
Apple pays $288,000 to hackers who reported vulnerabilities, Google adds password breach alerts to Chrome, and more

Major cybersecurity events on 9th October 2020 (Morning Post): Office of the Comptroller of the Currency fines Morgan Stanley $60 million for 2016 data breach. Sam’s Club customer accounts hacked in credential stuffing attacks. Android ransomware abuses notification services, warns Microsoft.

Round Up of Major Breaches and Scams

Apple pays $288,000 to white-hat hackers who had run of company’s network

For months, Apple’s corporate network was at risk of hacks that could have stolen sensitive data from potentially millions of its customers and executed malicious code on their phones and computers, a security researcher said on Thursday. Sam Curry, a 20-year-old researcher who specializes in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of core Apple infrastructure and from there steal private emails, iCloud data, and other private information.

Community Health Systems settles charges by 28 states over 2014 data breach

CHSPSC LLC (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people.

Google adds password breach alerts to Chrome for Android, iOS

Google is bringing new security features to the Android and iOS versions of its Chrome web browser. Chrome 86, which was released earlier this week, adds features aimed at bolstering password protection as well as providing a safer, more secure browsing experience. Much like a feature that is already available for Chrome on computers, the browser’s version for mobile platforms will now compare your saved login credentials against a list of login details that are known to have been compromised.

Office of the Comptroller of the Currency fines Morgan Stanley $60 million for 2016 data breach

Morgan Stanley was slapped with a $60 million fine by regulators Thursday for risk management problems tied to a 2016 data breach. The consent order by the Comptroller of the Currency cited failures at both Morgan Stanley Bank, N.A., and Morgan Stanley Private Bank, N.A. related to the shutdown of two wealth management data centers and the company’s use of third-party vendors to help with the closures.

Facebook removes fake accounts it linked to Turning Point

Facebook said it removed hundreds of fake accounts and pages on Thursday that had denigrated Democratic presidential candidate Joe Biden while boosting GOP President Donald Trump. The company also said it had banned a marketing agency as part of the influence operation that it linked to prominent, youth-driven conservative organization Turning Point USA. The marketing firm, Rally Forge, also worked to undermine mail-in voting with comments on news stories posted to its platform, Facebook said.

Round Up of Major Malware and Ransomware Incidents

Massachusetts school district shut down by ransomware attack

The Springfield Public Schools district in Massachusetts has become the victim of a ransomware attack that has caused the closure of schools while they investigate the cyberattack. Springfield is the third largest school district in Massachusetts with over 25,000 students, 4,500 employees, and more than sixty schools. Due to the COVID-19 pandemic, the school district opened in a remote learning model, with a planned transition to hybrid learning towards the end of October.

Sam’s Club customer accounts hacked in credential stuffing attacks

Over the past two weeks, Sam’s Club has started sending automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks. Sam’s Club, owned by Walmart, is an American chain of membership-only retail warehouse clubs operating since 1983. The brand is frequently listed alongside Costco and BJ’s Wholesale Club. BleepingComputer had been closely monitoring these notifications over this period and has heard from Sam’s Club.

Microsoft Warns of Android Ransomware Abusing Notification Services

Microsoft warned users on Thursday that it has spotted a sophisticated piece of Android ransomware that abuses notification services to display a ransom note. Android ransomware typically allows cybercriminals to make a profit not by encrypting files — such as in the case of ransomware targeting desktop systems — but by displaying a full-screen ransom note that is difficult for the user to remove.

HEH P2P Botnet Sports Dangerous Wiper Function

The P2P malware is infecting any and all types of endpoints via brute-forcing, with 10 versions targeting desktops, laptops, mobile and IoT devices. A freshly discovered botnet dubbed HEH by researchers is casting a wide net, looking to infect any and all devices that use Telnet on ports 23/2323. It’s particularly destructive: It contains code that wipes all data from infected systems.

Round Up of Major Vulnerabilities and Patches

QNAP Releases Security Updates for QNAP Helpdesk

QNAP Systems has released security updates to address vulnerabilities in QNAP Helpdesk. An attacker could exploit these vulnerabilities to take control of an affected QNAP network-attached storage (NAS) device. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review QNAP Security Advisory QSA-20-08 and apply the necessary updates.

Microsoft Azure Flaws Open Admin Servers to Takeover

Researchers have disclosed two flaws in Microsoft’s Azure web hosting application service, App Services, which if exploited could enable an attacker to take over administrative servers. Azure App Services is an HTTP-based service for hosting web applications, and is available in both Microsoft Azure Cloud and on-premise installations. Researchers found two vulnerabilities in the cloud service that specifically affect Linux servers.

Cisco Fixes High-Severity Webex, Security Camera Flaws

Cisco has issued patches for high-severity vulnerabilities plaguing its popular Webex video-conferencing system, its video surveillance IP cameras and its Identity Services Engine network administration product. Overall, Cisco on Wednesday disclosed the three high-severity flaws along with 11 medium-severity vulnerabilities. The most severe of these is a flaw (CVE-2020-3544) in Cisco’s Video Surveillance 8000 Series IP Cameras, which ranks 8.8 out of 10 on the CVSS scale.

US Election-Related Websites Vulnerable to Fraud, Abuse

New research finds the vast majority of reputable news, political, and donor-oriented sites don’t use registry locks. The vast majority of websites that link to the two presidential campaign sites do not use basic DNS security controls, new research shows. In August, CSC’s Digital Brand Services division identified 988 outgoing and referral domains that link to the two presidential campaign sites – and found more than 90% of them do not use registry locks, says Mark Calandra, executive vice president of CSC DBS.