A hacker group known as Wicked Panda experiences its own data breach of collected data. What exactly happens when the hackers get hacked? The US Department of Justice quietly shuts down Russian malware installed on US routers. The Signal messaging app introduces usernames to replace phone numbers in its latest beta. And Apple is giving the Music app the ability to import your playlists from Spotify.
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, February 22, 2024.
This week’s Intego Mac Podcast security headlines include: a hacker group known as Wicked Panda experiences its own data breach of collected data. What exactly happens when the hackers get hacked? The U.S. Department of Justice quietly shuts down Russian malware installed on U.S. routers. The Signal messaging app introduces usernames to replace phone numbers in its latest beta. And Apple is giving the Music app the ability to import your playlists from Spotify. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:51
Good morning, Josh. How are you today?
Josh Long 0:53
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:54
I’m doing just fine within the limits of lots of rain in the part of England that I am in these days, it just rains and rains and rains. And sometimes you get water that leaks in some place. Which brings us to our first story about a data leak. See how I did that? Wasn’t that clever? Very clever. Yeah. This one’s interesting, because we’ve had data leaks that we’ve talked about recently; 23andMe, for example, had a big data leak. But this is a data leak of data from hackers.
Josh Long 1:23
Right, there was a threat actor that’s known as APT41, or Wicked Panda. And apparently they had a big data leak. So a lot of information about the malware that they’ve been using for the past couple of years has gotten out. And so some of the interesting things, there was some macOS malware that there was some information about. Apparently, they also have an iOS RAT, a remote access Trojan that supposedly is able to steal data from iOS devices without jailbreaking. Although that particular bit of information comes from a couple of years ago, actually way back in 2020, so almost four years ago at this point, so it’s not really clear that they can still exploit iPhones and iPads the same way without jailbreaking. But at least they apparently had the capability to do this at some point. So it’s just data. It’s—that’s out there. But it’s kind of interesting to see that, you know, even the threat actors can get breached. And sometimes we can learn some interesting things about threat actors, even from data leaks.
Kirk McElhearn 2:29
So some of these vulnerabilities we are talking about could have been patched already. But there could be others that aren’t patched. And so you can imagine that vendors like Apple are looking into this and thinking, well, if they can do this, we need to look at the vector that they’re using to patch it.
Josh Long 2:45
Right. Exactly. Yeah. So I’m sure that Apple is very carefully analyzing all of the leaked information and making sure that all these vulnerabilities that have been exploited have been patched.
Kirk McElhearn 2:54
Okay, so LockBit ransomware. This is one of the more widely exploited ransomware strains that has been attacking all sorts of companies and hospitals and schools and things like that. And we have an article in BleepingComputer saying it was disrupted by a global police operation. That’s good, isn’t it?
Josh Long 3:13
Yeah, this is a great thing. And LockBit is mostly associated with Windows; most of the time, when you hear about it in the news, they’re talking about Windows machines that have gotten hit with LockBit ransomware. But it was worth mentioning, just because last year in April, there was a LockBit variant that was discovered for macOS. Now, it wasn’t found in the wild. So it’s not really clear whether this was just an experimental bit of malware that somebody uploaded to a multi-engine virus scanner, and maybe hasn’t actually been distributed in the wild. But at least we know that there was some variation of LockBit that was being developed for macOS. And so the feds have done the work to get LockBit shut down. And so this is a good thing.
Kirk McElhearn 4:01
This ransomware has gotten a lot of press here in the UK, because the British Library was attacked with LockBit malware in October. And the library has been basically brought to its knees; no one can access its catalogs or digital archives, and they still haven’t resolved the problem. If this ransomware is shut down the way it just has been, it doesn’t mean that people who’ve been attacked by it are going to get back their files.
Josh Long 4:23
Right, right. Unfortunately, the damage has already been done. So there’s not much that people who have already been attacked can really do other than rejoice in the fact that the feds have taken a big step against ransomware in general.
