By Anna Hammond
October 23, 2020
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
This week’s reports are the perfect occasion to get up-to-date with cyber criminal trends and the favorite vulnerabilities of state-sponsored hackers. Also, don’t forget to patch, encrypt credit card data and use MFA, or else… it’ll be £20m for the data breach!
Read on to know the details!
British Airways fined £20m for Magecart hack that exposed 400k folks’ credit card details to crooks
The UK’s Information Commissioner’s Office issued its biggest fine ever to British Airways over the theft of 400,000 customers’ data in 2018. The company was compromised through a Citrix vulnerability, stored credit card data without encryption and did not enforce usage of Multi-Factor Authentication for employees.
The European Union Agency for Cybersecurity published its 8th annual Threat Landscape report, which is divided into 22 reports. An interesting read for both technical and non-technical audiences, to understand the top 15 threats in 2020 and how attackers have been adapting and evolving in the context of COVID-19.
Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities
The NSA published a list of the top 25 vulnerabilities currently being exploited by Chinese hackers. They all have patches available and many have public exploits. As they are also targeted by criminals and nation-state actors from other countries, it is essential to get familiar with them whether you are a defender or a red teamer/penetration tester.
UK urges orgs to patch severe CVE-2020-16952 SharePoint RCE bug
CVE-2020-16952 is a Microsoft SharePoint Remote Code Execution Vulnerability that was part of last week’s Patch Tuesday. The U.K. National Cyber Security Centre is urging organisations to patch it, as exploits were just published.
Seven mobile browsers vulnerable to address bar spoofing attacks
Rafay Baloch and Rapid7 disclosed ten new address bar spoofing vulnerabilities affecting seven mobile browser apps including Apple Safari and Opera Touch. These vulnerabilities would have allowed a malicious site to modify its URL in the address bar and show a fake one instead, which can make phishing pages look legitimate.
Barnes & Noble hit by Egregor ransomware, strange data leaked
Three npm packages found opening shells on Linux, Windows systems
Overlay Malware Targets Windows Users with a DLL Hijack Twist
UK says Russia was preparing cyber-attacks against the Tokyo Olympics
MobileIron enterprise MDM servers under attack from DDoS gangs, nation-states
New Google Chrome version fixes actively exploited zero-day bug
T2 exploit team demos a cable that hacks Mac without user intervention
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
Google says it mitigated a 2.54 Tbps DDoS attack in 2017, largest known to date
How we’re tackling evolving online threats – Updates from Threat Analysis Group (TAG)
The Geography of BEC: The Global Reach of the World’s Top Cyber Threat
Political campaign emails contain dark patterns to manipulate donors, voters
Microsoft unveils plans for Project Zero-style Chromium research program
New HP Bug Bounty Program Targets Vulns in Printer Cartridges
Security much? Twitter should have had a CISO to prevent Bitcoin hack, says US state financial body & Twitter Investigation Report
Microsoft says it took down 94% of TrickBot’s command and control servers
US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks
German police raid tech firm FinFisher over spyware allegations