Apple has been all over InfoSec news in the past week or so, along with Spectre / Meltdown developments, a tax season scam alert from the feds, and an apparent solution to the Winter Olympics’ hack whodunit. In addition, researchers warned about a new trend of using Memcached servers to significantly boost DDoS attacks, as GitHub became a victim of this new tactic.
Apple under siege
The second half of February was intense for Apple on the security front. A digital forensics vendor claimed having the ability to unlock all iPhone models, including the X, while a researcher warned about a Trojan targeting MacOs computers that’s not detected by anti-virus products. Oh, and Apple had to squash another one of those pesky bugs that let people crash iPhones via texting.
Forbes dropped a news bomb on Monday when it reported that Cellebrite recently started telling its customers — which are primarily government, military and corporate investigative teams — that it’s able to unlock and extract data from devices running iOS 11, such the iPhone X, as well as other iPhones, iPads and iPods.
While Cellebrite isn’t publicly trumpeting this capability, anonymous sources told Forbes that in recent months the company “has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe.”
As Forbes noted, Cellebrite has posted a brochure on its website where it details its ability to unlock these Apple products as well as several Android devices, and extract data from them. The way it works is that customers ship the devices to Cellebrite, where its engineers work their magic. Cellebrite can’t (or won’t) crack devices remotely.
Forbes also found a warrant that states that as part of an investigation, a research specialist from the U.S. Department of Homeland Security who received training from Cellebrite managed to extract data from a suspect’s iPhone X.
Apple has so far offered no commentary other than to say its customers should make sure they’re running the latest iOS version, which is 11.2.6, a version whose security Cellebrite claims it can circumvent.
In the meantime, the implications for the security and privacy of iPhone users are, needless to say, enormous, as are the concerns that whatever technique and knowledge Cellebrite may possess could fall into the hands of criminals, or be independently replicated by bad actors.
“Such a technique has ramifications for all users of Apple products. Because if Cellebrite has found a way to do this, the ability could also potentially be found by others — including law enforcement agencies and dodgy authoritarian regimes,” wrote security analyst Graham Cluley. “And if they haven’t discovered how to do it… well, they could always pay Cellebrite to do it for them.”
The situation also highlights the ongoing tug-of-war between tech vendors and law enforcement agencies, as the former resist watering down encryption on their products, while the latter argue they need access to devices and data for their investigations.
In a follow-up Forbes article on Thursday, Cellebrite’s marketing chief sought to calm fears about his company’s ability to crack iOS security, saying “there’s nothing inherent in the technology that means it’s open to misuse.”
Still, there’s a high level of concern among privacy and security experts. “All of us who’re walking around with this vulnerability are in danger,” Electronic Frontier Foundation’s senior staff attorney Adam Schwartz told Forbes.
MacOS targeted by RAT
Because when it rains it pours, a researcher has sounded the alarm that a nasty remote access Trojan that targets MacOS has been around apparently for almost two years and isn’t detected by AV tools.
The Trojan, called Coldroot, can, among other things, log keystrokes and steal passwords. Disconcertingly, anti-virus vendors apparently have ignored its existence even though the malware has been available on Github since late March 2016.
The warning comes from Patrick Wardle, chief research officer at Digita Security, who provided all the ugly details of the malware in a blog post.
As ZDnet explains: “The malware when activated can record and steal passwords, list files, rename and delete files, download and upload documents, remotely view the desktop in real time, and shut down the system.”
While AV vendors update their tools to detect Coldroot, Wardle advises MacOS users to upgrade to Sierra or High Sierra, which contain a feature that blocks the malware’s attempt to modify the operating system’s privacy database in order to gain accessibility rights.
Texts cause iCrash
Proving that bad things come in threes, Apple also had to patch a bug in several of its operating systems — including iOS, WatchOS, and MacOS — that caused app crashes and system malfunctions when a character representing a letter of India’s Telugu language was displayed.
Citing Apple’s brief technical description of the bug, Threatpost explained that the flaw occurred when affected Apple products processed a maliciously crafted string that could lead to a heap corruption. “A memory corruption issue was addressed through improved input validation,” the Apple advisory reads, according to Threatpost.
Memcached servers used for DDoS attacks
A troubling trend is emerging in which hackers are using unprotected Memcached servers to dramatically amplify the intensity of their DDoS attacks.
Reporting on Dark Reading, Jai Vijayan explains that the open source Memcached software is designed for use behind firewalls on internal networks to boost server performance. However, many organizations have made them available from the Internet. Bad actors are searching for these hosts and using them “to direct high-volume DDoS traffic at a victim.”
