Cybersecurity News: Aviva cyberattack warning, anti-aircraft data theft, car fleet vulnerability

Insurance firm sees cyberattacks as more likely than fire or theft

New research from Aviva states that “businesses are 67% more likely to experience a cyber incident than a physical theft and almost five times as likely to have an attack as a fire.” This is backed up by their data, which shows that “10% of small businesses and 35% of larger businesses experienced a cyber incident in the past year.” Furthermore, 20% of businesses surveyed admit to “not being confident in knowing what to do” should an attack happen.

(InfoSecurity Magazine)

North Korean hackers steal anti-aircraft system data

The Andariel hacking group, apparently linked to the Lazarus Group, has been accused by the Seoul Metropolitan Police of targeting South Korean defense companies, “stealing technical data on anti-aircraft systems — as well as research institutes and pharmaceutical companies.” Some of the companies whose data was stolen were unaware they had been targeted. The hackers allegedly used a South Korean server rental company as their base, which they connected to from downtown Pyongyang.

(The Record)

Vulnerability discovered in fleet management software

This vulnerability “could allow hackers to manipulate a fleet of vehicles at once — including the possibility of shutting down the vehicles.” Discovered by a security consultant at Dutch IT consultancy Xebia, the vulnerability, tracked as CVE-2023-6248, essentially requires just an IP address, some Python and access to a Linux server to get access to “live locations, detailed engine diagnostics, speakers, airbags and execute arbitrary code on vulnerable devices.”

(Cyberscoop)

Mobile password managers might be exposing your credentials

The vulnerability, named “AutoSpill,” comes from an autofill feature in Android apps that can “expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism.” This is according to university researchers at the IIIT Hyderabad, who presented their research at Black Hat Europe this week. It happens when password managers get “disoriented” about where they should target the user’s login information, for example between two competing music player apps. 1Password told TechCrunch they are working on a fix. LastPass stated they already had a mitigation in place via an in-product pop-up. Google and Enpass had not responded to TechCrunch as of this recording.

(TechCrunch)

Bluetooth flaw threatens Android, Linux, macOS, and iOS devices

Tracked as CVE-2023-45866, this is an authentication bypass flaw that allows for the injection of keystrokes to achieve code execution. Discovered and reported by security researcher Marc Newlin, “the attack deceives the target device into thinking that it’s connected to a Bluetooth keyboard by taking advantage of an unauthenticated pairing mechanism that’s defined in the Bluetooth specification.”

(The Hacker News)

CISA adds Qualcomm vulnerabilities to its KEV catalog

The four flaws include three that were addressed by Qualcomm in October and that, according to Google’s Threat Analysis Group, have been actively exploited in targeted attacks. In adding them to its Known Exploited Vulnerabilities Catalog, CISA has ordered federal agencies to fix these vulnerabilities by December 26, 2023. The vulnerabilities are:

  • CVE-2023-33106 Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability
  • CVE-2023-33063 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
  • CVE-2023-33107 Qualcomm Multiple Chipsets Integer Overflow Vulnerability
  • CVE-2022-22071 Qualcomm Multiple Chipsets Use-After-Free Vulnerability

(Security Affairs and CISA KEV)

Canadian shoe chain ALDO clarifies LockBit posting

The shoe retailer, which has almost 3,000 stores across the world, has clarified that a recent posting from LockBit, claiming that it had attacked the company without giving details on what had been stolen, involved “the systems of an unspecified franchise partner.” As reported in The Record, “Aldo stores in the U.S., U.K., Canada and Ireland are owned directly by Aldo Group while all others are franchises.” A spokesperson for Aldo confirmed that “no Aldo Group owned or operated systems were affected by this incident,” that “the affected data is limited to information pertaining to their operations in a specific overseas territory,” and that “the affected data does not contain any Aldo customer financial or payment card information.”

(The Record)

Disney+ spoofing scheme exposes new sophistication

An article published by the CISO of Abnormal Security, Mike Britton, describes a brand impersonation cyberattack that raises the stakes in email fraud scams. In brief, the campaign involves personalized emails sending a notification of a pending charge for a new Disney+ subscription. The emails came with a personalized PDF attachment with careful attention given to a seemingly legitimate customer support service number, Disney+ address, brand colors, and no misspellings or malware-laden attachments. What makes this attack unique, according to Britton, is “the level of sophistication and personalization the threat actors used.” This includes a time-pressure technique, informing the recipient that the new fee will be charged upon receipt of the email, increasing the likelihood of a victim’s response. A link to the report is available in the show notes to this episode.

(Abnormal Security)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.