Weekly Breach Report – October 12th

Most dangerous celebrity

A report named NBA star Stephen Curry as New Zealand’s most dangerous celebrity to search for on the internet, because many such searches lead to malicious websites. 1 News: https://www.tvnz.co.nz/one-news/new-zealand/nba-star-stephen-curry-named-nzs-most-dangerous-celebrity-cybersecurity-company

Apple’s T2 chip

Apple macOS devices with Intel processors and T2 chips are vulnerable to an unfixable exploit. Any attacker would need to plug a USB-C cable into the targeted device, however. AppleInsider: https://appleinsider.com/articles/20/10/05/apples-mac-t2-chip-has-an-unfixable-vulnerability-that-could-allow-root-access

Apple

A team of security researchers discovered 55 vulnerabilities in Apple’s online services. Eleven of the vulnerabilities are believed to be of critical severity. The Hacker News: https://thehackernews.com/2020/10/apple-security.html

UEFI bootkit

Researchers found malware in the UEFI or Unified Extensible Firmware Interface required to boot up almost every modern computer. Arstechnica: https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/

Microsoft Azure

Researchers discovered two security flaws in Azure App Services that could enable server-side request forgery attacks or execution of arbitrary code to take over an administration server. The Hacker News: https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html

Chowbus

An Asian food-delivery service announced that a data breach had exposed hundreds of thousands of customer records. SiliconAngle: https://siliconangle.com/2020/10/06/customer-records-stolen-data-breach-asian-food-delivery-service-chowbus/

Microsoft Windows

Hackers are using a new fileless attack that, to remain undetected, buries itself in executables embedded in Windows Error Reporting. ZDNet: https://www.zdnet.com/article/hackers-exploit-windows-error-reporting-service-in-new-fileless-attack/

Edureka

A massive data breach at an Indian e-learning platform impacted almost 2m users. Mashable India: https://in.mashable.com/tech/17419/edureka-suffered-data-breach-affecting-up-to-2-million-users

Software AG

Germany’s second-largest software company suffered a ransomware attack that breached its internal network and encrypted files. ZDNet: https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/

WP Bakery

Researchers discovered a cross-site scripting vulnerability in the WP Bakery page-builder that enables an attacker to inject malicious JavaScript into WordPress pages. Search Engine Journal: https://www.searchenginejournal.com/wp-bakery-wordpress-vulnerability/383383/#close

Crown Prosecution Service

The CPS, which conducts most criminal prosecutions in England and Wales, recorded more than 1,600 data breaches this year, up 18% from last year. Infosecurity Magazine: https://www.infosecurity-magazine.com/news/cps-under-fire-data-breach-cases/

Georgia DHS

A security breach at Georgia DHS exposed the personal and health information of children and adults involved in Child Protective Services cases. ZDNet: https://www.zdnet.com/article/children-and-parent-info-exposed-in-georgia-dhs-data-breach/

Verimatrix

Verimatrix confirmed a data breach but, after an investigation, said it could not identify any impact on customer-facing products or services. Benzinga:https://www.benzinga.com/pressreleases/20/10/b17861543/verimatrix-reports-a-data-breach

Docsketch

Electronic document-signing company Docsketch notified customers of a security breach in which hackers gained access to a copy of its database. ZDNet:https://www.zdnet.com/article/document-signing-service-docsketch-discloses-security-breach/