Security daily (16-09-2021)

New Standard Contractual Clauses now part of the AWS GDPR Data Processing Addendum for customers

Today, we’re happy to announce an update to our online AWS GDPR Data Processing Addendum (AWS GDPR DPA) and our online Service Terms to include the new Standard Contractual Clauses (SCCs) that the European Commission (EC) adopted in June 2021. The EC-approved SCCs give our customers the ability to comply with the General Data Protection […] (AWS Security Blog)

Facebook says it will step up efforts to stop coordinated campaigns that cause harm

Facebook will ramp up efforts to curb coordinated activities from real users who are connected to dangerous activities in the real world, such as promotion of vaccine misinformation and organizing violence, the company said Thursday. The new policy is an attempt to address a gap in the platform’s enforcement against real individuals who band together to repeatedly violate the platform’s standards. The plan is based on Facebook’s existing efforts to scrub its platform of fake accounts. “From a security perspective, our goal is to borrow from the cybersecurity world and build an in-depth approach here, where we have multiple layers to catch violating activity that can cause harm to people on our platform,” Nathaniel Gleicher, Facebook’s head of security policy, said Thursday in a call with reporters. Facebook will take a range of actions against violating accounts, including reducing content reach and disabling violating accounts. The new policies build on […] The post Facebook says it will step up efforts to stop coordinated campaigns that cause harm appeared first on CyberScoop. (CyberScoop)

Bitdefender releases REvil decryptor as ransomware gang shows signs of return

As law enforcement braces for the revival of the REvil ransomware gang, a cybersecurity firm on Thursday released a free decryption tool for early victims of the criminals. The decryptor, which Bitdefender developed in coordination with an unnamed law enforcement partner, will aid victims hit before July 13. The Romania-based company said it was still in the middle of an investigation with its partner, which agreed to release the decryptor before completing the joint inquiry to help as many victims as possible. Bitdefender has a long history of working with Europol to release tools that help victims of digital extortion sidestep the process of making a payment. “We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus,” Bitdefender wrote in a blog post. According to another cybersecurity firm, Flashpoint, REvil is already fully back in business. […] The post Bitdefender releases REvil decryptor as ransomware gang shows signs of return appeared first on CyberScoop. (CyberScoop)

FTC threatens fines for health apps that fail to report compromised data

App developers and device operators that collect health data about Americans must alert consumers in the event their personal information is compromised or shared without permission, the Federal Trade Commission ruled Wednesday. The U.S. consumer protection agency voted 3-2 on a new regulation that is meant to clarify the 2009 Health Notification Rule, which details how companies should tell consumers if their data is improperly shared or breached. The decision Wednesday extends the 2009 rule to cover health apps, fitness trackers and other connected devices that have risen in popularity over the past decade. “The global pandemic has hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health,” FTC chair Lina Khan said in a statement. “As we have seen, however, digital apps are routinely caught playing fast and loose with user data, leaving users’ health information susceptible […] The post FTC threatens fines for health apps that fail to report compromised data appeared first on CyberScoop. (CyberScoop)

OMIGOD, an exploitable hole in Microsoft open source code!

Got Linux? Here's a bug you weren't expecting, in software you might not even know you have. (Naked Security)

Why Government Sites Are Hosting Porn And Viagra Ads

(News ≈ Packet Storm)

Google Is Backing Security Reviews Of These Key Open Source Projects

(News ≈ Packet Storm)

REvil/Sodinokibi Ransomware Universal Decryptor Key Is Out

(News ≈ Packet Storm)

Azure Zero Day Flaws Highlight Lurking Supply Chain Risk

(News ≈ Packet Storm)

Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. The issue — tracked as CVE-2021-41077 — concerns unauthorized access and plunder of secret environment data associated with a public open-source project during the (The Hacker News)

Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released

New details have been revealed about a recently remediated critical vulnerability in Netgear smart switches that could be leveraged by an attacker to potentially execute malicious code and take control of vulnerable devices. The flaw — dubbed "Seventh Inferno" (CVSS score: 9.8) — is part of a trio of security weaknesses, called Demon's Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8) (The Hacker News)

Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks

Microsoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems. "These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon (The Hacker News)

You Can Now Sign-in to Your Microsoft Accounts Without a Password

Microsoft on Wednesday announced a new passwordless mechanism that allows users to access their accounts without a password by using Microsoft Authenticator, Windows Hello, a security key, or a verification code sent via SMS or email. The change is expected to be rolled out in the coming weeks. "Except for auto-generated passwords that are nearly impossible to remember, we largely create our own (The Hacker News)

CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug

The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August. (Threatpost)

Airline Credential-Theft Takes Off in Widening Campaign

A spyware effort bent on stealing cookies and logins is being driven by unsophisticated attackers cashing in on the initial-access-broker boom. (Threatpost)

Financial Cybercrime: Following Cryptocurrency via Public Ledgers

John Hammond, security researcher with Huntress, discusses a wallet-hijacking RAT, and how law enforcement recovered millions in Bitcoin after the Colonial Pipeline attack. (Threatpost)

REvil/Sodinokibi Ransomware Universal Decryptor Key Is Out

Bitdefender worked with law enforcement to create a key to unlock victims encrypted in ransomware attacks before REvil's servers went belly-up on July 13. (Threatpost)

DDoS Attacks: A Flourishing Business for Cybercrooks – Podcast

Imperva’s Peter Klimek on how DDoS attacks started out as inconveniences but evolved to the point where attackers can disrupt businesses for as little as the price of a cup of coffee. (Threatpost)

HP Omen Hub Exposes Millions of Gamers to Cyberattack

A driver privilege-escalation bug gives attackers kernel-mode access to millions of PCs used for gaming. (Threatpost)
/security-daily/ 17-09-2021 23:44:23