Supply Chain Security: Managing a Complex Risk Profile
NYC — From Delta Airlines to Best Buy, a number of big-name companies were involved this year in data breaches – but even though their names made headlines, the actual security incidents occurred due to flaws in third-party partners. Across the board, companies are scratching their heads trying t...
Facebook Fined $11.3M for Privacy Violations
Facebook faces its second privacy-related fine in Europe, with the most recent action taken by the Italian Competition Authority. On Friday, Facebook was hit with two fines, totaling 10 million Euros (about $11.3 million), for violating Italy’s Consumer Code. The Italian Competition Authority ICA...
Zero-Day Bug Patched by Microsoft, Part of December Patch Tuesday
Microsoft has patched a zero-day vulnerability actively being used against older versions of the Windows operating system, as part of its December Patch Tuesday updates. According to the software giant, the vulnerability (CVE-2018-8611) is an elevation-of-privilege (EoP) bug that affects Windows 7...
Data Privacy Issues Trigger Soul Searching in Tech Industry
NEW YORK – For the tech industry, Facebook’s Cambridge Analytica scandal has led to a wave of self-examination when it comes to the culture around data collection and utilization – and what the price is for bad data privacy policies. While regulatory efforts, fines and consumer public sentiment...
Cobalt Group Pushes Revamped ThreadKit Malware
Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past...
Adobe December 2018 Security Update Fixes Reader, Acrobat
Adobe has patched 87 vulnerabilities for Acrobat and Reader in its December Patch Tuesday update, including a slew of critical flaws that would allow arbitrary code-execution. The scheduled update comes less than a week after Adobe released several out-of-band fixes for Flash Player, including a...
Biometrics: Security Solution or Issue?
NYC – With more transactions occurring online – and subsequently, the number of data breaches increasing – biometrics are moving to the forefront in discussions as a top way to authenticate data securely. However, challenges remain. The method is not yet being widely utilized by consumers or...
Linux.org Redirected to NSFW Page Spewing Racial Epithets
The Linux organization said late Friday that its main domain, Linux.org, was hacked and defaced in a DNS hijacking incident. The group said that someone was able to compromise the registrar account for the domain and point its DNS to another server — as well as lock administrators out from changi...
Women in Cyber Take the 2019 Spotlight
As the cybersecurity industry continues to struggle to meet a workforce gap – an estimated 3.5 million jobs are expected to remain unfilled by 2021 – it’s clear that encouraging women and those from diverse backgrounds to pursue careers in the field will be a key factor in staying ahead of the...
Google Accelerates Google+ Shutdown After New Bug Discovered
The discovery of a new API bug in Google+ has led Google to hasten the shuttering of its consumer version of the social-networking platform, the tech giant said Monday. Google was already in the process of shutting down Google+ after a different API software bug in the platform, disclosed in...
Sextortion Emails Force Payment via GandCrab Ransomware
An ongoing sextortion campaign targeting thousands around the United States infects victims with the GandCrab ransomware and demands $500 to decrypt their systems. Sextortion emails typically ask for money in order to keep silent about compromising adult websites that they supposedly looked at. B...
Old-School Bagle Worm Still Ready for Modern Spam Campaigns
The long-running Bagle worm, affecting Microsoft Windows machines, is still out there, a throwback to an earlier time. Also referred to as Beagle, Bagle contains a backdoor that listens on TCP port 6777 which is hardcoded in the worm’s body. This backdoor component provides remote access to the...
Volkswagen Giveaway Scam Peddles Ad Networks
A fake Volkswagen campaign is making its way across social media platforms, luring in victims with promises of a free Volkswagen car giveaway – but instead redirecting them to third-party ad servers. Victims are first sent messages via WhatsApp or Facebook, purporting to be from Volkswagen and...
ThreatList: Gift Card-Themed BEC Holiday Scams Spike
With cyber threats rampant between Black Friday and Christmas, security experts are warning of a wave of business-style email scams hitting inboxes designed to appeal to holiday shoppers. Attacks involve scam messages purporting to be gift card deals or links to corporate donations. According to...
Australia Anti-Encryption Law Triggers Sweeping Backlash
A controversial Australian bill, which could give the government access to data protected by end-to-end encryption, was passed Thursday. The bill, called the Assistance and Access Act, empowers Australian police to essentially force companies that are operating in the country to help the governme...
TA505 Crooks are Now Targeting US Retailers with Personalized Campaigns
Cybercriminals behind the notorious Dridex and Locky ransomware have a new target in their sights – large retail, restaurant and grocery chains located in the US. Researchers are warning the well-known financial criminal group TA505 is behind a new wave of email campaigns distributing personalize...
Using Fuzzing to Mine for Zero-Days
Fuzzing is a term that sounds hard to take seriously. But it needs to be, in light of today’s attack landscape. Fuzzing has traditionally been a sophisticated technique used by professional threat researchers to discover vulnerabilities in hardware and software interfaces and applications. They d...
Microsoft Calls For Facial Recognition Tech Regulation
As facial recognition continues to gain traction in public use cases, Microsoft on Thursday called for regulation of the technology, citing heightened concerns around privacy and consent. Over the past year, facial recognition technology has started to pop up in various government-related...
