Armed with iOS 0days, hackers indiscriminately infected iPhones for two years, Google throws bug bounty bucks at mega-popular third-party apps, How MuleSoft patched a critical security flaw and avoided a disaster, Jack Dorsey’s Twitter account got hacked, Attackers are exploiting vulnerable WP plugins to backdoor sites, and much more! We then talk with Larry Alston, who is the GM of Cloud at Tufin. He will be talking about developing and enforcing security policies in the cloud.
Visit https://www.securityweekly.com/hnn for all the latest episodes!
To learn more about our sponsors visit: The Security Weekly Sponsor’s Page
Security News: September 3, 2019
- Armed with iOS 0days, hackers indiscriminately infected iPhones for two years – This is amazing: The 14 vulnerabilities comprised seven flaws in the Webkit package used by Safari, five bugs in the iOS kernel, and two flaws that escaped a browser sandbox that attempts to keep untrusted code from interacting with sensitive parts of the OS. At least one of the five chains was still a zeroday when Project Zero discovered it early this year. The Google researchers reported those flaws to Apple on February 1 with a seven-day deadline for Apple to fix before Google publicly disclosed them. Apple responded with an unscheduled update six days later. “It feels like the amount of effort that went into the exploits is very significant,” said Charles Holmes, a managing principal research consultant who focuses on mobile security at Atredis partners. “Maintaining capabilities off of the last three years of iOS and a combination of hardware devices and firmware—a lot of time and effort went into that. My gut feels like some nation was behind maintaining that capability.”
- Google throws bug bounty bucks at mega-popular third-party apps – In a post from the Android Security & Privacy team’s Adam Bacchus, Sebastian Porst, and Patrick Mutchler , the company said that it’s throwing the security net over not just its own apps, but over all uber-popular third-party software – as in, apps that have more than 100 million installs…This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.
- How MuleSoft patched a critical security flaw and avoided a disaster | ZDNet – This is a snippet of a serious vulnerability disclosure, and even though it required extra work from customers, the way Mulesoft handled it was awesome: Everyone running an on-site Mule engine or API Gateway was getting a call to check if they received and read the email. Furthermore, Sarid said that MuleSoft had taken an unprecedented step of seeking out and talking to each company’s security and DevOps departments, and not just secretaries or sales representatives. They were taking this security flaw very seriously. They wanted their message to reach the proper person in each organization, and they wanted to make sure companies installed the patches. But they didn’t stop here. MuleSoft also scheduled a second wave of calls after companies installed the patches, verifying that customers followed through, and passing on additional mitigation advice.
- Jack Dorsey’s Twitter account got hacked | ZDNet – Some insights into what happened: A Twitter user also pointed out that the source of all the unauthorized tweets was CloudHopper, a company Twitter acquired in 2010. CloudHopper allows users to send out tweets using SMS messages. It’s unclear if hackers breached the old CloudHopper infrastructure, or if they SIM swapped Dorsey’s real phone number to interact with his account via SMS.
- Attackers are exploiting vulnerable WP plugins to backdoor sites – Help Net Security – This campaign has been targeting a number of known vulnerabilities since we began tracking it, and new vulnerabilities are added to the list of targets as they’re discovered. Of particular note is a recently disclosed flaw in the Bold Page Builder plugin. On August 23rd, NinTechNet released a warning that a vulnerability had been discovered in the plugin and had been under attack since the previous day. The Wordfence firewall’s built-in XSS protection detected attacks against this vulnerability as early as August 20th.
- USBAnywhere Bugs Open Supermicro Servers to Remote Attackers – Authentication vulnerabilities in the baseboard management controllers (BMCs) of Supermicro X9-X11 servers have been discovered that allow a remote attacker to easily connect to a server and mount any virtual USB device of their choosing. The bugs, collectively dubbed USBAnywhere, allow an attacker to obtain credentials for the BMCs. Once obtained, an attacker can then perform a range of USB-based attacks against the server remotely, including data exfiltration, booting from untrusted OS images or direct manipulation of the system via a virtual keyboard and mouse, according to researchers at Eclypsium.
- Meet Domen, a New and Sophisticated Social Engineering Toolkit | SecurityWeek.Com – Sounds more like clickjacking: The basic premise is to compromise a website, usually WordPress, and use that to display an overlay (loaded as an iframe) on the viDomensitors’ screens. The overlay entices visitors to install an update that really downloads the NetSupport RAT. In this it is very similar to the Fake Updates campaign described in April 2018. The campaign also has some similarities to the EITest and HoeflerText social engineering scheme reported in January 2017. In that instance, the malware payload was the ad fraud malware known as Fleercivet; but the campaign was later observed spreading the Spora ransomware.
Expert Commentary: Larry Alston, Tufin
Alston has held senior and executive management roles at Teradata, Altisource, FuseSource, IONA, and Excelon. As Tufin champions the adoption of security policy management in the cloud, Alston is responsible for all aspects of Tufin’s cloud-native business.
Developing and enforcing security policies in the cloud.
- We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand