Facebook query packs detect Hacking Team malware on Mac OS X

Facebook releases query packs for finding possible malware infection, including the malicious exploits used by the Hacking Team to hack Mac OS X.

The Hacking Team hack revealed to the IT industry the “weapons” used by the Italian firm to compromise practically every system. Security experts who analyzed the material leaked online discovered the exploits used by the surveillance firm to hack its targets and serve its RCS surveillance malware.

While researchers at Rook Security have released the free tool Milano that is able to detect the presence of HackingTeam malware on target systems, Facebook announced the distribution of some “query packs” for detecting Hacking Team spyware on Mac OS X systems.

Facebook is going to release on its code page query packs that would allow experts to search for signs of Hacking Team infection on Mac OS X systems.

“Query packs help you group queries by function or problem domain into files that are easy to download, distribute, and update. Network security monitoring has had this concept for ages (e.g., Emerging Threats), and now we’re bringing it to a free, performant host instrumentation platform. Query packs utilize osqueryd’s existing query scheduler. Queries within the pack are executed on a defined, configurable interval, so you’ll receive data differentials and alerts for changes that matter to you,” reports the Facebook code page.

The query packs, released by Facebook as part of its security defense measures, could be used by administrators to collect data on the state of their hosts and ask questions of that data to uncover potential security threats.

Facebook has recently provided an update to extend protection against some critical Apple Mac and iPhone vulnerabilities.

“Attackers continue to develop and deploy Mac OS X backdoors. We’ve seen this with Flashback, IceFog, Careto, Adwind/Unrecom, and most recently, HackingTeam. The OS X-attacks pack has queries that identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, it means a host in your Mac fleet is compromised with malware. This pack is high signal and should result in close to zero false positives.” states Facebook in a blog post under the section “Mac OS X attacks”.

Security experts can also create their own query packs to group specific sets of queries against particular datasets, including ones related specifically to Mac OS X machines.

Javier Marcos, a security engineer at Facebook, explained that the query pack includes queries that are able to detect Hacking Team intrusions on targeted Mac OS X systems.

“For the recent HackingTeam OS X backdoor, here are some queries we include that can help identify its presence in your infrastructure:”

select * from file where path = '/dev/ptmx0';
select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';
select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';

Facebook users can simply create their own queries to identify other cyber threats menacing their systems.
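To make the pack mechanism described above concrete, here is an added example (written for this article, not Facebook's or osquery's own code) that wraps the three HackingTeam queries quoted above in osquery's JSON pack layout and runs them against constructed sample rows in SQLite, the same SQL engine osquery uses. The pack name, query names, intervals and every sample row are assumptions made for the example; only the three SQL statements come from the article.

```python
"""Added example: build an osquery-style pack from the three HackingTeam
RCSMac queries in the article and exercise it against constructed data."""
import json
import sqlite3

# osquery pack layout: a "queries" object whose entries carry the SQL, a
# schedule interval in seconds, and a description. The pack-level platform,
# the query names and the 3600s interval are assumptions for this example.
HT_PACK = {
    "platform": "darwin",
    "queries": {
        "ht_rcsmac_ptmx0": {
            "query": "select * from file where path = '/dev/ptmx0';",
            "interval": 3600,
            "description": "RCSMac backdoor device node",
        },
        "ht_rcsmac_bundle": {
            "query": ("select * from apps where bundle_identifier = 'com.ht.RCSMac' "
                      "or bundle_identifier like 'com.yourcompany.%' "
                      "or bundle_package_type like 'OSAX';"),
            "interval": 3600,
            "description": "RCSMac application bundle markers",
        },
        "ht_rcsmac_launchd": {
            "query": ("select * from launchd where label = 'com.ht.RCSMac' "
                      "or label like 'com.yourcompany.%' "
                      "or name = 'com.apple.loginStoreagent.plist' "
                      "or name = 'com.apple.mdworker.plist' "
                      "or name = 'com.apple.UIServerLogin.plist';"),
            "interval": 3600,
            "description": "RCSMac persistence via launchd",
        },
    },
}


def pack_json():
    """Serialize the pack the way it would be dropped into osquery's packs dir."""
    return json.dumps(HT_PACK, indent=2)


def sample_host(compromised):
    """In-memory stand-in for the osquery file/apps/launchd tables.
    All rows are constructed for this example, not captured from a real host."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table file (path text);
        create table apps (name text, bundle_identifier text, bundle_package_type text);
        create table launchd (path text, name text, label text);
    """)
    # Benign baseline: a normal pty master node, a stock app, a stock agent.
    db.executemany("insert into file values (?)", [("/dev/ptmx",), ("/dev/null",)])
    db.execute("insert into apps values ('Safari', 'com.apple.Safari', 'APPL')")
    db.execute("insert into launchd values (?, ?, ?)",
               ("/Library/LaunchAgents/com.apple.mdworker_shared.plist",
                "com.apple.mdworker_shared.plist", "com.apple.mdworker_shared"))
    if compromised:
        # Constructed artifacts matching the article's indicators.
        db.execute("insert into file values ('/dev/ptmx0')")
        db.execute("insert into apps values ('Updater', 'com.yourcompany.Updater', 'APPL')")
        db.execute("insert into launchd values (?, ?, ?)",
                   ("/Library/LaunchAgents/com.apple.mdworker.plist",
                    "com.apple.mdworker.plist", "com.apple.mdworker"))
    return db


def run_pack(db, pack=HT_PACK):
    """Execute every query in the pack and return {query_name: row_count}.
    Per the Facebook post, any non-zero count in this pack is a detection."""
    hits = {}
    for name, spec in pack["queries"].items():
        hits[name] = len(db.execute(spec["query"]).fetchall())
    return hits


if __name__ == "__main__":
    print(pack_json())
    print("clean host:      ", run_pack(sample_host(False)))
    print("compromised host:", run_pack(sample_host(True)))
```

Two details worth noting when adapting this: osquery's real `file` table needs a `path` (or `directory`) constraint in the WHERE clause, which the first query supplies, and `like` in osquery is SQLite's case-insensitive `like`, so the `com.yourcompany.%` pattern matches regardless of bundle-identifier casing.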

Pierluigi Paganini

(Security Affairs – Facebook, Hacking Team)