The Good
This week was all about Black Hat 2019, the annual hacker con that meets in Las Vegas to offer training, briefings, and showcases of the latest security technology. Some of the good news to come out of Black Hat aside from our own announcements includes an expanded Apple bug bounty program for researchers. Starting this Fall, Apple will open up the program to all researchers across all its platforms, with up to $1million on offer for zero-click vulnerabilities that lead to complete kernel exploitation. The week continues for cybersecurity enthusiasts with Def Con 27 running from Thursday through to Sunday.
Chipmaker Broadcom has announced a cash buy-out of Symantec’s enterprise business for $10.7 billion. The cybersecurity firm has been going through a rough patch of late, with turbulence in the boardroom and declining revenues, so the buy-out should be welcome news to Symantec shareholders. Not everyone was pleased about the acquistion, though. “[It’s a dinosaur] buying another dinosaur before both dinosaurs go out of business,” Herjavec Group CEO Robert Herajvec said, while commenting on the deal.
The Bad
IoT devices have been the focus of a campaign targeting public and private organizations by Russian-state backed APT group Fancy Bear, aka APT28 and Strontium, according to researchers at Microsoft. The campaign, thought to have begun in April, penetrates enterprise networks by leveraging simple vulnerabilities such as default passwords and outdated firmware on network-connected devices like printers, VOIP phones and video decoders. Once an IoT device is infected, the attackers are able to conduct a network scan and attempt lateral movement into higher privileged accounts.
New figures from IBM reveal that the number of ransomware attacks appears to have doubled in the last six months. The stats show that on average, an enterprise ransomware infection cripples around 12,000 devices and requires over 500 hours of incident response. Multinationals that fall victim to ransomware are suffering loses of $239 million on average, the report claims.
The Ugly
Spectre is back, well it’s been back and gone again! Microsoft silently patched a hitherto unknown vulnerability affecting Intel CPUs in July, but the side channel attack could have been leaking encryption keys, passwords, private conversations and more if it had been exploited prior to that. Classified as CVE-2019-1125, the flaw made it possible for attackers to exploit the SWAPGS instruction and move data held in kernel memory to user memory.
Controversy has erupted around Amazon’s home security service Ring, which offers real-time crime and safety alerts from neighbors in part by sharing footage from video doorbells. Not all Ring users are inclined to share, however. Concern has been raised that Ring are coaching law enforcement agencies on both how to get users to “play ball” as well as how to drive downloads of Ring’s smartphone app. Claims that police officers can obtain footage without a warrant directly from Amazon were denied by the company.