Welcome to the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly curated for you every week. This week's volume was curated by Secjuice writers Prasanna, Ross Moore, Andy74, Sinwindie, Muhammad Luqman, Tony Kelly, Devesh Chande, and Alesanco.

In this edition, we have news articles, blog posts, and learning.

News

A Hacker Got All My Texts for $16

A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.

Read more at vice.com and theverge.com
Curated by Prasanna and Sinwindie

Microsoft vulnerabilities report offers key cybersecurity insights

In 2020, a record number of 1,268 Microsoft vulnerabilities were discovered, a 48% increase year over year, a BeyondTrust report finds. Its CISO sits for an interview to dig deep into the findings.

Read more at healthcareitnews.com
Curated by Ross Moore

How Did Multiple Threat Groups Know About Exchange Patches Before Release?

Following CISA's weekend updates on continuing Exchange server hacks, Microsoft is investigating the significant uptick in exploits just days before patches were released.

Read more at breakingdefense.com
Curated by Ross Moore

Cryptophone Service Crackdown: Feds Indict Sky Global CEO

Authorities in the U.S. have extended the international police crackdown against the Sky ECC cryptophone service by indicting both the parent company's CEO and its main distributor.

Read more at databreachtoday.com
Curated by Ross Moore

DuckDuckGo browser extension vulnerability leaves Edge users open to potential cyber-snooping

DuckDuckGo has fixed a universal cross-site scripting (uXSS) flaw in a popular browser extension for Chrome and Firefox.

Read more at portswigger.net
Curated by Andy74

Twitter Users Can Now Secure Accounts With Multiple Security Keys

Twitter announced that users with two-factor authentication (2FA) enabled can now use multiple security keys to protect their accounts.

Read more at securityweek.com and cnet.com
Curated by Andy74 and Sinwindie

Hacker dumps Guns.com database with customers, admin data

As seen by Hackread.com, among other sensitive data, the database includes Guns.com administrator, WordPress, and Cloud login credentials in plain-text format.

Read more at hackread.com
Curated by Andy74

New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild

Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy a Mirai variant and ZHtrap.

Read more at thehackernews.com
Curated by Andy74

Ransomware soars with 62% increase since 2019

The 2021 SonicWall Cyber Threat Report goes inside the stories that headlined 2020, and takes a closer look at new and disruptive cyber threats to provide insight into the evolving cyber threat landscape.

Read more at securitymagazine.com
Curated by Andy74

Bug In iPhone Call Recorder App Could Expose Users’ Recordings

Exploiting the iPhone Call Recorder app bug could let an adversary access users' recordings just by phone numbers. Bug fixed.

Read more at latesthackingnews.com
Curated by Andy74

Hackers stole NFTs from Nifty Gateway users

Over the weekend, some users of NFT marketplace Nifty Gateway said hackers stole digital artwork worth thousands of dollars from their accounts. Some people who were hacked also said their credit cards on file were used to purchase additional NFTs, also costing thousands of dollars, which were then transferred away to a hacker’s account.

Read more at theverge.com
Curated by Sinwindie

A Hacker Just Stole $5.7 Million From Social Token Startup Roll

Over the weekend, hackers stole millions of dollars in crypto from Roll, a social currency startup that allows so-called “creatives” to launch and manage their own Ethereum blockchain-based money systems.

Read more at gizmodo.com
Curated by Sinwindie

Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix

Public proof-of-concept (PoC) exploits for ProxyLogon could be fanning a feeding frenzy of attacks even as patching makes progress.

Read more at threatpost.com
Curated by Muhammad Luqman

Google Releases Spectre PoC Exploit For Chrome

Google has released the side-channel exploit in hopes of motivating web-application developers to protect their sites.

Read more at threatpost.com
Curated by Muhammad Luqman

All apologies, but if you use your favorite band as part of your password it's time to turn around and try something else.

Read more at techrepublic.com
Curated by Ross Moore

FBI releases the Internet Crime Complaint Center 2020 Internet Crime Report

The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports.

