Cybersecurity Weekly: Securing open source apps, Facebook iPhone bug, multi-year breach
GitHub recruits a team of tech companies to help secure open source software. A new Facebook bug secretly enables the iPhone camera. A tech company discovers a years-long data breach only after an infected server runs out of drive space. All this, and more, in this week’s edition of Cybersecurity Weekly.
Top Security Awareness Posters
1. GitHub Security Lab aims to make open source software more secure
GitHub Security Lab is a new program aimed at researchers, maintainers and companies that want to contribute to the security of open source software. Current contributors include companies like Microsoft, Google, Intel and Mozilla. The team has already issued over 100 CVEs for security vulnerabilities it found.
Read more »
2. DDoS-for-Hire services operator sentenced to 13 months in prison
The defendant made hundreds of thousands of dollars by launching millions of DDoS attacks with his platforms from August 2015 to November 2017. In addition to the jail time, he was forced to forfeit dozens of servers and electronic equipment, as well as $542,925 in proceeds from his illegal scheme.
Read more »
3. Company detected years-long breach only after hacker maxed out servers' storage
Utah-based tech company InfoTrax Systems was reportedly breached in May 2014 when the hacker exploited vulnerabilities to gain remote control of its server. The company discovered the breach several years later, when it began receiving alerts that one of its servers had reached its maximum capacity due to a massive data archive file created by the hacker.
Read more »
4. Silly phishing scam warns that your password will be changed
A phishing campaign is underway which states that your password will expire unless you login and confirm that you want to keep it the same. Once the victim clicks on the "Keep same password" link, they will be brought to a generic mail server login page. With these credentials, hackers can perform BEC scams or password reuse attacks.
Read more »
5. Facebook bug turns on iPhone camera in the background
In early November, several iPhone users started experiencing a glitch while using the Facebook app. This glitch causes the user to clearly see that the phone’s camera is active behind their timeline, which would normally be hidden from view. This can be prevented by revoking Facebook’s camera access in the iPhone’s settings.
Read more »
6. Phishing increasingly targets SaaS and webmail
According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, phishing of SaaS and webmail services has surpassed phishing of payment services for the first time in 2019. SaaS and webmail are now the most targeted sectors, suffering 36% of phishing attacks compared to just 27% for payment services.
Read more »
7. Design flaw could open Bluetooth devices to hacking
The problem lies in the way Bluetooth devices communicate with the mobile apps that control them, stated a professor at Ohio State University. This vulnerability takes advantage of the way Bluetooth devices use a hard-coded unique identifier during the initial connection process. Researchers think that, despite the severity of the issue, there could be a simple fix.
Read more »
8. Web payment card skimmers add anti-forensics capabilities
Researchers have detected compromises on ecommerce sites with a new JavaScript-based payment card skimmer that uses anti-forensics techniques, including the ability to remove itself from the web page’s code after execution. An investigation uncovered 17 online merchant sites infected with this new skimmer.
Read more »
9. Two arrested for stealing $550,000 in cryptocurrency using sim swapping
U.S. authorities arrested two more alleged cybercriminals from Massachusetts this week, charging them with stealing $550,000 in cryptocurrency from at least 10 victims using SIM swapping between November 2015 and May 2018. The two defendants have also been charged for taking over social media accounts of their victims.
Read more »
Phishing simulations & training
10. U.S. Government asks consumers to be wary of holiday scams and malware
Consumers have been consistently targeted by attackers who take advantage of the holiday season to push themed scams via online advertisements, misleading sales calls and phishing emails. For instance, last year’s most popular phishing campaign featured an Amazon order confirmation email for holiday gifts.
Read more »
In this Series
- Cybersecurity Weekly: Securing open source apps, Facebook iPhone bug, multi-year breach
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
