2016-04-15



Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

Urgent Call to Action: Uninstall QuickTime for Windows Today

Apple has new guidance regarding an immediate request to uninstall QuickTime for Windows as soon as possible. Apple will no longer be issuing security updates for the product on the Windows platform and recommends that users uninstall it. Note that this does not apply to QuickTime on Mac OS X. The Trend Micro Zero Day Initiative has just released two advisories, ZDI-16-241 and ZDI-16-242, detailing two new, critical vulnerabilities affecting QuickTime for Windows.

Badlock is Not So Bad

Microsoft released its April security patches, including one addressing the hyped-up Badlock vulnerability. In the chatter after the controversial partial disclosure of the “Badlock” vulnerability in March, some people predicted that it could be as bad as MS08-067, the vulnerability that the Conficker worm exploited. Instead of MS16-047, what should be at the top of your priority list are the security updates focused on Adobe Flash, Microsoft Windows, Microsoft Internet Explorer and Microsoft Edge.

ATM Malware is on the Rise

Automated Teller Machines (ATMs) are no longer just affected by physical attempts to empty the money safe. Now logical attacks on ATMs are slowly being recognized as an emerging threat by the security industry and law enforcement agencies. ATM malware has been detected by various researchers for a few years now and we have already seen incidents of its successful use.

U.S. and European Companies are Top Targets of CEO Fraud

The FBI has issued a warning on the dramatic increase of Business Email Compromise (BEC) scams, swindling over US$2.3 billion from companies worldwide, notably in the US and Europe. The scams do not discriminate, with targets ranging from small businesses to large corporations. All the perpetrators need is the company executive’s email address (or that of someone close, like their personal assistant) and the ability to make a convincing fake email.

Mobile Devices Are Being Used to Execute DNS Malware Against Home Routers

Attacks against home routers have been going around for years—from malware that rigs routers to DNS rebinding attacks and backdoors, among others. We recently came across an attack that proves how the Internet of Things (IoT) can be an entry point for cybercriminal activities. This attack requires users to access malicious websites hosting the JavaScript via their mobile devices. Accessing these sites via mobile devices enables the JavaScript to download another JavaScript with DNS-changing routines.

A Huge Cyberattack on the Power Grid Could Cost Billions

A catastrophic hack could cost the economy billions, researchers warn. Governments have long worried about the potential for a cyberattack on their country’s critical national infrastructure, and now researchers have attempted to calculate just how much such an event would cost the economy.

Bait and Switch Mobile Ransomware Has Weaknesses

We have recently caught sight of a mobile ransomware distributed by fake adult websites. It not only locks the device screen and displays a warning supposedly coming from law enforcement—a tactic reminiscent of the Police Trojan that plagued desktops before—it also activates the unit’s front-facing camera to add to its scare tactic. However, while it has routines unique to mobile ransomware, it also has a particular set of weaknesses that stand out.

Georgetown University was Hit by a Cyberattack

Georgetown University confirms it fell victim to a cyberattack last week, but the school said hackers were not able to get any university data, including student records. An email sent to the school community said the outage from the attack was a result of the firewall closing the network in order to protect the system and data. They said the issue was separate from computer problems at MedStar, a clinic partner with Georgetown.

US CIO Tony Scott Addressed Cybersecurity’s Talent Gap

At a Passcode event Tuesday, the US chief information officer said the federal government wants candidates who know languages, biology and anthropology to fill cybersecurity roles – and one of its most important hires, the new chief information security officer, will be announced within 30 days. U.S. government agencies and businesses are scrambling to bolster security operations teams to defend against breaches such as last year’s massive data spill at the Office of Personnel Management.

Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.
