Supply chain attack targets iOS developers with XcodeSpy malware per Bleeping Computer
We love all the cool fun stuff Apple makes. To enable that creativity, Apple provides a free application development environment, Xcode, and developers freely share Xcode projects with each other. Collaboration is powerful: it saves time and money when you can reuse something already made. Over 2020 we saw more attackers tampering with code in online repositories, which becomes a supply chain attack when the tainted code is distributed by a trusted source.
SentinelOne researchers found a malicious version of the legitimate iOS "TabBarInteraction" Xcode project. It contained an obfuscated command that opens a remote shell back to the attackers and uses the EggShell backdoor. Apple devices have an established reputation for being secure, which comes with the expectation that associated apps and services will be too. For attackers, that inherent trust is a major opportunity: abuse it and you gain access.
Deception. Or, what you can’t see may hurt you. Steganography continues to evolve as an attack tactic: it lets attackers hide malicious code, or data they have stolen, inside media files. Hide in plain sight. There were two new developments this week.
In one, security researcher David Buchanan showed on Twitter how to hide MP3 audio files and ZIP archives inside PNG images, taking advantage of how Twitter handles PNG uploads. There are some limitations, but nothing a motivated attacker couldn’t work around.
In the other, researchers at Sucuri found Magecart attackers hiding the payment card data they had skimmed inside JPG files on the websites they had injected with malicious code. Magecart attacks are hard to detect unless you know where to look in the code and are actively watching for them. These attacks rose sharply over 2020, and Magento sites are a favourite target.
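As an added defender-side example (not code from the article or from the researchers it cites), the check below walks a PNG's chunk list to IEND and a JPEG's marker segments to EOI and reports any bytes appended after the end marker, one common way an image on a website ends up carrying an archive or a stash of skimmed records; it assumes a carrier built that way rather than one that hides data inside the image stream itself, and the sample images and appended payloads are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> int:
    """Walk the chunk list (checking CRCs); return the byte count after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                 # length + type + data + crc
        if end > len(data):
            raise ValueError("truncated chunk")
        if zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC in %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return len(data) - pos              # 0 for a clean file
    raise ValueError("no IEND chunk")

def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk marker segments to EOI (FF D9); return the byte count after it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return len(data) - pos - 2
        if marker == 0xFF or marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2   # fill byte / standalone marker
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                      # SOS: skip entropy-coded scan data
            while pos + 1 < len(data) and not (data[pos] == 0xFF
                    and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1                        # FF00 is a stuffed byte, FFD0-D7 are RSTn
    raise ValueError("no EOI marker")
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))
# Constructed samples: a 1x1 PNG and a bare JPEG marker skeleton, each with a carrier variant that has a fake ZIP header or skimmed record appended after the end marker.
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
CARRIER_PNG = CLEAN_PNG + b"PK\x03\x04" + b"\x00" * 26 + b"payload"
CLEAN_JPEG = b"\xff\xd8" + b"\xff\xe0\x00\x04\x00\x00" + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + b"\xff\xd9"
CARRIER_JPEG = CLEAN_JPEG + b"skimmed=constructed-sample-record"
```

Run it over the image directories of a site as a periodic integrity check; a non-zero result on a file that is served as an image is worth a look even when the image still renders.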