Weekly cyber news update

This week's cyber news includes content from NCSC, Trend Micro and Wired:


Popular VPNs targeted by password stealing hackers

Users of Fortigate SSL VPN and Pulse Secure are being warned that hackers are attempting to steal passwords, as well as encryption keys and other sensitive data from unpatched servers.  At the Black Hat security conference in Las Vegas, researchers explained that the vulnerabilities could be exploited with web requests that contain a special sequence of characters.  Other vulnerabilities found could also allow attackers to remotely execute malicious code and change passwords.

Users of these VPN products should install the patches as soon as possible. The Fortigate update was issued in May whilst the Pulse Secure update was made available back in April.


Apple releases a patch to fix jailbreak flaw

Apple has released an update (12.4.1) to fix a jailbreaking vulnerability – one which had previously been fixed back in iOS 12.3.  The vulnerability was accidentally reintroduced on iPhone XS, XS Max, and XR or the 2019 iPad Mini and iPad Air.  Jailbreaking these devices will open them up to a multitude of security risks. 

Users of Apple devices should now ensure they have updated to iOS 12.4.1. Apple has published a security note about the update, which includes recognition for the researcher who flagged the vulnerability, and users should also keep track of Apple’s latest security updates.


Jindrich Karasek (Threat Researcher) at Trend Micro has reported on the ‘Heatstroke’ campaign, which uses a multistage phishing attack to steal PayPal and credit card information

Heatstroke demonstrates how far phishing techniques have evolved, from merely mimicking legitimate websites and using diversified social engineering tactics to its use of more sophisticated techniques such as steganography. Heatstroke’s operators research their potential victims, looking for private email addresses, which are more likely to be hosted on free email services with lax security and spam filtering. These are also usually used as verification for social media and e-commerce websites, as well as backups for Gmail and business accounts.

The stolen credentials are sent to an email address using steganography (hiding or embedding data into an image). Trend Micro's researchers were able to capture two phishing kits — one for Amazon users and the second for stealing PayPal credentials.


Hostinger Suffers Data Zinger

Web hosting platform Hostinger disclosed a data breach this week that affected up to 14 million of the company's 29 million customers. A hacker apparently used an access token, found on Hostinger's servers, to access an API database that included usernames, email addresses, and weakly hashed passwords. In response, Hostinger automatically reset customer passwords and upgraded its safeguards.


Sourced from www.wired.com