When It Comes To IoT Security, Liability Is Muddled
BOSTON—From hacked connected cars to power grids, the implications of IoT security issues seem to be getting graver – yet when it comes to pointing fingers for security troubles, many times victims don’t even know where to start. IoT experts at the Security of Things Forum today said that a...
Olympic Destroyer Returns to Target Biochemical Labs
Olympic Destroyer, the threat actor that caused a crippling sabotage attack on the networks supporting this year’s Winter Games in Pyeongchang, South Korea, has resurfaced with a spy campaign – and with a wider target range. The new campaign began last month and is ongoing, employing spear-phishi...
“Unbreakable” Smart Lock Tapplock Issues Critical Security Patch
Tapplock, a smart padlock that received positive reviews and media hype when it was released earlier this year, has issued a critical patch after researchers discovered several security issues enabling them to easily hack into and unlock the device. The $100 lock is Bluetooth-based and can be...
Google Home, Chromecast Leak Location Information
Google Home and Chromecast devices allow attackers to uncover the precise physical locations of the connected gadgets thanks to two common internet of things issues present in both. A fix from Google is incoming in July. At issue is, like many other IoT devices, they don’t require authentication...
macOS QuickLook Feature Leaks Data Despite Encrypted Drive
Researchers are cautioning macOS users that not all the data they store on their encrypted hard drive is protected. In a report published Monday, Apple security expert Patrick Wardle revealed that a macOS feature called QuickLook stores unprotected previews of images and other file types. “Apple...
22K Open, Vulnerable Containers Found Exposed on the Net
More than 22,000 container orchestration and API management systems are unprotected or publicly available on the internet – highlighting the reality of the risks of operating workloads in the cloud. According to research from Lacework, the containers Kubernetes, Mesos, Docker Swarms and more suff...
Axis Cameras Riddled With Vulnerabilities Enabling “Full Control”
A slew of vulnerabilities in Axis cameras could enable an attacker to access camera video streams, control the camera, add it to a botnet or render it useless. Researchers at VDOO, who disclosed the vulns on Monday, recommended that customers update immediately after finding that more than 400 Ax...
Vermont Librarian Wins Small-Claims Suit Against Equifax
In a David-and-Goliath moment, a 49-year-old librarian has won damages against credit giant Equifax, in the wake of its head-spinningly massive 2017 data breach. It’s a small but significant victory: a small claims court awarded $600 to Jessamyn West, native of the small town of Randolph in Orang...
WannaCry Kill Switch Hero Faces New Charges, But Code Evals Say Little
A fresh FBI charge against Marcus Hutchins has led to the Kronos banking trojan and the UPAS Kit backdoor being linked in the news over the past week. However, a fresh analysis this week shows that, at least on a code level, the similarities and differences between the two are far from conclusive...
New Banking Trojan Can Launch Overlay Attacks on Latest Android Versions
Researchers have discovered a new Android banking trojan that holds striking similarities to the infamous Lokibot – but packed with new tricky features, most notably its ability to implement an overlay attack on Android 7 and 8. Researchers at ThreatFabric, who discovered the trojan, said...
Apple Removes iPhone USB Access Feature, Blocking Out Hackers, Law Enforcement
Apple said an upcoming iOS software update will remove the infamous iPhone USB access feature, blocking out both hackers – and law enforcement – from accessing a locked phone’s data via the device port. Apple confirmed that new upcoming default settings will disable the iPhone’s Lightning port, i...
U.S. Intelligence Cautions World Cup Travelers on Mobile Use
The 2018 FIFA World Cup is kicking off in Russia today, with at least 1 million visitors expected to travel to Moscow alone to take in the world’s biggest sporting event in person. But the event will feature more than just breathtaking goals and soccer superstars: According to researchers and at...
Podcast: The Growing Social Media Threat Landscape
Facebook’s Cambridge Analytica scandal in March was just the tip of the social-media iceberg, as malware, hacks and basic privacy concerns continue to increase on social-media platforms. Threatpost’s Lindsey O’Donnell talks with Zack Allen, ZeroFOX’s manager of threat operations, about the threat...
Malicious Docker Containers Earn Cryptomining Criminals $90K
UPDATE Seventeen malicious Docker containers earned cryptomining criminals $90,000 in 30 days in what could be a harbinger of things to come. The figure may seem tame compared to some of the larger paydays that cryptojackers have earned. But, researchers at Kromtech Security Center warn container...
Microsoft Reveals Which Bugs It Won’t Patch
Microsoft has put out initial clarification around which bugs it will rapidly patch, and which ones must wait for a new product release – and which ones it won’t address at all. In a draft document posted online on Tuesday, the software giant laid out the criteria that the Microsoft Security...
Two Bugs in WordPress Tooltipy Plugin Patched
WordPress has issued fixes for two bugs rated “medium” in its tooltips plugin, including one that can allow bad actors to do anything an administrative user would be able to do on a WordPress site. The Tooltipy plugin allows users to automatically create responsive “tooltip” boxes for technical...
Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist
A cyberattack against Chile’s largest financial institution last month, which reportedly destroyed 9,000 workstations and 500 servers, was actually cover for a larger plot to compromise endpoints handling transactions on the SWIFT network. When the dust settled on the attacks, investigators said...
Dixons Carphone Cyberattack Targets 5.9M Bank Cards
European electronic and telecom retailer Dixons Carphone has discovered a massive cyber-attack that may have compromised millions of payment cards and personal data records, it said Wednesday. The U.K.-based retail giant, whose subsidiaries include Carphone Warehouse, Currys, PC World, Elkjøp and...
June Patch Tuesday: Microsoft Issues Critical Fixes for DNS, Cortana
Microsoft has fixed 11 critical bugs in its June Patch Tuesday update, including a Windows DNS-related remote code execution flaw. It also patched an easily exploitable problem in the Cortana voice engine. One of the most serious issues is a critical remote code execution vulnerability...
Android Devices With Misconfigured ADB, a Ripe Target for Cryptojacking Malware
Poorly configured Android devices, where the Android Debug Bridge is left enabled, have become an attractive target for hackers. According to researchers, adversaries are using the common misconfiguration to install cryptojacking malware on a wide selection of Android-based IoT devices ranging fr...
Bypass Glitch Allows Malware to Masquerade as Legit Apple Files
Masquerading as an official Apple system file sounds like a wonderful way for malware to worm its way onto Macs – and a recently discovered code-signing bypass flaw allows bad code to do just that. The way some developers have implemented Apple’s official code-signing API can be exploited by...
FBI’s BEC Crackdown Leads To 74 Arrests Globally
The FBI announced Monday the results of a major crackdown on scammers behind business email compromise (BEC) campaigns that resulted in 74 arrests and the retrieval of millions of dollars. Several U.S. federal authorities and police from other countries were involved in Operation WireWire, a...
Foscam Issues Patches For Vulnerabilities in IP Cameras
Foscam is urging customers to update their security cameras after researchers found three vulnerabilities that could enable a bad actor to gain root access knowing only the camera’s IP address. The vulnerability trifecta includes an arbitrary file-deletion bug, a shell command-injection flaw a...
InvisiMole Burrows into Targets with Rich Espionage Tools
Researchers are expressing concern over a versatile spyware called InvisiMole that has been spotted in highly targeted campaigns targeting Windows PCs in Russia and the Ukraine. The malicious code, which comes in 32-bit and 64-bit versions, has a modular architecture, with two different,...
Report: Chinese Hackers Siphon Off ‘Massive’ Amounts of Undersea Military Data
Nation-state attackers affiliated with the Chinese government have made off with a trove of undersea military secrets, according to a report. Hackers were able to mount a lateral attack after compromising the networks of a Navy contractor working for the Naval Undersea Warfare Center in Rhode...
Unprotected Server Exposes Weight Watchers Internal IT Infrastructure
A critical server for popular weight-loss service Weight Watchers was left unprotected, allowing researchers to take a bite out of dozens of exposed S3 buckets containing company data and AWS access keys. Researchers at Kromtech Security said that they discovered a Weight Watchers Kubernetes...
Lenovo Finally Patches Ancient BlueBorne Bugs in Tab and Yoga Tablets
Nine months after researchers warned of the BlueBorne remote code execution bug, Lenovo said Thursday that a patch is finally available for three popular lines of its Android tablets. Lenovo, the world’s No. 3 Android tablet-maker, said BlueBorne patches are now available for four Lenovo Tab...
Creative Spam Thinks Outside the Macro with .IQY Attachments
The Necurs botnet is driving a fresh spam campaign that uses Excel Web Query .IQY file attachments to skim under the antivirus radar. If successful, the attack ultimately delivers the remote access trojan (RAT) known as FlawedAmmyy. This is the third wave in an offensive that started in late May. T...
Google Tackles AI Principles: Is It Enough?
Google has released its manifesto of principles guiding its efforts in the artificial intelligence realm – though some say the salvo isn’t as complete as it could be. AI is the new golden ring for developers, thanks to its potential to not just automate functions at scale but also to make...
Threatpost News Wrap Podcast for June 8
Threatpost editors Tom Spring, Tara Seals and Lindsey O’Donnell discuss the week’s information security news, including a bevy of IoT device privacy incidents, a critical Adobe Flash vulnerability, and an update on the breadth and impact of the VPNFilter malware found last month by Cisco Talos...
Facebook Software Bug Made Some Private Posts Public: 14 Million Affected
A Facebook software bug in May switched the “suggested audience” for posts to “public” for 14 million users. The glitch meant Facebook users who thought they were sharing content with just friends or small groups actually made their posts available to the general public. The incident is the...
Zero-Day Flash Exploit Targeting Middle East
A zero-day vulnerability is being exploited in the wild in targeted attacks against Windows users in the Middle East, researchers warned Thursday. The Flash Player vulnerability (CVE-2018-5002), a stack-based buffer overflow bug that could enable arbitrary code execution, was patched earlier today ...
GDPR: A Compliance Quagmire, for Now
The European Union’s General Data Protection Regulation (GDPR) has gone into effect – but questions as to what compliance actually means are far from settled. While the GDPR is a European regulation, it affects any organization that handles data on E.U. citizens, whether they be customers or...
