Weekly Cyber Security News 13/03/2020

A selection of this week’s more interesting vulnerability disclosures and cyber security news. For a daily selection see our twitter feed at #ionCube24

Lots of patching ahead for some folks….

• 48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks

• Critical Zoho Zero-Day Flaw Disclosed – A Zoho zero day vulnerability and proof of concept (PoC) exploit code was disclosed on Twitter.

Then again, for some, no patching for the UK court system it appears. When we all though Windows XP was gone and were almost rid of Windows 7, look what shows up:

• The Reg produces exhibit A1: A UK court IT system running Windows XP

 

Breach and attack galore to follow:

• European Electrical Energy Organization Discloses Breach

• Hackers Get $1.6 Million for Card Data from Breached Online Shops

• Open Exchange Rates Data Breach Affects Users of Well-Known Orgs

• University of Hertfordshire avoids data breach action by UK watchdog

• $100K Paid Out for Google Cloud Shell Root Compromise

• AMD processors from 2011 to 2019 vulnerable to two new attacks

• Android anti-virus products put to the test – which are the best at stopping new malicious apps?

• Avast disables JavaScript engine in its antivirus following major bug

• Card data from the Volusion web skimmer incident surfaces on the dark web

• Critical Vulnerabilities in SAP Solution Manager Expose Companies to Attacks

• Dating App Maker Match Group Backs US Bill Seen as Privacy Threat

• Firefox Bug Opens iPhone AirPods to Third-Party Snooping – Mozilla Foundation snuffs out bugs with the introduction of Firefox 74 and ESR 68.6.

• Flaws Riddle Zyxel’s Network Management Software – Over 16 security flaws, including multiple backdoors and hardcoded SSH server keys, plague the software.

• FYI: When Virgin Media said it leaked “limited contact info”, it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more

• Hackers Hack Hacking Tools to Hack Hackers

• Intel Patches 27 Vulnerabilities Across Product Portfolio

• Intel’s data center CPUs vulnerability could lead to “devastating” attacks

• Let”s Encrypt Will Not Replace 1 Million Bug-Affected Certificates

• Melbourne professor quits after health department pressures her over data breach

• Misconfiguration Accounts for 82% of Security Vulnerabilities

• More Than Half of IoT Devices Vulnerable to Severe Attacks – A full 98 percent of all IoT device traffic is unencrypted, exposing personal and confidential data on the network.

• NordVPN HTTP POST bug exposed customer information, no authentication required

• Phishing Attack Skirts Detection With YouTube – Attackers are using YouTube redirect links, whitelisted by various security defense mechanisms, to evade detection.

• Tracking Turla: New backdoor delivered via Armenian watering holes

• UK Cops Prevented £31m in Fraud in 2019

• Virgin Media Accused of Downplaying Security Incident

• WatchGuard Technologies to Acquire Panda Security

• Whisper, an anonymous secret-sharing app, failed to keep messages or profiles private

• WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites

• Zoho Working on Patch for Zero-Day Vulnerability in ManageEngine Product

• Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale

• Cookiethief Android malware uses proxies to hijack your Facebook account

• Google Stops Issuing Security Warnings About Microsoft Edge

• Spyware maker NSO runs scared from Facebook over WhatsApp hacking charges, fails to show up in court

• Google could have fixed 2FA code-stealing flaw in Authenticator app years ago

• Months-long trial of alleged CIA Vault 7 exploit leaker ends with hung jury: Ex-sysadmin guilty of contempt, lying to FBI

• That LVI CPU hole wasn’t the only Intel fix: Dozens of flaws patched to stop chips turning into potatoes