Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

The recently patched Firefox vulnerability tracked as CVE-2019-11707 has been exploited to deliver Mac (and possibly Windows) malware to the employees of cryptocurrency exchanges.

Mozilla announced on Tuesday that the latest update for Firefox patched a critical type confusion zero-day that had been exploited in targeted attacks. The Tor Project has also updated its browser, which is based on Firefox, to address the vulnerability.

The flaw was reported to Mozilla by the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero, but initially no details were made available on the attacks.

Philip Martin of the Coinbase security team revealed on Twitter that CVE-2019-11707 had been used alongside another unpatched Firefox vulnerability, a sandbox escape weakness, to target Coinbase employees. Martin said the attackers also targeted other cryptocurrency-related organizations.

After seeing the indicators of compromise (IoCs) made public by Martin, including malware hashes and command and control (C&C) IP addresses, FireEye’s Nick Carr revealed that they matched uncategorized activity observed by FireEye between 2017 and 2019. The attacks seen by FireEye had been aimed at financial institutions and cryptocurrency exchanges.
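The value of the published IoCs in this story is that other defenders could sweep their own telemetry for the same hashes and C&C addresses, which is how FireEye connected them to earlier activity. The script below is an added example, not code from the SecurityWeek article or from any of the researchers it cites; every indicator, proxy log line and file in it is a constructed placeholder (TEST-NET addresses, made-up file contents), and the hash set is derived from the constructed payload so the example runs offline. It shows the two checks a responder would run against the real IoC list: destination IPs in proxy logs, and SHA-256 hashes of files on disk.

```python
"""Match published IoCs (file hashes and C&C IPs) against local telemetry.

Added example; it is not code from the SecurityWeek article or from any of
the researchers it cites. Every indicator, log line and file below is a
constructed placeholder (TEST-NET addresses, made-up content): real
indicators come from the published IoC list, not from this file.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_ip> <method> <url>".
SAMPLE_PROXY_LOG = """\
2019-06-17T09:12:03Z 10.0.0.5 203.0.113.8 GET http://203.0.113.8/
2019-06-17T09:12:44Z 10.0.0.5 192.0.2.10 POST http://192.0.2.10/gate
2019-06-17T09:13:01Z 10.0.0.7 198.51.100.23 GET http://198.51.100.23/update
malformed line that the parser must skip
2019-06-17T09:14:10Z 10.0.0.9 203.0.113.8 GET http://203.0.113.8/news
"""

# Constructed stand-in for files on disk: path -> contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "/tmp/constructed/benign.txt": b"nothing to see here",
    "/tmp/constructed/payload.bin": b"constructed malicious payload",
}

# Constructed IoC set. The hash is derived from the constructed payload above
# so the example is self-contained; in practice it is copied from the advisory.
IOC_C2_IPS: Set[str] = {"192.0.2.10", "198.51.100.23"}
IOC_SHA256: Set[str] = {hashlib.sha256(b"constructed malicious payload").hexdigest()}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>[A-Z]+) (?P<url>\S+)$"
)


@dataclass(frozen=True)
class C2Hit:
    timestamp: str
    src_ip: str
    dst_ip: str
    url: str


def match_c2(log_text: str, c2_ips: Iterable[str]) -> List[C2Hit]:
    """Return every proxy event whose destination is a known C&C address."""
    wanted = set(c2_ips)
    hits: List[C2Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:  # tolerate malformed lines instead of aborting the sweep
            continue
        if m["dst"] in wanted:
            hits.append(C2Hit(m["ts"], m["src"], m["dst"], m["url"]))
    return hits


def match_hashes(files: Dict[str, bytes], bad_hashes: Iterable[str]) -> List[str]:
    """Return paths whose SHA-256 matches a published malware hash."""
    wanted = {h.lower() for h in bad_hashes}
    return sorted(p for p, data in files.items()
                  if hashlib.sha256(data).hexdigest() in wanted)


def triage(log_text: str, files: Dict[str, bytes]) -> Dict[str, object]:
    """Summarise which internal hosts and which files need follow-up."""
    c2_hits = match_c2(log_text, IOC_C2_IPS)
    return {
        "hosts_contacting_c2": sorted({h.src_ip for h in c2_hits}),
        "c2_events": c2_hits,
        "matching_files": match_hashes(files, IOC_SHA256),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_PROXY_LOG, SAMPLE_FILES)
    print("hosts contacting C&C:", summary["hosts_contacting_c2"])
    for hit in summary["c2_events"]:
        print(f"  {hit.timestamp} {hit.src_ip} -> {hit.dst_ip} {hit.url}")
    print("files matching published hashes:", summary["matching_files"])
```

Hash matching catches only the exact sample that was shared, so a host that contacted a listed C&C address but has no matching file still deserves a look; the triage summary reports both signals separately for that reason.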

Security researcher Vitali Kremez, who has analyzed the payloads delivered via the new Firefox exploit, reported uncovering some links to recent attacks involving a WinRAR zero-day. Kremez described the malware as a “stealer.”

macOS security expert Patrick Wardle has obtained a sample of the macOS malware delivered via CVE-2019-11707. He got the sample from an individual who claimed to have received it via an email that referenced the Adams Prize, a prestigious prize awarded by the University of Cambridge in the UK. The targeted person said he had been involved until fairly recently with a cryptocurrency exchange.

Wardle’s analysis revealed significant similarities to OSX.Netwire (Wirenet), a piece of malware that emerged in 2012. The old malware was designed to steal passwords from Linux and OS X systems.

While there are significant similarities, the researcher says the new and the old malware are also very different and they seem to have different objectives — the old malware was only designed to steal passwords, while the new threat has other capabilities that Wardle plans on detailing in an upcoming blog post. The expert believes they were both created by the same developer or team of developers.

Interestingly, the new macOS malware bypassed Apple’s Gatekeeper security system — Gatekeeper only scans files that are downloaded by users via normal methods, not files downloaded via an exploit — but Apple’s XProtect system does detect the malware based on a Yara signature added by the company in 2016 for a version of Netwire.

According to VirusTotal, the sample of the macOS malware delivered via the latest Firefox zero-day is only detected by security solutions from Symantec and China’s Tencent.

UPDATED. The article incorrectly stated that both Windows and macOS malware had been used in the attacks. Vitali Kremez told SecurityWeek that he has no evidence of any Windows malware being served, but pointed out that the “referenced hashes and IOCs are clearly related to the PE32 malware.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
