Jul 05

OSX continues to be exploited

Once again, Apple's OS X is confronted with a security risk. The latest backdoor was discovered by Russian security firm Kaspersky Lab and is being used as part of an Advanced Persistent Threat (APT) campaign. It is only the latest in a series of security incidents affecting the Mac OS X operating system.

Kaspersky researchers found that Uyghur activists in China were being targeted. The attackers sent e-mails with a ZIP attachment containing what looked like a JPEG photo; the "photo" concealed a new variant of the MaControl backdoor, which runs on both PowerPC and i386 Macs.

The researchers found that the command-and-control server the malware reported to was located in China, which led to speculation that the Chinese government was keeping tabs on the activists. For years, users believed Mac OS X was safer than Windows; with the recent string of outbreaks, people are starting to realise that this is not the case.

It seemed safer mainly because few attackers bothered with Macs while their market share was small. Apple has since acknowledged the change and removed a statement from its website claiming that Macs were not susceptible to the same malware as Windows PCs. Clearly, Apple is no longer sure that this is the case.

Most recently, Kaspersky Lab researchers found that threats targeting Mac OS X were used as part of a wider campaign against Uyghur activists, who were apparently assumed to be Mac users. The attackers sent customised e-mails with attached ZIP files that deliver a Mac OS X backdoor.

Like countless Windows threats, the infected ZIP file arrives as a phishing attack relying on social engineering: the victim is enticed with a JPEG photo, which masks the malware.
The Mac OS X threat appears to be new and is detected as the latest variant of the MaControl backdoor Trojan, which supports both i386 and PowerPC Macs. Once it gains a foothold, the Trojan installs itself on the Mac and immediately connects to its command-and-control server, apparently located in China, for instructions. The backdoor can then list and transfer files and run commands on the victim's Mac at the discretion of the malware's operators.
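The attack chain above (a ZIP attachment, a JPEG decoy, and a backdoor that runs on both PowerPC and i386) suggests a simple triage step for mail attachments: open the ZIP and classify each entry by its file header rather than by its name. The script below is an added example and not code from Kaspersky or the original post. The sample ZIP it builds is constructed here, and the assumption that a two-architecture backdoor ships as a fat (universal) Mach-O binary is the example's own, not something the page states; the fat-header and mach_header layouts and CPU type constants are the ones from Apple's <mach-o/fat.h> and <mach/machine.h>.

```python
import io
import struct
import zipfile

# Mach-O magic numbers as they appear in the first four bytes of a file,
# mapped to the byte order needed to read the rest of the header.
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce": ">",  # 32-bit, big-endian (PowerPC)
    b"\xce\xfa\xed\xfe": "<",  # 32-bit, little-endian (i386)
    b"\xfe\xed\xfa\xcf": ">",  # 64-bit, big-endian
    b"\xcf\xfa\xed\xfe": "<",  # 64-bit, little-endian (x86_64)
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # fat/universal header; Java class files share this magic
CPU_TYPES = {7: "i386", 18: "ppc", 0x01000007: "x86_64", 0x01000012: "ppc64"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def parse_fat(data):
    """Return the architecture list of a fat binary, or None if data is not one."""
    if data[:4] != FAT_MAGIC or len(data) < 8:
        return None
    nfat = struct.unpack(">I", data[4:8])[0]
    header_end = 8 + 20 * nfat
    if nfat == 0 or header_end > len(data):
        return None
    archs = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        # Every slice must lie inside the file after the arch table; this is what
        # separates a real fat binary from a Java class file with the same magic.
        if offset < header_end or offset + size > len(data):
            return None
        archs.append(CPU_TYPES.get(cputype, hex(cputype)))
    return archs


def classify(data):
    """Classify an attachment entry by its header, ignoring its file name."""
    if data[:3] == b"\xff\xd8\xff":  # JPEG start-of-image marker
        return "jpeg"
    archs = parse_fat(data)
    if archs is not None:
        return "macho-fat[" + ",".join(archs) + "]"
    endian = THIN_MAGICS.get(data[:4])
    if endian and len(data) >= 8:
        cputype = struct.unpack(endian + "I", data[4:8])[0]
        return "macho[" + CPU_TYPES.get(cputype, hex(cputype)) + "]"
    return "unknown"


def triage_zip(zip_bytes):
    """One finding per file in the ZIP: its name, the kind detected from its header,
    whether it is executable content a 'photo' attachment should not contain, and
    whether an executable is masquerading behind an image extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify(zf.read(info))
            executable = kind.startswith("macho")
            findings.append({
                "name": info.filename,
                "kind": kind,
                "suspicious": executable or "/Contents/MacOS/" in info.filename,
                "masquerade": executable and info.filename.lower().endswith(IMAGE_EXTS),
            })
    return findings


def _macho_header(cputype, endian):
    # Constructed minimal 32-bit mach_header: magic, cputype, cpusubtype,
    # filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags.
    return struct.pack(endian + "7I", 0xFEEDFACE, cputype, 0, 2, 0, 0, 0)


def build_fat(cputypes):
    # Constructed fat binary: big-endian fat_header and fat_arch table, then the slices.
    header_end = 8 + 20 * len(cputypes)
    table, slices, offset = b"", [], header_end
    for ct in cputypes:
        mh = _macho_header(ct, ">" if ct == 18 else "<")
        table += struct.pack(">5I", ct, 0, offset, len(mh), 0)
        slices.append(mh)
        offset += len(mh)
    return FAT_MAGIC + struct.pack(">I", len(cputypes)) + table + b"".join(slices)


def build_sample_zip():
    # Constructed sample attachment: a genuine-looking JPEG, a 'photo' that is really
    # a ppc/i386 fat executable, and a thin i386 binary inside an app bundle.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("photo2.jpg", build_fat([18, 7]))
        zf.writestr("Photos.app/Contents/MacOS/Photos", _macho_header(7, "<"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Running the script reports the fake "photo2.jpg" as `macho-fat[ppc,i386]` with the masquerade flag set, and the bundle executable as `macho[i386]`; only the real JPEG passes. The bounds check in `parse_fat` matters because the fat magic collides with Java class files, so a `.jar` inside the ZIP is not misreported as a universal binary.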

The new MaControl variant is the latest in a string of APT-driven attacks this year against the Mac OS X platform. In April, Kaspersky Lab researchers detected an active APT campaign, known as SabPub, which targeted Mac OS X by exploiting a Microsoft Office vulnerability on the platform. Once installed on a victim's Mac, the Trojan could take screenshots of the user's current session and execute commands on the infected computer.

Before that, the Flashfake (Flashback) Trojan ran rampant on users' Macs, building a botnet of more than 700,000 infected computers.

While Mac threats have not yet reached the volume of their Windows counterparts, the numbers are rising steadily and will continue to grow, thanks in large part to Mac OS X's increasing market share.

That said, the barrage of new Mac threats could open up opportunities for security partners with tried-and-true mechanisms long deployed in Windows environments. For one, the rising tide of Mac threats could easily pave the way for channel partners to add Mac security products and mechanisms to their portfolios.

Also, unlike previous years, the highly publicized spate of Mac threats will allow partners to simply start conversations with their customers in regards to securing their Mac environments.

Historically, with market share in the single digits, Mac OS X was not a lucrative target for cyber criminals. As a result, Macs became known as the "secure" platform, lulling users into a false sense of security and making them largely resistant to any external security product or best practice.

But that might be changing. As threats targeting the Mac platform continue to emerge, many users will have to play “catch-up,” with everything from security best practices and awareness, to products and management for Mac environments.

Those knowledge gaps leave potential windows of opportunity for the channel, enabling partners to essentially go back to square one with basic security consulting services, and standard security software dedicated to the Mac OS X platform once thought to be immune to threats.


Mar 30

New OSX exploit due to Microsoft Office

A new wave of cyberattacks targeting computers running Apple's Mac OS X uses an old, already patched vulnerability in Microsoft Office for Mac to deliver malware.

Tech site CNET said that, while the vulnerability had already been fixed, this was the first time Microsoft Office documents have been used to exploit OS X systems.
“The vulnerability was patched soon after it was found, and currently all supported Office programs are well beyond these versions. However, malware developers are attempting to exploit unpatched systems. These efforts mark the first time Office documents have been used as a vehicle for attacks in OS X,” CNET reported.
It said the vulnerability had been detailed in a Microsoft security bulletin from June 2009 (MS09-027), affecting Office 2004 and 2008 for Mac and the Open XML File Format Converter 1.0.2 or earlier.
The attack uses a maliciously crafted Word file, most likely distributed via spam. When the document is opened, the exploit runs a shell script that writes the malware payload to disk and launches it, then displays a decoy Word document containing a poorly formatted political statement about Tibetan freedoms and grievances, so the victim sees nothing out of the ordinary.
So far, two malware variants have been observed being distributed via these malicious Word documents:
  • The first installs itself inside the Automator application bundle that ships with OS X, as a binary called "DockLight".
  • The second tries to mimic the system launcher "launchd" by installing a similarly named executable in the global Library directory, then creates a launch agent that keeps that binary running from the moment the computer starts.
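Both persistence mechanisms just described can be checked for directly on a suspect Mac. The script below is an added example, not code from CNET, Intego or the original post: it walks a root directory, parses every plist under Library/LaunchAgents and Library/LaunchDaemons, flags any job whose program is a launchd look-alike (the genuine launcher lives at /sbin/launchd) or sits directly in /Library, and lists any executable in Automator.app's MacOS folder other than Automator itself. The sample tree it builds is constructed, and the assumption that a clean Automator.app/Contents/MacOS contains only the Automator binary is the example's own.

```python
import os
import plistlib
import re
import tempfile

LAUNCH_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")
REAL_LAUNCHD = "/sbin/launchd"  # the genuine system launcher
LAUNCHD_LOOKALIKE = re.compile(r"launch[-_]?d", re.IGNORECASE)


def program_of(job):
    """Executable a launchd job runs: 'Program' wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def scan_launch_items(root):
    """Flag launchd jobs under <root>/Library/Launch{Agents,Daemons} that run a
    launchd look-alike or a binary placed directly in /Library."""
    findings = []
    for rel in LAUNCH_DIRS:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # a plist that will not parse is itself worth a look
                findings.append({"plist": path, "program": None, "reason": f"unparseable: {exc}"})
                continue
            prog = program_of(job)
            if not prog:
                continue
            reasons = []
            if LAUNCHD_LOOKALIKE.search(os.path.basename(prog)) and prog != REAL_LAUNCHD:
                reasons.append("launchd look-alike")
            if os.path.dirname(prog) == "/Library":
                reasons.append("binary directly in /Library")
            if reasons:
                if job.get("RunAtLoad") or job.get("KeepAlive"):
                    reasons.append("kept running by launchd (RunAtLoad/KeepAlive)")
                findings.append({"plist": path, "program": prog, "reason": "; ".join(reasons)})
    return findings


def scan_automator(root):
    """Executables inside Automator.app's MacOS folder other than Automator itself.
    Assumption of this example: a clean install has only the 'Automator' binary there."""
    macos_dir = os.path.join(root, "Applications/Automator.app/Contents/MacOS")
    if not os.path.isdir(macos_dir):
        return []
    return sorted(f for f in os.listdir(macos_dir) if f != "Automator")


def scan(root="/"):
    return {"launch_items": scan_launch_items(root), "automator_extras": scan_automator(root)}


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_root():
    """Constructed sample tree mirroring the two variants described above."""
    root = tempfile.mkdtemp(prefix="osx-ioc-")
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"]}
    lookalike = {"Label": "com.apple.launchd.helper",
                 "ProgramArguments": ["/Library/launchd"], "RunAtLoad": True, "KeepAlive": True}
    _write(os.path.join(root, "Library/LaunchAgents/com.example.updater.plist"), plistlib.dumps(benign))
    _write(os.path.join(root, "Library/LaunchAgents/com.apple.launchd.helper.plist"), plistlib.dumps(lookalike))
    _write(os.path.join(root, "Library/launchd"), b"#!/bin/sh\n# constructed stand-in for the fake launchd\n")
    _write(os.path.join(root, "Applications/Automator.app/Contents/MacOS/Automator"), b"\xce\xfa\xed\xfe")
    _write(os.path.join(root, "Applications/Automator.app/Contents/MacOS/DockLight"), b"\xce\xfa\xed\xfe")
    return root


if __name__ == "__main__":
    print(scan(build_sample_root()))
```

On the constructed tree the benign updater agent is ignored, the job pointing at /Library/launchd is reported with all three reasons, and DockLight shows up as the only extra file in the Automator bundle. Run `scan("/")` on a real machine to check the live system; a Library directory in a user's home folder is not covered here and would need the same walk over ~/Library/LaunchAgents.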