USB devices are being used to hack targets in Southeast Asia, according to a new report by cybersecurity firm Mandiant. The use of USB devices as an initial access vector is unusual as they require some form of physical access — even if it is provided by an unwitting employee — to the target device. Earlier this year the FBI warned that cybercriminals were sending malicious USB devices to American companies via the U.S. Postal Service with the aim of getting victims to plug them in and unwittingly compromise their networks. The new campaign in Southeast Asia potentially began as far back as September 2021, according to a post on the Mandiant Managed Defence blog, published on Monday. Mandiant is now a part of Google Cloud.
Google announced on Tuesday that it has filed a lawsuit against a company allegedly impersonating it through telemarketing calls and manipulating reviews of Business Profiles on Google Search and Maps. A Google spokesperson shared dozens of reports sent to them from people who said they had been scammed by the company – which went by “G Verifier” – when it attempted to charge them for creating Business Profiles, something Google provides for free. “They also created websites advertising the purchase of fake reviews, both positive and negative, to manipulate reviews of Business Profiles on Google Search and Maps. This practice exploits entrepreneurs and small businesses — and it violates our policies on deceptive content,” Google lawyer Jon Vermandel and Technical Program Manager Ian Williams said in a blog post.
Anker’s popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local-only storage settings are turned on. The information comes from security consultant Paul Moore, who last week published a video outlining the issue. Moore demonstrates the unauthorized cloud uploading by allowing his camera to capture his image and turning off the Eufy HomeBase. The website is still able to access the content through cloud integration, though he had not signed up for cloud service, and it remains accessible even when the footage is removed from the Eufy app.
The Australian government has passed a bill that markedly increases the penalty for companies suffering from serious or repeated data breaches. To that end, the maximum fines have been bumped up from the current AU$2.22 million to AU$50 million, 30% of an entity’s adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information, whichever is greater. The turnover period is the time duration from when the contravention occurred to the end of the month when the incident is officially addressed.
Security researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products. Tracked as CVE-2022-40684 and impacting FortiOS, FortiProxy, and FortiSwitchManager products, the vulnerability was publicly disclosed in early October, when it was already being exploited in malicious attacks. The issue is an authentication bypass allowing a remote attacker to use specially crafted HTTP or HTTPS requests to perform unauthorized operations on a vulnerable appliance’s admin interface. Essentially, the security defect provides the attacker with admin access to SSH on the target appliance, allowing the attacker to update or add a valid public SSH key to the device and gain complete control over it.
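A defender's check for the persistence step described in the Fortinet item, as an added example that is not from Cyble, Fortinet or the original article: it walks a FortiOS configuration backup, fingerprints each admin account's `ssh-public-keyN` entry and reports any key outside an approved set. The sample configuration, key blobs and account names are constructed for illustration.

```python
import base64
import hashlib
import re

KEY_RE = re.compile(r'^set (ssh-public-key\d) "(\S+) (\S+)(?: [^"]*)?"$')
EDIT_RE = re.compile(r'^edit "([^"]+)"$')

def fingerprint(b64_blob):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(config_text, approved):
    """Return (admin, setting, fingerprint) for admin SSH keys not in `approved`."""
    findings, in_admin, depth, admin = [], False, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if not in_admin:
            in_admin = line == "config system admin"
        elif line.startswith("config "):
            depth += 1                      # nested table inside an admin entry
        elif line == "end":
            if depth == 0:
                in_admin = False            # end of the admin table
            else:
                depth -= 1
        elif depth == 0 and (m := EDIT_RE.match(line)):
            admin = m.group(1)
        elif depth == 0 and (m := KEY_RE.match(line)):
            fp = fingerprint(m.group(3))
            if fp not in approved:
                findings.append((admin, m.group(1), fp))
    return findings

# Constructed placeholder blobs and config; not real keys or a real device backup.
GOOD = base64.b64encode(b"constructed approved key blob").decode()
ROGUE = base64.b64encode(b"constructed unknown key blob").decode()
SAMPLE = f'''config system admin
    edit "admin"
        set accprofile "super_admin"
        set ssh-public-key1 "ssh-ed25519 {GOOD} ops@jump"
        set ssh-public-key2 "ssh-rsa {ROGUE} x"
    next
end
'''

if __name__ == "__main__":
    for admin, setting, fp in unexpected_keys(SAMPLE, {fingerprint(GOOD)}):
        print(f"unapproved key on admin '{admin}' ({setting}): {fp}")
```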