Round Up of Major Breaches and Scams
Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums. Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees. Subscribers who need extra money to pay a bill can get a payday loan up to $100, but cannot receive another loan until it is repaid.
During a recently concluded 12-month study of the Alexa Skills Store review process, academics said they managed to smuggle 234 policy-breaking Alexa skills (apps) into the official Alexa store. The study’s results are actually worse than it looks because academics tried to upload 234 policy-breaking apps, and managed to get them all approved, without serious difficulties.
A new campaign of malicious photo apps on Google Play floods Android devices with random ads instead of functioning as advertised. They also elude detection by making its icon disappear from the device home screen soon after it’s downloaded. Researchers at the White Ops Satori Threat Intelligence and Research Team discovered the Android apps — 29 in total — which they said “manifested suspiciously high volumes of ad traffic” during threat-hunting investigations, according to a recent report.
Round Up of Major Malware and Ransomware Incidents
Hundreds of unsecured databases exposed on the public web are the target of an automated ‘meow’ attack that destroys data without any explanation. The activity started recently by hitting Elasticsearch and MongoDB instances without leaving any explanation, or even a ransom note. Attacks then expanded to other database types and to file systems open on the web.
An unknown vigilante hacker has been sabotaging the operations of the recently-revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected. The sabotage, which started three days ago, on July 21, has grown from a simple joke to a serious issue impacting a large portion of the Emotet operation. According to Cryptolaemus, a group of white-hat security researchers tracking the Emotet botnet, the vigilante is now poisoning around a quarter of all Emotet’s payload downloads.
Round Up of Major Vulnerabilities and Patches
Leading commercial drone maker DJI is hitting back against researcher allegations that its Android mobile application is riddled with privacy holes. One includes that the app continues to run in the background even after it’s been closed and collects sensitive data from users without consent. The privacy issues discovered in the DJI GO 4 application, which is the complementary app used to control DJI drones, and which has over 1 million Google Play downloads.
The U.S. CISA is warning of the active exploitation of the unauthenticated remote code execution CVE-2020-5902 vulnerability affecting F5 Big-IP ADC devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the active exploitation of the unauthenticated remote code execution (RCE) CVE-2020-5902 vulnerability affecting F5 Big-IP ADC devices.
Power plants, factories, oil and gas refineries and more are all in the sights of foreign adversaries, the U.S. warns. The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert warning that adversaries could be targeting critical infrastructure across the U.S. Separately, ICS-CERT issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module.