FCC implements new classification to combat robocall groups
A classification fit for royalty; well I should say robocall royalty. The Federal Communications Commission (FCC) is targeting an entity named Royal Tiger, marking it as the first to be designated under its new Consumer Communications Information Services Threat (C-CIST) classification, aimed at combating robocall fraud. Royal Tiger, which operates out of India, the UK, the UAE, and the U.S. has been involved in scams such as impersonating government agencies, offering fake credit card rate reductions, and soliciting bogus purchase authorizations. This designation is part of a broader FCC effort to enhance its ability to track and combat robocall threats, including the use of AI voice cloning and spoofing technologies.
MITRE releases threat-modeling framework for embedded devices
The MITRE Corporation has officially released a new threat-modeling framework named EMB3D. According to MITRE, this framework was designed to enhance the security of embedded devices in critical infrastructure by providing a comprehensive knowledge base of cyber threats and mitigation strategies. Similar to the ATT&CK framework, EMB3D is designed to evolve over time to address emerging threats, vulnerabilities, and attack vectors specific to embedded systems. The initial release of the framework includes the device properties and threats enumerations. The full set of mitigations is expected to be released in the summer 2024 update.
(The Hacker News), (MITRE EMB3D)
World renowned auction house attacked ahead of mega-auction
$840 million dollars of artwork is at stake, as Christie’s auction house experienced what they’re calling a “technology security issue.” As of this recording, the main website is offline, but visitors are being redirected to a temporary website. The auction house says it plans to continue its upcoming auction, which, according to the New York Times, accounts for nearly half of its annual revenue. This incident marks the second security breach at Christie’s in less than a year, following an earlier breach that exposed the locations of high-end art owners who were looking to sell their paintings at auction. Christie’s claims that, at the moment, no customer data has been found to be stolen from this recent incident.
(The Register), (The New York Times)
Hackers exploit unpatched flaw on Finland’s capital city
The city of Helsinki is investigating a data breach that’s impacted the city’s education division. The city reports they are investigating a significant volume of data belonging to tens of thousands. Hackers are believed to have gained access to usernames and email addresses of all city personnel and personal IDs and addresses of students. According to the city, threat actors exploited a vulnerability in the Education Division network server to remotely access it. Although a patch to fix this vulnerability was available, it was not updated.
(Bleeping Computer), (Security Affairs)
Huge thanks to our sponsor, Vanta
With the largest network of Trust Centers, Vanta can help you streamline security reviews to win customer trust, save time, and close deals fast.
Proactively demonstrate security by showcasing key resources like your SOC 2 or ISO 27001 and provide real-time evidence for passing controls. And when a security questionnaire is required, Vanta takes the first pass for you.
Visit vanta.com/ciso to take a tour.
Apple issues critical security updates for iOS and macOS
Apple has released critical security updates for its mobile and desktop operating systems after identifying 16 vulnerabilities in iPhones and iPads, including a memory corruption bug, CVE-2024-23296, which may have already been exploited. The company also fixed 14 security issues in the latest iOS versions that could allow code execution, data breaches, and system crashes. The company also issued updates for macOS Sonoma, Ventura, and Monterey to address similar risks.
Android and iOS introduce alerts for unwanted tracking devices
Do you remember a few years ago when news stories kept popping up of people claiming they were unknowingly being tracked by an Apple Airtag? There have been quite a few changes since then and now Google and Apple have teamed up to create a new industry specification called “Detecting Unwanted Location Trackers”. This new capability enables alerts on both Android and iOS devices when an unknown Bluetooth tracking device is detected. This feature, which notifies users with a “Tracker traveling with you” alert, is now available on Android 6.0+ devices and iOS 17.5.
Exclusive offer: ransomware-as-a-service operation for sale
In the market to buy a ransomware group? You’re in luck! According to Bleeping Computer, a cybercriminal using the name “salfetka” claims to be selling the source code of the ransomware-as-a-service (RaaS) operation, INC Ransom, for $300,000. The threat actor announced the sale of both the Windows and Linux/ESXi versions of INC on the Exploit and XSS hacking forums, but stated they would be limiting the number of potential buyers to just three. While there are a couple signs that point to this sale being legitimate, INC has not posted any public announcement on their old o r new websites.
26 million potentially exposed in Post Millennial hack
The stolen information of more than 26 million people was added to the Have I Been Pwned website following an attack on the conservative news website, The Post Millennial. According to Bleeping Computer, although it has not been confirmed that the data was stolen directly from the site, the exposed data allegedly includes names, emails, account passwords, and physical addresses of the news organization’s writers, editors, and subscribers