Hello readers!
In today's Inside Security, our premium content includes:
- SECURITY FUNDING: A summary of the latest security funding news
- PATCH WATCH: The latest patches from Apple, Google, IBM, Mozilla, and more.
On Thursday, don't miss my SECURITY TRENDS and PODCAST NOTES features for premium subscribers.
Don't miss out. If you'd like to read this premium content, Inside Security is offering a 14-day free trial, so you can sample the perks paid readers enjoy and see if you like it. To sign up for the trial, click here.
Stay safe!
|
Fred
|
|
|
|
|
Nearly two-thirds of C-level IT and security executives believe their organization is more likely to experience a data breach due to COVID-19, according to a HackerOne survey. At the same time, 30% of in-house security teams have been cut and a quarter has had their budgets reduced since March.
More from HackerOne:
- 36% of businesses have sped up digital initiatives to support remote work, which has created new vulnerabilities.
- Hackers have been able to find more than twice the number of vulnerabilities in 2020 than in 2019.
- Over $44.75M has been awarded in bug bounties over the past year.
- The average bounty paid for critical bugs increased to $3,650 in the past year, an 8% year-over-year jump.
HACKER ONE
|
|
PATCH WATCH:
Google fixed 10 security bugs in the latest stable channel update of Chrome (85.0.4183.121) for Windows, Mac, and Linux, including critical flaws that could enable an attacker to take control of a vulnerable system.
To receive the full list of security patches and receive this feature weekly, start your FREE 14-day trial of premium!
|
|
The Chinese state-controlled media is signaling that China opposes the TikTok deal announced over the weekend and initially endorsed by President Donald Trump. The media is calling the deal "an American trap" and a "dirty and underhanded trick." Part of the problem stems from the different understands of the deal by the Chinese and U.S. parties.
More:
- Oracle and Walmart said in a statement that they would have a combined 20% stake in the new company, called TikTok Global, and that U.S. investors would own a majority of the stock once the company holds an initial public offering within 12 months.
- TikTok's Chinese parent ByteDance said that it would retain 80% ownership of TikTok Global after the U.S. companies take a 20% stake.
- President Trump initially supported the deal, but then said he wouldn't support it if ByteDance did not sell all of its interest in TikTok Global.
- Also, Oracle, Walmart, and Trump all said that ByteDance had agreed to contribute $5B toward U.S. educational programs, something which ByteDance denies.
BLOOMBERG
|
|
A new ransomware group called OldGremlin is targeting large organizations in Russia. It employs a self-made backdoor called TinyNode, file encryption malware, and third-party software, such as Cobalt Strike for reconnaissance and lateral movement. Most of the group's victims are in Russia, including a large medical company that had its systems held for a $50K ransom, according to security firm Group IB.
More from Group IB:
- Since this spring, OldGremlin has carried out at least seven phishing campaigns.
- To trick victims, the group has impersonated a Russian self-regulatory organization, a Russian metallurgical holding company, a Belarusian tractor plant, a Russian dental clinic, and a Russian media holding company.
- OldGremlin appears to have broken an unspoken rule among Russian hackers that Russian targets are off-limits.
BLEEPING COMPUTER
|
|
Airbnb accounts can be hijacked through phone number recycling, creating a new account with a phone number that belonged to another customer. The bug was discovered by accident when the husband of a SecurityWeek reader created an Airbnb account and gained access to an account set up by a woman in North Carolina who previously had the same phone number.
More:
- Airbnb said that only a very small number of users are impacted by the flaw.
- Airbnb has a bug bounty program through HackerOne and has paid more than $1M in bounties so far.
- In 2018, the security risks of recycled phone numbers were highlighted in a study by security firm Detectify.
SECURITY WEEK
|
|
Microsoft has consolidated its extended defense and response (XDR) products under the Defender brand and split the product line into Microsoft 365 Defender for end-users and Azure Defender for cloud and hybrid infrastructure. The company's long-term plan is to unify its cybersecurity products under a simpler naming scheme so customers can better understand the range of its security products.
More from Microsoft:
- Microsoft Defender for Endpoint is available for all major platforms, including Android devices and a preview for iOS.
- Azure Defender has a new unified dashboard that provides visibility into security alerts and resources being monitored.
- Azure Defender has new protections for SQL on-premises, Azure Kubernetes, Azure Key Vault, and the Internet of Things (IoT).
- Azure Defender for IoT has expanded protections for industrial IoT, operational technology, and building management systems.
ZDNET
|
|
Attacks against U.S. manufacturers increased by 11% in the second quarter compared to the first quarter, according to stats from security firm Rapid7. Three-quarters of those attacks focused on small manufacturers. The most common types of cyberattacks were credential stuffing using valid accounts, deception, and exploiting bugs in third-party software.
More from Rapid7:
- After manufacturing, finance, retail, and healthcare were the most targeted industries in the second quarter.
- Account compromise made up 35% of attacks detected by Rapid7, followed by malware at 33.5%, trojans at 29%, remote access trojans at 11%, phishing at 7.6%, and bots at 6.8%.
- Rapid7 saw an increase in credential-based attacks on cloud services and virtual private networks and in spearphishing attacks on end-users in the second quarter.
DARK READING
|
|
Two "rogue employees" at Shopify tried to steal customer transaction records of some merchants, the Canadian e-commerce platform admitted this week. The company said it terminated the employees when it found out and has no evidence that the data was misused.
More from Shopify:
- The breach involved data of around 200 online merchants.
- Data that was exposed included email, name, address, and order details, but not payment card numbers or other financial data.
- Shopify is working with the FBI and other international law enforcement agencies to investigate the breach.
CTV NEWS
|
|
QUICK HITS:
- The U.S. government is warning that it has seen a surge in LokiBot data-stealing trojan attacks against enterprises.
- Europol said that an international sting operation has resulted in the arrest of 179 dark web vendors.
- The FBI and Cybersecurity and Infrastructure Security Agency (CISA) are cautioning that foreign hackers are likely to spread disinformation about the 2020 elections.
- The Trump administration plans to update its maritime cybersecurity strategy in the coming months.
- Brands see 18.5% of e-commerce revenue from SMS marketing. See 6 top SMS campaigns here.*
*This is sponsored content.
|
|
|