Monthly Archives: January 2019

New Mac malware steals cookies, cryptocurrency and computing power

A new piece of Mac malware is looking to steal both the targets’ computing power and their cryptocurrency stash, Palo Alto Networks researchers warn.


About the CookieMiner malware

Dubbed CookieMiner on account of its cookie-stealing capabilities, this newly discovered malware is believed to be based on DarthMiner, another recently detected Mac malware that combines the EmPyre backdoor and the XMRig cryptominer.

Like DarthMiner, CookieMiner uses the EmPyre backdoor for post-exploitation control. The agent checks whether the Little Snitch application firewall is running on the victim’s host and, if it is, stops and exits. It can also be configured to download additional files.

The mining software mines Koto, a Zcash-based anonymous cryptocurrency associated with Japan.

But the most interesting thing about CookieMiner is that it is capable of stealing:

  • Chrome and Safari browser cookies associated with popular cryptocurrency exchanges and wallet service websites (Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, etc.);
  • Usernames, passwords and credit card credentials saved in Chrome;
  • Cryptocurrency wallet data and keys; and
  • iPhone’s text messages (if backed up on the Mac).

“If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login. However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods,” the researchers explained.

To get past login flows that involve two-factor authentication, CookieMiner also tries to steal the text messages that deliver the second authentication factor.
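The quoted explanation is the crux of the attack: a website that trusts a presented authentication cookie as proof of an already-verified session will not re-challenge the user, so credentials plus cookie look like a normal return visit. The following is an added illustration, not code from the article or from Palo Alto Networks, of one server-side mitigation: binding each issued session cookie to the client context it was issued to (here a hash of the User-Agent and the client's /24 network prefix) and forcing a fresh second factor when the same cookie arrives from a different context. The class and function names, the HMAC-tagged cookie layout and all sample values are constructed for this example; a real deployment would choose its binding signals and tolerance according to its own user base.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    mfa_verified: bool
    ua_hash: str
    ip_prefix: str


class SessionStore:
    """Constructed example of a server-side session store that binds each
    authentication cookie to the client context that obtained it.

    bind_context=False reproduces the naive behaviour described in the
    article: any holder of the cookie inherits the authenticated session.
    """

    def __init__(self, secret: bytes, max_age: float = 3600.0, bind_context: bool = True):
        self._secret = secret
        self._max_age = max_age
        self._bind_context = bind_context
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _fingerprint(user_agent: str, client_ip: str) -> tuple[str, str]:
        ua_hash = hashlib.sha256(user_agent.encode("utf-8")).hexdigest()
        # Bind to the /24 so an address change inside the same network
        # (e.g. DHCP renewal) does not force a re-authentication.
        ip_prefix = ".".join(client_ip.split(".")[:3])
        return ua_hash, ip_prefix

    def _tag(self, token: str) -> str:
        return hmac.new(self._secret, token.encode("ascii"), "sha256").hexdigest()

    def issue(self, user: str, user_agent: str, client_ip: str, mfa_verified: bool) -> str:
        """Create a session and return the cookie value 'token.tag'."""
        token = secrets.token_urlsafe(32)  # contains no '.', so split() below is safe
        ua_hash, ip_prefix = self._fingerprint(user_agent, client_ip)
        self._sessions[token] = Session(user, time.time(), mfa_verified, ua_hash, ip_prefix)
        return f"{token}.{self._tag(token)}"

    def mark_mfa_verified(self, cookie: str) -> None:
        """Called after the user completes a fresh second-factor challenge."""
        token = cookie.split(".", 1)[0]
        if token in self._sessions:
            self._sessions[token].mfa_verified = True

    def check(self, cookie: str, user_agent: str, client_ip: str) -> str:
        """Validate a presented cookie. Returns 'ok', 'invalid', 'expired' or 'step_up'."""
        try:
            token, tag = cookie.split(".", 1)
        except ValueError:
            return "invalid"
        # Reject tampered cookies before touching the store (constant-time compare).
        if not hmac.compare_digest(tag, self._tag(token)):
            return "invalid"
        sess = self._sessions.get(token)
        if sess is None:
            return "invalid"
        if time.time() - sess.created > self._max_age:
            del self._sessions[token]
            return "expired"
        if self._bind_context:
            ua_hash, ip_prefix = self._fingerprint(user_agent, client_ip)
            if ua_hash != sess.ua_hash or ip_prefix != sess.ip_prefix:
                # Same cookie, different client context: treat as suspected
                # session theft and demand a fresh second factor. The flag is
                # cleared on the session itself, so the legitimate holder is
                # challenged too, which is the desired outcome.
                sess.mfa_verified = False
                return "step_up"
        if not sess.mfa_verified:
            return "step_up"
        return "ok"


def demo() -> list[str]:
    """Replay the scenario from the article with constructed client contexts."""
    victim_ua, victim_ip = "Mozilla/5.0 (Macintosh) Safari/605.1", "203.0.113.10"
    thief_ua, thief_ip = "python-requests/2.21", "198.51.100.5"
    store = SessionStore(b"constructed-demo-secret")
    cookie = store.issue("victim", victim_ua, victim_ip, mfa_verified=True)
    return [
        store.check(cookie, victim_ua, victim_ip),  # legitimate return visit
        store.check(cookie, thief_ua, thief_ip),    # stolen cookie replayed elsewhere
        store.check(cookie, victim_ua, victim_ip),  # victim is now challenged as well
    ]


if __name__ == "__main__":
    print(demo())
```

With `bind_context=False` the second call returns `"ok"`, which is exactly the condition the researchers describe; with binding enabled the replay is downgraded to a step-up challenge. Note that this does not stop the SMS-theft part of the attack, which is why the researchers' point about the low success rate rests on the second factor rather than on the cookie alone.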

How worried should Mac users be?

Jen Miller-Osborn, Deputy Director of Threat Intelligence (Unit 42) at Palo Alto Networks, told Help Net Security that they do not know whether the attackers wielding the malware have been successful, but that they believe the chance of successfully bypassing multi-factor authentication for these sites with this approach is very small.

Another unknown is how the malware is delivered to victims. The researchers believe that, as in DarthMiner’s case, users are tricked into downloading the malicious software (i.e., they believe they are downloading legitimate software or a pirated version of a legitimate app).

Palo Alto Networks has released indicators of compromise and C&C information that can help users and administrators detect active infections.

from Help Net Security – News

Update now! Chrome and Firefox patch security flaws

It’s 2019’s first browser update week with both Google and Mozilla tidying up security features and patching vulnerabilities in Chrome and Firefox for Mac, Windows, and Linux.

But for Chrome security in version 72, it’s more about what’s being taken out than what’s being added.

One of these changes is the deprecation of support for the obsolete TLS 1.0 and 1.1 protocols, with a view to removing support completely in Chrome 81, scheduled for early next year (the same will apply to Firefox, Microsoft Edge and Apple’s Safari). This will affect developers rather than users, who will still be able to connect to the tiny number of sites using TLS 1.0/1.1 for another year.

However, one standard that is completely banished in Chrome 72 is HTTP-Based Public Key Pinning (HPKP), deprecated from version 67 last May.

An IETF security standard designed to counter digital certificate impersonation, HPKP’s problem wasn’t obsolescence so much as doubts about the unintended problems it could cause. Consequently, uptake was low.

Also on the slippery slope is FTP, which Google considers a legacy protocol that it is time to migrate away from. The latest version will only render directory listings; any other FTP resource is downloaded rather than displayed.

An interesting tweak is the integration of WebAuthn APIs to allow users to authenticate using FIDO U2F keys and Windows Hello. Although these are still not enabled by default – and no major websites offer WebAuthn in anything other than a test state – it is a necessary stage towards enabling this by default in a future release.

from Naked Security – Sophos