Secjuice Squeeze 59
Welcome to the Secjuice Squeeze, a selection of interesting security articles and infosec news that you may have missed, lovingly curated for you every week. This week's volume was curated by Secjuice writers Prasanna, Ross Moore, Andy74, Sinwindie, Muhammad Luqman, Tony Kelly, Devesh Chande, and Alesanco.
In this edition, we have news articles, blog posts, and learning.
News
A Hacker Got All My Texts for $16
A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.
Read more at vice.com and theverge.com
Curated by Prasanna and Sinwindie
Microsoft vulnerabilities report offers key cybersecurity insights
In 2020, a record number of 1,268 Microsoft vulnerabilities were discovered, a 48% increase year over year, a BeyondTrust report finds. Its CISO sits for an interview to dig deep into the findings.
Read more at healthcareitnews.com
Curated by Ross Moore
How Did Multiple Threat Groups Know About Exchange Patches Before Release?
Following CISA's weekend updates on continuing Exchange server hacks, Microsoft is investigating the significant uptick in exploits just days before patches were released.
Read more at breakingdefense.com
Curated by Ross Moore
Cryptophone Service Crackdown: Feds Indict Sky Global CEO
Authorities in the U.S. have extended the international police crackdown against the Sky ECC cryptophone service by indicting both the parent company's CEO and its main distributor.
Read more at databreachtoday.com
Curated by Ross Moore
DuckDuckGo browser extension vulnerability leaves Edge users open to potential cyber-snooping
DuckDuckGo has fixed a universal cross-site scripting (uXSS) flaw in a popular browser extension for Chrome and Firefox.
Read more at portswigger.net
Curated by Andy74
Twitter Users Can Now Secure Accounts With Multiple Security Keys
Twitter announced that users with two-factor authentication (2FA) enabled can now use multiple security keys to protect their accounts.
Read more at securityweek.com and cnet.com
Curated by Andy74 and Sinwindie
Hacker dumps Guns.com database with customers, admin data
As seen by Hackread.com, among other sensitive data, the database includes Guns.com administrator, WordPress, and Cloud login credentials in plain-text format.
Read more at hackread.com
Curated by Andy74
New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild
Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy a Mirai variant and ZHtrap.
Read more at thehackernews.com
Curated by Andy74
Ransomware soars with 62% increase since 2019
The 2021 SonicWall Cyber Threat Report goes inside the stories that headlined 2020, and takes a closer look at new and disruptive cyber threats to provide insight into the evolving cyber threat landscape.
Read more at securitymagazine.com
Curated by Andy74
Bug In iPhone Call Recorder App Could Expose Users’ Recordings
Exploiting the iPhone Call Recorder app bug could let an adversary access users' recordings just by phone numbers. Bug fixed.
Read more at latesthackingnews.com
Curated by Andy74
Hackers stole NFTs from Nifty Gateway users
Over the weekend, some users of NFT marketplace Nifty Gateway said hackers stole digital artwork worth thousands of dollars from their accounts. Some people who were hacked also said their credit cards on file were used to purchase additional NFTs, also costing thousands of dollars, which were then transferred away to a hacker’s account.
Read more at theverge.com
Curated by Sinwindie
A Hacker Just Stole $5.7 Million From Social Token Startup Roll
Over the weekend, hackers stole millions of dollars in crypto from Roll, a social currency startup that allows so-called “creatives” to launch and manage their own Ethereum blockchain-based money systems.
Read more at gizmodo.com
Curated by Sinwindie
Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix
Public proof-of-concept (PoC) exploits for ProxyLogon could be fanning a feeding frenzy of attacks even as patching makes progress.
Read more at threatpost.com
Curated by Muhammad Luqman
Google Releases Spectre PoC Exploit For Chrome
Google has released the side-channel exploit in hopes of motivating web-application developers to protect their sites.
Read more at threatpost.com
Curated by Muhammad Luqman
Mamma Mia! Compromised passwords are filled with popular music artists
All apologies, but if you use your favorite band as part of your password it's time to turn around and try something else.
Read more at techrepublic.com
Curated by Ross Moore
FBI releases the Internet Crime Complaint Center 2020 Internet Crime Report
The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports.
