Table of Contents

  1. Vulnerabilities
    1. Critical vulnerability in Drupal core
  2. Apple
    1. Apple security bounty
  3. Facebook
    1. 267M Facebook users IDs and phone numbers exposed online
    2. Facebook Won't Use 2FA Numbers To Suggest Friends Anymore
  4. Crime
    1. SSD with data from Jugendamt sold on ebay
    2. Lithuanian Jailed for Stealing $120 Million From Google, Facebook
    3. Bad Homburg goes offline
    4. Nexus Mods Game Modding Site Discloses Data Breach
    5. Ring Throws Customers Under the Bus After Data Breach
    6. Former IT Employee Jailed for Taking Down Airline Systems
    7. Fake Star Wars Streaming Sites Steal Fans’ Credit Cards
    8. Catholic university in Freiburg has gone offline
  5. Malware
    1. Exploit Kit Starts Pushing Malware Via Fake Adult Sites
    2. Emotet Malware Uses Greta Thunberg Demonstration Invites as Lure

Vulnerabilities

Critical vulnerability in Drupal core

The Drupal project uses the third-party library ArchiveTar, which has released a security update that impacts some Drupal configurations. The security advisory doesn't give many details about the issue, which probably means that arbitrary code execution is possible.

Apple

Apple security bounty

Apple has finally opened its security bug bounty program to the public, with a minimum payout of $5k and a maximum of $1m for a zero-click remote chain with full kernel execution. The program was previously invite-only.

Facebook

267M Facebook users IDs and phone numbers exposed online

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. The data once again comes from an Elasticsearch cluster. It most probably originated from an illegal scraping operation against the Facebook API by criminals in Vietnam before Facebook restricted data access. This isn’t the first time such a database has been exposed: in September 2019, 419 million records across several databases were exposed.

Facebook Won't Use 2FA Numbers To Suggest Friends Anymore

Facebook won’t use the phone numbers some users give it for two-factor authentication for its “people you may know” feature, according to Reuters. The social network tells Reuters the move is “part of a wide-ranging overhaul of its privacy practices.” It previously used phone numbers to serve ads too but says it stopped doing that in June.

Crime

SSD with data from Jugendamt sold on ebay

The Heise team was contacted by a person who received a used SSD instead of the new one he had ordered on ebay. The drive contained sensitive government data. An investigation is still ongoing.

Lithuanian Jailed for Stealing $120 Million From Google, Facebook

A Lithuanian man was sentenced to five years in prison after tricking Google and Facebook employees into wiring over $120 million into bank accounts he controlled, as part of several business email compromise (BEC) fraud attacks spanning from 2013 to 2015.

Bad Homburg goes offline

Another German city has suffered an attack. Unlike in the Frankfurt attack, the telephone system was also affected and is currently offline. Frankfurt, meanwhile, has already recovered.

Nexus Mods Game Modding Site Discloses Data Breach

The popular game modification site Nexus Mods has announced a security incident that may have exposed the registration information for its users. Nexus Mods is a site where users can download modifications for games such as Skyrim, Fallout, Witcher, Dragon Age, and many more.

Ring Throws Customers Under the Bus After Data Breach

Just a week after hackers broke into a Ring camera in a child’s bedroom, taunting the child and sparking serious concerns about the company’s security practices, Buzzfeed News is reporting that over 3,600 Ring owners’ email addresses, passwords, camera locations, and camera names were dumped online. This includes cameras recording private spaces inside homes. Ring denies that it has been compromised; most probably the dump is simply the result of credential reuse, with attackers having compiled a list of username:password combinations that are valid on Ring.
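One way a site operator could spot the pattern the article describes, a list of reused credentials being replayed against the login endpoint, in its own authentication logs. This is an added example, not Ring's code or anything from the article; the log format, IP addresses, usernames and thresholds are constructed for illustration:

```python
"""Flag credential-stuffing sources in login logs and list the accounts they opened.

Constructed example (not from the article or from Ring). A replayed credential
list typically shows one source IP trying many *different* usernames with a low
success rate; a password-guessing attack on a single account looks different
(one username, many attempts), so the two are kept apart here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines, format: "<source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
198.51.100.7 alice FAIL
198.51.100.7 bob FAIL
198.51.100.7 carol OK
198.51.100.7 dave FAIL
198.51.100.7 erin FAIL
198.51.100.7 frank FAIL
198.51.100.7 grace OK
203.0.113.9 alice FAIL
203.0.113.9 alice FAIL
203.0.113.9 alice OK
192.0.2.44 bob OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while reading the log."""
    users: set = field(default_factory=set)            # distinct usernames tried
    succeeded_users: set = field(default_factory=set)  # usernames that logged in
    attempts: int = 0
    successes: int = 0


def parse_log(text):
    """Build per-IP statistics from log text; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, user, result = parts
        s = stats[ip]
        s.users.add(user)
        s.attempts += 1
        if result == "OK":
            s.successes += 1
            s.succeeded_users.add(user)
    return stats


def flag_stuffing_sources(stats, min_users=5, max_success_rate=0.5):
    """Return source IPs whose pattern resembles a replayed credential list:
    at least `min_users` distinct usernames and a success rate at or below
    `max_success_rate` (thresholds are illustrative; tune to your traffic)."""
    flagged = []
    for ip, s in stats.items():
        rate = s.successes / s.attempts
        if len(s.users) >= min_users and rate <= max_success_rate:
            flagged.append(ip)
    return sorted(flagged)


def compromised_accounts(stats):
    """Usernames that authenticated successfully from a flagged source.
    These are the accounts whose reused password worked and that should
    be forced through a password reset and notified."""
    accounts = set()
    for ip in flag_stuffing_sources(stats):
        accounts |= stats[ip].succeeded_users
    return accounts


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    print("stuffing sources:", flag_stuffing_sources(stats))
    print("accounts to reset:", sorted(compromised_accounts(stats)))
```

In the constructed sample, 198.51.100.7 tries seven different usernames and succeeds twice, so it is flagged and the two accounts it opened (carol, grace) are the ones to reset; 203.0.113.9 hammers a single account and is left to a separate brute-force rule, and 192.0.2.44 is an ordinary login.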

Former IT Employee Jailed for Taking Down Airline Systems

Scott Burns, a former employee of the information and communications technology (ICT) provider Blue Chip, was sentenced to 10 months in prison for taking down the computers of the British airline Jet2.com Limited (aka Jet2) for over 12 hours. Chat records found on his phone show Burns saying he is “finally sick and tired of BC/Jet2” and describing leaving Blue Chip as “freeeedom”. On the same phone, he had looked up the prison sentence for network intrusion in the UK on Google. During the interview, Burns admitted that he had illegally accessed the CEO’s inbox “once or twice” to see if anything was being said about the incident – or to see if the company had any evidence of his involvement in the attacks.

Fake Star Wars Streaming Sites Steal Fans’ Credit Cards

Attackers are actively exploiting the hype around the new Star Wars: The Rise of Skywalker movie as bait to lure potential victims onto fake streaming sites and steal their credit card data. "Kaspersky researchers found over 30 fraudulent websites and social media profiles disguised as official movie accounts (the actual number of these sites may be much higher) that supposedly distribute free copies of the latest film in the franchise," a press release published today says.

Catholic university in Freiburg has gone offline

The Catholic University of Freiburg im Breisgau (Katholische Hochschule Freiburg) switched off its entire network last Tuesday, and all employees were sent on vacation. According to a Facebook post on Wednesday morning, this step affects "all university IT services, portals, platforms, networks and communication options". Emotet is suspected to be behind the attack.

Malware

Exploit Kit Starts Pushing Malware Via Fake Adult Sites

The Spelevo exploit kit's operators have recently added a new infection vector to their attacks, attempting to social-engineer potential targets into downloading and executing additional malware payloads from decoy adult sites.

Emotet Malware Uses Greta Thunberg Demonstration Invites as Lure

Emotet has started a new spam campaign that banks on the popularity of environmental activist Greta Thunberg and her dedication to the climate movement. Unsuspecting users who think they are getting information about an upcoming "climate crisis" demonstration will instead find that they have become infected with Emotet and other malware.