Chicago Public Schools (CPS) disclosed on Friday that students may have had their data taken in a ransomware incident involving one of its vendors. The ransomware attack happened last December at Battelle for Kids (BfK), based in Columbus, Ohio, which develops services to provide innovation in schools for students and teachers. Around 490,000 students and 56,000 employees had their data breached by those responsible for the ransomware. The data accessed by criminals, stretching from 2015 to 2019, included a variety of information. The breach notification says that home addresses, health/financial information, and social security numbers were not exposed. Chicago Public Schools is offering free credit monitoring for those affected.
A security researcher claims to have discovered an unpatched vulnerability in PayPal’s money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. Clickjacking, also called UI redressing, refers to a technique wherein an unwitting user is tricked into clicking seemingly innocuous webpage elements like buttons with the goal of downloading malware, redirecting to malicious websites, or disclosing sensitive information. This is typically achieved by displaying an invisible page or HTML element on top of the visible page, resulting in a scenario where users are fooled into thinking that they are clicking the legitimate page when they are in fact clicking the rogue element overlaid atop it.
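Because the overlay described above depends on the target page agreeing to render inside another site's frame, a defender can audit a response's anti-framing headers. The following is an added example, not code from the article or from PayPal: the function names, origins and header values are constructed, and the source matching is simplified (one top-level embedder, no ports or paths).

```javascript
// Added example: decide whether a response may be rendered in a frame hosted
// on embedderOrigin, based on its anti-framing headers (constructed inputs).
function matchSource(source, pageOrigin, embedderOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  if (s === '*') return true;
  // Simplified host-source: scheme://host or scheme://*.host (assumption: no ports/paths).
  const m = /^(https?):\/\/(\*\.)?([^/:]+)$/.exec(s);
  if (!m) return false; // source form not handled by this sketch
  const e = new URL(embedderOrigin);
  if (e.protocol !== m[1] + ':') return false;
  return m[2] ? e.hostname.endsWith('.' + m[3]) : e.hostname === m[3];
}

function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== 'frame-ancestors') continue;
      return sources.some((s) => matchSource(s, pageOrigin, embedderOrigin));
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return pageOrigin === embedderOrigin;
  return true; // no framing policy: any site may place this page in a frame
}

// Constructed sample responses for a hypothetical payment page.
const PAGE = 'https://pay.example';
const OTHER = 'https://other-site.test';
const samples = [
  {},
  { 'X-Frame-Options': 'DENY' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
];
for (const hdrs of samples) {
  console.log(JSON.stringify(hdrs), '-> frameable cross-origin:', framingAllowed(hdrs, PAGE, OTHER));
}
```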
Hacktivist group Anonymous has announced on social media that it’s launching a cyber-war against the pro-Russian group Killnet, which recently attacked European institutions. The news comes after Anonymous hackers recently declared “cyber war” against Vladimir Putin’s government following the Russian invasion of Ukraine, including leaking over 360,000 Russian federal agency files in the process. On Twitter, the @YourAnonOne account announced that: “The #Anonymous collective is officially in cyber war against the pro-Russian hacker group #Killnet.” Last week, Killnet attacked the websites of various Italian institutions and government ministries, including the superior council of the judiciary, its customs agency and its foreign affairs, education and cultural heritage ministries.
The good news for the estimated 3.2 billion users of Google’s Chrome web browser is that, as far as we know, there are no new zero-day attacks ongoing against them. However, according to the latest confirmation from Google, a total of 32 new security vulnerabilities have been discovered that impact the Chromium-based browser. Of these, one has a critical impact status, eight are rated high and a further nine are medium. This is one big, and very important, security update for all Chrome users across Windows, Mac, and Linux platforms. There is also an update rolling out for the Android Chrome app, but this appears not to be security-related as Google has only pointed to “stability and performance” issues in the release announcement.
Apple has slammed the privacy-invading habits of firms such as Facebook and Google with a bold new advert. One of Apple’s headline iPhone features is App Tracking Transparency, the anti-tracking tool that has hit Facebook’s revenues hard, costing the social network an estimated $12 billion. The latest Apple privacy advert focuses on all the iPhone maker’s privacy features. The advert is set at an auction: “The next sale is a digital treasure trove—charming Ellie’s private data,” the auctioneer announces as “Ellie” enters the room. Slot number one is her emails, and number two is her drug store purchases.
Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code. Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all four flaws in February 2022. With Zoom’s chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade as a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.