The Zero-Day Initiative (ZDI) , an organization that offers bug bounties for security researchers and organizes popular hacking competition events with eye-catching prizes, is in the midst of its first ever Pwn2Own event in Ireland. After two full days of hacking in the four-day event, the competition has already paid out prizes to the tune of $800,000 to numerous competitors.

The competition is known for drawing in top hacking talent from around the world to tackle challenges against numerous devices and uncovering new vulnerabilities in the process. The inaugural Pwn2Own Ireland event looks set to continue with that tradition.

So far, the highest single prize of $100,000 was awarded to Sina Kheirkhah from the Summoning Team who knitted together a series of vulnerabilities to get “from QNAP QHora-322 through to the TrueNAS Mini X,” which is a challenge for an attacker to traverse from a QNAP router to the NAS device.

Other notable prizes went to Jack Dates of RET2 Systems, who exploited an out-of-bounds write vulnerability to exploit a Sonos Era 300 speaker to earn $60,000.

The Viettel Cyber Security team also earned themselves $50,000 in the “QNAP QHora-322 to the TrueNAS Mini X” challenge by using a combination of four vulnerabilities, two in the router and two in the NAS.

Ken Gannon of NCC Group used several vulnerabilities and techniques against a Samsung Galaxy 24 device in order to get shell access and install an app, earning himself $50,000 in the process.

The competition is set to continue until Friday, October 25, with many more devices expected to be pwned and prizes paid by then.

Radiant Capital, a decentralized autonomous organization (DAO) providing a multichain lending protocol, has revealed that sophisticated attackers managed to overcome its security procedures to steal around $50 million worth of cryptocurrency.

It is believed that the attackers managed to compromise the machines of at least three of the key developers of the DAO and install malware designed to steal cryptocurrency. These developers were then tricked into signing and approving transactions that displayed legitimate transaction information in the user interface, while alternative transactions were signed behind the scenes.

A possible sign that things were amiss was some extra steps to sign and retransmit seemingly failed transactions. This can sometimes happen in legitimate circumstances but the attackers manufactured this scenario to make the developers perform multiple signing operations in order to overcome a multi-signature wallet setup.

The attackers managed to move around $58 million worth of cryptocurrency held by the DAO into their own wallets. The stolen funds were subsequently converted to 12,800 ETH and 32,100 BNB tokens.

Radiant Capital has engaged experts and authorities to investigate the attack and attempt to freeze and recover the funds

Researchers have found severe cryptographic flaws in several end-to-end encrypted (E2EE) cloud storage platforms that could expose sensitive data to threat actors.

ETH Zurich researchers Jonas Hofmann and Kien Tuong Turong found issues in the Sync, pCloud, Icedrive, Seafile, and Tresorit services, which are collectively used by more than 22 million people.

“The vulnerabilities range in severity: in many cases, a malicious server can inject files, tamper with file data, and even gain direct access to plaintext,” the researchers explained. “Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.”

The analysis is based on the assumption an attacker is controlling a malicious server, which could then be used to target the service providers’ users. The researchers found serious vulnerabilities in all five products, including implementations that could allow malicious actors to inject files, tamper with data, or gain access to user files.

The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024. While Icedrive decided not to address the issues, Sync, pCloud, Seafile, and Tresorit acknowledged the report and have moved to address the issues.

Apple has patched a vulnerability (CVE-2024-44133 – CVSS 5.5) in the macOS operating system (OS) that could allow an attacker to bypass the Transparency, Consent, and Control (TCC) protection, which is designed to protect a user’s privacy.

TCC is designed to prevent apps from accessing functionality that the user does not want them to access, such as the camera, microphone, and location. However, Microsoft discovered a way to get around this protection in Safari on MDM-managed devices by taking a few steps and modifying some configuration files for the user.

Once the configuration is completed, an attacker simply has to open a specially crafted website into a tiny Safari window so that it cannot easily be seen. They can then use the browser to access the camera or location of the device without the user knowing or consenting. Microsoft believes the vulnerability may have already been used in the wild for adware-related attacks.

The issue was patched by Apple on September 16 in the macOS Sequoia 15 update.

Cisco confirmed on Friday (October 18) that it took its public DevHub portal offline after a threat actor leaked “non-public” data. However, the tech giant reiterated that there is no evidence that its systems were breached.

“We have determined that the data in question is on a public-facing DevHub environment—a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed,” reads an updated statement from Cisco. “At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published.”

The news follows claims made by the threat actor known as IntelBroker who said that they breached Cisco on October 6 and stole a large amount of developer data.

