Sideloading on iOS, Lockbit Ransomware on Mac, and Zero-Day Chrome Vulnerabilities – Intego Mac Podcast Episode 288
Posted on by Kirk McElhearn
Lockbit ransomware is starting to target Macs, two zero-day Chrome vulnerabilities require urgent updates, and sideloading – installing apps not from Apple’s App Store – is coming to iOS soon; at least in the EU.
- Urgent Update: Chrome, Edge, Brave, Vivaldi browsers patch zero-day vulnerability
- Urgent: 2nd Chrome zero-day vulnerability patched in 5 days
- The LockBit ransomware (kinda) comes for macOS
- Fake “Geek Squad” emails: Call center scam leverages Intuit QuickBooks servers
- Sideloading may be coming to iOS 17 for the EU in early 2024
- The Digital Markets Act: ensuring fair and open digital markets
Transcript of Intego Mac Podcast episode 288
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, April 20, 2023.
This week’s Intego Mac Podcast security headlines include: browsers that employ the Chromium framework have to update and update and update; the widely-deployed Electron cross-platform development package unfortunately uses a graphics rendering library found to have a serious vulnerability; evidence that the world’s most nefarious ransomware software may soon be able to target Apple’s operating systems; there’s a surprising amount to learn about an email scamming operation, as we find out when we take the bait; and app sideloading may be coming to the iPhone as soon as next year. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 1:00
Good morning, Josh, how are you today?
Josh Long 1:02
I’m doing well. How are you Kirk?
Vulnerabilities have been discovered in the Chromium browser engine.
Kirk McElhearn 1:04
I’m doing well. We just spent a lot of time preparing for this episode talking about all the malware, the vulnerabilities, the zero days, the scam emails and Josh’s undercover investigation of the scam email story that we reported on last week. We’re gonna start with an urgent update to the Chrome, Edge, Brave and Vivaldi browsers. Now what do these browsers have in common?
Josh Long 1:26
These browsers are all based on the Chromium engine. So Chromium is the open source browser engine on which Google Chrome is based. Basically all of the big browser makers, with the exceptions of Apple and Mozilla, which make Safari and Firefox, but almost everybody else, all the big players anyway, base their browsers on Chromium.
Kirk McElhearn 1:51
So we often talk about WebKit vulnerabilities on Apple platforms. This is the other browser technology.
Josh Long 1:58
Exactly. We’ve got WebKit for Safari, we’ve got Gecko is kind of the main well, most well known engine that’s part of Firefox, and then you’ve got Chromium, which is actually based on two engines, Blink and V8.
Kirk McElhearn 2:11
Sorry, Blink and V8? Is that a boy band from the 90s and a tomato juice?
Josh Long 2:18
Well the V8 engine is what’s interesting this particular week, because there is a zero day actively exploited in the wild vulnerability for this V8 engine.
Kirk McElhearn 2:29
That’s a trifecta zero day in the wild actively exploited.
Josh Long 2:33
Okay, well, there are all kinds of different ways of saying the same thing. But basically, yeah, this is a problem. This is something that’s out there, it’s in the real world, it’s not a theoretical problem, bad guys are already using this. That’s the important thing to know.
Kirk McElhearn 2:47
So this was discovered on Friday, and all the browsers updated immediately, right?
Josh Long 2:52
So Google updated their browser immediately as you would expect. Microsoft also released an update for their browser the same day. And Vivaldi, which is kind of a lesser known browser, also released an update on Friday. Who didn’t? Well, Brave is another pretty big browser, they didn’t release an update until Saturday. And then Opera, they’ve been around for a long time, they switched to the Chromium browser underpinnings sometime within the past several years. And they didn’t release an update until today. So five days later.
Kirk McElhearn 3:28
For a zero day in the wild vulnerability.
