Cyber Attacks, Threats, and Vulnerabilities
The Ethiopian-Egyptian Water War Has Begun (Foreign Policy) The conflict between Ethiopia and Egypt over the Grand Ethiopian Renaissance Dam has already started. It’s just happening in cyberspace.
Facebook Takes Down Fake Pages Created in China Aimed at Influencing U.S. Election (New York Times) The social media campaign was small but targeted all sides of the debate. Officials said Beijing had not decided whether to wade more directly in the American presidential race.
Facebook deletes several fake Chinese accounts targeting Trump and Biden, in first takedown of its kind (Washington Post) The U.S.-focused content was relatively small. Far bigger was content aimed at the Philippines.
Facebook takes down Chinese accounts active in US and Philippines politics (South China Morning Post) Social media giant says it could ‘act aggressively’ to restrict content in case of turmoil after US election.
Facebook removes Chinese accounts active in Philippines and U.S. politics (1330 & 101.5 WHBL) By Joseph Menn (Reuters) - Facebook Inc said Tuesday it had removed a network of inauthentic Chinese accounts ...
Chinese propaganda network on Facebook used AI-generated faces (TechCrunch) Facebook removed two networks of fake accounts spreading government propaganda on the platform Tuesday, one originating in China and one in the Philippines. In its latest report on this kind of coordinated campaign, the company says it took down 155 Facebook accounts, 11 pages, nine groups and seve…
Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results (Internet Crime Complaint Center (IC3)) The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the potential threat posed by attempts to spread disinformation regarding the results of the 2020 elections.
FBI, CISA warn against foreign efforts to discredit election results (UPI) U.S. federal law enforcement agencies are warning the public that foreign actors may attempt to discredit U.S. democratic institutions by spreading disinformation online about election results.
LokiBot Malware (CISA) This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.
This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).
CISA warns of notable increase in LokiBot malware (ZDNet) "CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020."
GE Reason S20 Ethernet Switch (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.1
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: General Electric
Equipment: Reason S20 Ethernet Switch
Vulnerabilities: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow unauthorized accounts manipulation and allow for remote code execution.
GE Digital APM Classic (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: GE Digital
Equipment: APM Classic
Vulnerabilities: Authorization Bypass Through User-controlled Key, Use of a One-Way Hash Without a Salt
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow access to sensitive information.
New Google Search Hacks Push Viruses & Porn (Dark Reading) Three incidents demonstrate how cybercriminals leverage the scourge of black-hat search engine optimization to manipulate search results.
Activision shoots down data breach claims (ComputerWeekly.com) Gaming company denies there has been any data breach after up to 500,000 accounts appeared to have been compromised, but evidence mounts that credential stuffing attacks are to blame.
Activision Refutes Claims of 500K-Account Hack (Threatpost) The Call of Duty behemoth said that the reports of widespread hacks are false.
Rogue Shopify Staff Accessed Customer Records, Says Ecommerce... (HOTforSecurity) Shopify, the major ecommerce platform which powers many online stores, has revealed that it suffered a serious breach of security at the hands of two rogue employees. According to a statement released by the firm, two unnamed members of Shopify's support team...
Massive data breach hit 38 Canadian police forces (CBC) Confidential law enforcement data belonging to 38 Canadian police agencies has been exposed by a group of so-called hacktivists targeting police in the U.S., Radio-Canada has learned.
The Cybersecurity 202: This was the month cyberattacks turned fatal (Washington Post) The world crossed a red line this month when police directly tied a woman’s death to a cyberattack in Germany.
Ministry: Trail of the University Hospital Hackers Apparently Leads to Russia (Aachener Zeitung) After the hacker attack on the Düsseldorf university hospital, it is likely to be difficult to get at the perpetrators: they are apparently based in Russia. The digital attack probably began unnoticed months ago.
Concord Police Department reports no misuse of personal info from data breach (Wicked Local) A criminal investigation by the Concord Police Department regarding a possible data breach from October 2019 has turned up no criminal activity.
Security Patches, Mitigations, and Software Updates
Paid Google Chrome extensions will go away by next year (9to5Google) Over the next several months, Google is pulling the plug on paid Chrome extensions that use its payment services and licensing APIs.
What is Zerologon? And why to patch this Windows Server flaw now (CSO Online) Attackers have learned how to exploit the Zerologon vulnerability in Windows Server, potentially gaining domain admin control.
Cyber Trends
Global State of the Internet Security & DDoS Attack Reports (Akamai) Akamai State of the Internet Security Reports cover the origins, tactics, types and targets of cyber-attacks, and emerging threats and trends based on analysis of recent DDoS and web application attacks by cybersecurity and DDoS mitigation experts.
