Security bug allows anyone to spoof Microsoft employee emails
A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets. As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft’s account security team. Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing bug and reported it to Microsoft, but the company dismissed his report after saying it couldn’t reproduce his findings. This prompted Kokorin to publicize the bug on X, without providing technical details that would help others exploit it.
Scathing report on Medibank cyberattack highlights unenforced MFA
A scathing report by Australia’s Information Commissioner details how misconfigurations and missed alerts allowed a hacker to breach Medibank and steal data from over 9 million people. In October 2022, Australian health insurance provider Medibank disclosed that it had suffered a cyberattack that disrupted the company’s operations. A week later, the company confirmed that the threat actors had stolen all of its customers’ personal data and a large amount of health claims data, causing a data breach that impacted 9.7 million people.
G7 countries vow to establish collective cybersecurity framework for operational tech
The Group of Seven (G7) countries have agreed to establish a collective cybersecurity framework around operational technologies for both manufacturers and operators, the White House announced Tuesday. At last week’s summit in Italy, the gathered G7 leaders “committed to taking critical action to strengthen the cybersecurity of the global supply chain of key technologies used to manage and operate electricity, oil, and natural gas systems across the world,” National Security Advisor Jake Sullivan said. The initiative seeks to address the continuous cyberattacks targeting energy systems around the world that are “vulnerable to disruption.”
Financial orgs subjected to attacks with new ONNX phishing service
Since February, organizations in the financial sector have had their employees’ Microsoft 365 accounts targeted by an attack campaign involving the novel ONNX phishing-as-a-service platform, which is believed to be a rebrand of the Caffeine phishing kit, BleepingComputer reports. Attackers impersonated human resources departments in malicious emails purporting to be about salary updates; the PDF attachments contained QR codes that, when scanned, redirected targets to fake Microsoft 365 login pages without being flagged by phishing protections, according to a report from EclecticIQ.
US regulator says TikTok may be violating child privacy law
The US Federal Trade Commission (FTC) announced Tuesday that it had referred a complaint against TikTok to the Justice Department, saying the popular video-sharing app may be violating child privacy laws. The complaint, which also names TikTok’s Chinese parent company ByteDance, stems from an investigation launched following a 2019 settlement, the FTC said in a statement. At the time, the US regulator accused TikTok’s predecessor, Musical.ly, of having improperly collected child users’ personal data.