Read more at securitymagazine.com
Curated by Andy74
California bans website 'dark patterns', confusing language when opting out of having your personal info sold
State privacy rules add pressure on lawmakers to craft national standards.
Read more at theregister.com
Curated by Ross Moore
Florida Teen Pleads Guilty in 2020 Twitter Hack
The Florida teen whom prosecutors call the mastermind behind last year's hack of 130 high-profile Twitter accounts to wage a cryptocurrency scam pleaded guilty.
Read more at databreachtoday.com
Curated by Ross Moore
Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites
A pair of critical vulnerabilities found in bulletin board software called MyBB could have been chained together to achieve remote code execution.
Read more at thehackernews.com
Curated by Andy74
Twitter images can be abused to hide ZIP, MP3 files — here's how
Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter.
Read more at bleepingcomputer.com
Curated by Ross Moore
Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud
The U.S. yesterday announced updates on two separate cases involving cyberattacks—a Swiss hacktivist and a Russian who planned to plant malware in Tesla.
Read more at thehackernews.com
Curated by Andy74
Hackers Infecting Apple App Developers With Trojanized Xcode Projects
Hackers are leveraging Xcode as an attack vector to compromise Apple platform developers with a backdoor.
Read more at thehackernews.com
Curated by Andy74
Computer giant Acer hit by $50 million ransomware attack
The REvil ransomware operation claims to have stolen unencrypted data after hacking electronics and computer giant Acer.
Read more at bleepingcomputer.com
Curated by Tony Kelly
Bogus Android Clubhouse App Drops Credential-Swiping Malware
The malicious app spreads the BlackRock malware, which steals credentials from 458 services – including Twitter, WhatsApp, Facebook and Amazon.
Read more at threatpost.com
Curated by Tony Kelly
Tax-Themed Phishing Campaign Emerges
This tax season, as in years past, a major phishing campaign is targeting U.S. taxpayers in an effort to deliver malware, according to researchers at security firm.
Read more at databreachtoday.com
Curated by Devesh Chande
TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations.
Read more at us-cert.cisa.gov
Curated by Devesh Chande
Users could gain root privilege through three flaws sitting in Linux kernel
The unearthed vulnerabilities in the Linux kernel are located in the iSCSI module used for accessing shared data storage facilities.
Read more at scmagazine.com
Curated by Alesanco
Blogs
How your iPhone could tell you if you're being stalked
The latest Apple iOS beta suggests that iPhone users will be warned about hidden tracking devices in the future, but questions remain.
Read more at malwarebytes.com
Curated by Ross Moore
How to Regex: A Practical Guide to Regular Expressions (Regex) for Hackers
Come check out this new How-to blog from @hakluke. A guide to Regular Expressions and how to bypass Regex-Based Security Controls in the wild!
Read more at bugcrowd.com
Curated by Tony Kelly
Learning
OSINT Tools for Pivoting, Automating Google Search, and API Testing
Another week, another set of OSINT tools. This week we'll be looking at tools for OSINT investigations for pivoting, automating Google search, and APIs.
Read more at jakecreps.com
Curated by Tony Kelly
Nessus CSV Parser and Extractor
Yanp.sh is a simple yet powerful Nessus CSV parser. It extracts information from multiple Nessus results and creates a consolidated version from all reports combined.
Read more at infosecmatter.com
Curated by Tony Kelly
About The Artwork
‘Soviet Ghosts’ is a personal experimental work, intended to express the beauty hidden in the broken and decayed. This work is inspired by British photographer Rebecca Litchfield's collection of photographs of the same name. Published in 2013, she sensitively and beautifully records many abandoned locations within thirteen countries which were once part of the Soviet Union or occupied territories. I also referenced a large number of images of the remains of the former Soviet Union from the internet. During the creative process I tried to construct and restore the strong sense of realistic representation that was vivid in the photography. At the same time I reorganize the subject and scene and integrate this with my own creativity and understanding in light and shadow and composition. Trying to find a balance point that satisfies myself between hyper-realism and artistic stylization is also a challenge. - Link Lee