2020 (ISC)² Cybersecurity Perception Study ((ISC)²) Research study on perceptions held about the cybersecurity profession and the men and women working within it
Synack's 2020 Trust Report Identifies Sectors Best Equipped to Withstand Crippling Cyberattacks (PR Newswire) The third edition of the Synack Trust Report, a data-driven analysis of cybersecurity preparedness across all sectors and industries, found...
GRC leaders lack confidence in security data they provide to regulators (Global Security Mag Online) Senior risk and compliance professionals within financial services companies lack confidence in the security data they are providing to regulators, according to Panaseer's 2020 GRC Peer Report. Results from a global external survey of more than 200 GRC leaders reveal concerns on data accuracy, request overload, resource-heavy processes and lack of end-to-end automation.
2020 GRC Peer Report - Panaseer (Panaseer) Panaseer's 2020 GRC Peer Report
What CEOs Really Think About Remote Work (Wall Street Journal) Top executives are planning ahead after months of adapting to working from home. While many say they’ve seen enough to judge the pros and cons of the new arrangements, they are reaching different verdicts.
Central government told- 7 lakh cyber attacks in the country in last 8 months (Pledge Times) New Delhi: There has been a steady increase in the incidence of cyber attacks in India. Within eight months of the year 2020, there have been about seven lakh
Marketplace
Third Annual DT Challenge - DataTribe (DataTribe) What could your company do with $2 million? The DataTribe Challenge is a unique annual competition where startups have a chance at receiving up to $2 million in seed capital. The Challenge brings together the best entrepreneurs in the world looking to disrupt cybersecurity and data science. DataTribe selects three finalists that split $20,000 ...
NINJIO and IASAP Partner to Uncover Talented Cybersecurity Storytellers (PR Newswire) NINJIO, a cybersecurity awareness training company currently serving some of the largest organizations in the world, has announced the launch...
Snyk Announces Acquisition of DeepCode (PR Newswire) Snyk, the leader in developer-first cloud native application security, announced today that it has signed an agreement to acquire DeepCode, a...
DoD to Award Grants to Bolster Natl Security Industrial Base (Executive Gov) The Department of Defense (DoD) has earmarked $25 million in grants to support six projects that aim
Facebook, YouTube and Twitter ink deal with advertisers on harmful content (NASDAQ:FB) (Seeking Alpha) Back at the start of the summer - at the height of the George Floyd protests - more than 200 companies pulled their advertising from Facebook (NASDAQ:FB), citing problems with hate speech and aggressive content.
Facebook not planning to exit Europe in face of regulator challenge - exec (NASDAQ:FB) (Seeking Alpha) Facebook (FB +1.3%) has "absolutely no desire, no wish, no plans" to exit Europe in the wake of a regulatory challenge there, its head of global affairs says.
Ermetic Named 2021 TAG Cyber Distinguished Vendor (BusinessWire) "The Ermetic platform is exciting and we believe it will continue to grow and succeed in our industry," said Dr. Edward Amoroso, CEO of TAG Cyber.
AppViewX Names Kevin Mosher as Chief Revenue Officer to Oversee Company's Next Stage of High Growth and Scale Sales Operations (PR Newswire) AppViewX, the pioneer and leader in modular, low-code IT orchestration for certificate and key lifecycle automation, infrastructure...
Automox Accelerates Platform Scale with the Addition of Engineering and Infrastructure Professional Pascal Borghino (BusinessWire) Pascal Borghino joins Automox as VP of Engineering and Architecture.
Products, Services, and Solutions
Barracuda’s global SD-WAN service built natively on Azure gains traction with customers and partners (Barracuda Networks) Barracuda expands Secure Access Service Edge (SASE) offering, adds personal remote access to CloudGen WAN
Auth0 Marketplace Launches and Provides Even Greater Extensibility for Building Identity Solutions (GlobeNewswire) Trusted integrations from industry-leading third-party solutions extend Auth0's functionality to solve increasingly complex identity needs
ConnectWise Launches Bug Bounty Program to Help Detect Security Vulnerabilities (ConnectWise) Crowdsourcing Effort to Uncover Security Issues is Latest Addition to Company’s Broader Cybersecurity Strategy
CyberGRX Delivers the Complete Solution for Third-Party Cyber Security & Privacy (BusinessWire) CyberGRX has released an expanded Privacy section to its assessment framework that allows customers to understand their third party's privacy programs
Retrospect Announces Retrospect Backup 17.5 with Cloud Updates and Latest Apple Support (Retrospect) New Release Certifies Amazon S3 Virtual-Host Style Buckets, Alibaba Cloud, Webair, and Backblaze B2’s New S3 API.
