DragonEgg, Watering Holes, Google Passkeys, and curl – Intego Mac Podcast Episode 313
Posted on
by
Kirk McElhearn
We look at DragonEgg malware for Android, which has a link to some Mac surveillanceware, and is a watering hole. Google is now requiring passkeys for personal accounts. And the curl command line tool has a serious vulnerability that Apple needs to patch.
- About the security content of iOS 17.0.3 and iPadOS 17.0.3
- About the security content of iOS 16.7.1 and iPadOS 16.7.1
- curl 8.4.0 resolves a high-severity vulnerability
- Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware
- Cloudflare, Google, Amazon, Microsoft explain what’s behind the largest DDoS attacks ever
- Apple bows to China, starts enforcing App Store rules
- Firefox tests a built-in checker for fake reviews
- Google will now make passkeys the default for personal accounts
- What are Passkeys, and how do they work?
- Three Individuals Convicted for Laundering Money Stolen from Scam Victims Through Gift Cards
- ‘I felt powerless’: how a crypto scam cost a finance boss £300,000
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Transcript of Intego Mac Podcast episode 313
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, October 12, 2023.
This week’s Intego Mac Podcast security headlines include a look at Apple’s latest security updates for macOS, iOS and iPadOS. Meanwhile, a serious vulnerability with the curl command line tool is waiting for a patch from Apple. DragonEgg is new Android spyware that has a surprising connection to similar iOS surveillance-ware. And Google now requires passkeys by default when users sign into their Google accounts. And that’s a big step forward. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:51
Good morning, Josh. How are you today?
Josh Long 0:53
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:55
I’m doing just fine. You were not far from me last week, were you? You went to a conference in London.
Josh Long 1:01
Yeah, this was actually my first time in the UK. I was giving a presentation at Virus Bulletin in London last week. And it was pretty good. It was a lot of fun. Good conference. This is my second year in a row going to Virus Bulletin. The year before that it was in Prague, and then this year was in London. So pretty cool.
Kirk McElhearn 1:21
A lot of these conferences change venues each year. Some of them like RSA is in Las Vegas every year right. But several of them change venues every year, which makes it easier for people in different countries to attend them.
Josh Long 1:33
Right. My session was titled “Stolen Cookies, Stolen Identity – How Malware Makers are Exploiting the Insecurity of Browser Data Storage.” And I talked about what we’ve discussed in the past on the show about how first of all there’s a lot of Stealer malware, and a lot of it is grabbing cookies off of people’s machines. Usually it’s Chromium-based browsers that it’s targeting. Some of them also target Firefox. But we’ve been seeing this a whole lot on the Mac this year. Stealer malware is just in general becoming a lot more common. And a lot of the Stealer malware, in addition to stealing cryptocurrency wallets, they’re also grabbing things like cookies, which, as we’ve talked about before on the show, allows somebody to basically break into your account and bypass any need to know your password or two factor authentication that you may have set up. It’s a limited period of time because those session cookies do expire at some point. But if somebody grabs those cookies from you puts them on their own machine, generally, that means they can be logged in as you and post on your accounts, if it’s a social media type situation, or potentially get access to other things that they shouldn’t have access to that only you should have access to.
Apple updates operating system software for macOS, iPadOS and iOS
Kirk McElhearn 2:50
Okay, so Apple released a couple of security updates. We’re recording on Wednesday, October 11. They released some updates for iOS 16 on October 10. And for iOS 17 on October 4, and these were some serious vulnerabilities weren’t there.
Josh Long 3:04
Yeah, one of them was an actively exploited vulnerability, meaning that somebody out there, some bad guy was using this against somebody else right to break into their device or infect their device. That one particular vulnerability was a kernel issue that affects basically all iPhones and maybe also Macs too. Apple hasn’t released a patch for it yet. But typically a lot of kernel vulnerabilities, and a lot of web related vulnerabilities are cross platform. So there were two vulnerabilities that were patched again, starting with iOS 17 and iPadOS 17. Last week on October 4, the vulnerability description is a local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6. So that’s the the kernel issue. There was also a web RTC issue, but specifically there’s a video codec that had a vulnerability and so Apple was able to fix that by updating that component to a newer version. Both of these issues affect all iPhones, all iPads. And if you have not yet upgraded to iOS 17 you could get the iOS 16 patch that just came out yesterday as we’re recording. But at this point really you should be upgrading to iOS 17. Because there’s a whole bunch of vulnerabilities that got patched in iOS 17 that are probably never getting patched in iOS 16. So you might as well just upgrade to iOS 17.0.3 at this point.