IntelBroker told BleepingComputer that he gained access to a Cisco third-party developer environment through an exposed API token. According to BleepingComputer, “IntelBroker grew increasingly frustrated when [Cisco] would not acknowledge a security incident, sharing screenshots with BleepingComputer to prove he had access to a Cisco developer environment.”

The screenshots showed that IntelBroker had access to most of the data stored on the portal, including source code, configuration files with database credentials, technical documentation, and SQL files.

BleepingComputer said it reached out to Cisco with further questions about IntelBroker’s claims but has not received a reply.

After an initial data breach back in early October 2024 where private data belonging to 31 million users were exposed, it has been revealed that there has been a fresh data breach related to the Internet Archive (IA). This time, the breach was made against the users of the Zendesk support site that IA used to provide support services to its users.

This new breach stems from the attackers finding and using a GitLab token that was stolen along with the original materials in the earlier breach. After the initial breach, IA failed to reset/rotate tokens for all the systems. This meant that an access token for Zendesk was not changed and attackers have likely used it to access the data from over 800,000 support tickets that were generated since 2018.

Some users of the support site have since received emails sent from an anonymous user criticizing the security operations at IA, informing them of the new development as well as warning them that their data is potentially already stolen by malicious actors.

The Bumblebee malware loader is back in action after Europol seized parts of its infrastructure in May.

The law enforcement action, codenamed Operation Endgame, seized over a hundred servers supporting multiple malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. Bumblebee remained inactive since the disruption. However, Netskope researchers recently observed new Bumblebee activity, suggesting the loader has returned.

The latest activity starts with a phishing email containing a link to download a ZIP file. The archive file contains a LNK file that triggers PowerShell to download a malicious MSI file disguised as a legitimate NVIDIA driver update or Midjourney installer. The MSI file is then executed silently and without the need for any user interaction, eventually leading to the deployment of Bumblebee.

Netskope did not provide any information on the payloads that Bumblebee dropped or the scale of the campaign.

Active since at least March 2022, Bumblebee is a malware loader associated with the Miner ransomware group (aka Conti, Wizard Spider). Bumblebee acts as a delivery vector for other malware, including ransomware. Bumblebee may have been introduced as a replacement loader for Trickbot and BazarLoader.

The U.S. Securities and Exchange Commission (SEC) on Tuesday (October 22) announced charges against four cybersecurity companies for downplaying the impact of their breaches during the 2020 SolarWinds Orion supply chain hack.

“The Securities and Exchange Commission today charged four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions,” the SEC said in a press release.

The SEC accused the companies of learning in 2020 and 2021 that the hacker behind the SolarWinds attack also accessed their systems but “each negligently minimized its cybersecurity incident in its public disclosures.”

The SEC also charged Unisys with disclosure controls and procedures violations. The SEC said Unisys failed to adequately address cybersecurity risks, even though it knew of two SolarWinds-related breaches involving data exfiltration.

The companies agreed to pay civil penalties to settle the SEC’s charges:

• Unisys Corp.: $4 million

• Avaya Holdings Corp.: $1 million

• Check Point Software Technologies Ltd.: $995,000

• Mimecast Limited: $990,000

A threat actor known as Satanic claims to have breached fashion retail giant Hot Topic and stolen personally identifiable information (PII) belonging to 350 million shoppers.

Satanic claims they compromised Hot Topic’s loyalty account. Stolen data is said to include customer names, emails, physical addresses, and dates of birth. The threat actor also claims the data includes the last four digits of customers’ credit cards, card types, hashed expiration dates, and account holder names.

There is evidence to suggest that the source of the data leak was an employee at Robling, a retail analytics business. An infostealer infection led to the theft of data containing a trove of credentials, many of which were linked to Hot Topic.

Satanic is selling the data haul for $20,000. The threat actor also offered Hot Topic the chance to pay $100,000 to remove the sale listing.

Landmark Admin, one of the largest insurance administrative services in the U.S., said it suffered a cyberattack in May 2024 that exposed sensitive information of more than 800,000 people.

In a filing with regulators in Maine, Landmark said that data accessed by the hackers included individuals’ first name/initial and last name; address; Social Security number; tax identification number; driver’s license number/state-issued identification card; passport number; financial account number; medical information; date of birth; health insurance policy number; and life and annuity policy information.

Landmark said it detected suspicious activity on May 13, which caused the company to shut down IT systems and remote access to its network to prevent the spread of the attack. The company said the investigation is ongoing and that it will notify affected individuals if more information becomes available.