May 22, 2023

    This Week in Cybersecurity News - Week of May 22, 2023

    This week's roundup of cybersecurity news stories for the week of May 22, 2023. 

    Incidents, Breaches, and Attacks in the News

    Stories about cybersecurity attacks, security incidents, and data breaches.

    Meta Faces Hefty €1.2bn Fine For GDPR Breach In EU-US Data Transfers
    By Adeola Adegunwa - InformationSecurityBuzz
    Facebook’s owner Meta has been fined €1.2bn ($1.3m) by EU regulators for violating the General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on May 22, 2023. The Irish watchdog claimed that Meta’s transfers of personal data to the US on the basis of standard contractual clauses (SCCs) since 16 July 2020 violate GDPR.
    See Also: SecurityWeek, SC Media, WSJ, The Verge

    Food Distributor Sysco Says Cyberattack Exposed 126,000 Individuals
    By Ionut Arghire - SecurityWeek
    Food distributor Sysco Corporation is informing over 126,000 individuals that their personal information was compromised in a recent cyberattack. A multinational company headquartered in Houston, Texas, Sysco is one of the largest distributors of food products, kitchen equipment, smallware, and tabletop products to restaurants, lodging establishments, healthcare and education organizations, and other entities. The company initially disclosed the incident in early May, in a Form 10-Q filing with the US Securities and Exchange Commission (SEC), when it revealed that the data breach was identified on March 5, 2023, but said that the attackers likely had unauthorized access to its systems starting January 14, 2023.

    ASUS routers knocked offline worldwide by bad security update
    By Bill Toulas - Bleeping Computer
    ASUS has apologized to its customers for a server-side security maintenance error that has caused a wide range of impacted router models to lose network connectivity. The problem has been extensively reported on social media and discussion platforms since May 16, 2023, with people appearing puzzled by the simultaneous connectivity issues on multiple ASUS routers and others complaining about the lack of communication from the vendor's side.

    A different kind of ransomware demand: Donate to charity to get your data back
    By AJ Vicens - Cyberscoop
    A new and increasingly active ransomware group that’s attacked nearly 200 organizations in less than two months has a different spin on its extortion efforts: Don’t pay us, pay a charity. So far, this unnamed group that is at least publicly claiming to be driven by anti-capitalist sentiment and its own brand of cyber benevolence is largely targeting users of Zimbra, an online workplace collaboration tool.

    Dish Network likely paid ransom after recent ransomware attack
    By Sergiu Gatlan - Bleeping Computer
    Dish Network, an American television provider, most likely paid a ransom after being hit by a ransomware attack in February based on the wording used in data breach notification letters sent to impacted employees. While it didn't directly confirm it paid, Dish implied as much by saying that it "received confirmation that the extracted data has been deleted."
    See Also: SecurityAffairs, SecurityWeek

    Teen Charged in DraftKings Data Breach
    By Waqas - HackRead
    In December 2022, an in-depth report by shed light on a series of data breaches that had targeted two prominent online casinos, DraftKings and BetMGM. Now, an 18-year-old Wisconsin man has been accused of orchestrating a credential-stuffing campaign that targeted users of the popular US betting platform DraftKings.

    Luxottica confirms 2021 data breach after info of 70M leaks online
    By Bill Toulas - Bleeping Computer
    Luxottica has confirmed one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums. Luxottica is the world’s largest eyewear company, glasses, and prescription frames maker, and the owner of popular brands like Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many others. The company also operates Eyemed, a vision insurance company in the US.

    KeePass exploit helps retrieve cleartext master password, fix coming soon
    By Bill Toulas - Bleeping Computer
    The popular KeePass password manager is vulnerable to extracting the master password from the application's memory, allowing attackers who compromise a device to retrieve the password even when the database is locked. The issue was discovered by a security researcher known as 'vdohney,' who published a proof-of-concept tool allowing attackers to extract the KeePass master password from memory as a proof-of-concept (PoC).
    See Also: DarkReading, The Hacker News

    U.S. Federal Government Cybersecurity News

    Stories related to U.S. Federal government cybersecurity.

    Congress looks to expand CISA’s role, adding responsibilities for satellites and open source software
    By Christian Vasquez - Cyberscoop
    Lawmakers on Wednesday passed a series of bills to give the Cybersecurity and Infrastructure Security Agency (CISA) new responsibilities when it comes to safeguarding open source software, protecting U.S. critical infrastructure and expanding the cybersecurity workforce. The Senate Homeland Security and Governmental Affairs Committee advanced a bill that would require CISA to maintain a commercial public satellite system clearinghouse and create voluntary cybersecurity recommendations for the space sector. Additionally, the committee advanced legislation requiring CISA to create a pilot civilian cyber reserve program to respond to incidents.

    #CRESTCon: White House Shifts US Cybersecurity Strategy Towards International Cooperation
    By Kevin Poireault - Infosecurity Magazine
    The U.S. National Cybersecurity Strategy, launched in March 2023, significantly changes the government’s vision regarding the fight against cyber threats and has encouraged the U.S. to work internationally with ally countries.