Kirk McElhearn 4:36
Not just the Feds. This was a worldwide operation. So a number of countries were involved in this.
Josh Long 4:41
Right, and this is usually how it works. And a lot of times the headlines will say, for example, “the FBI shuts down,” but it’s pretty much always going to be international law enforcement agencies working together, including Europol and many, many others.
Kirk McElhearn 4:57
Okay, so we talk about fake apps that have been on the App Store. Just last week, we talked about a fake app impersonating LastPass, which is a password manager. And we have a new one that appeared in the App Store. It is a fake Rabby Wallet cryptocurrency app. Now, Rabby Wallet doesn’t mean anything to me. Do you know what this is?
Josh Long 5:16
I hadn’t heard of them before. But apparently this is a cryptocurrency wallet app that, interestingly enough, they actually say that they had submitted their legitimate real app to the App Store. And somehow a fake wallet app that used their name got put into the App Store first. And so many people had downloaded this app. And several people had reported that they actually lost money; one person reported they lost $5,000 worth of cryptocurrency, because they trusted this app and they thought it was the real Rabby Wallet app.
Kirk McElhearn 5:55
You know, there’s an easier way to lose $5,000 in cryptocurrency: just buy $5,000 worth of cryptocurrency and watch it go down? (Yes.) Speaking of the feds, they had been busy in US homes and businesses removing Russian malware. The thing is, they didn’t tell anyone. So they hacked into people’s routers to remove Russian malware. And we don’t know if they left anything behind and installed anything. What do we know about this? This seems like they’re going a bit too far here to hack into people’s devices and not tell them.
Josh Long 6:29
Okay, I’m going to give them the benefit of the doubt and assume that they did not leave behind any malware on US-owned devices…
Kirk McElhearn 6:37
Or backdoors. Or any kind of, you know, surveillance things. Come on. It’s possible.
Josh Long 6:43
Okay. Okay. So I’m gonna say, let’s, let’s give them the benefit of the doubt on this. But yes, it is kind of concerning, right? Because like, does one hack justify another hack? Because it’s not really unhacking; it’s like, you have to hack again to undo the malware that some bad guys put on your device. So okay, to back up a little bit. More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware, according to Ars Technica. And apparently these come from the Russian hacking group Fancy Bear. So the Fancy Bear threat actor group hacked a bunch of US-based homes and small businesses that had these Ubiquiti brand routers, and then the FBI came in and hacked them again to remove the malware. That’s the story.
Kirk McElhearn 7:29
Okay. 1,000. That’s not an awful lot.
Josh Long 7:31
No, it’s not. I’m actually surprised that the number is not a lot larger than that. And that kind of makes me wonder if, like, this was a very targeted campaign to remove malware from specific organizations. I find that very puzzling, because I would think that a lot more than 1,000 infected devices exist in the US, because Ubiquiti is a pretty popular router brand.
Kirk McElhearn 7:54
At least among businesses. Not too many home users have them. But if I had a Ubiquiti router, I might want to change it for something else now that the feds have been there. Okay, I’m just saying, I’m just saying you can’t trust everyone, right? As you say, they hacked to get rid of a hack. But who knows if they didn’t leave some other way to hack in again, if they need to get into another hack. It’s like, who’s watching the hackers?
Josh Long 8:21
By the way, regular reminder, make sure that you check for updates on your router, because most people don’t do that. And it’s kind of important to do that. Because you don’t want Fancy Bear putting some malware on your router.
Kirk McElhearn 8:34
Definitely don’t want Fancy Bear. And I don’t want Wicked Panda either. I mean, we’ll talk about these names. At some point, we should make a campaign to create a national update the firmware on your router day.
