Articles of interest from the week of December 11, 2023
John Frasier Dec 14, 2023 10:30:00 AM
23andMe: Data Breach Was a Credential-Stuffing Attack
DNA testing company 23andMe has released further details about an October data breach in which a threat actor accessed and downloaded user profile information. (Dark Reading)
“This is a reminder to read the fine print. The 23andMe terms of service (ToS) limits their liability on the very scientific data that is the blueprint to your identity.” – Connie Hernandez, Contract Manager at Ingalls Information Security
New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices
A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS, and iOS devices. Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. (The Hacker News)
AutoSpill Attack Steals Credentials From Android Password Managers
Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection. (BleepingComputer)
Cyberattack on Irish Utility Cuts Off Water Supply for Two Days
The cyberattack was reported by a local newspaper, Western People, and technical details are murky. The attack targeted a private group water scheme in the Erris area, and reportedly impacted 180 people in Binghamstown and Drum, leaving them without water on Thursday and Friday. (SecurityWeek)
Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware
Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector. (The Hacker News)