Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Between reports on 2020 attack trends and a new US Treasury policy on ransomware payments, this week’s security news were dominated by ransomware stories. That plus a new alarmingly creative phishing technique, and a couple of new tools to help increase your security posture.

Read on to know the details!

Notable Security News

Phishing with Worms – The Greatest Password Theft I’ve Ever Seen

This is the story of a phishing bot that quickly spread from one compromised email account like a worm. It looked at existing emails threads and replied with a link to a phishing page to capture credentials. If there is one takeaway from this read, it is the importance of using Multi-Factor Authentication in the enterprise.

Grindr fixed a bug allowing full takeover of any user account

A French researcher found a security flaw in Grindr that would’ve allowed attackers to easily hijack any Grindr account knowing only the user’s email address. After unsuccessful disclosure attempts, he reached out to Troy Hunt who helped convince Grindr to fix the issue. Now, Grindr is working on starting a new bug bounty program to make vulnerability reporting easier.

  Ransomware 2020: Attack Trends Affecting Organizations Worldwide

IBM X-Force reports the latest ransomware trends: Ransomware demands are increasing exponentially, with one in three being caused by Sodinokibi ransomware. Attacks now blend data theft and extortion with ransomware. Also, schools and universities are amongst the most attractive targets.

GitHub: Now our built-in bug checker gets these third-party code-scanning tools

Github rolled out a new Code Scanning feature to help developers identify security issues in their code when submitting it. It works on top of CodeQL, a technology by Github, and also allows leveraging third-party  static application security testing (SAST) tools.

Researchers Mixed on Sanctions for Ransomware Negotiators

US Treasury issued a warning that companies that facilitate ransomware payments to sanctioned cybercrime groups may face sanctions, while notifying law enforcement of such attacks will be considered a mitigating factor. Not everyone agrees this would discourage future ransomware payment demands.

Other Interesting News

Cybercrime

• How a Chinese malware gang defrauded Facebook users of $4 million

• UEFI malware rears ugly head again: Kaspersky uncovers campaign with whiff of China

• Microsoft: Iranian hackers actively exploiting Windows Zerologon flaw

• REvil ransomware deposits $1 million in hacker recruitment drive

• New Ttint IoT botnet caught exploiting two zero-days in Tenda routers

• ESET discovers a rare APT that stayed undetected for nine years

• Microsoft Office 365 Phishing Attack Uses Multiple CAPTCHAs

Vulnerabilities

• Male Chastity Device Comes with Massive Security Flaws

• Touch and go: Contactless payment security controls defeated by security researchers

• HP Device Manager exploit gave attackers full control over thin client servers

• Hackers claim they can now jailbreak Apple’s T2 security chip

• Infosec researchers pwned Comcast’s voice-activated remote control so it could snoop on household chit-chat

Reports

• APWG: SSL Certificates No Longer Indication of Safe Browsing

• Cyber scams and ransomware booming amid Covid-19 lockdowns – Europol

• Microsoft: Some ransomware attacks take less than 45 minutes

Responsible disclosure

• Swiss Post releases bug bounty safe harbor wording under Creative Commons license

• Google sets up research grant for finding bugs in browser JavaScript engines

• Google: Announcing the launch of the Android Partner Vulnerability Initiative

• Concluding the Azure Sphere Security Research Challenge, Microsoft Awards $374,300 to Global Security Research Community

Tech

• With API attacks rising, Cloudflare launches a free API security tool

• New service checks if your email was used in Emotet attacks

• Microsoft Exchange 2010 End of Support and Overall Patching Study

Misc.

• UK, French, Belgian blanket spying systems ruled illegal by Europe’s top court

• Five bar and cafe owners arrested in France for running no-log WiFi networks

Intigriti News

Red Bull rewards friendly hackers at the Intigriti platform in their own unique way

A few years ago Red Bull realised that writing policies does not hinder anyone in attacking the company. As they have a large, heterogenous structured and fast changing environment, taking care about security of all their public facing assets is nearly impossible. That’s why Red Bull decided that it’s better to invite “Friendly Hackers” (this is how they call security researchers) to hack them and share afterwards how they were able to do this. The alternative is being hacked anyway without knowing.

Read more

Intigriti wins ‘Cybersecurity Innovator of the Year’

The jury motivated their decision: “The emphasis in this category is on innovation, and Intigriti developed an innovative platform for ethical hackers. With Intigriti, the jury chose a Belgian company that manages to impress with that platform. The jury is of the opinion that it is not only about a very high-quality platform, but that the company can now also present good references. The recent funding round of more than 4 million euros proves that this young company is also ready for further growth. ”

Read more

Inti De Ceukelaire voted “IT Person of the Year”

Today it was announced that Inti de Ceukelaire (25), Head of Hackers at Intigriti, has been voted “IT Person of the Year” by Computable. He also has the honor of being the youngest winner ever. Inti has been selected from a long list of 55 Belgian candidates compiled by the magazine’s editors. The public votes were decisive for Computable to determine the final winner.

Read more

Intigriti Customer Story

What Telenet, UZ Leuven and an ethical hacker say about Intigriti’s ethical hacking and bug bounty platform.

“Intigriti offers an international platform, where ethical hackers have to register. That makes it more trustworthy for us as clients. They also offer a platform for ethical hackers to get recognition. There’s a hall of fame for where ethical hackers earn points for reporting issues and get a ranking accordingly.”

– Eric de Smedt, Manager Cyber Security, Telenet Group. Read more