IT Security Newsletter - 10/09/2020
Sam's Club customer accounts hacked in credential stuffing attacks
Over the past two weeks, Sam's Club has started sending automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks. Sam's Club, owned by Walmart, is an American chain of membership-only retail warehouse clubs operating since 1983. The brand is frequently listed alongside Costco and BJ's Wholesale Club. BleepingComputer had been closely monitoring these notifications over this period and has heard from Sam's Club. READ MORE...
Negligent data center shutdowns bring $60 million fine for Morgan Stanley
Investment bank Morgan Stanley is paying a $60 million fine to the U.S. government for mishandling the decommissioning of two data centers in 2016, and potentially exposing customer information. The bank reported the problem to wealth management customers this summer, saying that pieces of hardware from the facilities still had some customer data on them after they reached a recycler. In 2019, a similar situation arose during the decommissioning of network devices that stored customer data. READ MORE...
Massachusetts school district shut down by ransomware attack
The Springfield Public Schools district in Massachusetts has become the victim of a ransomware attack that has caused the closure of schools while they investigate the cyberattack. Springfield is the third largest school district in Massachusetts with over 25,000 students, 4,500 employees, and more than sixty schools. Due to the COVID-19 pandemic, the school district opened in a remote learning model, with a planned transition to hybrid learning towards the end of October. READ MORE...
Fitbit gallery can be used to distribute malicious apps
A security researcher discovered that malicious apps for Fitbit devices can be uploaded to the legitimate Fitbit domain and users can install them from private links. With some social engineering, hackers could take advantage of this and trick users into adding apps to obtain the wealth of personal information typically collected from Fitbit device sensors or the phone. Fitbit develops fitness activity tracking wearables (smartwatches, bands) providing the user with metrics. READ MORE...
Cisco Fixes High-Severity Webex, Security Camera Flaws
Three high-severity flaws exist in Cisco's Webex video conferencing system, Cisco's Video Surveillance 8000 Series IP Cameras and Identity Services Engine. Cisco has issued patches for high-severity vulnerabilities plaguing its popular Webex video-conferencing system, its video surveillance IP cameras and its Identity Services Engine network administration product. Overall, Cisco on Wednesday disclosed the three high-severity flaws along with 11 medium-severity vulnerabilities. READ MORE...
Ransomware gang now using critical Windows flaw in attacks
Microsoft is warning that cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability into their attacks. The alert comes after the company noticed ongoing attacks from cyber-espionage group MuddyWater (SeedWorm) in the second half of September. This time, the threat actor is TA505, an adversary who is indiscriminate about the victims it attacks, with a history starting with the distribution of the Dridex banking trojan in 2014. Over the years, the actor has been involved in attacks delivering a wide variety of malware, READ MORE...
IBM to split into two companies by end of 2021
IBM announced this morning that the company would be spinning off some of its lower-margin lines of business into a new company and focusing on higher-margin cloud services. During an investor call, CEO Arvind Krishna acknowledged that the move was a "significant shift" in how IBM will work, but he positioned it as the latest in a decades-long series of strategic divestments. "We divested networking back in the '90s, we divested PCs back in the 2000s, we divested semiconductors about five years ago..." READ MORE...
Console hackers are shocked after DOJ arrests prominent mod-chip makers
Anyone who follows the console-hacking scene is by now used to the familiar stories of legal efforts to put a stop to the practice. Companies like Nintendo frequently make use of court orders, cease and desist letters, and civil lawsuits to stop the distribution of game ROMs and/or devices that allow those ROMs (and homebrew software) to run on their hardware. Still, some members of the console-hacking community expressed surprise at the recent arrests of Gary "GaryOPA" Bowser and Max "MAXiMiLiEN" Louarn. READ MORE...
- ...in 1919, the Cincinnati Reds win the World Series after eight members of the Chicago White Sox throw the game, resulting in the infamous "Black Sox" Scandal.
- ...in 1962, the visible light-emitting diode (LED), now the basis for most modern video, computer, and phone screens, is first demonstrated in Syracuse, New York.
- ...in 1964, Mexican-American film director Guillermo del Toro ("The Shape of Water", "Pan's Labyrinth") is born in Guadalajara.
- ...in 1980, Pope John Paul II greets the Dalai Lama during a private audience in Vatican City.