By Anna Hammond
October 9, 2020
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
Between reports on 2020 attack trends and a new US Treasury policy on ransomware payments, this week's security news was dominated by ransomware stories. Add to that an alarmingly creative new phishing technique and a couple of new tools to help improve your security posture.
Read on for the details!
Phishing with Worms – The Greatest Password Theft I’ve Ever Seen
This is the story of a phishing bot that spread quickly from a single compromised email account, like a worm. It looked at existing email threads and replied to them with a link to a phishing page that captured credentials. If there is one takeaway from this read, it is the importance of using Multi-Factor Authentication in the enterprise.
Grindr fixed a bug allowing full takeover of any user account
A French researcher found a security flaw in Grindr that would’ve allowed attackers to easily hijack any Grindr account knowing only the user’s email address. After unsuccessful disclosure attempts, he reached out to Troy Hunt who helped convince Grindr to fix the issue. Now, Grindr is working on starting a new bug bounty program to make vulnerability reporting easier.
Ransomware 2020: Attack Trends Affecting Organizations Worldwide
IBM X-Force reports the latest ransomware trends: ransom demands are increasing exponentially, with one in three attacks being caused by Sodinokibi ransomware. Attacks now blend data theft and extortion with ransomware. Also, schools and universities are amongst the most attractive targets.
GitHub: Now our built-in bug checker gets these third-party code-scanning tools
GitHub rolled out a new Code Scanning feature to help developers identify security issues in their code when submitting it. It is built on top of CodeQL, a technology developed by GitHub, and also allows third-party static application security testing (SAST) tools to be plugged in.
Researchers Mixed on Sanctions for Ransomware Negotiators
The US Treasury issued a warning that companies that facilitate ransomware payments to sanctioned cybercrime groups may themselves face sanctions, while notifying law enforcement of such attacks will be considered a mitigating factor. Not everyone agrees this would discourage future ransomware payment demands.
How a Chinese malware gang defrauded Facebook users of $4 million
UEFI malware rears ugly head again: Kaspersky uncovers campaign with whiff of China
Microsoft: Iranian hackers actively exploiting Windows Zerologon flaw
REvil ransomware deposits $1 million in hacker recruitment drive
New Ttint IoT botnet caught exploiting two zero-days in Tenda routers
ESET discovers a rare APT that stayed undetected for nine years
Touch and go: Contactless payment security controls defeated by security researchers
HP Device Manager exploit gave attackers full control over thin client servers
Hackers claim they can now jailbreak Apple’s T2 security chip
APWG: SSL Certificates No Longer Indication of Safe Browsing
Cyber scams and ransomware booming amid Covid-19 lockdowns – Europol
Microsoft: Some ransomware attacks take less than 45 minutes
Swiss Post releases bug bounty safe harbor wording under Creative Commons license
Google sets up research grant for finding bugs in browser JavaScript engines
Google: Announcing the launch of the Android Partner Vulnerability Initiative
With API attacks rising, Cloudflare launches a free API security tool
Microsoft Exchange 2010 End of Support and Overall Patching Study
UK, French, Belgian blanket spying systems ruled illegal by Europe’s top court
Five bar and cafe owners arrested in France for running no-log WiFi networks
A few years ago Red Bull realised that writing policies does not hinder anyone from attacking the company. As it has a large, heterogeneous and fast-changing environment, securing all of its public-facing assets is nearly impossible. That's why Red Bull decided it is better to invite "Friendly Hackers" (this is what they call security researchers) to hack them and afterwards share how they were able to do so. The alternative is being hacked anyway without knowing it.
The jury explained its decision: "The emphasis in this category is on innovation, and Intigriti developed an innovative platform for ethical hackers. With Intigriti, the jury chose a Belgian company that manages to impress with that platform. The jury is of the opinion that it is not only about a very high-quality platform, but that the company can now also present good references. The recent funding round of more than 4 million euros proves that this young company is also ready for further growth."
Today it was announced that Inti de Ceukelaire (25), Head of Hackers at Intigriti, has been voted "IT Person of the Year" by Computable. He also has the honor of being the youngest winner ever. Inti was selected from a longlist of 55 Belgian candidates compiled by the magazine's editors. The public vote was decisive in determining Computable's final winner.
"Intigriti offers an international platform, where ethical hackers have to register. That makes it more trustworthy for us as clients. They also offer a platform for ethical hackers to get recognition. There's a hall of fame where ethical hackers earn points for reporting issues and get a ranking accordingly."
– Eric de Smedt, Manager Cyber Security, Telenet Group.