Cyber Security Headlines – August 18, 2020

Trend Micro finds Mac malware in Xcode projects

Researchers at Trend Micro published a report detailing malware that had been injected into Xcode projects. The XCSSET malware family uses two zero-day vulnerabilities affecting Safari. The first exploits a flaw in Data Vault to read the information in Safari's cookie files. The second bypasses the user authentication Safari normally requires and performs malicious operations in an unsandboxed Safari instance. Together these let the malware inject JavaScript-based backdoors into displayed pages through a Universal Cross-Site Scripting (UXSS) attack. The researchers also found that XCSSET includes a ransomware module that encrypts data. So far the malware has been found in only two Xcode projects, but the researchers warn it could spread as developers share code or pull compromised repositories in as dependencies for other projects.


Chrome to warn of insecure forms

Starting in version 86, Google's Chrome browser will warn users when a form on an HTTPS page would submit its contents over a plain HTTP connection. Such mixed forms let an attacker on the network path read or modify the submitted information, because the page was delivered securely but the submission is not. Chrome will disable autofill for mixed forms and display red warning text below the input field stating that the form is not secure. Google had previously said Chrome 86 would also block mixed-content downloads.

(Bleeping Computer)
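For the Chrome item above, the following added example (not Chrome's or Google's code) shows the rule the browser is applying: a form is "mixed" when the page is https: but the form's action, resolved the way a browser resolves it, ends up http:. Relative, empty and protocol-relative actions inherit the page's scheme and are therefore fine; only an absolute http: action trips the warning. The checkout page URL and the HTML are constructed for illustration, and the tag-matching regexes are a small stand-in for a real HTML parser.

```javascript
// Added example (not Chrome's or Google's code): detecting the "mixed form"
// condition Chrome 86 warns about, i.e. a form on an https: page whose
// submission target resolves to http:. Runs under Node.js; the sample page
// and HTML below are constructed for illustration.

// Resolve a form's action the way a browser does: relative to the page URL.
// A missing or empty action submits back to the page itself.
function resolveFormTarget(pageUrl, action) {
  const base = new URL(pageUrl);
  if (typeof action !== "string" || action.trim() === "") {
    return base;
  }
  return new URL(action.trim(), base);
}

// A form is "mixed" when the page was delivered over https: but the resolved
// submit target is http:. The data then crosses the network in cleartext, so
// an on-path attacker can read or alter it despite the padlock on the page.
function isMixedForm(pageUrl, action) {
  const page = new URL(pageUrl);
  const target = resolveFormTarget(pageUrl, action);
  return page.protocol === "https:" && target.protocol === "http:";
}

// Pull <form> tags out of raw HTML and classify each one. The regexes are a
// deliberately small substitute for a real HTML parser (assumption: well-formed
// tags), enough to show the rule being applied to each form on a page.
function findMixedForms(pageUrl, html) {
  const formTag = /<form\b([^>]*)>/gi;
  const actionAttr = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const results = [];
  let m;
  while ((m = formTag.exec(html)) !== null) {
    const a = actionAttr.exec(m[1]);
    const action = a ? (a[1] || a[2] || a[3] || "") : "";
    results.push({
      action,
      target: resolveFormTarget(pageUrl, action).href,
      mixed: isMixedForm(pageUrl, action),
    });
  }
  return results;
}

// Constructed sample: an https: checkout page with four forms. Only the first
// is mixed; the relative, empty and protocol-relative actions all inherit https:.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_HTML = `
<form action="http://shop.example/submit" method="post"><input name="card"></form>
<form action="/submit" method="post"><input name="card"></form>
<form method="post"><input name="card"></form>
<form action='//legacy.example/pay'><input name="card"></form>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const r of findMixedForms(SAMPLE_PAGE, SAMPLE_HTML)) {
    console.log(r.mixed ? "MIXED" : "ok   ", r.target);
  }
}
```

Run it with `node mixedforms.js` to see one MIXED line and three ok lines. The fix on the site side is the same in every case: point the action at an https: URL (or drop the scheme and host so it inherits the page's), and make sure the receiving endpoint actually serves HTTPS rather than redirecting back to HTTP.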

Security breach numbers decrease, but severity increases in 2020

Researchers at Risk Based Security report that in the first half of 2020, organizations publicly disclosed 2,037 data breaches, the lowest number since 2014 and down 52% year over year. According to Inga Goddijn, EVP of Risk Based Security, the decrease may reflect fewer organizations publicly disclosing breaches rather than fewer breaches, and despite the lower count, H1 2020 saw a record 27 billion records exposed. The researchers found that three breaches accounted for 84% of those exposed records.

(Dark Reading)

Canadian government accounts hacked

Canada's GCKey is an online portal used by over 30 federal departments to give the public access to their services. The Treasury Board of Canada Secretariat announced that the usernames and passwords of 9,041 GCKey account holders had been compromised in an attempt to fraudulently access government services. Of the affected accounts, 5,500 belonged to the Canada Revenue Agency. The Treasury Board suspended access to all impacted accounts, and an investigation into potential privacy breaches is ongoing.

(Security Week)

COVID tracking app contained AWS access keys in code

A student at Albion College found that the school's COVID-19 tracking and data-gathering app, Aura Sequential Testing, contained hardcoded Amazon Web Services access keys in its code. Anyone who extracted the keys from the app could use them to reach the backend data stores and virtual machines, which hold student COVID-19 test results and medical insurance information. The student warned that bots routinely scan the iOS and Android app stores for hardcoded credentials, and said she had twice warned the app's developer about the keys. An update to the Android app on August 13th removed them.

(The Register)
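The bots the student mentions do little more than the following added example, which is not the app's, the college's or AWS's code. It scans text pulled out of an app package (decompiled source, `strings` output, config files) for the two halves of an AWS credential: the access key ID, which has a fixed and easily matched shape, and the secret key, which is just 40 base64-style characters and so is only reported when the same line names it as a secret. The input is a constructed snippet resembling a decompiled config class, and the credential values in it are the placeholder keys from AWS's own documentation, not live keys.

```javascript
// Added example (not the app's, Albion College's or AWS's code): a minimal
// scanner for hardcoded AWS credentials in text extracted from an app package.
// Runs under Node.js. The sample input below is constructed; its key values are
// the placeholders used in AWS documentation, not live credentials.

// Access key IDs have a fixed shape: a 4-letter prefix (AKIA for long-term IAM
// user keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
const ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g;

// Secret access keys are 40 base64-style characters with no prefix, so a bare
// match would also hit ordinary hashes and tokens. The run must be bounded by
// non-base64 characters, and the line must mention "secret" to be reported.
const SECRET_CANDIDATE = /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g;
const SECRET_CONTEXT = /secret/i;

// Never log a full credential, even one you are reporting as leaked.
function mask(value) {
  return value.slice(0, 4) + "..." + value.slice(-4);
}

// Returns one finding per suspected credential: 1-based line number, what it
// looks like, and a masked value for the report.
function scanForAwsKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(ACCESS_KEY_ID)) {
      findings.push({
        line: i + 1,
        kind: m[0].startsWith("ASIA") ? "temporary access key id" : "access key id",
        value: mask(m[0]),
      });
    }
    if (SECRET_CONTEXT.test(line)) {
      for (const m of line.matchAll(SECRET_CANDIDATE)) {
        findings.push({ line: i + 1, kind: "possible secret access key", value: mask(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample resembling a decompiled Android config class. The
// BUILD_HASH line is there to show that a long hex digest is not flagged.
const SAMPLE_SOURCE = `
// constructed sample resembling a decompiled config class; values are the
// placeholder credentials from AWS documentation, not live keys
public class AwsConfig {
    static final String REGION = "us-east-2";
    static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String BUILD_HASH = "3f786850e387550fdab836ed7e6dc881de23001b1a2b3c4d";
}
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanForAwsKeys(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.kind} ${f.value}`);
  }
}
```

Two points for anyone who finds a hit with a scanner like this. First, shipping an update that deletes the key does not revoke it: older builds of the app remain downloadable and the key keeps working until it is deactivated and rotated in IAM. Second, a long-term access key should not be in a mobile app at all, since anything in the package is readable by every user; the app should talk to a backend that holds the credentials, or obtain short-lived, scoped credentials at runtime.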

Emotet botnet went dark for six months thanks to killswitch

The Emotet botnet has been around since 2014 but seemingly went dark from February through early August this year. James Quinn of Binary Defense has now revealed that this was caused by a killswitch he created, called EmoCrash, which exploited a buffer overflow in Emotet's installation routine. The killswitch stopped working when Emotet's developers pushed a core loader update that removed the registry-value handling code the buffer overflow depended on.

(Threat Post)

FireEye opens bug bounty program to the public

The cybersecurity company FireEye announced that its bug bounty program is now open to the public. The program had previously been invite-only, and it focuses on the security of the business applications and corporate infrastructure behind FireEye's services and domains. The program pays up to $2,500 for critical vulnerabilities.

(CISO Magazine)

Advent International closes on Forescout acquisition

The private equity firm Advent International announced that it has closed its acquisition of Forescout Technologies. The deal was originally announced in February. Forescout's Michael DeCesare will continue to serve as president and CEO of the now wholly owned subsidiary.

(Dark Reading)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.