Infected WordPress Sites Are Attacking Other WordPress Sites
WordPress sites are being targeted in a series of attacks tied to a 20,000 botnet-strong army of infected WordPress websites. Behind the WordPress-on-WordPress assault is a widespread brute-force password attack leveraged through a Russian proxy provider and targeting a developer application...
Facebook Defends Data Policies On Heels of Incriminating Internal Docs
Facebook has found itself embroiled in yet another data privacy scandal. New internal documents released this week showed the social media giant promoting – and trying to keep secret – the collection of call logs and texts for Android app users. A slew of internal documents were dumped this week ...
White House Facial Recognition Pilot Raises Privacy Alarms
Privacy advocates are up in arms after the Department of Homeland Security unveiled a facial recognition pilot program for surveilling public areas surrounding the White House. The program, outlined last week, will use biometrics to confirm the identity of various U.S. Secret Service USSS...
Adobe Flash Zero-Day Leveraged Via Office Docs in Campaign
An Adobe Flash Player zero-day exploit has been spotted in the wild as part of a widespread campaign, researchers said on Wednesday. Adobe has just issued a patch for the previously unknown critical flaw. The vulnerability, CVE-2018-15982, is a use-after-free flaw enabling arbitrary code executio...
Kubernetes Flaw is a "Huge Deal," Lays Open Cloud Deployments
A critical privilege-escalation vulnerability (CVE-2018-1002105) has been uncovered in the Kubernetes open-source container software, which is a fixture in much of today’s cloud infrastructure. It could allow an attacker unfettered, remote access for stealing data or crashing production application...
Adobe Patches Zero-Day Vulnerability in Flash Player
Adobe on Wednesday released several unscheduled fixes for Flash Player, including a critical vulnerability that it said is being exploited in the wild. The critical vulnerability, CVE-2018-15982, is a use-after-free flaw enabling arbitrary code-execution in Flash. “Adobe has released security...
Google Chrome 71 Touts 43 Fixes, Fights Ad Abuse
Google officially lifted the curtain on Chrome 71 for Windows, Mac and Linux on Tuesday. The latest browser version touts new security features and a slew of fixes. Overall, Google issued 43 patches with the security update for Chrome 71. The newest version, 71.0.3578.80, included an array of hig...
1-800-Flowers Becomes Latest Payment Breach Victim
Those buying flowers for Mother’s Day or looking to send a plant for a birthday could find their thoughtful gestures reaping a crop of misery: Payment card data has been lifted from the Canadian online outpost of 1-800-Flowers, in an incident that has persisted for four years. The site’s operatin...
Google Patches 11 Critical RCE Android Vulnerabilities
Remote code-execution (RCE) vulnerabilities dominated Google’s December Android Security Bulletin. The flaws are part of a total of 53 unique bugs patched by the Android security team, with a total number of 11 critical bugs – six of which are RCE flaws tied to the operating system’s Media Framewor...
Quora Breach Exposes a Wealth of Info on 100M Users
Crowdsourced query site Quora is asking the question of “what happened?” in the wake of a massive data breach that impacts up to 100 million of its users. The hack exposed user names, email addresses, hashed passwords, direct message content and imported data from any networks that users linked t...
Magecart Group Ups Ante: Now Goes After Admin Credentials
A growing threat group within the Magecart family of criminals has evolved to skim data not only from website visitors – but also from site administrators as well. This new capability could allow Magecart bad actors to escalate attacks and infiltrate organizations, researchers said. The group in...
Lawsuit Claims Pegasus Spyware Helped Saudis Spy on Khashoggi
A well-known Saudi dissident previously targeted by the notorious Pegasus spyware has filed a lawsuit against that spyware’s authors, Israel-based NSO Group. The suit claims that Pegasus was instrumental in the Saudi government’s surveillance of Washington Post journalist Jamal Khashoggi leading ...
Chris Vickery on the Marriott Breach and a Rash of Recent High-Profile Hacks
The number of recent breaches from Marriott International, the United States Postal Service, Dell EMC and Dunkin’ Donuts have potentially exposed well over a half-billion customer records ranging from passport data, bankcard information to reward program specifics. Why the sudden influx on what h...
U.S. Military Members Catfished and Hooked for Thousands of Dollars
A sextortion ring that aimed “catfish” efforts at U.S. military service members has been uncovered. The scam bilked 442 service members from the Army, Navy, Air Force and Marine Corps out of more than $560,000. An 11-month investigation, dubbed “Operation Surprise Party” and carried out by the...
Lenovo Ordered to Pay $7.3M in Superfish Fiasco
A federal court has approved a super-sized payout fund for Lenovo, which will be required to create a $7.3 million reservoir, set aside for settling a class action lawsuit over surreptitious adware installations. Last week, the U.S. District Court for the Northern District of California granted...
iOS Fitness Apps Robbing Money From Apple Victims
Two apps that were posing as fitness-tracking tools were actually using Apple’s Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the “Fitness Balance App” and “Calories Tracker App.” Both apps looked normal, and served functions like calculating BMI, tracking...
