Amazon Ring, Alexa accused of privacy violations by FTC
America’s Federal Trade Commission on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy offences. The Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections.” The FTC also challenged Amazon over the data-retention policies of its Alexa devices, stating, “Amazon retained children’s recordings indefinitely—unless a parent requested that this information be deleted,” adding “even when a parent sought to delete that information, Amazon failed to delete transcripts of what kids said from all its databases.”
Kaspersky reports on new mobile APT campaign targeting iOS devices
Kaspersky researchers have uncovered an ongoing mobile Advanced Persistent Threat (APT) campaign targeting iOS devices with previously unknown malware. Dubbed as ‘Operation Triangulation’, the campaign distributes zero-click exploits via iMessage to run malware gaining complete control over the device and user data, with the final goal to hiddenly spy on users. Kaspersky uncovered this APT campaign while monitoring the network traffic of its corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA). Upon further analysis, company researchers discovered the threat actor has been targeting iOS devices of dozens of company employees.
(Kaspersky and Securelist)
White House to choose Army general Hartman to be new No. 2 at Cyber Command
President Biden has chosen Army Maj. Gen. William Hartman to serve as the next deputy of U.S. Cyber Command, finishing a large scale overhaul of the military’s top digital warfighting organization. Hartman would replace Air Force Lt. Gen. Timothy Haugh, the president’s nominee to oversee Cyber Command and the National Security Agency, replacing Army Gen. Paul Nakasone, who is retiring after more than five years in the dual roles.
ISACA pledges to help grow cybersecurity workforce in Europe
The Information Systems Audit and Control Association, better known as ISACA is a global professional organization that has now pledged to the European Commission to grow and empower the cybersecurity workforce in Europe. Its primary focus is on IT governance. The pledge will see ISACA provide 20,000 free memberships to students across Europe to acquire crucial cybersecurity skills and support the identification of qualified cybersecurity candidates for organizations.
Thanks to this week’s episode sponsor, Barricade Cyber Solutions
Microsoft finds macOS bug that lets hackers bypass SIP root restrictions
According to Bleeping Computer, “Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install “undeletable” malware and access the victim’s private data by circumventing Transparency, Consent, and Control (TCC) security checks.” The flaw, dubbed Migraine, was discovered and reported to Apple by a team of Microsoft security researchers, and is now tracked as CVE-2023-32369. Apple patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, on May 18.
New MOVEit Transfer zero-day mass-exploited in data theft attacks
MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of US-based Progress Software Corporation. It allows the secure transfer of files between suppliers and customers via SFTP, SCP, and HTTP-based uploads. It is offered as an on-premise solution managed by the customer and a cloud SaaS platform managed by the developer. According to Progress, MOVEit is used by thousands of enterprises, including Chase, Disney, and GEICO, as well as 1,700 software companies and 3.5 million developers.
BlackCat claims the hack of Casepoint
The BlackCat ransomware gang has added the company Casepoint to its list of victims on its Tor Dark Web site. This discovery was made by cybersecurity researcher Dominic Alvieri. Casepoint provides a legal discovery platform used by several US agencies, including the SEC, FBI, and US Courts. The gang claims to have stolen 2TB of sensitive data, belonging to lawyers, SEC, DoD, FBI, police and more. If this breach is verified, the ransomware group may have compromised sensitive and possibly classified information.
Idaho hospital diverting ambulances after cyberattack
Idaho Falls Community Hospital, which serves a large community in eastern Idaho is diverting ambulances to other clinics after a cyberattack damaged its computer systems. Spokespeople for the hospital stated that some clinics connected to it will be closed until they “feel confident the virus has been fully removed.” They did not confirm if the attack was ransomware-related. They also noted that they are still caring for patients and surgeries are continuing as usual. Their emergency department is still open and most clinics are still seeing patients.