Welcome to the Cobalt Security Newsletter. When you’re constantly inundated with security news, it can be hard to parse what’s important. We’re here to help you distill updates in the security space whether you’re a CISO, security analyst, or lead product developer. Explore hand selected resources on security trends, tools, new vulnerabilities, and more.
Security News and Trends
The Shayler malware, which Kaspersky stated as the “most common threat” to Macs, was accidentally notarized and approved to run on macOS, reports The Verge. The trojan downloader blasts victims with a surge of adware and appears as an Adobe Flash player update. Apple’s new notarization process, introduced in 2019, requires a developer to review and sign off on each application before running on the OS. Even the most sophisticated technology companies can fall victim to human error, proving change management is key when introducing new processes.
On September 3rd, the United States Ninth Circuit Court of Appeals ruled the National Security Agency’s (NSA) mass collection of phone calls as illegal, stated Techcrunch. The NSA began collecting calls, including whom an individual called and when, by pressuring phone providers using Section 215 of the USA PATRIOT Act. While originally deemed as a vital program to stop terrorist attacks, further congressional scrutiny determined the program had only aided in halting one.
Joe Sullivan, Uber’s former Chief Security Officer, has been charged by federal investigators in relation to Uber’s 2016 security breach, reports The New York Times. The charges levied against Sullivan stem from his attempts to cover up the breach that affected at least 57 million uses and his failure to disclose it to authorities. Sullivan faces up to eight years in prison.
Capital One has been fined with an $80 million penalty as a result of its enormous 2019 data breach, announced Reuters. The Office of the Comptroller of the Currency cites the lack of adequate effort to identify and manage risk as large technological resources and operations moved to the cloud. This included sub-par network security, insufficient prevention controls for data loss, and management shirking responsibility when issues were identified.
Advent, a Boston-based private equity firm, completed its purchase of Forescout on August 17, stated Dark Reading. Forescout, a platform that provides continuous security monitoring and mitigation, was purchased at $29.00 per share and valued at more than $1.16 billion. As part of its new subsidiary status, Forescout is now wholly owned by the Ferrari Merger Sub and will no longer be publicly traded on the NASDAQ dealer market.
Fastly will acquire Signal Sciences, both Los Angeles–based companies, for $775 million to increase the security of its content delivery networking services, detailed TechCrunch. Signal Sciences provides coverage against real threats and attack scenarios. The deal includes $200 million in cash and around $575 in stock shares. Fastly plans to use these services to better secure the connectivity of the applications and APIs under its purview.
Security Tools and Updates
Beginning September 1, TLS certificates will now be limited to a 398-day lifespan (compared to 825 days previously) for major web browsers, details The Hacker News. Popular browsers operators, such as Apple, Google, Mozilla, have come together to reject any public, rooted certificates that do not follow this new standard in bid to increase security. Experts recommend limiting certificates to 397 days and implementing certificate automation tools during the development process if possible.
Have I Been Pwned (HIBP), the online service that allows users to check if their information has been exposed by data breaches, will eventually make a shift to open source, announced Threatpost. After failed M&A efforts and lack of bandwidth, founder Troy Hunt will open the project up so other members of the community can contribute to the service, as well as to allay fears that the service is collecting search data. While a set timeline has not been announced, HIBP already utilizes multiple open-source technologies. Hunt hopes this will create a more sustainable future for the project.
MITRE has released its new active defense framework, Shield, as a publicly available resource that guides security professionals on how to counteract and engage with attackers, explains Dark Reading. The framework includes a matrix that details different tactics practitioners can use to respond to security incidents and hyperlinks the actual techniques on how to implement them. It also builds on MITRE’s ATT&CK framework by tying adversary behavior to its Shield defensive counterpart.
Slack desktop applications running versions 4.4 and below are vulnerable to a RCE bug that would give attackers full control of the application, explains Threatpost. The attack is accomplished through a chained exploit by posting an image containing a hidden HTML injection payload, which is then shared to public Slack users. Afterwards, if a victim opens the image the code will then be executed on their machine. Slack patched the bug back in February but recommends all users upgrade to the latest version as soon as possible.
Major Security Breaches and Incidents
Experian South Africa suffered a security breach that exposed the data of over 24 million individuals and business entities, announced The Hacker News. The company has made a statement that the attacker has been identified and that the compromised information has been deleted from their devices. It is believed the attacker was planning on selling the information as marketing leads to financial-related services. As a precautionary measure, Experian is urging customers and businesses to perform credit checks.
Brown-Forman Corporation, parent company of Jack Daniel’s, was hit by a ransomware attack but claims to have prevented an encryption of its exposed data, including employee information, explains Bloomberg. An anonymous individual asserted that unless a ransom is paid, a copied terabyte of data would be posted to a website linked to victims of the Sodinokibi ransomware. The ransomware, also called REvil, uses a distributed ransomware as a service model and emerged on the scene in 2019.
Intel suffered a data leak from its partner and customer resource center that exposed over twenty gigabytes of intellectual property, which included proprietary data and source code, announced Threatpost. The information was shared prior to public release via its Intel Resource and Design center. The majority of information was confidential and under NDA protection. It is believed the leak came from an individual with access to the files, highlighting the dangers of insider attacks.
The New Zealand stock exchange, NZX Ltd., was hit with five consecutives days of distributed denial of service (DDoS) attacks, reports Reuters. The attack began on August 25 and brought down its website for almost a week. Since the NZX was unable to publish market announcements for the first four days, it decided to halt trading in its cash markets, which further disrupted operations in its debt, shareholders, and derivatives markets. On the fifth day of the offshore attacks, trading was able to continue in light of continued attacks due to contingency measures promised by an agreement with the Financial Markets Authority.
CISA Vulnerability Bulletins
We hope you enjoyed this edition of the Cobalt security newsletter. If you have any suggestions on what you’d like to see, we’d love to hear from you. As always, stay safe and stay healthy!
Explore which web app security vulnerabilities can be found reliably using machines and which require human expertise to manually identify. Learn more in our 2020 State of Pentesting Report.