What version of curl comes installed on macOS Sonoma?
Kirk McElhearn 4:46
Okay, we have a vulnerability in something that most people have never heard of. I say most people, anyone who uses the command line or terminal certainly knows “curl”, C-URL. The name stands for client for URL. It’s an extremely popular tool that’s nearly 30 years old. And you use it to request information from a URL. So you would put curl and then the name of a website to get information. This is widely used in all operating systems. And there are some serious vulnerabilities that have been patched that have not yet been patched on Apple devices.
Josh Long 5:18
Right. Curl is mostly used on Unix based operating systems. But a lot of other third party apps on other platforms may use curl as well. There’s a curl library that can be embedded in other apps. So curl is very, very commonly used. So far, I’ve only seen this patched on one particular app that I use on my iPhone, that’s called TLS Inspector. It’s a really geeky app. But you know, if you want to, like look at information about a particular website certificate, you can use TLS Inspector and they just updated their app today. The new version of curl just came out today. And so they already updated their app TLS Inspector to use curl 8.4.0. Now macOS Sonoma currently has curl 8.1.2, released back in May, May 30. So it’s an older version. And there was one vulnerability that was medium severity vulnerability that was patched in mid September that still hasn’t been fixed for macOS. Kind of odd. Because, you know, why wouldn’t Apple have released a patch by now and now there’s some really bigger issues, because now we’ve got a high severity vulnerability. There’s two vulnerabilities that were just patched in curl version 8.4. So we’re just waiting on Apple. Now at this point, hopefully, Apple will release a patch for this for macOS, within the next week or two. If it takes longer than that, it’s kind of a problem.
What is DragonEgg spyware?
Kirk McElhearn 6:47
You said that curl is mostly used on Unix systems. But the lib curl library is used on pretty much every platform Android, macOS, Windows, Linux, Unix BPOS. Net BSD, Open VM, I mean, there’s a list on the Wikipedia page of all these operating systems, many of which are no longer use. So it’s a really popular tool. And it may be used within third party apps who will call on this when they’re getting information from the web. And this is why a vulnerability like this is so serious. Okay, so here we go again, with the funny names for malware. DragonEgg. We have DragonEgg Android spyware, which is linked somehow to LightSpy iOS surveillance, where I wish there was a better way of naming. I mean, I know they want to have cute names because they stand out but they don’t mean anything. Does this mean that this spyware actually lays dragon eggs on your phone and that they hatch? Like in what was it, Game of Thrones? The dragons hatch, something like that?
Josh Long 7:46
Yeah, DragonEgg sounds like a video game or something, you know, but Sure, but yeah, no, unfortunately, DragonEgg is Android spyware. And the reason that we bring this up is, although we don’t usually talk about Android malware and other things like that. What’s interesting is that apparently this DragonEgg Android spyware, something called LightSpy, which is iOS surveillance, were kind of on the same lines as Pegasus and Predator that we’ve talked about recently. This is malware that basically nation states used to break into people’s devices, including iPhones. And so apparently, this recently discovered Android spyware has ties to this LightSpy. I don’t know if we mentioned it at the time, but LightSpy came to light in March 2020, as part of a campaign that was called Operation Poisoned News. And as part of this campaign, iPhone users in Hong Kong were apparently targeted with watering hole attacks that were used to install this LightSpy spyware on iPhones
What is a “watering hole”?
Kirk McElhearn 8:49
“Watering hole”. Now, you just give us a term here that before the show, we didn’t know what this was. And so I know the term “honeypot”. And I know what catfishing is, but what’s a watering hole?
Josh Long 9:00
The question that you had for me was what’s the difference between a watering hole attack and a honeypot? Basically, the difference is…like I think of a honeypot is something that the good guys are doing to try to catch the bad guys. And a watering hole attack is kind of the opposite of that. But there’s a little bit more nuance to that. A watering hole attack is often where an existing site is now infected. People who are targets of these attacks might frequent a particular website. And now that site becomes infected, and those who frequently go to that site will now potentially get infected because they’re visiting this hacked site or infected site.
Kirk McElhearn 9:37
Right. So they’re assuming that it’s a safe site, and maybe they’ve already entered credentials to log into a site, but someone’s taken over the websites like squatters taking over a website, and then they can do what they want since you’re trusting them.
