Apple MacOS Mojave
A zero-day vulnerability in Apple Mojave was disclosed on the same
day that the version of the MacOS operating system left beta and
became available to the public. To read more: https://www.zdnet.com/article/macos-mojave-zero-day-privacy-bypass-bug-revealed-on-the-day-of-download/
SHEIN
US online fashion retailer SHEIN suffered a significant data breach
after a hacker stole the personally identifiable information of 6.5
million customers. The attack began in June and lasted until August
when the company became aware of the breach. To read more: https://thehackernews.com/2018/09/shein-data-breach.html
Facebook
Facebook said that an attack on its computer network led to the
exposure of 50 million users’ personal information. The attackers
exploited a feature in Facebook’s code that allowed them to take
over a user’s account. To read more: https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
Port of San Diego
Two major international ports were cyber attacked within the space
of a week. Both Barcelona, Spain and San Diego, California reported
attacks. The port authorities have not revealed any details about
the nature of the attacks. To read more: https://www.zdnet.com/article/port-of-san-diego-suffers-cyber-attack-second-port-in-a-week-after-barcelona/
Chegg
A US-based education technology company plans to reset passwords
for 40 million users after discovering a security incident that
occurred in April of this year. The hack was discovered on
September 19th. To read more: https://www.zdnet.com/article/chegg-to-reset-passwords-for-40-million-users-after-april-2018-hack/
UK Conservative Party
A mobile conferencing app used by the UK Conservative Party leaked
the private details of people who registered to attend conferences
via the app. These private details included party members and UK
government officials. To read more: https://www.zdnet.com/article/uk-conservative-party-conference-app-leaks-mps-personal-details/
NewsNow
An online news aggregation service has admitted that it suffered a
security breach. The service sent an email to its users
acknowledging the incident and that “an encrypted version of your
password may have been accessed.” To read more: https://www.grahamcluley.com/newsnow-suffers-security-breach-passwords-should-be-considered-compromised/
United Nations
The United Nations experienced a data breach that leaked passwords
and other sensitive information. A variety of misconfigured apps
including Trello Jira and Google Docs were the cause of the breach.
To read more: https://www.macobserver.com/news/united-nations-data-breach/
SingHealth
The server that was exploited by hackers which led to the breach of
SingHealth’s critical systems had not received security software
updates for more than a year. To read more: https://www.straitstimes.com/singapore/hacked-singhealth-server-had-not-had-security-update-for-14-months-cyber-attack-coi-finds
Cisco
Cisco has provided users a patch for its Video Surveillance Manager
software to erase hardcoded default credentials for the root
account. The company is urging users to patch immediately. To read
more: https://www.zdnet.com/article/cisco-weve-killed-another-critical-hard-coded-root-password-bug-patch-urgently/
Linux kernel
Security researchers published a Proof of Concept attack that
exploits an integer overflow vulnerability in the Linux kernel.
This bug could allow an unprivileged user to gain superuser access
to the targeted system. To read more: https://thehackernews.com/2018/09/linux-kernel-vulnerability.html
UEFI Rootkit
Researchers have found what they claim to be the first-ever UEFI
rootkit being used in the wild. Called LoJax, the rootkit is part
of a malware campaign conducted by APT28 to target several
governments. To read more: https://thehackernews.com/2018/09/uefi-rootkit-malware.html
iPhone XS
The Chinese hacking team Pangu managed to jailbreak iOS 12 running
on a brand-new iPhone XS. To read more: https://thehackernews.com/2018/09/ios12-iphone-jailbreak-exploit.html
Telegram
A bug was found in Telegram’s desktop clients for Windows, Mac, and
Linux that reveals users’ IP addresses during voice calls. Telegram
has patched the vulnerability. To read more: https://www.zdnet.com/article/telegram-fixes-ip-address-leak-in-desktop-client/
Apple’s Device Enrollment Program
Security researchers discovered an issue with the Apple Device
Enrollment Program that allows organizations to manage MacBooks and
iPhones. Duo Security was able to use device serial numbers to gain
access to sensitive data. To read more: https://betanews.com/2018/09/27/apple-device-enrollment-program-security-vulnerability/
Sign up below and receive these reports and more directly in your inbox.