Welcome to the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly curated for you every week. This week's volume was curated by Secjuice writers Prasanna, Ross Moore, Andy74, Sinwindie, Muhammad Luqman, Tony Kelly, Devesh Chande, and Alesanco.
In this edition, we have news articles, blog posts, and learning.
A Hacker Got All My Texts for $16
A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.
Microsoft vulnerabilities report offers key cybersecurity insights
In 2020, a record number of 1,268 Microsoft vulnerabilities were discovered, a 48% increase year over year, a BeyondTrust report finds. Its CISO sits for an interview to dig deep into the findings.
How Did Multiple Threat Groups Know About Exchange Patches Before Release?
Following CISA's weekend updates on continuing Exchange server hacks, Microsoft is investigating the significant uptick in exploits just days before patches were released.
Cryptophone Service Crackdown: Feds Indict Sky Global CEO
Authorities in the U.S. have extended the international police crackdown against the Sky ECC cryptophone service by indicting both the parent company's CEO and its main distributor.
DuckDuckGo browser extension vulnerability leaves Edge users open to potential cyber-snooping
DuckDuckGo has fixed a universal cross-site scripting (uXSS) flaw in a popular browser extension for Chrome and Firefox.
Twitter Users Can Now Secure Accounts With Multiple Security Keys
Twitter announced that users with two-factor authentication (2FA) enabled can now use multiple security keys to protect their accounts.
Hacker dumps Guns.com database with customers, admin data
As seen by Hackread.com, among other sensitive data, the database includes Guns.com administrator, WordPress, and Cloud login credentials in plain-text format.
New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild
Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy a Mirai variant and ZHtrap.
Ransomware soars with 62% increase since 2019
The 2021 SonicWall Cyber Threat Report goes inside the stories that headlined 2020, and takes a closer look at new and disruptive cyber threats to provide insight into the evolving cyber threat landscape.
Bug In iPhone Call Recorder App Could Expose Users’ Recordings
Exploiting the iPhone Call Recorder app bug could let an adversary access users' recordings just by phone numbers. Bug fixed.
Hackers stole NFTs from Nifty Gateway users
Over the weekend, some users of NFT marketplace Nifty Gateway said hackers stole digital artwork worth thousands of dollars from their accounts. Some people who were hacked also said their credit cards on file were used to purchase additional NFTs, also costing thousands of dollars, which were then transferred away to a hacker’s account.
A Hacker Just Stole $5.7 Million From Social Token Startup Roll
Over the weekend, hackers stole millions of dollars in crypto from Roll, a social currency startup that allows so-called “creatives” to launch and manage their own Ethereum blockchain-based money systems.
Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix
Public proof-of-concept (PoC) exploits for ProxyLogon could be fanning a feeding frenzy of attacks even as patching makes progress.
Google Releases Spectre PoC Exploit For Chrome
Google has released the side-channel exploit in hopes of motivating web-application developers to protect their sites.
Mamma Mia! Compromised passwords are filled with popular music artists
All apologies, but if you use your favorite band as part of your password it's time to turn around and try something else.
FBI releases the Internet Crime Complaint Center 2020 Internet Crime Report
The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports.
California bans website 'dark patterns', confusing language when opting out of having your personal info sold
State privacy rules add pressure on lawmakers to craft national standards.
Florida Teen Pleads Guilty in 2020 Twitter Hack
The Florida teen whom prosecutors call the mastermind behind last year's hack of 130 high-profile Twitter accounts to wage a cryptocurrency scam pleaded guilty.
Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites
A pair of critical vulnerabilities found in bulletin board software called MyBB could have been chained together to achieve remote code execution.
Twitter images can be abused to hide ZIP, MP3 files — here's how
Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter.
Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud
The U.S. yesterday announced updates on two separate cases involving cyberattacks—a Swiss hacktivist and a Russian who planned to plant malware in Tesla.
Hackers Infecting Apple App Developers With Trojanized Xcode Projects
Hackers are leveraging Xcode as an attack vector to compromise Apple platform developers with a backdoor.
Computer giant Acer hit by $50 million ransomware attack
The REvil ransomware operation claims to have stolen unencrypted data after hacking electronics and computer giant Acer.
Bogus Android Clubhouse App Drops Credential-Swiping Malware
The malicious app spreads the BlackRock malware, which steals credentials from 458 services – including Twitter, WhatsApp, Facebook and Amazon.
Tax-Themed Phishing Campaign Emerges
This tax season, as in years past, a major phishing campaign is targeting U.S. taxpayers in an effort to deliver malware, according to researchers at security firm.
TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations.
Users could gain root privilege through three flaws sitting in Linux kernel
The unearthed vulnerabilities in the Linux kernel are located in the iSCSI module used for accessing shared data storage facilities.
How your iPhone could tell you if you're being stalked
The latest Apple iOS beta suggests that iPhone users will be warned about hidden tracking devices in the future, but questions remain.
How to Regex: A Practical Guide to Regular Expressions (Regex) for Hackers
Come check out this new How-to blog from @hakluke. A guide to Regular Expressions and how to bypass Regex-Based Security Controls in the wild!
OSINT Tools for Pivoting, Automating Google Search, and API Testing
Another week, another set of OSINT tools. This week we'll be looking at tools for OSINT investigations for pivoting, automating Google search, and APIs.
Nessus CSV Parser and Extractor
Yanp.sh is a simple yet powerful Nessus CSV parser. It extracts information from multiple Nessus results and creates a consolidated version from all reports combined.
About The Artwork
‘Soviet Ghosts’ is a personal experimental work, intended to express the beauty hidden in the broken and decayed. This work is inspired by British photographer Rebecca Litchfield's collection of photographs of the same name. Published in 2013, she sensitively and beautifully records many abandoned locations within thirteen countries which were once part of the Soviet Union or occupied territories. I also referenced a large number of images of the remains of the former Soviet Union from the internet. During the creative process I tried to construct and restore the strong sense of realistic representation that was vivid in the photography. At the same time I reorganize the subject and scene and integrate this with my own creativity and understanding in light and shadow and composition. Trying to find a balance point that satisfies myself between hyper-realism and artistic stylization is also a challenge. - Link Lee