Josh Long 9:51
Right. So that particular LightSpy campaign back in 2020, was used to infect iPhones and so LightSpy is yet another one of these things just like Pegasus and Predator that we’ve talked about. And there’s others as well. It’s good to know that there is this surveillance-ware this spyware that can infect iPhones, we often think of iPhones are kind of impervious to malware attacks, right? Like there’s no malware for iPhones. Nobody ever talks about that. But in fact, there is malware out there for iPhones. It’s just usually it’s like nation state installed spyware. That’s the kind of thing that is more of a threat right now on iPhones.
Largest distributed denial of service attack to date targets major tech companies
Kirk McElhearn 10:31
So the internet has experienced the largest distributed denial of service attacks ever, I believe this was in August and September, this affected CloudFlare, Google, Microsoft and Amazon and Google says that they had over 398 million requests per second. Now think about that 398 million requests every second. They don’t say how long this lasts and we’ll link to an article on Google’s Cloud Blog where they discuss this and explain how it works. And it’s actually quite fascinating, the technique that was used for this denial of service attack.
Josh Long 11:05
Right, so they were able to exploit a zero day vulnerability in the HTTP/2 protocol. This vulnerability is dubbed HTTP 2 Rapid Reset. And you know, when you have a protocol level vulnerability, it’s kind of a big deal, because protocols kind of have to be supported by everybody, right? In order for them to function properly, it’s not like software, where you just release a patch, you install the new version, it’s got the new patch, and you’re just fine. Protocol vulnerability’s kind of a big deal, because now you’ve got all kinds of things that need to be updated, and everybody has to update them in order for it to be fixed across the board. Now, something like this denial of service attacks have been around for a long time. Distributed denial of service attacks are where you have a whole bunch of endpoints, they might be bots, they might be computers, or devices that are infected and being controlled by a bot master, right, somebody who’s sending forth this army of infected devices to all issue the same type of query or command at one particular target to try to flood it with requests that are going to take it offline. And that’s the whole idea generally behind a DDoS, or distributed denial of service attack. And this new method was unbeknownst to all of these big companies. And so now all of a sudden, within the past couple of months, August and September, they’ve been hit with these really big attacks. And so they’re figuring out how to mitigate these attacks. So they won’t be as big of a problem.
Kirk McElhearn 12:43
So this record of 398 million requests per second beats the last record in 2022, of about 46 million requests per second. So this is six times as large, it’s important to point out that no one was attacking the Cloudflare website, the Google website, or the Microsoft, Amazon website, what they were attacking is the elements that these companies use to protect other websites. So Cloudflare is just a service that is between users and websites to filter traffic, Google, Microsoft, and Amazon all have cloud infrastructure that they’re protecting the same way. We don’t know if this DDoS was targeting individual websites, multiple websites, or just these providers in order to bring them down to access something we have no idea why these attacks are made. And none of the companies said who the attacks were directed against.
Josh Long 13:34
One thing that I think is really worth pointing out here is that when you’ve got these record setting DDoS attacks, these are not script kiddies. In other words, these are not kids, or, or small groups who have infected a bunch of devices and are just directing them all to attack a particular website. If you’re talking about these record scale attacks, these are very likely to be nation state level attacks, like some somebody with a lot of money, a lot of resources is involved in these attacks. That’s why this kind of thing is kind of a big deal. First of all, they’re using a zero day vulnerability, and there’s a record number of requests.
Kirk McElhearn 14:13
Okay, we’re gonna take a break, we’re gonna come back and talk about some more news.
Voice Over 14:19
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection a
China imposes strict identification requirements on developers selling apps on the App Store
Kirk McElhearn 15:35
Okay, Apple Insider has an article explaining how Apple is bowing to China and starts enforcing App Store rules. Now in China, you’re not allowed to use certain apps. And they’re very strict about what can be sold in the App Store. And for a while Apple was saying well, we’re Apple and we’ll sell what we want. But you know, Apple doesn’t have a choice any big company selling things in China, they do have to toe the line.
