Status
Not open for further replies.

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
I am pretty close to putting all my devices, including my Windows machines, in storage. I feel like I am going through probably one of the worst cyber attacks I've personally ever heard of on a normal person, and have contacted pretty much every outlet possible and now realize that pretty much there isn't anything I can do. So I figured I would come here and maybe shed light and provide some insight into what has happened to me, and maybe it can help others in the future, or maybe someone can help me. Who knows.

A person, or a group of people (who doesn't really matter at this point because what's done is done), have been able to do the following to my electronics in just a matter of one week:

OSX Setup:
M2 Pro Max Ultra 36gb video
M2 Air 8gb
iPhone 14 Pro Max
iPhone 11

1) Created 20 network interfaces in each of my computers and made some sort of advanced point-to-point tunneling system where they can move laterally through my network, including my cell phones, my wife's phone, and my son's.

2) Have established pre-boot sector files that I cannot get rid of. I have been able to remove every single drive except the macOS Base System, which then tells me that it's in use by process 0; I haven't been able to figure out how to remove that.

3) Have created NVRAM arguments that live past DFU firmware flashes, and most of their files live within the macOS Base System, which is everything they need to keep persistence. They are literally in my UniFi firmware as well.

4) Are able to somehow change the way native Apple binaries work; as you are downloading them they are intercepted (not one hash or SHA-256 key in the past few days has matched).

5) I am most likely using some counterfeit operating system, because I am getting warning messages in recovery OS that I am trying to connect to a server that is pretending to be Apple.

These devices have been the joy of my life since I've bought them, and I am just lost for words that everything is basically unusable (Apple just firmware flashes it and gives it back to me and puts their hands up, police don't care).

Hopefully someone has been through this and can shed some light on what to do.
 

theorist9

macrumors 68040
May 28, 2015
3,701
2,800
Do you have uncontaminated backups? If you've filed police reports indicating these devices have been rendered unusable, maybe you could be reimbursed for them by your homeowner's insurance (since they've effectively been vandalized) and start over with new devices.
 

aj_niner

Suspended
Dec 24, 2023
360
372
On an uncontaminated device, contact Apple Support and describe your problem.

They may be interested in buying your devices to observe the hack themselves. If they can compromise your current devices then there is a chance it will spread to others.
 

cupcakes2000

macrumors 68040
Apr 13, 2010
3,872
5,281
These devices have been the joy of my life since I've bought them, and I am just lost for words that everything is basically unusable (Apple just firmware flashes it and gives it back to me and puts their hands up, police don't care).
You have given every device in the house back to Apple and they have erased them down to the firmware and it still persists? Is it only Apple devices at yours? So the attack is not coming from your devices, they’re clearly getting in a different way and reinfecting. I think you should look at your network setup then. Have you tried to change your router and looked at that side of things?
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,756
1,779
UK
Presume you have alerted your bank and credit card companies etc. to lock down online activity?
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
Do you have uncontaminated backups? If you've filed police reports indicating these devices have been rendered unusable, maybe you could be reimbursed for them by your homeowner's insurance (since they've effectively been vandalized) and start over with new devices.
I do not have any, sadly, and I checked and I guess I forgot to check the box for the cyber attack clause of the homeowner's insurance.
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
Presume you have alerted your bank and credit card companies etc. to lock down online activity?
Yes
You have given every device in the house back to Apple and they have erased them down to the firmware and it still persists? Is it only Apple devices at yours? So the attack is not coming from your devices, they’re clearly getting in a different way and reinfecting. I think you should look at your network setup then. Have you tried to change your router and looked at that side of things?
Yes I have. I also hired a senior enterprise admin from IBM privately; he came into my house and installed a UniFi Dream Router, intrusion defense systems like Suricata, things like Wazuh... everything. I've spent close to $5,000+ just trying to get a hold on the network and it's been impossible. I've contacted my ISP, who said to phone the police, and my ISP has already provided me with a modem, which was nuked pretty much an hour after they left.

They are now putting me on a corporate plan with more firewall at the modem, but I don't think it's going to do much, to be honest.
 

galad

macrumors 6502
Apr 22, 2022
466
362
So did anything happen apart from your findings of "weird" things on your devices?
If you really think you have been hacked, you should try to contact some security researchers out there; they will be quite interested in discovering what's going on (and getting the bounty for finding the security issues).

But as usual, extraordinary claims require extraordinary evidence.
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
So did anything happen apart from your findings of "weird" things on your devices?
If you really think you have been hacked, you should try to contact some security researchers out there; they will be quite interested in discovering what's going on (and getting the bounty for finding the security issues).

But as usual, extraordinary claims require extraordinary evidence.
I mean, if having every device you own get boot-locked within 2 days of a fresh install, open windows out of nowhere, turn itself on, turn itself off, and basically barely work on the Internet is not "weird" enough...

I don't only have evidence, I have MITRE signatures from multiple cyber security agencies, I have the malware. TBH I'm not really here to PROVE anything, I'm here to get advice on how people dealt with intrusions at this level.
I could lay out a thesis right now on exactly how these vulnerabilities have been exploited etc., but I feel like it's irrelevant; the damage is done.

Apple has put me in their bug bounty program actually, but it will not replace all the lost pictures, phone numbers, files and time that I have spent on fixing this, and even if they do give me a "bounty", how long will that take, and will they have a solution?

I'm going to take a guess at strange messages in a log somewhere.
To anyone who is doubtful of my claims, why don't you open some of the files that are on my computer and see what happens.
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
I just had to install a brand new copy of Sonoma onto the Air because it was slowing down so badly I could barely use it. I will check back in 2 hours. I guarantee you there will be over 500 detections.
Screenshot 2024-02-04 at 6.02.56 AM.png
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
Never mind, it only took 2 minutes.
Screenshot 2024-02-04 at 6.05.14 AM.png
 


galad

macrumors 6502
Apr 22, 2022
466
362
If you really think those logs are something to worry about (and not only the usual bots scanning the Internet for known vulnerabilities; a new malware won't be reported by programs like Wazuh), contact some security experts and let them validate them.

Apple can't and won't restore any lost file; they will just fix the vulnerability you reported, if it's actually a vulnerability, and give you a bounty if it falls under the terms of the bounty program.
 

cupcakes2000

macrumors 68040
Apr 13, 2010
3,872
5,281
Go to an undisclosed location and get yourself a copy of Tails sorted out. Open that up on one of your laptops. At least that way you'll have a safe place to get online and perhaps get some type of peace. It's free, and you can see if that gets infected. If not, then you have a jumping-off point.
 

theorist9

macrumors 68040
May 28, 2015
3,701
2,800
I'd be curious to see what Malwarebytes reports. It's free, and was recommended to me by Apple Support.

It focuses on malware that conventional anti-virus software struggles with, such as rootkit attacks.
 

ondioline

macrumors 6502
May 5, 2020
281
283
5) I am most likely using some counterfeit operating system, because I am getting warning messages in recovery OS that I am trying to connect to a server that is pretending to be Apple.
If this is real and not some schizophrenic delusion, then your network has a MITM outside your LAN. This is only possible if someone can intercept your DNS and TLS requests with fake responses and certificates. Basically any RPi running mitmproxy would be able to do this.

Anyway this is the realm of physical security. Installing IDS and firewalls or whatever isn't going to stop it. You need to start looking for devices wherever your physical internet connection is.
 

Malus120

macrumors 6502a
Jun 28, 2002
678
1,412
Assuming for a second this is actually real, you'd likely be dealing with either a nation-state actor or a well-funded criminal organization (or some combination of the two).

For that to be the case you'd likely either need to have some connection to national security, foreign policy, or critical industry/infrastructure at something above an entry-level position, or be wealthy and high-profile enough to be worth a lot of effort for a criminal organization.
If the former applies, you should already be talking to the people above you about how to deal with this situation.
If the latter, you're likely going to want to hire a cyber security firm to help you get the situation under control and it probably wouldn't hurt to just throw out and replace every device in your house and set up a new line with your ISP.

If you're really just an everyday dude, you're not making this up, and you really have no clue how this happened... try talking to your son.
 

startergo

macrumors 601
Sep 20, 2018
4,792
2,193
I'm pretty sure you have some kind of physical device, similar to one of the Hak5 devices, attached to your network, or somewhere physically on your devices, masquerading as a different type of device.
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
Assuming for a second this is actually real, you'd likely be dealing with either a nation-state actor or a well-funded criminal organization (or some combination of the two).

For that to be the case you'd likely either need to have some connection to national security, foreign policy, or critical industry/infrastructure at something above an entry-level position, or be wealthy and high-profile enough to be worth a lot of effort for a criminal organization.
If the former applies, you should already be talking to the people above you about how to deal with this situation.
If the latter, you're likely going to want to hire a cyber security firm to help you get the situation under control and it probably wouldn't hurt to just throw out and replace every device in your house and set up a new line with your ISP.

If you're really just an everyday dude, you're not making this up, and you really have no clue how this happened... try talking to your son.
Field Effect wants far more than what all of my devices are worth to take this on ($25,000 for 12 months of monitoring + no guarantee they will actually remove whatever is going on from my network), and it also seems like they are just using IDR / threat management programs.

I don't have any clue how. I know. I just feel like, without doxxing myself completely and sharing too much information on a public forum that any stranger can read, it would be pretty hard to do this, but yes, I check some of the boxes in the list you described.

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
I'm pretty sure you have some kind of physical device, similar to one of the Hak5 devices, attached to your network, or somewhere physically on your devices, masquerading as a different type of device.
I thought so too, but:
1707274521041.png

So it says here that there is someone with over 112 APs, which at first got me paranoid that it was my neighbours, but the more I looked into what was going on in my network, the more I realized that these 112 APs are actually me. Look at my network interface...

1707274636626.png


Now I don't know about you guys, but this seems to me like something is a little screwed up here. The things that I currently have on my computer fundamentally changed the way I look at technology and just security in general.
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
This is "their" drive; no matter what I do, DFU firmware flash, you name it, this drive will stay, and it will not go away.

1707274823070.png

1707274947389.png


I have managed before to get disk3 almost entirely deleted, but the snapshot will never go away, no matter what I do.
Seems to me like there is a launch agent inside of com.apple.recoveryosd that recreates it.

As soon as /dev/disk3 is deleted, all of the files they need to "persist" go directly into disk0, and stay there until the operating system is reinstalled.

Do you guys constantly have a website that is open, even if you are offline, and type localhost into your browser that says this? Is this a feature that Mac has built in?
1707275254797.png
I'm currently in the bounty program or whatever, but I cannot explain what's happening in 800 characters. I need to write a multi-paragraph full explanation with videos and pictures etc., and I just haven't had the time in the past couple of days. I have to work, have a family, have dogs; life has to go on, as I'm sure you all know as well.
 

antiq25

macrumors newbie
Original poster
Feb 3, 2024
10
1
I'd be curious to see what Malwarebytes reports. It's free, and was recommended to me by Apple Support.

It focuses on malware that conventional anti-virus software struggles with, such as rootkit attacks.
I can record what this thing does to an antivirus scan; it's actually probably the most insane thing I've ever seen.

What happens is it creates a PLIST file specifically for Malwarebytes, or whatever antivirus is installed at the moment, which basically makes the antivirus skip over all of the files that would be triggered as malicious by the antivirus, and guess what? You have to give it permissions to create the helper, or the files themselves will NOT install. I can show you a video if you'd like.
 

startergo

macrumors 601
Sep 20, 2018
4,792
2,193
I thought so too, but:
So it says here that there is someone with over 112 APs, which at first got me paranoid that it was my neighbours, but the more I looked into what was going on in my network, the more I realized that these 112 APs are actually me. Look at my network interface...

Now I don't know about you guys, but this seems to me like something is a little screwed up here. The things that I currently have on my computer fundamentally changed the way I look at technology and just security in general.
Nothing wrong with this:
Code:
networksetup -listallhardwareports

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address:

Hardware Port: Wi-Fi
Device: en0
Ethernet Address:

Hardware Port: Thunderbolt 1
Device: en1
Ethernet Address:

Hardware Port: Thunderbolt 2
Device: en2
Ethernet Address:

Hardware Port: Thunderbolt 3
Device: en3
Ethernet Address:

Hardware Port: Thunderbolt 4
Device: en4
Ethernet Address:
I removed the addresses, but these are the interfaces with Ethernet addresses.
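As an added example (not code from this thread or from Apple), here is a small parser for the stanza format `networksetup -listallhardwareports` prints, as shown above, which inventories the interfaces and flags any hardware port whose name falls outside an assumed baseline of names macOS creates on its own (Wi-Fi, the Thunderbolt ports and the Thunderbolt Bridge, as in the post). The sample output, its MAC addresses and the extra "Example Adapter / en9" stanza are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the exact stanza layout of
# `networksetup -listallhardwareports`; the MAC addresses are made-up
# placeholders and the last stanza is constructed to exercise the check.
SAMPLE_OUTPUT = """\
Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: 00:00:00:00:00:01

Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:00:00:00:00:02

Hardware Port: Thunderbolt 1
Device: en1
Ethernet Address: 00:00:00:00:00:03

Hardware Port: Thunderbolt 2
Device: en2
Ethernet Address: 00:00:00:00:00:04

Hardware Port: Example Adapter
Device: en9
Ethernet Address: 00:00:00:00:00:09
"""

# Assumed baseline: port names Apple itself assigns on a Thunderbolt-equipped
# Mac. Adjust to the machine you are inventorying; it is not an official list.
EXPECTED_PORT_PREFIXES = ("Wi-Fi", "Thunderbolt")

STANZA_LINE = re.compile(r"^(Hardware Port|Device|Ethernet Address):\s*(.*)$")


def parse_hardware_ports(text: str) -> List[Dict[str, str]]:
    """Turn the blank-line-separated stanzas into one dict per interface."""
    ports: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes a stanza
            if "Device" in current:
                ports.append(current)
            current = {}
            continue
        m = STANZA_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if "Device" in current:               # last stanza without trailing blank
        ports.append(current)
    return ports


def unexpected_ports(ports: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return interfaces whose port name is outside the assumed baseline."""
    return [p for p in ports
            if not p.get("Hardware Port", "").startswith(EXPECTED_PORT_PREFIXES)]


if __name__ == "__main__":
    inventory = parse_hardware_ports(SAMPLE_OUTPUT)
    print(f"{len(inventory)} hardware ports listed")
    for p in unexpected_ports(inventory):
        print("outside baseline:", p["Hardware Port"], p["Device"])
```

Run it against a saved copy of the real command output to see how many of the "20 interfaces" are simply the Thunderbolt ports and bridge that every such Mac reports.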
 