Category: Uncategorized

According to a recent report, Finnish researcher Jouko Pynnönen discovered a cross-site scripting (XSS) vulnerability affecting Yahoo! Mail. This was the third time for Pynnönen to report an XSS flaw with Yahoo!. He discovered the flaw in December 2018, which he then reported to Yahoo!. In January, Yahoo! fixed the flaw and acknowledged Pynnönen’s efforts with a bug bounty of $10,000.

Read more about it here.

The Internet Corporation for Assigned Names and Numbers (ICANN) declared “an ongoing and significant risk” key parts of the Domain Name System (DNS) infrastructure. “There have been targeted attacks in the past, but nothing like this”. The attacks go back to 2017. “There isn’t a single tool to address this”, as ICANN called for an overall hardening of web defenses. ICANN urged broader implementation of DNSSEC to prevent traffic hijacking and to prevent internet users from being misdirected from intended websites.

Read more about it here.

Google recently began the rollout of the February 2019 Android security update, that addresses 42 issues. One of the vulnerabilities fixed could enable a remote attacker using a specially crafted PNG file to execute arbitrary code. That means, access to the device it is viewed on.

The vulnerability affects Android 7.0 and above versions. While Google has released a fix, the fix is currently available on for Pixel smartphones, the Pixel C tablet, and the Essential Phone.

What can you do in the meantime ? Don’t open an image, especially a PNG file received from an untrusted source. And apply the security update as soon as it becomes available.

Read more about it here.

According to the European Union Agency for Network and Information Security (ENISA) 2018 Threat Landscape Report, which was published on January 28, 2019, the cyber threat landscape changed significantly. The most important threat agent groups were cyber-criminals and state-sponsored actors. Monetization motives have contributed to the appearance of crypto-miners in the top 15 threats.

The main trends in the 2018’s cyberthreat landscape are:

• Mail and phishing messages have become the primary malware infection vector.
• Exploit Kits have lost their importance in the cyberthreat landscape.
• Cryptominers have become an important monetization vector for cyber-criminals.
• State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
• Skill and capability building are the main focus of defenders. Public organisations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents.
• The emergence of IoT environments remains a concern, due to missing protection mechanisms in low-end IoT devices and services. The need for generic IoT protection architectures/good practices remains pressing.

Read more about it here.

Security experts at Check Point Research discovered several cybersecurity flaws in popular online battle game Fortnite. One of the flaws is an OAuth account takeover vulnerability that could allow a remote attacker to take over gamer accounts, tricking players into clicking a specially crafted link.

Due to three vulnerability flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems at Facebook, Google+, Xbox Live and Sony PlayStationNetwork, to steal the user’s access credentials and take over their account.

Once the token has been obtained, the attacker could access personal information, buy in-game currency at the user’s expense, eavesdrop on and record players’ in-game chatter and background home conversations.

One way to minimize the thread of falling victim to such an attack is to use a two-factor authentication.

Checkpoint published a demo video of the attack:

Read more about it here.

Security experts at Pen Test Partners have discovered thousands of connected hot tubs are vulnerable to remote cyber attacks. Pen Test Partners, the UK security company that carried out the research, wrote: “Like most internet of things devices, the Wi-Fi module acts initially as in AP mode. The mobile app can connect as a client and control the tub locally. However, it can also configure the tub controller to be a client on your home network, so remote control from anywhere is possible through an API. The AP is open, no PSK, so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.”

Pen Test Partners e-mailed the manufacturer, Balboa Water Group, already in November 2018. The manufacture promised a fix by the end of February 2019.

Read more about it here.

A vulnerability in the Guardzilla All-in-One home video surveillance system could be exploited by users to watch Guardzilla footage of other users.

The GZ501W camera model contains a shared, hard-coded credential for Amazon Web Services Simple Storage Service (S3), which stores video footage. This means that any user of the Guardzilla All-in-One video surveillance system could access other users’ saved home videos.

While waiting for a patch, users should disable the cloud based storage function, or disconnect the device.

Read more about it here.

A new report published by non-profit Amnesty International details how threat actors are able to bypass 2FA (Two-Factor Authentication) that leverages a text (SMS) message as the second authentication factor.

The process is automated and the 2FA can be cracked within seconds.

Typically in a 2FA, when you open an account, you give the service – Google, Twitter, etc. – your mobile phone number. When you later login with your password, the service sends you a text (SMS) message, which you are prompted to enter. This serves as the second form of authentication.

Amnesty International reported widespread phishing of Google and Yahoo! mail accounts in the Middle East and North Africa throughout 2017 and 2018.

The attackers sent to the victims fake alarms, informing them that their account has been compromised, and asking them to urgently change their password. The phishing e-mail included a link that redirected victims to a well-crafted Google or Yahoo! Mail phishing web site. After the users entered their password, they were prompted to enter the code that was sent to them via SMS.

Read more about it here.

Marriott International Inc. announced it suffered a massive data breach, involving the theft of personal information from 500 million hotel guests. The breach lasted 4 years, possibly longer. Stolen information included a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some of the guests, payment information may have also been breached. The Marriott brand includes hotel chains such as Starwood, Westin, Sheraton, W Hotels and more.

Marriott is still investigating the root cause of the breach.

In the meantime, investigators suspect China is behind the data breach.

Marriott offered to pay for new passports for guests experiencing fraud following the data breach.

Read more about it here.

Security experts from Symantec discovered a malware, named FastCash Trojan, that was used by the Lazarus APT Group, in a string of attacks against ATMs across Asia and Africa. The hackers exploited an outdated, unsupported, version of IBM AIX, a flavor of the popular Unix operating system.

Lazarus is considered responsible for the massive 2017 WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the 2014 Sony Pictures hack.

“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”

Read more about it here.