Josh Long 16:00
China has this process that developers are have to go through now. They have to submit their internet content provider ICP filing, whenever they’re submitting new apps to Apple in order to comply with Chinese law. They are now requiring developers who submit their apps for the App Store in China to fill out this form, this filing. This went into effect in September. Apple wasn’t initially complying, they were kind of trying to work this out with with the Chinese government. Now they’re in compliance apparently. So far, this only applies to new app registrations. But if somebody wants to submit an app that’s never been in the App Store in China, they have to apply for this approval. But the second stage of this is that existing apps also have to submit to this filing. And they have until March 2024 to do that. So what this means is that things like VPN apps and social networks and other things like that, that the Chinese government doesn’t want in their country, are very likely to be soon removed from the App Store in China specifically, meaning that you probably won’t be able to get Facebook, you probably won’t be able to get your VPN apps. If you currently have them installed, you might be able to keep them but they won’t get updates, that could be a problem. Now, there are other ways to use a VPN. It’s just tricky. iOS does have a thing built in. If you go in the Settings app and go to VPN, if you scroll down to the bottom, you have an option to add VPN configuration, you can do this manually. But the problem is you have to put in a server. So that means you have to either have an IP address or domain name. And guess what, the Great Firewall of China is very likely to be blocking those things. So you have kind of a chicken and egg and or cat and mouse kind of thing going on where you’ve got to, if you’re trying to use a VPN in China, you’ve got to try to stay ahead of the game or just comply with the law and don’t use a VPN potentially problematic for people who want to stay off the radar in China.
Firefox plans to build fake product reviews detection into its browser
Kirk McElhearn 18:18
So we’re coming up to Black Friday. In fact, as we speak, it is the second of Amazon’s prime days in October. Do they do this every month now Amazon Prime days it feels like it. But we’re coming up to Black Friday. And we have over the years talked about how to shop safely on Black Friday. And one of the things we’ve talked about is how to check to see if reviews on a site like Amazon are fake. And there’s a service we recommend called fake spot. Firefox is testing a built in tool to check for fake reviews using technology from Fakespot. And this is actually I don’t use Firefox. But I can imagine that if I plan to do some Amazon shopping and they have this built in. I might actually want to use it.
Josh Long 18:59
Yeah, it’s kind of cool. Firefox is not necessarily my main browser, but it is one of the browsers that I use. I like this idea. I do want, I don’t because every time that they add new stuff to a browser, it just makes it more complicated. The download is going to be bigger, it’s going to use more RAM. In that element of it. I don’t really like but I do like the idea of Firefox trying to be more proactive in protecting users from potential scams. This is a big issue, right? This is not like phishing sites where some website is trying to steal your login information. This is a different thing. But it’s also something that a lot of people don’t really know how to mitigate these kind of attacks. People trust Amazon. Do you trust the review process? You see, oh, this has five stars Great. That means it’s a trustworthy product. And people don’t generally know that. This is something that can be abused and is frequently abused on sites. like Amazon,
Kirk McElhearn 20:01
it’s worth pointing out that Fakespot has extensions for Chrome and Safari. And they have iOS and Android apps. But I’m not really comfortable installing a bunch of extensions in Safari. I mean, you could turn them off when you’re not using them. But that’s a headache. I kind of like the idea of having a browser for something specific like this.
Josh Long 20:19
I actually brought this up in my talk last week, the whole concept of whether it’s such a good idea to install extensions. And one of the things that we’ve seen earlier this year, one of those cookie stealing malware that was actually cross platform was something that was called fake GPT. And this showed up in the Chrome Web Store, where if you had searched for, say, ChatGPT, you were looking for some ChatGPT related extensions for Chrome, you may have come across one of these sorts of fake extensions that may have even had some functionality, like it’s possible to have something that does what it claims to do, but also has some malicious functionality. Fake GPT would steal Facebook cookies, specifically from your browser. And so you’ve got to be really careful when you’re installing extensions. A lot of people just install extensions, trusting that Chrome Webstore is going to be giving them something legit. It’s just like the same concern that we have about the App Store. Where, you know, a lot of the stuff that Apple vets and is available in the App Store is just fine. Every so often, there’s apps that slip through, there’s a couple of researchers who have been finding a whole bunch of loan apps that have been scams recently, we’ve talked about this on the podcast, bad stuff can get past human review, be very careful when you’re installing extensions, use as few extensions as possible. You only use the ones that you feel you really need and can’t live without. So you might have, for example, a trusted ad blocker, something that’s been around for ages is developed by an individual who is not likely to sell his product out. Because that’s another concern is sometimes these popular extensions get bought up by a threat actor, right. And so you’ve got to be really careful about these things.
Kirk McElhearn 22:17
So when that happens, does the extension become a watering hole?
Josh Long 22:20
Yeah, I guess you could look like that. Yeah, it now is a problem, because you’ve already got some existing extension that’s on everybody, you know, on all these, sometimes a quarter million or more computers. And if that extension now gets automatically updated to the latest version. And unbeknownst to you, that new version is developed by somebody else who’s added some malicious functionality that the Google Store didn’t catch. He might end up with an infection on your device, all because you had an innocuous extension that now got updated, and now it’s malicious.
