Here is our latest news roundup of articles about network and digital security. Click here to see the whole series.

Malware

• Recently, the FBI issued an alert about a ransomware group that had affected 60 organizations in four months. BlackCat ransomware group has demanded millions of dollars in ransom and primarily leverages compromised user credentials to gain access.
• New research out of Germany found that iPhones are prone to malware even when switched off. With the new iOS 15 update, Apple introduced the “Find My iPhone After Power Off” feature that allows users to locate phones even when turned off. However, the Bluetooth can be exploited and used to install malware on the device.

Vulnerabilities

• The FBI is warning that unidentified attackers have been stealing credit card data from checkout pages of U.S. businesses for several months. The hackers are using malicious PHP code to scrape data. The FBI recommends changing default login credentials, monitoring for potentially malicious activity and securing all websites with TLS/SSL.
• A newly discovered vulnerability in Tesla allows attackers to potentially exploit a Bluetooth weakness to unlock doors, operate vehicles and even gain access to connected laptops from hundreds of miles away. The hack is classified as a relay attack and can be used even when a key fob is out of range. It takes advantage of BLE (Bluetooth Low Energy), which the researcher explains should never be used for proximity authentication because it could be vulnerable. This vulnerability in the BLE protocol could be exploited in any device running BLE, including smartphones, smart locks, watches and more.
• CISA issued an emergency directive warning of two new VMware vulnerabilities that it says are likely to be exploited.
• A flaw recently discovered in a WordPress theme allows for complete site takeover. The Jupiter theme and JupiterX Core plugin are used by over 90,0000 sites, leaving a large potential threat vector. New updates to Jupiter include patches to the flaws.

Data breaches

• The U.S. Department of Justice (DoJ) announced the conviction of Sercan Oyuntur, who managed to use a phishing operation in 2018 to divert $23.5 million from the Department of Defense (DoD) to his personal bank account.
• Wedding registry site Zola was hacked in May due to credential stuffing. The company said no cash had been lost and that gift cards would be refunded to couples. In addition, no credit cards or bank information where exposed. Zola did reset all user passwords but does not offer two-factor authentication for all accounts, which made the attack easier for hackers.

Government standards

• The European Parliament and EU Member States reached an agreement on a Directive on measures for a high common level of cybersecurity across the Union in early May. The existing rules were the first EU-wide legislation on cybersecurity; however, an update was needed to offer more digital trust amidst increasing digital transformation. The NIS 2 Directive expands its scope to medium and large entities in various sectors including public electric communications, public administration, healthcare and more. The goal is to increase the level of cybersecurity in Europe. Member states will have 21 months to implement the directive into national law.

Internet of Things

• A Domain Name System (DNS) bug could put millions of devices and routers at risk if not patched. The flaw was discovered in all versions of the popular C standard libraries and is caused by predictable transaction IDs which could allow attackers to perform a DNS poisoning attack. DNS attacks have been increasing in recent years, and at DigiCert we’ve been involved in research to prevent and detect DNS hijacking.