Cybersecurity News: National Public Data breach update, Flaws in macOS apps, FlightTracker configuration issue

‘Only’ 1.3 million affected by National Public Data breach 

The Florida-based data broker officially confirmed the breach, which happened earlier this year and is now estimated to have impacted 1.3 million people in the U.S., UK, and Canada. However, that estimate is far less than the 2.9 billion rows of information that the threat actor originally claimed to have taken. The stolen information included full names, email addresses, phone numbers, and Social Security numbers.

(The Register)

Flaws in Microsoft macOS Apps allow secret recording

Cisco Talos researchers have discovered eight vulnerabilities in Microsoft’s macOS apps, including Teams, Outlook, and Word, that could allow attackers to exploit existing permissions to access microphones and cameras. According to the findings, attackers could send emails from the user’s account without their knowledge, record audio clips, take pictures, or record video without any user interaction. Despite these findings, Microsoft considers these issues “low risk.” Following the report, Microsoft updated Teams and OneNote to address the flaws, while other apps like Excel, PowerPoint, Word, and Outlook remain potentially vulnerable.

(The Record), (Cisco Talos)

Configuration issue exposes flight tracking site

You’ve likely seen the image of all the planes in the sky in real-time, often featured on the news or social media during a busy travel week. You’re likely imagining the flight tracking site FlightAware, which has disclosed that a “configuration error” exposed a significant amount of personal information belonging to its customers, including Social Security numbers. The data breach, which dates back to January 2021, also exposed names, email addresses, billing and shipping addresses, and the last four digits of credit card numbers. FlightAware has not confirmed whether any data was accessed or exfiltrated, or how many people were potentially impacted.

(TechCrunch)

CISA flags Jenkins vulnerability

CISA has added a critical Jenkins vulnerability, CVE-2024-23897, to its catalog of actively exploited security flaws. This vulnerability allows unauthenticated attackers to execute remote code by exploiting a weakness in Jenkins’ command parser. Federal agencies have until September 9 to secure their Jenkins servers.

(Bleeping Computer)

North Korean Hackers tied to exploited Windows zero-day

Security researchers at Gen Threat Labs have connected the recent zero-day vulnerability CVE-2024-38193, patched by Microsoft, to North Korea’s Lazarus APT group. The flaw allows attackers to gain SYSTEM privileges on the latest Windows operating systems, with Lazarus reportedly exploiting it via the FudModule rootkit. This vulnerability is one of six zero-days patched in Microsoft’s August update, with another flaw (CVE-2024-38178) also linked to North Korean APT groups targeting South Korea.

(Security Week)

Ransomware attack exposes victims and witnesses of crimes

Columbus city leaders have issued a warning to victims and witnesses of crimes after the Rhysida ransomware group leaked sensitive data stolen from the local prosecutor’s office. City officials warned of the heightened risk for individuals with information in the compromised files, especially those potentially trying to escape violent situations, including domestic violence. Despite initial assurances that no citizen data was compromised, officials have now confirmed that personally identifiable information (PII) has indeed been released. The city has been dealing with this ransomware attack since mid-July, with hackers leaking 6.5 terabytes of data after the city did not pay the ransom demands.

(The Record)

Suspects in Holograph cryptocurrency heist arrested

Have you ever heard the saying, “I wouldn’t tell anyone if I won the lottery, but there would be signs”? Four hackers were arrested in Italy after allegedly stealing $14 million worth of cryptocurrency from Holograph, a blockchain tech firm, after they were found to be living a lavish lifestyle in a luxury villa in Italy. The suspects are accused of exploiting a smart contract flaw to mint 1 billion HLG tokens and withdrawing them in nine transactions. Holograph confirmed the hack was carried out by a former technical contractor with inside knowledge of the platform’s operations.

(Bleeping Computer)

Lions, tigers, and hackers—Oh My!

Hackers have managed to steal credit card details from more than 100,000 people by compromising the Oregon Zoo’s online ticketing service. The breach, which took place between December 2023 and June 2024, allowed the attackers to redirect transactions and collect payment card information, including names, card numbers, CVV, and expiration dates. The Oregon Zoo discovered the suspicious activity late last month and notified the 117,000 affected last week.

(The Record)

Lauren Verno
Lauren Verno, an award-winning journalist, embraces her expertise, transitioning seamlessly into a cyber defender to bring you captivating updates on cybersecurity news.