Security Snacks #3 – 2020 Threat landscape, Top 25 exploited vulnerabilities & The cost of a data breach

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

This week’s reports are the perfect occasion to get up-to-date with cyber criminal trends and the favorite vulnerabilities of state-sponsored hackers. Also, don’t forget to patch, encrypt credit card data and use MFA, or else… it’ll be £20m for the data breach!

Read on to know the details!

Notable Security News

British Airways fined £20m for Magecart hack that exposed 400k folks’ credit card details to crooks

The UK’s Information Commissioner’s Office issued its biggest fine ever to British Airways over the theft of 400,000 customers’ data in 2018. The company was compromised through a Citrix vulnerability, stored credit card data without encryption and did not enforce multi-factor authentication for employees.

ENISA Threat Landscape – 2020

The European Union Agency for Cybersecurity published its 8th annual Threat Landscape report, which is divided into 22 reports. An interesting read for both technical and non-technical audiences, to understand the top 15 threats in 2020 and how attackers have been adapting and evolving in the context of COVID-19.

Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities

The NSA published a list of the top 25 vulnerabilities currently being exploited by Chinese state-sponsored hackers. All of them have patches available and many have public exploits. As they are also targeted by criminals and nation-state actors from other countries, it is essential to become familiar with them whether you are a defender or a red teamer/penetration tester.

UK urges orgs to patch severe CVE-2020-16952 SharePoint RCE bug

CVE-2020-16952 is a Microsoft SharePoint Remote Code Execution Vulnerability that was fixed in last week’s Patch Tuesday. The U.K. National Cyber Security Centre is urging organisations to patch it now that exploit code has been published.

Seven mobile browsers vulnerable to address bar spoofing attacks

Rafay Baloch and Rapid7 disclosed ten new address bar spoofing vulnerabilities affecting seven mobile browser apps, including Apple Safari and Opera Touch. These vulnerabilities would have allowed a malicious site to replace the URL shown in the address bar with a fake one, which can make phishing pages look legitimate.

Intigriti Customer Story

Kinepolis Improves IT Security through a Global Network of Ethical Hackers

“Having access to intigriti’s global network of researchers was the missing piece of the security puzzle that we needed.”

– Bjorn Van Reet, CIO, Kinepolis Group.