Breaches
‘Satanic’ data thief hits 350M Hot Topic shoppers • The Register - Hot Topic, Torrid, and Lunchbox shoppers (around 350m of them) have had a few bits of info stolen: names, emails, physical addresses, dates of birth, last four digits of customers’ credit cards, card types, hashed expiration dates, and account holder names. Likely just watch out for My Neighbor Totoro-themed phishes and you’ll be ok.
Skyscraper-high sewage plume erupts in Moscow • The Register - A Ukrainian hacker group claims to have disrupted 87k alarms, destroyed 70 servers, and wiped 90TB of data to pull off the hack. The RU govt says it was a “planned air release after pressure testing during the construction of a gas pipeline”. Hard to know who is telling the truth, as Russia’s state-controlled media says the Moscow sewage system is in desperate need of repair.
Research & Vulns
OpenAI’s voice API can build AI agents for phone scams • The Register - If you thought getting caught in a phone tree was bad, OpenAI has decided to unleash hell on IVR systems. AGENT HUMAN REP-RE-SENTATIVE
VMware patches critical RCE, make-me-root bugs — again • The Register - VMware has a make-me-root vuln again, no workaround. Patch patch patch. Both bugs were originally patched on September 17. But, as VMware owner Broadcom noted on Monday, the fixes “did not completely address” either CVE.
VMware fixes bad patch for critical vCenter Server RCE flaw - Remember this CVE is at a 9.8 (out of 10) and doesn’t require user interaction.
Perfctl malware strikes again via Docker Remote API servers • The Register - Perfctl is now being used to break into Docker Remote API servers. If you’re not familiar, perfctl is generally used for cryptomining, but it is malware that combines 15-20 obfuscation techniques to make itself as invisible as possible to prying eyes, even going so far as to cease operations should an interactive or remote user begin investigating the system. Details from Aqua.
Zero Day Initiative — Pwn2Own Ireland - The Full Schedule - Pwn2Own is this week, with players already winning over $200k in the first few days.
Admins Spring into action over latest open source vuln • The Register - New CVSS score 9 vuln in Spring for Java. Or maybe it’s a 7? Jury’s out.
AWS CDK flaw exposed accounts to full takeover • The Register - Users of the AWS CDK were still susceptible to Bucket Monopoly, the AWS attack that leverages pre-staged S3 buckets with malicious code. New protections are in place, and affected users are being notified to update their bootstrap resources.
New tool bypasses Google Chrome’s new cookie encryption system - Users with admin privileges can still run malicious code that results in cookie theft. Google said, Yeah. So?
Researchers Discover Command Injection Flaw in Wi-Fi Alliance’s Test Suite - The Wi-Fi Alliance’s test suite, which shouldn’t be part of production code bases but often gets left behind, was found vulnerable on tens of thousands of routers (CVE-2024-41992). Users should remove the Wi-Fi Alliance’s test suite from their software or upgrade it past version 9.
Feds
TSMC alerts US to potential sanctions breach from Huawei • The Register - TSMC playing ball with the US Commerce Department and proactively reporting after…someone ordered chips that look amazingly like the Huawei Ascend 910B, an LLM-specific processor. The US is also asking Japan to stop selling chip-making equipment to Beijing.
Senator says domain reg firms aiding Russian disinfo spread • The Register - Senate Intelligence Committee chair Mark Warner (D-VA) sent letters to NameCheap, GoDaddy, Cloudflare, Newfold Digital, NameSilo, and Verisign this week demanding answers as to why 32 of the 32 domains used to spread pro-Russian propaganda, and seized by the Biden admin, were registered through these companies. Warner called out several ways they enable bad behavior, including withholding registrar information from good-faith researchers, ignoring inaccuracies in registration information, and failing to remove typo-squatted domains, and said that maybe a legislative solution would be in order.
Feds probe China’s Salt Typhoon amid Trump hack report • The Register - Feds continue to dig into Verizon’s, AT&T’s and Lumen’s networks after CALEA infrastructure was broken into. So far, Trump, Vance, Harris, and Senate Majority Leader Schumer (D-NY) have all been targeted.
Dems want tax prep firms charged for improper data sharing • The Register - Warren (D-MA), Wyden (D-OR), Blumenthal (D-CT) and Rep. Porter (D-CA) have asked US Deputy Attorney General Monaco to hold TaxSlayer, H&R Block, TaxAct, and Ramsey Solutions responsible for sharing tax returns with Meta and Alphabet (Facebook and Google). The advertising firms bought your personal information (income and tax refund amounts, filing status, exemptions, and deductions) and shared it with advertisers. Reports from the IRS and the Treasury Inspector General for Tax Administration (TIGTA) have confirmed the behavior and the violations of taxpayer privacy law.
Worker surveillance must comply with credit reporting rules • The Register - The Fair Credit Reporting Act (FCRA) was enacted in 1970 to ensure the accuracy, fairness, and privacy of info in credit reporting agency profiles. Those rules now extend to worker surveillance.
“For example, some employers now use third parties to monitor workers’ sales interactions, to track workers’ driving habits, to measure the time that workers take to complete tasks, to record the number of messages workers send and the quantity and duration of meetings they attend, and to calculate workers’ time spent off-task through documenting their web browsing, taking screenshots of computers, and measuring keystroke frequency,” the agency reported. “In some circumstances, this information might be sold by ‘consumer reporting agencies’ to prospective or current employers.”
Mobile
Macron’s bodyguards show his location by sharing Strava data • The Register - Macron, Biden, and Putin are all susceptible to the security missteps of the people around them.
WeChat among apps banned from Hong Kong govt computers • The Register
Samsung phone users exposed to EoP attacks, Google warns • The Register
AWS, Azure auth keys found in Android and iOS apps used by millions
Millions of mobile app users at risk from hardcoded creds • The Register
Fines
Penn State settles cybersecurity compliance case for $1.25M • The Register - DoJ fines Penn State $1.25m after it falsely reported its compliance.
JPMorgan Chase sues ‘infinite money glitch’ scammers • The Register - Yep. What did you think would happen?
Delta files lawsuit against CrowdStrike over $500M outage • The Register
SEC
4 tech firms settle with SEC over SolarWinds disclosures • The Register - Avaya, Check Point, Mimecast, and Unisys will pay $1m, $995k, $990k, and $4m respectively for minimizing the SolarWinds attacks in their disclosures.
LongForm
How the ransomware attack at Change Healthcare went down: A timeline | TechCrunch
Mobile Ad Tracking
The Global Surveillance Free-for-All in Mobile Ad Data – Krebs on Security