I have decided to take a break from writing the newsletter. As much as I enjoy reading and writing about infosec, I want to be more selective about where I dedicate my time and focus, and the newsletter didn't make the top of the list right now. I'm not certain if I'll restart it in the future, we'll see :-)
- I will never sell the newsletter or the list of e-mails it has gathered.
- The website, securitynewsletter.co, will stay online with the archive of previous issues.
- Big shout out to 1Password and Uptycs for being incredibly supportive sponsors. Thank you!
- If, down the line, I start some other non-newsletter project and you want to know when that happens, you can leave your e-mail address here. I won't spam the newsletter for something like that. Or you can just follow me on Twitter I guess :-)
If you want other places to catch up on news, I can recommend:
That's it! I hope you enjoy this issue. Keep fighting the good fight :-)
Breaches and leaks
- Over a billion records belonging to CVS Health exposed online: link.
- South Korea's Nuclear Research agency hacked using VPN flaw: link.
- REvil ransomware hits US nuclear weapons contractor: link.
- Fertility clinic discloses data breach exposing patient info: link.
- Poland blames Russia for breach, theft of Polish officials' emails: link.
- Audi, Volkswagen customer data being sold on a hacking forum: link.
- Carnival Cruise hit by data breach, warns of data misuse risk: link.
This is just a fascinating follow up to the EA breach, and blew my mind a bit. It turns out that there are markets where you can not only buy a cookie that gets you access to some Slack or Okta account, but you can also essentially clone an entire browser from a compromised target. If anyone in your organisation is unknowingly part of a botnet, the attacker can just "become them" and have all the access that that person has. All nice and user friendly, and a great extra income stream for botnet operators. Incredible.
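As an added illustration (not from the newsletter or from the linked article), the Python sketch below shows why a User-Agent or fingerprint comparison is useless against a cloned browser, and what a server-side log review can still key on: the same session cookie being presented from two different networks within a short window. The log lines are constructed for the example, and the log format, the one-hour window and the function names are my own assumptions, not anything the linked article describes.

```python
"""Flag session cookies reused from more than one source IP in a short window."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of access-log lines (not real data):
#   <timestamp> <session_id> <client_ip> "<user_agent>" <path>
# sess_a1 is a cloned session: the attacker's requests carry an identical
# User-Agent (the whole browser profile was copied) but come from another network.
# sess_b2 changes IP too, but hours apart, as a laptop moving between networks would.
SAMPLE_LOG = """\
2021-06-18T09:00:01Z sess_a1 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0" /inbox
2021-06-18T09:02:15Z sess_a1 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0" /inbox
2021-06-18T09:07:40Z sess_a1 198.51.100.77 "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0" /admin/export
2021-06-18T09:08:02Z sess_b2 192.0.2.55 "Mozilla/5.0 (Macintosh) Safari/14.1" /inbox
2021-06-18T11:30:00Z sess_b2 192.0.2.56 "Mozilla/5.0 (Macintosh) Safari/14.1" /inbox
"""


def parse_line(line):
    """Split one log line into a dict; shlex keeps the quoted User-Agent intact."""
    ts, session, ip, ua, path = shlex.split(line)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "session": session,
        "ip": ip,
        "ua": ua,
        "path": path,
    }


def _events_by_session(log_text):
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["session"]].append(e)
    for evs in events.values():
        evs.sort(key=lambda e: e["ts"])
    return events


def find_ua_changes(log_text):
    """Sessions whose User-Agent changes mid-session. Empty for a cloned browser,
    which is exactly why this check alone is not enough."""
    changed = set()
    for session, evs in _events_by_session(log_text).items():
        if len({e["ua"] for e in evs}) > 1:
            changed.add(session)
    return changed


def find_cloned_sessions(log_text, window=timedelta(hours=1)):
    """Return {session_id: [(earlier_ip, later_ip, seconds_apart), ...]} for every
    session cookie seen from two different IPs within `window` of each other."""
    alerts = {}
    for session, evs in _events_by_session(log_text).items():
        last_seen = {}  # ip -> most recent timestamp for this session
        for e in evs:
            for other_ip, other_ts in last_seen.items():
                gap = e["ts"] - other_ts
                if other_ip != e["ip"] and gap <= window:
                    alerts.setdefault(session, []).append(
                        (other_ip, e["ip"], int(gap.total_seconds()))
                    )
            last_seen[e["ip"]] = e["ts"]
    return alerts


if __name__ == "__main__":
    print("UA changes:", find_ua_changes(SAMPLE_LOG))          # set()
    print("suspect sessions:", find_cloned_sessions(SAMPLE_LOG))
    # {'sess_a1': [('203.0.113.10', '198.51.100.77', 325)]}
```

Treat a hit as a triage signal rather than proof: carrier NAT, VPNs and mobile roaming produce legitimate IP changes, and an attacker can route through a residential proxy near the victim. The durable mitigations are the boring ones: short session lifetimes, re-authentication before sensitive actions, and revoking all sessions when a device is suspected of being part of a botnet.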
Google released an "end to end framework" to stop supply chain attacks. Definitely a worthy cause. Right now it's just a set of guidelines, but it'll be interesting to see if it evolves into something more. See also Google's own blogpost: link.
It sure is a fine line, but I'm glad to see that cyberattacks are taken more seriously.
Uptycs' threat research team has discovered a new botnet named 'Simps', attributed to the Keksec group and primarily focused on DDoS activities. It even comes with its own Discord server, YouTube channel and Instagram account to showcase its capabilities. (Sponsored)
This is damn bold, but I can absolutely see it paying off for the criminals.
Update all the things
- Apple fixes ninth zero-day bug exploited in the wild this year: link.
- Google fixes seventh Chrome zero-day exploited in the wild this year: link.
- Critical remote code execution flaw in thousands of VMware vCenter servers remains unpatched: link.
This is just awesome, and should happen far more consistently across far more vendors. I've had to decommission way too many devices that were still in perfect working order just because they were EOL'd.
This is one to keep an eye on. I'm sure we'll see a lot more need for proper identification flows over the years, and I for one trust Stripe a whole lot more to do it properly than just any random company that wants to verify who I am.
The stats seem high to me, but either way, may it serve as a great reminder that you better have everything in order before you prove to the attackers that you're a target that pays up.
Pretty fascinating write-up of the recruitment flows that they employ.
First of all: please use a password manager. Since you're a subscriber here I'm pretty sure you already do, but just in case. Second: if you're not using 1Password yet, give them a try. I've been using them for many years professionally and migrated my personal Vault over two years ago. The experience was super smooth, and I haven't looked back ever since. (Sponsored)