
There’s a new malware strain targeting macOS, Silver Sparrow, and it’s unusual for a couple of reasons. First, it’s one of the few pieces of malware that natively targets the new M1 ARM64 processors. Just a reminder, that is Apple’s new in-house silicon design. It’s unusual for a second reason: it isn’t doing anything. More precisely, while researchers have been watching, the command and control infrastructure never served a payload. Silver Sparrow has been positively identified on nearly 30,000 machines.

The malware also has an intentional kill switch: the presence of a particular file triggers complete removal of the malware package. Researchers at Red Canary point out that this package behaves very much like a legitimate program, which makes it difficult to pick out as malware. Ars Technica got an off-the-record statement from Apple, indicating that they are tracking the situation and have revoked the developer certificate used to sign the malware. It’s not entirely clear whether revoking the certificate stops the malware from running on already compromised machines, or only prevents new infections.

So who’s behind Silver Sparrow? The observed stealth and other complexities suggest that this is more than a simple adware or ransomware campaign. Since it was discovered before the payload was delivered, we may never know what the purpose was. It may have been a government-created campaign targeting something specific.

VMware RCE

The details of a VMware vulnerability were published this week, and the attack struck me as rather elegant. CVE-2021-21972 is a combination of two problems. The first is that the VMware web interface exposes an HTTP endpoint that doesn’t enforce user authentication. One of the functions of this endpoint is to accept an uploaded archive file and extract it into the /tmp directory. The second problem is that the extraction function didn’t sanitize the names of the extracted files. Hence, it was possible to craft an archive whose member names carry a path traversal, so extraction writes files outside the intended directory.

Here we have two very simple flaws which, put together, allow a completely unauthenticated actor to easily get arbitrary code execution on the machine running VMware. The attack works on Linux and Windows servers, with the expected platform-specific variations: the traversal only becomes code execution once the attacker can drop a file somewhere the server will act on it, and that location differs between the two.
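To make the second flaw concrete, here is an added example (not VMware’s code, and not from the original write-up) of the archive-extraction bug in miniature. It builds a constructed tar archive whose only member is named `../../escaped.txt`, runs it through an extractor that trusts member names the way the vulnerable code did, and then through a hardened extractor that resolves each destination and refuses anything that lands outside the target directory. The member name, the payload, and the temporary directory layout are all assumptions chosen for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_traversal_tar(member_name, payload):
    """Build an in-memory tar archive with a single file member.

    The member name is attacker-controlled; for this example it is a
    constructed traversal string such as '../../escaped.txt'.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_unsafe(archive_bytes, dest_dir):
    """The flawed pattern: join dest_dir with the member name and write.

    Nothing checks where the joined path actually resolves, so '..'
    components walk out of dest_dir. Returns the real paths written.
    """
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.join(dest_dir, member.name)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.realpath(target))
    return written


def is_within(base_dir, target_path):
    """True if target_path, fully resolved, lies inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(target_path)
    return os.path.commonpath([base, target]) == base


def extract_safe(archive_bytes, dest_dir):
    """Hardened extractor: reject absolute names, links, and any member
    whose resolved destination escapes dest_dir. Returns paths written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                raise ValueError(f"link member rejected: {member.name}")
            if os.path.isabs(member.name):
                raise ValueError(f"absolute member name rejected: {member.name}")
            target = os.path.join(dest_dir, member.name)
            if not is_within(dest_dir, target):
                raise ValueError(f"path traversal rejected: {member.name}")
            if member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(tar.extractfile(member).read())
                written.append(os.path.realpath(target))
    return written


def demo():
    """Run both extractors against the constructed archive.

    Returns (number of files the unsafe extractor wrote outside dest_dir,
    whether the safe extractor rejected the archive).
    """
    payload = b"constructed payload\n"
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "extract", "dir")  # stands in for /tmp/<extract dir>
        os.makedirs(dest)
        archive = build_traversal_tar("../../escaped.txt", payload)

        unsafe_paths = extract_unsafe(archive, dest)
        escaped = [p for p in unsafe_paths if not is_within(dest, p)]

        try:
            extract_safe(archive, dest)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        return len(escaped), safe_rejected


if __name__ == "__main__":
    print(demo())
```

The unsafe extractor writes the file two levels above the extraction directory; the safe one raises before touching the filesystem. The check that matters is the `realpath` plus `commonpath` comparison: normalizing `..` lexically is not enough once symlinks are in play, which is why the hardened version also refuses link members outright. On Python 3.12 and later, `tarfile.extractall(filter="data")` applies equivalent rules for you.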

Inside a Wireless Security System

Ever wonder just how secure a residential security system is? [Nick Miles] and [Chris Lyne], a pair of researchers from Tenable, wondered the same thing and decided to tear apart a SimpliSafe system, wringing out all of its secrets. They started with logic analyzers, and went as far as paying to have the chips decapped in order to recover the firmware.

The step-by-step process is worth reading, but the conclusion is that the system is relatively well put together. The one weak point they call out is that each device carries a fixed AES key that cannot be rotated, which is an attack surface that a proper key exchange would avoid.

For the curious, [Nick] did a detailed analysis of a Ring system just a few months back.

Proper Exploit Attribution, The Story of Jian

I’ve been known to be a bit skeptical when an attack or exploit is …read more

Source:: Hackaday