Roundup It has been a busy week in infosec, though here's a few more security news bites to mull over.
Storm clouds approaching Azure
The bug-hunters at Checkpoint have laid claim to the discovery and reporting of two serious, and now patched, security flaws in Microsoft Azure.
According to Checkpoint, the vulnerabilities would have potentially allowed a malicious virtual machine to break out of the Azure hypervisor protections and access the VMs of other tenants. In the wrong hands, the bugs would have had serious consequences.
The vulnerabilities, one designated CVE-2019-1234, and another not given an official number, have long since been patched after being privately disclosed to Microsoft. Still, the full story is an interesting read and a reminder that, just because your servers are hosted remotely they are not free of potentially serious security vulnerabilities.
Wawa data spotted for sale
Back in December, US convenience store chain Wawa suffered a network intrusion that resulted in the loss of customer payment card data. Now, unfortunately, some of that data has been found for sale to fraudsters.
Researchers with Gemini Advisory say the pilfered card details are being put up for sale on a notorious cybercrime marketplace called "the joker's stash."
There is some good news to be had, as it seems like the high-profile of the Wawa attack, combined with the limited geographic reach of the locations hit will limit some of the damage from fraudsters.
"Apart from banks with a nationwide presence, only financial institutions along the East Coast have significant exposure. Notably, major breaches of this type often have low demand in the dark web," the security firm explained.
"This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise."
That said, anyone who was included in the Wawa breach should probably looking into getting their payment cards replaced, just to be sure.
East Anglia uni pays students after data theft
Mark this one under "poor security will cost you."
East Anglia University in the UK says that the fallout from an errant email has cost it six figures in payouts.
The BBC says that after a staffer accidentally sent out the private personal health records of 298 students back in 2017, it has had to cough up settlements totaling £142,512 to those who were exposed.
Apple posts fixes for iOS and Mac bugs
Anyone who uses an Apple product will likely be asked to update soon, as the Cupertino electronics giant has dropped a set of patches for nearly every piece of kit it sells.
Among the fixes are security updates for iOS and macOS, the two major operating systems from Cook and Co. While there aren't any massive risks posed by the patched flaws (for example, none of the bugs are found in the WebKit browser engine), users and admins should look to get the patches in place before malware writers begin to take aim at them.
Maze ransomware operators dump data
The Maze ransomware has been in circulation for some time now, claiming some major infections, including one in Pensacola, Florida.
However, not everyone who was hit by the ransomware has paid the Bitcoin demands, and now the criminals behind the infection are dropping the data of companies that don't meet their demands.
Expect some serious hacks to come out of this.
Xbox opens bug bounty program
Microsoft has given security researchers yet another way to scare up some cash with the launch of an Xbox bug bounty program. Those who discover and report vulnerabilities in the Microsoft gaming platform will be able to get payouts as high as $20,000.
While bug bounty programs are not the end-all-be-all of corporate security, Microsoft has been better than most when it comes to handling reports and getting patches in place.
Malta bank hackers nabbed
The UK National Crime Agency says it has arrested three people in connection to a hacking attack on a Maltese bank last year.
In this case, the three men caught were suspected to have committed crimes including fraud, theft, and money laundering in connection with the attack. One of the trio was caught at Heathrow returning from a trip to China, while the other two were arrested in Belfast. Two others were arrested in connection with the case earlier in January.
Researcher finds DoD site running cryptocoin miner
The US Department of Defense has issued a rare shout-out to a private sector security researcher who spotted and reported an active attack on one of its sites.
Bug-hunter Nitesh Surana spotted a DoD site running a vulnerable version of Jenkins along with a suspicious script. On further inspection, it was found that someone had taken advantage of a code injection vulnerability to place a cryptocoin mining script on the government site.
The issue was reported in early January on HackerOne, and following a few weeks of investigation and cleanup, was disclosed to the public on January 31. ®