Security News > 2020 > August

As tensions soared between the world's two biggest economies, President Donald Trump signed an executive order on August 6 giving Americans 45 days to stop doing business with TikTok's Chinese parent company ByteDance - effectively setting a deadline for a sale of the app to a US company. "Today we are filing a complaint in federal court challenging the administration's efforts to ban TikTok in the US," the company said in a blog post.

Researchers at developer security company Snyk claim to have identified malicious behavior in an advertising SDK that is present in more than 1,200 iOS applications offered in the Apple App Store. Snyk says it has only identified the malicious behavior in iOS versions of the Mintegral advertising SDK; the code does not appear to be present in Android versions.

SEE: Top 5 programming languages for security admins to learn. The programming languages below will assist professionals in working smarter but not harder by automating defensive tasks, performing penetration tests that will aid in identifying bugs and malicious code, and writing code that serves to patch security holes.

While the ransomware was previously used by advanced persistent threat actors, its source code surfaced in March 2020, making it available to a wider breadth of attackers. "The fact Dharma source code has been made widely available led to the increase in the number of operators deploying it," Oleg Skulkin, senior digital forensics specialist with Group-IB, said in an analysis of the attacks posted Monday.

The Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have issued an alert to warn of a voice phishing campaign targeting the employees of multiple organizations. According to the two agencies, the attackers used social media, recruiter and marketing tools, open-source research, and publicly available background check services to harvest information on employees at the targeted organizations, including their names, addresses, and phone numbers, along with information on their position and duration at the company.

According to Snyk, SourMint actively performed ad fraud on hundreds of iOS apps and brought with it major privacy concerns to hundreds of millions of consumers. On the surface, the MintegralAdSDK posed as a legitimate advertising SDK for iOS app developers, but its malicious code appeared to commit ad attribution fraud by secretly accessing link clicking activity within thousands of iOS apps that use the SDK. SourMint also spied on user link click activity, improperly tracking requests performed by the app and reporting it back to Mintegral's servers.

Freepik Company, the organization behind the Freepik and Flaticon websites, has disclosed a data breach that impacted approximately 8.3 million of their users. On Flaticon, users can find over 3 million vector icons in various file formats.

Most APIs have /API/V1/login as an authentication endpoint. With all the possible activity in view, I can search for common misconfigurations or APIs that don't protect user data correctly.

Security threats in the second quarter of 2020 continue to target remote workers, but attackers aren't relying on COVID-19-themed phishing: They're going straight for vulnerable home networks where workers are conducting business. Managed security provider Nuspire's report on security threats in Q2 2020 said that phishing attempts have ditched the coronavirus in favor of exploiting the upcoming election and Black Lives Matter movement, but that there's been a 12% decline in malware attacks during Q2.

Video app TikTok said Saturday it will challenge in court a Trump administration crackdown on the popular Chinese-owned platform, which Washington accuses of being a national security threat. As tensions soar between the world's two biggest economies, President Donald Trump signed an executive order on August 6 giving Americans 45 days to stop doing business with TikTok's Chinese parent company ByteDance - effectively setting a deadline for a potential pressured sale of the app to a US company.