Zoom
A security researcher publicly disclosed a zero-day flaw that enables websites to hijack cameras on Apple Macs that have the Zoom video-conferencing app installed. The researcher initially disclosed the vulnerability to Zoom, giving the company 90 days to solve the problem; it didn’t, so he went public. The company now says it has fixed the vulnerability; the researcher disagrees. To read more: https://www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras
Apple also released an update for Mac users to remove the vulnerability in Zoom. Apple’s update will apparently protect past and present users from the app itself. To read more: https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
Android apps
Researchers at the International Computer Science Institute in California found that some app developers are using questionable techniques for harvesting user data. They discovered that more than 1,300 Android apps use workarounds to collect precise location data even when users have explicitly denied the required permissions. To read more: https://thehackernews.com/2019/07/android-permission-bypass.html
Astaroth malware
Microsoft’s security team is warning users of an ongoing malware campaign to distribute the Astaroth trojan. The campaign consists of a massive spam operation that sends out email with a link to a website hosting an LNK file. If run, the file launches the Windows Management Instrumentation Command-line tool, which starts a chain of events that eventually loads the Astaroth malware. To read more: https://www.zdnet.com/article/microsoft-warns-about-astaroth-malware-campaign/
Croatia
A hacker group believed to be state-sponsored (and probably Russian) targeted Croatian government employees earlier this year. Victims received spear-phishing emails that contained a link to apparently official websites; these faked sites had the ability to infect users’ machines with malware. To read more: https://www.zdnet.com/article/croatian-government-targeted-by-mysterious-hackers/
Torrent sites
An ongoing campaign primarily affecting South Korea is spreading malware via torrent sites. The malware, disguised as Korean movies and TV shows, is a modified version of the GoBot2 backdoor, which enables attackers to connect a compromised computer to a botnet. To read more: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
WannaCry
TechCrunch has published an in-depth story on the “kill switch” that prevented a second WannaCry outbreak, and the two security researchers who stopped the malware from spreading. To read more: https://techcrunch.com/2019/07/08/the-wannacry-sinkhole/
NAS devices
New ransomware is targeting Network Attached Storage (NAS) devices made by QNAP Systems, a Taiwanese company. NAS devices provide dedicated file storage that allows users to store and share data and backups on multiple computers. The ransomware targets QNAP NAS devices through brute-forcing weak credentials and exploiting known vulnerabilities. To read more: https://thehackernews.com/2019/07/ransomware-nas-devices.html
FinSpy
Researchers detected a commercial surveillance spyware known as FinSpy targeting users in Myanmar. The spyware was created by Gamma International, a German company, and targets various mobile platforms and desktop operating systems. To read more: https://thehackernews.com/2019/07/finspy-spyware-android-ios.html
Marriott
This American hotel company was fined $123m for a 2014 data breach under Europe’s General Data Protection Regulation (GDPR). Hackers compromised Marriott’s guest-reservation database and collected the personal details of 339m guests. The penalty notice came within a week of British Airways being fined a record £183m ($227m) for a GDPR breach. To read more: https://thehackernews.com/2019/07/marriott-data-breach-gdpr.html
Dell System Detect
A flaw in Dell System Detect enables an attacker to trigger the program to download and execute arbitrary files without user interaction. To read more: https://tomforb.es/dell-system-detect-rce-vulnerability/
Magecart
Researchers found a new supply-chain attack carried out against 17,000 domains by so-called Magecart hackers, who inject digital card skimmers into websites. The new attack scans the internet for misconfigured Amazon S3 buckets and then injects the skimming code via JavaScript files. To read more: https://thehackernews.com/2019/07/magecart-amazon-s3-hacking.html
Buhtrap
A hacking group known as Buhtrap was found using a Windows zero-day vulnerability that Microsoft fixed in June of this year. The flaw, a privilege escalation issue, only affects older versions of Windows. To read more: https://www.securityweek.com/buhtrap-group-used-windows-zero-day-government-attack
Agent Smith malware
New mobile malware infected 25m Android mobile devices globally, including 15m in India. The malware uses multiple vulnerabilities to inject malicious code into the APK files of targeted apps. To read more: https://thehackernews.com/2019/07/whatsapp-android-malware.html
K12.com
The records of 7m students were exposed when a K12.com MongoDB database was left open on the internet. The exposed database contained information such as email addresses, names and genders. To read more: https://www.comparitech.com/blog/vpn-privacy/report-7-million-student-records-exposed-by-k12-com/
Pale Moon web browser
The team behind the Pale Moon web browser announced that its Windows archive servers were breached, and that hackers had installed malware on all archived installers of Pale Moon 27.6.2. To read more: https://www.bleepingcomputer.com/news/security/hackers-infect-pale-moon-archive-server-with-a-malware-dropper/
Canonical
The GitHub account of Canonical, the company behind Ubuntu, was hacked last weekend, but the Ubuntu Linux source code was not accessed. The hacker created 11 new GitHub repositories in the official Canonical account. To read more: https://www.zdnet.com/article/canonical-github-account-hacked-ubuntu-source-code-safe/
7-Eleven Japan
7-Eleven Japan shut down its mobile payment app after it was hit by a cyberattack that resulted in $506,000 in fraudulent transactions. The hacker accessed user accounts and made fraudulent purchases on cards that were stored on the app. To read more: https://www.mobilepaymentstoday.com/news/7-eleven-japan-suspends-mobile-app-after-data-breach/
Nemadji Research
A contractor with the Los Angeles County Department of Health Services is notifying patients about a phishing attack that exposed the personal information of 14,591 patients. The contractor, Nemadji Research, identifies and verifies patient eligibility for programs that reimburse for care provided by the department. To read more: https://www.smdp.com/citywide-notifications-underway-after-contractor-data-breach-exposes-dhs-patient-data/177282
American Hockey League app
The American Hockey League’s app malfunctioned this week, and started sending push notifications about a workplace dispute between two people. The league says that the problem is now fixed. To read more: https://www.vice.com/en_us/article/bj9ejz/a-sports-app-spammed-push-notifications-about-a-bizarre-violent-workplace-beef
Bitpoint
This Japan-based cryptocurrency exchange announced that it had lost $32m worth of cryptocurrency after a cyberattack. The attackers stole Bitcoin, Bitcoin Cash, Litecoin, Ripple and Ethereum. To read more: https://www.zdnet.com/article/bitpoint-cryptocurrency-exchange-hacked-for-32-million/
Zip bomb
A researcher created a new type of zip bomb when he figured out how to achieve compression ratios so high that a 46-megabyte file expands to 4.5 petabytes of data. When decompressed, zip bombs can crash a system because they overwhelm a machine’s CPU, RAM and disk space. To read more: https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes
Train manufacturer
A software engineer stole source code from a train manufacturer based in Chicago. He downloaded more than 3,000 electronic files that contained trade secrets and intellectual property, then fled to China. To read more: https://www.zdnet.com/article/engineer-flees-to-china-after-stealing-source-code-of-us-train-firm/
Vitagene
DNA-testing vendor Vitagene accidentally exposed 3,000 consumers’ personal information through a misconfigured database. To read more: https://healthitsecurity.com/news/dna-testing-service-vendor-reports-years-long-consumer-data-breach