Millions of Android users’ data exposed due to cloud authentication failures
A report issued by researchers at Check Point reveals serious cloud misconfigurations which have potentially exposed data belonging to over 100 million Android app users. The report indicates that the 23 popular Android apps examined, including a taxi app, logo maker, screen recorder, fax service, and astrology software, leaked data including email records, chat messages, location information, user IDs, passwords, and images. In 13 instances, sensitive data was publicly available in unsecured cloud configurations, with the apps involved accounting for between 10,000 and 10 million downloads each. The report notes that the security failures are a result of developers failing to follow “best practices when configuring and integrating third party cloud services into their applications.”
UK regulator fines AmEx for spamming violations
American Express has been fined £90,000 by Britain’s Information Commissioner’s Office (ICO) for spamming customers with 50 million unwanted emails after they’d opted out of its email marketing program. In an attempt to justify its actions, AmEx claimed the spam was internally classified as service messages instead of marketing. ICO head of investigations Andy Curry stated, “This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.”
Russian hacker sentenced to 5 years for $1.5 million tax fraud
The DOJ reported that a Russian national, Anton Bogdanov, was sentenced to five years in prison for attempting to steal $1.5 million by hacking into tax preparation firms. The 35-year-old Russian, known online as “Kusok,” participated in a scheme between June 2014 and November 2016 that included stealing personal information to alter tax returns. The tax refunds were then directed to pre-paid credit cards, which were cashed out in the U.S. and wired to Bogdanov in Russia. Bogdanov was arrested in Bangkok in 2018 while on vacation and extradited to the U.S., where he pleaded guilty back in January of this year.
Threat actors leveraging Google and Microsoft cloud to proliferate phishing operations
A report issued earlier this week by Proofpoint shows that, in the first quarter of 2021, a whopping 52 million malicious emails were discovered in popular cloud services including Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase storage. The report indicates that the volume of malicious messages found in these cloud services exceeds that of any botnet in 2020. The report also shows that 95% of organizations were targeted by a cloud account attack in the past year, with over half of them being victimized by at least one compromise. The report then notes that email has reclaimed its status as the top threat vector for ransomware and asserts that “the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders.”
Watering hole attack targeted Florida water utilities
An investigation performed in the wake of the attack earlier this year that attempted to poison the water at a treatment plant in Oldsmar, Florida, has uncovered malicious code, hosted on a construction contractor’s website, that appears to target water utilities. The malicious code, part of what is known as a watering hole attack, was planted on the site through a vulnerable WordPress plugin and then exfiltrated computer fingerprint data to a Heroku app site database. While the attack is not thought to be directly linked to the Oldsmar incident, Dragos researcher Kent Backman stated that it represents “an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments.”
Israel launches bomb strikes on Hamas cyber operations
Over the past week, the Israeli Defense Forces (IDF) launched two separate bomb strikes against Hamas cyber operations sites. The IDF indicated that the latter of the two airstrikes, which occurred on Thursday May 19th, struck an apartment which was “used by the terror operatives for offensive cyber activity against Israeli targets.” Shortly before the bombings, IDF officials asked Gaza Strip residents and business owners to turn off security cameras, claiming that they could be leveraged by Hamas to spy on residents or Israeli troops. The IDF carried out a similar operation in May 2019 against what it believed to be the Hamas cyber unit’s headquarters.
May Android security updates patch 4 zero-days exploited in the wild
Google’s Project Zero team reported this week that four Android security vulnerabilities were exploited in the wild as zero-day bugs before being patched earlier this month. The vulnerabilities impact Qualcomm and ARM Mali GPU components and could be exploited by attackers to remotely execute arbitrary malicious code as part of privileged processes. Qualcomm and ARM have published vulnerability details via separate security advisories, and Android users are encouraged to install this month’s security updates as soon as possible. Unfortunately, Android users on older devices might not be able to install these patches. Refer to the May 2021 Android Security Bulletin for more details.
Google Chrome Makes It Easier to Update Compromised Passwords
Earlier this week, Google announced that it is launching a new Chrome feature which will alert a user when one of their passwords is compromised and help them automatically update to a new one. The new feature will leverage Google’s somewhat controversial Duplex technology, first introduced back in 2018, which could perform automated tasks such as calling businesses and scheduling appointments. The new feature will soon begin rolling out to Chrome and Android users in the U.S. and will initially be compatible with a limited number of applications, including Twitter.
TikTok releases features to help combat online abuse
On Thursday, TikTok introduced new features that will allow creators to bulk delete and report comments as well as block users. While the new capabilities are intended to help better protect against online harassment, they could also be used by creators to make their persona appear to be more favorable. The new features will allow users to select and delete or report up to 100 comments or accounts, as opposed to having to go through them one by one. According to TikTok, the new feature will first be rolled out to select areas of Europe, the Middle East, and Asia, and will continue to expand to other markets, including the U.S., in the coming weeks.