Our security roundup series covers the week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll fill you in on the latest news and controversies the industry has been talking about.
Here’s what you don’t want to miss from the week of September 14, 2015:
- A new, active malware campaign has compromised thousands of WordPress sites, redirecting visitors to a Nuclear Exploit Kit landing page. According to SucuriLabs, the landing pages will try a variety of available browser exploits to infect the computers of unsuspecting visitors. “We detected thousands of sites compromised just today and 95% of them are using WordPress,” said Sucuri CTO Daniel Cid. The campaign appears to have started only 15 days ago, but has quickly gained traction. SucuriLabs shared a snapshot of the daily infection rates so far.
- Apple’s iOS 9 was released this week, fixing a serious vulnerability in AirDrop – the over-the-air file sharing service for both iPhones and Macs. Australian researcher Mark Dowd at Azimuth Security found that this particular flaw could allow anyone within range of an AirDrop user to install malware on a device and manipulate operating system settings in order to force the exploit to work, even if the victim did not accept the incoming AirDrop file. Dowd demonstrates the exploit in a video. iOS 9 resolves the issue for iPhones, and OS X El Capitan – launching September 30 – will also resolve the issue for Mac computers.
- Telecommunications giant Vodafone Australia is under fire following the revelation that a journalist’s call and text records were accessed in an attempt to uncover the source for a story on a serious security issue in the Siebel data system used by Vodafone. Journalist Natalie O’Brien reported that the data system was available online and easily accessible through generic passwords, which were being shared around the company. Vodafone previously denied the allegations, but has since released a statement apologizing for the “unacceptable and potentially criminal behavior.”
- Researchers at F-Secure released a report detailing evidence of the Russian government’s alleged involvement in a seven-year malware campaign targeting government institutions, political think tanks and other high-level organizations. The report includes research dating back to 2008, outlining numerous incidents executed by a “well-resourced, highly dedicated and organized cyberespionage group” believed to be working for the Russian Federation.
- A new survey by Kaspersky Lab says that about a third (32 percent) of serious distributed denial of service (DDoS) attacks are accompanied by a network intrusion. According to survey respondents, small businesses were most likely to lose data as a result of a DDoS attack – 31 percent of SMBs reported data loss, compared to 22 percent of enterprises. Furthermore, the average DDoS attack was found to cost SMBs more than $50,000 in recovery expenses, while enterprises typically spend more than $417,000 to recover.
- Schneider Electric pushed out a critical patch for an industrial control system that transmitted user login credentials between client and server machines in plain text. CVE-2015-3962 – with a CVSS base score of 10.0 – affects StruxureWare Building Expert prior to version 2.15. The vulnerable system handles air conditioning, lighting and metering, and is estimated to be used worldwide.
- A U.S. judge ruled that banks can proceed with a class action suit filed against Target for the massive data breach that occurred in 2013. The St. Paul, Minnesota, U.S. District Court judge affirmed Target’s negligence in the data hack, which compromised upwards of 40 million credit cards. The decision enables the $5 million class action to be maintained under the representation of the five primary plaintiffs: Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain.