It's been a pretty intense week for me, and next week will probably be too, so I'm a bit more succinct in my summaries than usual and sending it out a bit earlier to get a head start :) Enjoy!
Breaches and leaks
- SitePoint discloses data breach after stolen info used in attacks: link.
- Eletrobras and Copel energy companies hit by ransomware attacks: link.
- Security firm Stormshield discloses data breach, theft of source code: link.
- Oxfam Australia investigates data breach after database sold online: link.
- Trucking company Forward Air said its ransomware incident cost it $7.5 million: link.
- Female escort review site data breach affects 470,000 members: link.
- Data breach exposes 1.6 million Washington unemployment claims: link.
- Hacked road sign talks back after driver complains to council: link. (I know it's irresponsible but I admit to having a soft spot for road sign pranks.)
- Besides Russia, it seems that China was also already exploiting SolarWinds: link.
- More critical vulnerabilities have been found in SolarWinds Orion: link.
Exploit code is available, and unfortunately there is no patch yet.
It seems likely that this is the issue used against security researchers last week.
If you use this library anywhere you'll definitely want to patch.
More good news for the Rust ecosystem (among other things).
Great blog post by Liran Tal on typosquatting attacks, highlighting the case where an attacker tricked people into downloading the malicious package crossenv instead of the popular and benign cross-env package. Once installed, it proceeded to upload your environment variables to a third-party server.
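As an added illustration of the defensive side (this is example code, not from the newsletter or from Liran Tal's post): a small check that scans a package.json and flags dependency names that sit within a short edit distance of a well-known package name, which is exactly the crossenv vs cross-env pattern. The popular-package list and the sample package.json are constructed for the example; a real check would source the list from your registry or an allowlist.

```javascript
// Added example: flag dependencies whose names are near-misses of well-known packages.
// POPULAR_PACKAGES is a constructed sample list, not a real registry feed.
const POPULAR_PACKAGES = ["cross-env", "lodash", "express", "react", "babel-cli"];

// Classic Levenshtein edit distance (insert/delete/substitute, each costing 1).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,      // delete from a
        dp[i][j - 1] + 1,      // insert into a
        dp[i - 1][j - 1] + cost // substitute (or match)
      );
    }
  }
  return dp[a.length][b.length];
}

// Returns findings for every dependency (regular or dev) that is not itself a
// known package but is within maxDistance edits of one.
function findTyposquatCandidates(pkgJson, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (popular.includes(name)) continue; // exact match to a known-good name is fine
    for (const known of popular) {
      const distance = editDistance(name, known);
      if (distance > 0 && distance <= maxDistance) {
        findings.push({ dependency: name, resembles: known, distance });
      }
    }
  }
  return findings;
}

// Constructed sample package.json mirroring the case in the post, plus one more near-miss.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { crossenv: "^5.0.0", lodash: "^4.17.0" },
  devDependencies: { expresss: "^4.0.0" },
};

// Run the check when executed directly (e.g. `node typosquat-check.js`).
if (typeof require !== "undefined" && require.main === module) {
  for (const f of findTyposquatCandidates(SAMPLE_PACKAGE_JSON)) {
    console.log(`suspicious: "${f.dependency}" resembles "${f.resembles}" (distance ${f.distance})`);
  }
}
```

A distance threshold of 2 catches single dropped characters, swapped characters and doubled letters while keeping false positives manageable on short names; for a real CI gate you would compare against the packages your organisation actually depends on rather than a fixed list, and treat a hit as something to review before install, not as proof of malice.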
Reaching 1.4 million reports in a single year, mostly aimed at COVID-related unemployment benefits.
A total of $6.7 million, rewarded across 662 researchers.
- The full Google blog post referred to in the article: link.
- Related: Launching OSV - Better vulnerability triage for open source: link.
One of the more awesome features of 1Password Business is the ability to get reports on things like: who has access to which vaults, which devices are authorised, who in your team has 2FA enabled, and even who accessed which item when. Super powerful for forensics and audits.