Cyber Weekly Digest - Week #43

This Cyber Weekly Digest will dive into the biggest stories from this week, including a curious tactic from hackers to give back to charities and a cyber-attack on a Covid vaccine manufacturer. To keep up to date with the latest news, keep reading.

1. Darkside ransomware hacker group is donating stolen money to charities.

Typically, money stolen from cyber-attacks would be used for personal gain, but the hacker group Darkside showed this week that they intend to share the money with charities and “make the world a better place”. The ransomware group posted evidence of receipts of $10,000 in Bitcoin to both The Water Project and Children International. However, there are two issues with the “Robin-Hood” act of kindness. Firstly, it is illegal for charities to receive donations which are associated with criminal activity. Secondly, because the contributions were made in Bitcoin, it is difficult to return the funds to their rightful owners.

2. Google released a new version of Google Chrome which patched an actively exploited zero-day.

On Tuesday, Google released a new version of Google Chrome which fixed several security vulnerabilities, including an actively exploited zero-day flaw. The zero-day vulnerability is tracked as CVE-2020-15999 and is the third actively exploited Chrome zero-day in the past 12 months. The flaw is described as a memory corruption bug in the FreeType font rendering library, and threat actors have been spotted abusing the bug to attack Chrome users. Researchers are encouraging users to update their software.

3. A security vulnerability has been found in Google's GPS navigation software Waze.

This week researchers found a security flaw in Google's GPS navigation software Waze which could allow hackers to track and identify users. The researchers found that they could request the Waze API to display both their own coordinates and those of other nearby users. The unique ID numbers of other users did not change over time, meaning that users could be tracked for the entirety of their journey. It was also possible to access the actual full names of the users who interacted with the app.