Weekly News Digest 9 – 15 December

Meta fined $264 million over 2018 Facebook data breach

Meta Platforms, the parent company of Facebook, has been fined €251 million (US$263 million) in relation to a 2018 data breach that impacted millions of users of the social networking app.

The fine was issued by the Irish Data Protection Commission (DPC), which said the breach impacted 29 million Facebook accounts worldwide, with approximately 3 million based in the European Union and European Economic Area (EEA).

Meta disclosed the breach in September 2018 and said it was due to a flaw introduced to Facebook’s systems in July 2017, allowing unknown threat actors to exploit the “View As” feature that lets a user see their own profile as someone else. The bug made it possible to obtain account access tokens, allowing malicious actors to break into victim accounts.

Data exposed included users’ full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups of which they were members, and children’s personal data.

The penalties issued by the DPC are pursuant to the violation of four different clauses under the GDPR data privacy laws, namely Article 33(3), Article 33(5), Article 25(1), and Article 25(2).

U.S. may ban TP-Link routers due to their risk to national security

U.S. authorities are conducting several investigations into the products and business practices of TP-Link, the supplier of up to 65% of routers for the small-office home-office (SOHO) segment of the market. These investigations may ultimately lead to the banning of the use of this brand of devices in the U.S.

The popular devices manufactured by TP-Link offer desirable features at a low price, and that pricing is itself the subject of an investigation into below-cost selling. Many U.S. ISPs also provide TP-Link routers as the default option for subscribers, which further increases the share of these devices in the U.S. market.

With such a commanding market share, authorities are naturally concerned about the security risk posed by a critical device that is present in so many U.S. households and organizations. The frequent targeting of poorly secured Internet of Things (IoT) devices such as routers, printers, and cameras by cybercriminals and nation-state backed threat actors only adds to these concerns.

In a recent report, researchers at Microsoft warned about a newly discovered botnet built using malware called Quad7 (CovertNetwork-1658) that consisted mostly of compromised TP-Link devices, suggesting that these devices are perhaps less secure than other brands, whose devices featured in the botnet to a much smaller extent.

CISA orders federal agencies to secure cloud environments

The Cybersecurity and Infrastructure Security Agency (CISA) yesterday (December 17) issued a Binding Operational Directive (BOD) to safeguard federal information and information systems. The BOD requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

CISA Director Jen Easterly said in a statement that the actions laid out in the directive are “an important step” toward reducing risk across the federal civilian enterprise, though threats loom in “every sector.”

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” said Easterly. “The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

When asked if the Directive was related to a specific incident, Matt Hartman, deputy executive assistant director for cybersecurity at CISA, said there have been “a number of recent cybersecurity incidents” where “the improper configuration of security controls in cloud environment introduced substantial risk and has resulted in actual compromises.” Hartman would not go into detail about the recent incidents or intrusions, only referring to the 2020 SolarWinds compromise as an example. “This is the product of work that we began after the SolarWinds campaign to create a centralized and consistent approach to securing the federal cloud environment,” Hartman told reporters.

New Windows vulnerability exposes NTLM credentials

A newly uncovered Windows vulnerability allows attackers to capture NTLM credentials by tricking the target into viewing a malicious file in Windows Explorer.

Researchers at 0patch discovered the flaw and reported it to Microsoft; however, no official fix has been released.

The vulnerability, which currently has no CVE ID, impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

While 0patch has withheld technical details until Microsoft provides an official fix, the researchers explained that the attack is triggered merely by viewing a specially crafted malicious file in File Explorer; opening the file is not required. The flaw likely forces an outbound NTLM connection to a remote share, which causes Windows to automatically send the logged-in user's NTLM hash, and an attacker controlling that share can then capture it.

0patch is offering a free micropatch for the flaw to all users registered on its platform until Microsoft provides an official fix.
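The flaw above depends on a Windows host being able to reach an attacker-controlled share over SMB, so a standard compensating control is egress filtering of SMB ports and a detection rule for any SMB traffic leaving the private address space. The script below is an added example, not code from 0patch or from the digest: it parses constructed, generic key=value firewall log lines (not the output of any real product) and flags SMB-port connections to hosts outside an assumed set of internal ranges.

```python
"""Flag outbound SMB connections that leave the internal network.

Added example, not part of the original digest or of 0patch's research.
The log format and all addresses below are constructed for illustration;
the internal ranges are an assumption standing in for an organization's
own address plan.
"""
import ipaddress
import re

# TCP ports that Windows will use for SMB and, in turn, NTLM authentication.
SMB_PORTS = {445, 139}

# Assumed internal address space (RFC 1918 plus loopback). Anything else is
# treated as external for the purpose of this check.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample log lines in a generic key=value shape (not real traffic).
SAMPLE_LOG = """\
ts=2024-12-10T09:12:01Z action=allow src=10.0.5.23 dst=10.0.5.10 dport=445 proto=tcp
ts=2024-12-10T09:13:44Z action=allow src=10.0.5.23 dst=203.0.113.45 dport=445 proto=tcp
ts=2024-12-10T09:14:02Z action=allow src=10.0.5.23 dst=203.0.113.45 dport=443 proto=tcp
ts=2024-12-10T09:15:30Z action=deny src=10.0.7.8 dst=198.51.100.7 dport=139 proto=tcp
"""

LINE_RE = re.compile(r"ts=(\S+) action=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_line(line):
    """Extract the fields we need from one log line; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)}


def is_external(addr):
    """True when the address falls outside every assumed internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def find_smb_egress(log_text):
    """Return every event where SMB-port traffic is bound for an external host.

    Denied attempts are kept too: a host repeatedly trying to reach an
    external share on port 445 is itself worth investigating.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dport"] in SMB_PORTS and is_external(ev["dst"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_smb_egress(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['action']:5} {ev['src']} -> {ev['dst']}:{ev['dport']}")
```

Of the four constructed lines, only the two SMB-port connections to non-internal addresses are reported; the internal file-server connection and the HTTPS session are ignored. In practice the allow entries are the ones that indicate an exposure, while the deny entries confirm that the perimeter rule is doing its job.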

Malware masquerades as meeting apps to steal Web3 pros’ data

Threat actors are leveraging a fake video conferencing app to deliver information-stealing malware called Realst to people working in Web3 under the guise of fake business meetings.

According to a report from Cado Security, the criminals behind the campaign “have set up fake companies using AI to increase the appearance of legitimacy. The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer.”

The attackers approach targets on Telegram to discuss a potential investment opportunity, urging them to join a video call hosted on the fake video conferencing platform called Meetem. However, after supposedly downloading a Windows or macOS version of Meetum, victims are infected with the Realst malware.

Realst has the ability to steal various types of sensitive data, including cryptocurrency wallets, Telegram credentials, banking information, iCloud Keychain data, and browser cookies. In addition to the Realst malware, Cado says the scam websites host JavaScript that attempts to drain cryptocurrency wallets that connect to the site.

Research finds critical infrastructure systems riddled with vulnerabilities

Researchers have published a report on the threat of bad software components to the critical infrastructure of the U.S. In a recently published paper, the researchers found more than 9,000 different vulnerabilities by reviewing the software bill of materials for around 2,000 software products.

A disturbingly large number of the vulnerabilities found, 855 of them, were the type that can be easily exploited by an attacker.

Over 3,800 instances of vulnerabilities that were in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list were also found spread across the products reviewed.

The researchers found that the bulk of the vulnerabilities were caused by 20 software components that are commonly used by other software products. The top three of these components are the Linux kernel, zlib, and OpenSSL.

The researchers also found that China-originated software code is 1.4 times more likely to contain vulnerabilities than code from other countries, and that China-originated code was almost ubiquitous among the software products reviewed, featuring in 90% of them. This, the researchers said, poses a critical threat to the U.S., adding that “Software products with China-born code must be identified and weeded out from our nation’s critical infrastructure.”
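The analysis described in this item, reviewing a software bill of materials and cross-referencing its components against known vulnerabilities and the CISA KEV catalogue, can be reproduced in miniature. The script below is an added example, not code from the researchers or from the digest: it reads a constructed CycloneDX-style SBOM, matches its components against a constructed vulnerability catalogue whose CVE identifiers are placeholders, and reports how many matches are on a KEV-style list.

```python
"""Cross-reference a CycloneDX-style SBOM against a vulnerability catalogue.

Added example, not part of the original digest or of the cited research.
Both the SBOM and the catalogue are constructed sample data; the CVE
identifiers are placeholders, not real advisories. A real check would
query an advisory database and the CISA KEV catalogue instead.
"""
import json
from collections import Counter

# Constructed sample SBOM in the CycloneDX JSON shape, trimmed to the fields used.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"name": "OpenSSL", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"name": "linux", "version": "5.10.0", "purl": "pkg:generic/linux@5.10.0"},
        {"name": "libfoo", "version": "2.0.0", "purl": "pkg:generic/libfoo@2.0.0"},
    ],
})

# Constructed catalogue: which component versions each placeholder entry
# affects, and whether it is on the KEV-style list.
SAMPLE_CATALOGUE = [
    {"id": "CVE-PLACEHOLDER-0001", "component": "zlib", "affected": ["1.2.11", "1.2.12"], "kev": True},
    {"id": "CVE-PLACEHOLDER-0002", "component": "openssl", "affected": ["1.1.1k"], "kev": False},
    {"id": "CVE-PLACEHOLDER-0003", "component": "openssl", "affected": ["3.0.0"], "kev": True},
    {"id": "CVE-PLACEHOLDER-0004", "component": "linux", "affected": ["5.10.0"], "kev": True},
]


def parse_components(sbom_json):
    """Return (name, version) pairs from CycloneDX JSON text, names lower-cased."""
    doc = json.loads(sbom_json)
    return [(c["name"].lower(), c.get("version", "")) for c in doc.get("components", [])]


def match_vulnerabilities(components, catalogue):
    """Return one record per (component, catalogue entry) match.

    Version matching is an exact string compare here; real tooling has to
    parse version ranges and per-ecosystem version schemes.
    """
    hits = []
    for name, version in components:
        for entry in catalogue:
            if entry["component"].lower() == name and version in entry["affected"]:
                hits.append({"component": name, "version": version,
                             "id": entry["id"], "kev": entry["kev"]})
    return hits


def summarize(hits):
    """Totals in the shape the report quotes: all findings, KEV findings, per component."""
    return {
        "total": len(hits),
        "kev": sum(1 for h in hits if h["kev"]),
        "by_component": dict(Counter(h["component"] for h in hits)),
    }


def analyze(sbom_json=SAMPLE_SBOM, catalogue=SAMPLE_CATALOGUE):
    """Run the full pipeline: parse SBOM, match against catalogue, summarize."""
    return summarize(match_vulnerabilities(parse_components(sbom_json), catalogue))


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Run against the constructed data, the three matched components are exactly the ones the report names as the top offenders (the Linux kernel, zlib and OpenSSL), two of the three findings are on the KEV-style list, and the unmatched libfoo component shows why coverage of the catalogue matters as much as the SBOM itself.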

QR codes can be used to bypass browser isolation to communicate with remote servers

Browser isolation is widely used by organizations to protect their users from a broad range of web-borne threats. Researchers have now found a way to use QR codes so that a malware-infected machine can communicate with a remote command-and-control (C&C) server through the browser even when browser isolation is in place.

To use this technique, the attacker’s malware relies on a convoluted setup: a local headless browser requests the required web page from the C&C server, and the server encodes its instructions as a QR code embedded in the HTML response. The response is rendered in the isolated browser, after which the malware takes a screenshot of the browser displaying the QR code, uses a QR code scanning library to extract the data or commands, and executes them.

While this technique does offer a way around browser isolation for receiving data from a C&C server, there are many limitations that make this technique less likely to catch on. These include the size limitation of the QR codes themselves, as in practice the researchers were only able to reliably exchange up to 2,189 bytes of data in each QR code. The process of downloading and rendering the QR code was also found to be relatively slow, with requests taking around 5 seconds each time. This makes it less practical for larger amounts of data, such as when downloading new malware.

Medical device maker Artivion says shipping disrupted by ransomware attack

Medical device manufacturer Artivion revealed on Monday (December 9) that a ransomware attack impacted some of its systems and caused disruption to order and shipping processes.

Artivion is a U.S. company based in Atlanta that specializes in heart surgery medical devices. The company employs over 1,250 people worldwide and has sales representatives in more than 100 countries.

“The incident involved the acquisition and encryption of files,” Artivion disclosed in an 8-K filing with the U.S. Securities and Exchange Commission (SEC). “The Company is working to securely restore its systems as quickly as possible and to evaluate any notification obligations.”

Artivion also said that disruptions to its corporate operations, order processing, and shipping have mostly been addressed and that insurance will cover expenses related to incident response. However, the company believes it will incur additional costs not covered by insurance.

At the time of writing, no ransomware group has claimed responsibility for the attack.

BadRAM Flaw in AMD Secure Encrypted Virtualization could expose secrets

Researchers have published information about a vulnerability dubbed BadRAM that affects AMD’s Secure Encrypted Virtualization (SEV) technology, which is used to help secure data within AMD-powered virtual machine (VM) environments by encrypting the memory to prevent VMs from snooping data used by other VMs.

The vulnerability, officially titled Undermining Integrity Features of SEV-SNP with Memory Aliasing (CVE-2024-21944 – CVSS 5.3), can be exploited by an attacker with physical access to the targeted computer by installing a low-cost device that manipulates the Serial Presence Detect (SPD) chip on a DDR4 or DDR5 memory module. The device tricks the CPU memory controller into creating an alias for the extra memory space that does not physically exist. These aliases result in a situation where two different addresses can refer to the same DRAM location and can be used by the attacker to snoop on data at the address.

While researchers demonstrated the attack using a cheap device that required physical access to the targeted machine, they believe that a similar attack can also be performed via a software-only method if the SPD chip is unlocked, which is the case for some vendor hardware.

To address the issue, AMD has released a firmware update that securely validates memory configurations during the processor’s boot process. Besides this, AMD recommends the use of memory modules with locked SPDs and restricting physical access to the machines to reduce risk.