SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
Student charged with hacking shipping company
A University of Miami student has been charged with hacking into employee accounts at a shipping and supply chain management company as part of a $3.5 million fraud scheme. The fraudsters bought high-end electronics, jewelry, designer clothing, and accessories from retailers and then used their access to the shipping firm’s systems to enter fraudulent tracking information and claim full refunds while keeping the merchandise.
US offering big rewards for Iranian cyber actors
The US State Department has made two announcements, each offering rewards of up to $10 million for information on Iranian cyber actors. Some of them are accused of interfering in US elections, while others are said to have targeted critical infrastructure and compromised hundreds of computer networks.
New Google Play banner highlights independent security validation of apps
Google has announced a new banner for Google Play applications that have undergone independent security testing. For now, the banner is available for VPN applications, indicating to users that the app meets minimum industry best practices for mobile security and privacy.
CISA guidance for Vulnerability Exploitability eXchange (VEX) information
CISA has published guidance on when organizations should issue Vulnerability Exploitability eXchange (VEX) information, which allows developers, suppliers and others to share information about vulnerabilities. The goal is to make it easier for others to make their own assessment of the risks associated with a vulnerability.
Critical QNAP product vulnerabilities
QNAP has published four security advisories to inform customers about vulnerabilities found in its products, including critical QTS, QuTS and Multimedia Console flaws that can be exploited for remote code execution.
Zephyr RTOS vulnerabilities
A researcher has discovered a dozen vulnerabilities in the Linux Foundation-sponsored Zephyr real-time operating system (RTOS). The flaws can be exploited for DoS attacks, arbitrary code execution and other purposes.
Evolution of Chinese state-sponsored cyber operations
Recorded Future has published a report on the evolution of Chinese state-sponsored cyber operations, highlighting a shift “from broad intellectual property theft to a more targeted approach supporting specific strategic, economic, and geopolitical goals”.
SolarWinds responds to SEC charges
SolarWinds has responded to the recent charges announced by the SEC against the company and its CISO over its cybersecurity practices leading up to the massive breach. SolarWinds has described the SEC’s lawsuit as “fundamentally flawed” and has shared some information in an effort to set the record straight on some allegedly false claims.
New EU regulation enables government surveillance
The EFF has issued a warning over a new EU regulation called eIDAS 2.0. Article 45 in the new regulation would forbid browsers from enforcing certain security requirements on government-appointed CAs, allowing governments to intercept HTTPS communications in the EU and beyond. Major tech companies have raised concerns about the new regulation.
SentinelOne acquires Krebs Stamos Group and launches new unit
SentinelOne has acquired the Krebs Stamos Group, a company founded by former CISA director Chris Krebs and former Facebook and Yahoo security chief Alex Stamos. Krebs and Stamos will lead PinnacleOne, a new strategic risk analysis and advisory group launched by SentinelOne.