Hello! Here's your quick recap of what's new in cybersecurity.
Attackers are using new techniques to break into systems we thought were secure, like finding hidden doors in locked homes. The good news? Security experts are fighting back with smarter tools to keep data safe.
Some large companies were hit by these attacks, while others patched their vulnerabilities in time. It's a constant struggle. For you, staying protected means keeping your devices and apps up to date.
In this newsletter, we’ll break down the top news. Whether you’re protecting personal data or managing security for your business, we’ve got tips to help you stay safe.
Let’s get started!
⚡ Threat of the week
China calls Volt Typhoon a US invention: China's National Computer Virus Emergency Response Center (CVERC) claims that the threat actor tracked as Volt Typhoon is an invention of US intelligence agencies and their allies. It also accused the US of conducting false-flag operations to hide its own malicious cyber attacks and of building a "large-scale global internet surveillance network".
Trending CVEs
CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164
🔔 Top news
- Apple macOS flaw allows bypass of privacy controls in the Safari browser: Microsoft has released details about a now-patched security flaw in Apple's Transparency, Consent and Control (TCC) framework in macOS that could be abused to bypass user privacy settings and gain access to data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The problem was fixed in macOS Sequoia 15, released last month.
- Legitimate red team tool abused in real attacks: Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to tamper with Endpoint Detection and Response (EDR) solutions and conceal malicious activity. The goal is to render EDR software ineffective and make it much harder to identify and remove malware.
- TrickMo can now steal Android PINs: Researchers have observed new variants of the TrickMo Android banking trojan that include features to steal a device's unlock pattern or PIN by presenting victims with a fake web page that mimics the device's real unlock screen.
- FIDO Alliance debuts new specifications for passkey transfer: One of the major design limitations of passkeys, the passwordless login method that is becoming increasingly common, is that they cannot be transferred between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it is working to do just that, making passkeys more portable with new draft protocols such as the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF), which enable the secure exchange of credentials.
- Hijack Loader uses legitimate code signing certificates: Malware campaigns are now distributing a loader family called Hijack Loader signed with legitimate code signing certificates to evade detection. These attacks usually involve tricking users into downloading a binary disguised as pirated software or movies.
📰 Around the cyber world
- Apple publishes draft ballot to reduce certificate lifetime to 45 days: Apple has published a draft ballot that proposes gradually reducing the lifetime of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum lifetime of public SSL/TLS certificates from 398 days to 90 days.
- More than 87,000 Internet-facing Fortinet devices vulnerable to CVE-2024-23113: About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8) that was recently added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could lead to remote code execution. The development comes as Google revealed that of the 138 vulnerabilities disclosed as exploited in 2023, 97 (70%) were first weaponized as zero-days. Time-to-exploit (TTE) has fallen from an average of 63 days in 2018-19 to just five days in 2023.
- Researchers describe Early Cascade Injection: Researchers have uncovered a new, stealthy process injection technique called Early Cascade Injection that evades detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preload technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs) while having minimal remote process interaction."
- ESET's Israeli partner hacked to deliver wiper malware: In a new campaign, threat actors infiltrated ESET's cybersecurity partner in Israel, ComSecure, to send phishing emails that distributed wiper malware to Israeli companies under the guise of antivirus software. "Based on our initial investigation, the limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding that it was not compromised by the incident.
- Google describes a two-pronged approach to addressing memory safety issues: Google said it is migrating to memory-safe languages like Rust, Kotlin and Go, and is also exploring interoperability with C++ via Carbon to ensure a seamless transition. In tandem, the tech giant stressed that it is focusing on mitigating risks and containing memory-unsafe code using techniques such as hardening C++, expanding security boundaries such as sandboxing and privilege reduction, and using artificial intelligence techniques such as Naptime to detect security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly, from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant also detailed how it uses Chrome's accessibility API to find security bugs. "We're now 'fuzzing' that accessibility tree, that is, interacting with the different UI controls in a semi-random fashion to see if we can make anything break," Chrome's Adrian Taylor said.
Cyber security resources and information
LIVE WEBINARS
1. DSPM Cracked: Learn how Global-e transformed its data protection: Is your data protection falling apart? Learn how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this unmissable webinar, Global-e's CISO discusses:
- The exact steps that changed their data security overnight
- Insider tricks for implementing DSPM with minimal disruption
- A roadmap that reduced security incidents by 70%
2. Identity Theft 2.0: Protection against advanced LUCR-3 attacks: LUCR-3 picks the locks on your digital kingdom. Is your crown-jewel data already in their sights?
Join Ian Ahl, former Mandiant threat intelligence mastermind, as he:
- Decodes the LUCR-3 stealth tactics that breach 9 out of 10 targets
- Uncovers an Achilles' heel in your cloud defense that you didn't even know existed
- Arms you with countermeasures that stop LUCR-3 in its tracks
This is not a webinar. This is your lesson in war strategy against the most elusive threat on the Internet. Spaces are filling up fast – sign up now or risk becoming the next LUCR-3 trophy.
Cyber security tools
- Vulnhuntr: AI-powered open source bug finder — What if AI could find vulnerabilities BEFORE hackers do? Vulnhuntr uses advanced artificial intelligence models to find complex security flaws in Python code. In just a few hours, it discovered numerous vulnerabilities in large open source projects.
Tip of the week
Protect your accounts with a hardware security key: For stronger protection, hardware security keys like the YubiKey are game changers. But here's how to take it to the next level: register two keys—one for everyday use and a backup that's stored safely offline. This ensures that you are never locked out even if one key is lost. Also, enable the "FIDO2/WebAuthn" protocols when setting up your keys – these prevent phishing by ensuring that your key only works with legitimate websites. For enterprises, hardware keys can streamline security with centralized management, allowing you to assign, track, and revoke access across your team in real time. It is physical, intelligent and almost foolproof security.
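The tip says FIDO2/WebAuthn keys "only work with legitimate websites". The following added example (not from the newsletter or from any key vendor) shows the relying-party side of why that holds: the browser, not the user, writes the page origin into clientDataJSON, and the authenticator hashes the relying party ID into authenticatorData, so a login started on a lookalike domain produces an assertion the real site rejects before it even looks at the signature. The RP ID `example.com`, the origin `https://example.com`, the challenge bytes and the lookalike domain `examp1e.com` are all constructed sample values; signature verification over the credential's public key is out of scope here and marked where it would occur.

```python
"""Relying-party origin and RP-ID checks for a WebAuthn assertion.

Added example, not code from the newsletter. Only the origin/rpIdHash/flags/
counter checks are implemented; signature verification is marked, not done.
"""
import base64
import hashlib
import json
import struct

EXPECTED_RP_ID = "example.com"            # assumption: the site's WebAuthn RP ID
EXPECTED_ORIGIN = "https://example.com"   # assumption: the only legitimate origin
CHALLENGE = b"constructed-challenge-0123456789"  # constructed; real ones are random per login

FLAG_USER_PRESENT = 0x01   # authenticator flag: user touched the key
FLAG_USER_VERIFIED = 0x04  # authenticator flag: PIN/biometric verified


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser serialises as clientDataJSON; the origin is set by the browser."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """37-byte authenticatorData prefix: SHA-256(rpId) || flags || 32-bit signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_sign_count: int) -> tuple[bool, str]:
    """Return (accepted, reason) for the non-signature parts of assertion verification."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        # This is the phishing-resistance check: the browser recorded where the user really was.
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    # Signature check over authenticatorData || SHA-256(clientDataJSON) with the
    # credential's stored public key would go here; omitted in this example.
    return True, "ok"


def legitimate_assertion():
    """Constructed assertion from a login on the real site with a previously seen counter of 41."""
    return (make_client_data(EXPECTED_ORIGIN, CHALLENGE),
            build_authenticator_data(EXPECTED_RP_ID, FLAG_USER_PRESENT | FLAG_USER_VERIFIED, 42),
            CHALLENGE, 41)


def phished_assertion():
    """Constructed assertion from a lookalike domain relaying the real challenge.

    The user touched the key, but the browser wrote the lookalike origin and the
    authenticator hashed the lookalike RP ID, so the real site rejects it.
    """
    lookalike = "examp1e.com"
    return (make_client_data("https://" + lookalike, CHALLENGE),
            build_authenticator_data(lookalike, FLAG_USER_PRESENT, 43),
            CHALLENGE, 42)


if __name__ == "__main__":
    print("legitimate:", verify_assertion(*legitimate_assertion()))
    print("phished:   ", verify_assertion(*phished_assertion()))
```

The origin and rpIdHash checks are what make a security key phishing-resistant: a relayed challenge still fails because neither value is under the user's or the phishing page's control. Registering two keys, as the tip suggests, simply means storing two credential public keys (and two independent sign counters) against the same account.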
Conclusion
This is a summary of this week’s cybersecurity news. Before you log out, take a moment to review your security practices—small steps can make a big difference. And don’t forget that cybersecurity isn’t just for the IT team; it is everyone’s duty. We’ll be back next week with more information and tips to help you stay ahead.
Take care and we’ll see you next Monday!