YouTuber PewDiePie Promoted Via 50K Hacked Printers
A hacker claims to have commandeered 50,000 printers globally in order to print pamphlets promoting YouTube star “PewDiePie.” The alleged widespread hack sheds light on just how insecure printers are, and how precarious printer vulnerabilities could be when they offer an easy route into the...
Podcast: Breaking Down the Magecart Threat (Part Two)
Threatpost editor Lindsey O’Donnell talks to RiskIQ’s threat researcher, Yonathan Klijnsma, about the varying groups under the Magecart umbrella, and the differing characteristics, targets and techniques of these growing number of groups. This is the second in a series of three podcasts featuring...
Bing Warns VLC Media Player Site is ‘Suspicious’ in Likely False-Positive Gaffe
Microsoft’s Bing search engine warned its users the official VLC media player website was “suspicious” and dissuaded users from visiting the popular destination, suggesting the site contained “malicious software.” The site is no longer listed as unsafe. In a red warning message presented to users...
Newsmaker Interview: Katie Moussouris on Improving Bug Bounty Programs
Bug bounty programs continue to increase in popularity – but that popularity has its downsides. Since the launch of the Hack the Pentagon program in 2016, bug bounty programs have quickly grown in popularity. Bugcrowd’s State of Bug Bounty report this year found that the number of programs launch...
Marriott Hotel Data Breach: Ongoing Since 2014
UPDATE Marriott said that a massive data breach of its guest reservation system has left up to 500 million guests’ data exposed and available for the taking. Worse, the attackers may have had access to the systems for at least four years before being discovered. The hotel company said in a...
Critical Zoom Flaw Lets Hackers Hijack Conference Meetings
A serious vulnerability in Zoom’s desktop conferencing application could allow a remote attacker to hijack screen controls and kick attendees out of meetings. Researchers at Tenable who on Thursday released a proof of concept exploit for the unauthorized command execution flaw said that bug exist...
Cisco Patches Critical Bug in License Management Tool
Cisco Systems is warning of a critical bug in two of its license management tools that could allow an unauthenticated remote attacker to execute arbitrary queries. A successful attack could allow for an attacker to modify and delete random data in Cisco product lifecycle management applications...
Hackers Breach Dunkin' Donuts Accounts in Credential Stuffing Attack
A credential stuffing attack has allowed hackers to take a big bite out of Dunkin’ Donuts customer data. The donut giant announced Tuesday evening that a data breach in October may have led to customers’ personal information being compromised. Dunkin’ Brands Inc. in an advisory posted to its...
Dell Warns of Attempted Breach on Network
Dell EMC is warning its Dell.com customers of unauthorized activity on its network that occurred on Nov. 9 when it believes adversaries attempted to access names, email addresses and hashed passwords. In response, the company said that it has reset all Dell.com customer passwords. Dell said that...
Microsoft Warns of Two Apps That Expose Private Keys
Microsoft on Tuesday warned users that digital certificates were disclosed in two apps, which could allow a bad actor to remotely spoof websites or content. Headset software company Sennheiser HeadSetup, Microsoft said, had inadvertently installed the root certificates onto two apps, HeadSetup an...
ThreatList: Cryptominers Dominate Malware Growth in 2018
The number of cryptomining attacks increased by more than 83 percent in the past year, with more than 5 million people attacked with the malware in the first three quarters of 2018. That’s compared to 2.7 million people over the same period in 2017, according to stats from Kaspersky Lab. The firm...
FBI Sinkholes $38M Global Ad Fraud Operation
The FBI has taken control of 31 web domains in a widespread takedown of a multi-year, global ad fraud campaign, believed to have stolen at least $38 million, partly via a botnet strategy. In addition, eight defendants face a 13-count indictment from a federal court in Brooklyn in the case. The...
The Nature of Mass Exploitation Campaigns
We’ve all seen the movies where there’s a dark hooded figure sitting behind a keyboard entering a 3D virtualized representation of the internet. Focusing in on their target, the figure sees various bits of information about that person, from their birth date, to headshot of them stepping out of a...
Pegasus Spyware Targets Investigative Journalists in Mexico
The notorious state actor mobile spyware known as Pegasus has resurfaced, targeting the colleagues of a slain Mexican journalist who lived – and died – investigating drug cartels. Journalist Javier Valdez Cárdenas, founder of Río Doce, a Mexican newspaper known for investigating the narco trade,...
Cisco Re-Issues Patch For High-Severity WebEx Flaw
Cisco has re-issued a patch for a high-severity vulnerability in its WebEx Meetings platform, after researchers were able to bypass the first fix. The patch addresses a privilege-escalation vulnerability, CVE-2018-15442, in Cisco’s Webex Meetings Desktop App for Windows. The glitch exists in the...
Cheetah Mobile Blames SDKs for Rampant Ad Fraud in Its Android Apps
Cheetah Mobile is finding itself in a swirl of media attention after being accused of developing mobile apps that contain deliberate ad fraud features. But the mobile giant says it didn’t do it. The Chinese developer, which is listed as a top provider in Google Play’s tool app category, offers...