Cyber Security Headlines – September 15, 2021

Apple issues urgent updates to fix new zero-day linked to Pegasus spyware

Apple released emergency security updates Monday after it was discovered that an Israeli cyber surveillance company’s spyware could infect iPhones and other devices without the owner even clicking on a link. Apple has released iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and Safari 14.1.2 to fix two actively exploited vulnerabilities, one of which defeated extra security protections built into the operating system. The updates are in response to a zero-day exploit called “FORCEDENTRY” (aka Megalodon) that was weaponized by Israeli surveillance vendor NSO Group and allegedly used to install Pegasus spyware on the phones of activists in Bahrain. Apple iPhone, iPad, Mac, and Apple Watch users are advised to immediately update their software to mitigate any potential threats arising out of active exploitation of the flaws.

(The Hacker News and Axios)

Update Google Chrome to patch 2 new zero-day flaws under attack

Google on Monday released security updates for its Chrome web browser to address a total of 11 security issues, two of which it says are zero-days being actively exploited in the wild. Tracked as CVE-2021-30632 and CVE-2021-30633, the vulnerabilities concern an out-of-bounds write in the V8 JavaScript engine and a use-after-free flaw in the Indexed DB API, respectively. Chrome users are advised to update to the latest version (93.0.4577.82) for Windows, Mac, and Linux to mitigate the risk associated with the flaws.

(The Hacker News)

New Zloader attacks disable Windows Defender to evade detection

According to Microsoft’s stats, Microsoft Defender Antivirus (formerly Windows Defender) is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10. An ongoing campaign using the banking trojan Zloader employs a new infection chain that disables Defender to evade detection. The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites. From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.

(Bleeping Computer)

Walmart hoax causes Litecoin to spike 20%

A fake press release, issued by GlobeNewswire, claimed Walmart had announced a significant partnership with Litecoin. The news caused Litecoin to spike and then quickly tank after it was exposed as a hoax. According to some reports, Litecoin (LTC-USD) spiked 25% in under half an hour, spurring LTC up from $174 to a “session high of $232.” Experts quickly pointed out inconsistencies in the press release, noting how critical it is to conduct thorough research before falling for entirely fabricated news presented as fact.

(Security Magazine)

WooCommerce multi-currency bug allows shoppers to change ecommerce pricing

WooCommerce is a popular eCommerce plugin for WordPress-powered websites; the Multi Currency plugin from Envato allows e-tailers using WooCommerce to set pricing for international shoppers. It automatically detects a customer’s location and displays pricing in the appropriate currency, with the exchange rate set manually or automatically using current exchange rates. According to the Ninja Technologies Network (NinTechNet), the issue is a broken access-control vulnerability in version 2.1.17 and below, impacting Multi Currency’s “Import Fixed Price” feature, which allows eCommerce sites to set custom prices, thus overwriting any prices calculated automatically by exchange rate.


Close to half of on-prem databases contain vulnerabilities, with many critical flaws

A five-year study has concluded with a sobering fact for businesses using on-premise servers: close to half contain vulnerabilities that may be ripe for exploitation. Imperva released the results of the study on Tuesday, which analyzed roughly 27,000 databases and their security posture. In total, 46% of on-premises databases worldwide, accounted for in the scan, contained known vulnerabilities. On average, each database contained 26 security flaws, with 56% ranked as a “high” or “critical” severity bug — including code execution vulnerabilities that can be used to hijack an entire database and the information contained within. All it may take, in some cases, is a scan on Shodan, the search engine that can find anything that connects directly to the internet, to find a target and execute a malicious payload. “This indicates that many organizations are not prioritizing the security of their data and neglecting routine patching exercises,” Imperva says. “Based on Imperva scans, some CVEs have gone unaddressed for three or more years.”


Alibaba slides on report China plans to break up payment app

Shares in Chinese technology giant Alibaba have fallen sharply after a report that its financial affiliate Ant Group is again under scrutiny. Regulators want to break up Alipay, which is China’s biggest payments app with more than a billion users, according to the Financial Times. A separate platform for the app’s profitable lending operation would be created under the plan. This would be the latest move by Beijing to tighten its grip on big businesses, and Ant could also be forced to hand over the user data that underpins its loans decisions to a new credit scoring firm, which would be partly state-owned, the report said. Alibaba shares closed 4.2% lower in Hong Kong trade on Monday.

(BBC News)

Brits open doors for tech-enabled fraudsters because they ‘don’t want to seem rude’

That’s according to the trade association UK Finance, which found that the number of “impersonation scam cases” more than doubled in the first half of 2021 to 33,115 – up from 14,947 during the same period last year. The industry body reckons these particular frauds – whether by text, email, or voice calls – have duped “even the savviest” Brits out of almost £200m over the last year or so. SMS phishing (smishing) attacks in the UK grew by nearly 700 per cent in the first half of 2021 compared to the previous six months.

(The Register)