PwC Weekly Cyber Security
PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

In this issue:
Malware: Palo Alto Networks discovers macOS Trojan 'XAgentOSX'
Threats and vulnerabilities: Bug allowed theft of over $400,000 in Zcoins
Threats and vulnerabilities: A chip flaw strips away hacking protections for millions of devices
Top story: Hackers can steal millions of cars after discovering huge flaw in manufacturer's connected car apps

Malware
Palo Alto Networks discovers macOS Trojan 'XAgentOSX'

Palo Alto Networks discovered a backdoor trojan called XAgentOSX that can take screenshots from, examine files stored on, and log keystrokes sent to a macOS computer. XAgentOSX is said to be made by a group called Sofacy that uses the similarly named XAgent to steal information from Windows PCs.

XAgentOSX appears to be related to Komplex, another trojan that targeted computers running the operating system formerly known as OS X, the company said. Komplex was likely used by the malware's creators to install XAgentOSX, which has broader capabilities. Palo Alto Networks said it found "a loose connection to the attack campaign that Sofacy waged on the Democratic National Committee based on hosting data in both attacks."

So what information can XAgentOSX gather? Palo Alto Networks said that in addition to keylogging, the trojan can also be used to take screenshots or figure out whether a Mac has been used to back up an iOS device. The company said in a blog post that digging around for backups is particularly noteworthy:

"The 'showBackupIosFolder' command is rather interesting, as it allows the threat actors to determine if a compromised system was used to back up an iOS device, such as an iPhone or iPad. We believe this command is used to determine if a mobile device was backed up, and we speculate that the actors would use other commands within XAgent to exfiltrate those files."

Palo Alto Networks' report follows reports that malicious software has become more common on Macs. Apple's computers used to have a reputation of being virus-free, at least among general consumers, but the reality was that hackers were better served by targeting the more popular Windows devices. Now it seems that some attackers no longer want to participate in the platform wars: they are going to target people who use either operating system. Sophos said as much in the 2017 malware forecast released during the RSA Conference:

"Though Mac malware is comparatively rare, Macs aren't magically immune to cybercriminality. Even though Mac users aren't losing huge amounts of money to ransomware like their Windows counterparts, Mac malware is often technically sneaky and geared towards exfiltrating data or providing covert remote access to thieves -- something that could easily get companies in just as much trouble with regulators as with their customers. The bad guys gained plenty of traction with these attacks, and we expect more of it in 2017."

XAgentOSX certainly appears to be "more of it." Palo Alto Networks said its products have been updated to protect their users from the trojan. For everyone else, this is another reminder that the days of macOS being too high-effort/low-reward for hackers are over.

Source: http://www.tomshardware.co.uk/palo-alto-networks-macos-trojan,news-54868.html

Threats and vulnerabilities
Bug allowed theft of over $400,000 in Zcoins

An implementation bug has allowed someone to make a profit of more than $400,000 after creating roughly 370,000 units of the Zcoin cryptocurrency, users were told on Friday.

Zcoin (XZC), worth approximately $2 per unit, is an implementation of the Zerocoin protocol, which aims to provide fully anonymous currency transactions. Zerocoin has also been used to create a new protocol called Zerocash and the ZCash digital currency.

A typo in the code allowed an attacker to fraudulently obtain Zcoins. They managed to create roughly 370,000 coins and sold most of them for a profit of approximately 410 bitcoins ($435,000).

Zcoin representatives pointed out that the exploit was possible because of a bug in the code and not a cryptographic weakness, and that the anonymity provided by Zerocoin has not been compromised. Zcoin said the damage was "mostly absorbed by the markets."

"From what we can see, the attacker (or attackers) is very sophisticated and from our investigations, he (or she) did many things to camouflage his tracks through the generation of lots of exchange accounts and carefully spread out deposits and withdrawals over several weeks," said Zcoin's Reuben Yap.

Ian Miers, one of the founders of ZCash, has provided a likely explanation for what went wrong. Miers believes it was probably a bug that resulted from copying and pasting code.

The bug was addressed over the weekend, and pools and exchanges have been instructed to update their code. Zcoin said no coins will be forfeited or blacklisted, despite the severity of the hack.

Incidents involving cryptocurrencies are not uncommon. In June 2016, the value of the Ethereum digital currency plummeted after someone exploited a vulnerability in the DAO.

Source: http://www.securityweek.com/bug-allowed-theft-over-400000-zcoins

Threats and vulnerabilities
A chip flaw strips away hacking protections for millions of devices

For the last decade or so, hackers have faced a daunting challenge when they try to break into a computer: even when they get malicious code running on a victim's machine, they have to figure out where in the computer's memory that code has ended up. That's because a security protection used in Windows, Android, and every other modern operating system randomizes where programs run in a device's memory. It turns the process of digital intrusion into something like an attempt to burglarize a house in total darkness.

But now a team of Dutch researchers has found a technique that undermines that so-called address space layout randomization, creating the "You Are Here" arrow that hackers need to orient themselves inside a stranger's computer. That means any of the common memory corruption bugs found in software applications on a daily basis could lead to a much deeper takeover of a target PC or smartphone. And because the attack exploits not software but hardware, it leaves millions of devices at risk regardless of their operating system, and it can't be fully fixed with any mere software update.

It may also be as difficult to fix as it is easy to deploy. The VUSec technique exploits the deepest properties of the computer's hardware, the microprocessors made by companies including Intel, AMD, Nvidia, and Samsung. Making ASLR fully effective again, the researchers say, could require not just a quick operating system or browser update but also redesigning and replacing those chips.

Back in the ASLR

"Bugs are everywhere, but ASLR is a mitigation that makes bugs hard to exploit," says Ben Gras, a researcher at the Free University of Amsterdam who developed the attack along with his colleague Kaveh Razavi. "This technique makes bugs that weren't exploitable exploitable again. In some sense, it takes us back to the '90s in terms of security."

Their attack is particularly serious because attackers can pull it off with JavaScript alone, meaning that simply visiting a malicious website can trigger it; the research team, known as VUSec, released a demonstration video showing it running in a Firefox browser. "Nobody has done this before from the context of a web page," says Yossi Oren, a researcher at Ben Gurion University who specializes in microarchitecture security. "It's a very insidious and clever example of this class of attack."

Cracking the safe

The attack exploits the way microprocessors and memory interact. Processors have a component called a memory management unit (MMU) that translates the addresses a program uses into the places where its data actually sits in memory. To do that translation, the MMU constantly consults a directory called a page table.

The key to the VUSec hack is that the page-table entries the MMU reads get pulled into the processor's cache, a small chunk of memory that keeps frequently accessed information close to the computing cores, just like any other frequently used data. That makes the chip speedier and more efficient. But a piece of malicious JavaScript code running on a website can fill that cache with its own data too, pushing other entries out. And, crucially, it can at the same time watch how quickly the MMU is working. "By monitoring the MMU very closely, the JavaScript can find out about its own addresses, which it's not supposed to do," Gras says.

The VUSec researchers' attack turns the MMU's speed into a revealing clue. The attacking code evicts the cache one cache line at a time until it sees the MMU slowing down. That's a sign that whatever part of the cache got evicted held a chunk of the page table the MMU was looking for: the MMU slows down because it has to go back to the copy of the page table in ordinary random-access memory instead of finding it in the processor's cache.

The MMU has to perform four separate page-table lookups to find the physical address of any given piece of code. So the attack evicts the cache four times, ferreting out four places in the cache

A full fix will ultimately require replacing hardware, not software. Devices will need new chips with new architectures that separate the MMU and its page table from the processor's cache.
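The mechanism described above (a four-level page-table walk touches one entry per level, each entry sits in a cache line chosen by bits of the virtual address, and evicting that line slows the walk) can be followed in a small simulation. The block below is an added example written for this digest, not VUSec's code: it models x86-64 4 KiB paging with 64-byte cache lines and a 64-set, 4 KiB-indexed L1 data cache, replaces real timing with synthetic cycle counts, and idealises the attacker's buffer as spanning the whole 48-bit address space so that every stride it uses stays inside it. It shows the two steps that matter: finding the cache sets whose eviction slows the walk, then working out which set belongs to which level by sliding the accessed address, including the case where two levels' entries land in the same cache line.

```javascript
// Toy model of the VUSec ASLR-versus-cache idea. Constructed simulation for
// illustration: synthetic timings, idealised buffer, not the real attack code.

const PAGE_SHIFT = 12;       // 4 KiB pages
const LEVELS = 4;            // PML4, PDPT, PD, PT
const IDX_BITS = 9;          // 512 entries per page-table page
const PTES_PER_LINE = 8;     // 64-byte cache line / 8-byte entry
const LINES_PER_PAGE = 64;   // 4096 / 64; also the number of L1D sets assumed here
const VA_MASK = (1n << 48n) - 1n;

// Bit position of the 9-bit index field used at `level` (0 = PML4, 3 = PT).
function levelShift(level) {
  return PAGE_SHIFT + IDX_BITS * (LEVELS - 1 - level);
}

// Index of the page-table entry used at `level` for BigInt address `va`.
function levelIndex(va, level) {
  return Number((va >> BigInt(levelShift(level))) & 0x1ffn);
}

// Cache set holding that entry: its line offset inside the page-table page.
// It depends only on virtual-address bits, which is what makes the leak possible.
function pteSet(va, level) {
  return Math.floor(levelIndex(va, level) / PTES_PER_LINE);
}

// Simulated victim. `secretBase` is what ASLR hides; the attacker can only ask
// "evict cache set s, touch secretBase+delta, how long did that take?".
class SimulatedMachine {
  constructor(secretBase) { this.secretBase = BigInt(secretBase) & VA_MASK; }
  timeAccess(delta, evictedSet) {
    const va = (this.secretBase + BigInt(delta)) & VA_MASK;
    let cycles = 40;                                     // synthetic all-cached walk
    for (let l = 0; l < LEVELS; l++) {
      if (pteSet(va, l) === evictedSet) cycles += 100;  // that entry now comes from RAM
    }
    return cycles;
  }
}

// Step 1 (prime and probe): evict one set at a time, note which evictions slow the walk.
function findHotSets(machine, delta) {
  const hot = [];
  for (let s = 0; s < LINES_PER_PAGE; s++) {
    if (machine.timeAccess(delta, s) > 80) hot.push(s);
  }
  return hot;
}

// Step 2: attribute hot sets to levels. Moving the accessed address by k*8
// entries at level l moves only that level's entry by k lines, so the set that
// advances in lockstep with k is level l's. Eight slides rule out a set of
// another level mimicking the walk, even if that level carries over once.
const SLIDES = 8;
function recoverPteSets(machine) {
  const sets = [];
  for (let l = 0; l < LEVELS; l++) {
    const stride = BigInt(PTES_PER_LINE) << BigInt(levelShift(l));
    const hotPerSlide = [];
    for (let k = 0; k < SLIDES; k++) hotPerSlide.push(findHotSets(machine, stride * BigInt(k)));
    const candidates = [];
    for (let s = 0; s < LINES_PER_PAGE; s++) {
      let ok = true;
      for (let k = 0; k < SLIDES && ok; k++) ok = hotPerSlide[k].includes((s + k) % LINES_PER_PAGE);
      if (ok) candidates.push(s);
    }
    if (candidates.length !== 1) throw new Error(`level ${l}: ambiguous candidates ${candidates}`);
    sets.push(candidates[0]);
  }
  return sets;
}

// What the attacker now knows: the top 6 of each level's 9 index bits, i.e. 24 of
// the 36 index bits of the secret address. The low 3 bits per level are not
// leaked by this step.
function recoveredBits(sets) {
  let value = 0n, mask = 0n;
  for (let l = 0; l < LEVELS; l++) {
    const shift = BigInt(levelShift(l) + 3);            // set number = index >> 3
    value |= BigInt(sets[l]) << shift;
    mask |= 0x3fn << shift;
  }
  return { value, mask };
}

// Demo on a constructed secret address.
const secret = 0x7f1234567000n;
const m = new SimulatedMachine(secret);
const sets = recoverPteSets(m);
const { value, mask } = recoveredBits(sets);
console.log('entry cache set per level:', sets);
console.log('recovered bits:', value.toString(16), 'mask:', mask.toString(16));
console.log('consistent with secret:', (secret & mask) === value);
```

The simulation leaves out what makes the real attack hard: cache timings are noisy rather than a clean 40 versus 140 cycles, a browser gives JavaScript no direct eviction or high-resolution timing primitives, and the 3 low bits of each index (plus the page offset) still have to be recovered by other means. What it does show is why no software patch can close the channel: the sets that leak are fixed by the virtual address and by the cache geometry, not by anything the operating system or browser controls.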