SyncDog Partners With Halodata To Advance Secure.Systems Across Southeast Asia (PR Newswire) SyncDog, Inc., the leading Independent Software Vendor (ISV) for next generation mobile security and data loss prevention, today announced...
Trusona's Windows 10 Passwordless MFA Solution Deployed by Customers Worldwide (PR Newswire) Trusona, the pioneering leader in passwordless identity authentication, today announced the successful and rapidly growing deployment of its...
HSB Provides Tailored Cyber Insurance with Cyberwrite's Cyber Risk Analytics Platform (PR Newswire) Cyberwrite, a leading cyber risk analytics firm, and HSB announced today that HSB is renewing its subscription to Cyberwrite's cyber risk...
How to stay secure on social media – free course from KnowBe4 (Gadget Guy) KnowBe4 is providing a no-cost ‘Social Media: Staying Secure in a Connected World’ course. It is part of a global effort to increase online safety during National Cyber Security Awareness Month.
Czech National Cyber and Information Security Agency Hardens Security of the Civil Service with Flowmon (PR Newswire) Flowmon Networks, a global network intelligence leader, announced that the National Cyber and Information Security Agency (NÚKIB) has...
Technologies, Techniques, and Standards
Cyber insurer's security scans reduced ransomware claims by 65% (BleepingComputer) A cyber insurer's security scans during the underwriting phase and post-issuance have led to a 65% reduction in ransomware claims.
The Census Bureau's move to zero trust begins with the cloud (FedScoop) The Census Bureau needs time to move to a zero-trust security architecture because it’s still in the early stages of cloud migration, said Chief Information Security Officer Beau Houser. While the bureau uses cloud services, it can’t abandon its wide network perimeter in favor of smaller ones around particular IT assets until more of those assets are in …
Zerologon Vulnerability Spurs Rare DHS CISA Emergency Order (Data Center Knowledge) The Windows Active Directory vulnerability is severe, and blueprints for exploiting it are open source.
Election Engineering: How US Experts Are Making Sure Your Vote Will Count (Medium) In February, the 2020 RSA security conference quickly settled on a cohesive narrative: America had, more or less, figured out how to do…
How Natural Language Processing Can Improve Legal Search Results (Kira) Attorneys working smarter and more efficiently positively impacts their clients, too. AI legal research allows attorneys to provide their clients with work products that are more accurate and completed more quickly, without a corresponding increase in legal costs.
Design and Innovation
TikTok says it removed 104M videos in H1 2020, proposes harmful content coalition with other social apps (TechCrunch) As the future of ByteDance’s TikTok ownership continues to get hammered out between tech and retail leviathans, investors and government officials, the video app today published its latest transparency report. In all, over 104.5 million videos were taken down; it had nearly 1,800 legal reques…
How has the global pandemic changed identity management? (Computing) Cloud-first vendors are making big gains as the remote working trend accelerates
Ex FBI agent explains how critical it is to save your company against cyber criminals (ETCIO.com) Paying cybercriminals for data doesn't ensure that you will have your systems back, says Jeff Lanza, retired FBI agent.
Navy's fifth annual cybersecurity event goes online (UPI) The Navy is holding the first track of its fifth annual HACKtheMACHINE competition this week.
Research and Development
Race for quantum supremacy gathers momentum with several companies joining bandwagon, says GlobalData (GlobalData) Quantum computers are a step closer to reality to solve certain real life problems that are beyond the capability of conventional computers. However, the biggest...
Tel Aviv-based QEDIT jumps on board US gov't cryptography project (Israel Hayom) DARPA funding $12.6 million initiative to harness advanced cryptography to preserve the integrity of complex software.
Legislation, Policy, and Regulation
WSJ News Exclusive | DOJ to Seek Congressional Curbs on Immunity for Internet Companies (Wall Street Journal) The Justice Department will submit a proposal to Congress to curb longstanding legal protections for internet companies like Facebook, Alphabet’s Google and Twitter, a senior department official said.
TikTok’s Zero Hour: Haggling With Trump, Doubts in China and a Deal in Limbo (Wall Street Journal) After months of maneuvering over the future of TikTok, it took last-minute phone calls to persuade President Trump to sign off in principle on the outlines of an agreement to keep the app operating in the U.S. Even that outcome—an M&A deal like no other—remains uncertain.