Josh Long 8:46
Yeah, I actually like that idea. You know, it’s funny, because we wouldn’t necessarily have to do that if they updated on their own. But unfortunately, most routers don’t do that. So we need to get to a point, I think, where routers update on their own. When you’re setting it up in the first place, you pick: let’s say I’m never awake on Sundays at 3am. That would be the perfect time for you to check for updates and install them if they’re available. Like, why don’t we just have that be part of the setup process for new routers? That seems like it’s such a logical, easy thing to do. And yet most routers don’t do anything like that.
Kirk McElhearn 9:24
Well, if you think of devices like an Apple TV, right, most people leave that to update automatically. And I’m sure that it’s going to update when it’s not in use. And it knows that two in the morning, three in the morning. Well, you might be watching TV at three in the morning. But it knows specific times that it can do it. And lots of devices you can set to automatically update work with that sort of thing. If you set an Apple device like an iPhone to automatically update, it’s going to do it at some time during the night, but it’s only going to do it when it’s on charge. That’s important. Now a router, of course, is going to be plugged in, so you don’t have to worry about that. We have two stories about secure messaging. One is interesting. One is really interesting. So the first one is that Signal, the instant messaging service, is now allowing you to create usernames. I mean, this is groundbreaking, an instant messaging service, it lets you create usernames. I mean, didn’t AOL do this in 2003? Or something? I see what you’re saying here.
Josh Long 10:19
But hang on, let’s take a look at the positive side of this. Okay, so Signal, yes, for a long time, that’s been the major complaint about Signal: in order for someone to send you a secure message through the Signal platform, they had to know your phone number. And if you don’t want to give out your phone number, well, then you’re out of luck; you’re gonna have to use some other messaging app. So what Signal is doing now, and this is only available for those who are using the beta versions of the app, there’s an iOS beta version, but it’s not really available anymore, they’ve already hit the maximum number of beta users for the iOS version. Apple has a limitation on the number of people that you can have beta testing your iOS app publicly. But you can download the Mac version of the Signal app if you want to try out this new feature. By the way, one other thing that’s a little bit annoying about this whole username thing is you don’t really get to pick the username that you want; you get to pick the first part of the username. And then the second part of the username is a dot followed by two numbers that are randomly generated. So unfortunately, I can’t be @JoshMeister, I have to be @JoshMeister.07 or whatever number they happen to assign to me. So that’s not great. And then the other thing that people are really complaining about with this is you still have to have a phone number to sign up for the service, which, you know, not everybody has a phone number. Most people do. But you know, some people are a little bit upset about that as well.
Kirk McElhearn 11:51
Well, it’s kind of hard to use computing software without a phone number these days. Because either you’re using it for your username or using it to get two-factor authentication codes. And if there’s no alternative… some services give you an option for telephone and email for two-factor authentication codes. Couldn’t Signal let you sign up with an email address instead of a phone number as a username? I mean, it seems like the options are there. Most people have email, most people have phone numbers. I think usernames are better, because I would rather not publicly give out that information. But I don’t even use Signal. So then
Josh Long 12:27
Well, you might be happy about this next story, because Apple just announced that they are coming out with a new encryption protocol that’s being used with iMessage. It’s going to make it even more secure than Signal they say.
Kirk McElhearn 12:39
It is the new state of the art in quantum-secure messaging at scale. Now, I’m a pretty intelligent guy about computers. And I read through this article, and there are so many words that, like, the individual words I understand, but the way they go together makes absolutely no sense. So this is about quantum computing: Apple has created an encryption protocol to prevent quantum computers from decrypting and reading iMessages. And if you think about this, well, there’s two things going on. It’s like, what’s Apple hiding from us? Are we going to get the Quantum Pro, the Apple Quantum Pro, this year at the Worldwide Developers Conference? But the other thing is quantum computers exist and are not very common. And they may be used by nation states who want to intercept messages between certain people that they don’t like. And you can imagine some nation state has a quantum computer and they’re messing around, they figured out a way to get into iMessage encryption, which makes me think that someone has figured out a way to crack iMessage encryption using quantum computing.
