By Anna Hammond
November 27, 2020
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
This week, Facebook dodged a pretty serious cybersecurity bullet. A couple of reports showed interesting links between stress and email data breaches, as well as the effects of vulnerability disclosure on exploitation and remediation. And a researcher described a relatively novel ransomware attack leveraging SEO.
Read on for details!
Salesforce released JARM, a TLS fingerprinting tool that has multiple applications. It can determine whether a group of servers has the same TLS configuration, whether they belong to the same cloud provider, and whether they are part of a malware command & control infrastructure. This is helpful both to defenders who want to identify malicious servers and to network engineers who want to verify the consistency of their TLS configuration.
Facebook Messenger bug allowed Android users to spy on each other
Facebook fixed a vulnerability in Facebook Messenger for Android that allowed callers to connect video and audio calls before callees accepted the call. This allowed for spying on people without their knowledge or permission. Natalie Silvanovich, who is part of Google’s Project Zero, reported the bug through Facebook’s bug bounty program and was rewarded with a $60,000 bounty, reflecting the severity of the bug.
Malware creates scam online stores on top of hacked WordPress sites
Search Engine Optimization (SEO) scams are not new, but they might be a new type of ransomware. An Akamai researcher heard of criminals poisoning search engine results for companies, then demanding ransoms to reverse the effects. He shows how such malware works by detailing a real attack against his WordPress honeypot.
Egress surveyed IT security leaders in the UK and US across different industries on data breach risks related to email use. The findings are interesting: 93% have experienced data breaches via outbound email in the last 12 months, with the most common root cause cited being “an employee being tired or stressed”, followed by “remote working”. So, phishing awareness training is important, but stress also plays a significant role. The more stressed an employee is, the more likely they are to click on the wrong file or link!
Responsible Exposure and What It Means for the Industry
Kenna Security analyzed 473 vulnerabilities from 2019 looking for links between their public disclosure and exploitation by criminals. Considering the ongoing debate on this topic, their findings are very interesting. For instance, attackers have a 47-day head start on average once an exploit is published. Also, disclosing exploits before a vulnerability is patched makes it harder for security teams to remediate it (even after patch publication!). This shows that publishing exploits isn’t the expected motivator for improving security, and responsible disclosure yields better results.
Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names
Alert: Multiple actors are attempting to exploit MobileIron vulnerability CVE 2020-15505
Passwords exposed for almost 50,000 vulnerable Fortinet VPNs
New Grelos skimmer variant reveals overlap in Magecart group activities, malware infrastructure
Google Project Zero to form ‘crystal ball’ forecast panel to help improve vulnerability disclosure
Facebook: Marking the 10th Anniversary of Our Bug Bounty Program
Fearing drama, Mozilla opens public consultation before worldwide Firefox DoH rollout
Google is rolling out end-to-end encryption for RCS in Android Messages beta
Microsoft’s new ‘Pluton’ security processor gets buy-in from Intel, AMD
Websites that use mix of HTTP, HTTPS schemes may break under new Chrome SameSite rules
IoT Cybersecurity Improvement Act Passed, Heads to President’s Desk
Romanian Duo Arrested For Running Malware Encryption Service To Bypass Antivirus Software
Baidu’s Android apps caught collecting sensitive user details
Yesterday it was announced that Intigriti has won the Rising Star award. The Rising Star 2020 by Deloitte ranks the fastest-growing tech companies in Belgium, based on their level of innovation, growth potential and scalability. Read more…