SEC cyber disclosures delayed in several cases
The SEC requires companies to disclose material breaches within four business days, but the government can request delays for national security or public safety reasons. The WSJ reported that the government has delayed the public disclosure of cyber incidents several times since the rules came into effect in December 2023.
TikTok zero-day
Hackers have exploited what has been described as a ‘zero-day’ to hijack the TikTok accounts of high-profile individuals and organizations. Details are scarce, but it has been reported that opening a malicious DM was enough to trigger the exploit. TikTok claims to have patched the vulnerability following attacks on the accounts of CNN, Paris Hilton, Sony, and others, but has refused to share any technical information on the incident.
Shell impacted by data breach at third party
Oil and gas giant Shell recently launched an investigation into a cybersecurity incident and determined that some data was obtained from a third party that provides anonymous mystery shopping services. Shell systems were not affected, the company said.
OmniIndex launches AI threat intelligence tool for fully encrypted log files
OmniIndex has launched LoggerBC, a solution that uses AI to find threats and vulnerabilities within logs that are protected by homomorphic encryption. The logs are also stored in a private blockchain for additional protection.
Azure vulnerability leads to firewall rules bypass
Tenable warns of a vulnerability in Azure affecting users that rely on Azure Service Tags for firewall rules. Several Azure services let users craft web requests that the service then issues on the server side. The identified issue allows attackers to control those requests and impersonate Azure services, bypassing network controls that rely on Service Tags and reaching internal APIs.
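As an added defender-side check (not code from the article or from Tenable): scan Azure NSG rules, in the ARM securityRules JSON shape, for inbound Allow rules whose source is a Service Tag rather than an explicit address range, since such rules trust network origin alone and need an authentication layer behind them. The sample rules and rule names are constructed.

```python
import ipaddress

# Constructed sample NSG rules in the ARM "securityRules" shape (not real data).
SAMPLE_RULES = [
    {"name": "allow-devops-agents", "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "AzureDevOps", "destinationPortRange": "443"}},
    {"name": "allow-office-cidr", "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}},
    {"name": "deny-all-inbound", "properties": {
        "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
    {"name": "allow-cloud-outbound", "properties": {
        "direction": "Outbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationPortRange": "443",
        "destinationAddressPrefix": "AzureCloud"}},
]


def is_service_tag(prefix):
    """A source that is neither '*' nor a literal IP/CIDR is a Service Tag name."""
    if prefix == "*":
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
        return False
    except ValueError:
        return True


def find_tag_only_rules(rules):
    """Return (name, tags, port) for inbound Allow rules gated only by a Service Tag.

    These rules admit any traffic that can be made to originate from the tagged
    Azure service, so the destination must enforce its own authentication.
    """
    findings = []
    for rule in rules:
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        # NSG rules carry either a single prefix or a list of prefixes.
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
        tags = [s for s in sources if is_service_tag(s)]
        if tags:
            findings.append((rule["name"], tags, p.get("destinationPortRange", "*")))
    return findings


if __name__ == "__main__":
    for name, tags, port in find_tag_only_rules(SAMPLE_RULES):
        print(f"{name}: inbound port {port} allowed from Service Tag(s) {tags}")
```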
$305 million in crypto stolen from DMM Bitcoin
Japanese cryptocurrency exchange DMM Bitcoin fell victim to a cyberattack that resulted in the theft of over $300 million in assets, making this the eighth largest crypto heist in recent history.
Cyberattack hits Germany’s main opposition party
One week ahead of elections across the European Union, the Christian Democratic Union (CDU), the leading opposition party in Germany, fell victim to a serious cyberattack likely perpetrated by a “professional threat actor”. The party took parts of its network offline to contain the incident and prevent “further damage”, which suggests ransomware might have been involved.
Leaked Google database reveals privacy incidents
A leaked internal Google database reportedly shows how the internet giant erroneously collected children's voice data, leaked information on car pool users, and used deleted search histories to make YouTube recommendations. Most of these mishaps, along with other employee-reported privacy incidents the leak reportedly revealed, were never publicly disclosed.
Address bar spoofing flaws in mobile browsers
RedSecLabs shared information on address bar spoofing vulnerabilities identified in the mobile versions of the Safari, Microsoft Edge, and DuckDuckGo browsers. RedSecLabs' proof-of-concept (PoC) code shows how constant reloading can mislead the user about the legitimacy of the visited URL. Apple released patches for the issue in October 2023.
Vulnerability in RISC-V open source chip architecture
A major vulnerability in the open source RISC-V chip architecture, identified by Chinese researchers, could allow attackers to bypass security protections and steal sensitive information. First reported by China's CNCERT in April, the security defect was reportedly confirmed in late May by academics at China's Northwestern Polytechnical University.
Security of 100 free Android VPN apps tested
Top10VPN has tested 100 of the most popular free VPN applications available in the Google Play store and found significant issues. The identified security and privacy problems include encryption issues, leaks, tunnel instability, risky permissions, third-party tracking and data collection, and malware.