    NIST Launches Cybersecurity Initiative for Small Businesses
    By Jonathan Reed - Security Intelligence
    For small organizations, the current cyber threat landscape is brutal. While big-name breaches steal the headlines, small businesses suffer the most from ransomware attacks. Additionally, other studies reveal that only half of all small businesses are prepared for a cyberattack. In the face of these challenges, NIST is creating a new initiative to help. To help smaller organizations face the growing cyber threat, NIST recently launched its Small Business Cybersecurity Community of Interest (COI). Here’s how this new association can help your organization move forward with a cyber readiness plan today.

    Cybersecurity Education News

    "How To" Guides, tutorials, and education related to cybersecurity.

    How to Switch to Using Passkeys With Your Google Accounts
    By David Nield - CSO
    The future is passkeys, not passwords: Google accounts are the latest to make the switch, following similar moves by Apple and Microsoft over the last couple of years (with other smaller names also making the switch). It means more convenience and more security for your account, and no need to have to remember dozens of lengthy passwords. This article gives a brief explanation of passkeys and shows how to use passkeys with your Google accounts. 

    Ethical Hacking Cheatsheet: A Beginner’s Guide to Penetration Testing
    By Mic Johnson - LHN
    The realm of ethical hacking is an exciting one, enabling security professionals to safeguard systems by thinking like a malicious hacker. This ethical hacking cheatsheet serves as your beginner’s guide to the intriguing world of penetration testing.

    Certified Ethical Hacker (CEH) Cheatsheet
    By Mic Johnson - LHN
    The Certified Ethical Hacker (CEH) is a prestigious professional certification provided by the EC-Council. It’s designed for cybersecurity practitioners who are primarily responsible for securing information systems. A CEH is skilled in understanding and knowing how to look for weaknesses and vulnerabilities in target systems, using the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner.

    Educating Your Board of Directors on Cybersecurity
    By Jennifer Gregory - Security Intelligence
    Many, if not the majority of, big decisions at organizations come from the boardroom. Typically, the board of directors focuses on driving the direction of the company. Because most boards approve yearly budgets, they have significant oversight of resources and areas of investment. As cybersecurity attacks continue to increase, organizations must make key budgeting decisions that can affect the future of the company. Cybersecurity issues are now increasingly brought up to the board of directors at organizations across all industries.

    Cybersecurity Opinion News

    Editorials and opinions on cybersecurity trends.

    Anton’s Security Blog Quarterly Q2 2023
    By Anton Chuvakin
    Great blog posts are sometimes hard to find (especially on Medium), so Dr. Anton Chuvakin decided to do a periodic list blog with his favorite posts of the past quarter. The posts are ranked by lifetime views. This covers both Anton on Security and posts from Google Cloud blog, and the Cloud Security Podcast too.

    Vulnerability and Exploit News

    News related to exploits and security vulnerabilities.

    The Real Risks in Google’s New .Zip and .Mov Domains
    By Lily Hay Newman - WIRED
    While the company’s new top-level domains could be used in phishing attacks, security researchers are divided on how big of a problem they really pose. At the beginning of May, Google released eight new top-level domains (TLDs)—the suffixes at the end of URLs, like “.com” or “.uk.” These little addendums were developed decades ago to expand and organize URLs, and over the years, the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) has loosened restrictions on TLDs so organizations like Google can bid to sell access to more of them. But while Google's announcement included light-hearted offerings like “.dad” and “.nexus,” it also debuted a pair of TLDs that are uniquely poised to invite phishing and other types of online scamming: “.zip” and “.mov”.

    Android phones are vulnerable to fingerprint brute-force attacks
    By Bill Toulas - Bleeping Computer
    Researchers at Tencent Labs and Zhejiang University have presented a new attack called 'BrutePrint,' which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device. The Chinese researchers managed to overcome existing safeguards on smartphones, like attempt limits and liveness detection that protect against brute-force attacks, by exploiting what they claim are two zero-day vulnerabilities, namely Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

    CISA Adds Three Known Exploited Vulnerabilities to Catalog
    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2004-1464 Cisco IOS Denial-of-Service Vulnerability, CVE-2016-6415 Cisco IOS, IOS XR, and IOS XE IKEv1 Information Disclosure Vulnerability, and CVE-2023-21492 Samsung Mobile Devices Insertion of Sensitive Information Into Log File Vulnerability.

    CISA warns of Samsung ASLR bypass flaw exploited in attacks
    By Sergiu Gatlan - Bleeping Computer
    CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection. ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device's memory.

    Researchers show ways to abuse Microsoft Teams accounts for lateral movement
    By Lucian Constantin - CSO
    Researchers from security firm Proofpoint investigated how attackers could abuse access to a Teams account and found some interesting attack vectors that could allow hackers to move laterally by launching further phishing attacks or getting users to download malicious files. "Our analysis of past attacks and ongoing trends within the dynamic cloud threat landscape indicates that attackers progressively pivot to more advanced attack vectors," the Proofpoint researchers said in their report. "The adoption of new attack techniques and tools, when combined with apparent security flaws, including dangerous functionalities in first-party apps, exposes organizations to a variety of critical risks."