Josh Long 3:33
Right. And it looks like the reasoning behind this is they have like a pretty strict release schedule. They only release, at least in recent history, they’ve only released on like Wednesday or Thursday. That’s it. So even if there’s like a critical vulnerability that’s being actively exploited (In the wild.) they’re not going to go out of their way to patch this out of cycle. So my recommendation is don’t use Opera if you care about security, because I mean, that’s kind of a significant thing that they’re choosing not to do this.
Kirk McElhearn 4:05
That’s a really fair point. And most people don’t really think about that. Let’s face it, most people either use Safari, if they’re on the Mac or on Apple devices. They use Chrome because they just think that Chrome is better even though it’s not. Or they use Edge. If they’re really into Microsoft, the number of people who use Opera, Vivaldi, Brave, you know, tiny percentages here. So it’s not a lot. But these are all the people that are using these apps, because they’re different somehow, right? I mean, Opera, I remember Opera in the late 1990s. It’s that old. It was a different, faster browser. And these tend to be the more tech savvy and security conscious people. So if it turns out that they’ve chosen tools that are less safe, maybe they just stick with the easy ones. I mean, I find Safari to be, you know, it works most of the time. We both switched from Chrome to Edge since Edge has gotten improved and when I need a non-Safari browser…there’s still apps that won’t let you use Safari for certain things. I recorded a podcast a few days ago as a guest, and it used a podcast recording service that only works with Chrome. So you do have to use Edge. But I don’t see much of an advantage in using these alternative browsers anymore.
Josh Long 5:15
Yeah, there are some nice benefits of some of the built in things with Brave for example, if you really like to block JavaScript, by default, if you like to block ads by default, and just have that built into your browser and not have to install an additional extension and keep them updated, and all that kind of stuff, then a third party browser might make sense for you. I use Brave on iOS. But of course, all the iOS browsers are forced to use WebKit. Apple does not allow third party browser engines on iOS and iPadOS. So when I’m using Brave on iOS, I’m actually using WebKit. I’m basically using a wrapper around Safari to give me the JavaScript blocking by default, and the ad blocking by default.
Electron framework vulnerability affects dozens of the most popular apps.
Kirk McElhearn 6:00
Okay, but this goes a little bit further than just browsers doesn’t it? There’s a type of app that is made with a framework called “Electron”. Now, if you’re not involved in development, or if you’re not really into the bleeding edge Mac stuff, you might never have heard of this. However, you have probably heard of apps that use Electron. Microsoft Teams, for example, uses Electron. Zoom, which we’re using right now to record this. Signal. Slack for desktop. So if you’re using Slack, not in a browser, but in an app. WordPress, for desktop. Skype. Discord. WhatsApp. All of these are using Electron and Electron is a kind of framework that allows developers to make cross platform apps. Remember the back in the day Java was like the cross platform until you know it ended up being relatively insecure. Electron is a way of building apps that use a rendering engine, like a web browser, and that rendering engine is Chromium. So Electron has not yet updated their framework. So for Electron apps to be up to date, Electron itself has to update their framework, each individual app needs to update Electron in their app, then they need to push these updates out to users. So it’s three steps in here. Electron has not yet updated their framework. So any Electron app that is going to load web pages–remember, these apps use Chromium to display content that may not be web pages, but if they do load web pages, then they could be vulnerable to this zero day, in the wild exploit vulnerability.
Josh Long 7:33
I should mention that to be fair, the Electron framework was just updated on Friday to update in part to a recent Chromium version, which was the recent version, probably until the moment that they updated the Electron framework. And then they came out with, I presume, I don’t know the exact timing. But I’m gonna guess for giving them the benefit of the doubt that this new Chromium version came out right after Electron just released its update on Friday. But as of today, again, here we are five days later. And there’s still no update to the Electron framework that has the new Chromium version built into it with the updated V8 engine that patches this known vulnerability. So that means that basically all of these Electron apps are potentially vulnerable right now, if they can run, third party HTML and JavaScript content. And we are specifically talking about Mac and Windows and Linux. That’s what platforms that Electron apps run on. So this doesn’t apply to iOS. iOS is kind of its own whole different thing. But at least on the desktop, there are a lot of really popular apps based on Electron. And so it’s really important that the Electron framework get updated quickly whenever there are these major vulnerabilities in Chromium.
