Security daily (12-02-2021)

Use tags to manage and secure access to additional types of IAM resources

AWS Identity and Access Management (IAM) now enables Amazon Web Services (AWS) administrators to use tags to manage and secure access to more types of IAM resources, such as customer managed IAM policies, Security Assertion Markup Language (SAML) providers, and virtual multi-factor authentication (MFA) devices. A tag is an attribute that consists of a key […] (AWS Security Blog)

Investigators suggest hackers exploited weak password security to breach Florida water facility

A clearer picture of poor security practices in Oldsmar, Florida prior to the dangerous hack of its water treatment plant is beginning to emerge, even as an investigation into the matter continues one week after the incident. Three federal agencies teamed up with an organization that shares threat information between states to issue an alert late Thursday explaining how the breach, in which a hacker allegedly tried to raise sodium hydroxide levels to amounts that are harmful to humans, might have unfolded. Initial clues suggest the incident, which was detected before it amounted to a threat to public drinking water, was made possible by lax data protection strategies and exploitation of a software tool. “The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” reads the alert from the FBI, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Environmental […] The post Investigators suggest hackers exploited weak password security to breach Florida water facility appeared first on CyberScoop. (CyberScoop)

Ukrainian gets US prison term in decade-old cybercrime, money-laundering case

In a case that stretches back to a much simpler era for cybercrime, a Ukrainian man was sentenced Thursday to more than seven years in prison after pleading guilty to helping launder money for Eastern Europeans who hacked into U.S. bank accounts. The U.S. Department of Justice said Aleksandr Musienko, 38, agreed to an 87-month prison term and $98,751.64 in restitution under the plea deal. From 2009 to 2012, Musienko, who sometimes used the alias Robert Davis, “partnered with Eastern European computer hackers to obtain over $3 million from U.S. victims’ bank accounts and launder the stolen funds from U.S. bank accounts overseas,” the department said Thursday in announcing the deal. Musienko ran a network of “money mules” as part of the scheme, prosecutors said. The FBI’s Charlotte, North Carolina, office took the lead in prosecuting Musienko, focusing on a specific fraud case in that state. According to a 2016 […] The post Ukrainian gets US prison term in decade-old cybercrime, money-laundering case appeared first on CyberScoop. (CyberScoop)

Fallen victim to online fraud? Here’s what to do…

Practical tips on how to avoid getting scammed in the first place, as well as what to do if it does happen. (Naked Security)

SMS tax scam unmasked: Bogus but believable – don’t fall for it!

Everyone loves a tax refund - just don't get so excited that you forget to check for telltale signs of a scam. (Naked Security)

Brazil Probes Data Leak Of 102 Million Consumers

(News ≈ Packet Storm)

Military, Nuclear Entities Under Target By Novel Android Malware

(News ≈ Packet Storm)

Pre-Valentine's Day Malware Attack Mimics Flower, Lingerie Stores

(News ≈ Packet Storm)

Microsoft Is Seeing A Big Spike In Web Shell Use

(News ≈ Packet Storm)

mHealth Apps Expose Millions to Cyberattacks

Researcher testing of 30 mobile health apps for clinicians found that all of them had vulnerable APIs. (Threatpost)

Yandex Data Breach Exposes 4K+ Email Accounts

In a security notice, Yandex said an employee had been providing unauthorized access to users’ email accounts “for personal gain.” (Threatpost)

‘Annoyingly Believable’ Tax Scam Targets Mobile Users

A well-crafted SMS phishing effort is harvesting personal data and credit-card details under the guise of offering tax refunds. (Threatpost)

Singtel Suffers Zero-Day Cyberattack, Damage Unknown

The Tier 1 telecom giant was caught up in a coordinated, wide-ranging attack using unpatched security bugs in the Accellion legacy file-transfer platform. (Threatpost)

Florida Water Plant Hack: Leaked Credentials Found in Breach Database

Researchers discovered credentials for the Oldsmar water treatment facility in the massive compilation of data from breaches posted just days before the attack. (Threatpost)


/security-daily/ 13-02-2021 23:44:23