Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
Crypto Breach Exposure Monitoring

"This is not white-hat hacking; it is extortion."

01 July 2024
BREACHAWARE HQ

A total of 22 breaches were found and analysed resulting in 20,007,669 leaked accounts containing a total of 25 different data types. The breaches found publicly and freely available included Russian Electronic School, Stealer Log 0470, piZap, USA Mobile Device Management Software (MDM) User Database and Ticketmaster. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

Kraken, the US-based crypto exchange, had a bad week. On June 19th its Chief Security Officer (CSO) announced on Twitter that the exchange's bug bounty programme had received a vague report from security researchers describing a bug that let them artificially inflate their account balances. The bug stemmed from a recent UX change that credited a deposit to an account before the deposit had actually completed, so the credited funds could be traded or withdrawn before the underlying transfer had cleared on-chain. The researchers used it to extract roughly $3 million from the exchange. Kraken's team found the bug within hours and resolved it the same day; no user information or client assets were compromised.

However, the researchers do not appear to have played fair. The CSO took to Twitter again, saying, “They demanded a call with their business development team and have not agreed to return any funds until we provide a speculated amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking; it is extortion.” The CSO said Kraken was referring the matter to law enforcement and treating it as theft. Last Wednesday, blockchain security firm CertiK identified itself as the researcher behind the disclosure and defended its actions. It claimed that the amount Kraken demanded be returned did not match what was actually extracted, which CertiK puts at just over 1 million dollars, and that Kraken gave it very little time to return the funds.

The online community has breathed a sigh of relief. The LockBit ransomware group posted on its dark-web leak site claiming a breach of the United States Federal Reserve. This raised eyebrows: there was no mention of any such breach in the news, and the Federal Reserve website was running as normal. When the leak countdown expired and the documents were published, the victim turned out not to be the Federal Reserve but Evolve Bank & Trust. Evolve's services remained operational throughout, although that says little about how sensitive the leaked data is. VX Underground summed up the event nicely: “We suspected the affiliate (who probably doesn't know English) saw a document that said 'United States Federal Reserve' and thought it was that.”

VULNERABILITY CHAT

In a significant supply chain attack, over 100,000 websites that loaded scripts from Polyfill.io, a popular JavaScript CDN service, were compromised. Earlier this year, a Chinese company called Funnull took over ownership of the polyfill.io domain. Following the takeover, the CDN began delivering malicious JavaScript to every site that embedded scripts from cdn.polyfill.io; the injected code redirected some mobile visitors to scam sites. Google has warned advertisers that their landing pages may be contaminated with malicious scripts as a result. Fastly and Cloudflare have set up safe mirrors of Polyfill to mitigate the issue; the practical fix for site owners is to remove the polyfill.io script tag altogether (modern browsers no longer need those polyfills) or to re-point it at a vetted mirror.
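As an added example (not BreachAware's code, nor anything from Polyfill, Fastly or Cloudflare), the following Python script audits HTML for script tags that load from polyfill.io or any of its subdomains, reports whether each external script carries a Subresource Integrity hash, and rewrites the offending tags to point at a mirror. The sample HTML is constructed, and the mirror base URL is an assumption to be replaced with whichever mirror the site owner has vetted. Note that SRI alone would not have prevented this incident: polyfill.io tailored its responses to the requesting browser's User-Agent, so no single hash could be pinned, which is why the only real fix is removing or re-pointing the tag.

```python
"""Audit HTML for scripts loaded from polyfill.io and rewrite them to a vetted mirror.

Added example for this page, not code from Polyfill, Fastly, Cloudflare or BreachAware.
Assumptions: SUSPECT_HOSTS covers the domain the article names (and subdomains such as
cdn.polyfill.io); MIRROR_BASE is a placeholder for whatever mirror the site owner vets.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPECT_HOSTS = ("polyfill.io",)                          # apex plus any subdomain
MIRROR_BASE = "https://cdnjs.cloudflare.com/polyfill/"   # assumed replacement base URL


def is_suspect_host(host):
    """True for polyfill.io itself or any subdomain of it (e.g. cdn.polyfill.io)."""
    if not host:
        return False
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


class ScriptFinder(HTMLParser):
    """Collect every <script src=...>, its host, and whether it carries an SRI hash."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lower-cases tag and attribute names
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return                   # inline script, not a third-party load
        host = urlsplit(src.strip()).hostname   # handles https://, // and relative paths
        self.scripts.append({
            "src": src,
            "host": host,
            "suspect": is_suspect_host(host),
            "has_sri": bool(a.get("integrity")),
        })


def audit(html):
    """Return a record for every external script in the document."""
    parser = ScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.scripts


def findings(html):
    """Only the scripts that load from a suspect host."""
    return [s for s in audit(html) if s["suspect"]]


def mirror_src(src, mirror_base=MIRROR_BASE):
    """Re-point a polyfill.io URL at the mirror, keeping path and feature query intact."""
    parts = urlsplit(src.strip())
    if not is_suspect_host(parts.hostname):
        return src
    new = mirror_base.rstrip("/") + "/" + parts.path.lstrip("/")
    return new + ("?" + parts.query if parts.query else "")


# src="..." or src='...' inside a <script> start tag (but not data-src=...)
_SRC_RE = re.compile(r"""(<script\b[^>]*?(?<![\w-])src\s*=\s*)(["'])([^"']+)\2""",
                     re.IGNORECASE)


def rewrite(html, mirror_base=MIRROR_BASE):
    """Rewrite every suspect script src in place; everything else is left untouched."""
    def repl(m):
        return m.group(1) + m.group(2) + mirror_src(m.group(3), mirror_base) + m.group(2)
    return _SRC_RE.sub(repl, html)


# Constructed sample page: two polyfill.io loads (one protocol-relative), one SRI-pinned
# third-party script with a placeholder hash, and one same-origin script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER_HASH_CONSTRUCTED_FOR_EXAMPLE" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for s in audit(SAMPLE_HTML):
        flag = "SUSPECT" if s["suspect"] else "ok"
        sri = "sri" if s["has_sri"] else "no-sri"
        print(f"{flag:8} {sri:7} {s['src']}")
    print(rewrite(SAMPLE_HTML))
```

Run it over exported templates or crawled pages; any third-party script without an `integrity` attribute is worth a second look even if it is not on the suspect list, since it is at the mercy of whoever controls that host next.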

Progress Software has released an advisory about a new vulnerability in its MOVEit Transfer product that has alarmed experts because it resembles the 2023 MOVEit flaw behind one of the largest data theft campaigns on record. A patch was released on June 11, and the company has been working with customers to apply it since then.

GitLab has released security patches for its Community Edition (CE) and Enterprise Edition (EE), addressing 14 vulnerabilities, including one critical and three high-severity flaws. The critical flaw, reported via GitLab’s bug bounty programme, was fixed by changing the workflow so that “a pipeline will not automatically run when a merge request is automatically re-targeted due to its previous target branch being merged.”

New joint guidance released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and partners warns of the widespread and costly prevalence of memory safety vulnerabilities in critical open-source projects. The report emphasises the urgent need for software manufacturers to adopt memory-safe programming practices, revealing that 52% of the analysed critical open-source projects contain code written in memory-unsafe languages, accounting for 55% of the total lines of code across those projects.

CISA has raised the alarm on threat actors exploiting known vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail. The GeoServer issue relates to its use of the Jiffle scripting language: Jiffle scripts are compiled into Java source via Janino and then executed, so a script that is not properly sanitised ends up being treated as Java code.
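The danger in that design is the step from user-supplied script to generated host-language source. The toy below, written for this page in Python rather than Java and not taken from GeoServer or Jiffle, shows the pattern on a made-up raster expression language over band names b1, b2 and b3: compile_naive splices the user's text into source and evaluates it, so a "script" can run arbitrary host code, while compile_safe parses the text first, accepts only arithmetic over the declared bands, and only then generates code. The band names, the grammar whitelist and the injection string are all constructed for the example.

```python
"""Why 'user script -> generated host-language source -> execute' needs a strict parser.

Toy added for this page; it is not GeoServer's or Jiffle's code and uses Python as the
host language instead of Java.  The raster expression language (arithmetic over band
names b1, b2, b3), the grammar whitelist and the injection string are all constructed.
"""
import ast

BANDS = ("b1", "b2", "b3")          # the only identifiers a script may reference

# A script that is valid arithmetic for both translators.
NDVI_LIKE = "(b1 - b2) / (b1 + b2)"
# A 'script' that is really host-language code.  The naive translator runs it.
INJECTION = "__import__('os').getpid()"


# ---- before: splice the script text into generated source and evaluate it -------------
def compile_naive(expr):
    """Deliberately unsafe: the user's text becomes part of the generated lambda."""
    source = f"lambda {', '.join(BANDS)}: {expr}"
    return eval(source)  # anything expressible in the host language runs here


# ---- after: parse first, accept only the grammar we mean to offer, then generate -------
class UnsafeScript(ValueError):
    """Raised when a script uses anything outside the whitelisted grammar."""


_BINARY = (ast.Add, ast.Sub, ast.Mult, ast.Div)     # no Pow: avoids trivial CPU exhaustion
_UNARY = (ast.USub, ast.UAdd)


def _check(node):
    """Walk the AST and reject every node that is not plain arithmetic over BANDS."""
    if isinstance(node, ast.Expression):
        _check(node.body)
    elif isinstance(node, ast.BinOp) and isinstance(node.op, _BINARY):
        _check(node.left)
        _check(node.right)
    elif isinstance(node, ast.UnaryOp) and isinstance(node.op, _UNARY):
        _check(node.operand)
    elif (isinstance(node, ast.Constant)
          and isinstance(node.value, (int, float))
          and not isinstance(node.value, bool)):
        pass                                   # numeric literal
    elif isinstance(node, ast.Name) and node.id in BANDS:
        pass                                   # declared band
    else:
        raise UnsafeScript(f"disallowed construct: {type(node).__name__}")


def compile_safe(expr):
    """Parse, validate, and only then turn the script into executable code."""
    tree = ast.parse(expr, mode="eval")        # SyntaxError for anything not an expression
    _check(tree)
    code = compile(tree, "<raster-script>", "eval")

    def run(*values):
        # Only validated code reaches here; builtins are removed as defence in depth.
        return eval(code, {"__builtins__": {}}, dict(zip(BANDS, values)))

    return run


def is_rejected(expr):
    """True if the hardened translator refuses the script."""
    try:
        compile_safe(expr)
    except (UnsafeScript, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("naive   :", compile_naive(NDVI_LIKE)(3, 1, 0))
    print("safe    :", compile_safe(NDVI_LIKE)(3, 1, 0))
    print("naive injected, returned:", type(compile_naive(INJECTION)(0, 0, 0)).__name__)
    print("safe rejects injection  :", is_rejected(INJECTION))
```

When reviewing any DSL, template engine or query builder that emits source for a real compiler, the thing to look for is the string concatenation in compile_naive: if user text reaches the generated source without first passing through a parser that only accepts the intended grammar, the "script" is effectively the host language.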

A new firmware update for Apple's AirPods addresses a Bluetooth authentication bug. According to the security content published on Apple's website, an attacker within Bluetooth range could spoof a previously paired source device and connect to the headphones. The release notes for firmware versions 6A326 (AirPods) and 6F8 (AirPods Pro and Beats) mention only "bug fixes and other improvements", but the security content specifically lists this flaw.

Three CVEs (Common Vulnerabilities and Exposures) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including the Roundcube Webmail flaw noted above. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 544 vulnerabilities last week, bringing the 2024 total to 20,436. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

A recent survey by identity and access management provider Okta reveals a broadly positive, if mixed, view of AI among technology-focused executives globally. The survey found that 46% of executives feel both concern and excitement about AI becoming more integrated into daily life, while 44% are more excited than concerned. Taken together, the figures suggest executives see real potential benefits in AI despite their concerns.

The House Energy and Commerce Committee abruptly canceled a hearing to discuss the American Privacy Rights Act (APRA) on Thursday. The bill, which has faced significant criticism from civil rights and privacy advocates, reportedly also faces opposition from Republican leadership, contributing to the hearing's cancellation.

George Zhao, CEO of Chinese smartphone company Honor, emphasised the importance of data security in AI during an exclusive interview with CNBC. Zhao stated that AI is "worthless" without proper user data protection and highlighted that Honor adheres to principles ensuring user data remains on the device.

Posidex Technologies has introduced a new Privacy Enhancing Technology (PET) designed to facilitate secure data collaboration between entities such as financial institutions and government departments. The technology, developed by co-founders Bhavani Shanker Chittor, K. Venkat Reddy, and G. Venugopal Rao, uses an algorithm to convert plain text data into "Vectorised, Anonymised, Randomised, Encrypted Tokens" (VARE Tokens). These tokens enable AI/ML models to perform data comparison while ensuring privacy and compliance with data localisation norms.

Breach Exposure Monitoring | Dark Web Monitoring + Surface Web Monitoring
Scan Any Domain for Free https://breachaware.com/scan

DATA CATEGORIES DISCOVERED

Contact Data, Technical Data, Locational Data, Transactional Data, Financial Data, Socio-Demographic Data, Usage Data, Documentary Data, Social Relationships Data.
