Sunday 28th July 2024
Aidan Dickenson
Business Development Manager // Tailored solutions to enhance security, improve efficiency, and drive growth.
Good morning, I hope you're all having a great weekend and thank you for joining me for the latest instalment of Cyber Daily.
Today's edition covers everything from a malicious PyPI package targeting macOS users' Google Cloud credentials to China-based hackers phishing Indian iPhone users via text message; the cyber landscape is as turbulent as ever. And if that's not enough, we've uncovered a widespread Secure Boot bypass issue affecting millions of Intel and ARM systems.
Malicious Package Targets macOS on PyPI
Cybersecurity researchers have uncovered a malicious package on the Python Package Index (PyPI) repository designed to steal Google Cloud credentials from specific Apple macOS users. The package, named "lr-utils-lib," was downloaded 59 times before being removed after its June 2024 upload.
The malware first checks whether it is running on macOS, then compares the system's hardware UUID against a list of 64 hard-coded hashes. Only if there is a match does it go after the application_default_credentials.json and credentials.db files in the ~/.config/gcloud directory, transmitting any harvested Google Cloud credentials to a remote server.
Checkmarx researcher Yehuda Gelb highlighted that this targeted approach indicates attackers have prior knowledge of the systems they aim to infiltrate. The campaign also involved a fake LinkedIn profile, "Lucid Zenith," falsely claiming to be the CEO of Apex Companies, suggesting a social engineering component.
This incident follows a similar attack involving the "requests-darwin-lite" package, demonstrating that threat actors are honing their tactics to deceive developers and breach targeted macOS systems, potentially impacting enterprises significantly.
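A defender reading the above will want two things: a way to tell whether a Mac's hardware UUID appears in a published target-hash list, and an audit of the gcloud credential files the stealer went after. The script below is an added example, not code from the article or from Checkmarx; the article does not state which digest the malware applied to the UUID, so several are tried, and the target hashes here are constructed placeholders standing in for the 64 real ones.

```python
import hashlib
import subprocess
from pathlib import Path
from typing import Optional

# Files the article reports lr-utils-lib harvesting from ~/.config/gcloud.
GCLOUD_TARGETS = ("application_default_credentials.json", "credentials.db")

# Constructed placeholders: a real hunt would load the published 64-hash list.
CONSTRUCTED_TARGET_HASHES = [
    hashlib.sha256(b"F1E2D3C4-0000-4000-8000-000000000001").hexdigest(),
    "00" * 32,
]


def hash_candidates(hw_uuid: str) -> dict:
    """Hash a hardware UUID the ways a target list might encode it (assumption:
    md5/sha1/sha256 over the raw, upper- or lower-cased string)."""
    variants = {hw_uuid, hw_uuid.upper(), hw_uuid.lower()}
    out = {}
    for alg in ("md5", "sha1", "sha256"):
        for v in variants:
            out[hashlib.new(alg, v.encode()).hexdigest()] = alg
    return out


def is_on_target_list(hw_uuid: str, target_hashes) -> Optional[str]:
    """Return the digest name whose hash of the UUID is in the list, else None."""
    wanted = {h.lower() for h in target_hashes}
    for digest, alg in hash_candidates(hw_uuid).items():
        if digest in wanted:
            return alg
    return None


def exposed_gcloud_files(config_dir: Path) -> list:
    """List the targeted credential files that exist, with their mode and whether
    anyone other than the owner can read them (bits beyond 0o600 set)."""
    found = []
    for name in GCLOUD_TARGETS:
        p = config_dir / name
        if p.exists():
            mode = p.stat().st_mode & 0o777
            found.append((name, oct(mode), mode & 0o077 != 0))
    return found


def platform_uuid() -> str:
    """Read IOPlatformUUID via ioreg (macOS only; not exercised offline)."""
    out = subprocess.run(["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
                         capture_output=True, text=True, check=True).stdout
    line = next(l for l in out.splitlines() if "IOPlatformUUID" in l)
    return line.split('"')[-2]
```

On a Mac, `is_on_target_list(platform_uuid(), hashes)` answers the targeting question and `exposed_gcloud_files(Path.home() / ".config" / "gcloud")` shows what a process running as the user could have read.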
China-based Hackers Target Indian iPhone Users
A hacking group from China, known as Smishing Triad, has launched text message phishing attacks against individuals in India, using the government-operated postal system as bait. These attacks aim to deceive iPhone users into believing a package is awaiting collection at an India Post warehouse, leading them to fraudulent websites via malicious URLs.
Between January and July 2024, over 470 domain registrations mimicked India Post's official domain, mostly through Chinese and American registrars. Fortinet FortiGuard Labs found phishing messages delivered over iMessage from Apple ID accounts registered with third-party email addresses, such as Hotmail, Gmail, and Yahoo, each carrying a short URL to one of the fake websites.
Stephen Kowski, field CTO at SlashNext Email Security+, noted the evolving tactics of threat actors, now leveraging trusted communication channels like iMessage. This underscores the need for comprehensive mobile Web threat protection to detect and block malicious URLs, even in encrypted messages.
Mobile devices are increasingly targeted by phishing campaigns due to their various attack vectors, including SMS, QR codes, third-party communication apps, and personal email. Krishna Vishnubhotla, VP of product strategy at Zimperium, highlighted the false sense of security among mobile users, particularly on iOS, making them prime targets for phishing.
Users should stay vigilant for unexpected messages, especially SMS or text messages asking them to follow a link. Organisations must prioritise user education on identifying and reporting suspicious messages and implement robust security measures to inspect and mitigate threats in real time.
PKFail: The Secure Boot Bypass Issue
Millions of Intel and ARM-based systems are vulnerable due to a leaked cryptographic key used in the Secure Boot process. The Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust, verifying firmware and boot software during startup. Researchers from Binarly discovered that this key, exposed in a 2018 data leak, was widely used without replacement by multiple OEMs, including Lenovo, HP, Asus, and SuperMicro.
An OEM used the AMI test key for various Intel and ARM-based devices, leading to potentially millions of devices sharing the same compromised key. Because the PK authorises updates to the Key Exchange Key (KEK) database, which in turn governs the Signature Database (db) and the Forbidden Signature Database (dbx), an attacker holding the private part of the PK can rewrite all three and bypass Secure Boot.
Dubbed "PKFail" by Alex Matrosov, CEO of Binarly, this issue makes it easier for attackers to deploy UEFI bootkits, such as BlackLotus, which provide persistent kernel-level access and privileges. The fix involves replacing the compromised key and shipping firmware updates. While some vendors have issued updates, deployment may take time, especially in critical applications like data centre servers.
Binarly developed a proof-of-concept exploit for PKFail, showing how trivial exploitation can be if the device is impacted. Matrosov advises disconnecting vulnerable devices from critical networks until updates are deployed.
Rogier Fischer, CEO of Hadrian, compared the issue to having a master key that unlocks many houses. Since the same keys are used across different devices, a single breach can affect many systems. PKFail highlights poor cryptographic key management practices, a problem persisting for over a decade, as seen in a 2016 incident where Lenovo devices shared the same AMI test PK.
PKFail is a stark reminder of the importance of proper cryptographic key management in the device supply chain. Matrosov emphasized the gravity, likening it to an apartment complex where all locks have the same keys—one missing key creates problems for everyone.
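The practical question for an administrator is whether a given machine still boots under an AMI test PK. The checker below is an added example, not Binarly's tooling or code from the article: it parses the raw PK variable as the EFI_SIGNATURE_LIST array UEFI defines and looks inside each X.509 entry for the "DO NOT TRUST" / "DO NOT SHIP" subject markers the test certificates carry (those marker strings are taken from Binarly's PKFail advisory, not from this article; the sample variable built by `build_pk_var` is constructed so the code runs offline).

```python
import struct
import uuid

# Linux exposes UEFI variables as /sys/firmware/efi/efivars/<Name>-<VendorGuid>;
# PK lives under the EFI_GLOBAL_VARIABLE GUID, prefixed with a 4-byte attributes word.
PK_EFIVAR_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject strings of the AMI test certificates (assumption: per Binarly's advisory).
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data: bytes):
    """Walk the EFI_SIGNATURE_LIST array in a raw PK value and yield
    (SignatureType GUID, SignatureData bytes) for every entry."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = SignatureOwner (16 bytes) + SignatureData.
            yield sig_type, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def check_pk(var_bytes: bytes, from_efivars: bool = True) -> dict:
    """Report how many X.509 PK entries exist and which test-key markers appear.
    Any marker hit means the platform is still rooted in an AMI test key."""
    payload = var_bytes[4:] if from_efivars else var_bytes
    certs = [sig for t, sig in parse_signature_lists(payload) if t == EFI_CERT_X509_GUID]
    flagged = [m.decode() for c in certs for m in UNTRUSTED_MARKERS if m in c]
    return {"x509_entries": len(certs), "markers": sorted(set(flagged))}


def build_pk_var(cert_der: bytes) -> bytes:
    """Constructed sample: one EFI_SIGNATURE_LIST holding one certificate,
    with the efivars attributes word (NV|BS|RT|TIME_BASED_AUTH) in front."""
    sig = uuid.UUID(int=0).bytes + cert_der              # owner GUID + cert blob
    hdr = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return struct.pack("<I", 0x27) + hdr + sig


if __name__ == "__main__":
    with open(PK_EFIVAR_PATH, "rb") as f:
        print(check_pk(f.read()))
```

Run as root on a UEFI Linux host it reads the live PK; a non-empty "markers" list is the PKFail condition and the vendor's firmware update is the remedy.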
Founder & CEO, Group 8 Security Solutions Inc. DBA Machine Learning Intelligence
4 months
This is really helpful.