Friday Five 11/12
Apple fixes a macOS zero day, Microsoft warns of HTML smuggling phishing attacks, and more - catch up on the infosec news of the week with the Friday Five!
1. Jen Easterly Wants Hackers to Help US Cyber Defense by Graham Hacia
The Cybersecurity and Infrastructure Security Agency's (CISA) Jen Easterly continues to make the rounds. Fresh off a seemingly nonstop series of Cybersecurity Awareness Month summits, she joined the World Economic Forum and WIRED's RE:WIRED event this week. Graham Hacia recapped Easterly's chat with WIRED's Garrett Graff, which largely centered around the challenges the United States faces on the cybersecurity front and how CISA is going to help the country play defense. Easterly remains the optimist: “I’m an optimist but I'm more optimistic than I’ve ever been about how we can work together, in the government, as a team sport and with the private sector as trusted partners.”
2. Google warns of hackers using macOS zero-day flaw to capture keystrokes, screengrabs by Liam Tung
Feels like this one slid under the radar a bit: Google’s Threat Analysis Group disclosed this week that it reported a nasty zero-day vulnerability, since patched, in macOS to Apple that was being used by a nation state group to spy on users in Hong Kong. The bug took advantage of an XNU privilege escalation vulnerability in macOS Catalina. Once a user navigated to a website, it could install a backdoor and siphon up data on the user, including the device fingerprint. It could also capture screenshots, upload/download files, record audio and keystrokes, and execute terminal commands. While it's unlikely you or any of your friends would have been targeted - Google says the websites used included a "media outlet and a prominent pro-democracy labor and political group," so pretty niche stuff - it’s still great to learn the story behind the patch. Those interested in learning more about the vulnerability, like its exploit chain and IOCs, should head to Google's TAG blog for the write-up.
3. Microsoft warns of surge in HTML smuggling phishing attacks by Bill Toulas
Microsoft sounded the alarm this week around an uptick in malware campaigns leveraging HTML smuggling, in which HTML5 and JavaScript are used to hide malicious payloads in attachments and webpages. As soon as someone stumbles across a rigged website or opens a rigged attachment, the browser opens the HTML, runs the embedded script and fetches the payload, bypassing mitigations like web proxies and email gateways that only inspect what crosses the network. The attacks have been dropping a cocktail of malware on machines, including the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot. Previously Microsoft saw the technique in attacks associated with the Nobelium hacking group, formerly Solorigate, Microsoft's name for the Russian group behind the SolarWinds hack. To prevent the attacks, defenders will want to follow Microsoft's advice by implementing behavior rules and potentially blocking or auditing activity associated with HTML smuggling.
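One way a mail gateway or SOC could audit HTML attachments for the client-side reassembly behavior described above, as an added example that is not Microsoft's or the original post's code (the indicator list, weights and threshold are assumptions for illustration, and the sample documents are constructed):

```python
# Heuristic scanner for HTML-smuggling indicators in mail attachments.
# Added example; indicator list and weights are assumptions, not a vendor rule set.
import base64
import re
from dataclasses import dataclass, field

# Script API calls typically used to reassemble a smuggled payload in the browser
# and hand it to the user as a download. Matched against lowercased, whitespace-stripped HTML.
INDICATORS = {
    "atob(": 2,              # base64-decode an embedded payload
    "newblob(": 2,           # build the file client-side ("new Blob(" with spaces removed)
    "createobjecturl(": 2,   # expose the Blob as a downloadable URL
    "mssaveoropenblob": 2,   # legacy IE/Edge save-file API
    "download=": 1,          # anchor download attribute (also legitimate on normal pages)
    ".download=": 1,         # download attribute set from script
    ".click()": 1,           # auto-trigger the download with no user gesture
}
# A long unbroken base64 run suggests the payload itself is embedded in the HTML.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    embedded_blob: bool = False

def analyze_html(html: str) -> Verdict:
    """Score one HTML document; a higher score is more smuggling-like."""
    v = Verdict()
    flat = re.sub(r"\s+", "", html.lower())  # defeat trivial casing/spacing tricks
    for needle, weight in INDICATORS.items():
        if needle in flat:
            v.hits.append(needle)
            v.score += weight
    if BASE64_RUN.search(html):
        v.embedded_blob = True
        v.score += 2
    return v

def is_suspicious(html: str, threshold: int = 5) -> bool:
    return analyze_html(html).score >= threshold  # gateway decision: quarantine/audit above threshold

# Constructed samples, not real attachments; the "payload" is just 200 'A' bytes.
BENIGN_SAMPLE = '<html><body><a href="q3.pdf" download="q3.pdf">Report</a></body></html>'
FAKE_B64 = base64.b64encode(b"A" * 200).decode()
SMUGGLING_SAMPLE = f"""<html><body><script>
var data = atob("{FAKE_B64}");
var blob = new Blob([data], {{type: "text/plain"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.txt"; a.click();
</script></body></html>"""
```

A single `download=` attribute on a normal page scores below the threshold, so the rule flags the combination of decode, Blob assembly and auto-click rather than any one API.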
4. Google Wins Dismissal of Data Privacy Suit by U.K. Top Court by Ellen Milligan
If you're interested in the machinations of the court system as they pertain to data protection, you've likely already heard this news: Google won a bid this week to dismiss a data privacy lawsuit stemming from a claim that it breached its data collection duties by collecting and using data 10 years ago, from 2011 to 2012. As Bloomberg reports, the UK Supreme Court said Google couldn't be hit with a class action suit. In the eyes of the court, the individuals would have to show that they suffered damage. “In order to recover compensation for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that individual suffered some damage as a result.” The news could help set a precedent for future class action lawsuits.
5. How Facebook’s Outage Could Shape Public Preferences on Cybersecurity Policy by Lauren Sukin, Kathryn Hedgecock
Following its global outage a few weeks ago, Facebook went on the record and insisted it was the result of an internal DNS outage. While the downtime wasn't the result of hackers or anything overtly malicious, this Lawfare piece suggests that the company could have used the outage to better outline the important role that cybersecurity plays. Because Facebook and its sister services like Instagram and WhatsApp are so immensely popular, the authors posit the public could be more attuned to cybersecurity issues and data privacy if Facebook used the outage as a means to prioritize a discussion around vulnerabilities. This, in turn, could help sway public opinion when it comes to the regulation of cyberspace and policy solutions.