Security News > 2020 > August

Google Project Zero last week released a report on the vulnerabilities exploited in attacks in 2019, and its researchers have drawn some interesting conclusions regarding the detection of zero-days. Google Project Zero has been tracking vulnerabilities exploited in the wild since 2014 and last year it made available a spreadsheet showing the flaws it has tracked.

A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup "Group," access the group's member details and even redirect Meetup payments to an attacker-owned PayPal account.

Two high-risk vulnerabilities in Meetup, a popular online service that's used to create groups that host local in-person events, allowed attackers to easily take over any Meetup group, access all group functions and assets, and redirect all Meetup payments/financial transactions to their PayPal account. What's more, attackers could create a worm to take over all meetings on the site - including private ones - and do all of these things.

Intelligence officials confirmed in recent days that foreign actors are actively seeking to compromise the private communications of "U.S. political campaigns, candidates and other political targets" while working to compromise the nation's election infrastructure. Because of such secrecy, at least in part, foreign interference largely remains an afterthought in the 2020 contest, even as Republicans and Democrats alike concede it poses a serious threat that could fundamentally reshape the election at any moment.

Court documents made public last week by U.S. authorities following the announcement of charges against three individuals allegedly involved in the recent Twitter attack revealed how some of the hackers were identified by investigators. According to court documents, a user with the online moniker Kirk#5270 on the chat service Discord claimed to work for Twitter and offered to provide access to any user account.

Microsoft announced Sunday it would continue talks to acquire the US operations of popular video-sharing app TikTok, after meeting with President Donald Trump who seemingly backed off his earlier threats to ban the Chinese-owned platform. "Following a conversation between Microsoft CEO Satya Nadella and President Donald J Trump, Microsoft is prepared to continue discussions to explore a purchase of TikTok in the United States," the company said in a statement, acknowledging the "Importance of addressing the President's concerns" over national security.

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

Cisco customers once again find themselves needing to patch critical vulnerabilities in Switchzilla's gear. The equipment maker has emitted fixes or updates for multiple CVE-listed vulnerabilities in the Treck IP stack, Data Center Network Manager, and SD-WAN. Those patches should be applied ASAP. A high-rated path traversal vulnerability was patched in the Adaptive Security Appliance and Firepower Threat Defense software.

In reality, freely granting employees admin status is one of the most common mistakes enterprises make. Granting employees admin status can also expose sensitive information.

Throughout the data lifecycle there are a variety of risks and considerations to manage. Our research shows that exposure of just a single terabyte of data could cost you $129,324; now think about how many terabytes of data your organization stores today.