Breaches and leaks
Let's start with the ransomware again, shall we?
- Largest cruise line operator Carnival confirms ransomware data theft: link.
- Software AG IT giant hit with $23 million ransom by Clop ransomware: link.
- Massachusetts school district shut down by ransomware attack: link.
- The United Nations International Maritime Organization was breached in what sounds like a ransomware attack, though the details aren't clear: link.
- Children and parent info exposed in Georgia DHS data breach: link.
- US mobile operator Boom had credit card skimming malware injected into its website: link.
- Waze leaked other drivers' data: link.
- Sam's Club customer accounts hacked in credential stuffing attacks: link.
- Document-signing service Docsketch discloses security breach: link.
By chaining several exploits, anyone with physical access can get full root access and kernel execution privileges on any T2-based Mac. FileVault 2 disk encryption will still protect your files, but someone with that level of access could install a keylogger to work around it. The old adage holds: an attacker with physical access to your device will be able to compromise it.
Fortunately they were not downloaded many times before being discovered, about 400 times in total. Still, a good cautionary tale.
The title really doesn't do this justice. The article is about how a group of bug bounty hunters worked on Apple for three months and made a bunch of great finds, with an iCloud data-stealing worm as one of the bigger ones. They were awarded a total of $300,000, with more perhaps to come. I thoroughly enjoyed their own detailed write-up. It's a long read, but even reading it halfway will make you appreciate the work that went into it.
After the roll-out of their code scanning feature last week, GitHub has now announced integrations with a bunch of third-party tools. These tools communicate with GitHub's scanning endpoint using a standard static analysis results format (SARIF), and their results show up in the repository's Security alerts tab.
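As an added illustration of what that integration looks like on the wire (this is not GitHub's or any scanner vendor's code), the block below turns a hypothetical scanner's findings into a SARIF 2.1.0 document and checks it for the things that most often make an upload useless: a version other than 2.1.0, a missing tool name, a result whose ruleId has no rule entry, and absolute file paths instead of repository-relative ones. The tool name `demo-scanner`, the rule ids and the findings are all constructed for the example.

```python
"""Added example (not GitHub's or any vendor's code): turn a hypothetical
scanner's findings into a SARIF 2.1.0 document, the format GitHub code
scanning ingests, and check it for the things that commonly make an upload
useless (wrong version, missing tool name, absolute file paths)."""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Tool-specific severities mapped onto SARIF result levels.
LEVELS = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed sample findings; the file names and rule ids are made up.
SAMPLE_FINDINGS = [
    {"rule_id": "DEMO001", "rule_name": "SQL built from string concatenation",
     "severity": "high", "file": "app/db.py", "line": 42,
     "message": "Query built with string concatenation from request input."},
    {"rule_id": "DEMO002", "rule_name": "Hard-coded credential",
     "severity": "low", "file": "app/settings.py", "line": 7,
     "message": "Credential literal found in source."},
]


def findings_to_sarif(tool_name, tool_version, findings):
    """Return a SARIF 2.1.0 dict with one run containing every finding."""
    rules = {}
    results = []
    for f in findings:
        # Each distinct ruleId needs a rule entry so the alert gets a title.
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["rule_name"]},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": LEVELS.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # Paths must be relative to the repository root.
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def check_sarif(doc):
    """Return a list of problems that would make GitHub reject the upload or
    show alerts without usable file locations; empty means it looks fine."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    runs = doc.get("runs") or []
    if not runs:
        problems.append("document has no runs")
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"run {i}: tool.driver.name is required")
        known_rules = {r.get("id") for r in driver.get("rules", [])}
        for j, res in enumerate(run.get("results", [])):
            if not res.get("message", {}).get("text"):
                problems.append(f"run {i} result {j}: message.text missing")
            if res.get("ruleId") not in known_rules:
                problems.append(f"run {i} result {j}: ruleId has no rule entry")
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                if uri.startswith(("/", "file:", "C:\\")):
                    problems.append(f"run {i} result {j}: absolute path {uri!r}, use a repo-relative uri")
    return problems


if __name__ == "__main__":
    doc = findings_to_sarif("demo-scanner", "0.1", SAMPLE_FINDINGS)
    print(json.dumps(doc, indent=2))
    print("problems:", check_sarif(doc))
```

The JSON this produces is what a CI job hands to GitHub (for example via the `github/codeql-action/upload-sarif` action); the checker runs before the upload so a bad document fails the job instead of silently producing alerts with no file to click through to.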
Some nice additions, like alerting on saved passwords that were involved in data breaches and offering to reset them, and blocking mixed-content downloads (files delivered over HTTP from a page that was loaded over HTTPS).
You get an increased payout, from a 5% up to a 20% increase, as you move from "Bronze" towards "Diamond". Once you're in the higher tiers you might also be invited to private programs and real-world events. They also introduced the "Facebook Bug Description Language" (FBDL), with a 5% bounty increase if you use it; it should help researchers write better reports.
Some nice things to know about, like FedRAMP Moderate certification, data storage outside the US, bring-your-own encryption keys and a Splunk app.
Last week I included an article showing that the Trickbot botnet was being disrupted, and it turns out it was the US Cyber Command. They're trying to keep the botnet operators busy and distracted so that they won't interfere with the US elections.
Always a bit of a reality check for me when reading articles like these, where cyber warfare goes hand in hand with actual warfare.
Great write-up on the existence and operational methods of a seemingly very successful "mercenary hacker group".
Maybe I should start a separate category here called "reads like fiction but isn't".
It's incredible how smooth and seemingly easy these can be for an attacker: compromise the e-mail account of a high-up business person, monitor conversations for a while, and step in at the right time. In this case the attacker(s) made off with $15 million. Not bad for two months of work.
Some nice insights into recruitment and job descriptions of the cybercriminal underworld.
Right. I'll just limit myself to quotes from the article on this one: "The chastity cage has a Bluetooth lock that could easily be hacked by almost anyone, leaving the wearer stuck in the device. There is no physical unlock. An angle grinder or other suitable heavy tool would be required to cut the wearer free."