Security News

An investigation into last month's 3CX supply chain attack discovered that it was caused by another supply chain compromise where suspected North Korean attackers breached the site of stock trading automation company Trading Technologies to push trojanized software builds. According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group used harvested credentials to move laterally through 3CX's network, eventually breaching both the Windows and macOS build environments.

Apple has released emergency security updates to address two new zero-day vulnerabilities exploited in attacks to compromise iPhones, Macs, and iPads. Last week, Google TAG and Amnesty International exposed two recent series of attacks using exploit chains of Android, iOS, and Chrome zero-day and n-day flaws to deploy mercenary spyware.

Cybersecurity researcher Sam Sabetan yesterday went public with insecurity revelations against IoT vendor Nexx, which sells a range of "Smart" devices including door openers, home alarms and remotely switchable power plugs. Sabetan deliberately didn't publish precise details of the bugs, or provide any proof-of-concept code that would allow just anyone to start hacking away on Nexx devices without already knowing what they were doing.

On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3. The first to fall was Adobe Reader in the enterprise applications category after Haboob SA's Abdul Aziz Hariri used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.

A threat actor is selling on a Russian-speaking hacking forum what they claim to be hundreds of gigabytes of data allegedly stolen from U.S. Marshals Service servers. The announcement, titled "350 GB from US Marshal Service law enforcement confidential information," was added earlier today using an account registered yesterday afternoon.

AT&T is notifying roughly 9 million customers that some of their information was exposed after a marketing vendor was hacked in January. "The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers."

The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program.

The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what's a sobering reminder of the dangers of failing to keep software up-to-date. The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details "Available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack" between August and October 2022.

Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company's Fortra GoAnywhere MFT secure file-sharing platform. As reported by TechCrunch, data breach notifications sent to impacted customers and filed with Attorney General's offices warned that hackers exploited a vulnerability in the GoAnywhere MFT software to steal the data of 139,493 customers.

A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk files, marking a deviation from the ISO optical disc image format. "These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center said in a report last week.