Apple’s latest updates are out for iPhones and Macs – get them now!
2020-07-17 15:08

For the protection of our customers, Apple doesn't disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available. Of course, we know now that Apple did know about the Vim issue mentioned above, and has patched it at last, so any users who were wondering about it can now scratch that one off their list of concerns.

ExpressVPN Announces Bug Bounty Program on Bugcrowd
2020-07-17 14:28

Virtual private network service ExpressVPN this week announced the launch of a bug bounty program managed by crowdsourced security testing platform Bugcrowd. ExpressVPN has been running a bug bounty rewards program for four years, paying tens of thousands of dollars to security researchers who reported vulnerabilities in its apps, network, servers, site, and routers, among other assets.

CISOs discuss cybersecurity in the COVID-19 environment
2020-07-17 14:18

CISOs are asked how secure their organization is against cyberattacks. "It's not, how secure are we, it's how ready are we to respond?" said Andrew Stanley, who was one of three CISO participants in the MIT Sloan CIO Digital Learning Series panel discussion Wednesday on "Keeping our organizations cyber-secure in the COVID-19 environment. How secure are we?"

Apple Patches Multiple Code Execution Flaws in Audio Components
2020-07-17 14:02

Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems. The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS. The first two of the flaws are CVE-2020-9884 and CVE-2020-9889, two out-of-bounds write issues, while the remaining three, namely CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.

Twitter admits 130 A-lister accounts compromised to promote Bitcoin scam after 'social engineering' attack
2020-07-17 13:20

Twitter has said that around 130 accounts were targeted by miscreants this week as high-profile individuals and businesses had their accounts hijacked to promote a Bitcoin scam. The estimate comes days after the social media biz admitted the blitz - which snared the accounts of Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber and former President Barack Obama - was the result of "coordinated social engineering".

Industry Reactions to Twitter Hack: Feedback Friday
2020-07-17 13:09

Several high-profile Twitter accounts were targeted recently in an attack that involved the hackers accessing internal Twitter systems and tools. Twitter has only shared limited technical information about the attack, but some victims say the attackers hijacked their accounts by changing the associated email address and initiating the password reset process.

Biomedical orgs working on COVID-19 vaccines open to cyber attacks
2020-07-17 12:22

In a recently released report by the UK National Cyber Security Centre, whose findings have been backed by Canada's Communications Security Establishment and the US NSA and CISA, the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine. On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies that play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.

Internet Scanned for SAP Systems Affected by RECON Vulnerability
2020-07-17 11:50

Someone has been scanning the internet in search of SAP systems affected by the recently disclosed vulnerability dubbed RECON. The scanning activity started just as a researcher released a proof-of-concept exploit. Onapsis, a company specializing in the protection of business-critical applications, revealed on Tuesday that many SAP products that use the NetWeaver AS Java technology stack could be exposed to remote attacks due to a critical vulnerability tracked as CVE-2020-6287 and dubbed RECON. A remote and unauthenticated attacker who has access to the targeted system can exploit CVE-2020-6287 to create a new SAP admin user, allowing them to gain full control of the system.

Twitter Hackers May Have Bribed an Insider
2020-07-17 11:04

Motherboard is reporting that this week's Twitter hack involved a bribed insider. While I know everyone wants to speculate about the details of the hack, we just don't know - and probably won't for a couple of weeks.

Twitter Says Hackers Targeted 130 Accounts in Recent Attack
2020-07-17 10:41

Approximately 130 accounts were targeted during the recent attack on Twitter, the social media giant has revealed. The accounts were compromised after the attackers managed to gain access to internal Twitter systems and tools.