The latest edition of the ISMG Security Report discusses the ramifications of the U.K's decision to allow limited use of Huawei's equipment in 5G networks. Plus: Updates on Wawa's stolen card data offered for sale and nascent security threats from social networks and drones.
Conferencing service provider Zoom has fixed a vulnerability that - under certain conditions - could have allowed an uninvited third party to guess a meeting ID and join a conference call. The exploitation of the flaw revolves around guessing IDs for meetings that aren't password-protected.
A long-running marketplace for selling stolen payment card data claims it has 30 million stolen payment cards that experts believe are linked to the breach at Wawa convenience stores late last year. The breach is one of the largest ever involving card-related data.
Deception technologies offer a way to shift away from a purely defensive "detect and response" posture toward a more proactive offensive approach that draws stealth cyberattackers into the open before a breach.
Bad news on the ransomware front: Victims that choose to pay attackers' ransom demands - in return for the promise of a decryption tool - last quarter paid an average of $84,116, according to Coveware. But gangs wielding Ryuk and Sodinokibi - aka REvil - often demanded much more.
A spear-phishing campaign targeted a U.S. government agency for several months last year using emails with content about North Korea geopolitics as a lure, according to an analysis from Palo Alto Networks' Unit 42.
It's a seductive story line: A chat app belonging to Saudi Arabia's crown prince is used to deliver malware to an American billionaire's phone. But a forensic investigation of Amazon CEO Jeff Bezos' phone raises more questions than it answers.
Emotet malware alert: The U.S. Cybersecurity and Infrastructure Security Agency says it's been "tracking a spike" in targeted Emotet malware attacks. It urges all organizations to immediately put in place defenses to not just avoid infection, but also detect lateral movement in their networks by hackers.
Microsoft accidentally internet-exposed for three weeks 250 million customer support records stored in five misconfigured Elasticsearch databases. While the company rapidly locked them down after being alerted, it's an embarrassing gaff for the technology giant, which has pledged to do better.
Apple previously scuttled plans to add end-to-end encryption to iCloud backups, Reuters reports, noting that such a move would have complicated law enforcement investigations. But the apparent olive branch hasn't caused the U.S. government to stop vilifying strong encryption and the technology giants that provide it.
Since the EU's General Data Protection Regulation went into full effect in May 2018, European data protection authorities have received more than 160,900 data breach reports and imposed $126 million in fines under GDPR for a wide variety of infringements, not all involving data breaches.
Mitsubishi Electric says hackers exploited a zero-day vulnerability in its anti-virus software, prior to the vendor patching the flaw, and potentially stole trade secrets and employee data. The Japanese multinational firm announced the breach more than six months after detecting it in June 2019.
Microsoft says it's prepping a patch to fix a memory corruption flaw in multiple versions of Internet Explorer that is being exploited by in-the-wild attackers, and it's issued mitigation guidance. Security firm Qihoo 360 says the zero-day flaw has been exploited by the DarkHotel APT gang.
P&N Bank in Perth, Australia, says a server upgrade gone wrong led to the breach of sensitive personal information in its customer relationship management system. The incident is another example how organizations can be imperilled by mistakes on the part of their suppliers.