Security experts warn of Amazon Prime Day scams
With Amazon Prime Day in full swing, security experts are warning of a deluge of phishing activity designed to capitalize on the major Amazon promotional event taking place this week, in this unusual year. Amazon Prime Day is said to be bigger for Amazon than Black Friday and Cyber Monday combined. Scams may include fake Amazon websites with special deals, fake customer support sites for returns and cancellations, and Amazon loyalty surveys. As always, experts remind people to use common sense and to look for unfamiliar URLs, poor grammar, and excessive requests for personal information.
Office 365 remains a favorite for cyberattack persistence
The COVID-19 pandemic’s “work from home” culture has made Office 365 user account takeover one of the most effective ways for attackers to penetrate an organization’s network. Researchers at Vectra AI identify three primary weak points: OAuth, an open standard for access authentication; Power Automate, which creates workflows between Office 365 applications and to third-party applications; and eDiscovery, which is an internal search tool. To mitigate these threats, researchers recommend moving away from static, prevention-based, one-off mitigations and moving to a more contextual security approach.
Homomorphic encryption finally finds the spotlight
Homomorphic encryption allows computation to be performed on encrypted data without requiring access to a secret key. This decade-old process is finding new life due to the economics of privacy regulations such as HIPAA. This technique allows social services organizations to share client accounts without revealing personal information, allows tabulation of secret ballots in elections and helps with money laundering investigations across multiple banks, in some cases reducing the time required from months to minutes.
Windows Update can be abused to execute malicious programs
The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) attackers can use to execute malicious code on Windows systems. LoLBins are Microsoft-signed executables (pre-installed or downloaded) that can be abused by threat actors to evade detection while downloading, installing, or executing malicious code. They can also be used by attackers to bypass Windows User Account Control (UAC) or Windows Defender Application Control (WDAC) and to gain persistence on already compromised systems.
Authentication bug opens Android smart-TV box to data theft
Researchers at Sick.Codes, a security resource for developers, have discovered a critical bug in the Hindotech HK1 TV Box that would allow root-privilege escalation thanks to improper access control. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said. The bug scores 9.3 out of 10 on the CVSS severity scale. The HK1 Box allows users to access YouTube, Netflix, and other streaming content “over-the-top,” without a cable subscription. The Hong Kong-based vendor, Shenzhen Hindo Technology, has to date been unresponsive.
Twitter slaps warning on President Trump tweet claiming coronavirus immunity
Shortly after the President tweeted on Sunday that he was now “immune” to the coronavirus, Twitter attached a warning label to the tweet stating that it “violated the Twitter Rules about spreading misleading and potentially harmful information related to COVID-19.” Mr. Trump, who is arguably Twitter’s most famous user, has previously accused it of “interfering” with the U.S. 2020 election due to the platform’s fact-checking policies.
Microsoft October Patch Tuesday fixes 87 bugs, six publicly disclosed
With the October 2020 Patch Tuesday security updates release, Microsoft has released fixes for 87 vulnerabilities in Microsoft products, along with an advisory about today’s Adobe Flash Player update. The advisory relates to Adobe’s own security update for a critical remote code execution vulnerability in Adobe Flash Player that could be exploited by simply visiting a website. This month’s Patch Tuesday security updates include six publicly disclosed vulnerabilities. The good news is that Microsoft states that none of them have been seen publicly exploited.
Bitcoin wallet update trick nets criminals more than $22 million
Holders of the Electrum bitcoin wallet app got a rude surprise this August when they received an unexpected security update request via a popup message. The wallet holders who updated their wallet accordingly found that their funds were immediately stolen and sent to an attacker’s bitcoin account. This theft was made possible by Electrum’s open ecosystem, where anyone can set up an ElectrumX gateway server and connect it to a blockchain node. Cybercrime gangs have been abusing this loophole for two years, spinning up malicious servers and waiting for users to connect to their systems.