Kirk McElhearn 8:55
So this Chromium framework, if there is a zero day in the wild vulnerability, it’ll affect macOS, Windows and Linux, it will affect all these operating systems, right? (Yeah, absolutely.) But will it require something special afterwards to get into the operating system? In other words, this vulnerability allows bad guys to sort of get through the firewall, but will it then require some sort of special code to take advantage of each particular operating system?
Josh Long 9:23
Well, depending on the vulnerability, it could theoretically be possible for it to sort of break out of the sandbox, it could read contents of memory, which could include things outside of that particular app. If it’s something like an arbitrary code execution vulnerability, then it can run whatever code it wants, which again, could be something completely out of the sandbox, it could do anything basically that it wanted to right. So it depends on the vulnerability but it is theoretically possible that yeah, something bad could happen within an Electron app that affects your whole system.
Lockbit, a component frequently used in ransomware, has been exploring ways to target Apple operating systems.
Kirk McElhearn 10:01
Okay, in other news Lockbit ransomware is finally available for the Mac. Should we be happy that we now have serious ransomware? And this isn’t just serious ransomware, this is like, they’re the Microsoft of ransomware.
Josh Long 10:15
I think you could call it that. Yeah, this is the ransomware platform, I don’t know if you’d call it that, that is most popular on Windows. Basically, all the big ransomware is like Lockbit based on Windows today.
Kirk McElhearn 10:29
So if Electron is a framework for apps, Lockbit is a framework for ransomware.
Josh Long 10:34
Something like that. So Lockbit, this is a big deal. The first sample of Lockbit ransomware for Mac was found over the weekend. This particular sample isn’t signed with an Apple developer certificate. It’s not notarized by Apple. And what that means is that it’s not going to run if you just download it and double click it. You would either need some sort of exploit that would make this code run. Or it would be something where you trick the user into running it manually. It’s not like this is something that is known to be out there in the wild infecting Macs and encrypting all of their files yet (“Yet.”). But the fact that Lockbit is actively developing Mac malware, the Mac version of their ransomware, that’s a pretty significant thing. And that’s why we thought it was worth mentioning. So we don’t know of any like active use of this ransomware on the Mac in the wild at this point. But it’s very important to know that we have a big ransomware family now that’s targeting macOS. So if you are using Intego products, if you’re using Intego VirusBarrier on the Mac, or you’re using Intego Antivirus for Windows, then you will be protected from Lockbit regardless of whether it’s the Mac or Windows variant of it.
Kirk McElhearn 11:55
Okay, we’re going to take a break. When we come back, we’re going to talk about Josh’s undercover investigation of Geek Squad scam emails, and then we’re going to talk about sideloading that may be coming to iOS 17 in the European Union, sometime next year…So just after we finished recording, literally minutes after we finished, Josh found that there was yet another zero day in the wild vulnerability patched for Chromium.
Josh Long 12:19
That’s right, yeah, so this just hit the news like within like the last couple of hours. This is a different vulnerability. Apparently, this does affect all Chromium browsers, again, from what it looks like this was a vulnerability not in the V8 engine. But instead in Skia, S-K-I-A, which is an open source 2-D graphics library, that’s part of Chromium. So it looks like this is something that’s going to affect Microsoft Edge, and probably the other browsers as well. So we don’t have a lot of details on this yet, because this just came out, but watch for an update in Chrome and all of your other Chromium based browsers coming within the next day or so. And well, maybe by next week in Opera’s case.
Kirk McElhearn 13:04
Okay, let’s take a break now for real.
Voice Over 13:08
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
Follow-up on the Geek Squad email phishing scam.
