Krebs on Security: Patch Tuesday Lowdown, October 2019 Edition
On Tuesday Microsoft issued software updates to fix almost five dozen security problems in Windows and software designed to run on top of it. By most accounts, it’s a relatively light patch batch this month. Here’s a look at the highlights. Happily, only about 15 percent of the bugs patched this week earned Microsoft’s most dire “critical” rating. Microsoft labels flaws critical when they could be exploited by miscreants or malware to seize control over a vulnerable system without any help from the user.
Twitter: We accidentally used security data to target users with ads
Twitter announced Tuesday that email addresses and phone numbers used to secure accounts had accidentally been used for advertising purposes. In a blog post, the company says the addresses and numbers were used in its “Tailored Audiences” product, which allows advertisers to target ads to customers based on the advertiser’s own marketing lists. Twitter does not know how many people were impacted by the error.
Group said to be behind attempted campaign hack has also gone after cybersecurity researchers
An Iran-linked hacking group that targeted a U.S. presidential campaign in recent months also has a history of trying to compromise cybersecurity analysts who have exposed the hackers’ operations, the analysts told CyberScoop. The hackers have previously sent researchers at Israeli company ClearSky Cyber Security malware-laced emails purporting to be from an antivirus company, according to Ohad Zaidenberg, the company’s senior cyber intelligence researcher.
Microsoft Blocks Credential Theft Attack Targeting Dozens of Orgs
Roughly 100 organizations were targeted in a large scale spear-phishing attack during early July by a malspam campaign distributing LokiBot information stealer payloads. The attackers targeted businesses from all over the world in their credential theft attack, with a focus on companies from the United Arab Emirates, Germany, and Portugal. The info-stealing Lokibot malware was the threat actors' tool of choice for harvesting and exfiltrating sensitive data once they would manage to compromise and infect their targets' computers.
Phishing attempts increase 400%, many malicious URLs found on trusted domains
1 in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 75% since January. A new Webroot report also highlights the importance of user education, as phishing lures have become more personalized as hackers use stolen data for more than just account takeover. Tyler Moffitt, Senior Threat Research Analyst, Webroot: “We are beginning to see hackers create more personalized phishing emails using data gathered in recent massive breaches."
BEC explodes as attackers exploit email’s identity crisis
850,000 domains worldwide now have DMARC records, a 5x increase since 2016, according to Valimail. However, less than 17% of global DMARC records are at enforcement — meaning fake emails that appear to come from those domains are still arriving in recipients’ inboxes. Among large companies, only one in five enterprise DMARC records is at enforcement, a significant factor in the wild success of business email compromise (BEC) attacks.
Malwarebytes Labs Explained: War Shipping
Yesterday, Mike from the mailroom came up and asked whether I knew anyone called “Simon Smith.” He received an envelope addressed to our company and to the attention of Mr. Smith, but there was no one by that name on his list of employees. So, the package was a mystery and I told Mike to return it to sender, which he did. A few weeks later, our firm was hit by ransomware. Who would’ve ventured a guess the two were related?
Researcher Adds $100,000 Worth of Credit to Voi E-Scooter App
A Swedish security enthusiast was able to take advantage of some weaknesses in the Voi scooter mobile app to get $100,000 worth of free rides. Voi is a Scandinavian micro-mobility startup that offers electric scooter riding services in partnership with cities and local communities. The company has raised over $80 million over three investment rounds since its launch in August 2018. Voi boasts having at least three million riders in 34 cities in 10 countries.