Read more at securitymagazine.com
Curated by Andy74

California bans website 'dark patterns', confusing language when opting out of having your personal info sold

State privacy rules add pressure on lawmakers to craft national standards.

Read more at theregister.com
Curated by Ross Moore

Florida Teen Pleads Guilty in 2020 Twitter Hack

The Florida teen whom prosecutors call the mastermind behind last year's hack of 130 high-profile Twitter accounts to wage a cryptocurrency scam pleaded guilty.

Read more at databreachtoday.com
Curated by Ross Moore

Critical RCE Flaw Reported in MyBB Forum Software—Patch Your Sites

A pair of critical vulnerabilities found in bulletin board software called MyBB could have been chained together to achieve remote code execution.

Read more at thehackernews.com
Curated by Andy74

Twitter images can be abused to hide ZIP, MP3 files — here's how

Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter.

Read more at bleepingcomputer.com
Curated by Ross Moore

Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud

The U.S. yesterday announced updates on two separate cases involving cyberattacks—a Swiss hacktivist and a Russian who planned to plant malware in Tesla.

Read more at thehackernews.com
Curated by Andy74

Hackers Infecting Apple App Developers With Trojanized Xcode Projects

Hackers are leveraging Xcode as an attack vector to compromise Apple platform developers with a backdoor.

Read more at thehackernews.com
Curated by Andy74

Computer giant Acer hit by $50 million ransomware attack

The REvil ransomware operation claims to have stolen unencrypted data after hacking electronics and computer giant Acer.

Read more at bleepingcomputer.com
Curated by Tony Kelly

Bogus Android Clubhouse App Drops Credential-Swiping Malware

The malicious app spreads the BlackRock malware, which steals credentials from 458 services – including Twitter, WhatsApp, Facebook and Amazon.

Read more at threatpost.com
Curated by Tony Kelly

Tax-Themed Phishing Campaign Emerges

This tax season, as in years past, a major phishing campaign is targeting U.S. taxpayers in an effort to deliver malware, according to researchers at a security firm.

Read more at databreachtoday.com
Curated by Devesh Chande

CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations.

Read more at us-cert.cisa.gov
Curated by Devesh Chande

Users could gain root privilege through three flaws sitting in Linux kernel

The unearthed vulnerabilities in the Linux kernel are located in the iSCSI module used for accessing shared data storage facilities.

Read more at scmagazine.com
Curated by Alesanco

Blogs

How your iPhone could tell you if you're being stalked

The latest Apple iOS beta suggests that iPhone users will be warned about hidden tracking devices in the future, but questions remain.

Read more at malwarebytes.com
Curated by Ross Moore

How to Regex: A Practical Guide to Regular Expressions (Regex) for Hackers

Come check out this new How-to blog from @hakluke. A guide to Regular Expressions and how to bypass Regex-Based Security Controls in the wild!

Read more at bugcrowd.com
Curated by Tony Kelly

Learning

OSINT Tools for Pivoting, Automating Google Search, and API Testing

Another week, another set of OSINT tools. This week we'll be looking at tools for OSINT investigations for pivoting, automating Google search, and APIs.

Read more at jakecreps.com
Curated by Tony Kelly

Nessus CSV Parser and Extractor

Yanp.sh is a simple yet powerful Nessus CSV parser. It extracts information from multiple Nessus results and creates a consolidated version from all reports combined.

Read more at infosecmatter.com
Curated by Tony Kelly

The beautiful artwork used in this article was created by the talented Link Lee.

About The Artwork
‘Soviet Ghosts’ is a personal experimental work, intended to express the beauty hidden in the broken and decayed. This work is inspired by British photographer Rebecca Litchfield's collection of photographs of the same name. Published in 2013, she sensitively and beautifully records many abandoned locations within thirteen countries which were once part of the Soviet Union or occupied territories. I also referenced a large number of images of the remains of the former Soviet Union from the internet. During the creative process I tried to construct and restore the strong sense of realistic representation that was vivid in the photography. At the same time I reorganize the subject and scene and integrate this with my own creativity and understanding in light and shadow and composition. Trying to find a balance point that satisfies myself between hyper-realism and artistic stylization is also a challenge. - Link Lee