Kirk McElhearn 14:24
Last week, we talked about the Geek Squad emails that we have all received…well actually you didn’t receive them. I got a number of them, our producer Doug got a number of them, and you’re still jealous because you haven’t gotten any. And we have an article on the Intego Mac security blog. I’ll link in the show notes explaining how this works. And that this was leveraging Intuit’s QuickBooks servers to send invoices to people with a number that they had to call in order to, well basically cancel a $200 order that was placed on their credit cards. Josh went undercover. He called the scammers. Tell us what happened, Josh.
Josh Long 14:58
That’s right and I did just double check, and I still don’t have any samples of this scam. (Aww, poor Josh.) I know it’s very sad. Okay, so what did I do? Kirk and Doug, our producer, sent me copies of this scam email that they had gotten. So I had a couple of phone numbers from these emails. And I thought, Okay, well, let’s see what happens if I call up one of these numbers, because obviously, the whole thing is they’re trying to get you to call a number, so that you can say, hey, this charge doesn’t seem right. Can you cancel this for me, please. So I called them up. And I role played as an unaware victim, you know, somebody who just was trying to get them to cancel this charge that shouldn’t have happened, right? So I gave them an invoice number from Kirk’s invoice that we talked about on the show last week, the one that I knew other people had had. So I knew I wasn’t giving anything that was like uniquely identifying Kirk’s email address or something. They told me to go to a webpage, they told me to go to a particular site that isn’t where, at least as of last week, when I wrote this up, it wasn’t on any major website blacklists yet. It was just registered a month ago in March. And the title of the website was “os911” dot something. And when you go to this page, it asks you to enter a secure code, which the scammer has to give to you. And the reason that they do this is so that if anyone else is going and investigating the site, they won’t be able to see what the site is actually going to do or download any files from the site. You know how like one time passwords work when you have like a second factor that, yeah, six digit code. Yeah, like they give you a six digit code. That’s exactly what this website was doing, something exactly like that. So the scammer knew what code would work at any given space of 30 seconds. And they knew what code to give me to type into that field. So they did. And what happened was, it prompted me to download some software.
This was Mac software that was signed notarized software from a company called ConnectWise, which is a technology service provider. And this is one of those like remote administration tools. Apparently scammers use this tool a lot. Because when I went to that company’s Trustpilot page, I went to ConnectWise’s page on one of these sites where you can kind of like read customer reviews and things. A couple of the reviews talked about how someone had used ConnectWise software to try to scam them. And interestingly, and I put a screenshot of this, in my, in my article about this, one of the reviews described exactly the scenario that we’re talking about here, where someone claiming to be from Best Buy Geek Squad used ConnectWise to gain access to their computer without them knowing it. So it sounds like from this person’s description that what happened was, the scammer said, I’m gonna need you to log into your bank account. And we’ll check and make sure that the charges got reversed. And then when the person wasn’t seeing anything happen, then the scammer said, Oh, okay, well, it’s alright, just go ahead and put your computer to sleep. And we’ll call back later or something. And so the person does what they’re asked to do, they leave the room. And then the scammer goes to work because they still actually have access to the computer during this whole time. And then presumably, they would steal money from the person’s bank account, or whatever they’re going to do.
Kirk McElhearn 18:38
So the ConnectWise software itself isn’t malicious. It’s the scammers leveraging software that’s used in businesses, that is meant for good purposes.
