
In Other News: TikTok Zero-Day, DMM Bitcoin Hack, Free VPN App Analysis

Noteworthy stories that might have slipped under the radar: TikTok patches account hijacking zero-day, $300 million DMM Bitcoin hack, free Android VPN apps analyzed.


SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports. 

Here are this week’s stories: 

SEC cyber disclosures delayed in several cases

The SEC requires companies to disclose material breaches within four business days, but the government can request delays for national security or public safety reasons. The WSJ reported that the government has delayed the public disclosure of cyber incidents several times since the rules came into effect in December 2023.

TikTok zero-day

Hackers have exploited what has been described as a ‘zero-day’ to hijack the TikTok accounts of high-profile individuals and organizations. Details are scarce, but it has been reported that opening a malicious DM was enough to trigger the exploit. TikTok claims to have patched the vulnerability following attacks on the accounts of CNN, Paris Hilton, Sony, and others, but has refused to share any technical information on the incident.  


Shell impacted by data breach at third party

Oil and gas giant Shell recently launched an investigation into a cybersecurity incident and determined that some data was obtained from a third party that provides anonymous mystery shopping services. Shell systems were not affected, the company said. 

OmniIndex launches AI threat intelligence tool for fully encrypted log files

OmniIndex has launched LoggerBC, a solution that leverages AI to find threats and vulnerabilities from within logs that are protected by homomorphic encryption. These logs are further stored in a private blockchain for additional protection.

Azure vulnerability leads to firewall rules bypass

Tenable warns of a vulnerability in Azure impacting users who rely on Azure Service Tags for firewall rules. Some Azure services let users craft web requests that the service then issues on their behalf (server-side requests). The identified issue allows attackers to control those requests and impersonate Azure services, bypassing network controls that trust Service Tags and reaching internal APIs.

$305 million in crypto stolen from DMM Bitcoin

Japanese cryptocurrency exchange DMM Bitcoin fell victim to a cyberattack that resulted in the theft of over $300 million in assets, making this the eighth largest crypto heist in recent history. 

Cyberattack hits Germany’s main opposition party

One week ahead of elections across the European Union, the Christian Democratic Union (CDU), the leading opposition party in Germany, fell victim to a serious cyberattack likely perpetrated by a “professional threat actor”. The party took parts of its network offline to contain the incident and prevent “further damage”, which suggests ransomware might have been involved. 

Leaked Google database reveals privacy incidents

A leaked internal Google database reportedly shows how the internet giant erroneously collected children’s voice data, leaked information on carpool users, and used deleted search histories to make YouTube recommendations. Along with other employee-reported privacy incidents the leak reportedly revealed, most of these mishaps were never publicly disclosed.

Address bar spoofing flaws in mobile browsers

RedSecLabs shared information on address bar spoofing vulnerabilities identified in mobile versions of the Safari, Microsoft Edge, and DuckDuckGo browsers. RedSecLabs’ proof-of-concept (PoC) code shows how constant reloading may confuse the user in regard to the legitimacy of the visited URL. Apple released patches for the issue in October 2023.

Vulnerability in RISC-V open source chip architecture

A major vulnerability in open source chip architecture RISC-V, identified by Chinese researchers, could allow attackers to bypass security protections and steal sensitive information. First reported by China’s CNCERT in April, the security defect was reportedly confirmed in late May by academics at China’s Northwestern Polytechnical University.

Security of 100 free Android VPN apps tested

Top10VPN has tested 100 of the most popular free VPN applications available in the Google Play store and found significant issues. The identified security and privacy problems include encryption issues, leaks, tunnel instability, risky permissions, third-party tracking and data collection, and malware.
