Latest cyber threats, vulnerabilities, data breaches and security updates
Wednesday April 25, 2018:
Apple security updates for iOS, macOS and Safari

Apple has released security updates to address vulnerabilities in multiple products.

The updates include the following: four vulnerabilities were addressed in the iOS 11.3.1 update, including flaws in Crash Reporter, LinkPresentation and WebKit. Two vulnerabilities were also fixed in each of the macOS and Safari updates.


Leaky Mongo server spills personal data

A leaky Mongo database exposed nearly 25,000 personal records from a Bezop cryptocurrency server. Bezop is one of over 1,000 cryptocurrencies.

The unprotected personal data included full names, scanned passports, driver's licenses, physical and email addresses, encrypted passwords and wallet information. The leaked data appears to belong to investors or potential investors in the Bezop cryptocurrency, according to the Kromtech researchers who discovered the leak, as reported by Threatpost.

Kromtech also revealed that the organization behind the cryptocurrency, Bezop.io, immediately secured the data after they were notified. The leaked data was discovered on March 30, 2018.


Tuesday April 24, 2018:
APT group is exploiting unpatched IE vulnerability

An advanced persistent threat (APT) hacking group has been exploiting an unpatched Internet Explorer (IE) vulnerability to infect Windows PCs with malware. According to the latest research made available by Qihoo 360's Core security team and reported by ZDNet, the hacking group is launching attacks on a "global scale" via phishing emails loaded with malicious Office documents. 

Victims are tricked into opening the malicious Office documents, which in turn load a web page that delivers malware from a remote server. According to the researchers, the malware exploits a known user account control (UAC) bypass and also uses file steganography (i.e., embedding messages, images or files within another message, image or file). 

The researchers have reported the zero-day threat to Microsoft and urge the company to issue a patch to address the vulnerability. 


Monday April 23, 2018:
Medical devices get a new safety action plan

In an effort to protect patient safety and promote public health, the US Food and Drug Administration (FDA) released a new Medical Device Safety Action Plan. 

The FDA regulates over 190,000 different medical devices that are manufactured by more than 18,000 companies in more than 21,000 medical device facilities worldwide. Such medical devices provide a broad range of medical benefits, but also pose risks, according to the FDA guidance.

The Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health "outlines a vision for how FDA can continue to enhance our programs and processes to assure the safety of medical devices throughout the TPLC, to provide for the timely communication and resolution of new or increased known safety issues, and to advance innovative technologies that are safer, more effective and address unmet needs."

The FDA action plan and guidance focus on the following:
  1. Establish a robust medical device patient safety net in the United States.
  2. Explore regulatory options to streamline and modernize timely implementation of postmarket mitigations.
  3. Spur innovation towards safer medical devices.
  4. Advance medical device cybersecurity.
  5. Integrate the Center for Devices and Radiological Health's (CDRH's) premarket and postmarket offices and activities to advance the use of a TPLC approach to device safety.

The FDA emphasizes the importance of a "Total Product Life Cycle" (TPLC) approach that covers a device's entire lifecycle (e.g., premarket review, manufacturing quality and postmarket surveillance).

The FDA will continue to maintain a robust program in evaluating the safety and security of medical devices throughout their lifecycles.


Cybersecurity news

Also in the news recently...

SunTrust insider steals data on 1.5M clients: "SunTrust Banks said on Friday a former employee may have attempted to download some information on nearly 1.5 million clients and share it with a criminal third-party," CNBC reports.

Excel data leak leads to fine: "London's Royal Borough of Kensington & Chelsea has been fined £120,000 (approximately US $170,000) by the Information Commissioner's Office (ICO) after it unlawfully identified 943 people who owned vacant properties in the borough," Tripwire reports.


Friday April 20, 2018:
Stresspaint malware targets Facebook credentials

Beware of a painting application called "Relieve Stress Paint" that hackers are using to download malware dubbed "Stresspaint" and steal Facebook user credentials and cookies.

The attackers have allegedly infected over 40,000 users, and infections have grown rapidly, according to the Radware threat researchers who discovered the threat. The targets appear to be owners of Facebook pages, particularly pages with stored payment methods. 

Radware also said that Amazon may be the group's next target. 

The attack vector appears to be phishing emails or messages on Facebook itself. The link users click appears to point to a legitimate "AOL.net" address, but instead sends them to a fake site where the malicious app is made available for download. 


"Trustjacking" iOS vulnerability

Security researchers from Symantec have disclosed a new iOS vulnerability dubbed 'Trustjacking' that allows an attacker to exploit an iTunes Wi-Fi Sync feature and take control of a victim's device. 

The findings were disclosed at the RSA Conference on Wednesday and described on the Symantec blog:

"This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer. A single tap by the iOS device owner when the two are connected to the same network allows an attacker to gain permanent control over the device."

Some mitigations were introduced in iOS 11 after the vulnerability was disclosed to Apple. For example, iOS now requires the device passcode when a user chooses to authorize and trust a new computer, so that only the real owner of the device can grant that trust.

However, Symantec noted this only partially mitigates the issue. Symantec further recommends users clean any unwanted computers from the trusted computers list by going to Settings > General > Reset > Reset Location & Privacy. Users should also enable encrypted backups in iTunes and choose a strong password to further protect sensitive information.


Thursday April 19, 2018:
Drupal security update addresses XSS vulnerability

Drupal issued a new security update (SA-CORE-2018-003) for Drupal core (versions 7 and 8) to address a moderately critical cross-site scripting (XSS) vulnerability. CKEditor is a third-party JavaScript library included in Drupal core.

According to the update, it is possible for an attacker to execute XSS inside CKEditor when using the 'image2' plugin (which Drupal 8 core also uses).