Josh Long 18:51
Yeah, any kind of remote administration tool. And really, if you think about it, just about any kind of tool can be used for good or evil, right. And so this is an example of the bad guys using something that could be used for good purposes and perfectly legitimate purposes for something illegal and evil. In my particular case, probably because I was using a Mac, they didn’t expect me to be prompted to download something, they probably thought I was using Chrome on Windows, and was going to get like a browser extension or something offered to me. And so they kind of seemed frustrated. And then he told me to call them back. So they gave me a different number, which was actually a US based phone number to call them back. And I was like, Oh, this is kind of interesting. So I tried to look up that number to see what I could find out about the phone number. Apparently this was a phone number based in Lexington, Kentucky. And depending on whether I use the White Pages app or the White Pages website, they had different opinions on whether this was a landline or a Verizon cell phone number and I was like wouldn’t it be great if I just got the scammer’s cell phone number? But unfortunately, it turned out that it was neither one of those. In fact, I called the number back, the scammer didn’t answer. And so it went to voicemail. And I found out that this was because they just had the generic recordings still set up. It was a TextNow number. TextNow–one word–is an app that you can find in the App Store. Apparently, based on the app’s description, it allows anybody anywhere in the world to use a phone number that looks like it’s based somewhere else like in the United States. So probably this scammer is overseas, I noted that he had an accent that did not sound like somebody who’s native to the US. And so very likely, he is some scammer overseas who has a US based number just so he can plausibly pretend that he works for some US company like, you know, Best Buy Geek Squad.
Kirk McElhearn 20:54
So what I find interesting about this whole story is that we have multiple elements that are threaded together. Normal features, normal things that we use: accounting software, software that businesses use to help employees train or whatever, phone number systems that allow you to create virtual phone numbers. All of these things that can be used normally are just kind of woven together to create this scam. I wonder how much money they make. Remember, the invoice that you receive is for $200, this has nothing to do with the amount of money they’re going to try and take out of your bank account if they do get the information. Or maybe they’ll get other data from your computer with usernames and passwords and, you know, to be able to usurp your identity even more.
Josh Long 21:41
Exactly, yeah. And who knows what else they might do. Right. This particular person who wrote a Trustpilot review seemed to think that they were trying to steal money out of his bank account. But potentially if he hadn’t caught them in the act, they may have gone on to do other things, too, they could have done really anything they wanted to with his computer, if they thought that he had valuable looking files, they could have exfiltrated those. Basically anything that you would expect that a remote administration software would have the ability to do, these bad guys would have been able to do with any victim’s computer.
Kirk McElhearn 22:15
Okay, that was quite an interesting story, I must say, because we don’t always see what happens after the malware gets installed or after the phishing attempt is successful. So really good, we’re going to keep on top of this. And maybe you should call back again next week with a different number, and try and find out a little bit more.
Josh Long 22:34
One other thing that I’ll mention is that if you’ve ever been scammed, or even if you’ve gotten these emails, and you didn’t fall for the scam, but you just want to report them, I do have a section of the article where I talk about how you can report the scams to Intuit if it was sent through their system–like we talked about at length last week–and also how you can report it to the US Federal Trade Commission as well as the Anti-Phishing Working Group. And if you happen to get a scammer’s TextNow number, I even have the email address where you can report that.
The EU could compel Apple to provide sideloading options as soon as next year.
Kirk McElhearn 23:06
Okay, worth pointing out, I’ll link to your tweet to Intuit where Intuit replied, well, an Intuit social media intern replied, basically blah, blah, blah, we take security very seriously. Go away, Josh. Like the way they mentioned your name in the tweet. All right, we only have a few minutes. But Josh really wants to talk about the fact that sideloading may be coming to iOS 17 in early 2024 for the European Union. So the European Union has a new Digital Markets Act. And this includes a lot of things, including messaging interoperability, which we’ll talk about in the future. But one of the things that it includes is the requirement for third party app stores to be available on devices. Now as it stands, there’s only one app store for iOS. There’s only one official app store for macOS; you can still of course buy apps from developers directly. On Android, Google Play is the big store. But we were discussing earlier how Amazon also sells Android apps. If you have an Amazon Fire tablet, there’s a kind of a hack to get the Google Play Store. And I think there’s other stores. This has big implications for gaming. Epic was a company who sued Apple for not allowing them to put their own app store on iOS devices. If you’re into gaming, think of the Steam app store that you can access on the Mac or on Windows or I think on other platforms as well. And it’s like it’s its own app and you buy games through that app, and you launch them through that app. And this is what Epic wanted to do. Third party app stores won’t necessarily work like that. But they will give you ways to install apps on iOS. And this is going to be kind of worrying for security, isn’t it?
