Silver Sparrow malware found on 30,000 Macs has security pros stumped

Researchers have yet to observe delivery of any payload from a new piece of malware dubbed Silver Sparrow, leaving its purpose unknown. This suggests that it may spring into action once a condition is met. Silver Sparrow comes with a mechanism to completely remove itself, a capability typically reserved for high-stealth operations, and it runs natively on the new M1 chip. It also uses the macOS Installer JavaScript API to execute commands, which makes it difficult to analyze. The malware has been found in 153 countries, with concentrations in the US, UK, Canada, France, and Germany, and researchers are watching carefully for further developments.

(Ars Technica)

SolarWinds hackers stole source code for Microsoft Azure, Exchange, Intune

Microsoft on Thursday said it had concluded its probe into the SolarWinds hack, finding that the attackers downloaded some source code but that there is no evidence they abused its internal systems to target other companies or gained access to production services or customer data. The cases involved downloading component source code for small subsets of Azure, Intune and Exchange components. Microsoft called the attack a “moment of reckoning” that furthers the need to proactively embrace a zero-trust mentality.

(The Hacker News)

New hack lets attackers bypass MasterCard PIN by using it as Visa card

Research published by academics from ETH Zurich, building on their earlier PIN bypass attack against Visa cards, shows how to use a victim’s stolen or lost Mastercard EMV-enabled credit card without knowledge of the PIN, and even fool the terminal into accepting inauthentic offline card transactions. The attack, dubbed “card brand mixup,” takes advantage of the fact that a contactless point-of-sale terminal does not properly authenticate the card’s application ID, making it possible to present a Mastercard card to the terminal as a Visa card and complete a Visa and a Mastercard transaction simultaneously with the one card. In response, Mastercard has already rolled out countermeasures.

(The Hacker News)

Sequoia Capital, one of Silicon Valley’s most notable VC firms, told investors it was hacked

Sequoia Capital told its investors on Friday that some personal and financial information may have been accessed by a third party after one of its employees fell victim to a successful phishing attack, although it has not yet seen any evidence of compromised information being traded or exploited on the dark web. The company did not provide a date for the attack, describing it only as “recent.” Sequoia Capital has more than $38 billion in assets under management, and in the past has invested in Airbnb, DoorDash, 23andMe, FireEye, and Carbon Black. It does not appear that the hack was connected to SolarWinds.

(Business Insider)

Thanks to our episode sponsor, PlexTrac

PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real-time. Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs!

White hat hacker earned $5,000 reporting a stored XSS flaw in iCloud.com

The vulnerability resides in the Pages and Keynote applications hosted on iCloud. To exploit the issue, the hacker, Vishal Bharad, created a new document and presentation and entered an XSS payload into its name field, then shared a link to it with the targeted user. The attack was completed by tricking the targeted user into accessing the “Browse All Versions” feature from the “Settings” menu, where the stored name was rendered into the page unescaped.
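The bug class above is a stored XSS: an attacker-controlled document name is saved server-side and later written into a page (here the version list) without encoding. The following is an added example, not Apple’s code or the reporter’s payload, showing the vulnerable rendering pattern beside its hardened form; the document names, the CSS class and the function names are all constructed for illustration.

```python
from html import escape

# Constructed document names. The third is the shape of payload a stored-XSS
# probe would drop in a name field (illustrative, not the reporter's payload).
DOCUMENT_NAMES = [
    "Q1 Budget",
    "Roadmap & Plans",
    '<img src=x onerror="alert(document.domain)">',
]


def render_versions_unsafe(names):
    """Vulnerable: untrusted names are concatenated straight into the markup,
    so any tag in a name becomes live HTML in the viewer's browser."""
    items = "".join(f"<li title='{n}'>{n}</li>" for n in names)
    return f"<ul class='versions'>{items}</ul>"


def render_versions_safe(names):
    """Hardened: every untrusted value is HTML-encoded for the context it lands
    in. quote=True also encodes ' and " so the title attribute cannot be
    broken out of."""
    items = "".join(
        f"<li title='{escape(n, quote=True)}'>{escape(n, quote=True)}</li>"
        for n in names
    )
    return f"<ul class='versions'>{items}</ul>"


def injected_tags(html, payload):
    """True if the raw payload survived into the output as markup."""
    return payload in html


if __name__ == "__main__":
    payload = DOCUMENT_NAMES[2]
    print("unsafe leaks payload:", injected_tags(render_versions_unsafe(DOCUMENT_NAMES), payload))
    print("safe leaks payload:  ", injected_tags(render_versions_safe(DOCUMENT_NAMES), payload))
```

The fix is context-aware output encoding at render time, not input filtering on the name field; the name may be displayed in several places (list items, attributes, titles) and each needs the encoding appropriate to that context.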

(Security Affairs)

Google Alerts being used to push fake Adobe Flash updater

Threat actors are creating fake stories with titles containing popular keywords that Google Search then indexes. Once indexed, Google Alerts notifies people who are following those keywords through its Alert service. When visiting the fake stories using a Google redirect link, the visitor will be redirected to the threat actor’s malicious site. This past weekend, Bleeping Computer observed these fake news stories redirecting to a new campaign that states that a user’s Flash Player is outdated and provides a link to install an updater, which in fact downloads malware called “One Updater.”

(Bleeping Computer)

Malformed URL prefix phishing attacks spike 6,000%

Researchers from GreatHorn report that the attacks replace the second forward slash in a URL prefix with a backslash, changing https:// to https:/\ , a variation that is often ignored by humans and email scanning tools alike, while browsers still resolve the link to the attacker’s site. The researchers reported they first noticed this new tactic last October, and said that it has been quickly gaining momentum ever since, with attacks between January and early February spiking by 5,933 percent.
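Why the trick works: WHATWG-conformant browsers treat a backslash as a forward slash for the special schemes (http, https), so https:/\evil.example/path loads exactly as https://evil.example/path, but a scanner matching on the literal string https:// never sees it. The added example below (not GreatHorn’s tooling; the sample messages and hostnames are constructed) finds the malformed prefix in message text and normalizes each hit the way a browser would, so the real destination host can be fed to existing reputation checks.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages for demonstration (not real phishing mail).
SAMPLE_MESSAGES = [
    "Your mailbox is full. Restore access: https:/\\login-example.test/reset?u=123",
    "Weekly report attached, dashboard at https://intranet.example.test/reports",
    "Confirm your account: http:/\\secure-example.test\\verify",
]

# An http(s) scheme followed by "/\" instead of "//", then the rest of the URL.
MALFORMED_PREFIX = re.compile(r"\bhttps?:/\\[^\s<>'\"]+", re.IGNORECASE)


def normalize_url(raw):
    """Rewrite the URL the way browsers parse it: for http/https every
    backslash is treated as a forward slash (WHATWG URL parsing)."""
    return raw.replace("\\", "/")


def find_malformed_urls(text):
    """Return (raw, normalized, host) for each URL using the https:/\\ prefix."""
    hits = []
    for m in MALFORMED_PREFIX.finditer(text):
        raw = m.group(0)
        fixed = normalize_url(raw)
        host = urlsplit(fixed).hostname or ""
        hits.append((raw, fixed, host))
    return hits


def scan_messages(messages):
    """Map message index -> hits, for messages that contain at least one."""
    results = {}
    for i, msg in enumerate(messages):
        hits = find_malformed_urls(msg)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan_messages(SAMPLE_MESSAGES).items():
        for raw, fixed, host in hits:
            print(f"message {idx}: {raw!r} -> {fixed} (host {host})")
```

The lesson for detection engineering is to canonicalize before matching: extract candidate URLs with a permissive pattern, normalize them as the client will, and only then apply blocklists or domain-age checks. Python’s own urlsplit does not apply the backslash rule, which is why the example normalizes explicitly first.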

(source)

Tracker pixels in emails are now an ‘endemic’ privacy concern

An analysis performed by the email service Hey discovered that two-thirds of emails sent to its users’ private email accounts contained a “spy pixel.” Also known as tracking pixels or web beacons, these are invisible image files as small as a single pixel that are inserted in the content body of an email. When the email is opened, the tracking pixel is fetched from a marketer’s server, which can record when and how many times the email was opened, the IP address (and hence the approximate location) of the reader, and details of the device used. Although this is not a new tactic, it is quickly growing. It is possible to prevent tracking pixels from triggering by disabling automatic image loading in your email client or web browser, or by installing email and browser add-ons that block trackers.
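A beacon only works because the mail client fetches a remote image; that gives a defender something concrete to look for. The added example below (not Hey’s code; the sample newsletter, hostnames and heuristics are constructed for illustration) parses an HTML email body and flags remote images that are 1x1 or hidden by CSS, the two common tracking-pixel shapes, while ignoring inline cid: images that cannot phone home.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body (not real marketing mail).
SAMPLE_HTML = """
<html><body>
<p>Hi, here is our newsletter.</p>
<img src="https://cdn.example.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.test/o.gif?id=abc123" width="1" height="1" style="display:none">
<img src="cid:inline-image-1" width="1" height="1">
<img src="https://track.example.test/p.png?u=42" style="width:0;height:0;border:0" />
</body></html>
"""


def _dimension(value):
    """Parse '1', '1px' or '0' into an int; None if absent or not numeric."""
    if value is None:
        return None
    v = value.strip().lower().removesuffix("px")
    return int(v) if v.isdigit() else None


def looks_like_beacon(attrs):
    """Heuristic: tiny (<= 1x1) or hidden via inline style."""
    w = _dimension(attrs.get("width"))
    h = _dimension(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    hidden = any(tok in style for tok in ("display:none", "visibility:hidden", "width:0", "height:0"))
    return tiny or hidden


class PixelFinder(HTMLParser):
    """Collects the src of every remote <img> that looks like a beacon."""

    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Inline (cid:) or data: images are embedded in the mail; no fetch, no tracking.
        if not src.lower().startswith(("http://", "https://")):
            return
        if looks_like_beacon(a):
            self.pixels.append(src)


def find_tracking_pixels(html):
    """Return the URLs of suspected tracking pixels in an HTML mail body."""
    p = PixelFinder()
    p.feed(html)
    return p.pixels


def tracker_hosts(html):
    """Distinct hosts contacted by suspected pixels, for blocklisting."""
    return sorted({urlsplit(u).hostname for u in find_tracking_pixels(html)})


if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_HTML):
        print("suspected beacon:", url)
    print("hosts:", tracker_hosts(SAMPLE_HTML))
```

The heuristic is deliberately loose; a full-size hero image served from a tracking domain is just as much a beacon, which is why clients that block all remote image loads by default are the more robust control, and this kind of parser is best used to surface which senders and hosts are doing it.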

(ZDNet)