<img src="https://secure.ruth8badb.com/159098.png" alt="" style="display:none;">

IT Security Newsletter - 10/8/2019

SHARE

Breaches_ITSEC-1

DoorDash reveals third-party data breach hit 4.9 million users

 DoorDash has revealed that an unauthorised third party accessed the data of approximately 4.9 million of its customers, drivers and merchants earlier in this year. The information taken included the last four digits of payment cards from both customers and the companies that use DoorDash for delivery. The San Francisco-based food delivery firm revealed the breach in a blog post confirming it affected members who joined on or before 5 April 2018.

Hacking_ITSEC

Muhstik Ransomware Victim Hacks Back, Releases Decryption Keys

A victim of the Muhstik Ransomware has hacked back against his attackers and released close to 3,000 decryption keys for victims along with a free decryptor to get their files back. Since the end of September, an attacker has been hacking into publicly exposed QNAP NAS devices and encrypting the files on them. This ransomware has been named Muhstik based on the .muhstik extension appended to encrypted files. The attacker would then demand 0.09 bitcoins, or approximately $700 USD, for a victim to get their files back.


Toms Shoes newsletter “hacked by a nice man”

Footwear retailer Toms has had its email newsletter compromised by someone who calls himself “a nice man”. As Motherboard reports, someone going by the name of “Nathan” sent an unauthorised message to the firm’s newsletter subscribers with the subject line “Toms hacked by a nice man.” And, rather than be told about the hottest deals for flip-flops, slip-ons and espadrilles were instead advised to spend a little less time looking at a screen:

Software_ITSEC

Signal immediately fixed FaceTime-style eavesdropping bug

Remember the FaceTime bug that allowed a caller to eavesdrop on your phone? Well, researchers recently discovered a similar one – this time in super-secret messaging app Signal. Reported in January 2019, the FaceTime bug allowed an attacker to call someone in Apple’s FaceTime and then add themselves to the chat session, even if the other party didn’t pick up. A bizarre logic flaw triggered an audio stream from the receiving phone, turning it into a digital eavesdropping device.

Exploits_ITSEC

D-Link Home Routers Open to Remote Takeover Will Remain Unpatched

D-Link won’t patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code. D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers).


APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn

State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials. The National Security Agency (NSA) issued a Cybersecurity Advisory Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August.


Cisco WebEx and Zoom video hit by security flaw

 Security researchers have uncovered a way for attackers to snoop on video conferences run on the Cisco WebEx and Zoom platforms. Dubbed "Prying Eye", the flaw spotted by Cequence Security is a weakness in web conferencing APIs that would allow attackers to use an enumeration attack to find open calls or meetings. Enumeration attacks refer to the practice of using brute force to guess ID numbers – in this case, for meetings or calls.