
Cobalt Security Newsletter

September 2020


Cobalt provides a Pentest as a Service (PtaaS) platform that is modernizing the traditional, static penetration testing model by providing streamlined processes, developer integrations, and on-demand pentesters. Our blog is where we provide industry best practices, showcase some of our top-tier talent, and share information that's of interest to the cybersecurity community.


Security Newsletter September

Welcome to the Cobalt Security Newsletter. When you’re constantly inundated with security news, it can be hard to parse what’s important. We’re here to help you distill updates in the security space whether you’re a CISO, security analyst, or lead product developer. Explore hand selected resources on security trends, tools, new vulnerabilities, and more.

Security News and Trends

The Shlayer malware, which Kaspersky has called the “most common threat” to Macs, was accidentally notarized and approved to run on macOS, reports The Verge. The trojan downloader poses as an Adobe Flash Player update and floods victims with adware. Apple’s notarization process, introduced in 2019, requires a developer to review and sign off on each application before it can run on the OS. Even the most sophisticated technology companies can fall victim to human error, proving that change management is key when introducing new processes.

On September 3, the United States Ninth Circuit Court of Appeals ruled that the National Security Agency’s (NSA) mass collection of phone call records was illegal, reports TechCrunch. The NSA began collecting call records, including whom an individual called and when, by pressuring phone providers under Section 215 of the USA PATRIOT Act. While originally deemed vital to stopping terrorist attacks, further congressional scrutiny determined the program had aided in halting only one.

Joe Sullivan, Uber’s former Chief Security Officer, has been charged by federal investigators in relation to Uber’s 2016 security breach, reports The New York Times. The charges levied against Sullivan stem from his attempts to cover up the breach, which affected at least 57 million users, and his failure to disclose it to authorities. Sullivan faces up to eight years in prison.

Capital One has been fined $80 million as a result of its enormous 2019 data breach, reports Reuters. The Office of the Comptroller of the Currency cites a lack of adequate effort to identify and manage risk as large technological resources and operations moved to the cloud. This included sub-par network security, insufficient data loss prevention controls, and management shirking responsibility when issues were identified.

Advent, a Boston-based private equity firm, completed its purchase of Forescout on August 17, reports Dark Reading. Forescout, a platform that provides continuous security monitoring and mitigation, was purchased at $29.00 per share, valuing it at more than $1.16 billion. As a subsidiary, Forescout is now wholly owned by Ferrari Merger Sub and will no longer be publicly traded on the NASDAQ.

Fastly will acquire Signal Sciences, both Los Angeles-based companies, for $775 million to strengthen the security of its content delivery network services, details TechCrunch. Signal Sciences provides coverage against real-world threats and attack scenarios. The deal includes $200 million in cash and around $575 million in stock. Fastly plans to use these services to better secure the applications and APIs under its purview.

Security Tools and Updates

Beginning September 1, newly issued TLS certificates are limited to a 398-day lifespan (down from 825 days) by major web browsers, details The Hacker News. Major browser vendors, including Apple, Google, and Mozilla, have come together to reject any publicly trusted certificate that does not follow the new limit, in a bid to improve security. Experts recommend limiting certificates to 397 days and, where possible, adopting certificate automation tools during the development process.
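A quick way to audit your own certificates against the 398-day limit, as an added example that is not from the newsletter or the cited article: the check below works on the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, applies the cutoff date, the 398-day hard limit and the 397-day recommendation described above, and runs against constructed sample validity periods (the `fetch_peer_cert` helper is for live use and needs network access).

```python
import socket
import ssl
from datetime import datetime, timezone

# Policy described above: certificates issued on or after 2020-09-01 may be
# valid for at most 398 days; 397 days is the recommended ceiling.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME_DAYS = 398
RECOMMENDED_DAYS = 397


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live host's leaf certificate in getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_lifetime_days(cert):
    """Validity period in days for a dict shaped like ssl.SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / 86400


def check_cert_lifetime(cert):
    """Classify a certificate against the 398-day browser policy.

    'legacy': issued before the cutoff, so the old 825-day limit applies.
    'rejected': over 398 days and issued after the cutoff; browsers refuse it.
    'over-recommended': exactly 398 days; accepted but above the 397-day advice.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    days = cert_lifetime_days(cert)
    if issued < POLICY_START:
        return "legacy"
    if days > MAX_LIFETIME_DAYS:
        return "rejected"
    if days > RECOMMENDED_DAYS:
        return "over-recommended"
    return "ok"


# Constructed sample certificates; only the validity fields matter for this check.
SAMPLE_CERTS = {
    "400-day": {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Oct 20 00:00:00 2021 GMT"},
    "398-day": {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Oct 18 00:00:00 2021 GMT"},
    "397-day": {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Oct 17 00:00:00 2021 GMT"},
    "pre-cutoff": {"notBefore": "Aug 01 00:00:00 2020 GMT", "notAfter": "Oct 01 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name}: {cert_lifetime_days(cert):.0f} days -> {check_cert_lifetime(cert)}")
```

To audit a real endpoint, pass `fetch_peer_cert("your.host.example")` to `check_cert_lifetime`; the classification applies the same rule browsers now enforce.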

Have I Been Pwned (HIBP), the online service that lets users check whether their information has been exposed in data breaches, will eventually shift to open source, reports Threatpost. After a failed acquisition effort and a lack of bandwidth, founder Troy Hunt will open the project up so that other members of the community can contribute to the service, and to allay fears that the service collects search data. While no timeline has been announced, HIBP already relies on multiple open-source technologies. Hunt hopes the move will create a more sustainable future for the project.

MITRE has released its new active defense framework, Shield, as a publicly available resource that guides security professionals on how to counteract and engage with attackers, explains Dark Reading. The framework includes a matrix of tactics practitioners can use to respond to security incidents and links each tactic to the techniques for implementing it. It also builds on MITRE’s ATT&CK framework by mapping adversary behavior to its Shield defensive counterpart.

Slack desktop applications at version 4.4 and below are vulnerable to an RCE bug that would give attackers full control of the application, explains Threatpost. The attack is a chained exploit: an image carrying a hidden HTML injection payload is posted and shared with other Slack users, and when a victim opens the image the code is executed on their machine. Slack patched the bug back in February and recommends that all users upgrade to the latest version as soon as possible.

Major Security Breaches and Incidents

Experian South Africa suffered a security breach that exposed the data of over 24 million individuals and business entities, reports The Hacker News. The company has stated that the attacker has been identified and that the compromised information has been deleted from their devices. The attacker is believed to have planned to sell the information as marketing leads to financial services firms. As a precaution, Experian is urging customers and businesses to perform credit checks.

Brown-Forman Corporation, parent company of Jack Daniel’s, was hit by a ransomware attack but claims to have prevented the encryption of its exposed data, including employee information, explains Bloomberg. An anonymous individual asserted that unless a ransom is paid, a copied terabyte of data would be posted to a website linked to victims of the Sodinokibi ransomware. The ransomware, also called REvil, uses a distributed ransomware-as-a-service model and emerged in 2019.

Intel suffered a data leak from its partner and customer resource center that exposed over twenty gigabytes of intellectual property, including proprietary data and source code, reports Threatpost. The information had been shared with partners prior to public release via the Intel Resource and Design Center, and most of it was confidential and under NDA. The leak is believed to have come from an individual with legitimate access to the files, highlighting the danger of insider threats.

The New Zealand stock exchange, NZX Ltd., was hit with five consecutive days of distributed denial of service (DDoS) attacks, reports Reuters. The attacks began on August 25 and took down its website for almost a week. Because NZX was unable to publish market announcements for the first four days, it halted trading in its cash markets, which further disrupted its debt, shareholders, and derivatives markets. On the fifth day of the offshore attacks, trading was able to continue despite the ongoing attacks, thanks to contingency measures agreed with the Financial Markets Authority.

CISA Vulnerability Bulletins

Vulnerability Summary for the Week of September 14, 2020

Vulnerability Summary for the Week of September 7, 2020

Vulnerability Summary for the Week of August 31, 2020

Vulnerability Summary for the Week of August 24, 2020

Vulnerability Summary for the Week of August 17, 2020

Vulnerability Summary for the Week of August 10, 2020

We hope you enjoyed this edition of the Cobalt security newsletter. If you have any suggestions on what you’d like to see, we’d love to hear from you. As always, stay safe and stay healthy!

Explore which web app security vulnerabilities can be found reliably using machines and which require human expertise to manually identify. Learn more in our 2020 State of Pentesting Report.
