Cybersecurity News: Pokémon game developer breached, TrickMo’s new variants, Ivanti zero-days exploited

Pokémon game developer breached

Japanese video game developer Game Freak, the studio behind Pokémon, confirmed it was hacked earlier this year, resulting in a data breach affecting over 2,600 current and former employees. The attack, which occurred in August, involved unauthorized access to Game Freak’s servers and exposed personal data such as names and email addresses. While the company has not confirmed the leak of any upcoming or unreleased projects, some reports suggest that source code, design documents, and other never-before-seen Pokémon-related materials may have surfaced online. 

(The Record)

TrickMo hits with 40 new trojan variants

A new wave of TrickMo malware is stealing Android PINs with fake lock screens, targeting users in Canada, the UAE, Turkey, and Germany. Security firm Zimperium reports that the malware, which has evolved into 40 variants, now includes one-time password interception, remote control, and PIN theft via a deceptive unlock screen. By abusing Android’s Accessibility Services, TrickMo overlays phishing screens on banking apps to steal credentials, then uses the captured PIN to unlock the infected device and commit fraud directly on it. Zimperium estimates at least 13,000 victims have been affected to date. 

(Bleeping Computer)

Nation-state actor exploits Ivanti zero-days

A suspected nation-state actor has been exploiting three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) to gain unauthorized access to the appliances, according to Fortinet FortiGuard Labs. The vulnerabilities, which include command injection and path traversal flaws, allowed the attackers to steal admin credentials, drop web shells, and deploy tools such as ReverseSocks5 to pivot into internal networks. After Ivanti disclosed one of the vulnerabilities, the attackers attempted to patch the flaws themselves, likely to lock out other intruders and keep exclusive access. 

(The Hacker News), (Security Affairs)

Trump campaign secures ‘unhackable’ phones

Less than a month until election day, the Trump campaign says it has turned to military-grade “unhackable” phones to prevent further intrusions by Iranian hackers. To avoid a repeat of stolen emails and data, the campaign is using secure phones and computers running Green Hills Software’s high-assurance operating system, which is used in stealth bombers and fighter jets. Along with the “unhackable” claim, the company says the system consists of just 10,000 lines of code and that it locks down “absolutely everything” it can to minimize the attack surface. Green Hills is also offering the technology to the Harris campaign to protect against similar threats; it is not commercially available to the public.

(The Register)

Thanks to today’s episode sponsor, Conveyor

It’s spooky season, and nothing’s scarier than all of your account execs asking if you’re done with their customer security questionnaires. Don’t worry—Conveyor is here to help. 

Conveyor’s market leading AI automates the most time-consuming parts of customer security reviews: answering security questionnaires and sharing security docs like your SOC 2 with customers.

Get instant AI answers to questionnaires and host an enterprise-grade trust center where customers can download documents and self-serve answers to their own questions.

End the horror show. Try it for free at www.conveyor.com.

Entry point vulnerabilities lead to supply chain attacks

Security researchers have uncovered weaknesses in the entry point mechanism of multiple packaging ecosystems, including PyPI, npm, and RubyGems, that allow attackers to stage software supply chain attacks. An entry point lets a package register a command-line executable under a name of its choosing; a malicious package can register one under the name of a popular command so that the attacker’s code runs whenever the victim types that command, sidestepping traditional security controls. With command-jacking the attacker’s script simply replaces the real tool, while with command wrapping it runs its payload and then hands off to the real tool so that normal functionality is preserved, making the compromise hard to spot. The researchers say organizations need to account for entry point abuse in their security programs.

(The Hacker News)
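One practical check for the command-jacking described above is to list every console_scripts entry point a Python environment installs and flag those whose names collide with well-known tools or with executables that already exist on PATH outside the interpreter’s own bin directory. The script below is an added example written for this digest; it is not code from the article or from the researchers it cites. The watch list and the name-to-distribution allowlist are constructed for illustration, and the sample entries in the usage note are hypothetical.

```python
"""Audit a Python environment for console_scripts entry points that could be
command-jacking: a package registering a command whose name collides with a
well-known tool, or with an executable already present on PATH outside the
current interpreter's prefix.

Added example, not code from the article or the research it reports on."""
import os
import sys
from importlib import metadata

# Constructed watch list of commands an attacker would want to impersonate
# (hypothetical; extend it for your environment).
HIGH_VALUE_COMMANDS = {
    "aws", "gcloud", "az", "kubectl", "docker", "git", "pip", "python",
    "npm", "node", "terraform", "ssh", "sudo", "curl",
}

# Constructed allowlist: entry point name -> distribution expected to own it.
# 'aws' from awscli is normal; 'aws' from any other distribution is not.
EXPECTED_OWNERS = {"aws": "awscli", "pip": "pip"}


def installed_console_scripts():
    """Return [(entry_point_name, distribution_name, target), ...] for every
    console_scripts entry point visible to this interpreter."""
    eps = metadata.entry_points()
    if hasattr(eps, "select"):                 # Python 3.10+: EntryPoints object
        selected = list(eps.select(group="console_scripts"))
    else:                                      # Python 3.8/3.9: dict of lists
        selected = list(eps.get("console_scripts", []))
    out = []
    for ep in selected:
        dist = getattr(ep, "dist", None)       # .dist is only available on 3.10+
        dist_name = dist.metadata["Name"] if dist is not None else "?"
        out.append((ep.name, dist_name, ep.value))
    return out


def external_commands_on_path(prefix=sys.prefix, path=None):
    """Names of executables in PATH directories that are NOT under `prefix`,
    i.e. the real tools that a venv's bin/ script (which is normally earlier
    on PATH once the venv is activated) would shadow."""
    prefix = os.path.abspath(prefix)
    names = set()
    path = os.environ.get("PATH", "") if path is None else path
    for d in path.split(os.pathsep):
        if not d:
            continue
        full = os.path.abspath(d)
        if full == prefix or full.startswith(prefix + os.sep):
            continue
        try:
            entries = os.listdir(d)
        except OSError:
            continue
        for f in entries:
            p = os.path.join(d, f)
            if os.path.isfile(p) and os.access(p, os.X_OK):
                names.add(f)
    return names


def audit(entries, watchlist=HIGH_VALUE_COMMANDS, external=None,
          expected=EXPECTED_OWNERS):
    """Flag entry points that look like command-jacking.

    entries  : iterable of (name, dist_name, target)
    external : set of command names found on PATH outside the interpreter
               prefix (computed from the live environment when None)
    expected : name -> dist allowlist; a matching pair is treated as legitimate
    Returns a list of findings, each a dict carrying the reasons it fired."""
    if external is None:
        external = external_commands_on_path()
    findings = []
    for name, dist_name, target in entries:
        if expected.get(name) == dist_name:
            continue                            # the package meant to own this name
        reasons = []
        if name in watchlist:
            reasons.append("impersonates high-value command")
        if name in external:
            reasons.append("shadows an executable already on PATH")
        if reasons:
            findings.append({"name": name, "dist": dist_name,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Run against the live environment; review every hit, since a legitimate
    # package can also claim a popular name.
    for f in audit(installed_console_scripts()):
        print(f"{f['name']:<12} {f['dist']:<24} {f['target']:<40} "
              f"{'; '.join(f['reasons'])}")
```

A hypothetical environment containing ("aws", "evil-pkg", "evil:main"), ("aws", "awscli", "awscli.clidriver:main"), ("mytool", "mypkg", "mypkg.cli:main") and ("ls", "evil-pkg", "evil:wrap") yields two findings: the evil-pkg "aws" script (watch list hit, not the expected owner) and the evil-pkg "ls" script (shadows the system binary). The check catches command wrapping as well as plain jacking, because both rely on the same name collision; what it cannot catch is a malicious entry point registered under a name that collides with nothing, so it complements rather than replaces reviewing what a new dependency installs.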

Must patch flaw exposes tens of thousands

We are now getting a clearer idea of how many IPs are exposed to the Fortinet vulnerability that CISA added to its Known Exploited Vulnerabilities catalog last week. According to CyberScoop, around 87,000 IPs are likely susceptible to the flaw, which carries a CVSS score of 9.8. Fortinet released a fix in February, but the issue remains widespread, with most of the vulnerable IPs located in Asia, North America, and Europe. Federal agencies are required to remediate it by the end of October.

(CyberScoop)

Tor Browser patched for Firefox zero-day

Shortly after Mozilla rolled out Firefox 131.0.2 with a fix for a critical zero-day vulnerability (CVE-2024-9680), the Tor Browser was updated to patch the same issue. The bug, a use-after-free in Animation timelines that can lead to remote code execution, had been actively exploited in the wild, as confirmed by Mozilla and reported by ESET. Mozilla delivered its fix within 25 hours of the issue being reported, and the Tor Browser update followed shortly after.

(Security Week)

Robot vacuums gone rogue

This is one of those stories that’s funny to imagine happening to other people, but I definitely wouldn’t want it happening in my home. Multiple reports across the U.S. have surfaced of robot vacuums yelling obscenities and chasing pets after hackers gained access to the devices’ live camera feeds and remote control features. The affected robots were all Chinese-made Ecovacs Deebot X2 models. The company has since stated that it ‘identified a credential stuffing event’ and blocked the IP address responsible, promising a security update for ‘further enhanced security’ in November.

(The Verge)

Lauren Verno
Lauren Verno, an award-winning journalist, embraces her expertise, transitioning seamlessly into a cyber defender to bring you captivating updates on cybersecurity news.