What steps should I take to mitigate possible Mac OS and iOS RAT infection?

I have been noticing odd behavior on both Mac OS Monterey and iPhone running iOS 16.0.2.

On my Mac I have noticed settings changed in Logic that I did not make, and a search done in a website using Safari that I did not initiate. In iOS I have noticed text being entered that did not appear to be auto-complete, random apps opened that I did not open, and icons being tapped in front of my eyes.

I would love to chalk this up to random bugs, coincidence or glitches, but security folks say to “Assume breach and act accordingly.” So, how should one act accordingly in this situation?

Here is what I have done so far (though not necessarily in this order, which I cannot remember):

  1. I reset my password on my laptop, iPhone and iCloud. However, if one
    assumes breach, then one assumes a keylogger, then one assumes this
    is useless. I also reset my iPhone. However, it reinstalls from the
    iCloud backup and I assume the backup may be tainted. Perhaps I
    should do this all again once I am sure my devices are locked down.

  2. I ran a couple of different malware scans on my Mac from Bitdefender
    and Malwarebytes. Bitdefender found the following, which it
    quarantined and I deleted:

    An infected file attempted to run on your device. Threat name: JS:Trojan.Cryxos.5913 Path: /Users/me/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/WebKitCache/Version16/Records/F7C238782183305DAF70908C7374B34484AA2439/Resource/04D3A3239B7E6A329EC6E8B17F1B3D9E4094F8E0-blob=>(INFECTED_JS)

    I looked up JS:Trojan.Cryxos.5913 and F-Secure says “Cryxos trojans
    display an alarming notification message saying that the user’s
    computer or web browser has been ‘blocked’ due to a virus infection,
    and that their personal details are ‘being stolen’. The user is then
    directed to call a phone number for assistance in the ‘removal
    process’. This is a version of a ‘call support’ scam.”

    So, it seems like maybe this is just malicious JavaScript from a
    website that got cached and not an actual Trojan or RAT.

  3. I installed Little Snitch on my Mac and denied most connections
    other than the base Apple ones, plus a few more Apple processes not
    included in the default settings. I also subscribed to a bunch of
    rule groups from
    https://github.com/naveednajam/Little-Snitch—Rule-GroupsV2.

  4. I ran netstat on my Mac to see what ports were being used and ran
    lsof to see what processes they belonged to and then killed those
    processes if they weren’t part of the OS or software I use.

  5. I noticed a couple of connections in particular that seemed
    worrying. One was for a game that I had been working on a few years
    ago that was still active. It used Node.js so I uninstalled Node and
    the connection disappeared the next time I ran netstat. The other
    was for something called Exosee but I found scant info about it
    online, though it appears to be a Windows file sharing program. It
    also disappeared after I uninstalled Node.

  6. I used nc to port scan my iOS devices and found 3 open ports on one
    device: 49212, 49213 and 62078. I ran the port scan on my other iOS
    devices and only 62078 was open on those. I looked up those ports
    and only 62078 seemed legit, so I added a rule in my router to block
    access to 49212 and 49213 on my iPhone, just in case. I also made
    sure on my router that all my IoT devices are on a separate SSID
    that is segmented away from the other SSIDs so that anyone who
    breaches one of those devices cannot easily reach my other devices.

  7. I ran `last` on my Mac to see if anybody but me had logged in. No one
    appears to have. However, the item sshd-keygen-wrapper appears
    unchecked in my Full Disk Access privacy settings, so it appears
    someone may have SSH'd into my machine at some point, though I am not
    sure whether this is normal or not (perhaps it is a factory
    default).

  8. I made sure my firewall in the Mac’s settings was still set to deny
    all incoming requests.

My main questions are:

A) Am I paranoid or does this seem like a possible breach?

B) If I am not paranoid or my paranoia is justified, then what else should I do to contain the damage?

I am considering calling the other developer of the game I was working on and asking whether they have had any breaches. However, if the developer themselves is the culprit, then I am not sure what good that would do. I trust them, but you know, trust no one.

I am also hesitant to change passwords at my banks and such, assuming that by typing them in, I am exposing them. I generally use Keychain as my password manager, so for most things I am pretty sure I can just copy and paste or let it enter the password without displaying it on the screen or copying it to the clipboard. However, if the keychain itself is accessible, then what?

Such a pain, for perhaps what could really just be random weirdness.

Thanks for taking the time to read and respond!
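For the netstat/lsof triage in step 4, here is an added example (not from the original post) that parses the output of `lsof -iTCP -sTCP:LISTEN -n -P` and ranks listeners that are not on a personal allowlist, putting those bound to all interfaces first. The sample output and the allowlist are constructed assumptions; on a real machine you would feed it the actual lsof output and your own list of recognised processes.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of `lsof -iTCP -sTCP:LISTEN -n -P` output (not real data).
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    512 me      4u  IPv4 0x1a2b3c4d5e6f7890      0t0  TCP *:49152 (LISTEN)
ControlCe   598 me      8u  IPv6 0x1a2b3c4d5e6f7892      0t0  TCP *:7000 (LISTEN)
node       7431 me     22u  IPv4 0x1a2b3c4d5e6f7891      0t0  TCP 127.0.0.1:3000 (LISTEN)
unknownsvc 8102 me     11u  IPv4 0x1a2b3c4d5e6f7893      0t0  TCP *:5050 (LISTEN)
"""

# Processes the owner recognises as legitimate on this machine (assumption).
KNOWN_OK = {"rapportd", "ControlCe", "sharingd"}
WILDCARDS = {"*", "0.0.0.0", "[::]"}

@dataclass
class Listener:
    command: str
    pid: int
    user: str
    proto: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        # Bound to every interface: reachable from the LAN, not just this host.
        return self.addr in WILDCARDS

def parse_lsof_listen(text: str) -> list:
    """Parse lsof LISTEN rows. Columns: COMMAND PID USER FD TYPE DEVICE
    SIZE/OFF NODE NAME; for sockets NODE is the protocol and NAME is
    'addr:port (LISTEN)', so NAME is the trailing field after 8 splits."""
    out = []
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split(None, 8)
        if len(parts) < 9 or "(LISTEN)" not in parts[8]:
            continue
        addr, port = parts[8].split()[0].rsplit(":", 1)
        out.append(Listener(parts[0], int(parts[1]), parts[2], parts[7], addr, int(port)))
    return out

def triage(listeners, known_ok=KNOWN_OK) -> list:
    """Return unrecognised listeners, network-exposed ones first, then by port.
    A loopback-only unknown (e.g. a dev server) is still listed, ranked lower."""
    flagged = [l for l in listeners if l.command not in known_ok]
    return sorted(flagged, key=lambda l: (not l.exposed, l.port))

if __name__ == "__main__":
    for l in triage(parse_lsof_listen(SAMPLE_LSOF)):
        scope = "ALL INTERFACES" if l.exposed else "loopback only"
        print(f"{l.command:<10} pid={l.pid:<6} {l.proto} port {l.port:<6} {scope}")
```

To run it against the live machine, replace `SAMPLE_LSOF` with `subprocess.run(["lsof", "-iTCP", "-sTCP:LISTEN", "-n", "-P"], capture_output=True, text=True).stdout`; the flagged list is a starting point for what to inspect, not a verdict.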