ISA is committed to keeping the security community up to date with the latest cybersecurity news.
New strain of Mac malware
The Mac world has not been hit as hard or as frequently as the Windows world when it comes to malware. That’s just one of the reasons the recent outbreak affecting Mac computers is particularly noteworthy. Another: while the attack presents itself as ransomware, its real focus may actually be on stealing data.
In late June, researchers identified a new type of malware – first dubbed EvilQuest, then renamed ThiefQuest – that is being bundled into pirated copies of name-brand software. Upon installation, the primary software appears to work fine, but behind the scenes a malware payload is quietly installed alongside it. In some cases, the malware behaves like ransomware: a few files are encrypted, and a “readme” text file is dropped in, demanding payment.
The ransom, however, is demanded in US currency (most ransom demands are made in cryptocurrencies such as Bitcoin), no contact information is provided for paying it, and the instructions offer no way of linking the victim to a decryption key for the scrambled files.
Puzzled by these incongruities, researchers at JAMF and Malwarebytes dug deeper and now believe that the clumsy ransomware attack is really a diversionary tactic to draw attention away from a data exfiltration engine that the malware also starts. This secondary component variously attempts to scan the infected computer, send data back to the attackers, install keylogger software, and drop code that stays resident on the infected machine as a backdoor for future attacks.
Fortunately, the malware has not yet been seen in authorized downloads or in independent phishing attacks; deployment appears to be limited to pirated copies of utilities and applications. This is one more reason to download software only through official channels or the Apple, Windows, and Android app stores, which reduces your exposure to this kind of attack.
Time running out for TikTok?
Popular streaming app TikTok is back in the crosshairs of the United States this week. On July 6, Secretary of State Mike Pompeo said Americans should avoid using TikTok unless they want their data “in the hands of the Chinese Communist Party.” President Donald Trump doubled down on these comments the following day, saying the United States is considering an outright ban on TikTok.
Concerns about the security of data on the application have swirled for over a year, making major headlines in January when researchers at Check Point published a report outlining a variety of significant security flaws. While parent company ByteDance reported that it had resolved the issues in late 2019, the potential for personal data to be harvested by hackers – or by the Chinese government – has lingered. These worries flared in late June when it was revealed that TikTok had been exploiting a known problem with iOS, allowing the application to surreptitiously read the clipboard on a user’s device.
In parallel, TikTok’s handling of data has repeatedly come into question. After settling a complaint from the American Federal Trade Commission (FTC) in January regarding the illegal collection of data from minors, TikTok is still involved in litigation over data handling that may have violated European privacy laws protecting minors. Throughout these legal issues, accusations have persisted that TikTok suppresses content at the behest of the Chinese government. TikTok has strenuously denied these charges.
Despite this, the app reached peaks of popularity as a distraction during the COVID-19 pandemic, with over 800 million users worldwide – and an estimated 120 million of those in India.
However, after a border skirmish with Chinese forces in June, the Indian government banned TikTok later that month, placing it at the top of a list of 59 Chinese-based apps that “pose a threat to sovereignty and security of our country [according to] several reports about mobile apps on Android and iOS platforms stealing and then surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India.” India’s Ministry of Electronics and Information Technology (MEITY) has issued a notice and a 79-point questionnaire to the developers of the apps, along with a deadline of July 22 for a response. Without satisfactory answers to the enquiries, the apps face permanent prohibition.
The Indian ban is thought to have, at least in part, spurred the American response to TikTok. While there has been no word from Canada with respect to shutting down the app, Australia is reportedly also considering removing access, both over security concerns and as a show of solidarity with the U.S. The United States and Australia already forbid TikTok among their military and defense personnel for security reasons.
The current moves to restrict access to TikTok may well have political motivations, but concerns remain about the security of the app and the data handling practices at ByteDance.
More news on Ripple20
As ISA Cybersecurity reported on July 10, the shockwaves of the Ripple20 vulnerability announcement are still being felt. A vendor-by-vendor summary is available online for affected customers to evaluate the risk to their operations. While some vendors have provided patches for their equipment in the form of firmware updates or software downloads, others are still assessing the scope of the problem and their response.
The Ripple20 set of vulnerabilities was first identified and reported by security research group JSOF, which has published a detailed report on the nature of the flaws. A handful of the bugs are particularly serious and could allow attackers to take complete control of an affected device. Because of the massive number of systems involved, companies of all sizes and in all industries are at risk.
All customers are urged to review their hardware inventories for devices that may be at risk from this zero-day vulnerability. Remediation for Ripple20 vulnerabilities can be complex, as many of the affected devices cannot be patched wirelessly, may be integrated with other dependent devices, or may no longer have support of any kind from their hardware manufacturers.
Contact ISA for assistance in analyzing and assessing your exposure, and developing a remediation plan.