Josh Long 24:42
Well, there’s definitely security implications. I’m working on an article I’ll have it published by the time that the podcast goes live about all of the security implications of sideloading on iOS 17. The whole idea of sideloading is that if you want to install an app on your iPhone or iPad, that Apple does not approve for the App Store, you would want to get that app some other way. But currently, Apple doesn’t really allow you to get apps from third parties on an iPhone or iPad. There are some kind of hacky ways that you can get some third party apps. But there’s no simple way like another app store that you can go to and download an app. And you also can’t just go to a developer’s website and just download an app. You could do this on Android, but you cannot do this on iOS or iPadOS. So that’s what sideloading is, and why you might want to do it. Antivirus software. Intego used to have VirusBarrier for iOS. But in 2015, Apple decided, yeah, we don’t want antivirus software in the iOS App Store anymore. We don’t want to be able to scan your files for malware. Why would anyone want to do that? So they banned them. Emulators. If you like playing classic video games, too bad, you can’t do that. Because Apple doesn’t think that that is something you should be allowed to have in the App Store. If your app is too similar in functionality to other apps that already exist in the Store, they might just ban you, even though you have every right to have an app that’s similar in functionality to other people’s apps.
Kirk McElhearn 26:17
I think that’s one of the biggest problems, notwithstanding the fact that Epic wants to sell its games through their own app store. But Apple can deny the right for developers to sell their apps just because they don’t like them. In some cases, they’ll say, Well, there’s a problem. This doesn’t do something correctly, there are security issues, but they can say there’s duplicate features that already exist. And this prevents developers from duplicating features that are in Apple apps. And that’s where the real antitrust concerns come. Well, anti competition concerns as far as the EU is concerned.
Josh Long 26:49
Right. Okay. So what does this new law in the EU actually mean? Apple would probably have to comply with this by around March of next year, 2024. Sometime in the iOS 17 era, we’re probably going to have, built into iOS and iPadOS, the ability to sideload. Whether that means that it’s an individual app from a developer, or more likely what that would mean is some third party store that would be available and you would get an app through them.
Kirk McElhearn 27:26
You said “we”. You may not be included in that we Josh, because of the country you live in.
Josh Long 27:32
Right, which is an important point, because this only applies in the EU, right? So this does not apply anywhere outside of the EU. So of course Apple, I predict that probably what Apple is going to do is they’re going to keep this as narrow and limited as possible. So they only are complying with EU law, and not allowing third party apps to everybody else. Now Apple could actually kind of surprise us a little bit and decide to do this globally, just to make them look, you know, I don’t know, altruistic or whatever. I don’t know, I have a feeling that Apple is going to try to just keep this limited to those in the EU at first. But we’ll see.
Kirk McElhearn 28:11
I’m going to bet you that Apple rolls it out around the world, because what would happen if they don’t is other countries will look at the EU and say, Well, if you can do it there, you can do it here. And this would bring all sorts of legal things and make Apple look really bad. I’m going to bet you a hoagie that Apple does this around the world.
Josh Long 28:28
Okay, that would be very interesting.
Kirk McElhearn 28:31
What the hoagie or Apple doing this around the world?
Josh Long 28:35
No, no, I don’t care about the hoagie. But it would be very interesting if Apple did this all around the world. Remember, this is not just about getting antivirus software back on iOS. The other big security implication here is that now third parties that are not getting full App Store validation, approval from Apple, they are going to be able to have apps on iOS. And that could mean malware, it could mean more scam apps than we’re currently seeing in the App Store from time to time. It could be a bigger security problem. And in fact, that’s Apple’s whole argument this whole time for why they have not allowed third party apps to go around the App Store to date. So it’ll be a very interesting time a year from now.
Kirk McElhearn 29:21
And yet we can install third party apps on the Mac. Until next week, Josh, stay secure.
Josh Long 29:27
All right, stay secure.
Voice Over 29:30
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
Transcribed by https://otter.ai