Researcher: I Hacked Trump’s Twitter by Guessing Password
Dutch ethical hacker Victor Gevers claims it only took five attempts to guess the password to President Donald Trump’s Twitter account — “maga2020!”. That’s all he needed to hijack the @realdonaldtrump handle, according to a report from Dutch newspaper de Volkskrant, because it lacked even the most...
Facebook, News and XSS Underpin Complex Browser Locker Attack
A sophisticated “browser locker” campaign is spreading via Facebook, ultimately pushing a tech-support scam. The effort is more advanced than most, because it involves exploiting a cross-site scripting (XSS) vulnerability on a popular news site, researchers said. Browser lockers are a type of...
Microsoft Teams Phishing Attack Targets Office 365 Users
Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials. Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote...
Chrome 86 Aims to Bar Abusive Notification Content
Google has added a new feature to Chrome 86 that aims to stomp out abusive notification content. Web notifications are utilized for a variety of applications – such as prompting site visitors to sign up for newsletters. However, they can also be misused for phishing, malware or fake messages that...
Feds: Iran Behind 'Proud Boys' Email Attacks on Democratic Voters
Federal officials claim that Iranian threat actors are behind two separate email campaigns that assailed Democratic voters this week with threats to “vote for Trump or else.” The campaigns claimed to be from violent extremist group Proud Boys. Two specific email campaigns — one on Tuesday Oct. 20...
Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks
Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups. That’s according to the National Security Agency (NSA), which released a “top 25”...
Cisco Warns of Severe DoS Flaws in Network Security Software
Cisco has stomped out a slew of high-severity vulnerabilities across its lineup of network-security products. The most severe flaws can be exploited by an unauthenticated, remote attacker to launch a passel of malicious attacks — from denial of service (DoS) to cross-site request forgery (CSRF). The...
Oracle Kills 402 Bugs in Massive October Patch Update
Business software giant Oracle is urging customers to update their systems in the October release of its quarterly Critical Patch Update (CPU), which fixes 402 vulnerabilities across various product families. Well over half (272) of these vulnerabilities open products up to remote exploitation withou...
Egregor Claims Responsibility for Barnes & Noble Attack, Leaks Data
The Egregor ransomware gang has reportedly taken responsibility for the Barnes & Noble cyberattack, first disclosed on Oct. 15. The bookseller warned last week that it had been hacked in emailed notices to customers, noting that a cyberattack happened on Oct. 10, “which resulted in unauthorized a...
Cybercriminals Step Up Their Game Ahead of U.S. Elections
With the U.S. presidential elections a mere few weeks away, the security industry is hyper-aware of security vulnerabilities in election infrastructure, cyberattacks against campaign staffers and ongoing disinformation campaigns. Past direct hacking efforts, such as the attack on the Democratic...
Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser
Google released an update to its Chrome browser that patches a zero-day vulnerability in the software’s FreeType font rendering library that was actively being exploited in the wild. Security researcher Sergei Glazunov of Google Project Zero discovered the bug, which is classified as a type of...
Ransomware Group Makes Splashy $20K Donation to Charities
The Darkside ransomware group has distinguished itself from its cybercriminal counterparts not by technical innovation, but by slapping a shiny corporate veneer on its attacks. The latest evolution in Darkside’s ransomware-as-a-corporation gimmick is a hefty $20,000 donation that the group made...
Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio
Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Adobe Illustrator was hit the hardest. There are 16 critical bugs, all of which allow arbitrary code execution in the context o...
Facebook: A Top Launching Pad For Phishing Attacks
Facebook has been a top cybercriminal favorite in phishing attacks so far this year, with recent research shedding light on 4.5 million phishing attempts that have leveraged the social media platform between April and September 2020. Behind Facebook, messenger app WhatsApp is the second-top...
Pharma Giant Pfizer Leaks Customer Prescription Info, Call Transcripts
UPDATE Pharma giant Pfizer has leaked the private medical data of prescription-drug users in the U.S. for months or even years, thanks to an unprotected Google Cloud storage bucket. The exposed data includes phone-call transcripts and personally-identifiable information (PII), according to...
Office 365 OAuth Attack Targets Coinbase Users
Office 365 users are receiving emails purporting to come from cryptocurrency platform Coinbase, which ask them to download updated Terms of Service via an OAuth consent app. But when they agree to do so, users are unknowingly giving attackers full access to their email. OAuth is an open standard...
Mobile Browser Bugs Open Safari, Opera Users to Malware
A set of address-bar spoofing vulnerabilities that affect a number of mobile browsers open the door for malware delivery, phishing and disinformation campaigns. The bugs, reported by Rapid7 and independent researcher Rafay Baloch, affect six browsers, ranging from the common Apple Safari, Opera...
