The Week in Cyber Security News, Oct 28 - Nov 3
A selection of this week's cyber security stories from around the internet.
Microsoft says that Russian hackers APT28 are targeting sporting organizations ahead of the Tokyo Olympics, including "at least 16 national and international sporting and anti-doping organizations."
The data of nearly 7.5 million Adobe Creative Cloud users have been exposed courtesy of an Elasticsearch database without a password. The data included users' email addresses, the Adobe products they use, subscription status and member IDs.
Google Chrome devs have had a little rant about "misinformation", repeating that DNS-over-HTTPS (DoH) will be supported but won't necessarily be automatically used in upcoming builds of the browser. Chrome insisted it was not going to "force users to change their DNS provider" after building the technology into Chrome 78.
A security researcher has discovered an unpatched flaw in the way Facebook handles account privacy, so that, even if you block someone on Facebook, your name remains dynamically linked to their profile.
Facebook has sued Israeli cyber surveillance firm NSO Group, alleging it hacked WhatsApp users including journalists, diplomats, human rights activists, political dissidents, and senior government officials.
A civil liberties watchdog is suing the FBI and other federal agencies, claiming the government is improperly withholding information on how it uses a facial recognition database of millions of Americans.
Chinese government-linked hackers APT41 are monitoring mobile text messages of specific users, and for certain keywords as part of a new surveillance campaign meant to track individuals in a vast trove of telecommunication data.
Malware has been found on the administrative network of the Kudankulam Nuclear Power Plant in India. The malware has been identified as one used by North Korean state hackers, Lazarus Group.
Utah renewable energy developer sPower was hit by a first-of-its-kind cyberattack that briefly cut contact to a dozen wind and solar farms. The Salt Lake City-based company suffered "denial of service" attacks that left grid operators temporarily blinded to generation sites totaling 500 megawatts.
A phishing campaign is using fake emails and voicemail messages to lure victims at high-profile companies into revealing their Office 365 email credentials.
After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability - that can enable an automated worm to spread malware from computer to computer - has arrived. But so far it's fallen short of the worst case scenario.
More than 1.3 million payment cards, with a possible value in excess of US$130 million, have been put up for sale on the dark web.
Researchers are warning users to delete the Ai.type app, which allows users to personalize their keyboard with various fonts and emojis, because it makes unauthorized purchases of premium digital content. Google have removed the app from its Google Play marketplace, but researchers say it was downloaded on at least 40 million phones worldwide and thus remains a threat.
A previously unseen Chrome bug has been caught being exploited in the wild. The vulnerability - CVE-2019-13720 - is a use-after-free vulnerability in the browser's audio component.
The scariest hacks and vulnerabilities of 2019.
. . .
If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.
