Apple's latest macOS release is breaking security software, network connections

PLUS: Payer of $75M ransom reportedly identified; Craigslist founder becomes security philanthropist, and more

The Register

Infosec In Brief Something's wrong with macOS Sequoia, and it's breaking security software installed on some updated Apple systems.

Sequoia, aka macOS 15, was released on Monday of last week. By Thursday, reports of problems with security products – from vendors including CrowdStrike and Microsoft – had begun to pile up with no explanation from Apple, as first reported by TechCrunch.

Objective-See founder and macOS security expert Patrick Wardle suggested one possible cause for the problems on X: networking bug(s) in Sequoia. He noted he had seen security bulletins from Microsoft, CrowdStrike, and others warning about the issues, and mentioned that Apple was well aware of them.

"This was reported to Apple before [Sequoia] released (by multiple people, to multiple teams/orgs within Apple) so Apple 100% knew about this, and shipped macOS 15 anyways," Wardle posted.

Both Microsoft and ESET have posted bulletins about networking problems in macOS 15, and both report different fixes for their respective problems as well.

After upgrading to Sequoia, ESET software may report that it is unsupported and can also cause network connectivity trouble. The issue seems to be tied to network filters configured in macOS, which must be removed before the software will work. If users don't remove them, the software must be uninstalled and reinstalled.

According to Microsoft, its issue has to do with macOS's Stealth Mode, which stops a machine from responding to ping requests or connection requests from closed TCP or UDP networks. Stealth Mode has to be disabled in Firewall settings to resolve the issue.

Speaking to The Register, Wardle said some of the larger vendors he had talked to told him Apple had acknowledged some unintended changes that it was working to fix, but he wasn't sure whether that meant the issue lay in the firewall or in lower-level networking components.

Microsoft's notice on the issue, which advised customers not to upgrade to Sequoia, indicated the issue has to do with changes to the network stack in macOS.

Either way, the open source developer told us, it's something that never should have happened – and it's not the first time, either.

"If you pride yourself on building secure systems, you can't push out software that breaks security tools," Wardle noted.

Apple hasn't responded to questions.

Critical vulnerabilities of the week: You updated HugeGraph, right?

You may recall in April when Apache disclosed a rather serious CVSS 9.8 vulnerability in HugeGraph, or in June when we warned that proof-of-concept code for the sandbox bypass and RCE vulnerability had been released.

If not, here's yet another warning: The vulnerability, tracked as CVE-2024-27348, is under active exploitation. It affects Apache HugeGraph-Server versions from 1.0.0 up to, but not including, 1.3.0, which fixes the matter when used with Java 11 and the authentication system enabled. Get patching!

Elsewhere:

  • CVSS 9.8 – CVE-2024-6670: Network monitoring platform WhatsUp Gold contains an SQL injection vulnerability that can allow an unauthenticated attacker to retrieve a user's encrypted password, and it's under active exploitation.
  • CVSS 9.8 – CVE-2022-21445: Unauthenticated attackers with HTTP network access can easily compromise and take over certain versions of Oracle Application Development Framework.
  • CVSS 9.8 – CVE-2020-14644: A flaw in certain versions of Oracle WebLogic Server in Oracle Fusion Middleware can allow an unauthenticated attacker with network access to take over the server. Active exploitation of this vulnerability has been reported.
  • CVSS 8.8 – CVE-2020-0618: Microsoft SQL Server Reporting Services has an RCE vulnerability triggered by incorrectly handled page requests, and it's being exploited in the wild.

Craigslist founder pledges $100M for cyber security projects

Craig Newmark, who started his eponymous list in 1995, is worried about the state of cyber security in the United States, so he's pledged $100 million of his own fortune to fix it.

The Wall Street Journal shared news of the initiative, reporting that Newmark plans to donate $50 million toward protecting critical infrastructure from cyberattacks. The other half will go toward public education on simple security practices – like using password managers, updating software, and the like.

Newmark's moving fast, too – some of the money has already been awarded to the University of Chicago to recruit and train cyber security professionals for local infrastructure projects, and another chunk has been allotted to child internet safety group Common Sense Media.

"The country is under attack," Newmark told the Journal, adding that he sees his efforts as championing the work of American cyber security professionals.

UK Apple users urged to watch for new iCloud scam

The UK's reporting center for fraud and cyber crime warned last week of a scam going around for which anyone whose iCloud storage fills up frequently should be on the lookout.

According to Action Fraud, the last two weeks have seen over 1,800 reports of emails claiming the recipient's iCloud storage space was running out - and offering a link to buy more storage.

Those links, naturally, are phishing sites on which cyber criminals are harvesting Apple IDs – likely for further compromise in the future, resale or other malicious use.

Buyers for such info are legion.

According to IBM's X-Force threat intel team, around 90 percent of the goods and services sold on dark web marketplaces are stolen credentials. Verizon's 2023 Data Breach Investigations Report found that around half of all data breaches, and 86 percent of basic web application attacks, start with stolen credentials.

Mystery $75M ransomware payer identified

When we reported on what was believed to be the largest-ever ransomware payment – $75 million – in early August, we didn't know who paid it, but their identity may have been uncovered.

According to unnamed insiders who spoke to Bloomberg, the payment was made by drug distributor Cencora, which was breached in February. According to notifications from the time of the breach, stolen data included health records and other PII.

Bloomberg reported that Cencora's data was stolen by the Dark Angels gang and that the payment was made in Bitcoin in three separate installments. The original ransom demand was reportedly double that, Bloomberg's sources claimed.

The healthcare sector has been an increasingly popular target for threat actors due to poor cyber security tooling and the highly sensitive nature of medical data.

Cencora declined to comment on the matter to Bloomberg, calling reports that it paid ransom "speculation."

Dell investigating alleged employee data leak

The miscreant behind the earlier leak of data from French IT firm Capgemini has resurfaced with a claim they hold stolen employee info from Dell.

Dell confirmed to BleepingComputer that it was looking into the claims of a crook who goes by "Grep" and posted in a hacking forum detailing data describing nearly 11,000 Dell and partner employees stolen during "a minor data breach" earlier this month.

Grep claimed employee names, status, and internal ID numbers were included in the stolen dataset – far less valuable than what he or she made off with from Capgemini earlier this month. In that case, the stolen data allegedly included source code, credentials, API keys, and employee data.

The value – or lack thereof – of the data allegedly stolen from Dell was reflected in its price: According to reports, the entire set of more than 10,800 records can be had for around $0.30.

If accurate, this would mark the second theft of a database from Dell in recent months. ®