This Cyber Weekly Digest will dive into the biggest stories from this week, including a curious tactic from hackers to give back to charities and a cyber-attack on a Covid vaccine manufacturer. To keep up to date with the latest news, keep reading.
Typically, money stolen from cyber-attacks would be used for personal gain, but the hacker group Darkside showed this week that they intend to share the money with charities and “make the world a better place”. The ransomware group posted evidence of receipts of $10,000 in Bitcoin to both The Water Project and Children International. However, there are two issues with the “Robin-Hood” act of kindness. Firstly, it is illegal for charities to receive donations which are associated with criminal activity. Secondly, because the contributions were made in Bitcoin, it makes it difficult to return the funds to their rightful owners.
On Tuesday, Google released a new version of Google Chrome which fixed several security vulnerabilities, including an actively exploited zero-day flaw. The zero-day vulnerability is tracked as CVE-2020-15999 ad is the third Chrome actively exploited zero-day in the past 12 months. The flaw is described as a memory corruption bug in the FreeType font rendering library, and threat actors have been spotted abusing the bug to attack Chrome users. Researchers are encouraging users to update their software.
This week researchers have found a security flaw in Googles GPS navigation software Waze which could allow hackers to track and identify users. The researchers found that they could request the Waze API to display both his and other nearby users coordinates. The unique ID numbers of other users did not change over time meaning that users could be tracked for the entirety of their journey as well as being able to access the actual full names of the users who interacted with the app.
Earlier in the week, it was revealed that the Pharmaceutical giant Pfizer had exposed data on hundred of prescription drug takers due to a Google Cloud Storage Bucket misconfiguration according to researchers. The researchers found the data completely unsecured and unencrypted on July 9th 2020, meaning the data has been exposed for over two months before Pfizer responded. The personal information included full names, phone numbers, home and email addresses as well as partial health and medical statuses.
Yesterday it was reported that the Covid vaccine-maker Dr Reddy’s had suffered a cyber-attack. Sites across the globe, including the UK, Brazil, India, Russia, and the US have been affected. Little information has been released about the attack, and Dr Reddy’s has refused to comment on whether its manufacturing facilities had been affected. The India-based company isolated all its data centre services to contain the attack and anticipates that services will be back within 24 hours with no significant impact on its operations.