By Anna Hammond
October 16, 2020
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
This week’s news is all about a frightening Windows vulnerability some call “The Godzilla of bugs”, an impressive $288,500 in bug bounties from Apple, the world’s first bug bounty loyalty program and the latest cybercrime attacks and trends. Read on for all the details!
Patch Tuesday: Microsoft remedies critical TCP/IP remote code execution bug
Microsoft released patches for 87 vulnerabilities. One of them, CVE-2020-16898, is a remote code execution bug in the IPv6 handling of the Windows TCP/IP stack, triggered by crafted ICMPv6 Router Advertisement packets. It is rated critical with a CVSS v3 score of 9.8/10, and we likely haven’t heard the last of it: a bug this reachable from the network is a prime candidate for weaponization by Advanced Persistent Threat (APT) actors.
A team of five seasoned bug bounty hunters hacked Apple for three months and found no fewer than 55 vulnerabilities. Apple rewarded them with payouts totaling $288,500. The report made waves in the bug bounty community because the researchers published many of their findings with a wealth of technical detail.
Facebook launches bug bounty ‘loyalty program’
Facebook has launched the world’s first loyalty program for bug bounty. Security researchers will be placed into tiers based on their bug reports and will be rewarded with bonuses on top of bounty awards.
The FBI and CISA are warning that threat actors are chaining VPN and Windows vulnerabilities to attack US government networks. Notably, they are combining older, already-patched VPN vulnerabilities with the newer ZeroLogon privilege escalation (CVE-2020-1472), which highlights the importance of keeping systems up to date.
Researchers map threat actors’ use of open source offensive security tools
There is an ongoing dispute among security professionals about the ethics of publishing Offensive Security Tools (OSTs). Some argue that it does more harm than good, since the same tools are used by both ethical hackers and criminals. While this research does not settle the argument, it helps us understand how criminals leverage OSTs, which ones are used most, and how that knowledge can be turned against them.
TrickBot botnet survives takedown attempt, but Microsoft sets new legal precedent
FIN11 uncovered: Hacking group promoted to financial cybercrime elite
Microsoft warns of Android ransomware that activates when you press the Home button
Bitcoin wallet update trick has netted criminals more than $22 million
Concluding the Azure Sphere Security Research Challenge, Microsoft Awards $374,300 to Global Security Research Community & Why we invite security researchers to hack Azure Sphere
Vulnerabilities in HashiCorp Vault could lead to authentication bypass
Western governments double down efforts to curtail end-to-end encryption
Creepy covert camera “feature” found in popular smartwatch for kids
Chrome changes how its cache system works to improve privacy
“We sell a lot of Jooki in the run up to Christmas. An intigriti researcher found a critical bug in our webstore a few months before. We were very grateful that we could patch and fix that bug so that we didn’t lose sales over the Christmas period.”
– Will Moffat, CTO, MuuseLabs