Unusually quiet week in the cyber landscape, criminals take vacations too it seems, or not...

While catching up on all the emails after vacation is usually heavy, the cyber world has been quieter, and somehow, this is a good thing.

Still, this week in 41 points (still a lot of points, but instead of leaks and breaches, some good practice stuff too) :

1 - Usual stuff, and unpatched vulnerabilities pile up - Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities

2 - PetitPotam : Quick response, BUT, you need to manually make the change - Microsoft Rushes Fix for ‘PetitPotam’ Attack PoC

3 - Complex infrastructure on multiple providers ? What a Zero Trust Security Architecture Means with Multi-Cloud Identity

4 - Apple patch time, and not with duct tape - Apple fixes zero-day affecting iPhones and Macs, exploited in the wild (but watch out, as usual updates will wipe your privacy settings, re-enable the invasive iCloud, Siri and all the spying crap, so much for "we care for privacy" ah ah, my MacBook and my wife's one got all settings reset and started to sync again unwillingly! Extremely annoying rotten apple!)

5 - Criminals do love your cloud clusters, such a shiny SPOF target ! Criminal Hackers Attack Kubernetes Cluster to Deploy Crypto-Miners

6 - Network segmentation is a basic security approach allowing you to isolate workloads and data by category, hence applying proper governance - Rescuing Your Network with Micro-Segmentation

7 - The cloud leaks even if you don't accept the fact - Clubhouse denies Data breach; 3.8 billion phone numbers Leaked, don't fall for FOMO, it's always bad for business in the long run.

8 - Data is the core of modern business, and it always ends on storage - 6 out of box strategies to help enterprise-security pros secure their storage

9 - You are not alone against ransomware, check this out - No More Ransom saves almost €1 billion in ransomware payments in 5 years

10 - Have you updated Signal ? Signal fixes bug that sent random images to wrong contacts

11 - Data poisoning is a real threat to AI based systems (and our only defence against the machines ! ) - Attackers May Induce ‘Toxic Behavior’ Of AI Translation Systems, Study Finds

12 - Your open source systems need patch management too - Several Bugs Found in 3 Open-Source Software Used by Several Businesses

13 - And what about privacy ? Microsoft Teams now automatically blocks phishing attempts

14 - Yet another supply chain attack - Malicious npm Packages Steal Chrome Browser Passwords

15 - Access to your system is for sale, and ransomware gangs buy it all - Ransomware Retail: Underground Remote Access Markets

16 - Awareness trainings + advanced email protection + DLP should reduce the likelihood of this - UC San Diego Health discloses data breach after phishing attack

17 - It's #zimbra patch time, patch available - Zimbra Server Bugs Could Lead to Email Plundering

18 - Criminals have no restrictions or regulations to follow, they innovate faster - EvilModel – New Method to Secretly Deliver Malware Via Neural Networks To Evading Antivirus Engines

19 - You know specialized groups sell exploits non stop - Is your iPhone vulnerable to Pegasus spyware?

20 - Confidential data leaks non stop, seems we lost the confidentiality part in technology lately - Northern Ireland suspends vaccine passport system after data leak

21 - Now that big tech is fully above the laws, as they own everything, they are not scared of lawsuits anymore - Sue us: Amazon ends ‘binding arbitration’ for customer disputes — here’s what it means

22 - The cloud backend is just made of computers, vulnerable as well - Critical Microsoft Hyper-V bug could haunt orgs for a long time

23 - Your smartphone is a high value target as it's the key to your digital world - UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild

24 - Did you update Telegram ? You must - Numerous Vulnerabilities Discovered In Telegram Encryption Protocol

25 - Your attack surface is exposed to the whole world, including state sponsored attackers - Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers

26 - Social engineering attacks are also done in the long run, who can you trust ? Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees

27 - Apple devices are not more secure than any other computing stuff - macOS Malware Now Steals Account Logins Of Telegram, Chrome, And More

28 - Even with #TPM, encrypted laptop and all, Windows OS is a threat to your organization

29 - Change management, friction, a lot in security implementation leads to constraints - Security Teams: You Don’t Have to Frustrate Your Developers

30 - Wireless is weak, I have told you so for a long time, now the NSA states almost the same - NSA shares guidance on how to secure your wireless devices

31 - Proper backups (hot, warm, cold) and incident response plan remain your best assets in the current threat landscape - New destructive Meteor wiper malware used in Iranian railway attack

32 - Enabling MFA and restricting access are no longer an option, but more like mandatory baseline - Chipotle’s marketing account hacked to send phishing emails

33 - Use Firefox and keep it up to date, don't store passwords in browsers - Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs

34 - Ransomware groups never really retire - DoppelPaymer ransomware gang rebrands as the Grief group

35 - Communication and coordination between teams is a key factor in successful business infrastructure management - The importance of bridging NetOps and SecOps in network management

36 - The cloud is poisoned and it's your main supply chain. Do you have security controls in place to be protected from the cloud ? PyPI packages caught stealing credit card numbers, Discord tokens

37 - More content for your blocklists - Experts Uncover Several C&C Servers Linked to WellMess Malware

38 - Don't fall for the vishing ! Phony Call Centers Tricking Users Into Installing Ransomware and Data-Stealers

39 - Cloud or not, same problem, except that in the cloud you can't verify anything - How do criminal hackers gain access to your core data? Storage systems may be the weakest link

40 - Time to bring big tech back under the laws, they've been abusing for too long ! Amazon gets $888 million GDPR fine for behavioral advertising

41 - Hopefully your Linux systems are up to date - Linux eBPF bug gets root privileges on Ubuntu - Exploit released

And a side topic, this week I shared a post about crowd funding to support a sick kid here in Quebec, and I'm thankful for all of you who reshared or even donated. This campaign did show up in the news, checked by journalists, so no scam here, just humanity in play.

Direct link to campaign being : https://www.gofundme.com/f/la-thrapie-gnique-pour-madi?utm_campaign=p_cp+share-sheet&utm_medium=copy_link_all&utm_source=customer

Have a great weekend all ! Thanks for your support, as usual :D




Rich Davenport

ICS Security/ IT-OT Services

3 years ago

Don't worry, that's because the Senate is reporting that China has stolen enough data over the years for the CCP to have a detailed dossier on every single American.....

Pradeep Gupta

Business Setup Expert |!! Golden visa Specialist | Low-Tax Company Formation | Worldwide Banking Solutions | Cross-Border Structuring in Dubai, Singapore! Malta & Mauritius!

3 years ago

Alexandre BLANC Cyber Security thank you so much indeed for sharing the valuable information

Paul Nevins

Marine Expeditor/Supt covering Ports/Terminals/Tankers with Capital Marine (UK) CSO support to TARC from Ghana & US As always, a member of "NH & region mutual aid" POSWG (Ships & Barges/Terminals/Ports), Hydrospatial

3 years ago

Vacations? Yes but they take their laptops with them. If bored, they do a little more... but look for when others... go on vacation (stop paying attention) any time of the year. Can be "quiet and calm and smooth seas before the weather kicks up".

Erika Wichro

Global Health Consultant | Crisis Management & Humanitarian | Top 25 Global Impact Leaders Best Selling Co-Author | Helping Countries', Businesses' & Organizations' Resilience

3 years ago

Thanks for this very valuable contribution. I wonder because it is quiet in the eye of a storm and also just right before a storm. I do hope, however, it is the vacation time. Very best wishes
