SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
MITRE publishes comparison of international PQC standards
MITRE has announced that the Post-Quantum Cryptography Coalition (PQCC), which brings together several tech giants, has published a comparison of international post-quantum cryptography (PQC) standards. The goal is to identify areas of alignment and misalignment that could pose challenges for international vendor compliance and interoperability.
US Army Special Forces hack building
The US Army revealed that in a recent exercise taking place in Sweden, its Special Forces used disruptive cyber technology to target a building. Specifically, they identified the building’s networks, cracked the Wi-Fi password, and ran exploits on a computer inside the building. This enabled them to manipulate security cameras, door locks, and other security systems.
Transport for London cyberattack
Transport for London (TfL), the organization managing London’s transport network, has been hit by a cyberattack. While the attack has not impacted public transport services, some online services have been disrupted for several days, including live travel data. TfL does not believe it was targeted in a ransomware attack and there is no indication that customer data has been compromised.
CBIZ data breach impacts 9,000 people
Financial, insurance and advisory services firm CBIZ Benefits & Insurance Services has suffered a data breach that involved the exploitation of a vulnerability in one of its web pages. Information related to retiree health and welfare plans may have been compromised, including name, contact information, Social Security number, date of birth, and/or date of death. The company told the HHS that 9,100 individuals are affected.
UK takes down website enabling banking anti-fraud bypass
Three UK residents pleaded guilty to operating www[.]OTP[.]Agency, a website that allowed cybercriminals to access personal bank accounts and steal money. The three, Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque, charged subscription fees ranging from £30 (~$40) to £380 (~$500) a week for MFA bypasses and access to Visa and Mastercard verification sites. The three are estimated to have made up to £7.9 million (~$10.4 million).
OpenSSL and Firefox patches
The latest OpenSSL update patches a moderate-severity vulnerability that can be exploited for DoS attacks. Mozilla has released Firefox 130, which patches several high-severity vulnerabilities.
FTC warns of Bitcoin ATM scams
The FTC has issued a warning that scammers are increasingly targeting Bitcoin ATMs, or BTMs. BTMs look similar to regular ATMs, but they’re designed for buying or sending cryptocurrency. Scammers are tricking unsuspecting users — by impersonating government organizations or businesses — into depositing their money at BTMs in order to ‘keep it safe’. Victims are instructed to convert cash into cryptocurrency and deposit it in a wallet controlled by the scammers. The FTC says losses have reached $65 million this year.
38,000 AVTECH CCTV cameras exposed to botnet
Censys has identified roughly 38,000 internet-accessible AVTECH CCTV cameras that are potentially affected by a zero-day vulnerability exploited by a Mirai-based botnet. Tracked as CVE-2024-7029 and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in early August, the flaw allows unauthenticated attackers to inject and execute commands on vulnerable devices. The vendor did not respond to CISA’s attempts to get the bug fixed.
PyPI packages exposed to hijacking technique exploited in the wild
Threat actors are hijacking PyPI packages using a simple yet effective technique called Revival Hijack, JFrog reports. When a PyPI project is removed from the repository, the name of its package becomes available for registration, and miscreants are re-registering such names with malicious projects to deceive developers into installing them. There are roughly 22,000 packages at risk of hijacking, JFrog says.
X hiring security and safety staff
X, formerly Twitter, has posted several job openings related to safety and cybersecurity, TechCrunch reported. The company is looking for security engineers, threat intelligence specialists, safety agents, and safety agent supervisors. The move comes two years after the company lost thousands of employees, including key privacy and security executives.