DOD announces expansion of bug bounty program

On Wednesday, the Department of Defense announced plans to expand its “Hack the Pentagon” program, which offers bug bounties to ethical hackers who find vulnerabilities in DOD systems. The program, originally launched in 2016, only allowed testing against a limited set of systems, now permits cyber professionals to test all publicly-accessible DOD systems including, networks, IOT devices and industrial control systems. The Director of the Defense Digital Service, Brett Goldstein, stated, “This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DOD.”

(CyberScoop)

Data leak uncovers Amazon product review scam

An online elastic search server has leaked the identities of more than 200,000 users and marketplace vendors involved in an Amazon fake product review scam. Customers who appear to have been enticed into leaving positive product reviews in exchange for payment, had details including their names, email addresses, and PayPal and Amazon account details exposed. The unsecured server was discovered and secured back in March but it remains unclear who owns it.  An Amazon spokesperson stated, “We want Amazon customers to shop with confidence knowing that the reviews they read are authentic and relevant,”

(ZDNet)

DHS to embark on historic hiring initiative

The Department of Homeland Security kicked off its latest hiring sprint on Wednesday, aiming to increase diversity while bolstering the U.S. government’s cyber defenses.  DHS Secretary Alejandro Mayorkas stated, “We’re extraordinarily energetic about this effort and we intend to execute the most significant hiring initiative the Department of Homeland Security has undertaken in its history,.” While Mayorkas did not provide further details, It is anticipated that the bulk of the new staff will be allocated to CISA, who has recently been called upon by the government to play an expanded role defending against cyber crime in the wake of the Solar Winds attack.   

(The Record)

New phishing campaign ditches links and files to avoid detection

Hackers have recently launched two related phishing campaigns which have taken unusual measures to coerce its victims into self-infecting. Cofense has reported that, instead of sending links or files attachments, bad actors have sent users instructions for accessing malicious sites or provided phone numbers to fake representatives who give those same instructions. Once connected to the site, the user’s computer is infected with the BazarBackdoor malware. Ironscales CEO Eyal Benishti stated that threat actors, “know that companies are better protected against malware and have better threat intel capabilities, but that the human link is still a weak link.”

(SC Media)

Thanks to our episode sponsor, Boxcryptor

We think CISOs also have a right to sleep peacefully at night. Therefore, we recommend encrypting your sensitive business data for an extra layer of protection. Now in its 10th year, Boxcryptor offers strong end-to-end encryption for more than 30 cloud providers, NAS, file servers, and local data to organizations of all sizes. Start your free trial now at Boxcryptor.com.

Panda Stealer embedded in Excel files to swipe crypto currency 

Trend Micro reported this week that the Panda Stealer malware has been targeting victims in the U.S., Australia, Japan, and Germany. The attacks, which started off as phishing emails, use Excel files to hide or execute Panda Stealer which then attempts to detect cryptocurrency keys for Ethereum, Litecoin, Bytecoin, and Dash. The malware is also capable of taking screenshots, exfiltrating system data, and stealing browser cookies and credentials. Trend Micro indicates that the cyber criminals responsible have not been identified, but that the malware’s virtual private server has been located and shut down.

(ZDNet)

Recycled phone numbers pose security threats

Researchers at Princeton University have discovered several issues associated with recycled phone numbers. The study, which analyzed phones newly assigned to T-Mobile and Verizon Wireless subscribers, found that 66% of those phones were still linked to their previous owners online. Using online interfaces offered by the two carriers, attackers could identify recycled numbers, purchase them before a number change is confirmed and takeover the associated account. While both Verizon and T-Mobile have made related updates to notices on their support pages, both carriers have yet to take measures that would prevent such attacks from occurring.

(The Hacker News)

Qualcomm chip flaw could allow hackers to spy on Android users

Details have been released about a bug in Qualcomm’s MSM chip that could allow bad actors to insert malicious code into Android phones. Researchers from Check Point have stated that attackers could utilize the exploit to gain access to text messages and audio of phone conversations. An estimated 30% of all smartphones are equipped with the vulnerable MSM chip. Qualcomm has stated that it plans to include information about the bug in Android’s June public bulletin and encourages users to update their devices as patches become available.

(The Hacker News)

Google announces plan to automatically enable 2SV

Google announced on Thursday, which was World Password Day, that it would automatically enroll some accounts in two-step verification, referred to as “2SV.” While 2SV has been an optional feature for years, Google has indicated that users who have their phones appropriately configured will soon be automatically enrolled. A representative at Google clarified that “appropriately configured” refers to devices which have added recovery information, such as email addresses or phone numbers, to their Google accounts. Users can check the status of their accounts through Google’s Security Checkup feature.

(SecurityWeek)