Confronting Data Risk in the New World of Work
As IT and security professionals, COVID-19 pushed most of us into a “just make it work” mode for much of 2020. We quickly scaled up the use of collaboration platforms like Zoom, Microsoft Teams, Google Meet and Slack, recognizing that circumstances demanded some short-term risk tolerance. It’s...
Google’s Waze Can Allow Hackers to Identify and Track Users
A security researcher has discovered a vulnerability in Google’s Waze app that can allow hackers to identify people using the popular navigation app and track them by their location. Security DevOps engineer Peter Gasper discovered an API flaw in the navigation software that allowed him to track...
Rapper Scams $1.2M in COVID-19 Relief, Gloats with 'EDD' Video
Rapper Fontrell Antonio Baines, who goes by the stage name “Nuke Bizzle,” made his first appearance in U.S. District Court in downtown Los Angeles on Friday after being charged with fraudulently applying for more than $1.2 million in jobless benefits under the Coronavirus Aid, Relief and Economic...
DOJ Charges 6 Sandworm APT Members in NotPetya Cyberattacks
The Department of Justice (DOJ) on Monday announced charges against six Russian nationals who are allegedly tied to the Sandworm APT. The threat group is believed to have launched several high-profile cyberattacks over the past few years – including the destructive NotPetya cyberattack that targete...
GravityRAT Comes Back to Earth with Android, macOS Spyware
The criminals behind GravityRAT spyware have rolled out new macOS and Android variants for the first time. The GravityRAT remote access trojan has been around since at least 2015, according to researchers from Kaspersky, but it has mainly focused on Windows operating systems. The last piece of...
Overlay Malware Targets Windows Users with a DLL Hijack Twist
Brazilians are being warned of a new overlay malware targeting Windows users in order to siphon victims’ financial data and drain their bank accounts. Researchers say what the malware, dubbed Vizom, lacks in sophistication it makes up for in its creative abuse of the Windows ecosystem. Trusteer, ...
Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack
The Ryuk threat actors have struck again, moving from sending a phishing email to complete encryption across the victim’s network in just five hours. That breakneck speed is partially the result of the gang using the Zerologon privilege-escalation bug (CVE-2020-1472), less than two hours after the...
Microsoft Exchange, Outlook Under Siege By APTs
New, sophisticated adversaries are switching up their tactics in exploiting enterprise-friendly platforms — most notably Microsoft Exchange, Outlook Web Access (OWA) and Outlook on the Web – in order to steal business credentials and other sensitive data. Both Microsoft’s Exchange mail server and...
Game Titles Watch Dogs: Legion, Albion Both Targeted by Hackers
A ransomware gang that just emerged this month dubbed Egregor claims to have hacked the source code to the upcoming gaming release, Watch Dogs: Legion. And in separate gaming news, a popular fantasy title called Albion — a massive multiplayer online role-playing game (MMORPG) — has been hacked...
Microsoft is the Most-Imitated Brand for Phishing Emails
Microsoft is top of the heap when it comes to hacker impersonations – with Microsoft products and services featuring in nearly a fifth of all global brand phishing attacks in the third quarter of this year. That’s according to Check Point, which found that the computing giant leapt from fifth pla...
Phishers Capitalize on Headlines with Breakneck Speed
The speed with which phishers are able to adapt to new messaging based on the latest headlines is accelerating, according to the Proofpoint Threat Research Team, which was able to track backend data from a recent voter-registration scam to uncover just how quickly cybercriminals can pivot to...
Microsoft Fixes RCE Flaws in Out-of-Band Windows Update
Microsoft has issued out-of-band patches for two “important” severity vulnerabilities, which if exploited could allow for remote code execution. One flaw (CVE-2020-17023) exists in Microsoft’s Visual Studio Code, a free source-code editor made by Microsoft for Windows, Linux and macOS. The other...
Biden Campaign Staffers Targeted in Cyberattack Leveraging Antivirus Lure, Dropbox Ploy
Hackers sent Joe Biden’s presidential campaign staffers malicious emails that impersonated anti-virus software company McAfee, and used a mix of legitimate services such as Dropbox to avoid detection. The emails were an attempt to steal staffers’ credentials and infect them with malware. The...
Phishing Lures Shift from COVID-19 to Job Opportunities
Cybercriminals cashed in on the surge of COVID-19 earlier this year, with email lures purporting to be from healthcare professionals offering more information about the pandemic. However, as the year moves forward, bad actors are continuing to swap up their attacks with savvy lures that match...
Dickey's BBQ Breach: Meaty 3M Payment Card Upload Drops on Joker's Stash
Popular U.S. smoked-meat franchise Dickey’s Barbecue Pit has been hit with a data breach, with cybercriminals posting the fat cap of the compromised data – 3 million payment cards – on the popular Joker’s Stash underground marketplace this week. The Dallas-based franchise, which is a subsidiary o...
