Round Up of Major Breaches and Scams
In a short press conference held today by the US Department of Justice, high-ranking officials with the US government claimed that Iran was behind a wave of emails sent to US voters earlier this week. Spoofing the identity of violent extremist group Proud Boys, the emails threatened registered Democrat voters with repercussions if they didn’t vote for Donald Trump in the upcoming US Presidential Election. The senders claimed to have “gained access into the entire [US] voting infrastructure,” but appeared to use public voter registration databases to target Democrat voters in Alaska, Arizona, and Florida.
The Forum of Incident Response and Security Teams (FIRST) has launched ethics guidelines for incident response and security teams. The group, consisting of Internet emergency response teams from 539 organizations worldwide, seeks to provide cybersecurity professionals with guidance on how to behave ethically during incidents. On the website for ethicsfIRST, there are 12 ethical duties listed and explained. They include duties of trustworthiness, confidentiality, transparency, team health, and evidence-based reasoning.
Criminals are impersonating the boss of a major British multinational retailer to trick victims into sharing their bank account details. Posing as Marks & Spencer CEO Steve Rowe, the scammers have posted fraudulent adverts online that promise victims the chance to win a gift voucher as part of a fictitious prize draw promotion. When victims click on the link in the ad, they are taken to an M&S-branded portal and asked to provide their name, address, mobile phone number, and bank details including sort code and account number.
Round Up of Major Malware and Ransomware Incidents
The Caribbean’s biggest conglomerate, Ansa McAl, is the victim of ransomware hackers holding some of the company’s IT systems hostage. Newsday understands that work at Tatil, the country’s biggest insurer, has been effectively stalled for about two weeks as the IT department works to find and expel the ransomware from the company’s servers.
Round Up of Major Vulnerabilities and Patches
Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities, with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups. That’s according to the National Security Agency (NSA), which released a “top 25” list of the exploits used most often by China-linked advanced persistent threat (APT) groups, among them Cactus Pete, TA413, Vicious Panda and Winnti.
For the second straight quarter this year, Oracle’s latest critical patch update (CPU) released this week contained more than 400 security patches addressing vulnerabilities in a wide range of the company’s product sets. With 402 patches, Oracle’s October 2020 CPU was slightly smaller than its previous one in July, which contained a record-breaking 444 security patches. But the October CPU addresses more security vulnerabilities across more products than the previous patch update.
Cisco has stomped out a slew of high-severity vulnerabilities across its lineup of network-security products. The most severe flaws can be exploited by an unauthenticated, remote attacker to launch a passel of malicious attacks — from denial of service (DoS) to cross-site request forgery (CSRF). The vulnerabilities exist in Cisco’s Firepower Threat Defense (FTD) software, which is part of its suite of network-security and traffic-management products.
Google has released Chrome version 86.0.4240.111 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome release notes and apply the necessary updates.
Starting with Chrome 86, Google is automatically hiding website notification spam on sites showing a pattern of sending abusive notification content to visitors. The “quiet notification permission UI” used to hide the web alert spam from users was introduced in Chrome 80 and improved in Chrome 84 with the addition of auto-enrollment in the notification anti-spam system for sites using deceptive patterns to request notification permissions.
Adobe has released a second out-of-band security update to fix critical vulnerabilities that impact numerous products of the IT giant. The flaws impact Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines. Adobe has patched seven critical vulnerabilities in Illustrator, including memory corruption and out-of-bounds read/write issues that can lead to arbitrary code execution.
The WordPress security team took a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin. WordPress sites running the Loginizer plugin were forcibly updated this week to Loginizer version 1.6.4. This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 82, Firefox ESR 78.4, and Thunderbird 78.4 and apply the necessary updates.