Cyber Security Headlines: NortonLifeLock password breach, Canadian liquor hack, severe jsonwebtoken flaw

NortonLifeLock warns that hackers breached Password Manager accounts

Gen Digital (formerly known as Symantec) is sending data breach notifications to customers following a breach of Norton Password Manager accounts. Hackers used credential stuffing in these attacks. Per a letter shared with the Office of the Vermont Attorney General, “the attacks did not result from a breach on the company but from account compromise on other platforms.” According to the customer notification, on or around December 1, 2022, an attacker used pairs of usernames and passwords purchased from the dark web to attempt to log in to Norton customer accounts. The company further warns users of the Norton Password Manager feature that “attackers might have obtained details stored in the private vaults.”

(Bleeping Computer)

Hacker steals credit card info from Canada’s largest alcohol retailer

Canada’s largest beverage alcohol retailer, the Liquor Control Board of Ontario (LCBO), has disclosed a Magecart attack that occurred on January 10. According to its statement, customers who made payments through the LCBO website between January 5 and 10 may have had their information compromised, including names, email and mailing addresses, air travel loyalty card numbers, LCBO.com account passwords, and credit card information. The company pointed out that the security breach did not impact users who placed orders through the retailer’s mobile app or its specialty vintagesshoponline.com website.

(Security Affairs)

Cacti servers under attack as majority fail to patch critical vulnerability

Most internet-exposed Cacti servers have yet to be patched against a critical security vulnerability that has come under active exploitation in the wild, says attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue relates to CVE-2022-46169 (CVSS score: 9.8), which is “a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution.”

(The Hacker News)

Thanks to this week’s episode sponsor, Cerby

Did you know that over 60% of the cloud applications used by your company don’t support identity standards like single sign-on? And that these applications are the leading cause of breaches? Cerby can help. Cerby discovers new applications, eliminates manual security tasks like offboarding, and addresses misconfigurations like disabled 2FA while increasing employee productivity. Wait. A security tool that increases productivity? Yup. Learn more at cerby.com.

Cisco warns of two vulnerabilities affecting end-of-life routers

Cisco issued a warning to customers last week that it will not be releasing updates or workarounds to address two vulnerabilities affecting an outdated line of routers, last sold in 2020. Cisco Small Business router models RV016, RV042, RV042G and RV082 are affected by two vulnerabilities, CVE-2023-20025 and CVE-2023-20026, rated 9 and 6 respectively. The bugs allow a remote attacker to “bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.” Cisco added that the vulnerabilities are not dependent on one another.

(The Record)

Twitter’s laid-off workers cannot pursue claims via class-action lawsuit

According to Reuters, “Twitter has secured a ruling that will force several laid-off workers who are suing over their termination to pursue their claims via individual arbitration rather than a class-action lawsuit.” A U.S. District Judge ruled against five former Twitter employees who are accusing the company of failing to give adequate notice before laying them off after its acquisition by Elon Musk.

(Reuters)

Europol takes down call centers that scammed people out of €2 million

On Thursday, Europol announced the arrest of scammers who were selling fake cryptocurrency in Europe, Australia, and Canada. Through a cross-border investigation launched in June 2022, police arrested 14 suspects in Serbia and one in Germany. “More than 260 other suspects, including people in Bulgaria and Cyprus, have been questioned and some are awaiting prosecution.” The network operated from at least four call centers in Bulgaria, Cyprus, and Serbia. The police searched these locations and seized three digital wallets with about $1 million in cryptocurrencies, about €50,000 ($54,000) in cash, three cars, computers, and documents. The victims, mainly from Germany, lost over €2 million in an online investment campaign similar to a Ponzi scam.

(The Record)

Last week in ransomware

LockBit took center stage in the ransomware news last week with its attack on the UK’s Royal Mail, which is considered critical infrastructure in the country. The ransomware attack encrypted the computers used to print customs dockets required for international shipping. Vice Society claimed responsibility for the ransomware operation that attacked Fire Rescue Victoria in Australia. The Cuba ransomware operation has been exploiting the Microsoft Exchange OWASSRF flaw, and as a result, CISA now requires federal agencies to patch this flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.