Bundlore adware brings a new nest of risks to Mac users

A decade or so ago, many Mac users used to claim very confidently that anti-virus software would be wasted on them, “because Macs don’t get malware.”

They’d admit that Mac malware was theoretically possible, but point out that because they’d never run into any problems themselves – problems that they knew of, anyway – and had never heard a fellow Mac user asking for help with a malware attack, they’d decided to ignore the issue of rogue software entirely.

A few Mac fans went further than that, saying that Macs were immune to malware because they’re based on Unix – Unix, they’d say, couldn’t get viruses because the operating system was completely different from Windows internally, and was secure against malware by design.

The problem with definitive claims of this sort is that you only need a single example of Unix malware – what you might call an existence proof – to debunk the theory, such as the infamous Morris Worm that downed the internet back in November 1988.

Of course, we’ve written about Mac malware – including zombies, data stealers, ransomware and many other sorts of badware – many times since 1988.

Even Apple itself came to the anti-virus party back in 2009 when it introduced a rudimentary malware blocking tool called XProtect right into OS X (now macOS).

Whether you called it malware or not, there have long been “software actors” out there ready to go after Mac users in the same way that they’ve been going after Windows users for years.

Well, nothing has changed: although you’re probably more likely to get hit up with malicious or unwanted software on Windows, you aren’t free and clear just because you’re using a Mac.

In fact, SophosLabs has just published a fascinating new report about an adware threat known as Bundlore that has Mac users very clearly in its sights.

Bundlore itself isn’t new – Sophos products have been detecting an adware family by that name on both Windows and Mac since about 2015 – but the operators behind it are certainly keeping up with the times.

As the name suggests, Bundlore isn’t really one item of adware, but what SophosLabs likes to call bundleware – a software installer that lures you in, for example with promises of enabling you to “download, play and organise third party files, video, audio and other content.”

As you can see, the Mac version of the Bundlore installer, which arrives as a Mac DMG (disk image) file and presents itself as an app called WebTools, goes through a legitimate-looking licence acceptance process.

The licence explains that a lot of what happens next will depend on what various un-named “third parties” might get up to, in much the same way that a search engine warns you that it can’t vouch for the content of the pages it thinks you might be interested in.

For that reason, Bundlore isn’t detected by Sophos products as outright malware, but Bundlore installers are nevertheless blocked by default as PUAs, short for potentially unwanted applications, so that you won’t be taken by surprise.

For example, in the installation screen above, SophosLabs notes that if you decide to avoid the “Express install” above and go for a “Custom installation” – the presence of which sounds reassuring, as though you aren’t being forced into anything – then you don’t really end up opting out, after all:

As the report explains:

PUAs are among the most common privacy and security threats to macOS. Since they can potentially steal personal data and act as a pathway for malvertising and other malware, Sophos (and other endpoint protection products) block PUAs as a rule. Apple’s XProtect feature in MacOS also blocks known Bundlore payloads, and Apple revokes the developer signatures associated with them as well – blocking them from execution on […] macOS.

What you will learn

To learn just how risky this sort of innocent-on-the-surface bundleware can be, we urge you to read through the report, which deconstructs the techniques used by the Bundlore adware to alter your browsing experience in subtle and insecure ways.

Notably, recent versions of Bundlore for Mac simultaneously support both older and newer versions of Safari on the Mac, including browser plugins that work across all recent versions of macOS.

(Safari 13, which arrived with macOS 13, better known as Catalina, requires a different format for its browser plugins than Safari on older macOS versions.)

Remember that browser plugins work right inside the browser itself, so they get to see web requests before they go out, and web replies before they are processed for display.

That means they can snoop on and modify your web traffic despite the use of TLS encryption (what’s known as HTTPS, short for secure HTTP), because plugins operate before the encryption is applied to outbound traffic, and after the encryption has been stripped off from inbound traffic.

SophosLabs digs into the detail of two of these Bundlore plugins, called AnySearch and MyCouponSmart – the report unravels how these plugins work, written in a style that is technical enough to be insightful but not so technical that you need to be a web developer to understand the risks.

In particular, these plugins can hijack search results to earn affiliate credit for the Bundlore crew, alter search replies entirely to skew the results, and rewrite download links to fetch rogue content:

[A]dware operators are diversifying their sources of revenue. And, as demonstrated by the download link replacement behavior of these scripts, adware operators are finding new ways to leverage their control over web browsers’ content— and the result could be new privacy and security risks.

Be careful out there, folks!

(While you’re here, we’re happy to say that Sophos Home can block malware, PUAs and dodgy web downloads on Windows and Mac alike, for free.)


Microsoft promises to fix Windows 10 printer problem

Windows 10 updates released as part of last week’s Patch Tuesday appear to be making life hard for some printer users.

Problems after monthly updates are not unusual, but the numbers tend to be limited to subgroups of users.

It’s hard to tell how many people have encountered the latest glitch, but it was enough to register on Microsoft forums as well as in multiple threads on that great bellwether, Reddit. A typical error message ran something like:

Windows cannot print due to a problem with the current printer setup.

Numerous printer makers seemed to be affected. But other problems were reported too, ranging from application crashes and even the blue screen of death (BSOD), which hints at a deeper issue within Windows itself.

After several days of confusion, Microsoft has acknowledged the issue, describing it in the following terms:

After installing this update, certain printers might fail to print. The print spooler might throw an error or close unexpectedly when attempting to print, and no output will come from the affected printer.

It can also affect users printing to file formats such as PDF. No date for a fix has been set but the company said it was “working on a resolution” and would provide an update as soon as possible.

What is causing the problem?

That’s not clear but the issue overlaps with an earlier problem already acknowledged to affect users printing through a local USB port. However, the local print spooling issue seems also to affect users printing to network printers.

Who is affected?

The updates causing the trouble are KB4560960 for Windows 10 and Server 1903 (build 18362), 1909 (build 18363), and KB4557957 for the 2004 version (build 19041) released on 9 June.

Until Microsoft issues a fix, the only reliable way around the issue is to temporarily uninstall last week’s updates.

It’s also been reported that replacing the generic Windows HP PCL5 printer drivers with PCL6 might do the trick (downloaded for each printer manufacturer separately).

The print spooling issue can be bypassed by connecting a powered-on printer to a USB port before starting Windows.

The latest screw-up follows hot on the heels of May’s printer security vulnerability, PrintDemon.

Crypto founder admits $25 million ICO backed by celebrities was a scam

The Miami-based cryptocurrency firm Centra Tech was built on fairy dust and paid celebrity hoo-ha, but co-founder Robert Joseph Farkas is going to be doing real time in a real prison for the $25 million initial coin offering (ICO) rip-off.

An ICO is an unregulated fundraising technique with a dodgy reputation that’s used by blockchain companies, where cryptocurrencies like Bitcoin and Ethereum are used to purchase “tokens” from a startup. If the company takes off, they’ll theoretically be worth something. Centra Tech took off, all right, but only because its founders allegedly lied through their teeth.

Farkas – also known as RJ – pled guilty in Manhattan federal court on Tuesday to charges of conspiring to commit securities and wire fraud, according to the US Attorney’s Office for the Southern District of New York.

Sentencing hasn’t been scheduled yet. Farkas, 33, pled guilty to two charges, each of which carries a maximum sentence of five years in prison. Maximum sentences are rarely handed out, but Farkas agreed to serve between 70 and 87 months and a fine of up to $250,000 in a plea deal.

From Miami Exotics car rentals to shilling celebrities

Centra Tech’s founders included Farkas, who held different roles, such as chief marketing officer and chief operating officer. Co-defendant/co-founder Sohrab Sharma was in turns chief technology officer and president. Before Centra, third co-defendant/co-founder Raymond Trapani ran a credit-fixing business and liked to post pictures of luxury cars and stacks of $20 bills on his Instagram account.

None of them had any experience in virtual currency, but since when has that stopped anybody? According to prosecutors, the three men founded Centra Tech after working together at a luxury car rental company in Florida called Miami Exotics. In August 2017, the trio put up a site and released an announcement that described Centra as “The World’s First Multi-Blockchain Cryptocurrency Debit Card & Smart Insured Wallet”: an answer, they promised, to the proliferation of virtual currencies.

They offered a debit card – the Centra Card – that was purportedly based on Bitcoin, Ethereum, Litecoin and other cryptocurrencies. The card would supposedly enable users to spend their cryptocurrency “in real time” with no exchange, spend, or withdrawal fees as are generally charged by other companies. Users could purportedly use the Centra Card at establishments that accepted Visa or Mastercard payments.

Partnerships with Bancorp, Visa, and Mastercard? You can see why the money would have flowed in. It didn’t hurt that Centra hired celebrity social media influencers – including famed boxer Floyd Mayweather and music producer DJ Khaled – to shill for them.

[Image] Famed boxer Floyd Mayweather, helping young Miami guys get rich. IMAGE: Twitter

The Securities and Exchange Commission (SEC) was none too happy with endorsements like that. In November 2018, the SEC announced that it had fined both celebrities for failing to disclose the fact that Centra paid them to hype its ICO – the first such cases of that kind. Khaled failed to disclose that “game changer” Centra paid him $50,000 for his endorsement. Mayweather got $100,000.

A company built on moonbeams

Besides not disclosing that the celebrity endorsements were bought and paid for, Centra was built on these other lies:

  • They concocted fictional executives with imaginary credentials. Their purported CEO, Michael Edwards, was as real as his imaginary MBA from Harvard and his 20+ years of banking industry experience.
  • Those partnerships with Bancorp, Visa, and Mastercard to issue Centra Cards licensed by Visa or Mastercard? Pure baloney.
  • Centra Tech’s purported license to transmit money, among other licenses, in 38 states? It’s not that pants were merely on fire; they were sending off fireworks.

Based on these misrepresentations, prosecutors say, victims shelled out millions of dollars worth of digital funds to invest in Centra Tech tokens. By around October 2017, at the end of Centra Tech’s ICO, the fakery firm had raised digital currency worth more than $25 million. The DOJ say that during 2018, the funds hit a value of more than $60 million.

The house of cards fell apart on or about May 2018 and October 2018, when the FBI and the Southern New York Attorney’s Office seized 100,000 Ether units that victims had forked over to buy digital tokens issued by Centra Tech during its ICO.

The three co-founders were charged with lying to investors. Next up will be Farkas’s sentencing – not yet scheduled – as well as the trials of Sharma and Trapani, who are scheduled to appear in court in November.

Adobe drops slew of critical patches

Just when you thought you’d dealt with Patch Tuesday, Adobe sent you another one. The company released another set of patches for its products on Tuesday, 16 June 2020, a week after dropping its first set of fixes for the month.

This set of 19 patches affects six Adobe products. They’re almost all critical bugs (which may explain the company releasing these hot on the heels of the last lot). Aside from one, they all allow attackers to execute arbitrary code on a user’s machine.

Adobe Audition (its digital audio workstation that used to be Cool Edit Pro) got a fix for two critical CVEs, both of which allowed arbitrary code execution via an out-of-bounds write. Updating the software to the newest version, 13.0.7, makes these nasty bugs go away on both Windows and macOS.

The company also fixed three arbitrary code execution CVEs in Adobe Premiere Rush, a tool for creating videos and sharing them via social media. The bugs stem from out-of-bounds reads and writes. Upgrading to version 1.5.16 fixes the problem. The same CVEs affected the grown-up version of that tool, Premiere Pro. Update your Windows or macOS version to 14.3 and you can breathe easy.

There were more bugs in Adobe Illustrator 2020, the company’s graphical design and layout tool. Five CVEs spanned two vulnerability types: buffer errors and memory corruption. Version 24.2 fixes the bugs, which affect Windows and macOS.

Adobe After Effects, the company’s post-production special effects tool beloved of film titlers everywhere, suffered from five bugs of its own. If you want to fix those in post, as they say in the movies, you’ll have to download a new version of the software (17.1.1) for Windows or macOS.

Finally, Adobe Campaign Classic, its ‘conversational marketing’ tool, had an unpleasant message for users: an information disclosure bug stemming from an out-of-bounds read problem. This was the only bug in the batch that escaped a critical rating. Fix it by updating to version 20.2 of the program if you’re a Windows or Linux user.

Avon cosmetics suffers “cyber incident” – but was it ransomware?

Global direct-sales cosmetics company Avon has filed two reports with the US Securities and Exchange Commission in the past few days.

The reports are known as Form 8-K filings, used to advise investors about unplanned issues affecting a listed company – all the way from the resignation of a director to failing to meet a financial obligation.

Avon’s filings fall into what you might call Form 8-K’s catchall category, known simply as Other Events, and the first report, submitted on 09 June 2020, said simply:

[The Company] suffered a cyber incident in its Information Technology environment which has interrupted some systems and partially affected operations. The Company is evaluating the extent of the incident and working diligently to mitigate the effects, applying all efforts to normalize operations.

On 12 June 2020 Avon updated its situation by saying:

[The Company], after suffering the cyber incident communicated on June 9, 2020, is planning to restart some of its affected systems in the impacted markets throughout the course of next week. Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data. Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main ecommerce website does not store that information.

But what really happened, and just how far did the crooks get?

A boutique Polish cybersecurity audit and pentesting company called Niebezpiecznik, which is a play on words that very loosely translates as “security bypass” (literally, no safety fuse), has suggested it was down to ransomware:

Quoted tweet: Something bad happened at Avon [LINK] Staff and consultants are worried that their data was leaked. The issues may have started in mid-March.

Main text: Update. We’ve “confirmed” (not officially because we haven’t yet heard back from an official source) it’s ransomware. (DoppelPaymer.) The good news is that there aren’t any Avon data files on the criminals’ website (yet)…

You may have heard the name DoppelPaymer before – along with numerous other ransomware gangs including Maze and REvil, the crooks behind this one don’t just scramble your data, they steal copies of it first.

That gives them a double reason to hit you up for money: you’re not only paying for the decryption key (which you don’t actually need if you have a recent backup), but also for the crooks to keep silent about what they did.

The threat is that if you don’t pay up, the crooks will publish a choice selection of your data where the public can find it, and then alert the relevant authorities that you’ve suffered a data breach.

In other words, the crooks are blackmailing you on the basis that even if the stolen data isn’t super-secret or damaging in its own right, the leak itself nevertheless has the potential to harm your reputation with customers and cost you fines from the authorities.

A new take on ransomware

One obvious question at this point is, “If it was ransomware, why doesn’t Avon just say so?”

Well, the company has already formally and officially disclosed that it got breached, so whether this was down to ransomware or not is something of a side-issue at this point.

In fact, as we’ve regularly explained in Naked Security, many ransomware attacks turn out to be the final chapter in a sometimes lengthy series of malware infections, where each infection is used as the vehicle to implant the next.

For example, our threat response team, when called in to try to rewind a ransomware attack to figure out how it all came about, often find that the attack started with a strain of zombie malware – what’s usually called a bot, short for software robot – called Emotet.

As far as we can tell, the crooks behind Emotet aren’t themselves interested in logging your keystrokes, stealing your files or zapping you with ransomware.

Their “cybercrime niche”, if you can call it that, is essentially a B2B service where they offer pay-per-infection services to other crooks who are interested in going after you and your network.

In other words, even if a ransomware attack happens on your network – whether or not the actual data scrambling takes place – you might already have had crooks wandering around inside your business for weeks or even months.

What happened to Avon?

So, we don’t yet know what happened to Avon, and to be fair, the company itself probably isn’t sure either.

It’s easy to write off words such as “[we are] continuing the investigation to determine the extent of the incident, including potential compromised personal data” as an excuse not to open up about what really happened…

…but, in truth, it’s hard to be certain what happened after the fact, and we don’t think that any company would willingly choose “we still don’t quite know what happened” as an excuse for a cybersecurity incident.

What to do?

Remember that we still don’t know if there was any ransomware in the attack chain experienced by Avon, but we do know that crooks got into the network somehow, and that the extent of the breach still isn’t clear.

In other words, this isn’t so much about keeping ransomware out but about keeping out any threats that might ultimately lead to ransomware.

In quick form, we have five tips for you:

  1. Protect your system portals. Don’t leave RDP and other tools open where they aren’t supposed to be. The crooks will find your unprotected access points.
  2. Pick proper passwords. Don’t make it easy for crooks and their password guessing tools. Use 2FA wherever you can.
  3. Peruse your system logs. Crooks who permeate your entire network often use regular sysadmin tools but in irregular ways, and your logs will often give the game away. Don’t wait until after you know about an attack to go looking.
  4. Pay attention to warnings. Attack attempts where the crooks tried and failed could be reconnaissance for a future attack rather than an attack in their own right. (See point 3.)
  5. Patch early, patch often. Many crooks are still finding their ways into networks where old exploits still work. Don’t be the network where you could have been ahead of the crooks but weren’t.
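The following is an added example, not code from the article or from Sophos, showing what “peruse your system logs” and “pay attention to warnings” can look like in practice: a few simple checks run over constructed, Windows-style logon and process-creation records. Event IDs 4624, 4625 and 4688 are the real Windows Security event IDs for successful logon, failed logon and process creation, and logon type 10 is the real RemoteInteractive (RDP) type; the log format, host names, user names, IP addresses and the choice of “admin tools” and “business hours” are all assumptions made for this example.

```python
"""
Added example (not from the Naked Security article or from Sophos):
three log checks that map to the tips above, run over constructed data.

  1. RDP logons (event 4624, logon type 10) from outside the org's own
     address ranges  -> "protect your system portals"
  2. Bursts of failed logons (event 4625) from one source
                                -> "pick proper passwords" / "pay attention
                                   to warnings"
  3. Sysadmin tools (event 4688) launched outside business hours
                                -> "peruse your system logs"
"""
import ipaddress
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample log: timestamp | event id | user | source IP | detail
# (detail is the logon type for 4624/4625 and the process name for 4688).
SAMPLE_LOG = """\
2020-06-10T02:13:05 | 4625 | svc_backup    | 203.0.113.45 | 10
2020-06-10T02:13:07 | 4625 | svc_backup    | 203.0.113.45 | 10
2020-06-10T02:13:09 | 4625 | administrator | 203.0.113.45 | 10
2020-06-10T02:13:11 | 4625 | administrator | 203.0.113.45 | 10
2020-06-10T02:13:14 | 4625 | administrator | 203.0.113.45 | 10
2020-06-10T02:13:20 | 4624 | administrator | 203.0.113.45 | 10
2020-06-10T02:15:02 | 4688 | administrator | 203.0.113.45 | psexec.exe
2020-06-10T02:16:40 | 4688 | administrator | 203.0.113.45 | powershell.exe
2020-06-10T09:05:00 | 4624 | alice         | 10.0.0.12    | 2
2020-06-10T09:30:12 | 4688 | alice         | 10.0.0.12    | excel.exe
2020-06-10T10:02:33 | 4624 | bob           | 10.0.0.27    | 10
2020-06-10T10:10:00 | 4625 | bob           | 10.0.0.27    | 10
2020-06-10T14:00:00 | 4688 | itadmin       | 10.0.0.5     | powershell.exe
"""

# Assumed: the organisation's own address space (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPE = "10"                     # RemoteInteractive (RDP)
ADMIN_TOOLS = {"psexec.exe", "powershell.exe", "wmic.exe", "net.exe"}  # assumed list
BUSINESS_HOURS = range(7, 19)             # assumed 07:00-18:59 local time


class Event(NamedTuple):
    ts: datetime
    event_id: int
    user: str
    src_ip: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, user, src_ip, detail = [f.strip() for f in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), int(event_id),
                            user, src_ip, detail))
    return events


def is_external(ip: str) -> bool:
    """True if the address is outside the org's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events: List[Event]) -> List[Event]:
    """Successful RDP logons from outside the organisation (tip 1)."""
    return [e for e in events
            if e.event_id == 4624 and e.detail == RDP_LOGON_TYPE
            and is_external(e.src_ip)]


def password_guessing_sources(events: List[Event], threshold: int = 5) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed logons (tips 2 and 4)."""
    failures = Counter(e.src_ip for e in events if e.event_id == 4625)
    return {ip: n for ip, n in failures.items() if n >= threshold}


def offhours_admin_tools(events: List[Event]) -> List[Event]:
    """Admin tooling started outside business hours (tip 3)."""
    return [e for e in events
            if e.event_id == 4688 and e.detail.lower() in ADMIN_TOOLS
            and e.ts.hour not in BUSINESS_HOURS]


def triage(text: str) -> Dict[str, object]:
    """Run all three checks and return compact findings for review."""
    events = parse_log(text)
    return {
        "external_rdp": [(e.user, e.src_ip) for e in external_rdp_logons(events)],
        "guessing": password_guessing_sources(events),
        "offhours_tools": [(e.user, e.detail) for e in offhours_admin_tools(events)],
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the sample data the three checks together tell the story the article describes: five failed logons from one external address, then a successful RDP logon from the same address in the small hours, followed by PsExec and PowerShell being launched. Bob’s single failed RDP logon from an internal address and the IT admin’s afternoon PowerShell session are left alone, which is the point of keeping the thresholds and allow-lists explicit rather than flagging every admin tool you see.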

Of course, don’t forget the obvious – make sure you are using protection against intrusions and malware, including ransomware. Sophos Intercept X and XG Firewall are designed to work hand in hand to keep cybercriminals out of your business. Individuals can protect themselves with Sophos Home.
