Here we are again with another issue, and unfortunately another long list of breaches.
I struggle sometimes with the balance between sharing every item I find interesting, and keeping the newsletter short. It's supposed to be a curated experience after all, and I feel like I often fail at that and make it too long.
Maybe I should hard-cap it to something like the five or six top items, plus the special sections like "breaches and leaks" and this week's "exploits and issues", since those are easier to skim to see if anything is relevant to you.
Any feedback on this is welcome. As always, you can just reply to this email to reach me.
Have a good one!
Breaches and leaks
- Johnson & Johnson discloses IBM data breach impacting patients: link.
- Freecycle confirms massive data breach impacting 7 million users: link.
- Alleged LockBit attack shuts down city networks in Seville: link.
- Minneapolis school district says data breach affected more than 100,000 people: link.
- See Tickets alerts 300,000 customers after web skimmer attack: link.
- Golf gear company Callaway exposes info of 1.1 million: link.
- Crypto casino Stake.com loses $41 million to hot wallet hackers: link.
- Coffee Meets Bagel says recent outage caused by destructive cyberattack: link.
- Insurer fined $3M for exposing data of 650k clients for two years: link.
Microsoft thinks it has figured out how Chinese hackers were able to get the signing key needed for their big Outlook hack earlier this year, and it's a doozy.
In short: the signing system had a crash in 2021. When such a system crashes it creates a snapshot of the crashed process, also known as a "crash dump". Crash dumps shouldn't contain sensitive data, but this one did. The hackers gained access to an employee's account, which also happened to have access to the crash dump. They combed through it and found the key.
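The defensive check this story calls for is to scan (and redact) crash dumps for key material before they leave the production boundary. Below is an added example of such a scanner, written for this newsletter; it is not Microsoft's tooling and not code from any of the linked articles. It assumes the dump is available as raw bytes, looks for PEM-armoured private keys, JSON Web Keys that carry a private exponent, and long high-entropy base64 runs (a raw key blob that has lost its armour), and reports only offsets and lengths so the report itself cannot re-leak the key. The sample dump and the "key" inside it are constructed placeholders.

```python
"""Scan a crash dump for key material and redact it in place.

Added example for illustration; not Microsoft's tooling and not from the
newsletter. Assumes the dump is available as raw bytes. The sample dump
below is constructed and the "keys" in it are placeholders, not real keys.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# PEM armour for the private-key types most likely to live in a signing service.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |)PRIVATE KEY-----.*?-----END (?:RSA |EC |)PRIVATE KEY-----",
    re.DOTALL,
)
# A JSON Web Key (RFC 7517) whose "d" member (private exponent / private scalar) is present.
JWK_PRIVATE_RE = re.compile(
    rb'"kty"\s*:\s*"(?:RSA|EC|OKP)"[^}]*"d"\s*:\s*"[A-Za-z0-9_-]{32,}"'
)
# Long base64 runs: a raw key blob that lost its PEM armour still looks like this.
BASE64_RUN_RE = re.compile(rb"[A-Za-z0-9+/=]{64,}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; key material sits near the top of the base64 range (6.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_key_material(dump: bytes, entropy_threshold: float = 5.0) -> List[Dict]:
    """Return findings as {kind, offset, length}.

    The matched bytes are deliberately not returned, so the report can be stored
    and shared without copying the secret out of the dump a second time.
    """
    findings: List[Dict] = []
    for m in PEM_PRIVATE_RE.finditer(dump):
        findings.append({"kind": "pem_private_key", "offset": m.start(), "length": len(m.group())})
    for m in JWK_PRIVATE_RE.finditer(dump):
        findings.append({"kind": "jwk_private_key", "offset": m.start(), "length": len(m.group())})
    # Only flag base64 runs that are not already inside a structured finding,
    # and skip low-entropy runs such as zero padding ("AAAA...") that is valid base64.
    covered = [(f["offset"], f["offset"] + f["length"]) for f in findings]
    for m in BASE64_RUN_RE.finditer(dump):
        if any(start <= m.start() < end for start, end in covered):
            continue
        if shannon_entropy(m.group()) >= entropy_threshold:
            findings.append({"kind": "high_entropy_base64", "offset": m.start(), "length": len(m.group())})
    return sorted(findings, key=lambda f: f["offset"])


def redact(dump: bytes, findings: List[Dict]) -> bytes:
    """Overwrite each finding with 'X' bytes of the same length, so offsets are
    preserved and the dump stays usable for the crash analysis it was made for."""
    out = bytearray(dump)
    for f in findings:
        out[f["offset"]: f["offset"] + f["length"]] = b"X" * f["length"]
    return bytes(out)


# Constructed sample dump (placeholder key material only): an ELF-looking header,
# a fake PEM key, a JWK fragment with a fake private exponent, a run of zero
# padding that happens to be valid base64, and a raw high-entropy blob.
_B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SAMPLE_DUMP = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 32
    + b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_NOT_A_REAL_KEY\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 16
    + b'{"kty":"RSA","kid":"signing-2021","d":"placeholder_private_exponent_not_real_x"}'
    + b"\x00" * 16
    + b"A" * 80               # zero bytes encode to 'A': low entropy, must not be flagged
    + b"\x00" * 16
    + _B64_ALPHABET[::-1]     # blob that lost its armour: high entropy, must be flagged
    + b"\x00" * 16
)

if __name__ == "__main__":
    found = find_key_material(SAMPLE_DUMP)
    for f in found:
        print(f"{f['kind']:>20} at offset {f['offset']} ({f['length']} bytes)")
    clean = redact(SAMPLE_DUMP, found)
    print("findings after redaction:", len(find_key_material(clean)))
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the file's bytes; the entropy threshold of 5.0 bits per byte is a starting point, and real dumps will need the pattern list extended to whatever key formats your own signing service actually holds in memory.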
Those are some highly motivated attackers, that's for sure.
There are patches available for two vulnerabilities that were used by the NSO Group to infect iPhones remotely without user interaction. All they had to do was send an iMessage with an attachment. Other platforms like the Mac, Apple Watch and iPad are vulnerable too, so make sure to run that update on all of them.
Okta released a warning that four of their high-profile customers were targeted by sophisticated social engineering and lateral movement techniques, which they detail in a blogpost.
Interesting report on the "W3LL store", a community where you can buy phishing kits targeted at MS365 accounts. They're effective too, compromising roughly 8,000 accounts and earning the creators about $500,000 in sales.
Exploits and issues
This is an experimental section: I'll gather the exploits and vulnerabilities that make the news, but wouldn't otherwise make the newsletter because they are too specific. But since they might be super relevant to you if you happen to run the affected software, I still want to share them.
- Apache RocketMQ: critical vulnerability being exploited in the wild: link.
- Cisco BroadWorks: critical vulnerability rated 10/10: link.
- AtlasVPN: zero-day that reveals IP address: link.
- MinIO storage system: large scale exploitation of two recent vulnerabilities: link.
- VMware's Aria Operations for Networks analysis tool: proof-of-concept exploit code for a critical SSH vulnerability: link.
- PHPFusion CMS: critical vulnerability: link.
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
No real news in this one but it's an interesting read on how more botnets might be taken down in a similar fashion, while also pointing out that eventually the botnet controllers will adapt and/or rebuild.
You can use the Flipper Zero to generate a range of spoofed Apple-related Bluetooth notifications, overwhelming a user with them. Good to know about if it starts happening to you. Or yet another reason to buy one if you want to try it out yourself, which I still haven't gotten around to.
I haven't listened to all of it yet but it seems like an interesting podcast episode about Ukraine's cyber defenses and the cooperation with Western cybersecurity forces. It's transcribed so you can read it as well.
Definitely true, and definitely worth a read.
I had no idea that the first ransomware incident happened at a 1989 WHO conference, and asked victims to send their ransom to a PO box in Panama. The article then goes over all the things that have changed since then.
More privacy than security, but interesting (and infuriating) research from the Mozilla Foundation. From the article: "Every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you." Great, just great.
Visma is a European powerhouse that builds software for schools, governments, accounting departments and more. Listen along as Vlad Boldura, security manager at Visma, joins the Random but Memorable podcast to discuss why they chose 1Password, how they rolled it out and what impact it has had. (Sponsored)