“The amplification factor with Memcached servers is hundreds of times larger than DNS,” Karsten Desler, CTO of DDoS mitigation service provider Link11, told Vijayan. “You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector.”
A high profile victim was GitHub. The popular software development platform got walloped on Wednesday by what’s being called the most intense DDoS attack ever.
GitHub said in a blog post that the attack knocked it completely offline for about five minutes, and intermittently for another four minutes. The first portion of the attack peaked at 1.35Tbps, and there was a second 400Gbps spike. The company said data wasn’t compromised.
Intel releases more Spectre / Meltdown patches, while Microsoft aids with distribution
After an initial failed attempt in January, Intel has released new versions of its Spectre Variant 2 microcode update for CPUs including Skylake, Broadwell and Haswell. The first iteration of those patches had to be pulled because they caused a raft of system problems, including constant reboots and data corruption.
Meanwhile, Microsoft announced this week additional efforts of its own to help distribute Spectre and Meltdown patches. As Tom Warren explains on The Verge, Microsoft plans to list the Intel firmware updates in the Microsoft Update Catalog, “which will help IT admins distribute these to systems.”
And IT admins need all the help they can get to manage the complex Spectre / Meltdown mitigation. As ZDNet’s Ed Bott reminds us, the process of protecting PCs and servers — and their software and applications — from these hardware vulnerabilities is far from straightforward.
“Repairing these flaws requires a series of updates to hardware and software, as well as coordination with developers of security software, where incompatibilities between updates can cause crashes and possible data loss,” Bott writes. “As a result, the process of protecting PCs from these potentially deadly attacks could take months, with a series of patches (and updates on top of updates) from multiple vendors.”
Qualys has been on top of the Meltdown / Spectre issue from the very start, dispensing advice and insight publicly in blog posts, news articles and webcasts, as the industry scrambles to deal with these vulnerabilities, which affect most Intel CPUs released in the past 20 years, as well as a smaller quantity of ARM and AMD CPUs.
Meltdown (CVE-2017-5754) provides access to all physical memory, including kernel memory, via a user mode, ring 3 process, so that “any process running in the system can access all the contents of physical memory,” Qualys Product Management Director Jimmy Graham said recently during a webcast.
Attackers could steal passwords, grab private keys and do whatever necessary to escalate their system privileges to administrator levels. “Anything that can be stored in memory can be accessed through Meltdown,” Graham said.
Meanwhile, Spectre (CVE-2017-5753, CVE-2017-5715) impacts Intel, AMD, and ARM CPUs by abusing branch prediction and speculative execution, resulting in data leakage from compromised processes.
It’s W-2 scam season
The U.S. Federal Bureau of Investigation (FBI) is alerting taxpayers and employers about phishing scams involving W-2 forms, in which criminals attempt to obtain this confidential data to submit fraudulent tax returns and receive refunds.
According to the FBI, there’s been a spike in these email scams since January 2017. “This scam is just one of several new variations of IRS and tax-related phishing campaigns targeting W-2 information, indicating an increase in the interest of criminals in sensitive tax information,” reads the FBI’s announcement.
The U.S. Internal Revenue Service (IRS) issued its own warning in January, outlining how the scam usually works: “Using a technique known as business email compromise (BEC) or business email spoofing (BES), fraudsters posing as executives send emails to payroll personnel requesting copies of Forms W-2 for all employees.”
Having obtained the employee’s name, address, Social Security number, income and withholdings, “criminals use that information to file fraudulent tax returns, or they post it for sale on the Dark Net,” the IRS warned.
Both the FBI and IRS alerts provide scam-prevention tips and best practices for employers and individuals.
In other InfoSec news …
- Ethical hackers are leaving friendly alerts for cloud workload administrators whenever they find Amazon AWS cloud storage servers that aren’t properly secured and thus expose confidential customer and business data via the Internet, according to the BBC. One such alert reportedly read: “Please fix this before a bad guy finds it.”
- In related news, security vendor HTTPCS analyzed about 100,000 AWS storage buckets and said this week that it found 10% were public, including almost 6% that contained readable files, allowing for data leakage, and 2% that weren’t write-protected, opening the door for data tampering and other attacks, like ransomware.
- Drupal patched several vulnerabilities on versions 7 and 8 of its web publishing platform, including two critical ones that if exploited “could lead to cross-site scripting errors under certain circumstances,” according to ZDNet.
- The U.S. government says Russia carried out the hacks that disrupted the opening ceremony of the Winter Olympics in South Korea, while trying to make it seem like North Korea was to blame, according to the Washington Post. At the time of the cyber attack, officials confirmed that hackers knocked out the games’ website for 12 hours, which prevented people from printing tickets, and disabled WiFi service at the stadium.