Cybersecurity Weekly: Competing bug bounties, Disney+ password reuse attack
Google offers up to $1.5 million for Pixel Titan M exploits in 2020. A hacker offers $100,000 for corporate secrets. Disney+ suffers a password reuse attack less than a week after launch. All this, and more, in this week’s edition of Cybersecurity Weekly.
Phishing simulations & training
1. Google offering up to $1.5 million for Pixel Titan M exploits
According to Google, it paid out over $4 million for more than 1,800 reported vulnerabilities since the launch of its Android Security Rewards program in 2015. In the past year, payouts totaled over $1.5 million and the highest single reward paid out in 2019 was just over $161,000. Google plans to increase its investment into this program in 2020.
Read more »
2. Data-enriched profiles on 1.2 billion people exposed in gigantic leak
An open Elasticsearch server exposed the rich profiles of more than 1.2 billion people to the open internet. If accessed by cybercriminals, the data, which includes several accounts tied to each individual, could be used for highly effective, targeted phishing attacks, business email compromise and identity theft.
Read more »
3. DDoS-for-Hire boss gets 13 months jail time
A 21-year-old Illinois man was sentenced to 13 months in prison last week for running multiple DDoS-for-hire services that launched millions of attacks over several years. In just the first 13 months of the 27-month long conspiracy, users of the hacker’s tools ordered approximately 4 million DDoS attacks.
Read more »
4. Hacker offers $100,000 for leaks of corporate secrets
A phishing campaign is underway which states that your password will expire unless you login and confirm that you want to keep it the same. Once the victim clicks on the "Keep same password" link, they will be brought to a generic mail server login page. With these credentials, hackers can perform BEC scams or password reuse attacks.
Read more »
5. Android camera app bug lets apps record video without permission
A new vulnerability has been found in the camera apps for millions, if not hundreds of millions, of Android devices that could allow other apps to record video and take pictures without the required permissions.This vulnerability is known to affect the Google Camera and Samsung Camera apps if they have not been updated since July 2019.
Read more »
6. Ransomware bites 400 veterinary hospitals
A California veterinary company is still working to recover from a ransomware attack late last month that affected more than half of its 700 animal care facilities, separating many veterinary practices from their patient records, payment systems and practice management software. The company said it expects to be fully operational within the next week.
Read more »
7. Disney+ credentials land in dark web hours after service launch
Stolen user accounts for the new Disney+ streaming service appeared on Dark Web sites just hours after it went live on November 12. Researchers found credentials for sale in the underground for $3 to $11 per account as attackers took advantage of users who share their accounts. Some victims were locked out of their accounts entirely.
Read more »
8. Official Monero site hacked to distribute cryptocurrency-stealing malware
On November 18, an anonymous hacker quietly replaced legitimate Linux and Windows binaries available for download with malicious versions designed to steal funds from users’ wallets. This was revealed on Monday after a Monero user spotted that the cryptographic hash for binaries he downloaded from the official site didn’t match the hashes listed on it.
Read more »
9. T-Mobile discloses data breach affecting prepaid wireless customers
T-Mobile’s U.S. branch disclosed a security breach that, according to the company, impacted a small number of customers of its prepaid service. Exposed data included name, billing address, phone number and account number, but did not include any financial information, social security numbers or passwords.
Read more »
Phishing simulations & training
10. Macys.com Magecart attack yields payment, personal info
Hackers accessed macys.com’s “Checkout” and “My Wallet” pages early last month and added malicious script to steal shoppers’ personal information, such as credit card data. The company discovered the hack on October 15 when it observed a suspicious connection between macys.com and a remote website, the company said in a data breach notification.
Read more »
In this Series
- Cybersecurity Weekly: Competing bug bounties, Disney+ password reuse attack
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
