Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
This week’s news is all about a frightening Windows vulnerability some call “The Godzilla of bugs”, an impressive $288,500 bug bounty from Apple, the world’s first bug bounty loyalty program and the latest cybercrime attacks and trends. Read on for all the details!
Notable Security News
Microsoft released patches for 87 vulnerabilities. One of them, CVE-2020-16898, is a Remote Code Execution in the Windows TCP/IP stack, triggered by a crafted ICMPv6 Router Advertisement (the bug sits in the handling of the Recursive DNS Server, or RDNSS, option). It is rated critical with a 9.8/10 CVSS v3 score, and we haven’t heard the last of it, as it will likely be weaponized by Advanced Persistent Threat (APT) actors. Patch first; where that has to wait, Microsoft’s advisory offers an interim workaround of disabling ICMPv6 RDNSS per interface (netsh int ipv6 set int <interface index> rdnss=disable).
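As an added example that is not part of the original digest: a small detector for Router Advertisements carrying the malformed option shape associated with CVE-2020-16898. It assumes the public analyses of the bug, which describe the trigger as an RDNSS option (ND option type 25) whose Length field is even; a conforming RDNSS option is 1 unit of header plus 2 units per 16-byte address, so its Length is always odd and at least 3 (RFC 8106). The packets, helper names and the DNS address are constructed here for illustration, not captured traffic.

```python
"""Flag malformed RDNSS options in an ICMPv6 Router Advertisement.

Added example, not from the original post. It assumes the public analyses of
CVE-2020-16898: the trigger is an RDNSS option (type 25) whose Length is even,
which a conforming option never has. Sample packets below are constructed.
"""
import socket
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_MTU = 5
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)


def build_ra(options):
    """Constructed RA: ICMPv6 header (checksum left 0) + RA fields + ND options."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + b"".join(options)


def rdnss_option(length_units, addrs, pad=b""):
    """Build an RDNSS option with an explicit Length so malformed ones can be made."""
    body = struct.pack("!HI", 0, 3600) + b"".join(addrs) + pad  # reserved, lifetime, addrs
    if len(body) + 2 != length_units * 8:
        raise ValueError("body does not match declared Length")
    return bytes([OPT_RDNSS, length_units]) + body


def parse_nd_options(icmpv6):
    """Yield (type, length_units, body) per ND option; Length is in 8-octet units."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    off = 16
    while off < len(icmpv6):
        if off + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:
            raise ValueError("option Length 0 is forbidden (RFC 4861)")
        end = off + olen * 8
        if end > len(icmpv6):
            raise ValueError("option body truncated")
        yield otype, olen, icmpv6[off + 2:end]
        off = end


def suspicious_rdnss(icmpv6):
    """Return (length_units, reason) for every RDNSS option that is not well formed."""
    findings = []
    for otype, olen, _body in parse_nd_options(icmpv6):
        if otype != OPT_RDNSS:
            continue
        if olen < 3:
            findings.append((olen, "RDNSS Length below the minimum of 3"))
        elif olen % 2 == 0:
            findings.append((olen, "even RDNSS Length: CVE-2020-16898 trigger shape"))
    return findings


# Constructed samples (documentation prefix 2001:db8::/32 for the resolver address).
DNS_SERVER = socket.inet_pton(socket.AF_INET6, "2001:db8::53")
MTU_OPTION = bytes([OPT_MTU, 1]) + struct.pack("!HI", 0, 1500)

BENIGN_RA = build_ra([MTU_OPTION, rdnss_option(3, [DNS_SERVER])])
# Even Length: per the public analyses, the 8 trailing bytes land where the
# vulnerable parser expects the next option header (assumed, see lead-in).
EVEN_LEN_RA = build_ra([MTU_OPTION, rdnss_option(4, [DNS_SERVER], pad=b"\x00" * 8)])
SHORT_RA = build_ra([rdnss_option(2, [], pad=b"\x00" * 8)])

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_RA), ("even-length", EVEN_LEN_RA), ("short", SHORT_RA)]:
        print(name, suspicious_rdnss(pkt))
```

The check is deliberately structural rather than signature-based: it parses the option chain the way the receiver does and rejects the shapes RFC 8106 forbids, so it also catches truncated or zero-length options that a simple byte match would miss.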
A team of five seasoned bug bounty hunters hacked Apple for three months and discovered no less than 55 vulnerabilities. Apple rewarded them with payouts totaling $288,500. Their write-up shook the bug bounty community, because they published many of these findings with a wealth of technical detail.
Facebook has launched the world’s first loyalty program for bug bounty. Security researchers will be placed into tiers based on their bug reports and will be rewarded with bonuses on top of bounty awards.
The FBI and CISA are alerting about threat actors chaining VPN and Windows vulnerabilities to attack US government networks. Interestingly, they are combining legacy VPN vulnerabilities with the newer ZeroLogon privilege escalation (CVE-2020-1472), which highlights the importance of keeping systems up to date: an unpatched edge device gives the initial foothold, and an unpatched domain controller turns it into full domain compromise.
There are ongoing disputes amongst security professionals about the ethics of publishing Offensive Security Tools (OST). Some consider that it does more harm than good, since these tools are used by both ethical hackers and criminals. While this research does not settle the argument, it helps to understand which OSTs criminals use most, how they leverage them, and how that knowledge can be turned against them.
Other Interesting News
- TrickBot botnet survives takedown attempt, but Microsoft sets new legal precedent
- This stealthy hacker-for-hire group is using phishing, malicious apps and zero-day attacks against its victims
- FIN11 uncovered: Hacking group promoted to financial cybercrime elite
- RainbowMix apps generate $150,000 in daily ad fraud profit
- Microsoft warns of Android ransomware that activates when you press the Home button
- Bitcoin wallet update trick has netted criminals more than $22 million
- Google and Intel warn of high-severity Bluetooth security bug in Linux
- Fitbit allowed spyware on official app store – research
- ‘You’ve got the old cheeky Corona’: Ireland’s pandemic advice SMS service can be spoofed, warns researcher
- Concluding the Azure Sphere Security Research Challenge, Microsoft Awards $374,300 to Global Security Research Community & Why we invite security researchers to hack Azure Sphere
- Vulnerabilities in HashiCorp Vault could lead to authentication bypass
- Western governments double down efforts to curtail end-to-end encryption
- Creepy covert camera “feature” found in popular smartwatch for kids
- Chrome changes how its cache system works to improve privacy
- US healthcare provider pays $5 million in 2014 data breach settlement
- How to Avoid Amazon Prime Day Scams
Intigriti Customer Story
“We sell a lot of Jooki in the run up to Christmas. An intigriti researcher found a critical bug in our webstore a few months before. We were very grateful that we could patch and fix that bug so that we didn’t lose sales over the Christmas period.”
– Will Moffat, CTO MuuseLabs. Read more