This Week’s Top 5 News June 2023 | 01

With every passing day there are new cybersecurity events that have the potential to impact you or your company. We have rounded up five top cybersecurity news stories to help keep you up to date with cybersecurity issues around the world, from acts of espionage to simple code errors that could leak your private data.
Here are our top five news stories from the past week:

1. New Botnet Malware Targets Spanish-Speaking Users

Spanish-speaking users in Latin America have been targeted by a new botnet malware called Horabot since November 2020. According to Cisco Talos researcher Chetan Raghuprasad, Horabot allows the threat actor to control the victim’s Outlook mailbox, exfiltrate contacts’ email addresses, and send phishing emails with malicious HTML attachments. The botnet program also delivers a Windows-based financial trojan and a spam tool to harvest online banking credentials. Most infections have been identified in Mexico, but victims have also been found in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama.


2. The Importance of Managing Your Data Security Posture

Data security posture management (DSPM) is gaining attention as organizations look for evidence-based security to protect their data. DSPM assesses an organization’s data store or individual data objects, evaluating the data attack surface, data security control effectiveness, and data blast radius. To maintain a strong data security posture, organizations should inventory their data, monitor data activity and flows, assess data security controls, reduce the data attack surface, and minimize the blast radius. By implementing these measures, businesses can better protect their data from unauthorized access, destruction, or alteration, improving overall data security.


3. Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers

The Zero Day Initiative (ZDI) reported multiple security flaws in Sonos One wireless speakers, which could potentially lead to information disclosure and remote code execution. These vulnerabilities were demonstrated by teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest, earning them $105,000 in rewards. The four flaws impact Sonos One Speaker 70.3-35220, with two allowing network-adjacent attackers to execute arbitrary code and two permitting the disclosure of sensitive information. Successful exploitation could enable an attacker to execute code as the root user. Sonos addressed the flaws in their S2 and S1 software versions 15.1 and 11.7.1, respectively, and users are advised to apply the latest patches to mitigate potential risks.


4. CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security

Cybersecurity researchers have warned about CAPTCHA-breaking services being sold to bypass systems that differentiate between legitimate users and bot traffic. Trend Micro’s report highlights that these services employ human solvers instead of advanced machine learning methods or optical character recognition techniques. CAPTCHA, an essential tool for combating spam and limiting fake account creation, is becoming less effective due to these illicit services. Threat actors have been observed combining CAPTCHA-breaking services with proxyware offerings to evade antibot barriers and obscure originating IP addresses. To counter these risks, online web services should supplement CAPTCHAs and IP blocklisting with additional anti-abuse tools.


5. Don’t Click That ZIP File!

A new phishing technique called “file archiver in the browser” can emulate file archiver software in a web browser when a victim visits a .ZIP domain. Security researcher mr.d0x disclosed that threat actors could create realistic phishing landing pages using HTML and CSS, mimicking legitimate file archive software and hosting it on a .zip domain. This method elevates social engineering campaigns, potentially redirecting users to credential harvesting pages when clicking files within the fake ZIP archive. The technique raises concerns about the introduction of eight new top-level domains (TLDs), including “.zip” and “.mov,” which could invite phishing and other online scams due to their resemblance to legitimate file extensions. Cybersecurity company Group-IB has reported a 25% surge in the use of phishing kits in 2022, with increasing sophistication and evasion capabilities.

There are many ways cyber criminals will look to exploit your integral IT systems to access data or create chaos within your business for their own personal gain.
Here at DIESEC, we have experts on hand waiting to help you with all of your cybersecurity needs, from ensuring your system is safe and secure to teaching your employees how not to fall victim to social engineering ploys.

For more information please contact us now!