08-Apr-24: In Security News Today

Company Offering $30 Million for Android, iOS, Browser Zero-Day Exploits

Crowdfense is offering up to $30 million for zero-day exploits affecting Android, iOS, Chrome, and Safari, significantly increasing its previous rewards. The program seeks fully functional, previously unreported zero-day exploits, with rewards ranging up to $9 million for the most impactful findings. This initiative underscores the high market demand for such vulnerabilities, reflecting the critical nature of mobile and browser security.

Home Depot Confirms Third-party Data Breach Exposed Employee Info

Home Depot confirmed a data breach where a third-party SaaS vendor mistakenly exposed limited employee data, potentially leading to targeted phishing attacks. The leaked data included corporate IDs, names, and email addresses, posing a risk for phishing attempts to gather more sensitive information or deploy ransomware. Employees are advised to be cautious of emails requesting corporate credentials and report any suspicious emails to the company’s IT staff.

UK Retailers Lost £11.3bn to Fraud in 2023

A study by Adyen and CEBR reveals that 35% of UK retailers experienced fraudulent activity, cyber-attacks, or data leaks in the past year, resulting in a total loss of £11.3bn. The report highlights a significant increase in payments fraud affecting UK consumers, with an average loss of £311.09 in 2023. Retailers are urged to invest in advanced defense mechanisms to combat sophisticated fraud methods, as only 63% currently have effective fraud prevention systems in place.

Critical Bugs Put Hugging Face AI Platform in a ‘Pickle’

Researchers at Wiz discovered two critical security vulnerabilities in the Hugging Face AI platform, allowing attackers to access and alter customer data and models. The vulnerabilities were related to weaknesses in Hugging Face’s inference infrastructure, including the ability to upload Pickle-based models that could execute arbitrary code. Wiz highlighted the risks associated with shared infrastructure in AI-as-a-service environments and recommended that organizations analyze and mitigate potential threats, such as data poisoning and malicious AI models.

Cyberattack on UK’s CVS Group Disrupts Veterinary Operations

UK veterinary services provider CVS Group experienced a cyberattack that led to disruptions in IT services across its 500 practices in the UK and other countries. The company responded by shutting down its IT systems to prevent further unauthorized access. CVS Group is working with third-party specialists to investigate the incident, restore IT services, and migrate infrastructure to the cloud for enhanced security.

Attackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites

Threat actors are exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites, allowing for arbitrary code execution. The attack leverages CVE-2024-20720 with a high CVSS score, addressed by Adobe in a security update. Hackers are using a crafted layout template to automatically inject malicious code, leading to the installation of a payment skimmer to steal financial information.

Browsing in Incognito Mode Doesn’t Protect You as Much as You Might Think

Private browsing or “Incognito Mode” offers limited privacy and doesn’t obscure user activity from websites or internet service providers. While it prevents local storage of browsing history and cookies, it doesn’t hide users’ IP addresses or online activity. A recent legal settlement aims to improve Chrome’s Incognito mode, requiring Google to delete records and make privacy disclosures more prominent.

Attackers Deploy Crypto Drainers on Thousands of WordPress Sites

Hackers have compromised around 2,000 WordPress sites to display fake NFT and discount pop-ups, tricking visitors into connecting their wallets to crypto drainers that steal funds. The attackers have been unsuccessful with their original campaign and are now deploying new scripts to turn visitors’ browsers into tools for brute-forcing admin passwords on other sites. To protect digital assets, users are advised to only connect their wallets to trusted platforms and exercise caution with unexpected pop-up windows.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.