New malware backdoor: CloudMensis
ESET researchers first spotted the new malware in April 2022 and named it CloudMensis. Why? It uses the pCloud, Yandex Disk, and Dropbox public cloud storage services for command-and-control (C2) communication. CloudMensis’ capabilities clearly show that its operators’ main goal is to collect sensitive information from infected Macs through various means. These include screenshots, exfiltration of documents and keystrokes, as well as listing email messages, attachments, and files stored on removable storage. CloudMensis can also bypass the macOS Transparency, Consent, and Control (TCC) system and, in ESET’s words, “if SIP is enabled but the Mac is running any version of macOS Catalina earlier than 10.15.6, CloudMensis will exploit a vulnerability to make the TCC daemon (tccd) load a database CloudMensis can write to.” The vulnerability it uses for this is a CoreFoundation bug tracked as CVE-2020-9934 and patched by Apple two years ago.
If you want to dig deeper into this new malware backdoor, here is our source material for you to enjoy:
- CloudMensis – macOS spyware is watching you closely (welivesecurity.com)
- CVE – CVE-2020-9934 (mitre.org)
- New CloudMensis malware backdoors Macs to steal victims’ data (bleepingcomputer.com)
Hackers use trusted online storage services for delivering malware
Organizations around the world rely on trusted, reliable online storage services – such as Dropbox and Google Drive – to conduct day-to-day operations. However, Unit 42 research shows that threat actors are finding ways to take advantage of that trust to make their attacks extremely difficult to detect and prevent. When the use of trusted services is combined with encryption, as in this campaign, it becomes extremely difficult for organizations to distinguish the malicious activity from legitimate traffic to the same services.
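Both the CloudMensis write-up and the Unit 42 research point at the same defender problem: C2 and exfiltration over pCloud, Yandex Disk or Dropbox blend in with legitimate, encrypted traffic to the same services, so detection has to lean on behaviour rather than destination. The script below is an added example (not code from the original post, from ESET or from Unit 42) that flags hosts whose non-browser, non-sync-client processes contact cloud storage APIs at suspiciously regular intervals and flags outbound size spikes within such a beacon. The proxy-log format, the process names, the client IPs and the API hostnames are all constructed for the example and are assumptions, not values taken from either report.

```python
"""Beacon detection over proxy logs for public cloud storage C2 (added example).

Assumed log format (constructed for this example, one event per line):
    <ISO-8601 UTC timestamp> <client-ip> <process-name> <destination-host> <bytes-out>
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median, pstdev

# Domains of the storage services named in the post. Hostnames under them are
# an assumption for the example, not taken from the reports.
CLOUD_STORAGE_DOMAINS = ("pcloud.com", "yandex.net", "dropboxapi.com", "dropbox.com")

# Processes expected to talk to these services legitimately; tune per environment.
EXPECTED_CLIENTS = {"Dropbox", "Safari", "Google Chrome", "firefox"}

# Constructed sample log: one host (10.0.0.7) beacons every 60 s from an
# unexpected process ("syncagent", a made-up name) and uploads a large blob once.
SAMPLE_LOG = """\
2022-07-19T09:00:01Z 10.0.0.5 Dropbox api.dropboxapi.com 1843
2022-07-19T09:00:00Z 10.0.0.7 syncagent api.pcloud.com 512
2022-07-19T09:01:00Z 10.0.0.7 syncagent api.pcloud.com 520
2022-07-19T09:02:00Z 10.0.0.7 syncagent api.pcloud.com 498
2022-07-19T09:03:00Z 10.0.0.7 syncagent api.pcloud.com 51234
2022-07-19T09:04:00Z 10.0.0.7 syncagent api.pcloud.com 505
2022-07-19T09:03:11Z 10.0.0.5 Safari www.dropbox.com 900
2022-07-19T10:15:00Z 10.0.0.5 Dropbox api.dropboxapi.com 2048
2022-07-19T09:10:00Z 10.0.0.9 mdworker cloud-api.yandex.net 300
2022-07-19T09:45:00Z 10.0.0.9 mdworker cloud-api.yandex.net 310
2022-07-19T09:12:30Z 10.0.0.5 Safari www.example.com 700
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def cloud_domain(host):
    """Return the cloud storage domain a hostname belongs to, or None."""
    host = host.lower()
    for dom in CLOUD_STORAGE_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, proc, host, nbytes = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client, "process": proc, "host": host, "bytes": int(nbytes),
        })
    return events


def find_beacons(events, min_events=4, max_cv=0.2, exfil_factor=10):
    """Group cloud-storage events by (client, process, domain) and flag regular ones.

    A group is a beacon candidate when the process is not an expected client,
    it has at least min_events events, and the coefficient of variation of the
    inter-arrival times is at most max_cv (near-constant timing). Within a
    candidate, any request sending more than exfil_factor times the median
    bytes is reported as a possible exfiltration spike.
    """
    groups = defaultdict(list)
    for ev in events:
        dom = cloud_domain(ev["host"])
        if dom is not None:
            groups[(ev["client"], ev["process"], dom)].append(ev)

    findings = []
    for (client, proc, dom), evs in groups.items():
        if proc in EXPECTED_CLIENTS or len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, not a usable timing signal
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        med = median(e["bytes"] for e in evs)
        spikes = [e["bytes"] for e in evs if e["bytes"] > exfil_factor * med]
        findings.append({"client": client, "process": proc, "domain": dom,
                         "events": len(evs), "interval_s": round(avg),
                         "cv": round(cv, 3), "upload_spikes": spikes})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} {f['process']} -> {f['domain']}: {f['events']} requests "
              f"every ~{f['interval_s']}s (cv={f['cv']}), upload spikes={f['upload_spikes']}")
```

The timing test is deliberately loose (a coefficient of variation of 0.2 tolerates some jitter) and the process allow-list is where most of the tuning happens in practice; the point is that neither the destination nor the (encrypted) payload is needed to surface the pattern, only metadata the proxy already records.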
The complete article can be read here:
Vulnerabilities of the week
Multiple vulnerabilities have been discovered in Google Chrome prior to 103.0.5060.134. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user.
Furthermore, Juniper Networks published 21 security advisories to inform customers about more than 200 vulnerabilities affecting its products last week. The security holes impact Junos OS (including on SRX, EX, PTX, QFX and MX series devices), Junos Space, Contrail Networking, and Northstar Controller products. Six advisories describe six high-severity vulnerabilities that are specific to Juniper products. All except one of these vulnerabilities can be exploited by an unauthenticated attacker on the network to cause a denial of service (DoS) condition. The remaining flaw can allow a local attacker authenticated with low privileges to take full control of the targeted device. There are also six advisories with an overall rating of “critical” or “high severity” that describe more than 200 issues affecting third-party components. The remaining advisories describe medium-severity issues affecting Junos OS.
Our advice: Please update now!
For more insights on the topic, feel free to check some of our trusted sources below:
- Chrome Releases: Stable Channel Update for Desktop (googleblog.com)
- Contrail Networking: Multiple vulnerabilities resolved in Contrail Networking 21.4
- Junos Space: Security Director Policy Enforcer upgraded to CentOS 7.9
- Northstar Controller: nginx component allows remote attacker to cause worker process crash or, potentially, arbitrary code execution (CVE-2021-23017)
- Junos Space: Multiple vulnerabilities resolved in 22.1R1 release
- Junos OS: SRX and EX Series: Local privilege escalation flaw in “download” functionality (CVE-2022-22221)
Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.