It seems like this story starts back in late 2020, when [Marak] lost quite a bit in a fire, and had to ask for money on Twitter. Two weeks later, he tweeted that billions were being made off open source devs’ work, citing a FAANG leak. FAANG is a reference to the big five American tech companies: Facebook, Apple, Amazon, Netflix, and Google. The same day, he opened an issue on Github for faker.js, throwing down an ultimatum: “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”
If you find yourself feeling sorry for [Marak], there's one more wrinkle. He hasn't committed code to colors.js since February 2018. Another developer, [DABH], has been doing maintenance since then, up until the vandalism happened. All told, it's a mess. Both projects on NPM have been reverted to their unmolested releases, and will likely be replaced by official forks of the projects going forward.
The common wisdom is that while there are multiple iOS malware kits, produced by the likes of NSO Group, that malware can't actually defeat Apple's secure boot, so a phone reboot is enough to "uninstall" it. The problem with this is obvious once you hear it: you're trusting a compromised device to actually perform a clean reboot. Researchers at ZecOps have demonstrated the ability to interrupt the reboot process in what they're calling NoReboot. Their code hooks the shutdown routine and, instead of powering the device down, kills the user interface, which looks just like a shutdown. Once the power button is pressed again, the boot animation is played back, and finally a handy system command reboots userspace, so the phone appears to have rebooted while the malware never lost control. Watch the demo embedded below.
No problem, right? Just use the hardware force restart function: volume up, volume down, then hold the power button until you get the Apple logo. How long do you hold it? Until the logo shows up. Right: since the malware controls the display, it's trivial to show a fake Apple logo before the real forced reboot triggers, and you let go of the button too early. OK, so to know you get a true reboot you just pull the battery… Oh.
Microsoft Hacks MacOS
MacOS has a feature called Transparency, Consent, and Control (TCC) that handles permissions for individual apps. It's what prevents the calculator application from accessing the system's webcam, for instance. The per-user settings live in a SQLite database under the home directory, at ~/Library/Application Support/com.apple.TCC/TCC.db, with strict controls preventing apps from modifying it directly. Microsoft has announced the Powerdir vulnerability (CVE-2021-30970), which combines a couple of quirks to overcome that protection. The exploit is conceptually simple: create a fake TCC database, then change the user's home directory so that the spoofed database is now the active one. It's a little more complicated than that in practice, because a random app really shouldn't be able to remap the home directory.
They found two techniques to make the remap work. The first uses the directory services binaries, dsexport and dsimport: while changing the home directory directly requires root access, this export/import dance can be done as an unprivileged user. The second technique is to provide a malicious bundle to the configd binary, which amounts to a code-injection attack. It's interesting to see Microsoft continue to do security research targeting MacOS. Their motivation might be less than noble, but it really does help keep all our devices more secure.
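The practical takeaway from Powerdir is that TCC trusts whichever database sits under the home directory that Directory Services reports for the user, so a check has two halves: confirm the reported home is the expected one, and audit the grants in the database that is actually in effect. Here is that check as an added example; it is not Microsoft's or Apple's code. The `access` table it builds is a constructed, simplified subset of the real TCC.db schema (service, client, client_type, auth_value), and all sample rows, the `com.example.*` bundle IDs, and the `alice` account are made up for the demonstration. The `dscl` query only runs on macOS; everything else runs anywhere.

```python
"""Added example, not Microsoft's or Apple's code: detect a Powerdir-style
home-directory remap and audit the TCC database that is actually in effect.

Assumptions (not from the article): the 'access' table created below is a
constructed, simplified subset of the real TCC.db schema, and every row in it
is made up for this demonstration.
"""
import os
import pathlib
import sqlite3
import subprocess
import tempfile

# Per-user TCC database, relative to the home directory macOS resolves for the user.
TCC_DB_REL = "Library/Application Support/com.apple.TCC/TCC.db"

# Services worth reviewing first if a spoofed database is suspected.
SENSITIVE_SERVICES = {
    "kTCCServiceCamera",
    "kTCCServiceMicrophone",
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicyAllFiles",
}
AUTH_ALLOWED = 2  # auth_value that means "allowed" in the current TCC schema


def expected_home(username):
    """Where a normal local account's home directory lives."""
    return f"/Users/{username}"


def home_remapped(username, reported_home):
    """True when the home Directory Services reports is not /Users/<username>."""
    return os.path.normpath(reported_home) != expected_home(username)


def read_nfs_home(username):
    """Ask Directory Services for the live NFSHomeDirectory (runs only on macOS)."""
    out = subprocess.run(
        ["dscl", ".", "-read", f"/Users/{username}", "NFSHomeDirectory"],
        capture_output=True, text=True, check=True,
    ).stdout
    # dscl prints a single line: "NFSHomeDirectory: /Users/name"
    return out.split(":", 1)[1].strip()


def audit_tcc_db(home):
    """List (service, client) pairs granted for sensitive services in the TCC.db under *home*."""
    db_path = pathlib.Path(home) / TCC_DB_REL
    if not db_path.is_file():
        return []
    conn = sqlite3.connect(str(db_path))
    try:
        rows = conn.execute(
            "SELECT service, client FROM access WHERE auth_value = ?",
            (AUTH_ALLOWED,),
        ).fetchall()
    finally:
        conn.close()
    return sorted((svc, client) for svc, client in rows if svc in SENSITIVE_SERVICES)


def powerdir_check(username, reported_home):
    """Both checks in one report: is the home remapped, and what does the effective DB grant?"""
    return {
        "home_remapped": home_remapped(username, reported_home),
        "grants_in_effect": audit_tcc_db(reported_home),
    }


def make_demo_home(root):
    """Build a constructed 'home' containing a spoofed TCC.db (demo data only)."""
    db_path = pathlib.Path(root) / TCC_DB_REL
    db_path.parent.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(str(db_path))
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.evilapp", 0, AUTH_ALLOWED),
        ("kTCCServiceMicrophone", "com.example.evilapp", 0, AUTH_ALLOWED),
        ("kTCCServiceCamera", "com.apple.calculator", 0, 0),               # denied, ignored
        ("kTCCServiceAddressBook", "com.example.other", 0, AUTH_ALLOWED),  # not in the sensitive set
    ])
    conn.commit()
    conn.close()
    return str(root)


def demo_report(username="alice"):
    """Run the check against a throwaway remapped home; returns the report dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return powerdir_check(username, make_demo_home(tmp))


if __name__ == "__main__":
    print(demo_report())
    # On a real Mac: print(powerdir_check("alice", read_nfs_home("alice")))
```

On a real machine the interesting comparison is `read_nfs_home()` against `/Users/<name>`; a mismatch is not proof of Powerdir, since admins do relocate home directories, but it is exactly the condition under which the TCC.db you would normally inspect is no longer the one in effect.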
QNAP and UPnP
We've covered quite a few NAS vulnerabilities over the years, and I've noted several times that it really isn't wise to expose appliances like this to the internet. One suggested explanation for how so many of them end up exposed anyway was UPnP, and today we have some official confirmation that this is indeed part of the problem. In a new advisory, QNAP officially recommends turning off UPnP on QNAP devices. It seems like this should have been recommended quite some time ago, or better yet, that these devices should have shipped with UPnP disabled by default. I would go a step further, and suggest turning the feature off in your router, too, unless you know that you actually need it for something.
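Turning UPnP off is only half the job; the other half is confirming that nothing on the LAN still answers discovery, because any device that does can ask an IGD-capable router to open a port for it. The following SSDP probe is an added example, not QNAP's code or anything from the advisory. The M-SEARCH format and the ST, USN, LOCATION and SERVER headers are standard SSDP; the `SAMPLE_REPLY` is constructed so the parser can be exercised offline, and `discover()` needs a real network.

```python
"""Added example, not QNAP's code: check whether anything on the local
network answers UPnP/SSDP discovery, which is what a UPnP-enabled NAS or a
router with UPnP IGD switched on will do.

Assumption (not from the article): SAMPLE_REPLY is a constructed SSDP
response used to exercise the parser offline; the header names it uses
(ST, USN, LOCATION, SERVER) are standard SSDP headers.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_MARKER = "InternetGatewayDevice"

MSEARCH_TEMPLATE = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: {st}\r\n"
    "\r\n"
)


def build_msearch(st="ssdp:all"):
    """SSDP M-SEARCH request; 'ssdp:all' asks every UPnP device to respond."""
    return MSEARCH_TEMPLATE.format(st=st).encode("ascii")


def parse_ssdp_response(raw):
    """Turn an SSDP 'HTTP/1.1 200 OK' reply into a dict of upper-cased headers.

    Returns None for anything that is not a 200 reply (e.g. NOTIFY chatter).
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        if ":" not in line:   # tolerate malformed lines rather than abort the scan
            continue
        key, value = line.split(":", 1)
        headers[key.strip().upper()] = value.strip()
    return headers


def is_internet_gateway(headers):
    """True if the responder advertises the IGD profile, i.e. router-style port mapping."""
    return IGD_MARKER in headers.get("ST", "") or IGD_MARKER in headers.get("USN", "")


def summarize(addr, headers):
    """One tuple per responder: source IP, description URL, server banner, IGD flag."""
    return (addr, headers.get("LOCATION", ""), headers.get("SERVER", ""), is_internet_gateway(headers))


def discover(timeout=2.0):
    """Send one M-SEARCH and collect every reply until *timeout* (needs a real LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_GROUP)
    found = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append(summarize(ip, headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (made up for this example; not a capture from any real device).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 MiniUPnPd/2.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    print(summarize("192.0.2.1", parse_ssdp_response(SAMPLE_REPLY)))
    for entry in discover():
        print(entry)
```

Run it from a machine on the same subnet as the NAS and router. After UPnP has been disabled the NAS should simply stop appearing; an entry with the IGD flag set is the router still offering port mapping, which is the setting the advisory's advice extends to.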
If You Get a USB Drive in the Mail…
For goodness' sake, don't plug it in! It seems that a few companies didn't get that memo, as there has been a successful ransomware campaign by FIN7 using just this approach. The trick is that they include an official-looking letter, and maybe a gift card, tempting the recipient to plug in the USB drive to claim their loyalty reward. A 2020 campaign from the same group impersonated Best Buy, while this one claims to be from either Amazon or HHS.
You may have gathered that these flash drives are more than just flash storage. In fact, they seem to be BadUSB devices: small microcontrollers that enumerate as HID keyboards and send keystrokes to the computer. Once plugged in, they open PowerShell and run a malicious script, giving the attackers remote access. If you receive one of these, or a similar attack, call the FBI or your local equivalent. Reports from companies and individuals are what lead to warnings like this one.
The first round of Android updates for this year is out, and there's one standout issue, affecting a plethora of devices sporting Qualcomm Snapdragon chips. CVE-2021-30285 is a critical-rated vulnerability in Qualcomm's closed-source software. It's described as "Improper Input Validation in Kernel", but appears to be a memory management problem in the Qualcomm hypervisor. It's rated a 9.3 on the CVSS scale, but no other details are available at this time.
VMware's virtualization products have been patched against CVE-2021-22045, a heap-overflow vulnerability in their virtual CD-ROM device code. Exploitation could result in a VM escape and arbitrary code execution on the hypervisor host, a worst-case scenario for VM operators. The flaw rates a 7.7 on the CVSS scale, and thankfully a CD image must be actively attached to the VM for it to be exploitable, so the workaround is pretty easy: just remove the virtual CD drive or detach the image.