Over 300K Spotify accounts hacked in credential stuffing attack, Fake Minecraft mods swamp over 1M Android devices with ads, and more

Major cybersecurity events on 24th November 2020 (Morning Post): Over 300K Spotify accounts hacked in credential stuffing attack, Fake Minecraft mods swamp over 1M Android devices with ads, Tesla Model X key fobs could be hacked to steal cars.

Round Up of Major Breaches and Scams

Private pictures of four female British athletes posted online in widespread cyberattack

Four British athletes have been the victims of a cyberattack in which their intimate photographs and videos were posted online. This attack has affected hundreds of female sports stars and celebrities.

Over 300K Spotify accounts hacked in credential stuffing attack

Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources.

Chinese APT Group Returns to Target Catholic Church & Diplomatic Groups

Chinese advanced persistent threat (APT) group TA416, whose previous activity has been attributed to “Mustang Panda” and “RedDelta,” has re-emerged with new changes to its documented tool sets so it can continue launching espionage campaigns.

Anonymous Hacks Uganda Police Website

Hacktivists have reportedly downed the website of Uganda Police in the wake of protests triggered by the arrest of Robert Kyagulanyi Ssentamu, also known by his pop star alias, Bobi Wine. Wine is the presidential candidate of the center-left progressive political party, the National Unity Platform (NUP).

Chinese E-Commerce Scammers Trade Customer Card Data on Dark Web

A Chinese e-commerce cyber-espionage campaign is suspected to be illicitly collecting payment information of unwitting consumers via hundreds of fraudulent e-commerce websites that appear to be genuine, the latest research from Gemini Advisory revealed. Over 200 of the 600 online scam sites are said to be linked to the Chinese acquiring bank, Jilin Jiutai Rural Commercial Bank.

Fake Minecraft mods swamp over 1M Android devices with ads

Fraudsters bypassed Google’s protections for the official Play Android store and published more than 20 fake modpacks for the popular game Minecraft. The apps are empty shells designed to lure kids and teenagers who want to modify their gameplay. They do not deliver malware, but once installed they make normal use of the phone impossible. The bogus modpacks aggressively display full-screen advertisements after installation.

Round Up of Major Malware and Ransomware Incidents

Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware

Sonatype’s deep-dive research analysis has concluded that both “xpc.js” and the malicious components identified last week are part of a newly identified family of Discord malware called CursedGrabber.

Round Up of Major Vulnerabilities and Patches

Microsoft Releases Out-of-Band Update for Kerberos Authentication Issues

Microsoft last week released an out-of-band update for Windows to address authentication issues related to a recently patched Kerberos vulnerability. The issue is related to the PerformTicketSignature registry subkey value in CVE-2020-17049, a security feature bypass bug in the Kerberos Key Distribution Center (KDC) that Microsoft fixed on the November 2020 Patch Tuesday.

Security Researchers Sound Alarm on Smart Doorbells

A new analysis of 11 relatively inexpensive video doorbells uncovered high-risk vulnerabilities in all of them. The most serious among them was the practice by some of the devices of sending Wi-Fi names, passwords, location information, photos, video, email, and other data back to the manufacturer for no obvious reason.

Tesla Model X key fobs could be hacked to steal cars, fix released

Researchers at the University of Leuven in Belgium found vulnerabilities in the keyless entry system of the Tesla Model X that would have allowed attackers to steal the $100,000 car within just a few minutes. The security bugs allowed taking full control of the key fob and of the car by remotely updating the Tesla Model X’s BLE chip with specially crafted firmware.