Hello Readers,
In today's SECURITY TRENDS, I explore how more companies that handle payment data are failing to comply with PCI DSS data security requirements. Meanwhile, my PODCAST NOTES feature today summarizes an interview with Caleb Barlow, CEO and president of CynergisTek, who discusses the dangers of ransomware attacks targeting hospitals.
Don't miss my weekly CISO CORNER feature, which includes exclusive interviews with CISOs, for premium subscribers. If you'd like to read this special content, Inside Security is offering a 14-day free trial. To sign up, click here.
Thank you for supporting Inside Security.
SECURITY TRENDS: PCI DSS compliance declines
Many organizations are not implementing basic security controls for payment cards, warned Verizon in its 2020 Payment Security Report.
In fact, compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to decline, the report found...
To read more, sign up for our 14-day free premium content trial!
Microsoft has beefed up protections against consent phishing, an application-based phishing attack, to Office 365. Microsoft is adding OAuth app publisher verification and app consent policies to Office 365.
More:
- In consent phishing, the victim is tricked into granting a malicious app access to sensitive data and other resources.
- The SANS Institute recently fell victim to a consent phishing attack that led to the theft of 28,000 records containing personal data.
- Microsoft is providing three updates to improve Office 365 app security: general availability of app publisher verification, user consent updates for unverified publishers, and general availability of app consent policies.
BLEEPING COMPUTER
The Securities and Exchange Commission (SEC) has reached a settlement with a trader who used hacked data from the SEC's EDGAR filing system to make millions of dollars on insider trading. The trader, Sungjin Cho, made 66 illegal stock trades under his own name using the stolen data and directed four stock trading accounts in his mother's name. The terms of the settlement were not disclosed.
More:
- Cho was one of six traders involved in a scheme to hack into EDGAR, an online system for submitting company documents to the SEC and using the information to make more than $4M for the traders.
- The scheme was masterminded by Ukrainian nationals Oleksandr Ieremenko and Artem Radchenko, who hacked into the EDGAR system.
- The U.S. State Department is offering up to $1M each for information leading to the arrests of Ieremenko and Radchenko.
- The traders used the information to make stock trades before the EDGAR filings were released to the public.
CYBERSCOOP
An APT group called MontysThree has been conducting cyberespionage campaigns against industrial targets since 2018, according to Kaspersky Lab researchers. MontysThree, which appears to be a Russian group, used a number of techniques to avoid detection, such as using the public cloud, encrypting communications, and hiding its malware using steganography.
More from Kaspersky:
- The attackers used malicious files with names related to employees’ phone lists, technical documentation, and medical test results to trick recipients into opening them.
- MontysThree searched for specific Microsoft Office and Adobe Acrobat documents stored in directories and removable media.
- Kaspersky said it found no similarities between MontysThree and known espionage campaigns at the level of code, infrastructure, or tactics, techniques, and procedures.
THREATPOST
A new botnet, called HEH, is targeting exposed Internet of Things devices with malware able to wipe all data from infected devices, warned 360Netlab researchers. The attackers are spreading the malware through brute-force attacks against servers, routers, and other internet-connected devices with exposed SSH ports 23/2323.
More from 360Netlab:
- The botnet is written in the Go language and uses a proprietary peer-to-peer protocol.
- The botnet's malware contains a self-destruct function, which wipes out everything on all disks through shell commands.
- The researchers found that the botnet's attack function has not been implemented, suggesting that it is still in development.
DARK READING
PODCAST NOTES:
Every Thursday, I summarize a podcast about cybersecurity so you can read it in about five minutes or less. This week features Caleb Barlow, CEO and president of CynergisTek, who spoke with Dave Bittner of Hacking Humans (#119) about the dangers of ransomware attacks targeting hospitals. [Note: Questions and answers were edited for brevity and clarity.]
Check out my recent Podcast Notes features with Rachel Tobac, CEO and co-founder of SocialProof Security, who examined the fall-out from the Twitter attack, and with Rich Stever, IT security auditor at Pivot Point Security, who spoke about optimizing your information security management system.
To read these Podcast Notes, as well as my Cyber Breach Monday, Patch Watch, Security Funding, By The Numbers, and Cybersecurity Masterclass features, please sign up for our 14-day free premium content trial today.
QUICK HITS:
- Bugs in Microsoft's Azure App Services could enable an attacker to take control of administrative servers.
- Cloud security startup Accurics has raised $20M in Seed and Series A funding rounds.
- The U.S. Department of Justice seized 92 Iranian domains that DoJ says were used for global disinformation campaigns.
- Hackers are hiding malware in bogus news reports about President Trump's COVID-19 infection.
- See how leading sales teams are solving their challenges of selling remotely.*
- Top executives from Netflix, Calm, T-Mobile, and Okta discuss identity access management. Don’t miss the event. Sign up here.*
*This is a sponsored post.
We're hiring! Check out our available positions:
Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as HealthITSecurity.com, FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.
Editor
Sheena Vasani is a journalist and UC Berkeley, Dev Bootcamp, and Thinkful alumna who writes Inside Dev and Inside NoCode.