Here are the top stories of recent weeks:
- FBI Warns Of BEC Attacks Targeting US Government Organizations
- Highly Sophisticated Attackers Use 11 Zero-Day Vulnerabilities to Infect Patched Windows, iOS, and Android Devices
- Hackers Steal Credit Card Data By Hiding Data in JPG Files to Avoid Detection
- B2B Sales Portal Exposes 1.5 Million Sensitive Records
The FBI issued a Private Industry Notification (PIN) warning US private sector companies of increasing business email compromise (BEC) attacks targeting state and local government entities. The number of BEC attacks grew as organizations moved to remote work due to the COVID-19 pandemic, with the FBI noting losses of up to $4 million for local government entities between November 2018 and September 2020. The FBI’s Internet Crime Complaint Center (IC3) also reported $1.8 billion in losses due to BEC attacks in 2020, an increase from last year. BEC attacks continue to be the biggest source of reported losses.
A team of highly skilled hackers chained multiple zero-day exploits together to compromise patched Windows, iOS, and Android devices in a nine-month-long campaign. All exploits were delivered via watering-hole attacks. Compromised websites redirected visitors to malicious infrastructure where different exploits were installed based on the user’s device and browser. The attacker team’s sophistication was highlighted by their use of multiple zero-day vulnerabilities and quick creation of new exploits in response to patched OSes and apps, allowing them to continue to compromise even recently patched devices. The attack was discovered and documented by Google’s Project Zero and Threat Analysis Group.
Hackers have developed clever ways to steal payment card data from compromised online stores without being detected. Instead of downloading stolen card data directly, hackers are hiding the data in a JPG image stored directly on the infected website. Attackers can evade detection by downloading the JPG file with the encoded payment card data at a later time. While the compromised site may not be detected as malicious, site owners should be able to detect code changes and file uploads with website monitoring services.
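The monitoring mentioned above can be sketched as a baseline comparison of the web root. This is an added example, not code from any monitoring product: the function names, file names and sample bytes are constructed, and because the report does not say how the card data is encoded in the image, the JPEG start/end marker check is an assumed heuristic.

```python
import hashlib, os, tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    snap = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            with open(path, "rb") as f:
                snap[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return snap

def jpeg_anomaly(data):
    """Heuristic (assumption): a plain JPEG starts with SOI and ends with EOI."""
    if not data.startswith(b"\xff\xd8"):
        return "missing JPEG SOI marker"
    if not data.endswith(b"\xff\xd9"):
        return "file does not end with JPEG EOI marker"
    return None

def audit(root, baseline):
    """Compare the web root with a trusted baseline; return (path, reason) findings."""
    findings, current = [], snapshot(root)
    for rel in sorted(current):
        if rel not in baseline:
            findings.append((rel, "new file"))
        elif baseline[rel] != current[rel]:
            findings.append((rel, "content changed"))
        if rel.lower().endswith((".jpg", ".jpeg")):
            with open(os.path.join(root, rel), "rb") as f:
                reason = jpeg_anomaly(f.read())
            if reason:
                findings.append((rel, reason))
    findings += [(rel, "file removed") for rel in sorted(set(baseline) - set(current))]
    return findings

def demo():
    """Constructed web root: one script edited and one image added after the baseline."""
    jpeg = b"\xff\xd8" + b"\x00" * 16 + b"\xff\xd9"  # constructed stand-in, not a real photo
    def put(root, name, body):
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    with tempfile.TemporaryDirectory() as root:
        put(root, "index.php", b"<?php echo 'shop'; ?>")
        put(root, "logo.jpg", jpeg)
        baseline = snapshot(root)  # taken while the site is known to be clean
        put(root, "index.php", b"<?php echo 'shop'; /* edited */ ?>")
        put(root, "banner.jpg", jpeg + b"constructed-trailing-bytes")
        return audit(root, baseline)
```

Calling `demo()` returns the findings for the constructed site; in practice the baseline would be stored outside the web root so that whoever can write to the site cannot also rewrite it.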
B2B sales portal vendor Inside Sales Solutions left a non-password-protected database of 1.5 million records exposed publicly on the internet. The database included customer emails, names, phone numbers, admin account portal passwords in plaintext, and invoice records that could be edited, downloaded, or deleted by anyone. The database was closed to public access once a responsible disclosure notice was sent by Jeremiah Fowler, the security expert who discovered the open database.