Targeted Spy Campaign Hits Russian Service Centers
A series of espionage attacks have been uncovered, targeted at service centers in Russia that provide maintenance and support for a variety of electronic goods. The payload is a commercial version of the Imminent Monitor tool, which is freely available for purchase as legitimate software. Its...
Shipping Industry Cybersecurity: A Shipwreck Waiting to Happen
The global shipping industry is vulnerable to a range of hacks, including one that can send multi-million dollar vessels on a collision course for disaster, according to researchers. Worse, the flaws are trivial to execute and easy to mitigate against, according to a report by Pen Test Partners. “Sh...
Operation Prowli Profits On Weak IoT Devices, Servers
A malicious campaign has compromised more than 40,000 machines globally, carrying out traffic-hijacking and cryptomining. Researchers at Guardicore Labs, who called the campaign Operation Prowli, said it targets a variety of platforms – including Drupal CMS websites, WordPress sites, backup serve...
CloudPets May Be Out of Business, But Security Concerns Remain
More than a year after CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach, Amazon, Target and Walmart have pulled the toys from their online markets. But it’s the installed base of the connected...
Baby Cam Creeper Actively Watched New Mom
It’s a bad week for connected parents: A South Carolina mom says a stranger hacked into her baby monitor to spy on her and her family. She shared the experience on Facebook after she noticed someone had taken control of the 360-degree motion feature and was moving the camera toward her bed to see...
Adobe Patches Critical Flash Player Bug With Active Exploit
Adobe has patched two critical and two important vulnerabilities in its Flash Player on Thursday, including one that is being exploited in the wild in targeted attacks against Windows users. The critical vulnerability with an existing exploit (CVE-2018-5002) is a stack-based buffer overflow bug tha...
PageUp Malware Scare Sheds Light On Third Party Risks
UPDATE Human resource firm PageUp warned customers its backend infrastructure was infected with malware and as a result customers’ sensitive information such as names, contacts and passwords may have been breached. A week after the initial announcement of the malware, on June 12, PageUp said that...
VPNFilter Malware Impact Larger Than Previously Thought
Researchers say the impact of the VPNFilter malware discovered last month is larger than originally reported. On Wednesday, Cisco Talos researchers said they now believe the malware has infected twice the number of router brands than previously stated. They added that VPNFilter also delivers a mo...
Zip Slip Flaw Affects Thousands of Open-Source Projects
A known critical vulnerability has been given the moniker Zip Slip this week in an effort to raise awareness of its prevalence. A recent analysis shows the bug affects multiple open-source ecosystems, including JavaScript, Ruby, .NET and Go. As a result, thousands of developer projects, including...
Auth0 Glitch Allows Attackers to Launch Phishing Attacks
UPDATE Researchers are warning of a glitch in the Auth0 identity-as-a-service offering, which could allow bad actors to spoof a legitimate website and collect sensitive information from visitors. Researchers at Imperva on Tuesday found that the subdomain names of Auth0 are susceptible to security...
World Cup, Vacation Scams Lead in Phishing Trips this Summer
Summer is one of the traditional seasons of scamming, and this summer is shaping up to be a hot one on that front, with active campaigns swirling around supposed “security incidents,” vacation bookings and, of course, the World Cup. Scammers, for instance, recently targeted Booking.com customers...
DNA Testing Service MyHeritage Leaks User Data of 92 Million Customers
Account data tied to 92 million users of the genealogy and DNA testing service MyHeritage were found on a third-party “private” server in a breach that exposed usernames and passwords of customers. The breach is the largest since last year’s Equifax leak of 147.9 million pieces of private data...
WARDroid Uncovers Mobile Threats to Millions of Users Worldwide
An analysis of 10,000 mobile apps has found that a significant portion of them are open to web API hijacking – something that potentially affects the privacy and security of tens of millions of business users and consumers globally. The root of the threat lies in the inconsistencies that are ofte...
Drupalgeddon 2.0 Still Haunting 115K+ Sites
More than 115,000 sites are still vulnerable to a highly critical Drupal bug – even though a patch was released three months ago. When it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal – including major U.S. educational...
Google Patches 11 Critical Android Bugs in June Update
Google patched 57 vulnerabilities Monday affecting the Android operating system and kernel and chipset components tied to third-party firms MediaTek, NVIDIA and Qualcomm. Eleven of the bugs are rated critical and 46 are rated high. Google said the most severe of the vulnerabilities are remote cod...
Social Media Privacy Dominates Apple iOS 12, macOS Launches
Social media privacy is top of mind for Apple on the heels of the Facebook-Cambridge Analytica controversy. On Monday, Apple released the latest versions of its desktop and mobile operating systems at the Worldwide Developers Conference (WWDC), which addresses a bevy of security and privacy concern...
Federal Agencies Face an Uphill Battle in Cyber-Preparedness
In the wake of the elimination of the federal cybersecurity czar position, the latest federal cybersecurity preparedness report from the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) shows that the U.S. government is nowhere near ready for prime time when it comes to...