Cybersecurity News – January 27, 2021

Google’s Threat Analysis Group warns of social engineering hack aimed at security researchers

The hackers, allegedly based in North Korea, have been targeting individual security researchers who work on “vulnerability research and development.” They are using a cybersecurity blog focused on writing up vulnerabilities that were already public and amplifying this with a series of Twitter accounts and YouTube videos to build credibility with the targets. The campaign asked researchers to collaborate on their work, which enabled the hackers to transmit malware disguised as sample data files. Although Google’s TAG could not confirm a direct motive for this activity, they suggest the attackers may be trying to learn more about non-public vulnerabilities that they can use in future state-sponsored attacks. They have listed the specific hacker accounts in their January 25 blog post and suggest that anyone who has interacted with these accounts should scan their systems for any indication they have been compromised and move their research activities onto a separate computer from their other day-to-day usage.

(The Verge and Google TAG)

Verizon outage started in Brooklyn

A major internet outage struck the US eastern seaboard yesterday, affecting a range of services including Verizon, Google, Slack, Microsoft Teams, and Azure. The affected area ranges from Massachusetts to Washington DC. In a tweet, Verizon attributed the outage to a fiber that had been accidentally severed in Brooklyn, although it is not clear that this single event was responsible for the entire outage.

(NBC Washington)

TikTok fixes flaws allowing theft of private user information

The vulnerability, located in its “Find Friends” feature, allowed attackers to bypass the platform’s privacy protections, enabling them to gain access to users’ private personal information that could be used for spear-phishing attacks. ByteDance, the firm behind TikTok, had been alerted to the vulnerability and its 4-step procedure by researchers at Check Point.

(Bleeping Computer)

Grindr is fined $11.7 million under European privacy law

The Norwegian Data Protection Authority said on Monday that it would fine the dating app for illegally disclosing private details about its users to advertising companies. The agency said the app had transmitted users’ precise locations, user-tracking codes and the app’s name to at least five advertising companies through its relationship with Twitter’s mobile advertising platform, MoPub, essentially tagging individuals as L.G.B.T.Q. without obtaining their explicit consent, in violation of European data protection law. Tobias Judin, head of the Norwegian Data Protection Authority’s international department, said Grindr’s data-mining practices not only violated European privacy rights but also could have put users at serious risk in countries where consensual same-sex sexual acts are illegal.

(New York Times)

And now our sponsor Nucleus Security brings you “The Top 5 Antipatterns in Vulnerability Management”:

Antipattern #3: “The Army of Analysts”: Manual vulnerability analysis doesn’t scale. In large enterprises, it’s impossible to hire enough vulnerability analysts to manually analyze and triage vulnerability scan results fast enough. Learn how Nucleus automates vulnerability analysis and triage with a demo-on-demand at nucleussec.com/demo

Fake coronavirus phishing scam hits UK

Britain’s National Health Service has warned people to be vigilant about fake email invitations to click to register for vaccinations. The scam email also asks for bank details, either to verify identification or to make a payment. The NHS states that in reality no registration for a vaccination is required, it would never ask for bank details, and the vaccine is free. Cybersecurity consultant Daniel Card told BBC News that traffic data indicates thousands of people had clicked the link to the fake site, although it is unclear how many then filled in the form.

(BBC News)

Insurers are funding organized crime by paying ransomware claims, says cybersecurity expert

Ciaran Martin, who ran Britain’s National Cyber Security Centre until last August, said he feared that ransomware was “close to getting out of control” because there is no legal barrier to companies paying ransoms to cyber gangs and then claiming back on insurance. “People are paying bitcoin to criminals and claiming back cash,” Martin said. Britain’s extortion laws prohibit the payment of ransoms to terrorists, but cyber-attacks are not carried out by terror groups, and so there is no bar to paying ransom demands – and it is possible to make an insurance claim if no personal data was involved.

(The Guardian)

South African government releases its own browser to re-enable Flash

The South African Revenue Service released this week a custom web browser for the sole purpose of re-enabling Adobe Flash Player support, rather than porting its existing website from Flash to HTML-based web forms. Despite having three years’ advance notice, SARS recognized that once Flash reached its end of life, as it did in December, the agency would be unable to receive any tax filings via its web portal, which uses Flash widgets. The new SARS eFiling Browser is a stripped-down version of the Chromium browser that only speaks with the official SARS website. It is only available for Windows.

(ZDNet)

The White House hidden job ad seems to have worked

The Biden administration placed a “help wanted” sign for crack computer coders on its revamped White House website, shortly after the inauguration on January 20. A line of HTML code was added to Whitehouse.gov, inviting applicants to apply to work for the United States Digital Service (USDS), a non-partisan technology unit in the Executive Office of the President. The message read, “If you’re reading this, we need your help building back better,” along with a link to usds.gov/apply. Clearly intended to be seen by developers and others who enjoy seeing what’s under the hood, the link now no longer points to a specific job posting, due to a high volume of applications.

(MSN Money and Naked Security)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.