The Week in Cyber Security News, Sept. 21 - 27
01. A cybersecurity researcher has uncovered a flaw in the SQL injection protection mechanism of the Cloudflare Web Application Firewall.
02. The Department of Homeland Security (DHS) gave government agencies four days' notice to patch a critical vulnerability in Windows Server, CVE-2020-1472, also known as Zerologon, which could allow an attacker to hijack federal networks via a flaw in the Netlogon authentication system.
03. Less than 13% of small and medium-sized businesses have cyber-insurance, potentially leaving large numbers exposed to the serious financial impact of online attacks.
04. A back-end server associated with Microsoft Bing exposed sensitive data of the search engine's mobile application users, including search queries, device details and GPS coordinates, among others.
05. Rogue members of the Shopify support team have been caught accessing customer transaction details and other data belonging to online merchants.
06. A tip from a child has led to the discovery of seven adware scam apps, available on the Apple App Store and Google Play Store, which have been downloaded more than 2.4 million times and raked in at least $500,000.
07. CVE-2020-1472, one of the highest-impact Windows vulnerabilities patched this year, which allows attackers to instantly take control of Active Directory, is under active exploitation by malicious hackers.
08. A new ransomware operation named Mount Locker is underway, stealing victims' files before encrypting them and then demanding multi-million dollar ransoms.
09. Twitter has emailed developers stating that their API keys, access tokens and access token secrets may have been exposed in a browser's cache.
10. Ring's newly announced robot drone, a connected device that flies around homes taking security footage, is causing concern among privacy experts, who are worried about how Ring will collect, use and share the data.
11. A warning has been issued by America's Cybersecurity and Infrastructure Security Agency after a malicious cyber-actor used valid login credentials for multiple users' Microsoft Office 365 accounts and domain administrator accounts to gain access to an unnamed United States federal agency.
12. KuCoin, a major cryptocurrency exchange based in Singapore, has confirmed a security breach of its ERC20, Ethereum and Bitcoin hot wallets, with hackers reportedly stealing more than $150 million worth of crypto and transferring the funds to an unknown wallet.
13. The National Australia Bank has launched a bug bounty program in partnership with a crowdsourced cyber security platform, stating that vetted security researchers will be able to work in live environments to help test the bank's security.
14. Google has removed 17 Android applications from the official Play Store after it was discovered that they were infected with the Joker (aka Bread) malware.
Thanks for visiting SecAlerts and reading our weekly cyber security news roundup. We offer a free weekly CVE alert service, or an hourly service from $US20/mth, both of which include software updates and news relating to your software stack. Join more than 1,300 other users and sign up.
. . .
If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.