Cybersecurity Weekly: Industrial VPN flaws, Zoom bug, New side-channel attacks
Industrial VPN flaws let attackers target critical infrastructures. A new Zoom bug allowed snoopers to crack private meeting passwords in minutes. A new attack leverages HTTP/2 for effective remote timing side-channel leaks. All this, and more, in this week’s edition of Cybersecurity Weekly.
Phishing simulations & training
1. Industrial VPN flaws let attackers target critical infrastructures
Cybersecurity researchers discovered critical vulnerabilities in industrial VPN implementations primarily used to provide remote access to operational technology networks. These flaws could allow hackers to overwrite data, execute malicious code and compromise industrial control systems.
Read more »
2. Zoom bug allowed snoopers to crack private meeting passwords in minutes
Zoom meetings are by default protected by a six-digit numeric password, but the lack of rate limiting enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people's private Zoom meetings. The company addressed this vulnerability by issuing a patch shortly after discovery.
Read more »
3. New attack leverages HTTP/2 for effective remote timing side-channel leaks
Security researchers outlined a new technique that renders a remote timing-based side-channel attack more effective regardless of the network congestion. The new method leverages multiplexing of network protocols and simultaneous execution by applications, thus making the attacks immune to network conditions.
Read more »
4. Office 365 phishing abuses Google Ads to bypass email filters
An Office 365 phishing campaign abused Google Ads to bypass secure email gateways, redirecting victims to phishing landing pages and stealing their Microsoft credentials. The domains used by Google's Ads platform are overlooked by secure email gateways, which allows them to deliver their phishing messages to their targets' inboxes bypassing email filters.
Read more »
5. KDE archive tool flaw let hackers take over Linux accounts
A vulnerability exists in the default KDE extraction utility—called ARK—that allows attackers to overwrite files or execute code on victim's computers simply by tricking them into downloading an archive and extracting it. The flaw was reported to KDE in late July, and was quickly patched with a hotfix.
Read more »
6. Startups disclose data breaches after massive 386M records leak
Startups are beginning to disclose data breaches after a massive leak of stolen databases was published on a hacker forum this month. The threat actors announced that they released the databases for free to benefit the community and as they already made enough money from selling them in private sales.
Read more »
7. Hidden property abusing allows attacks on Node.js applications
A team of security researchers from the Georgia Institute of Technology found a way to exploit Node.js applications by manipulating the hidden properties used to track internal program states. The new tool, dubbed Lynx, will be released during the virtual Black Hat security conference.
Read more »
8. Business ID theft soars amid COVID closures
Identity thieves are having a field day with all of the closures and economic uncertainty brought on by the COVID-19 pandemic. With so many small enterprises going out of business or sitting dormant during the COVID-19 pandemic, organized fraud rings have an unusually rich pool of targets to choose from.
Read more »
9. Vermont taxpayers warned of data leak over the past three years
The Vermont Department of Taxes may have exposed taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. The department said it discovered the vulnerability — which could allow a threat actor to use a person’s credentials to access tax info — on July 2.
Read more »
Phishing simulations & training
10. Expert discloses details of five zero-day Tor flaws
The security researcher published technical details about two zero-day Tor vulnerabilities over the past week and promised to release three more. Oppressive regimes could exploit these flaws to prevent users from accessing the popular anonymizing network. The expert confirmed that one of these issues can de-anonymize Tor servers revealing their real IP address.
Read more »
In this Series
- Cybersecurity Weekly: Industrial VPN flaws, Zoom bug, New side-channel attacks
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
