Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum. Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors. The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.
These days, most of us have telephones that display the number that's calling before we answer. This "feature" actually goes right back to the 1960s, and it's known in North American English as Caller ID, although it doesn't actually identify the caller, just the caller's number. Elsewhere in the English-speaking world, you'll see the name CLI used instead, short for Calling Line Identification, which seems at first glance to be a better, more precise term.
The Cybersecurity and Infrastructure Security Agency and Director Jen Easterly have been impersonated on Mastodon this week, including on infosec.exchange, an instance of the fast-growing decentralized social network for the infosec and cybersecurity community. "There were several CISA impersonator accounts across the fediverse on various instances, including one on infosec.exchange, purporting to be [Easterly]," Jerry Bell, the server owner and administrator of infosec.exchange, said via email.
It's called a "patch gap" and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of devices from Pixel, Samsung, Xiaomi, and other Android brands. According to Google's Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM "promptly" issued a patch in July and August.
An emergency Chrome update that Google announced on Thanksgiving Day addresses an actively exploited zero-day in the popular browser. Tracked as CVE-2022-4135, the high-severity vulnerability is described as a heap buffer overflow in Chrome's GPU component. "Google is aware that an exploit for CVE-2022-4135 exists in the wild," the internet giant notes. Typically leading to crashes, heap-based buffer overflow vulnerabilities could be exploited to cause denial-of-service (DoS) conditions.
The Vice Society ransomware operation has claimed responsibility for a cyberattack on Cincinnati State Technical and Community College, with the threat actors now leaking data allegedly stolen during the attack. The hackers posted a long list of documents on their Tor data leak site that they claim were stolen from the college, indicating that a ransom was never paid. The documents date from several years ago until November 24, 2022, possibly indicating that the threat actors maintain access to the breached systems.
The APT group DefrayX appears to have launched a new version of its RansomExx malware, rewritten in the Rust programming language -- possibly to avoid detection by antivirus software. According to IBM Security X-Force Threat researchers, that evasion may be successful, at least for now. IBM reported that one sample that it analyzed "was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission."
The day has come: it's Black Friday, and once-in-a-year promotions, discounts and deals are everywhere. The rush to grab a bargain has started in earnest, and in times of soaring inflation many deal-hungry shoppers are ready to make big purchases, perhaps the kinds of purchases they didn't get to make earlier in the year. As if that weren't enough, Cyber Monday is soon upon us just days later, making us crave yet more deals online!