Cyber Weekly Digest - Week #40


Although another month of 2021 has ended, the list of zero-days continues to grow; in this week's digest, we explore the latest Chrome zero-days patched by Google. We will also dive into how researchers were able to make fraudulent payments using ApplePay on a locked iPhone and the latest VoIP provider to suffer a DDoS attack. Keep reading to stay up to date with the biggest and latest cyber security news from the week.


1. Researchers discovered a way to make fraudulent payments using Apple Pay from a locked iPhone.

Academic researchers from the University of Surrey and the University of Birmingham have discovered a way to make fraudulent payments using Apple Pay from a locked iPhone that has a Visa card in the digital wallet with express mode enabled. The method can be seen as a digital version of pickpocketing. It works over the air, even if the iPhone is in a bag or someone's pocket, and there is no transaction limit. Researchers say that the issue is caused by the use of a unique code, named "magic bytes", that is broadcast by transit gates and turnstiles to unlock Apple Pay. Using standard radio equipment, they could trick the iPhone into thinking it was talking to a transit gate.

2. New trojan has emerged on underground forums being used to steal online gamer accounts.

A new advanced trojan, named BloodyStealer, has been found on underground forums, and it is being used to steal gamer accounts on various platforms such as Steam, Epic Games Store and EA Origin. According to researchers, BloodyStealer first emerged last March on the dark web, being sold at $10 for a one-month subscription or $40 for a lifetime subscription. The stealer swipes data, including cookies, passwords, forms, bank-card information saved in browsers, screenshots, login memory and application sessions. There has been a growing demand on the dark web for stolen gamer accounts over the past year.


3. Bandwidth becomes the latest victim of DDoS attacks targeting VoIP providers.

Bandwidth.com has become the latest victim of distributed denial of service attacks targeting VoIP providers this month, leading to nationwide voice outages over the past few days. Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers. As a result, many other VoIP vendors also reported outages this week, including Twilio and RingCentral. Earlier in September, provider VoIP.ms also suffered a catastrophic DDoS attack used as part of a ransomware attack.

4. Google pushes emergency Chrome update to fix two zero-days.

Google has released Chrome 94.0.4606.71 for Windows, Mac, and Linux to fix two zero-day vulnerabilities known to be actively exploited. The first zero-day, tracked as CVE-2021-37976, is described as an "Information leak in core" and was assigned a Medium severity level. The second zero-day, tracked as CVE-2021-37975, is a High severity use-after-free bug in the Chrome V8 JavaScript engine. With these two fixes, Google has patched 13 zero-day vulnerabilities in the Chrome web browser since the start of 2021.


5. JVCKenwood hit by Conti ransomware claiming theft of 1.5TB data.

JVCKenwood has suffered a Conti ransomware attack this week in which threat actors claim to have stolen 1.7 TB of data and are demanding a $7 million ransom. Conti attackers breached JVCKenwood servers belonging to its sales companies based in Europe and could access company data. As proof that they stole data, the threat actors shared a PDF file showing a scanned passport of a JVCKenwood employee.