Josh Long 13:39
Well, or they’re just trying to get ahead of the game. So, and if all this talk about quantum computing is confusing to you, basically, this is just futuristic computing technology. There are some examples of this that exist. But the fear in the security industry in general is that quantum computing is going to make it possible to crack encryption very easily in some cases. And so we’re trying, as an industry, to shift to more quantum-resistant encryption protocols. And so that’s what Apple’s doing here, basically. Now, what’s kind of interesting about this is that they say the techniques that they’re using, they’re starting out with something very similar to what Signal currently does, but they’re tacking on an additional rekeying aspect to this whole system. And they say that that’s what makes it possible for them to be even more secure than Signal. So Apple is claiming iMessage is now better than everything out there and you should just stick with iMessage; you need an iPhone if you want secure messaging.
Kirk McElhearn 14:40
Okay, we’ll link to Apple’s article on their security research blog. I’ll also link to an article on the Intego Mac Security Blog that I wrote a couple years ago about quantum computing, about what the idea of quantum computing is. And as with anything about quantum anything, it was out of date very quickly. So take it as an introduction. I’m sure that things have changed a great deal, given the increases in computing power that we’ve seen. I think it’s pretty cool. I think that Apple didn’t really publicize this; they didn’t publish a press release on their Apple Newsroom site. They didn’t keep it quiet. But they didn’t come out and communicate this. We’re probably going to hear more about this at the Worldwide Developers Conference in June.
Josh Long 15:18
They did put up a blog post about this on security.apple.com. If you want to look at all the technical details and see their charts and things like that, and who peer reviewed this. By the way, that’s another important point: usually when a random company, especially one that you’ve never heard of, claims, “we’ve developed a new encryption protocol,” that’s usually a big red flag. But this is obviously a big company. And they say that they’ve gotten peer reviews from a number of professors that are named in the piece. And they say that although it’s not open source, which can also be a red flag, they say that “we have had a third party carefully review our source code” to check for any possible flaws that there might be. So you know, I think that some hardcore cryptographers are probably going to look at this and raise an eyebrow. But it does sound overall like they’re doing a good thing and moving iMessage encryption to a better place than it was before. And by the way, they also mentioned that in the future, they’re going to add another layer on top of this to further protect against quantum computing decrypting their encrypted messages. With PQC authentication, they say, that’s the next step coming in the future sometime.
Kirk McElhearn 16:33
Okay, we’re gonna take a break. When we come back, we’ve got some really interesting Apple news and more.
Voice Over 16:40
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego: world-class protection and utility software for Mac users, made by the Mac security experts.
Kirk McElhearn 17:57
So one of the most important bits of Apple news this week is that Apple has a document saying don’t put a wet iPhone into rice. Now, I don’t know about you, I have always heard that if your phone falls in water, put it in a bag with rice, that the rice would absorb the humidity. This is like one of those things that just everyone knows. I don’t know how; I guess we learned it in kindergarten. And you know, it’s just been in the zeitgeist forever. And well, Apple has a support document that says don’t do this, because small particles of the rice can get into the phone. So on the phone, there are a couple of areas that this could happen. One is the USB or the Lightning jack on the phone, but also the speaker vents on the phone.
Josh Long 18:38
I would have been worried a little bit about rice kind of maybe scratching up the surface of the phone, but they don’t really say anything about that. Now Kirk, you had an interesting idea. You said, you know what, there’s a whole bunch of products that come with those little silica gel packets that can absorb moisture, so maybe you just collect a whole bunch of those and stick them in a baggie, right, and then when you accidentally drop your iPhone into water, you just stick your iPhone in the baggie that’s got all the silica gel packets in it. I guess that could work, exactly.