What To Watch As Data Privacy Again Grabs Focus In Senate (Law360) Data privacy will be back in the spotlight at the U.S. Senate on Wednesday, with California's attorney general among those set to advise a key committee on long-running efforts to craft federal privacy legislation that would tighten the reins on companies' data handling practices.
Trump officials hint at update for US maritime cybersecurity (CyberScoop) The Trump administration wants to reexamine America's approach to maritime cybersecurity, two senior administration officials said Tuesday.
CISA Expects ‘Handful’ of Agencies to Have Reliable AWARE Scores by Sept. 30 (Meritalk) The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency set out to have reliable cyber data for 24 CFO Act Federal agencies by the end of September, but a new update from the agency says only a “handful of agencies” are on track for that, and the goal is not likely to be accomplished until next fiscal year.
FCC Says Only Senders Face Liability For Fraudulent Faxes (Law360) The Federal Communications Commission has clarified its stance on who assumes liability when faxes are sent in violation of the Telephone Consumer Protection Act, ruling that "fax broadcasters" are liable for sending unsolicited advertisements rather than the advertisers themselves.
Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy (Government Accountability Office) Federal entities have a variety of roles and responsibilities for supporting efforts to enhance the cybersecurity of the nation.
Information Security and Privacy: HUD Needs a Major Effort to Protect Data Shared with External Entities (Government Accountability Office) The Department of Housing and Urban Development (HUD) is not effectively protecting sensitive information exchanged with external entities.
Wracked by American Sanctions, Russia Cuts Defense Spending (Washington Free Beacon) For the first time since 2014, Russia will spend more on resuscitating its economy than on funding its military as it suffers an economic nosedive precipitated by Western sanctions, the Financial Times reported Monday.
Litigation, Investigation, and Law Enforcement
Supreme Court Review of Hacking Law Puts Cybersecurity Researchers on Alert (Wall Street Journal) The Supreme Court is scheduled to hear a case in late November that could have broad implications for the main U.S. hacking law, and tempers are already flaring between its opponents and supporters.
International Law Enforcement Operation Targeting Opioid Traffickers on the Darknet Results in over 170 Arrests Worldwide and the Seizure of Weapons, Drugs and over $6.5 Million (US Department of Justice) Today, the Department of Justice, through the Joint Criminal Opioid and Darknet Enforcement (JCODE) team joined Europol to announce the results of Operation DisrupTor, a coordinated international effort to disrupt opioid trafficking on the Darknet.
The dark web won't hide you anymore, police warn crooks (ZDNet) 'Operation Disruptor' involved agencies from nine countries and the seizure of over $6.5m in cash and cryptocurrencies as criminals warned law enforcement will track them down.
WikiLeaks published unredacted cables after password was disclosed in book (ComputerWeekly) WikiLeaks published a cache of unredacted government cables after the publication of a book containing the password led to their publication on other parts of the internet, court told.
Will US Indictments of Iranian Hackers Be a Deterrent? (BankInfo Security) Will recent U.S. indictments of several alleged Iranian hackers - as well as government sanctions against an APT group - have a deterrent effect? Security experts
Arkady Bukh: Man in the Middle (CyberScoop) How a New York-based immigrant from the former Soviet bloc emerged as the go-to defense lawyer for the cybercrime underworld.
Judge Slams Firm's 'Deceptive' Facebook Privacy Deal Ads (Law360) Levi & Korsinsky LLP wrongly ran online advertisements designed to "mislead and deceive" consumers into opting out of a recently secured $650 million biometric privacy settlement with Facebook to pursue their own claims, a California federal judge said during a hearing Tuesday, slamming the law firm's "artful" deception.
Capital One, Amazon Can't Escape Suit Over 2019 Data Breach (Law360) A Virginia federal court kept alive a proposed class action filed against Capital One and Amazon after the bank's 2019 data breach, finding that consumers have plausibly claimed that the episode led to an "imminent threat" of identity theft.
Cruise Line Must Face Robocall Suit Disputing Website Click (Law360) A Florida federal judge has rejected a cruise line's bid to toss a suit accusing it of violating the Telephone Consumer Protection Act, ordering it to appear at a bench trial in the case claiming that a user's website click assenting to arbitration didn't sufficiently form a contract.
Legal action under way over University of Cumbria data breach (The Westmorland Gazette) Students, staff and partners of universities across the UK who may have had their personal details leaked online are preparing to take legal action…
Babylon to face 'no further action' for data breach of GP at Hand (Digital Health) Babylon admitted in June that three patients were able to view recordings of other patients’ consultations using the GP at Hand app.