Cyber Security Headlines: NortonLifeLock password breach, Canadian liquor hack, severe jsonwebtoken flaw

NortonLifeLock warns that hackers breached Password Manager accounts

Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms. The notice explains that around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts. For customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults.

(Bleeping Computer)

Hacker steals credit card info from Canada’s largest alcohol retailer

The Liquor Control Board of Ontario (LCBO), Canada’s largest beverage alcohol retailer, has disclosed a Magecart attack that occurred on January 10. According to their statement, customers who made payments through the LCBO website between January 5 and 10 may have had their information compromised, including names, email and mailing addresses, air travel loyalty card numbers, account passwords, and credit card information. The company pointed out that the security breach did not impact users who placed orders through the retailer’s mobile app or its specialty website.

(Security Affairs)

Severe security flaw found in “jsonwebtoken” library

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. Palo Alto Networks Unit 42 researcher Artur Oleyarsh confirmed that “remote code execution (RCE) could occur on a server verifying a maliciously crafted JSON web token (JWT) request.” Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue impacts all versions of the library up to and including 8.5.1, and has been addressed in version 9.0.0, shipped on December 21, 2022. The flaw was reported by the cybersecurity company on July 13, 2022.

(The Hacker News)

Cacti servers under attack as majority fail to patch critical vulnerability

A majority of internet-exposed Cacti servers has not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild. That’s according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue in question relates to CVE-2022-46169 (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution.

(The Hacker News)

Thanks to this week’s episode sponsor, Cerby

Did you know that over 60% of the cloud applications used by your company don’t support identity standards like single sign-on? And that these applications are the leading cause of breaches? Cerby can help. Cerby discovers new applications, eliminates manual security tasks like offboarding, and addresses misconfigurations like disabled 2FA while increasing employee productivity. Wait. A security tool that increases productivity? Yup. Learn more at

Cisco warns of two vulnerabilities affecting end-of-life routers

Cisco warned customers last week that it will not release software updates or workarounds to address two vulnerabilities affecting a line of routers that were last sold in 2020. Cisco Small Business router models RV016, RV042, RV042G and RV082 are affected by two vulnerabilities, CVE-2023-20025 and CVE-2023-20026, rated 9 and 6 respectively. The bugs allow a remote attacker to “bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.” Cisco added that the vulnerabilities are not dependent on one another.

(The Record)

Twitter’s laid-off workers cannot pursue claims via class-action lawsuit

Twitter has secured a ruling that will force several laid-off workers who are suing over their termination to pursue their claims via individual arbitration rather than a class-action lawsuit. U.S. District Judge James Donato on Friday ruled against five former Twitter employees who are accusing the company of failing to give adequate notice before laying them off after its acquisition by Elon Musk.
Europol takes down call centers that scammed people out of €2 million

International police have arrested scammers selling fake cryptocurrency in Europe, Australia, and Canada, Europol announced Thursday. Through a cross-border investigation launched in June 2022, police arrested 14 suspects in Serbia and one in Germany. More than 260 other suspects, including people in Bulgaria and Cyprus, have been questioned and some are awaiting prosecution. The criminal network consisted of a number of groups operating from at least four call centers in Bulgaria, Cyprus, and Serbia. The police searched these locations and seized three digital wallets with about $1 million in cryptocurrencies, about €50,000 ($54,000) in cash, three cars, computers, and documents. The victims, mainly from Germany, lost over €2 million in an online investment campaign similar to a Ponzi scam.

(The Record)

Last week in ransomware

LockBit took center stage in the ransomware news last week with its attack on the UK’s Royal Mail, which is considered critical infrastructure in the country. The ransomware attack encrypted the computers used to print the customs dockets required for international shipping. Vice Society claimed responsibility for the ransomware attack on Fire Rescue Victoria in Australia. The Cuba ransomware operation has been exploiting the Microsoft Exchange OWASSRF flaw, and as a result CISA now requires federal agencies to patch this flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.

(Bleeping Computer)