At a glance.
- New iOS jailbreak released.
- Bluetooth impersonation attack.
- Turla's using a new ComRAT variant.
- Silent Night builds on ZeuS's code.
New iOS jailbreak released.
A group of researchers on Saturday released an iOS jailbreak, Unc0ver 5.0.0, that reportedly works on devices running the most recent version of iOS. Notably, the jailbreak is said to use a zero-day flaw in the kernel to achieve root access. ZDNet notes that most jailbreaks, particularly in recent years, have used known vulnerabilities that have already been patched.
Apple by default gives users limited control over the operating system, requiring them to install vetted apps through the official App Store. A jailbreak is a software tool that allows users to bypass those restrictions and gain root access on the device, usually by exploiting vulnerabilities in the operating system. This grants users access to parts of the system that are otherwise restricted, and enables them to install apps from third-party sources, but it also generally opens the device up to serious security risks.
In this case, the researchers haven't disclosed the vulnerability they used, and the jailbreaking software isn't open-source. As a result, the jailbreak will probably remain effective until Apple itself discovers the vulnerability and issues a patch. Unc0ver's lead developer, who goes by "Pwn20wnd," estimates that this will take at least two to three weeks, according to Motherboard.
Interestingly, the researchers claim that the latest version of Unc0ver "preserves security layers designed to protect your personal information and your iOS device by adjusting them as necessary instead of removing them." AppleInsider and others stress that this claim hasn't been independently verified, and that for the vast majority of users the security risks and technical challenges associated with jailbreaking outweigh the benefits.
Bluetooth impersonation attack.
Researchers Daniele Antonioli, Kasper Rasmussen, and Nils Ole Tippenhauer discovered a Bluetooth vulnerability that can allow "an attacker to impersonate a device and to establish a secure connection with a victim, without possessing the long term key shared by the impersonated device and the victim." In other words, an attacker can connect to a victim while posing as a device the victim has already paired with, without ever having observed that pairing or learned the key it produced.
When two Bluetooth devices pair, they establish a shared long-term key that each side uses to prove its identity in later connections. An attacker can spoof one device's address, but without the shared key they shouldn't be able to pass that proof. The researchers found several weaknesses in the Bluetooth standard, stemming from a "lack of integrity protection, encryption, and mutual authentication," that let an attacker subvert this process.
The attacker first collects information about the two paired devices, such as their addresses, by eavesdropping on the unencrypted portion of connection establishment. The attacker then jams the connection so that the devices disconnect and reconnect. At this point the attacker impersonates one of the devices; in principle, not holding the long-term key should prevent the other device from completing the connection. However, the researchers found that in every case they tested, only the device requesting the connection verified that its peer possessed the long-term key; the requested device never challenged the requester. As a result, an attacker can impersonate the requesting device and connect to the requested device without knowing the key. The attacker can also request a role switch in order to run the same attack against the device that was being impersonated.
The researchers explain that this attack stems from the fact that "the Bluetooth standard does not require to use the legacy authentication procedure mutually during secure connection establishment." They tested twenty-eight unique Bluetooth chips from top manufacturers on thirty-one different devices, all of which were found to be vulnerable. The attacks involve Bluetooth's standard authentication process, so any standard-compliant Bluetooth device can be assumed vulnerable.
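To make the flaw concrete, here is a small model of the one-sided authentication described above. It is an added example, not code from the researchers or from any Bluetooth stack: HMAC-SHA256 stands in for the standard's E1 challenge-response function, the link key and addresses are constructed sample values, and the "role switch" is reduced to handing the verifier role to the responder before authentication. The point it demonstrates is that when only the verifier checks the other side, an attacker who spoofs an address and never holds the key succeeds whenever it can occupy the verifier role, and that requiring both sides to authenticate closes that path.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values: two paired devices sharing one long-term (link) key.
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ADDR_A = bytes.fromhex("aabbccddeeff")  # the device the attacker will impersonate
ADDR_B = bytes.fromhex("001122334455")  # the victim that the attacker connects to


def auth_response(link_key: bytes, challenge: bytes, claimant_addr: bytes) -> bytes:
    """Challenge-response function. Assumption: HMAC-SHA256 stands in for
    Bluetooth's E1; the real algorithm differs but plays the same role."""
    return hmac.new(link_key, challenge + claimant_addr, hashlib.sha256).digest()[:4]


class Device:
    def __init__(self, addr: bytes, link_key: Optional[bytes]):
        self.addr = addr
        self.link_key = link_key  # None for an attacker who never saw the pairing

    def respond(self, challenge: bytes) -> bytes:
        if self.link_key is None:
            return b"\x00\x00\x00\x00"  # no key, so the response cannot be computed
        return auth_response(self.link_key, challenge, self.addr)

    def verify(self, claimant_addr: bytes, challenge: bytes, response: bytes) -> bool:
        if self.link_key is None:
            return True  # an attacker acting as verifier accepts anything
        expected = auth_response(self.link_key, challenge, claimant_addr)
        return hmac.compare_digest(expected, response)


def authenticate(verifier: Device, claimant: Device) -> bool:
    """One legacy authentication round: verifier challenges, claimant proves the key."""
    challenge = os.urandom(16)
    return verifier.verify(claimant.addr, challenge, claimant.respond(challenge))


def establish(initiator: Device, responder: Device, *, mutual: bool,
              role_switch: bool = False) -> bool:
    """Reconnection between previously paired devices.

    mutual=False: only the verifier authenticates its peer, the behaviour the
    researchers observed on every tested device. role_switch=True: the responder
    takes over the verifier role before authentication (simplified model).
    """
    verifier, claimant = (responder, initiator) if role_switch else (initiator, responder)
    ok = authenticate(verifier, claimant)
    if mutual:
        ok = ok and authenticate(claimant, verifier)
    return ok


def scenarios() -> dict:
    bob = Device(ADDR_B, LINK_KEY)
    fake_alice = Device(ADDR_A, None)  # spoofs Alice's address, holds no link key
    return {
        "attacker_initiates_oneway": establish(fake_alice, bob, mutual=False),
        "attacker_initiates_mutual": establish(fake_alice, bob, mutual=True),
        "victim_initiates_oneway": establish(bob, fake_alice, mutual=False),
        "victim_initiates_role_switch": establish(bob, fake_alice, mutual=False, role_switch=True),
        "victim_initiates_mutual_role_switch": establish(bob, fake_alice, mutual=True, role_switch=True),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'connected' if ok else 'rejected'}")
```

Running it shows the attacker accepted whenever it ends up as the sole verifier (initiating, or after a role switch), and rejected in every configuration where the victim also challenges it. That is the difference between the standard's optional mutual authentication and the mandatory form the researchers argue for.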
Turla's using a new ComRAT variant.
ESET discovered a new variant of ComRAT, a remote access Trojan that's been used by the Russia-linked Turla group since at least 2007. The new version of the malware was first spotted in 2017 and was most recently observed in January 2020. Notably, it uses the Gmail web user interface to communicate with its command-and-control server and exfiltrate data, enabling it to evade some security technologies. ESET notes that the group exfiltrates logs from antivirus software to determine if their malware has been detected, which the researchers say indicates a desire to maintain a long-term presence on the infected machines.
ESET has seen the Trojan deployed against two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region. Turla's apparent goal in these incidents was theft of confidential documents. The researchers believe ComRAT is installed "using an existing foothold such as compromised credentials or via another Turla backdoor."
Silent Night builds on ZeuS's code.
Malwarebytes and HYAS have published a report on a new malware family based upon the venerable ZeuS banking Trojan. The new Trojan is called "Silent Night," and its first compilation date appears to have been in late November 2019. It's being sold by its author on Russian-language underground forums at $2000 for a "general build" and $4000 for a "unique build." A fourteen-day trial alone is $500, and buyers can shell out an extra $1000 for hidden virtual network computing (HVNC) functionality. Silent Night's author claims he wrote the Trojan by himself over the course of more than five years and "on average about 15k ~ hours were spent," which resulted in "the ideal banking trojan."
The malware is being distributed via phishing campaigns with malicious documents. The researchers are certain the malware is being used by multiple actors, some of whom are more sophisticated than others, and they "predict with moderate confidence an evolution of the bot from something that anyone with a budget can buy, into a vehicle for one group to conduct banking theft at scale."
Proofpoint researchers on Wednesday outlined their own observations on the malware, which they track as a "ZLoader variant." ZLoader is a generic term used to describe any malware based on ZeuS, but it's also the proper name of one of the most well-known of these variants (also called "Terdot"), which circulated between 2016 and 2018. Proofpoint believes the new variant is likely based on an earlier version of ZLoader/Terdot, rather than a continuation of the version last observed in 2018. The Malwarebytes report has a useful section comparing the new malware to ZLoader/Terdot, and concludes, "Conceptually, it is very close to Terdot, yet rewritten with an improved, modular design. We don’t have enough data to say if the author of Silent Night was previously involved in developing Terdot, or just got inspiration from it. What we can say is that not all similarities among those two come from the common ancestor, ZeuS."
Proofpoint's researchers write that "[s]ince we started observing the new variant in December 2019, it has become popular and widespread. At the time of writing, we are documenting at least one ZLoader campaign per day by a variety of actors primarily targeting organizations in the United States, Canada, Germany, Poland, and Australia." The campaigns are using commonly observed phishbait, such as references to unpaid invoices or coronavirus-related topics.