In the Nightfall InfoSec Roundup, we summarize the latest information security news, breaches, vulnerabilities & advancements. In this week's edition:
A Facebook update bug causes a user data leak.
The Citrix ADC vulnerability, which has yet to be patched, has a proof-of-concept exploit that hackers are likely already taking advantage of.
What to expect from Iranian state hackers or those who might conduct cyberattacks using their name.
Read these stories and other timely infosec news below.
Cyber Attacks & Breaches
Google Agrees to Pay US$ 7.5M Over Google+ Data Breaches (CISO Mag) January 10th
In a recent data leak incident, which exposed the private data of around 500,000 former Google+ users to outside developers, Google has agreed to pay US$7.5 million in a settlement to resolve a class-action lawsuit against the firm.
Microsoft contractors in China listened to Skype recordings with woefully bad levels of cybersecurity, report reveals (Business Insider) January 10th
An anonymous Microsoft contractor who worked grading audio snippets from Skype conversations and Cortana recordings revealed to the Guardian that "no security measures" were taken to protect graded Skype and Cortana recordings.
A Facebook Bug Exposed Anonymous Admins of Pages (Wired) January 10th
A recent Facebook update caused a bug that allowed anyone to easily reveal which accounts posted to Facebook Pages—including celebrities and politicians—for several hours.
Amazon fires employees for leaking customer email addresses and phone numbers (TechCrunch) January 10th
Amazon has fired a number of employees after they shared customer email addresses and phone numbers with a third-party in violation of Amazon policies.
Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? (The Register) January 9th
A white-hat hacker operating under the handle Lynx discovered a database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – served from a computer with a Chinese IP address.
Dixons Carphone fined £500,000 for massive data breach (The Guardian) January 9th
UK company Dixons Carphone has been hit with the maximum possible fine by the Information Commissioner’s Office (ICO) after its shops were compromised by a cyberattack that affected at least 14 million people.
US Samsung Pay users can't send money internationally after Travelex hack (Engadget) January 9th
Travelex's ransomware attack continues to affect people and businesses around the globe. Samsung Pay's international money transfer service -- which relies on the Travelex platform -- was suspended last week as a result of the issues faced by its partner.
Vulnerabilities & Exploits
Unpatched Citrix Flaw Now Has PoC Exploit (Threatpost) January 13th
Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. Over 25,000 servers globally are vulnerable to the critical Citrix remote code execution vulnerability (CVE-2019-19781).
Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability (ZDNet) January 10th
A team of four Danish security researchers has disclosed a security flaw that impacts cable modems that use Broadcom chips. The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer and is believed to impact an estimated 200 million cable modems in Europe alone.
A billion medical images are exposed online, as doctors ignore warnings (TechCrunch) January 10th
Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.
PayPal Confirms ‘High-Severity’ Password Security Vulnerability (Forbes) January 10th
PayPal has confirmed that researcher Alex Birsan found a high-severity security vulnerability that could expose user passwords to an attacker. Birsan discovered the high-severity vulnerability when he was "exploring" the main authentication flow at PayPal.
Threat Actor Abuses Mobile Sensor to Evade Detection (PhishLabs Blog) January 9th
In a recent campaign, PhishLabs discovered a new and unique evasion technique that abuses an experimental feature available in select web browsers, device motion and orientation events.
Mozilla patches Firefox zero-day as attackers exploit flaw (Computer World) January 9th
On Wednesday, Mozilla issued Firefox 72.0.1, which included one change: A patch for the vulnerability identified as CVE-2019-17026. "We are aware of targeted attacks in the wild abusing this flaw," Mozilla said in the short description of the flaw.
TikTok Riddled With Security Flaws (Threatpost) January 8th
Researchers say they have discovered several major vulnerabilities in the short form video app TikTok. The reported vulnerabilities come as scrutiny around the Chinese-owned platform increases. The most serious vulnerability in the platform could allow attackers to remotely take control over parts of victims’ TikTok account, such as uploading or deleting videos and changing settings on videos to make “hidden” videos public. Researchers also discovered a separate vulnerability that allowed them to obtain personal data of victims, such as email addresses and more.
Risks & Warnings
Why The Threat Of An Iranian Cyberattack Should Matter To Your Organization (Mondaq) January 10th
The ongoing Iran-US tensions, and potential for retaliatory cyberattacks, call attention to the need for all organizations to consider whether they are prepared to defend against a cyberattack. Of all the tools Tehran has to retaliate, including its large military, Iranian-backed proxies around the Middle East and robust disinformation operations, international experts believe there is a strong likelihood that Iran will utilize its well-known cyber-warfare capabilities to inflict further damage over time.
“That’s Where Things Get Really Scary:” Gaming Out an Iranian Cyberattack (Vanity Fair) January 9th
While several possible scenarios could manifest from the latest global conflict, the big worry in Washington right now isn’t simply what Iran might do, but what other countries, specifically Russia or North Korea or even China, could do and then blame Iran.
These will be the main cybersecurity trends in 2020 (World Economic Forum) January 7th
Dorit Dor, product VP at Check Point Software Technologies, forecasts five major trends for cybersecurity in the coming year.
Protecting manufacturing from cyber breaches (TechRadar) January 7th
Manufacturing has been revolutionized by the development of increasingly sophisticated and connected operational technology (OT). But as with any integration, there are always going to be teething problems. The crucial bump in the road towards Industry 4.0 is cybersecurity. OT systems have rarely been subject to the same upgrade and replacement cycles as their IT systems and connecting OT to the wider network brings with it all of the security risks to which IT has been beholden for decades.