Google now requires account log-ins using passkey
Kirk McElhearn 22:58
Okay, so while you were just talking in that last segment, I went to my Google account, I signed out and I signed in. And for the first time, Google said, We want you to sign in with a passkey. Google is making passkey is the default for personal accounts. And this started on October 10, the day before we started recording. And we haven’t talked about past keys much recently, we did a lot about them early in the year when they started rolling out. The process is really simple. You go to sign in Safari shows a little dialog says do you want to log into your passkey. And now I’m on an iMac with a touch ID keyboard, and it says, you know, fingerprint boom, it’s done. So I’m signed into Google with the passkey. I no longer have a password, although there’s probably a way to use the password if something breaks. And for a while, there’s a lot of overlap with this. I think passkeys are here to stay if companies like Apple are supporting if Google is requiring them. I think we’re going to see them a lot more often. Now.
Josh Long 23:52
We’ll have a link in the show notes to an article that Kirk wrote a while back about passkeys and what you should know about them. Kirk’s article is titled What are past keys and how do they work. And by the way from the Ars Technica article, Google describes past keys in this way, past keys are a new way to sign into apps and websites. They’re both easier to use and more secure than passwords. So users no longer need to rely on the names of pets birthdays, or the infamous password 123 course, you should never have been using any of those things anyway, and your passwords, but they say instead, passkeys let users signing to apps and sites the same way they unlock their devices with a fingerprint, a face scan, or a screen lock pin. And unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one time code. So basically, they’re using your device and your biometrics as a way to give you access to those resources. Which is better than having to input a username and password which you know, obviously other people can get access to if somebody keystroke logs you or other things, they can get that information from you. But if you’re using passkeys, that’s not something that can be easily stolen from you were defeated in the same way that usernames and passwords can be.
Scammers manage to trick victims into purchasing 2.5 million dollars in gift cards
Kirk McElhearn 25:15
Okay. So here’s the story. And this comes from the US Justice Department, a press release entitled three individuals convicted for laundering money stolen from scam victims through gift cards, you get these calls of someone who says there’s something wrong with the computer or whatever. And it’s in a noisy call center, and they’ve got an accent, you’re trying to figure it out. At some point, if one of these people tells you to buy a gift card for target, would you think that’s normal? I mean, this is two and a half million dollars worth of gift cards, I don’t know if they were all for target. And they explained that they have a team of what they call runners and the runners get the gift card numbers, and they go to Target in one case, as quickly as 13 minutes after the victim purchase the cards, they buy a lot of consumer electronics things that they can resell easily. I’m just trying to understand who would get tricked into buying a Target gift card, because I don’t know, they’re tricked to say that they’ve got a virus on the computer. And in order to get rid of the virus, you’ve got to buy a Target gift card and give me the code. I just don’t see the…
Josh Long 26:19
Right like, how does that happen? I don’t know. But we wanted to make sure to bring this up. Because I know a lot of people I have relatives even who have fallen for, you know, telephone scams. And you may not realize until you get to a certain part in the process that this is a scam, right that somebody’s actually trying to trick you. Hopefully, you realize it by the time you get to the point where somebody’s asking you to go and purchase a gift card from Amazon or target or whatever it might be. But you know, a lot of people don’t really know and they’re concerned maybe, you know, they’ve been told that their account is, is vulnerable, and they need to go through this process. And for whatever reason, the call center claims that they need you to pay them to move forward so they can assist you with this problem that you’re experiencing. But be very careful anytime that somebody is asking for it. And it’s not even necessarily just gift cards, it could be other things too. There’s other types of money cards and things like that. So always, always be really careful. And this should set off a red flag for you. Even if you know this, and you understand this, this is a good thing to share with relatives of yours too, who might be more susceptible to these kinds of scams, who may not be as tech savvy as you are.
Kirk McElhearn 27:40
If you’re an Apple user, and you ever have Apple support, and they ever asked you to buy an Apple gift card. Just don’t do it. I mean, it’s gotta be a scam. It’s someone who calls you not you calling them so don’t buy gift cards for anyone. I want to link to an article in The Guardian, which was just yesterday, “‘I Felt Powerless.’ How a Crypto Scam Cost a Finance Boss 300,000 Pounds.” This was an investment manager who handed over his life savings to someone in a crypto scam. Now, I don’t want to be that guy, but anyone who thinks they’re gonna make a fortune from cryptocurrency is opening themselves up for scamming. Okay, that’s enough for this week. Until next week, stay secure.
Josh Long 28:18
All right, stay secure.
Voice Over 28:21
Thanks for listening to the Intego Mac Podcast—the voice of Mac security—with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
