Round Up of Major Breaches and Scams
After taking a closer look at the code of the popular dating app Bumble, where women typically initiate the conversation, Independent Security Evaluators researcher Sanjana Sarda found API vulnerabilities that exposed users' personal information, including political leanings, astrological signs, education, height and weight, and their distance away in miles. The flaws not only allowed her to bypass paying for Bumble Boost premium services, but also gave her access to personal information for the platform's entire user base of nearly 100 million.
Japanese game giant Capcom has announced a data breach after confirming that attackers stole sensitive customer and employee information during a recent ransomware attack. Capcom is the developer of well-known game franchises, including Street Fighter, Resident Evil, Ghosts and Goblins, Devil May Cry, and Mega Man.
Round Up of Major Malware and Ransomware Incidents
Cybercriminals are targeting visitors to adult websites such as bravoporn[.]com and hamster[.]com with malvertising that redirects victims to malicious sites serving malware. The campaign, part of a larger malvertising effort dubbed malsmoke, has been tracked throughout 2020.
Round Up of Major Vulnerabilities and Patches
Three bugs in Citrix SD-WAN Center would allow remote code execution and network takeover, according to researchers. The flaws affect SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8. They consist of an unauthenticated path traversal and shell injection in stop_ping (CVE-2020-8271), an authentication bypass in ConfigEditor (CVE-2020-8272), and a shell injection in CreateAzureDeployment (CVE-2020-8273). Severity scores have not yet been issued.
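The two bug classes named in that item, shell injection and path traversal, both come from the same root cause: untrusted input reaching a shell or a filesystem path unchecked. The block below is an added, generic illustration of each pattern beside its hardened form. It is constructed example code, not Citrix's code, and nothing in it is derived from the actual stop_ping or CreateAzureDeployment handlers; the function names, the hostname allow-list and the sample inputs are all assumptions made for the example.

```python
"""Generic illustration of shell injection and path traversal, each shown
as the vulnerable pattern beside a hardened version.

Constructed example code: not Citrix's code, and not derived from the
SD-WAN Center handlers named in the advisory.
"""
import os
import re
import subprocess

# Assumed allow-list: hostnames and IP literals only. The first character
# must be alphanumeric so the value can never be parsed as a ping option.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-:]{0,252}$")


def run_ping_unsafe(target: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell command
    string. A target such as '127.0.0.1; echo INJECTED' makes the shell
    run the second command regardless of what ping does."""
    proc = subprocess.run("ping -c 1 " + target, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def ping_argv(target: str) -> list:
    """Hardened: validate against the allow-list, then build an argv list
    so no shell ever interprets the value. Run it with
    subprocess.run(ping_argv(target)) (shell=False is the default)."""
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def resolve_unsafe(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: joining user input onto a base directory.
    '../' segments (or an absolute path) walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_safe(base_dir: str, user_path: str) -> str:
    """Hardened: resolve symlinks and '..' first, then require the result
    to remain under base_dir. An absolute user_path also fails, because
    os.path.join discards base_dir for it and the check then rejects it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs.
    print(run_ping_unsafe("127.0.0.1; echo INJECTED"))   # shows INJECTED
    print(ping_argv("example.com"))
    print(resolve_unsafe("/srv/app/logs", "../../etc/passwd"))
    for bad in ("127.0.0.1; echo INJECTED", "-f"):
        try:
            ping_argv(bad)
        except ValueError as exc:
            print("blocked:", exc)
```

The hardened ping function never touches a shell, so metacharacters are irrelevant; the allow-list is still worth keeping because it stops option injection such as a target beginning with "-". For the path check, comparing realpaths rather than the raw strings is what defeats both ".." sequences and symlinks planted under the base directory.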
Microsoft is investigating a new known issue that causes enterprise domain controllers to experience Kerberos authentication problems after installing the security updates for CVE-2020-17049 released on this month's Patch Tuesday, November 10. Kerberos replaced NTLM as the default authentication protocol for domain-joined devices starting with Windows 2000.
A group of researchers from the University of Birmingham has devised a new attack that can break the confidentiality and integrity of Intel Software Guard Extensions (SGX) enclaves through controlling the CPU core voltage. The attack relies on VoltPillager, a low-cost tool for injecting messages on the Serial Voltage Identification bus between the CPU and the voltage regulator on the motherboard, and can be used to fault security-critical operations.