Security News
Phone numbers of close to 1,900 Signal users were exposed in the data breach Twilio cloud communications company suffered at the beginning of the month. Twilio provides phone number verification services for Signal and last week disclosed that an attacker hacked its network on August 4.
Password security is only as strong as the password itself. Let's look at the Zola breach and why it emphasizes the need for organizations to bolster their password security and protect against various types of password attacks.
Three restaurant ordering platforms MenuDrive, Harbortouch, and InTouchPOS were the target of two Magecart skimming campaigns that resulted in the compromise of at least 311 restaurants. "The online ordering platforms MenuDrive and Harbortouch were targeted by the same Magecart campaign, resulting in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch," cybersecurity firm Recorded Future revealed in a report.
Thai activists involved in the country's pro-democracy protests have had their smartphones infected with the infamous Pegasus government-sponsored spyware. The attacks entailed the use of two zero-click exploits - KISMET and FORCEDENTRY - to compromise the victims' phones and deploy Pegasus, spyware that's capable of intercepting calls and texts as well as amassing other information stored in a phone.
Game publishing giant Bandai Namco has confirmed that they suffered a cyberattack that may have resulted in the theft of customers' personal data. This past Monday, the BlackCat ransomware operation claimed to have breached Bandai Namco and stolen corporate data during the attack.
The $540 million hack of Axie Infinity's Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged. According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing the individual to download a fake offer document disguised as a PDF. "After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package," the Block reported.
The popular protocol for radio controlled aircraft called ExpressLRS can be hacked in only a few steps, according to a bulletin published last week. The vulnerability in the protocol is tied to the fact some of the information sent over via over-the-air packets is link data that a third-party can use to hijack the connection between drone operator and drone.
The US Department of Defense has created a broad but short bug bounty program for vulnerabilities in public-facing systems and applications. The Hack US program kicked off on Independence Day and is scheduled to run though July 11, with reward totals reflected by the severity of the flaws.
The notorious North Korea-backed hacking collective Lazarus Group is suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge, citing similarities to the Ronin bridge attack in March 2022. The finding comes as Harmony confirmed that its Horizon Bridge, a platform that allows users to move cryptocurrency across different blockchains, had been breached last week.
Google's Threat Analysis Group on Thursday disclosed it had acted to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. In a manner analogous to the surveillanceware ecosystem, hack-for-hire firms equip their clients with capabilities to enable targeted attacks aimed at corporates as well as activists, journalists, politicians, and other high-risk users. "The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients," Shane Huntley, director of Google TAG, said in a report.