certificate, but with a different developer ID under the name Clifton Grimm. It’s not clear if this certificate was obtained from Apple by using a fake identity or if it was stolen from another developer. Gatekeeper, Apple’s first line of defense against malware, allows signed binaries to execute without warning by default, Patrick Wardle, director of research at Synack and a macOS security expert, told me in a Twitter direct message. Because of this, most Mac malware is now signed with stolen or fraudulently obtained Apple developer IDs, with the latter being much more likely, he said. “It appears Apple has a problem with ensuring only legitimate developer IDs are given out,” Wardle said.

Apple revoked the misused Clifton Grimm certificate after being alerted by ESET and Eltima, but users who downloaded and executed the rogue Elmedia Player and Folx installers before this happened didn’t get a Gatekeeper warning. At installation, Proton displays a fake password authorization window in order to gain system administrator privileges. It’s not unusual for legitimate applications to request such access, so users might easily be tricked into inputting their password. There is some evidence that this new attack might have been perpetrated by the same attackers who compromised a legitimate download server for the HandBrake video converter application in May and distributed a malicious version of that program to macOS users.

In both cases, the trojanized installers infected computers with Proton and in both cases the malware’s command-and-control servers used domain names similar to those of the compromised software. The difference is that the rogue HandBrake installer was not digitally signed, meaning that users would have had to override Gatekeeper manually in order to install it.
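The practical lesson from the Clifton Grimm certificate is that "signed" is not the same as "signed by the developer you expect". The script below is an added example (it is not code from the article, ESET or Eltima): it runs Apple's `codesign -dvv` on an app bundle, parses the certificate chain that codesign prints on stderr, and refuses anything whose leaf certificate is not a Developer ID certificate naming the developer you expect. The company name and team ID in the constructed sample output are placeholders, not Eltima's real certificate details.

```python
"""Check who actually signed a macOS app bundle before you launch it.

Added example: this is not code from the article, ESET or Eltima. Gatekeeper
only asks "is there a valid Developer ID signature?", so a trojanised bundle
signed with somebody else's Developer ID (the 'Clifton Grimm' case above)
passes. The question to ask instead is "is it signed by the developer I
expect?". `codesign -dvv <bundle>` prints the certificate chain on stderr;
this script parses the Authority= and TeamIdentifier= lines and compares the
leaf signer with the name you expect. The company name and team ID in the
sample output are placeholders, not Eltima's real certificate details.
"""
import re
import shutil
import subprocess
import sys

AUTHORITY_RE = re.compile(r"^Authority=(.*)$")
TEAM_RE = re.compile(r"^TeamIdentifier=(.*)$")


def parse_codesign(output):
    """Return (leaf_authority, team_id, chain) from `codesign -dvv` output.

    codesign prints the chain leaf-first: the first Authority= line is the
    certificate that signed the code, the rest lead up to Apple Root CA.
    Unsigned code prints no Authority= line at all.
    """
    chain, team = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = AUTHORITY_RE.match(line)
        if m:
            chain.append(m.group(1))
            continue
        m = TEAM_RE.match(line)
        if m:
            team = m.group(1)
    return (chain[0] if chain else None), team, chain


def signer_matches(output, expected_developer):
    """True only for a Developer ID signature whose leaf names the expected developer."""
    leaf, _team, chain = parse_codesign(output)
    if leaf is None:                                   # unsigned, or codesign failed
        return False
    if not leaf.startswith("Developer ID Application:"):
        return False                                   # ad-hoc, App Store or other cert
    if "Developer ID Certification Authority" not in chain:
        return False                                   # chain does not go via Apple's DevID CA
    return expected_developer in leaf


def codesign_output(bundle_path):
    """Run codesign on a real bundle (macOS only); the details go to stderr.

    For a .pkg installer use `pkgutil --check-signature <file>` instead.
    """
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found: this step only runs on macOS")
    proc = subprocess.run(["codesign", "-dvv", bundle_path],
                          capture_output=True, text=True)
    return proc.stderr


# Constructed sample in the real `codesign -dvv` layout (placeholder identity).
SAMPLE_GOOD = """\
Executable=/Applications/Elmedia Player.app/Contents/MacOS/Elmedia Player
Identifier=com.example.elmedia
Authority=Developer ID Application: Example Developer LLC (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Same bundle re-signed with a different (valid) Developer ID: Gatekeeper
# would still allow it, this check would not.
SAMPLE_OTHER_SIGNER = SAMPLE_GOOD.replace(
    "Example Developer LLC (ABCDE12345)", "Someone Else (ZYXWV98765)"
).replace("TeamIdentifier=ABCDE12345", "TeamIdentifier=ZYXWV98765")

if __name__ == "__main__":
    # usage: python3 check_signer.py "/Applications/Elmedia Player.app" "Example Developer LLC"
    bundle, expected = sys.argv[1], sys.argv[2]
    out = codesign_output(bundle)
    leaf, team, _ = parse_codesign(out)
    print("leaf signer :", leaf)
    print("team id     :", team)
    print("OK" if signer_matches(out, expected) else "UNEXPECTED SIGNER: do not run it")
```

The expected developer name has to come from somewhere you trust more than the download itself, for example a copy of the app you installed earlier or the team ID printed on the developer's site; once Apple revokes a certificate, as it did here, codesign on a current macOS reports the signature as invalid and the check fails on its own.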

To determine if they’ve been infected users can search their systems for the presence of the following files or directories: /tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, /Library/.rand/ and /Library/.rand/updateragent.app/. If any of them exist, Proton was installed, according to ESET.
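ESET's indicator list is short enough to check by hand, but a script is less error-prone, can be pointed at a mounted image of a suspect disk instead of the live system, and gives a clear exit code. The one below is an added example, not ESET's or the article's own code; the four paths are exactly the ones quoted above, and the `exists` parameter only exists so the logic can be exercised without touching a real filesystem.

```python
"""Sweep a macOS volume for the OSX/Proton indicators that ESET published.

Added example, not from the article or from ESET. The four paths are exactly
the ones quoted above. `root` lets you point the same check at a mounted
image of a suspect disk (or a test directory) instead of the live system,
and `exists` is injectable so the logic can be exercised without touching
the filesystem.
"""
import os
import sys

# Paths listed by ESET; a trailing slash marks a directory.
PROTON_IOCS = (
    "/tmp/Updater.app/",
    "/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist",
    "/Library/.rand/",
    "/Library/.rand/updateragent.app/",
)


def find_proton_indicators(root="/", exists=os.path.lexists, iocs=PROTON_IOCS):
    """Return the indicator paths (as published) that exist under `root`.

    os.path.join discards `root` when the second part starts with '/', so the
    leading slash is stripped first; normpath drops the trailing slash.
    lexists (rather than exists) still reports a dangling symlink left by a
    half-finished clean-up.
    """
    hits = []
    for ioc in iocs:
        candidate = os.path.normpath(os.path.join(root, ioc.lstrip("/")))
        if exists(candidate):
            hits.append(ioc)
    return hits


def verdict(hits):
    """ESET's guidance, as a string: any hit means Proton ran with admin rights."""
    if not hits:
        return "no Proton indicators found"
    return ("Proton indicators present: " + ", ".join(hits)
            + " - assume browser, keychain, SSH, PGP, 1Password and wallet secrets "
              "are compromised; reinstall the OS and rotate them")


if __name__ == "__main__":
    # usage: sudo python3 proton_check.py [/Volumes/SuspectDisk]
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    found = find_proton_indicators(root)
    print(verdict(found))
    sys.exit(1 if found else 0)
```

Run it with sudo on the live system so /Library/.rand and /tmp are readable, or give it the mount point of a disk image taken from the affected Mac. A clean result only says these particular artefacts are absent; a user who downloaded and ran the installer in the affected window should still treat the credentials listed above as exposed.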

“As with any compromise with an administrator account, a full OS reinstall is the only sure way to get rid of the malware,” the ESET researchers said. “Victims should also assume that the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them.”

Software supply-chain attacks pose a very serious danger because they abuse the existing trust relationship between users and software developers. These attacks can happen in several ways and can be very hard to detect and prevent. Attackers recently managed to distribute infected versions of CCleaner—a Windows system optimization tool—to over 2.2 million users after hacking into the program developer’s infrastructure. Last year, attackers hacked into the website of the popular open-source Transmission BitTorrent client on two separate occasions and distributed infected installers to macOS users.

In order to compromise Macs, attackers need a way to get malicious applications onto them, and hacking into a legitimate developer’s website to surreptitiously trojanize a popular app is a great way to achieve this, Wardle said. We’ve seen attackers use this mechanism before, so it won’t be surprising if they continue to rely on this attack vector, he said.

KRACK attacks – is your Wi-Fi at risk?

Here’s what it’s all about and what to do

The latest bug to arrive with its own logo is called the KRACK Attack. KRACK means that most encrypted Wi-Fi networks are not as secure as you think.
KRACK works against networks using WPA and WPA2 encryption, in both personal (pre-shared key) and enterprise (802.1X) modes, which these days covers most wireless access points where encryption has been turned on.
An attacker within Wi-Fi range could, in theory, sniff out some of the encrypted traffic sent to some of the computers in your organisation or home. Even if an attacker can only “bleed off” small amounts of traffic, in dribs and drabs, the end result could be very serious.

KRACK explained

KRACK is short for Key Reinstallation Attack, which is a curious name that probably leaves you as confused as we felt when we heard about it, so here’s our extremely simplified explanation of what happens (please note this explanation covers just one of numerous flavours of similar attack). At various times during an encrypted wireless connection, you (the client) and the access point (the AP) need to agree on security keys.
To do so, a protocol known as the “four-way handshake” is used, which goes something like this:
(AP to client) Let’s agree on a session key. Here’s some one-time random data to help compute it.
(Client to AP) OK, here’s some one-time random data from me to use as well.
At this point, both sides can mix together the Wi-Fi network password (the so-called Pre-Shared Key or PSK), the two random blobs of data and the two devices’ MAC addresses to generate a one-time key for this session.
This avoids using the PSK directly to encrypt wireless data, and ensures a unique key for each session.
(AP to client) I’m confirming we’ve agreed on enough data to construct a key for this session.
(Client to AP) You’re right, we have.

The KRACK Attacks (with numerous variations) use the fact that although this four-way protocol was shown to be mathematically sound, it could be – and in many cases, was – implemented insecurely. In particular, an attacker running a rogue access point that clones the real AP’s MAC address (on a different channel, so that it sits between the client and the real AP) can intercept message 4 and prevent it reaching the real AP. During this hiatus in the handshake, the client may already have started communicating with the AP, because the two sides already have a session key they can use, even though they haven’t finalised the handshake. This means that the client will already be churning out cryptographic material, known as the keystream, to encrypt the data it transmits.

To ensure a keystream that never repeats, the client uses the session key plus a nonce, or “number used once”, to encrypt each network frame; the nonce is incremented after each frame so that the keystream is different each time. All the KRACK attacks involve reused keystream material: the attacker “rewinds” the crypto settings so that different data gets encrypted with the same keystream. If you know one set of data you can figure out the other – and that’s the best case; some variants are worse than that, because the attacker can as good as take over the connection in both directions.

Back to the handshake

Because it never receives message 4, the real AP will send another copy of message 3, possibly several times, until the rogue AP finally lets the message get through to the client.
The mathematical certainty in the protocol now meets cryptographic sloppiness in its implementation.
The client finalises the handshake at last, and resets its keystream by “reinstalling” the session key it already has (thus the name of the attack), which also resets the packet nonce to its starting value – the same value it had when the key was first installed.
This means the keystream starts repeating itself – and re-using the keystream in a network encryption cipher of this sort is a big no-no.
If you know the contents of the network frames that were encrypted the first time, you can recover the keystream used to encrypt them; if you have the keystream from the first bunch of network frames, you can use it to decrypt the frames encrypted the second time when the keystream gets re-used.
Even if attackers are only able to recover a few frames of the data in any session, they still come out ahead.
Gold dust sounds less valuable than a gold ingot – but if you collect enough gold dust, you get to the same value in the end.
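The explanation above, from the four-way handshake through to the replayed message 3 and the repeated keystream, can be seen end to end in a few dozen lines. The model below is an added example and not code from the original article: it keeps the structure described (ANonce from the AP, SNonce from the client, a session key mixed from the PSK and both nonces, message 3 installing the key) but replaces the real primitives with stand-ins, SHA-256 for the 802.11 key-derivation PRF and HMAC-SHA256 over (packet nonce, counter) for the AES-CCM keystream. The network password and frame contents are made up. The point it makes is the one that matters: if a replayed message 3 makes the client reinstall the same key and reset its packet nonce, two frames share a keystream and knowing one plaintext reveals the other; a client that ignores the replayed message does not leak.

```python
"""Toy model of the four-way handshake and the KRACK key reinstallation.

Added example, not from the original article. It follows the structure of the
explanation above (ANonce from the AP, SNonce from the client, a session key
mixed from the PSK and both nonces, message 3 installing the key) but stands
in for the real primitives: SHA-256 instead of the 802.11 key-derivation PRF,
and HMAC-SHA256(key, packet nonce, counter) instead of AES-CCM for the
per-frame keystream. The network password and frame contents are made up.
What it demonstrates is the one property that matters: if a replayed message
3 makes the client reinstall the same key and reset its packet nonce, two
frames share a keystream, and knowing one plaintext reveals the other.
"""
import hashlib
import hmac
import os


def derive_ptk(psk, anonce, snonce):
    """Stand-in for the 802.11 PRF: mix the PSK with both one-time nonces."""
    return hashlib.sha256(b"PTK|" + psk + b"|" + anonce + b"|" + snonce).digest()


def keystream(ptk, packet_nonce, length):
    """Stand-in for CCMP: keystream determined entirely by key + packet nonce."""
    out, counter = b"", 0
    while len(out) < length:
        msg = packet_nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """The supplicant. `patched=True` ignores a message 3 replayed after install."""

    def __init__(self, psk, patched=False):
        self.psk, self.patched = psk, patched
        self.ptk, self.installed, self.packet_nonce = None, False, 0

    def on_msg1(self, anonce):
        """Message 1 in: derive the session key, send SNonce back as message 2."""
        self.snonce = os.urandom(32)
        self.ptk = derive_ptk(self.psk, anonce, self.snonce)
        return self.snonce

    def on_msg3(self):
        """Message 3 in: install the key and answer with message 4."""
        if self.installed and self.patched:
            return b"msg4"               # key already in use: leave the nonce alone
        self.installed = True
        self.packet_nonce = 0            # (re)installing the key resets the nonce
        return b"msg4"

    def send(self, plaintext):
        """Encrypt one frame; returns (packet nonce, ciphertext)."""
        self.packet_nonce += 1
        ks = keystream(self.ptk, self.packet_nonce, len(plaintext))
        return self.packet_nonce, xor(plaintext, ks)


def krack_demo(patched=False):
    """Run the attack; returns (nonce of frame 1, nonce of frame 2, recovered, secret)."""
    psk = b"correct horse battery staple"          # constructed network password
    client = Client(psk, patched=patched)
    client.on_msg1(os.urandom(32))                 # AP's ANonce arrives (message 1)
    client.on_msg3()                               # first message 3: key installed

    known = b"GET / HTTP/1.1\r\nHost: example.com\r\n"
    n1, ct1 = client.send(known)                   # sniffed; plaintext is guessable

    client.on_msg3()                               # AP retransmits 3 (4 was blocked)
    secret = b"Cookie: session=s3cr3t-value-here"  # shorter than `known`
    n2, ct2 = client.send(secret)

    ks = xor(ct1, known)                           # keystream for packet nonce n1
    recovered = xor(ct2, ks)                       # correct only if n2 == n1
    return n1, n2, recovered, secret


if __name__ == "__main__":
    for patched in (False, True):
        n1, n2, rec, sec = krack_demo(patched)
        print(f"patched={patched}: nonces {n1},{n2}; recovered={rec == sec}")
```

The attacker only recovers as many keystream bytes as there are known plaintext bytes in the first frame, which is why the second frame in the demo is shorter than the first; in practice predictable protocol headers provide that known material, frame after frame, which is the “gold dust” the text refers to.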

What to do

Changing your Wi-Fi password won’t help: this attack doesn’t recover the password (PSK) itself, but instead allows an attacker to decrypt some of the content of some sessions.
Changing routers probably won’t help either: the flaw is mainly in the client side of the handshake, and there are numerous variants of the KRACK Attacks that affect most Wi-Fi software implementations in most operating systems.

Here’s what you can do:

Until further notice, treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
Stick to HTTPS websites so your web browsing is encrypted even if it travels over an unencrypted connection.
Consider using a VPN, which means that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.

Apply KRACK patches for your clients (and access points) as soon as they are available. The client is the device that reinstalls the key, so client patches matter most; access points mainly need patching where they also act as clients (repeaters and other devices in client mode) or support fast roaming (802.11r).

Simply put, if you ever use open Wi-Fi access points (or Wi-Fi access points where the password is widely known, e.g. printed on the menu or handed out by the barista), you are already living in a world where at least some of your network traffic could be sniffed out at will by anyone. The precautions that you take in those cases – why not take them all the time? If you always encrypt everything yourself, in a way that you get to choose and can control, you never have to worry what you might have forgotten about.

Ubiquiti was one of the first vendors to release KRACK patches for its UniFi equipment – if you are interested in upgrading your wireless network to UniFi enterprise-grade kit, speak to me: http://prpcs.co.uk/services/wifi-optimisation

Is Antivirus Necessary in the World of Mac?

credit : https://www.macworld.com/article/3230164/antivirus-software/is-antivirus-necessary-in-the-world-of-mac.html

The misconception that only Windows OS computers need antivirus protection is just that—a misconception.

The last decade has served up plenty of lessons around taking digital security too lightly. For years, threats targeting the Windows operating system have grabbed the headlines, leaving the impression that other operating systems are immune to commercial, opportunistic threats.

The modern Mac OS is based on a solid architecture, with built-in security features that do a pretty good job fending off malware. But the explosive growth of the web and our dependence on cloud services has changed the security landscape completely. Platform-focused threats are now complemented by web-borne attacks trying to gain control of your cloud services.

On the malware side, while it’s true that Windows computers are more susceptible to attacks due to their popularity, the increase in malware families specifically designed for Mac is higher in 2017 than in the previous five years combined. Security experts – and sometimes Apple – warn Mac users not to rely on the operating system for security alone, as prevention is always the wiser approach.

Cyber criminals are getting better at hiding malware from users and security agents. They’re not in it for the notoriety, like they used to be in the good old days. Now they are in it for the money. Hackers are no longer writing poor-quality malware, but instead designing hostile, complex, malicious software programs which takes advantage of users’ blind spots to sneak in, by either working around the operating system defenses, or by tricking the user into voluntarily installing them.

Some of the notorious threats that have taken Mac users by surprise are CoinThief, a Mac Trojan that goes for Bitcoin wallets after infiltrating computers, or the devastating Flashback Trojan that infected more than 600,000 devices worldwide. And new threats, such as ransomware, are being perfected as we speak, designed to extort money from victims all over the globe. In March 2016 Apple had to fight KeRanger, the first ransomware designed for Mac.

Before you hit the road, fasten your digital seatbelt

When talking about online security, one of the most common misconceptions is that anti-virus programs only protect against known viruses, and that the number of such viruses for the Mac is so small that you should hardly bother. In reality, an anti-malware solution designed for Macs covers more than file-based malware: it includes anti-phishing, anti-adware, anti-spyware, anti-ransomware and other layers of security to keep your Mac running only the software or apps that you have authorised.

Modern threats targeting Macs are silent: they can run in the background for years without showing any sign of trouble. Aggressive adware that stealthily profiles you and casually serves banners might not look like a big deal to the uninformed, but it leaks your private information, from browsing habits and history to your contacts, without you even knowing. Some websites take advantage of your processing power and silently use it to mine digital currency at the expense of your computer’s performance and reliability, which in turn wears down your hardware and increases your electricity bill.

Are all security solutions made equal?

If you’re concerned about the security of your Mac device and want to get an anti-malware solution installed, make sure you don’t fall into a trap. Fake malware protection applications are out there for all platforms, from Android to Windows to Mac.

Choose a security solution with consistently high detection rates in independent testing, such as Bitdefender GravityZone.

Speak to me about a quote for Bitdefender GravityZone for all your Mac or Windows devices.

The new macOS, High Sierra is now available

Apple’s new Operating System, High Sierra is now available and ready to install on your Mac. Here’s how you go about it.

Before starting, make sure you have backed up your Mac. Run Time Machine or your online backup service if you have one.
The entire process will take around an hour, depending on your internet connection speed.

Got that? Right, you’re ready to go.

  • Fire up the App Store app, located in your Applications folder.

  • Look for macOS High Sierra in the App Store – you will probably find it in the top marquee carousel. Once you locate it, click on it.
  • This should bring you to the High Sierra section of the App Store, and you can read Apple’s description of the new OS there.
  • When you’re ready to start, click the Download button on the left side of the display.
  • Downloading will take a while, as it’s over 5GB.
  • Once the download completes, the installer will launch automatically.
  • If you wish to install later, you can quit at this stage by pressing Command-Q; the installer is saved to your Applications folder.
  • If you wish to proceed and install now, click Continue.
  • Read the software license agreement and click Agree.
  • Select your Mac’s startup drive and click Install.

  • Enter your username and password for the new “helper tool” that the installer wants to install, and click Add Helper.
  • The Mac will then need to restart, so click Restart.
  • Any applications that are open will need to be closed. Click Close Applications.
  • Your Mac will restart and proceed with the installation.
  • When it’s done, you’ll have High Sierra on your Mac.