U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Critical OS X flaw could be exploited to steal data from Keychain

Security researchers at MalwareBytes have discovered a new variant of an adware installer that is leveraging an old trick to access the Keychain on MAC OS X In July, researchers at Malwarebytes have identified a local privilege escalation (LPE) vulnerability in the Mac OS X operating system. The experts discovered that the flaw in OS X was […]

Critical OS X flaw could be exploited to steal data from Keychain

Security researchers at MalwareBytes have discovered a new variant of an adware installer that is leveraging an old trick to access the Keychain on MAC OS X

In July, researchers at Malwarebytes have identified a local privilege escalation (LPE) vulnerability in the Mac OS X operating system. The experts discovered that the flaw in OS X was exploited in the wild by an installer for the Genieo and VSearch adware.

The crooks also installed MacKeeper and directed victims to the Apple App Store page of a file downloader dubbed Download Shuttle.

Despite Apple fixed the flaw on August 13 with the release of OS X Yosemite 10.10.5, a new version of the installer was discovered once again by experts at Malwarebytes reported seeing a new version of the previously analyzed installer. This time the new installer asks users to enter their admin password, after which it performs exactly the same operation of the first variant.

The researchers also another singular trick implemented by the installer, once executed it throws an installer request that asks for permission to access the user’s OS X keychain.

The new version of the installer automatically simulates a click on the “Allow” button as soon as it appears, in this way it gains access to the Safari Extensions List and then install a Genieo Safari extension. 
Malwarebytes has spotted the malicious code in almost every app installed by the Genieo installer at least since early June.
The process of installing a malicious extension and gain access to the OS X keychain is very rapid and it is not perceived by the user.
The Keychain alert is visible for a fraction of a second before the Allow button is automatically clicked.
“It looks like this Installer app is using this hack to gain access to the Safari Extensions List in the keychain, for the purpose of installing a Genieo Safari extension (named Leperdvil, in this case).This seems like an unnecessary hack, considering that Genieo installers have been installing Safari extensions for years. Perhaps it’s an attempt to get around changes to handling of Safari extensions in the upcoming El Capitan (OS X 10.11). More concerning, though, is the question of what’s to stop this adware from accessing other confidential keychain information… like, say, passwords?” wrote MalwareBytes researcher Thomas Reed.
The Keychain alert is visible for less than a second before the Allow button is automatically clicked so victims are unlikely to become suspicious.

The principal problem related to this hack is the access to the Mac OS X Keychain which is the password management system that is used to store sensitive information and user credentials.

Mac-adware-installer keychain alert

The experts highlighted that the adware could be improved to access users’ iCloud passwords and any other information stored in the keychain.

The identity management company MyKi also disclosed a method to hack the Keychain, its researchers also developed a proof-of-concept (PoC) exploit that can steal passwords from the Keychain and sends them to the attacker via SMS.

CSOonline published an interesting post on the topic, in particular, it reported further details on the attack provided by the researchers from the MyKi company.

A reader asked if this affected iOS as well as OSX. Jebara, one of the researchers confirmed that in the case the user opted for the iCloud Keychain, “then all passwords saved on the iOS device will also be extracted by the exploit. But the exploit will only execute on a OSX device meaning that it can only be run from a Mac.”

As for attack vectors, Jebara said that the following come to mind:

  • Direct Attack: Attacker that knows victim sends malicious file via email or something similar
  • P2P Attack: Attacker embeds payload in torrent file and distributes it
  • Website Post: Share on social media disguised as an intriguing article

Relatively elaborate potential vectors:

  • Intercept user download from website X via MITM, append payload to download and redirect download to user.
  • Get a low privilege shell on user computer (root privilege not needed) and execute payload.

 Pierluigi Paganini

(Security Affairs – KeyChain, Mac OS X)