Ransomware gang leaks data stolen from Colorado, Miami universities 3/24/2021
This week, the Clop ransomware gang started publishing screenshots of files stolen from Accellion FTA servers used by the University of Miami and the University of Colorado. In February, the University of Colorado (CU) disclosed that it had suffered a cyberattack in which threat actors stole data via the Accellion FTA vulnerability.
“While the full scope has not yet been determined, early information from the forensic investigation confirms that the vulnerability was exploited and multiple data types may have been accessed, including CU Boulder and CU Denver student personally identifiable information, prospective student personally identifiable information, employee personally identifiable information, limited health and clinical data, and study and research data,” CU’s data breach notification stated.
The Clop ransomware has begun to post screenshots of the stolen data, including university financial documents, student grades, academic records, enrollment information, and student biographical information.
At this time, the ransomware gang has only released a few screenshots for each University but will likely release more files in the future to pressure the victims to pay. https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-colorado-miami-universities/?&web_view=true
#IMOS21: The Critical Role of Culture in DevSecOps
Organizations should take the initiative to develop and maintain an effective DevOps culture from the top down; the CEO and the culture of the company set the tone for which DevSecOps strategies should be used. There should be consideration of the relationship between the different teams that collaborate and of how responsibilities are allocated. Building and gaining trust between the teams is most essential; the four key factors to consider are sincerity, reliability, competence, and care. By building this trusting relationship between the collaborating teams, DevSecOps can ensure a secure code stack, secure delivery, security governance, and security empowerment as the teams interact with security to acquire its knowledge.
US Retailers More Vulnerable to Web App Attacks Than EU Counterparts
Retailers in the US (calculated risk factor 35) are more vulnerable to web application attacks than EU retailers (calculated risk factor 31), as per a report by Outpost24. US retailers have a wider attack surface, since they run more publicly exposed web apps compared to EU retailers. However, EU retailers are running a higher number of applications with old components that have known vulnerabilities.
The three biggest attack vectors affecting both US and EU retailers were:
1) Security mechanisms – Use of HTTP websites and unrestricted access to unsecured/unencrypted areas of the site.
2) Active content – Scripts running on the websites
3) Degree of distribution – The difficulty of securing all product pages on large e-commerce sites.
My article this week is about the Verkada security camera hack, and what interested me most about the article is that the motivation of the attackers seemed to be focused on anti-capitalist activism. In this breach the attackers focused on gaining root access by finding a superuser’s account name and password exposed on the internet. They used the credentials to access the cameras and execute their own code to hijack the cameras and use them as a launch point for future hacks. They obtained root access via a built-in superuser feature of the camera software. While the methods for gaining access were not very sophisticated, the motivation seems to highlight a new type of activist hacker, where hacking occurs for a cause rather than for financial or reputational impact.
Zibai Yang says
New XcodeSpy Mac Malware Targets Software Developers
Unknown threat actors have used a recently discovered Mac malware to target software developers who use Apple’s Xcode integrated development environment.
Endpoint security company SentinelOne reported on Thursday that the malware, which it has named XcodeSpy, appears to deliver a custom variant of a backdoor known as EggShell, which allows its operators to spy on users. The backdoor can be used to upload and download files and capture data from the victim’s camera, microphone, and keyboard.
More recently, a piece of Mac malware named XCSSET was seen spreading through code injected into Xcode projects, with the payload being executed when the project was built. XCSSET allows its operators to launch ransomware attacks and steal data from victims. It was recently analyzed by researchers at Kaspersky, who discovered a variant designed to run on devices powered by Apple’s M1 chip.
https://www.securityweek.com/new-xcodespy-mac-malware-targets-software-developers
Jonathan Castelli says
WhiteHat Security, a wholly owned, independent subsidiary of NTT Ltd. and a world leader in application security, today released AppSec Stats Flash Volume 2. This article mentions that web applications are polymorphic, with many attack surfaces, which include web, mobile and API-based interfaces. This is making web application security a multi-dimensional challenge.
Within the report they had these findings:
Research indicated that at least 50 percent of applications in industries such as manufacturing, public services, healthcare, retail, education and utilities are vulnerable throughout the year due to one or more serious exploitable vulnerabilities.
Data analysis found as more industries pivot to become online-first, the Window of Exposure continues to remain abnormally high, leading to increased vulnerability.
Since last month, statistics showed a 5-day improvement in the 12-month rolling average time to fix critical applications, decreasing to 189 days from 194 days.
The February volume found that only five of WhiteHat’s ten most common risk detections are represented in the OWASP Top 10.
With so much risk, organizations have to be proactive with their detection and mitigation. For more information, you can listen to their podcast where they go over more details about the findings.
https://www.darkreading.com/application-security/whitehat-security-50–of-apps-are-vulnerable/d/d-id/1340214
Anthony Wong says
BlackRock is a banking trojan that is capable of stealing user data, intercepting and modifying SMS messages, hiding device notifications, and even locking the device’s screen. Recently, it has been hidden in a fraudulent Android application that mimics a popular iOS-only application called Clubhouse. Clubhouse is an invitation-only audio chat application that allows users to listen to conversations in real time. When the fake application is installed on the user’s device and the user tries to access another app such as Twitter, Facebook, or Netflix, an overlay appears requesting the user’s credentials. Once the credentials are submitted, the data is sent to the malware.
https://www.zdnet.com/article/fraudsters-jump-on-clubhouse-hype-to-push-malicious-android-app/
Vanessa Marin says
ZOOM! Yes, we use it every day at school, at work, with our mom, grandma, colleague, boss, etc. It’s insane how our dependency went from 25% to 100% in the span of ONE pandemic! 🙂 All sarcasm aside, however, Zoom has suffered a series of attacks since the pandemic hit. Given that my key takeaway from this week’s CH 8 Web App Security was on the SQL injection threats, I found this nifty little article on SQL injection attacks in ZOOM. The article is actually written by the person who FOUND the vulnerability and then kindly reported it to Zoom, causing Zoom to issue a patch release within 5 days for macOS and 7 days for Linux clients.
In the article, the author, Keegan Ryan, a PhD student, delves headfirst into the technical process of hunting down vulnerabilities in Zoom and uncovering this one, which “allowed a remote attacker to alter a victim’s settings, including camera privacy options” for Mac and Linux users.
There is a whole lot of technical mumbo jumbo that maybe one day in the future I will be able to understand, but for those who are well versed it is an interesting article that gives it to you from the attacker’s perspective.
https://medium.com/@keegan.ryan/patched-zoom-exploit-altering-camera-settings-via-remote-sql-injection-4fdf3de8a0d
Vanessa Marin says
There’s even a POC video that shows you just how the attacker would get into the Zoom meeting after the user has logged off. Creepy AF.
Pardon the acronym french.
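The SQL injection class this post refers to is easiest to see in a small worked example. The Python below is added here for illustration and is not code from the post, from Keegan Ryan's write-up or from Zoom; the `settings` table, the `rename_*` functions and the payload string are constructed for the demo and do not reflect Zoom's actual schema or the reported bug. It shows an update built by string concatenation, where one crafted display name rewrites every user's camera setting, beside the parameterized version, where the same input is stored as plain text:

```python
import sqlite3

# Constructed payload for the demo: closes the quoted name, adds a second
# SET clause and replaces the WHERE clause; "--" comments out the rest.
PAYLOAD = "x', camera_on = 0 WHERE 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a per-user settings store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE settings (user_id INTEGER PRIMARY KEY, "
        "display_name TEXT, camera_on INTEGER)"
    )
    conn.executemany(
        "INSERT INTO settings VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 1), (3, "carol", 0)],
    )
    conn.commit()
    return conn


def rename_vulnerable(conn: sqlite3.Connection, user_id: int, new_name: str) -> None:
    """Vulnerable form: the caller-supplied name is spliced into the statement,
    so the database parses it as SQL instead of storing it as data."""
    sql = (f"UPDATE settings SET display_name = '{new_name}' "
           f"WHERE user_id = {int(user_id)}")
    conn.execute(sql)
    conn.commit()


def rename_safe(conn: sqlite3.Connection, user_id: int, new_name: str) -> None:
    """Hardened form: placeholders keep the statement fixed; the driver binds
    the name as a value, so quotes and comment markers inside it are inert."""
    conn.execute(
        "UPDATE settings SET display_name = ? WHERE user_id = ?",
        (new_name, user_id),
    )
    conn.commit()


def snapshot(conn: sqlite3.Connection) -> list:
    """Return every row so the effect of each code path can be compared."""
    return conn.execute(
        "SELECT user_id, display_name, camera_on FROM settings ORDER BY user_id"
    ).fetchall()


def demo(payload: str = PAYLOAD) -> dict:
    """Apply the same input through both code paths and return both tables."""
    vuln = make_db()
    rename_vulnerable(vuln, 1, payload)
    safe = make_db()
    rename_safe(safe, 1, payload)
    return {"vulnerable": snapshot(vuln), "safe": snapshot(safe)}


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the vulnerable path every user ends up with `camera_on = 0` and the name `x`; with the parameterized path only user 1 is renamed, and the stored name is the literal payload string. The same discipline applies to any client-side SQLite store: an update built from remote-supplied text is a remote settings write waiting to happen.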
Ting-Yen Huang says
New CopperStealer Malware Hijacks Social Media Accounts
The CopperStealer malware attempts to steal the account passwords for Facebook, Instagram, Google, and other major service providers, according to Proofpoint. The stolen passwords are used to run malicious ads for profit and spread more malware. Researchers were first alerted to the malware sample in late January. The earliest discovered samples date back to July 2019. “CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks,” says Sherrod DeGrippo, senior director of threat research at Proofpoint. “These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”
https://www.darkreading.com/attacks-breaches/new-copperstealer-malware-hijacks-social-media-accounts/d/d-id/1340454
Zhen Li says
Which web browser attacks are the most severe?
Wenyao Ma says
TikTok Pays Out $11,000 Bounty for High-Impact Exploit
A researcher has earned over $11,000 from TikTok after disclosing several vulnerabilities in the TikTok app for Android. He discovered a couple of cross-site scripting (XSS) vulnerabilities, an issue related to starting arbitrary components, and a so-called Zip Slip archive extraction vulnerability. Chaining these vulnerabilities could have allowed an attacker to remotely execute arbitrary code on the targeted user’s Android device simply by convincing them to click on a malicious link. And it was enough for the victim to click on a link posted on a website or sent to their TikTok inbox.
If the victim has given the storage permission to the TikTok application, the exploit can access the files in storage. If bad people exploit this vulnerability, they may chain it with an Android vulnerability to take over the whole device, even if the TikTok app doesn’t have permission to do anything.
TikTok acted quickly and rolled out a temporary fix within a week and the researcher’s blog post contains proof-of-concept (PoC) code, as well as information on how TikTok addressed the vulnerabilities.
https://www.securityweek.com/tiktok-pays-out-11000-bounty-high-impact-exploit
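The Zip Slip bug class mentioned above comes from trusting archive entry names as file paths: an entry named with `../` components is written outside the directory the application meant to extract into. The Python below is an added illustration, not code from the researcher's write-up or from TikTok. It builds a constructed archive containing one benign entry and one traversal entry, then extracts it with the check a hardened extractor needs (every resolved target must remain a descendant of the destination directory), reporting which entries were written and which were refused:

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "must never be written outside dest")
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: str) -> dict:
    """Extract only entries whose resolved path stays inside dest."""
    dest_root = Path(dest).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names and leading separators are never acceptable.
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                rejected.append(name)
                continue
            target = (dest_root / name).resolve()
            # The core Zip Slip check: after normalising "..", the target
            # must still be a descendant of the destination directory.
            try:
                target.relative_to(dest_root)
            except ValueError:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return {"extracted": extracted, "rejected": rejected}


def run_demo() -> dict:
    """Extract the sample into a scratch directory two levels below a base
    directory and report whether the traversal entry reached the base."""
    base = tempfile.mkdtemp()
    dest = os.path.join(base, "a", "b")
    os.makedirs(dest)
    result = safe_extract(build_sample_archive(), dest)
    result["escaped_file_exists"] = os.path.exists(os.path.join(base, "outside.txt"))
    result["readme"] = Path(dest, "assets", "readme.txt").read_text()
    return result


if __name__ == "__main__":
    print(run_demo())
```

`Path.resolve()` also follows symlinks, so a link planted inside the destination by an earlier entry cannot redirect a later write; the `relative_to` comparison is made on the fully resolved path. The same check belongs in any code that extracts attacker-supplied archives, whatever the language or archive format.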
Anthony Messina says
RDP Attacks Persist Near Record Levels in 2021
Remote Desktop Protocol (RDP) became a hot target for cybercrime as businesses shifted to remote work due to the COVID-19 pandemic. A year later, the trend shows no sign of slowing. In the spring of 2020, when many organizations shut their office doors, attacks targeting RDP began to skyrocket: Kaspersky reported a spike from 93.1 million global RDP attacks in February to 277.4 million in March – a 197% increase, researchers note. The trend went up and down throughout the year but saw another significant jump as winter lockdowns were announced. By February 2021, Kaspersky reported 377.5 million brute-force attacks targeting RDP, underscoring a massive spike from the 91.3 million observed at the start of 2020. In some countries these attacks tripled, while in others they grew as much as 10 times, says Kaspersky researcher Maria Namestnikova. RDP has long interested attackers because it allows them to easily gain complete control over a machine, but their attacks have ramped up in the past year. Many of the attacks researchers are seeing against RDP are brute-force attacks. These require minimal effort from attackers, Namestnikova says, but remain effective because people continue to use simple passwords that can be brute-forced with several attempts. It’s worth noting that attackers may exploit vulnerabilities to target RDP, and Microsoft patched a number of remote desktop flaws in 2020. And RDP isn’t the only protocol in use; if a company uses other means of remote access, such as the VNC protocol, it will still be at risk. The attack vector, already popular, has become even more accessible in terms of the number of users and level of security. “The primary measure that you should take in your company if you use RDP is, firstly, to educate employees on how complex passwords should be,” she says. (The answer is very, and it is better to store them using password managers.) Namestnikova also advises using a corporate VPN for RDP access.
Further, RDP allows additional authentication before establishing a server connection, which organizations should be using. If they don’t use RDP, the protocol should be turned off. Now that criminals have identified RDP as an effective attack vector, it’s unlikely we’ll see these attacks ease up – especially as businesses decide to allow for remote work more often or full time. Both employers and employees are growing accustomed to this way of working, she adds.
https://www.darkreading.com/threat-intelligence/rdp-attacks-persist-near-record-levels-in-2021/d/d-id/1340444
Cami Chen says
A security researcher identified malware that targets Apple’s M1 processor. He found a Safari web browser extension called GoSearch22 on an antivirus testing platform, and this extension was an updated version of Pirrit. GoSearch22 focused on collecting information for ads to collect money from targeted pop-ups. Once the user installs GoSearch22, it bombards the user with ads, banners, surveys, and other nefarious promotions. The researcher also pointed out that the app was signed with an Apple developer ID in November last year. Although that ID had been revoked, the antivirus software could not detect GoSearch22 as malware. In the future, we will see much malware or ransomware targeting Apple’s new processors, such as the M1.
https://techxplore.com/news/2021-02-malware-apple-m1-based.html
Haozhe Lin says
“Cyber security attack reports surge by 65 percent in 2020”
The number of cybersecurity attacks being reported in New Zealand is on the rise, with nearly $17 million lost over the past year as a result. There were nearly 8000 reports of cybersecurity incidents last year, a 65 percent increase on the year before. Phishing and credential harvesting (where an attacker collects personal data) were the most reported form of attack and were up 76 percent in 2019. Next were scams and fraud reports, up 11 percent, and malware reports, up 8 percent. In total, $16.9m was lost to attackers – the most in a single year since CERT was launched. And while financial loss is the easiest impact of cyber attacks to quantify, there are others: reputational damage can be done, personal data can be lost, and operations can go down, causing their own financial blow.
https://www.rnz.co.nz/news/national/439011/cyber-security-attack-reports-surge-by-65-percent-in-2020
Priyanka Ranu says
Twitter Updates 2FA to Enable Use of Multiple Security Keys
Twitter announced that it has updated its two-factor authentication to allow users to enroll and log in with more than one physical key on both mobile and web. Previously, they only allowed the use of one key per account. They will also provide the option for users to add and use security keys as their only authentication method. This update will definitely enhance security and provide protection to accounts, as entering a password and code or a security key will ensure that only the authorized user can access their account.
https://www.infosecurity-magazine.com/news/twitter-2fa-security-keys/
Prince Patel says
https://securityintelligence.com/articles/application-security-developers-who-is-responsible/
Developers vs. Security: Who is Responsible for Application Security?
In the application development space, the tension between developers and IT security experts is not easing anytime soon. Each side blames the other for security risks in application security and other areas, but digital defense overall will suffer unless the two sides come together. Results from a recent GitLab survey underscore the issue: most security professionals lack faith in developers’ ability to write secure code, while most developers feel they lack proper guidance. What’s worse, many companies surveyed aren’t being serious enough about their defense.
What’s lacking most, however, is clarity. Within a typical group, there needs to be a more explicit consensus on who the onus of defense falls on at the end of the day.
There is work to be done. One-third of security respondents to GitLab’s survey expressed that they were on the hook for security, but almost as many (29%) felt that everyone was responsible. Others (21%) put the onus on developers, while 12% believe operations should be responsible.
Krish Damany says
Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail
Recently, a former IT contractor was sentenced to jail time for exploiting a 2-year-old Microsoft Exchange breach and deleting a majority of his former organization’s accounts. This caused the company to shut down for 2 days while it investigated the issue and the culprit. In the two years since the attack, the culprit left the United States and went to India. On January 11th, he returned to the US, only to be arrested. The sentence included 2 years in jail and restitution of over $500,000 to the organization affected by the attack. The culprit was let off easy, as the normal sentence would be 10 years.
https://threatpost.com/office-365-cyberattack-disgruntled-contractor-jail/164986/
Xinyi Zheng says
Purple Fox Malware Squirms Like a Worm on Windows
The malware campaign, dubbed Purple Fox, has been active since at least 2018 and the discovery of the new worm-like infection vector is yet another sign that consumer-grade malware continues to reap profits for cybercriminals.
According to Guardicore researcher Amit Serper, the Purple Fox operators primarily used exploit kits and phishing emails to build botnets for crypto-mining and other nefarious uses.
Now, the new SMB brute-force method is being combined with rootkit capabilities to hide and spread widely across internet-facing Windows computers with weak passwords.
“Throughout the end of 2020 and the beginning of 2021, Guardicore Global Sensors Network (GGSN) detected Purple Fox’s novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes,” Serper explained.
Serper said May 2020 saw a “significant amount of malicious activity” where the number of infections climbed by roughly 600% and amounted to a total of 90,000 attacks.
https://www.securityweek.com/purple-fox-malware-squirms-worm-windows
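The spreading technique summarized above (indiscriminate scanning plus weak-password SMB logons) leaves a recognizable trace on the targets: one source address producing failed network logons against many hosts, sometimes followed by a success. The following Python sketch is an added example, not code from the article or from Guardicore; it parses a constructed, simplified feed of Windows logon events (4625 = failed logon, 4624 = successful logon, logon type 3 = network, which is what an SMB authentication attempt produces) and flags sources whose failures span several targets, raising the severity when a success follows. The field layout, thresholds and sample addresses are assumptions for the example.

```python
"""
Detection sketch for a weak-credential SMB sweep: one source failing network
logons across many hosts. Added example; the simplified one-line event format
("timestamp event_id logon_type src_ip target user") is an assumption, not a
real Windows event layout.
"""
import re
from collections import defaultdict

# Constructed sample events (not real data): a sweep from 203.0.113.7 that
# eventually succeeds on srv05, a user mistyping a password, and a local logon.
SAMPLE_LOG = """\
2021-03-23T10:00:01Z 4625 3 203.0.113.7 srv01 administrator
2021-03-23T10:00:02Z 4625 3 203.0.113.7 srv02 administrator
2021-03-23T10:00:03Z 4625 3 203.0.113.7 srv03 administrator
2021-03-23T10:00:04Z 4625 3 203.0.113.7 srv04 admin
2021-03-23T10:00:05Z 4625 3 203.0.113.7 srv05 admin
2021-03-23T10:00:06Z 4624 3 203.0.113.7 srv05 admin
2021-03-23T10:01:00Z 4625 3 198.51.100.9 srv01 alice
2021-03-23T10:01:30Z 4625 3 198.51.100.9 srv01 alice
2021-03-23T10:02:00Z 4624 3 198.51.100.9 srv01 alice
2021-03-23T10:03:00Z 4624 2 192.0.2.20 srv02 bob
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d) (\S+) (\S+) (\S+)$")


def parse_events(text):
    """Turn the constructed log text into a list of event dicts; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, src, target, user = m.groups()
        events.append({
            "ts": ts,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "target": target,
            "user": user,
        })
    return events


def detect_smb_sweep(events, min_failures=5, min_targets=3):
    """Return {src_ip: finding} for sources whose failed network logons span
    at least min_targets distinct hosts; a later success from the same source
    on a swept host raises the severity to high."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        if e["logon_type"] != 3:   # only network logons (SMB and similar)
            continue
        if e["event_id"] == 4625:
            failures[e["src"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["src"]].add(e["target"])

    findings = {}
    for src, fails in failures.items():
        targets = {f["target"] for f in fails}
        if len(fails) < min_failures or len(targets) < min_targets:
            continue          # a single user mistyping a password is not a sweep
        compromised = sorted(targets & successes[src])
        findings[src] = {
            "failures": len(fails),
            "targets": sorted(targets),
            "users_tried": sorted({f["user"] for f in fails}),
            "success_after_failures": compromised,
            "severity": "high" if compromised else "medium",
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_smb_sweep(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

The two thresholds are deliberately separate: a count of failures alone also fires on one locked-out user, while the distinct-target count is what distinguishes a worm-style sweep across exposed hosts. Real deployments would read the fields from the Windows Security log (4625/4624 with LogonType 3 and the source network address) rather than from this constructed format.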
Austin Mecca says
https://www.techrepublic.com/article/report-5-ways-web-apps-suffered-in-2020-and-will-continue-to-suffer-in-2021/
The 2020-21 State of Web Application Security report was released by Radware, and the findings from it are somewhat alarming. 98% of respondents said their apps were subject to some kind of attack in 2020, while only 36% of mobile apps had integrated security. They mention only 27% trusting the security of the public cloud platform even though 70% have apps on that platform. In addition to this, due to a growing dependence on web-enabled apps, APIs are the future and attacks on them are seen as the most frequent attack vector going forward. All of the info in the article references back to there not being enough security, or a lack of quality in the security being used to protect web apps as well as mobile apps, and until this is resolved, organizations should be concerned with the health of their information systems and platforms.
Zhen Li says
Ransomware gang leaks data stolen from Colorado, Miami universities 3/24/2021
This week, the Clop ransomware gang started publishing screenshots of files stolen from Accellion FTA servers used by the University of Miami and Colorado. In February, the University of Colorado (CU) disclosed that they suffered a cyberattack where threat actors stole data via the Accellion FTA vulnerability.
“While the full scope has not yet been determined, early information from the forensic investigation confirms that the vulnerability was exploited and multiple data types may have been accessed, including CU Boulder and CU Denver student personally identifiable information, prospective student personally identifiable information, employee personally identifiable information, limited health and clinical data, and study and research data,” CU’s data breach notification stated.
The Clop ransomware has begun to post screenshots of the stolen data, including university financial documents, student grades, academic records, enrollment information, and student biographical information.
At this time, the ransomware gang has only released a few screenshots for each University but will likely release more files in the future to pressure the victims to pay.
https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-colorado-miami-universities/?&web_view=true
Mei X Wang says
#IMOS21: The Critical Role of Culture in DevSecOps
Organizations should take the initiative to develop and maintain an effective DevOps culture from the top down; the CEO and the culture of the company set the tone on what DevSecOps strategies should be used. There should be consideration of the relationship between the different teams collaborating and how responsibilities are allocated. Building and gaining trust between the teams is most essential; the four key factors to consider are sincerity, reliability, competence, and care. By building this trusting relationship between the collaborating teams, DevSecOps can ensure a secure stack of the code, secure delivery, security governance, and security empowerment as the teams interact with security to acquire its knowledge.
https://www.infosecurity-magazine.com/news/imos21-culture-in-devsecops/
Humbert Amiani says
US Retailers More Vulnerable to Web App Attacks Than EU Counterparts
Retailers in the US (calculated risk factor 35) are more vulnerable to web application attacks than EU retailers (calculated risk factor 31), as per a report by Outpost24. US retailers have a wider attack surface, since they run more publicly exposed web apps compared to EU retailers. However, EU retailers are running a higher number of applications with old components that have known vulnerabilities.
The three biggest attack vectors affecting both US and EU retailers were:
1) Security mechanisms – Use of HTTP websites and unrestricted access to unsecured/unencrypted areas of the site.
2) Active content – Scripts running on the websites
3) Degree of distribution – The difficulty of securing all product pages on large e-commerce sites.
https://www.infosecurity-magazine.com/news/us-retailers-vulnerable-web-app/
https://marketing.outpost24.com/mkg/whitepaper/2020-web-application-security-for-retail-ecommerce-report?utm_campaign=Download-Retail-Scout-Report-2020&utm_source=Referral&utm_medium=PR
Heather Ergler says
https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
My article this week is about the Verkada security camera hack, and what interested me most about the article is that the motivation of the attackers seemed to be focused on anti-capitalism activism. In this breach the attackers focused on gaining root access by finding a superuser’s account name and password exposed on the internet. They used the credential to access the cameras and execute their own code to hijack the cameras and to use them as a launch point for future hacks. They obtained root access via a built-in superuser feature of the camera software. While the methods for gaining access were not very sophisticated, the motivation seems to highlight a new type of activist hacker where hacking occurs for a cause rather than for financial or reputational impact.