This week on Threat Thursday, there’s a field day for long-running malware and thousands of print devices are still vulnerable online.
And while NetGear routers are also suffering a major vulnerability, Zoom at least continues to up its security game. Welcome back all - let’s jump in!
Shlayer Returnsh to Shtealthily Shabotage Your Mac’sh Operating Shyshtem
It seems like years ago that we last spoke of Shlayer, the Mac OS X malware with an uncomfortable pronunciation. Touted as Mac’s most malignant malware, 10% of its successful infections occur within the UK alone, making it one of the operating system’s most commonly encountered threats. It’s an advertising trojan which commonly hides within fake and disreputable software, scattering all kinds of adware across systems and even allowing for browser hijacking.
Shlayer’s latest campaign relies on Google ‘poisoning’, manipulating search results to direct users to dodgy links. In a blog post by Intego, they explain how searching for specific popular YouTube videos within Google search returns a number of malicious results, all of which go through multiple redirects before sending the user to a page claiming that their Flash Player is out of date. The user is then instructed to download the latest Flash Player update, which, of course, is little more than a false download housing the Shlayer malware.
Here’s where it all gets a little sloppy. Because the Shlayer developers didn’t make the effort to obtain an Apple Developer Account, the Mac OS immediately informs the user that the app may contain malware should they try to open it, and prevents immediate installation. Pre-empting this, the Shlayer developers instead encourage the user to ‘Control-click’ the link, which overrides system security and allows for the file to be opened – even though it still doesn’t prevent Apple’s stark warnings from displaying. As diversionary tactics go, this is the malware equivalent of shouting “Look behind you!” to somebody and then doing a runner while they’re distracted.
Furthermore, Shlayer might want to revise their choice of software installer. As we mentioned not a month ago, Flash will be defunct as of December this year, and Apple are said to be dropping support entirely from their next version of Safari. As awareness of Flash’s demise grows, Shlayer are merely lessening their pool of potential victims – not expanding it.
Sodinokibi - Now Making Smarter Sales Decisions!
Sodinokibi, this week’s other unfortunately named recurring villain, just became a whole lot more proficient thanks to the ‘Cobalt Strike’ malware.
Though Cobalt Strike is described as ‘paid penetration testing software’ over on Malpedia, it’s just as valuable to threat actors looking to exploit its command execution, privilege escalation and keylogging abilities. In the case of this Sodinokibi campaign, Cobalt Strike can be used to reduce the malware’s chances of being discovered once it oozes its way into a compromised system.
As revealed in Symantec’s in-depth report, Cobalt Strike is instrumental in what appears to be an incredibly large-scale ransomware campaign. This has seen Sodinokibi targeting major players across the catering, services and healthcare sectors, while adopting an all-new tactic of scanning systems for Point-of-Sales software.
This is an interesting new technique, and hints at some grand aspirations for the ransomware’s users. Not only are they specifically targeting large-scale organisations, but they’re potentially looking to ensure large payouts or volumes of data when they do so. Whether the PoS scanning is for the purpose of skimming card data, or for holding the service to ransom for a potentially higher payout, is yet to be concluded. Suffice it to say, any ransomware that can bring Travelex to its knees for two weeks – and pocket £4.6 million in the bargain – isn’t one to be trifled with.
Salacious Scenes as Thousands of Printers Willingly Expose Themselves Online
It’s old news to us at Mirus, but it’s a fact still unknown to millions worldwide: your print devices are often-exploited attack vectors that need strict protective measures. That fact was hammered home earlier this week by the Shadowserver Foundation, who’ve published an eye-opening report on worldwide print security.
In a scan of routable IPv4 addresses, Shadowserver discovered that as many as 80,000 printers were exposing their IPP port online on a daily basis. We promise that’s not as lewd as it sounds.
IPP, or Internet Printing Protocol, is the protocol that allows printing over a network, including the internet, to occur. Unprotected, it allows for the kind of infiltrations we’ve warned about numerous times on the Mirus blogs – allowing criminals to rifle through your personal files and even compromise a company infrastructure. It’s vital that these devices are protected with firewalls, a secure print solution and the proper setup by a trained IT or Managed Print professional.
If you’re old enough to remember the printers of old – little more than a paper feeder and an inkjet loaded with cartridges – remember also that modern-day printers are far more evolved. With hard drives, internet connectivity and on-board operating systems, they’re almost as capable as your desktop PCs – so treat them as such.
NetGear Exploit Enters That Awkward Teenage Phase
Ahh, yes, my teenage years. Awkward, volatile, and misunderstood; much like this latest Netgear router vulnerability. Now entering its 13th year, this exploit had covered 79 routers and 758 firmware versions before an older, wiser guardian caught wind of its shenanigans and gave it a much-needed clip around the ear.
In a blog released by cyber security experts Grimm (whose logo is rendered instantly cool by the inclusion of a red-eyed skull), Adam Nichols goes on to explain how a long-unnoticed bug in the web server allows malicious actors to potentially initiate a full router takeover.
Using terminology I understand roughly 3% of, Nichols says:
“In addition to lacking stack cookies, the web server is also not compiled as a Position-independent Executable (PIE), and thus cannot take full advantage of ASLR. As such, it’s trivial to find a ROP gadget within the httpd binary… that will call system with a command taken from the overflown stack.” I’ll take your word for that, Adam.
The long and short of all this is that a wide selection of NetGear routers will need an urgent firmware update. According to Grimm, NetGear were made aware of the issues at the beginning of May but – as you can imagine – fixing 79 routers and 13 years of firmware upgrades was never going to be an easy task, and fixes are ongoing.
Two of these fixes have already been released, with NetGear promising the remaining 77 in the coming weeks. ZDNet has a helpful list of all the affected routers, but be aware that some of these may well have entered their end-of-life period and won’t receive any dev support. If you’re a NetGear user, we strongly recommend researching your router type, lifespan and firmware version so you can take appropriate action.
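The two mitigations Nichols names, stack cookies and PIE, are things a firmware binary either has or lacks, and both can be checked before a vendor patch lands. The script below is an added example, not code from Grimm, Netgear or this blog: it reads the ELF header of an extracted binary to see whether it was linked as a position-independent executable (e_type ET_DYN rather than ET_EXEC) and does a cheap triage for the `__stack_chk_fail` import that `-fstack-protector` builds carry. `make_sample` fabricates a minimal stand-in binary so the check runs offline; it is a constructed header, not real router firmware.

```python
import struct
import sys

# ELF constants (from the ELF specification).
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
STACK_CHK_SYMBOL = b"__stack_chk_fail"

def parse_elf_header(data):
    """Return the few e_ident/e_type fields this triage needs."""
    if len(data) < 24 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"bits": 32 * ei_class, "little_endian": ei_data == 1,
            "e_type": e_type, "e_machine": e_machine}

def is_pie(data):
    """ET_DYN for a main executable means it was linked with -pie."""
    return parse_elf_header(data)["e_type"] == ET_DYN

def has_stack_protector(data):
    # A binary built with -fstack-protector imports __stack_chk_fail, so the
    # name appears in .dynstr; a substring search is a cheap first pass
    # (a stripped static binary could still carry canaries without it).
    return STACK_CHK_SYMBOL in data

def mitigation_report(data):
    hdr = parse_elf_header(data)
    return {"bits": hdr["bits"], "pie": hdr["e_type"] == ET_DYN,
            "stack_protector": has_stack_protector(data)}

def make_sample(e_type, with_canary_symbol=False, little_endian=True):
    """Constructed stand-in for a firmware httpd: a bare ELF64 header plus a
    fake .dynstr fragment. Only the fields the checks read are populated."""
    endian = "<" if little_endian else ">"
    e_ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)
    header = e_ident + struct.pack(endian + "HHI", e_type, 40, 1)  # e_machine is a placeholder value
    header += bytes(64 - len(header))
    dynstr = b"\x00libc.so.6\x00"
    if with_canary_symbol:
        dynstr += STACK_CHK_SYMBOL + b"\x00"
    return header + dynstr

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. binaries pulled out of a firmware image
        with open(path, "rb") as f:
            print(path, mitigation_report(f.read()))
```

A binary that reports `pie: False` and `stack_protector: False` is in the state the Grimm quote describes; a real triage would follow up with a proper ELF parser rather than the substring search.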
And Finally, Some More Good News – This Time For Zoom Users
Given the annus horribilis that is 2020, we decided to end last week on some good news. And I’m determined to make that a recurring theme, as this week I bring yet more news worth celebrating.
Zoom, the popular web conferencing app that doubles as a handy way to host socially-distanced pub quizzes, now offers end-to-end encryption to free and paid users.
Once only available to users of Zoom’s paid service, this end-to-end encryption now means anyone using the app’s services can enjoy basic privacy and security. No doubt, this is a response to ongoing criticism around Zoom’s security – which has something of a questionable history – but it at least demonstrates the company’s commitment to improving. This is the latest in some much-needed developments that bring Zoom’s security closer to the standards of Microsoft Teams.
And that’s your lot, folks! But we’ll no doubt be back next Thursday with more news, alerts and – hopefully – good developments from the world of cyber security.
In the meantime, why not sign up for our weekly alerts?
Simply stick your email address in the little box on the right ➡️ and we’ll send the latest edition directly to your inbox!