Security News

Hackers breached CircleCi in December after an engineer became infected with information-stealing malware that their 2FA-backed SSO session cookie, allowing access to the company's internal systems. In a new security incident report on the attack, CircleCi says they first learned of the unauthorized access to their systems after a customer reported that their GitHub OAuth token had been compromised.

Air France and KLM have informed Flying Blue customers that some of their personal information was exposed after their accounts were breached. KLM's official Twitter account confirmed the attack and told one of the impacted customers that "The attack was blocked in time and no miles were charged."

"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the breach notification reads. After detecting the attack, DraftKings reset the affected accounts' passwords and said it implemented additional fraud alerts.

In security updates released today, Apple has fixed the tenth zero-day vulnerability since the start of the year, with this latest one actively used in attacks against iPhones. In October, Apple fixed a zero-day in the iOS Kernel.

Pwn2Own is now a multi-million "Hackers' brand" in its own right, having been bought up by anti-virus outfit Trend Micro and extended to cover many more types of bug than just browsers and desktop operating systems. Even in the Pwn2Own Toronto 2022 contest, where the cash amounts of the prizes far exceeded the value of the devices up to be hacked, winners got to take home the actual kit they broke into, thus retaining the original, literal sense of the competition.

Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks targeting law firms throughout 2020 and 2021 involved a revamped variant of a malware called Janicab that leverages a number of public services like YouTube as dead drop resolvers, Kaspersky said in a technical report published this week.

Were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution on the Exchange server itself. It does mean that an automated Python script can't just scan the whole internet and potentially exploit every Exchange server in the world in a matter of minutes or hours, as we saw happen with ProxyLogon and ProxyShell in 2021.

Time-triggered Ethernet is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. On Tuesday, researchers published findings that, for the first time, break TTE's isolation guarantees.

Australian health insurer Medibank today confirmed that personal data belonging to around 9.7 million of its current and former customers were accessed following a ransomware incident. "This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers, and around 1.8 million international customers," Medibank noted.

Communication services provider Twilio this week disclosed that it experienced another "Brief security incident" in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information. "In the June incident, a Twilio employee was socially engineered through voice phishing to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers," Twilio said.