IT Security Newsletter

IT Security Newsletter - 5/24/2022

Written by Cadre | Tue, May 24, 2022

General Motors credential stuffing attack exposes car owners info

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. General Motors operates an online platform to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills, services, and redeem rewards points. READ MORE...

RansomHouse: Bug bounty hunters gone rogue?

A new cybercrime outfit that calls itself RansomHouse is attempting to carve out a niche of the cyber extortion market for itself by hitting organizations, stealing their data, and offering to delete it and provide a full report on how and what vulnerabilities were exploited in the process - all for a fee, of course. How the group breaches the target companies is known at this time, but they profess they do not to encrypt organizations' data, just steal it and promise to delete it if they get paid. READ MORE...

Hackers Can 'Pre-Hijack' Online Accounts Before They Are Created by Users

Threat actors could gain access to users' online accounts by leveraging a new type of technique that involves pre-hijacking an account before it's actually registered by the victim. "Account pre-hijacking" is a new class of attacks that can be used to gain access to a targeted account, and many online services could be vulnerable. Account pre-hijacking was analyzed by independent researcher Avinash Sudhodanan and Andrew Paverd of the Microsoft Security Response Center. READ MORE...

Screencastify fixes bug that would have let rogue websites spy on webcams

Screencastify, a popular Chrome extension for capturing and sharing videos from websites, was recently found to be vulnerable to a cross-site scripting (XSS) flaw that allowed arbitrary websites to dupe people into unknowingly activating their webcams. A miscreant taking advantage of this flaw could then download the resulting video from the victim's Google Drive account. READ MORE...

"Tough to forge" digital driver's licenseā€¦ is easy to forge

In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades. READ MORE...

Malicious Python Repository Package Drops Cobalt Strike on Windows, macOS & Linux Systems

Public repositories of open source code are a critical part of the software supply chain that many organizations use to build applications. They are therefore an attractive target for adversaries seeking to distribute malware to a mass audience. The latest case in point is a malicious package for distributing Cobalt Strike on Windows, macOS, and Linux systems, which was uploaded to the widely used Python Package Index (PyPI) registry for Python application developers. READ MORE...

  • ...in 1883, the Brooklyn Bridge is opened over the East River in New York City, after 14 years of construction.
  • ...in 1935, the Cincinnati Reds beat the Philadelphia Phillies 2-1 in baseball's first-ever night game, played at Crosley Field in Cincinnati.
  • ...in 1941, Germany's largest battleship, the Bismarck, sinks the pride of the British fleet, HMS Hood, during the Battle of the Atlantic.
  • ...in 1963, novelist Michael Chabon ("The Amazing Adventures of Kavalier & Clay", "The Yiddish Policeman's Union") was born in Washington, D.C.