Kirk McElhearn 19:08
I always throw them out. But I’m going to start collecting them now, just in case. You can buy silica gel packets on Amazon. I looked on Amazon UK; you can get 50 for about five pounds. You might want to do that to have some in case. Apple explains that you should not dry an iPhone using an external heat source or compressed air. Compressed air, that comes in a little, like, a spray paint bottle; that would blow the water into the device and not out of the device. Do not insert a foreign object such as a cotton swab or paper towel into the connector, because that could get stuck as well. Do not put your iPhone in a bag of rice; doing so could allow small particles of rice to damage your phone. Instead, tap it gently against your hand with the connector facing down. After at least 30 minutes, try charging with a Lightning or USB-C cable. And if you still get the warning, then that means there is liquid in the connector or under the pins of the connector. Apple just says leave it in a dry area with some airflow for up to a day. You know, the water, it’s going to evaporate unless you’re, I don’t know, by a swimming pool or something; they say it might take up to 24 hours to fully dry. What I would suggest: I happen to have a dehumidifier at home. And if you have something like that, you can set up the iPhone so the air of the dehumidifier is blowing onto it. And that might make it a little quicker. Not too close, because that’s like the compressed air. But you want to create a not-too-humid environment. I just find it interesting that this is something that everyone knows, that if you get a wet iPhone, you put it into a bag of rice. And what prompted Apple to issue this new document? Maybe they were having lots of problems with iPhones that had rice stuck in them. In other Apple news, a new Apple Music beta is trying out a new feature for importing Spotify playlists. Now, this isn’t a big deal. But for some people who want to switch from one service to another, it can be useful.
There have been third-party apps that can do this sort of thing well, but not perfectly, in the past. We’re old enough to remember Apple’s Switch campaign, and they set up all these ways for people to switch from Windows to the Mac. I guess this is similar. Is Apple planning that a lot of people are going to give up Spotify in the near future? I don’t know. If you are a Spotify user and you want to switch to Apple Music, you might want to try this out. If you have an account with Spotify and Apple Music, you might want to import your Spotify stuff. Let’s say you pay for Apple Music, because there’s no free account, and you have a free Spotify account; you might want to import your library and playlists so you can check it out. We’ll have a link in the show notes.
Josh Long 21:29
Right now, this is only available in the Apple Music beta. But Apple actually does have something kind of along similar lines in the Google Play Store on Android; they have an app called Move to iOS. This is an official Apple app. And so they’ve already got kind of a history of helping people to migrate from other platforms onto their Apple platform, so I actually think this is a great thing. And if you’re looking for an excuse to leave Spotify for whatever reason, then hey, Apple’s happy to have you.
Kirk McElhearn 21:58
Okay, VoltSchemer, it’s a good name. Every week we have some new malware with some new interesting name. VoltSchemer, it sounds like, I don’t know, Boris and Natasha, they’re doing a volt scheme. Two things that VoltSchemer can do. The first is to use wireless chargers to fry phones, to actually set them on fire. And the second is to inject voice commands. Now, if they’re going to damage your phone, the only scenario that I could come up with is the evil maid scenario, because the maid has to do something to the USB port in the wall of the hotel. And this fries the phone, Tom Cruise is in the next room and Simon Pegg’s in the phone store downstairs, someone has to replace their phone. And Simon Pegg gives him the phone that’s got the backdoor or whatever. If this sounds a bit ludicrous, that’s because this sort of attack isn’t very useful in reality. Now it does say that it can inject voice commands, and I guess it’s somehow vibrating through the wireless charger, like a Qi charger. I’m not sure how that works. A good idea to make sure that Siri can’t do anything when your phone is locked.