TikTok Launches Bug Bounty Program Amid Security SNAFUs
TikTok has expanded its vulnerability disclosure policy to include a global bug-bounty program through a partnership with the ethical hacker platform HackerOne. The bug-bounty program launch signals a new direction for the Chinese-owned video-sharing app, which has been much maligned for its...
News Wrap: Barnes & Noble Hack, DDoS Extortion Threats and More
The Threatpost editors break down the top security stories of the week ended Oct. 16, including: Patch Tuesday insanity, with Microsoft and Adobe releasing fixes for severe vulnerabilities – including a critical, potentially wormable remote code execution bug known as the “Ping of Death”; Barnes a...
Critical Magento Holes Open Online Shops to Code Execution
Two critical flaws in Magento – Adobe’s e-commerce platform that is commonly targeted by attackers like the Magecart threat group – could enable arbitrary code execution on affected systems. Retail is set to boom in the coming months – between this week’s Amazon Prime Day and November’s Black...
FIFA 21 Blockbuster Release Gives Fraudsters an Open Field for Theft
The hotly anticipated release of blockbuster video game FIFA 21 on Oct. 6, along with the return of professional play, are giving soccer fans reason to celebrate. And, unsurprisingly, cybercriminals are already figuring out how to capitalize. A report from researcher Christopher Boyd at...
Zoom Rolls Out End-to-End Encryption After Setbacks
Video-conferencing giant Zoom is rolling out a technical preview of its end-to-end encryption (E2EE) next week. Zoom has faced various controversies around its encryption policies over the past year, including several lawsuits alleging that the company falsely told users that it offers full...
Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts
UPDATE Broadvoice, a well-known VoIP provider that serves small- and medium-sized businesses, has leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite. The data includes hundreds of thousands of voicemail transcripts, many involving...
Barnes & Noble Hack: A Reading List for Phishers and Crooks
UPDATE Barnes & Noble is warning that it has been hacked, potentially exposing personal data for shoppers – and offering phishers an early holiday gift. The book purveyor sent out emailed notices to customers very late Wednesday night and in the wee hours of Thursday morning, warning that a...
Carnival Corp. Ransomware Attack Affects Three Cruise Lines
Hackers accessed personal information of guests, employees and crew for three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed. Carnival Cruise Line, Holland America Line and Seabourn were the brands...
Travelex, Other Orgs Face DDoS Threats as Extortion Campaign Rages On
Companies worldwide have continued to receive extortion emails threatening to launch a distributed denial-of-service (DDoS) attack on their network, unless they pay up – with British foreign-exchange company Travelex reportedly being one recent high-profile threat recipient. Researchers said that...
BEC Attacks: Nigeria No Longer the Epicenter as Losses Top $26B
A study of more than 9,000 instances of business email compromise (BEC) attacks all over the world shows that the number has skyrocketed over the past year, and that the social-engineering scam has expanded well beyond its historic roots in Nigeria. The report from Agari’s Cyber Intelligence Divisi...
Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
UPDATE A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said. The flaw (CVE-2020-5135) is a stack-based buffer overflow in the SonicWall...
Silent Librarian Goes Back to School with Global Research-Stealing Effort
The Silent Librarian campaign has re-emerged for the fall school session, actively targeting students and faculty at universities via spear-phishing campaigns. The threat group also known as TA407 and Cobalt Dickens, which operates out of Iran, has been on the prowl since the start of the 2019...
FIN11 Cybercrime Gang Shifts Tactics to Double-Extortion Ransomware
The FIN11 financial crime gang is shifting its tactics from phishing and credential-theft to ransomware, researchers said. According to FireEye Mandiant researchers, FIN11 is notable for its “sheer volume of activity,” known to run up to five disparate wide-scale email phishing campaigns per week...
Intel Adds Memory Encryption, Firmware Security to Ice Lake Chips
Intel’s third-generation Xeon Scalable server processors, code-named Ice Lake, will be rolled out with new security upgrades that the chip giant claims will better protect devices from firmware attacks. The upcoming chips are based on Ice Lake, Intel’s 10nm CPU microarchitecture, which was first...
Google, Intel Warn on 'Zero-Click' Kernel Bug in Linux-Based IoT Devices
Google and Intel are warning of a high-severity flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices. According to Google, the vulnerability affects users of Linux kernel...
Cybercriminals Steal Nearly 1TB of Data from Miami-Based International Tech Firm
Hackers have stolen nearly a terabyte of data from a Miami-based tech firm, leaking a number of the pilfered files including full credit-card information, scans of sensitive documents such as passports, bank statements and financial documents, and even customer databases on a Russian hacker forum...
October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug
Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable. There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public...
Lemon Duck Cryptocurrency-Mining Botnet Activity Spikes
Researchers are warning of a recent dramatic uptick in the activity of the Lemon Duck cryptocurrency-mining botnet, which targets victims’ computer resources to mine the Monero virtual currency. Researchers warn that Lemon Duck is “one of the more complex” mining botnets, with...