For those who celebrate, I hope you all enjoyed a wonderful Christmas, and are about to enjoy a wonderful New Year's!
Because I don't want you to spend all your time reading security news I tried to keep it short, although the breaches section is much longer than I'd like. Maybe just skim that one, ok? ;-)
Have a good one folks!
Researchers from Kaspersky revealed details of an incredibly sophisticated backdooring campaign targeting iPhones, iPads and Macs. It uses a set of hardware functions that aren't documented anywhere, leaving researchers to guess as to how it was created.
Attribution seems difficult, because it's very different from other known campaigns. The Russian CERT attributes the attacks to the NSA, and the FSB alleges that Apple themselves helped out, which Apple denies.
It used a total of four zero-days, in a very impressive exploit chain, shown and described in the article. All four vulnerabilities have now been patched.
Coordinated by Europol and spearheaded by Greece, a two-month international operation involving law enforcement from 17 countries and private entities such as Group-IB and Sansec identified skimmer infections on 443 websites. They were notified with the help of national CSIRT teams. Impressive campaign.
The Chrome Safety Check will also alert you when using extensions that are dangerous (as in, having been taken down from the Web Store), automatically revoke permissions such as access to location or microphone for sites that you haven't visited in a long while, and flag sites that produce excessive notifications.
If you think doing a quick pentest every few quarters isn’t enough, you are correct. GlitchSecure combines continuous vulnerability assessments with real-time pentesting - all verified by highly skilled (and wonderful) humans in a user friendly platform. (Sponsored)
If you contribute code on GitHub, you will have to enable 2FA by January 19th or be limited in your access until you do. It doesn't count for business or enterprise accounts though, unfortunately. Not yet anyway. After the 19th you won't be able to disable 2FA, only replace it with other methods. They offer pretty much any method available: security keys, passkeys, their mobile app, authenticator apps (TOTP), and SMS text messages. I'm all for this, way to go GitHub.
Lapsus member Arion Kurtaj has been sentenced indefinitely to a 'secure hospital' by a UK judge, due to his autism. Another Lapsus member, aged 17, was also found guilty. It's easy to be dismissive because of their age, but it is impressive, in a bad way, to see their list of corporate victims: Rockstar Games, Okta, Uber, Revolut, Microsoft, Samsung, NVIDIA, and many others.
Isovalent is the company behind much of the work on eBPF and Cilium, two technologies that have made quite an impact in the worlds of EDR and containers. This, combined with the recent acquisition of Splunk, makes it seem that Cisco is trying to up its game significantly. Let's see if it works out.
Securing GraphQL shouldn’t be this hard. Learn from Staff Security Engineer at Thinkific, why Escape stands out as the sole security scanner for GraphQL that is both engine-aware and developer-friendly. (Sponsored)
Breaches and leaks
- Lockbit ransomware disrupts emergency care at German hospitals: link.
- EasyPark discloses data breach that may impact millions of users: link.
- Albanian parliament, telecom company hit by cyberattacks: link.
- Australian healthcare provider St. Vincent’s has data stolen during cyberattack: link.
- Kroll reveals FTX customer info exposed in August data breach: link.
- First American Financial takes systems offline after cyber incident: link.
- Fidelity National Financial subsidiary says 1.3 million affected by November cyberattack: link.
- Ohio Lottery hit by cyberattack claimed by DragonForce ransomware: link.
- Crypto drainer steals $59 million from 63k people in Twitter ad push: link.
- Nissan Australia cyberattack claimed by Akira ransomware gang: link.
- Ubisoft says it's investigating reports of a new security breach: link.
- Mint Mobile discloses new data breach exposing customer data: link.
- GTA 5 source code reportedly leaked online a year after Rockstar hack: link.
- Integris Health patients get extortion emails after cyberattack: link.
- Yakult Australia confirms 'cyber incident' after 95 GB data leak: link.
- Panasonic discloses data breach after December 2022 cyberattack: link.
- Eagers Automotive halts trading in response to cyberattack: link.
- Game mod on Steam breached to push password-stealing malware: link.
- Entertainment giant National Amusements says more than 82,000 affected by cyberattack: link.
Issues and fixes
- OpenAI rolls out imperfect fix for ChatGPT data leak flaw: link.
- Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers: link.
- Barracuda fixes new ESG zero-day exploited by Chinese hackers: link.
You probably use SSH to push code to GitHub, access servers, and more. So why is it such a pain to set up new keys? Well, fret no longer. You can now easily generate, store, and use SSH Keys directly from 1Password 8 and the built-in SSH agent. Securely sync your keys across devices, authenticate SSH workflows, and even sign code commits. (Sponsored)