Josh Long 22:58
Okay, yeah. So to be clear, this isn’t malware. This is an academic research paper, and they came up with a clever name that kind of sounds like malware, like VoltSchemer. Oh, that sounds terrifying. What is VoltSchemer? But it’s just an academic attack. So the reason why this is not very practical in a real-world scenario is because basically, the bad guy has to maliciously modify the USB port on the wall that you’re plugging into, assuming it’s on the wall. You know, if they’ve got physical access to the wall, well, they could just put a malicious charger in there in the first place. So like, it doesn’t really matter all that much that this works with all these commercial off-the-shelf chargers, does it? And even then, what are they going to do? The worst that they can do is they can overheat your phone? Oh, my gosh, they could burn your phone? Well, guess what? That could also be done if they had physical access to your phone, right? I mean, you have to have physical access at some point in this process. And that’s kind of what makes this mostly a non-story. The one thing that is kind of interesting is the fact that they were able to apparently deliver these inaudible voice commands. You might remember that years ago on the podcast, we talked about something called DolphinAttack, where these out-of-human-hearing-range voice commands were being issued to devices. And so you could, for example, invoke Siri and get it to respond to something that a human ear could not hear, could not perceive.
Kirk McElhearn 24:34
What would you say to do that?
Josh Long 24:36
“Hey, Siri.”
Kirk McElhearn 24:37
Yes, yes, that’s what I’m talking about. Actually, you don’t have to say any more; you can say “Siri” in iOS 17. I just want to push back on your physical access, because if it is an evil maid attack, the evil maid could do something to the USB port before someone checks into their room.
Josh Long 24:54
You know, it’s funny, because even before the show we were trying to, like, think through scenarios, like what right combination of circumstances would make sense where Tom Cruise and his cronies could somehow, you know, use this flaw or this academic research to destroy somebody’s phone and maybe trick them into, “Oh, shoot, I need to go get a new phone.” And so they go to the nearest phone store. And oh, Simon Pegg is working there. And it seems like way too many steps. It seems far too complicated.
Kirk McElhearn 25:28
But this is the problem with all these proof-of-concept attacks. That, yes, it can happen. But no, it’s very rare that anyone would be able to exploit it. And again, the voice commands part is interesting; that could actually have some sort of an effect. But burning the phone, it’s just annoying.
Josh Long 25:45
The voice commands, part of it is at least a potential privacy concern, because you can potentially ask Siri some things that could reveal information about you maybe about your contacts, or various other things like that. So that’s the part that okay, there’s a little bit of a privacy angle there.
Kirk McElhearn 26:05
Well, you could have Siri send a message to someone, and you dictate the message, and then that person would think the message is coming from you, instead of the attacker. So it could have a very important effect. Alright, we want to talk about two browser stories here. Mozilla Monitor Plus is a new tool that will automatically remove your personal information from data broker sites. I don’t believe it. Why are data brokers just going to listen when Mozilla comes and says this person wants his data removed from your site? So
Josh Long 26:34
Mozilla does have a free version of the service called Mozilla Monitor. But now, Monitor Plus is actually a paid service. And I don’t think it’s probably worth paying for that.
Kirk McElhearn 26:47
Okay, DuckDuckGo has an upgrade to their browser, which allows you to privately sync your bookmarks and passwords across devices. This is interesting, because it syncs from one device to another; it doesn’t sit in the cloud, if I understand correctly. When you go to sync, it sends from one device, which has data saved in DuckDuckGo, to the other device. It’s not like each device is connecting to the cloud. So it’s a bit more secure. DuckDuckGo points out that this also includes any bookmarks and passwords that you’ve imported from other browsers. And this can be useful if you use multiple browsers, and you want to put all this data into DuckDuckGo.
Josh Long 27:24
The cool part about this is that DuckDuckGo never sees your passwords or your bookmarks. And it works with a QR code. So from one device, you scan the QR code, and now you’ve got access to that same data on your other device. So it’s a great alternative to these cloud syncing platforms. Google does this, and Microsoft does this. Really, I guess even Apple does this too. So this is another approach to it, where that data is not going to reside on some server owned by DuckDuckGo. So that’s kind of cool. I like the idea behind this. And if you’re very privacy conscious, then this might interest you, too.
Kirk McElhearn 28:02
Okay, that’s enough for this week. Until next week, just stay secure.
Josh Long 28:05
All right, stay secure.
Voice Over 28:08
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.