Cybersecurity Weekly: Apple flaws, Azure vulnerabilities, hackers buying network access
Fifty-five new security flaws were reported in Apple software and services. Researchers find vulnerabilities in Microsoft Azure cloud service. Security staff are being forced to upskill in their own time. All this, and more, in this week’s edition of Cybersecurity Weekly.
Top Security Awareness Posters
1. Fifty-five new security flaws reported in Apple software and services
A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity. The flaws meant a bad actor could easily hijack a user's iCloud account and steal all the photos, calendar information, videos and documents, in addition to forwarding the same exploit to all of their contacts.
Read more »
2. Researchers find vulnerabilities in Microsoft Azure cloud service
Two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery attacks or execute arbitrary code and take over the administration server. This enables an attacker to quietly implant malicious phishing pages through Azure Portal to target system administrators.
Read more »
3. Ransomware gangs can buy network access in cyberattack shortcut
For prices ranging between $300 and $10,000, ransomware groups have the opportunity to easily buy initial network access to already-compromised companies on underground forums. Researchers warn this opportunity gives groups like Maze or Sodinokibi the ability to more easily kickstart ransomware attacks across various industries.
4. Security staff are being forced to upskill in their own time
With a skills gap widening, security workers aren’t able to fully develop their skills at work and are instead turning to development training in their free time. Around half of employees (48%) have committed time before and after work to improve their skills, for example, with 20% also training themselves on weekends, according to a recent report.
Read more »
5. Hackers targeting IoT devices with a new P2P botnet malware
Cybersecurity researchers took the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform malicious tasks and illicit cryptocurrency coin mining. The HEH Botnet spreads via a brute-force attack of the Telnet service on ports 23/2323 and can execute arbitrary shell commands.
Read more »
6. New MosaicRegressor malware found active in the wild
Last week, cybersecurity researchers spotted a rare kind of malware that targets a machine's booting process to drop persistent malware. The campaign involved the use of a compromised UEFI containing a malicious implant, making it the second known public case where a UEFI rootkit has been used in the wild.
Read more »
7. Unknown hackers targeted the U.S. Census Bureau network
The U.S. Department of Homeland Security said that unknown threat actors have targeted the US Census network during the last year in its first-ever Homeland Threat Assessment report released last week. The DHS mentions in the report multiple instances when unknown threat actors have tried gaining access to systems on the U.S. Census network.
Read more »
8. Fitbit gallery can be used to distribute malicious apps
A security researcher discovered malicious apps for Fitbit devices can be uploaded to the legitimate Fitbit domain and users can install them from private links. Using social engineering, hackers could take advantage of this and trick users into adding apps to obtain the wealth of personal information typically collected from Fitbit device sensors or the phone.
Read more »
9. Ransomware gang now using critical Windows flaw in attacks
Microsoft warned about cybercriminals who have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoing attacks from cyber-espionage group MuddyWater in the second half of September. Over the years, the actor has been in attacks delivering a wide variety of malware.
Read more »
See Infosec IQ in action
10. Sam's Club customer accounts hacked in credential stuffing attacks
Over the past two weeks, Sam's Club started sending automated password reset emails and security notifications to customers who were hacked in credential-stuffing attacks. In emails sent out to Sam's Club members, the company is alerting members that an unauthorized party may have gained access to their accounts.
Read more »
In this Series
- Cybersecurity Weekly: Apple flaws, Azure vulnerabilities, hackers buying network access
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
