Weekly Cyber Security News 06/09/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. A great example of (half) forgotten linked app this week via, quite unforgettably, from the Twitter CEO. I’m sure we all have linked services together as authentication of to bridge a data conduit just to do a trial or something and neglected to remove it afterwards. Well…. That lapse could come back to bite in the future. Regular reviews, which are quite honestly easily forgotten should be the norm. What about if the services put out a reminder that you have such connections that have been unused for a while?

• About the Twitter CEO ‘@jack hack’

Many of us have been sold on the idea that chip-and-pin is the way forward from card fraud however…

• German bank loses $1.5 million in mysterious cashout of EMV cards

It was inevitable that that deep-fakes would eventually be used in fraud. This one is perhaps the first of many. Stay alert!

• CEO voice deepfake blamed for scam that stole $243,000

 

The rest of the news:

• A huge database of Facebook user’s phone numbers found online

• Data Leak Hits 2.5 Million Customers of Cosmetics Giant Yves Rocher

• DK-Lok data breach exposes global enterprise client data, internal emails

• Foxit Software discloses a data breach that exposed user passwords

• Update on Pearson Breach: Parent Files Class-Action Suit After Data Breach Exposes Nearly 1 Million Schoolchildren’s Personal Information

• XKCD forum goes offline after discovery of data leak affecting 562K members

• 15 Chinese Arrested for Bribing Internet Caf? Administrators to Mine Crypto

• Android Zero-Day Bug Does Not Make It on Google’s “Fix” List

• Belarusian police shut down notorious hacking forum

• Enjoy the holiday weekend, America? Well-rested? Good. Supermicro server boards can be remotely hijacked

• Fake BleachBit Website Built to Distribute AZORult Info Stealer

• Hacked SharePoint Sites Used to Bypass Secure Email Gateways

• Meet Domen, a New and Sophisticated Social Engineering Toolkit

• Newb admits he ran Satori botnet that turned thousands of hacked devices into a 100Gbps+ DDoS-for-hire cannon

• PDF Reader Biz Breached: Foxit Forces Password Reset

• Phishing Campaign Used SharePoint to Bypass Email Perimeter Tech

• Survey Reveals Kubernetes Usage Skyrocketing, but Security Concerns Remain

• Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket

• Today’s data whoopsie is brought to you by CircleCI: Source safe, but look out for phishers

• TrickBot Bypasses Secure Email Gateway Using Google Docs Phishing

• USB4 is coming soon and will (mostly) unify USB and Thunderbolt

• WordPress 5.2.3 Patches Several XSS Vulnerabilities

• WordPress sites under attack as hacker group tries to create rogue admin accounts

• Year-Old Samba Bug Allows Access to Forbidden Root Share Paths

• Coin-mining malware jumps from ARM IoT gear to Intel servers

• Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn The zero-day vulnerability could enable privilege escalation, and is not part of Google’s Android September security update.

• Facebook Drops Default Facial Recognition Tag Suggestions Facebook will not allow users to _opt out_ of its face recognition feature.

• Google finds malicious sites pushing iOS exploits for years

• Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps

• Stealthy Android Trojan Spy Signs You Up For Premium Subscriptions

• Astaroth Trojan Uses Cloudflare Workers to Bypass AV Software

• How MuleSoft patched a critical security flaw and avoided a disaster

• Zyxel Devices Can Be Hacked via DNS Requests, Hardcoded Credentials