Cybersecurity Weekly: Apple flaws, Azure vulnerabilities, hackers buying network access

October 13, 2020 by Sam Fay

Fifty-five new security flaws were reported in Apple software and services. Researchers find vulnerabilities in Microsoft Azure cloud service. Security staff are being forced to upskill in their own time. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. Fifty-five new security flaws reported in Apple software and services

A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity. The flaws meant a bad actor could easily hijack a user’s iCloud account and steal all the photos, calendar information, videos and documents, in addition to forwarding the same exploit to all of their contacts.


2. Researchers find vulnerabilities in Microsoft Azure cloud service

Two security flaws in Microsoft’s Azure App Services could have enabled a bad actor to carry out server-side request forgery attacks or execute arbitrary code and take over the administration server. This would have allowed an attacker to quietly implant malicious phishing pages through Azure Portal to target system administrators.

3. Ransomware gangs can buy network access in cyberattack shortcut

For prices ranging between $300 and $10,000, ransomware groups have the opportunity to easily buy initial network access to already-compromised companies on underground forums. Researchers warn this opportunity gives groups like Maze or Sodinokibi the ability to more easily kickstart ransomware attacks across various industries.


4. Security staff are being forced to upskill in their own time

With the skills gap widening, security workers aren’t able to fully develop their skills at work and are instead turning to development training in their free time. For example, around half of employees (48%) have committed time before and after work to improve their skills, with 20% also training themselves on weekends, according to a recent report.


5. Hackers targeting IoT devices with a new P2P botnet malware

Cybersecurity researchers took the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform malicious tasks and illicit cryptocurrency coin mining. The HEH Botnet spreads via a brute-force attack of the Telnet service on ports 23/2323 and can execute arbitrary shell commands.


6. New MosaicRegressor malware found active in the wild

Last week, cybersecurity researchers spotted a rare kind of malware that targets a machine’s booting process to drop persistent malware. The campaign involved the use of a compromised UEFI containing a malicious implant, making it the second known public case where a UEFI rootkit has been used in the wild.


7. Unknown hackers targeted the U.S. Census Bureau network

In its first-ever Homeland Threat Assessment report, released last week, the U.S. Department of Homeland Security said that unknown threat actors have targeted the U.S. Census network during the last year. The report mentions multiple instances in which unknown threat actors tried to gain access to systems on the U.S. Census network.


8. Fitbit gallery can be used to distribute malicious apps

A security researcher discovered malicious apps for Fitbit devices can be uploaded to the legitimate Fitbit domain and users can install them from private links. Using social engineering, hackers could take advantage of this and trick users into adding apps to obtain the wealth of personal information typically collected from Fitbit device sensors or the phone.


9. Ransomware gang now using critical Windows flaw in attacks

Microsoft warned about cybercriminals who have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoing attacks from cyber-espionage group MuddyWater in the second half of September. Over the years, the actor has been involved in attacks delivering a wide variety of malware.


10. Sam’s Club customer accounts hacked in credential stuffing attacks

Over the past two weeks, Sam’s Club started sending automated password reset emails and security notifications to customers who were hacked in credential-stuffing attacks. In emails sent out to Sam’s Club members, the company is alerting members that an unauthorized party may have gained access to their accounts.