More stories


    Stored XSS bug in Apple iCloud domain disclosed by bug bounty hunter

    A stored cross-site scripting (XSS) vulnerability in the iCloud domain has reportedly been patched by Apple. 

    Bug bounty hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, which is a stored XSS issue in icloud.com. 
    Stored XSS vulnerabilities, also known as persistent XSS, can be used to store payloads on a target server, inject malicious scripts into websites, and potentially be used to steal cookies, session tokens, and browser data. 
    According to Bharad, the XSS flaw in icloud.com was found in the Pages and Keynote features of Apple’s iCloud domain. In order to trigger the bug, an attacker needed to create a new Pages or Keynote document with an XSS payload submitted in the name field.
    This content would then need to be saved and either sent to or shared with another user. The attacker would then be required to make a change or two to the malicious content, save it again, and then open “Settings” and “Browse All Versions.”
    After clicking on this option, the XSS payload would trigger, the researcher said.  
    Bharad also provided a Proof-of-Concept (PoC) video to demonstrate the vulnerability. 
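    The bug class described above, as an added example rather than Apple’s code or the researcher’s PoC: a stored document name rendered into a “versions” list without output encoding, beside the encoded form. The document shape, field names and payload are assumptions constructed for illustration; the point is that the same stored payload executes in the first renderer and is merely displayed in the second.

```javascript
// Added example, not Apple's code: how a stored XSS payload in a
// user-controlled name field reaches the page, and how contextual HTML
// encoding prevents it. Document and version shapes are assumptions.

// Constructed sample: a document whose stored name carries a payload,
// later rendered for whoever opens the versions view.
const storedDocument = {
  name: '<img src=x onerror="alert(document.cookie)">',
  versions: [
    { id: 1, savedAt: '2020-08-07T10:00:00Z' },
    { id: 2, savedAt: '2020-08-07T10:05:00Z' },
  ],
};

// Vulnerable renderer: interpolates the stored name straight into HTML.
// Every user who opens the list executes the attacker's markup.
function renderVersionsVulnerable(doc) {
  return doc.versions
    .map(v => `<li>${doc.name} (version ${v.id}, saved ${v.savedAt})</li>`)
    .join('');
}

// Encode the five characters that change meaning in HTML text and
// quoted-attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened renderer: same layout, but untrusted fields are encoded for the
// HTML text context they land in. The payload is shown as text, not parsed.
function renderVersionsSafe(doc) {
  return doc.versions
    .map(v => `<li>${escapeHtml(doc.name)} (version ${v.id}, saved ${escapeHtml(v.savedAt)})</li>`)
    .join('');
}

// Regression check for a test suite or CI gate: every tag in the output must
// be one the template itself emits. Any other tag came from stored data,
// which means the encoding failed somewhere.
function hasUnexpectedTags(html, allowedTags = ['li']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map(m => m[1].toLowerCase());
  return tags.some(t => !allowedTags.includes(t));
}

// In a browser the equivalent fix is element.textContent = doc.name rather
// than element.innerHTML; both treat the stored name as data, not markup.
```

    The check at the end is deliberately template-aware: matching the payload string itself would miss any variant the attacker changes, whereas an allow-list of the tags the template is supposed to emit catches whatever leaks through.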

    The researcher disclosed the bug to Apple on August 7, 2020. The report was accepted and Bharad received a $5,000 financial reward for his efforts on October 9.
    Bug bounty programs, such as those offered by HackerOne and Bugcrowd, remain a popular method for external researchers to report security issues to technology vendors. In 2020 alone, Google paid bug bounty hunters $6.7 million for their reports. 
    ZDNet has reached out to Apple for comment and will update when we hear back.
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Chinese hackers cloned attack tool belonging to NSA’s Equation Group

    Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say. 

    On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by Kaspersky in 2015 and described as “one of the most sophisticated cyberattack groups in the world.”
    Thought to be active since at least 2001, Equation Group has since been linked to the US intelligence agency’s Tailored Access Operations (TAO) unit. 
    The Shadow Brokers hacking group released tools and files belonging to Equation Group in 2017, some of which were used to exploit previously-unknown bugs in popular systems including Microsoft Windows — forcing vendors to issue a flurry of emergency patches and fixes to render the exploit tools useless. 
    In the same year, Microsoft released a patch for CVE-2017-0005, a zero-day vulnerability in Windows XP to Windows 8 operating systems that could be used for privilege escalation and full system compromise.
    Originally, it was thought that a tool created to exploit CVE-2017-0005 was the work of a Chinese advanced persistent threat group (APT) dubbed APT31, also known as Zirconium.
    However, Check Point now says that the tool, called Jian, was actually a clone of software used by Equation Group and was being actively utilized between 2014 and 2017 — years before the vulnerability was patched — and was not a custom build by the Chinese threat actors. 

    According to the researchers, Jian is a clone of “EpMe,” which was also included in the 2017 Shadow Brokers “Lost in Translation” leak and was “repurposed” to attack US citizens. 
    “Both exploit versions for APT31’s “Jian” or Equation Group’s “EpMe” are intended for […] elevating the privileges of the attacker in the local Windows environment,” CPR says. “The tool is used after an attacker gains initial access to a target computer — say, via zero-click vulnerability, phishing email, or any other option — to give the attacker the highest available privileges, so they could “roam free” and do whatever they like on the already infected computer.”
    The team notes that Lockheed Martin reported CVE-2017-0005 to Microsoft, which they say is a “rather unusual” footnote in the investigation. 
    “To our knowledge, this is the only vulnerability they [Lockheed Martin] reported in recent years,” Check Point says. “It is possible that one of their clients, or even Lockheed Martin itself, was targeted by this actor.”
    It is believed that APT31 had obtained access to Equation Group’s exploit module in both its 32- and 64-bit versions. The researchers cannot be sure how the exploit was acquired by the Chinese APT, but it may have been captured during an Equation Group attack on a Chinese target. Alternatively, the tool may have been stolen while Equation Group was present on a network also being monitored by APT31, or during a direct attack by APT31 on Equation Group systems.
    The investigation into Jian also exposed a module containing four privilege escalation exploits that were part of Equation Group’s DanderSpritz post-exploitation framework. 
    Two of the exploits in the framework, dating back to 2013, were zero-day flaws. One of the exploits was EpMe, whereas another, dubbed “EpMo,” appears to have been quietly patched in May 2017 by Microsoft as a follow-up fix in response to the Shadow Brokers leak but was not assigned a CVE. The remaining code names are EIEi and ErNi.
    This is not the only example of a Chinese APT stealing and repurposing Equation Group tools. In another case documented by Symantec in 2019, APT3 “Buckeye” was linked to attacks using Equation Group tools in 2016, prior to the Shadow Brokers leak. 
    While Buckeye appeared to dissolve in mid-2017, the tools were used until 2018 — but it is not known whether or not they were passed on, or to whom.
    Update 17.55 GMT: A Lockheed Martin spokesperson told ZDNet:

    “Our cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties. Leveraging our Intelligence Driven Defense approach, we have responsibly reported more than 100 zero-day vulnerabilities to multiple vendors over the past six years.”



    30,000 Macs infected with new Silver Sparrow malware

    Image: Heye Jensen
    Security researchers have spotted a new malware operation targeting Mac devices that has silently infected almost 30,000 systems.

    Named Silver Sparrow, the malware was discovered by security researchers from Red Canary and analyzed together with researchers from Malwarebytes and VMware Carbon Black.
    “According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany,” Red Canary’s Tony Lambert wrote in a report published last week.
    But despite the high number of infections, details about how the malware was distributed and infected users are still scarce, and it’s unclear whether Silver Sparrow was hidden inside malicious ads, pirated apps, or fake Flash updaters, the classic distribution vectors for most Mac malware strains these days.
    Furthermore, the purpose of this malware is also unclear, and researchers don’t know what its final goal is.
    Once Silver Sparrow infects a system, the malware simply waits for new commands from its operators. No such commands arrived during the time the researchers analyzed it, hoping to learn more of its inner workings prior to releasing their report.
    But this shouldn’t be interpreted as a failed malware strain, Red Canary warns. It is possible that the malware is capable of detecting researchers analyzing its behavior and is simply avoiding delivering its second-stage payloads to those systems.

    The large number of infected systems clearly suggests this is a very serious threat and not just some threat actor’s one-off tests.
    Silver Sparrow supports M1 chips
    In addition, the malware also comes with support for infecting macOS systems running on Apple’s latest M1 chip architecture, once again confirming this is a novel and well-maintained threat.
    In fact, Silver Sparrow is the second malware strain discovered that can run on M1 architectures after the first was discovered just four days before, showing exactly how cutting-edge this new threat really is.
    “Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Lambert warned in his report.
    “Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
    The Red Canary report contains indicators of compromise, such as files and file paths created and used by the malware, which can be used to detect infected systems.


    RMIT claims 'significant progress' in bouncing back from Friday's IT outage

    Melbourne’s RMIT University has said significant progress has been made in restoring its systems, following reports on Friday the university had fallen victim to a phishing attack.
    “RMIT has made significant progress in restoring access to many of the IT systems that were affected by an outage last week,” an RMIT spokesperson said on Monday.
    “On-campus classes are proceeding as scheduled and we look forward to welcoming students to a range of orientation activities on campus this week.”
    RMIT staff will continue to work remotely to “make it easier for restoration activities to continue at pace”, however.
    RMIT took to Twitter on Thursday at 9:45pm AEDT to inform students its IT services team was working to resolve issues that had impacted access to some of the university’s supported applications and systems. 
    The university on Friday morning had cancelled in-person classes. RMIT said this would allow it to resolve the issues as quickly as possible and ensure students were still provided with access to the systems they need. 

    Following reports the outage was a result of a “significant cyber attack”, RMIT said on Friday at 5pm AEDT there was no evidence to suggest a breach.
    “From the analysis undertaken to date, which has been independently validated, there is currently no evidence to suggest any data breaches as a result of these issues,” it said.
    “RMIT staff will continue to work remotely, with access to critical systems including Office 365 and Canvas.”
    More to come


    Dell opens global innovation facility in Singapore

    Dell Technologies has established an innovation facility in Singapore that focuses on research and development (R&D) work in key digital transformation technologies, including edge computing, data analytics, and augmented reality. The result of a three-year investment totalling $50 million, it is the company’s first such facility to be built outside the US. 
    It also houses a team dedicated to enhancing user experience, according to Dell’s president of Asia-Pacific Japan and global digital cities, Amit Midha. Of the total investment, $23 million alone will be invested this year. 
    The facility also accommodates Dell’s existing R&D work in Singapore that is responsible for the company’s global design and development work for product categories that include monitors and client peripherals. In addition, it encompasses a hardware prototyping lab focused exclusively on product design, including the development of artificial intelligence (AI) technologies. 

    Speaking to media in the lead up to the hub’s official launch Monday, Midha said more than 160 new roles would be added by year-end to support the innovation hub, including designers and developers, with most of the positions currently already filled. These new hires would push R&D initiatives for the vendor’s customers and partners across the globe. 
    Pointing to Dell’s goal of creating technologies that “drive human progress”, he said key investment areas for the Singapore facility would be in line with the company’s focus areas comprising 5G, edge, data management, hybrid cloud, AI and machine learning, and cybersecurity. 
    “The world needs technology now more than ever,” he added. “In encouraging the adoption of digital solutions and new technologies, strengthening our product and process innovation system, and engaging the talent pipeline, we believe we are paving the path for a more resilient, progressive, inclusive, and sustainable economy.” 
    Dell earlier this month launched a skills accelerator programme in Singapore, offering to equip 3,000 students, fresh graduates, and mid-career professionals over the next two years with skills in cloud computing, data protection, data science, and big data analytics. The scheme encompassed two separate programmes, including a partnership with Singapore Management University that would see more than 1,000 of the school’s undergraduates experience cloud-native technologies and content as part of their curriculum. A five-week training programme also would be offered to 1,000 employees of Dell’s local partners and customers that had enrolled in Singapore’s SGUnited Traineeship or Mid-Career Pathways programme. 

    Asked what challenges companies currently faced in their efforts to innovate, Midha said the COVID-19 pandemic had expanded every organisation’s remote workforce. It underscored the need to figure out how innovation could be facilitated while employees worked from home or remotely, he noted. 
    This was where collaboration and digital tools came into play, he said. He added that companies also would need to establish the right policies and culture to drive innovation in the new work environment and enable colleagues to build on each other’s ideas.


    Brazilian firms fail to increase security spend through Covid-19

    Most Brazilian companies have not increased their investments in information and cyber security since the Covid-19 pandemic emerged despite an increase in threats, according to a new study on perceptions of cybersecurity risk in Latin America since the start of the crisis.
    According to the survey, carried out by consulting firm Marsh on behalf of Microsoft, 84% of organizations failed to boost their security spend since March 2020, even though 30% of those polled saw an increase in malicious attacks as a consequence of the novel coronavirus crisis, with phishing and malware being the most frequent types of occurrences.
    Despite the increase in security threats, 56% of the Brazilian companies polled currently invest 10% or less of their IT budget in cybersecurity. According to the study, 52% of Brazilian organizations said investment in security has not changed since the start of the pandemic.

    In terms of employee practices around security, only 23% of the Brazilian organizations that took part in the study said their workforce is using company-provided equipment to work. At a regional level, 70% of Latin American organizations allowed their employees to use their personal devices following the shift to remote working.
    According to the study this significantly increased exposure to some type of cyber incident, but remote access security is a priority for only 12% of respondents and the second item on the list for 7% of respondents.
    Only a quarter of the Latin American companies surveyed increased their cyber security budgets after the pandemic, while 26% increased their data protection budget. Moreover, only 17% of organizations in Latin America have insurance against cyber threats.
    “Many results found in this analysis are really worrying, such as the low rates of companies with insurance against cyber risks and security investment”, said Marta Schuh, cyber risks superintendent at Marsh Brazil.

    “Now that companies are more exposed to remote work and the use of personal devices, it is worrying that few companies have increased their cybersecurity budget after the pandemic and some have even reduced this investment, despite the notable increase in cyber attacks”, she added. The study follows the news of massive data leaks in Brazil, which have emerged over recent weeks.


    Experian challenged over massive data leak in Brazil

    After receiving feedback from Experian over a massive data leak in Brazil, São Paulo state consumer rights foundation Procon described the company’s explanations as “insufficient” and said it is likely that the incident was initiated in a corporate environment.
    Procon notified the credit information multinational following the emergence of a leak that exposed the personal data of more than 220 million citizens and companies, which is being offered for sale on the dark web. Security firm PSafe discovered the incident, which exposed all manner of personal details, including information from Mosaic, a consumer segmentation model used by Serasa, Experian’s Brazilian subsidiary.

    Following the emergence of the leak in January, Procon notified the credit bureau, and asked the company for a confirmation of the incident, and an explanation of the reasons that caused the leak, the steps taken to contain it, how it will repair the damage to consumers impacted and the measures taken to prevent it from happening again.
    “No hypothesis has been ruled out, and at the moment we consider it is more likely that the leak came from inside companies rather than hackers,” said Procon’s executive director Fernando Capez, adding that Experian’s feedback prompts more questions than answers. The explanations from the company will be analyzed by the board of the consumer rights body, and a fine may be applicable if any wrongdoing becomes evident.
    According to Procon, Experian stated that all its activities involving personal data comply with Brazilian data protection regulations, and that processing of such data can legally serve several purposes. That part of the answer was insufficient, the consumer rights body said, since “there is no legal basis for the treatment and use of data in an indiscriminate manner”, and that includes data of deceased individuals, also exposed in the leak.
    In addition, Procon noted that Serasa Experian did not specify the technical and organizational measures adopted to implement its data protection policy. Moreover, the company reinforced what it had said in a statement released last week in its response to the notification, that there is no evidence that credit data has been illegally obtained from its Brazilian subsidiary. The company also argued that there is no evidence that its technology systems had been compromised.
    In relation to the risk mitigation policy Serasa Experian applies in such circumstances, Procon said the company only stated that a “comprehensive information security program” is currently in place. Regarding damage repair to consumers, Serasa Experian stated that its website has instructions on what to do in case of fraud. Procon’s stance is that this is a preventive measure rather than a reparative action.

    Contacted by ZDNet, Serasa Experian did not respond to requests for comment on Procon’s response to its feedback. The agency’s demands for answers follow calls from the Brazilian Institute for Consumer Protection (IDEC) for urgent measures to investigate and punish those responsible for exposing the population’s data, as well as improved citizen information and transparency.


    Zero Trust is not a security solution. It’s a strategy

    One of the top challenges and misunderstandings that I continue to see is what the definition of Zero Trust actually is. Zero Trust is not one product or platform; it’s a security framework built around the concept of “never trust, always verify” and “assuming breach.” Attempting to buy Zero Trust as a product sets organizations up for failure. 


    Vendors would have you believe that the security solution, platform, or widget they are selling is Zero Trust and that you can just purchase their solution to address your needs. This is false. Vendors enable Zero Trust; they are not Zero Trust itself.  
    There Is No Easy Button To Zero Trust 
    Starting down the path of Zero Trust is complicated. It’s difficult to figure out where to start, so we’ve established a handy guide on how to practically enable Zero Trust from an implementation standpoint. Don’t buy into vendor hype that you can purchase something and immediately be Zero Trust. That’s not the reality of the situation. 
    Organizations need to build a strategy to get to a Zero Trust architecture that encompasses more than technology and buzzwords. One example is the Zero Trust eXtended (ZTX) ecosystem which, at a bare minimum, requires: 

    Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps. 

    Mapping the output of this maturity assessment to the ZTX framework to understand what pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve. 

    Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects. 

    Zero Trust Is A Security Framework, Not An Individual Tool Or Platform 
    ZTX is an ecosystem with both technology and non-technology pieces. Protecting the perimeter and other prior security strategies didn’t easily adapt to change because they were designed around monolithic point solutions that didn’t integrate with each other. Zero Trust, however, is designed to be in a state of continuous review and optimization. 
    The fluid, integrated nature of Zero Trust is designed to easily adapt to business changes. Organizations need to be cautious about vendor messaging, dive into details about vendor offerings, and call them out when the technology they’re pitching seems too good to be true. 
    Ask the vendor you’re considering where the capability they’re describing fits in the ZTX ecosystem. If they can’t describe it, it’s a very clear sign that they don’t understand Zero Trust. Security vendors need to update their messaging to reflect the reality that Zero Trust is a journey that’s different for every organization and stop advertising Zero Trust as a product that can be bought. By selling their solutions as Zero Trust easy buttons, they continue to set their customers up for failure by perpetuating this false paradigm. 
    Zero Trust isn’t a race; it’s a continuous journey

    While Zero Trust continues to be marketed as the cool new thing, at the end of the day we need to ground ourselves. Zero Trust is the new normal. COVID-19 has significantly changed the way we work and forced a lot of organizations to accelerate their digital transformation and security strategies. Take a second to see if these security solutions are the real deal by scrutinizing how they fit into the different pillars of the ZTX ecosystem and, most importantly, your organization’s overall Zero Trust strategy. They should be helping to enable organizations reach Zero Trust while improving the employee experience and should not be just another security tool that gets in the way of doing business. 
    This post was written by Analyst Steve Turner, and it originally appeared here.