The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Trying to help. Apple’s new feature to combat child sexual abuse imagery faces criticism.
- Plaid’s privacy problems. Fintech firm settles for USD 58 million over data privacy violations.
- AllWorld.Cards. One million credit cards have been leaked for free on an underground card shop.
- Home routers hijacked. Attackers exploit authentication-bypass vulnerability in home routers.
- Crypto heist. Hackers steal USD 600 million in cryptocurrency from a decentralised finance provider.
- Patch Tuesday – the calm after the storm. Only 44 vulnerabilities are addressed in this month’s Microsoft Patch Tuesday.
Apple criticised for new feature
Apple’s new iOS 15 feature to combat child sexual abuse imagery has been criticised as an invasion of privacy. Critics also argue it could be abused by authoritarian governments as a new form of surveillance – Apple disputes this, maintaining that the feature preserves user privacy.
The new control will use hash technology to compare photos on the device with known images of child sexual abuse. However, Apple will only interpret a photo as an image if it is a match and is subsequently uploaded to iCloud. Once a single account receives a certain number of matches, it will be reviewed by Apple.
SO WHAT? This new system seems to contradict Apple’s long-standing reputation as a proponent of user privacy. However, the method through which it works, using hash technology, is actually less invasive than many of the existing measures to combat child sexual abuse imagery used by other email and cloud storage platforms.
Plaid agrees to pay USD 58 million for data privacy violations
Fintech company Plaid reached a USD 58 million settlement with plaintiffs who alleged it used their banking information without their consent. Additionally, Plaid was ordered to improve its data security and processing practices.
The fintech company connects users’ bank accounts to online trading platforms such as Robinhood. Amongst other things, the plaintiffs alleged that Plaid harvested and sold users’ banking transaction histories, a claim the company denies.
SO WHAT? Data protection laws and regulations have become increasingly onerous for organisations. It is important that companies are aware of and comply with their obligations and responsibilities, or they risk facing large fines and/or lawsuits.
One million credit cards leaked on an underground card shop
One million credit cards have been leaked for free by a representative of AllWorld.Cards, an underground card shop. The leak was advertised on numerous underground forums including XSS and Club2crd.
The leak contains credit card numbers, expiration dates, CVVs, names, countries, addresses, zip codes, and contact information. The affected cards were stolen between 2018 and 2019. Some researchers assess that as many as 50% of the leaked cards may still be valid.
SO WHAT? AllWorld.Cards appeared in May 2021, just three months after Joker’s Stash (formerly the largest stolen credit card marketplace) shut down. Leaking these credit cards for free is likely an attempt to attract customers as AllWorld.Cards looks to replace Joker’s Stash as a leading carding market.
Authentication-bypass vulnerability places millions of home routers at risk
Attackers are actively exploiting an authentication-bypass bug that could affect millions of home routers. The security flaw affects routers from firmware provider Arcadyan.
Attackers are exploiting the bug to add hijacked routers to a Mirai-variant botnet. This botnet has previously been leveraged to launch distributed denial of service (DDoS) attacks on network devices affected by critical security vulnerabilities.
SO WHAT? Ensure you have updated your router’s firmware to the latest version.
Cryptocurrency heist secures millions for hackers
Hackers managed to steal over USD 600 million worth of cryptocurrency from user accounts on Poly Network, a decentralised finance provider. After a public outcry, and a security firm reportedly identifying them, the attackers have since returned over half of the stolen funds to Poly Network.
SO WHAT? Cryptocurrency stored with an exchange or broker could be stolen if an attacker is able to compromise their systems. For extra security, consider using hardware wallets kept offline to protect your digital assets.
Relative to last month, 63% fewer vulnerabilities were addressed in this month’s Patch Tuesday. Of the 44 vulnerabilities, seven are rated critical, one of which is being actively exploited in the wild.
Affected software includes Microsoft Windows and various Windows components, Office, .NET Core and Visual Studio, Windows Defender, and Windows Update, among others.
SO WHAT? Find further detail on the patches on Microsoft’s website.