Information

17 Nov

Black Friday and retail season – watch out for PayPal “money request” scams

Information

by Paul Ducklin Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet… …including, of course, right here on Naked Security! As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year. Don’t take cybersecurity seriously only when it’s Thanksgiving, Hannukah, Kwanzaa, Christmas or any other gift-giving holiday, or…

Read More
17 Nov

S3 Ep109: How one leaked email password could drain your business

Information

by Paul Ducklin DON’T LET ONE LOUSY EMAIL PASSWORD SINK THE COMPANY Microsoft’s tilt at the MP3 marketplace. Apple’s not-a-zero-day emergency. Cracking the lock on Android phones. Browser-in-the-Browser revisited. The Emmenthal cheese attack. Business Email Compromise and how to prevent it. Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to…

Read More
17 Nov

OpenSSF Adopts Microsoft-Built Supply Chain Security Framework

Information, News

The Open Source Security Foundation (OpenSSF) on Wednesday announced the adoption of Secure Supply Chain Consumption Framework (S2C2F), a Microsoft-built framework for consuming open source software. In use within Microsoft since 2019 and made public in August 2022, S2C2F defines real-world threats to open source software (OSS) and includes requirements to mitigate them. The consumption-focused framework takes a threat-based, risk-reduction approach to mitigating supply chain threats against the OSS. The framework includes eight different areas…

Read More
16 Nov

Firefox fixes fullscreen fakery flaw – get the update now!

Information

by Paul Ducklin Firefox’s latest once-every-four-weeks security update is out, bringing the popular alternative browser to version 107.0, or Extended Support Release (ESR) 102.5 if you prefer not to get new feature releases every month. (As we’ve explained before, the ESR version number tells you which feature set you have, plus the number of times it’s had security updates since then, which you can reocncile this month by noticing that 102+5 = 107.) Fortunately, there…

Read More
16 Nov

US Gov Warning: Start Hunting for Iranian APTs That Exploited Log4j

Information, Malware, News

The U.S. government on Wednesday issued a blunt recommendation for organizations running VMWare Horizon servers: Initiate threat-hunting activities to find and expel Iranian APT actors that used the Log4j crisis to slip undetected into corporate networks. According to a joint advisory from CISA and the FBI, Iranian government-sponsored hackers hit at least one Federal Civilian Executive Branch (FCEB) organization with an exploit for a Log4j vulnerability in an unpatched VMware Horizon server.  From the advisory…

Read More
16 Nov

Disneyland Malware Team: It’s a Puny World After All

Information, Insights

A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. The Disneyland Team’s Web interface, which allows them to interact with malware victims in real time to phish their login credentials using phony bank websites. The Disneyland Team uses common misspellings for top…

Read More
15 Nov

ESET APT Activity Report T2 2022

Information

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in T2 2022 Today ESET Research publishes the very first ESET APT Activity Report, which summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from May until the end of August 2022 (T2 2022). APT groups are usually operated by a nation-state or by state-sponsored actors. Their aim is to…

Read More
15 Nov

Log4Shell-like code execution hole in popular Backstage dev tool

Information

by Paul Ducklin Researchers at cloud coding security company Oxeye have written up a critical bug that they recently discovered in the popular cloud development toolkit Backstage. Their report includes an explanation of how the bug works, plus proof-of-concept (PoC) code showing how to exploit it. Backstage is what’s known as a cloud developer portal – a sort of business logic backend that makes it easy to build web-based APIs (application programming interfaces) to allow…

Read More
15 Nov

Top Zeus Botnet Suspect “Tank” Arrested in Geneva

Information, Insights

Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources. Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses. Penchukov…

Read More
15 Nov

Zendesk Vulnerability Could Have Given Hackers Access to Customer Data

Information, News

An SQL injection vulnerability in Zendesk Explore could have allowed a threat actor to leak Zendesk customer account information, data security firm Varonis reports. Zendesk Explore is the analytics and reporting service of Zendesk, a popular customer support software-as-a-service solution. According to Varonis, two vulnerabilities in Zendesk Explore could have allowed an attacker to access conversations, comments, email addresses, tickets, and other information stored in Zendesk accounts with Explore enabled. The two issues, however, were…

Read More