Roundup Congratulations, everyone. We made it through April. Here's a handy mop-up of bits and bytes of security news beyond what we covered in The Reg.
Xiaomi phones at the center of tracking brouhaha
A Forbes report last week outlined how some Xiaomi Android phones track their owners' web browsing and online activities.
It was claimed the handsets' bundled Xiaomi browser collects things like browsing history, search queries, and news feed activity, and sends the data off to servers in China, even in private incognito mode.
Xiaomi, in response, claimed it anonymizes the harvested data for performance monitoring, though it did admit that this "aggregated data collection" included URLs even in incognito mode.
"Our user's privacy and internet security is of top priority at Xiaomi," the phone maker added. "We are confident that we strictly follow and are fully compliant with local laws and regulations."
The two sides have had a bit of a barney over what exactly is happening. Xiaomi claimed it is not doing anything underhanded. Infosec bods countered that the data is "anonymized" only in the sense that it is tagged with a per-user unique ID that rarely changes, so every record from the same handset can still be linked back together, which isn't particularly brilliant.
Andrew Tierney, one of the researchers involved in the probe, tore into Xiaomi, saying its response was unclear, and added: "There is no doubt that the [Xiaomi] Mint Browser sends search terms and URLs whilst in incognito mode."
Today, the phone vendor issued an update for its Mi Browser, Mi Browser Pro on Google Play, and Mint Browser on Google Play to "include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection." Which should, in theory, when disabled, stop Xiaomi's software harvesting URLs and other stuff in private mode.
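To make the point about stable identifiers concrete, here is an added example (not Xiaomi's code, nor anything from the researchers' report) that simulates a collector receiving browsing events from one handset across three sessions. The record fields, the device ID format and the sessions are all constructed for illustration. A hashed but never-changing device ID still lets the collector stitch incognito sessions onto the user's normal profile; a freshly salted key per session does not.

```python
"""Why a stable per-user ID is pseudonymisation, not anonymisation.

Added example, not Xiaomi's code. The telemetry records below are
constructed to resemble what the report describes (URLs, search
queries, an incognito flag, a device identifier); field names and the
device ID format are assumptions.
"""
import hashlib
import secrets
from collections import defaultdict

# Constructed sample: one device, three browsing sessions, two of them
# in incognito mode. The only thing tying them together is the device ID.
DEVICE_ID = "d41d8cd9-8f00-3204-a980-0998ecf8427e"  # assumed format

SESSIONS = [
    {"incognito": False, "events": ["https://news.example/home", "q=weather"]},
    {"incognito": True, "events": ["https://clinic.example/results", "q=test results"]},
    {"incognito": True, "events": ["https://bank.example/login"]},
]


def stable_user_key(device_id: str) -> str:
    """'Anonymise' by hashing the device ID. The hash never changes, so it
    is just another name for the same user."""
    return hashlib.sha256(device_id.encode()).hexdigest()


def rotating_session_key(device_id: str) -> str:
    """Fresh random salt per session: the collector cannot re-link this
    key to the device or to any other session."""
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + device_id.encode()).hexdigest()


def emit_telemetry(sessions, key_fn):
    """Produce the records a collector would receive, one per event.
    key_fn is called once per session, as a browser would do at startup."""
    records = []
    for session in sessions:
        key = key_fn(DEVICE_ID)
        for event in session["events"]:
            records.append({"uid": key, "incognito": session["incognito"], "event": event})
    return records


def rebuild_profiles(records):
    """What the collector can do with what it got: group events by uid."""
    profiles = defaultdict(list)
    for r in records:
        profiles[r["uid"]].append(r["event"])
    return dict(profiles)


def linkable_incognito_events(records):
    """Count incognito events that share a uid with a non-incognito event,
    i.e. private browsing that can be attributed to a known profile."""
    normal_uids = {r["uid"] for r in records if not r["incognito"]}
    return sum(1 for r in records if r["incognito"] and r["uid"] in normal_uids)


if __name__ == "__main__":
    for name, fn in (("stable", stable_user_key), ("rotating", rotating_session_key)):
        recs = emit_telemetry(SESSIONS, fn)
        print(name, "profiles:", len(rebuild_profiles(recs)),
              "linkable incognito events:", linkable_incognito_events(recs))
```

With the stable key all six events collapse into a single profile and all three incognito events are attributable to it; with a per-session salt the collector sees three unrelated keys and nothing in private mode links back to the normal session. Hashing alone changes nothing about linkability, which is why the researchers' complaint about a rarely rotated ID matters.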
'PerSwaysion' attacks menace Microsoft 365 customers
Group-IB said a gang of phishers active since last year has compromised specifically targeted victims by luring them to credential-harvesting pages that mimic the Microsoft 365 login.
Known as PerSwaysion, the crew has stolen the credentials of more than 150 executives and officers at organizations in the financial, legal, consulting, and manufacturing sectors, we're told. In addition to putting extensive work into setting up pages that impersonate Microsoft services, the miscreants also rely heavily on Redmond's Sway presentation service to host the lures, which is where the campaign gets its name.
"The PerSwaysion campaign is a collection of small yet targeted phishing attacks run by multiple cyber-criminal groups, attacking small and medium financial services companies, law firms, and real estate groups," said Group-IB.
LabCorp faces data breach suit
Medical testing giant LabCorp is still dealing with the fallout from last year's network intrusion at one of its subcontracted bill collectors.
A group of investors has launched a derivative lawsuit against LabCorp and its management team. The suit, filed in Delaware, USA, claims LabCorp execs did not do enough to secure their patient records, and as a result the American company and its investors took a major financial hit.
White House says no more foreign grid gear
President Donald Trump has issued an executive order barring the purchase of any foreign-made equipment for use in the US power grid.
The order, which applies to bulk-power system equipment, is based on the belief that a significant national security risk is created when US power companies buy and install network-connected devices that could be backdoored or otherwise compromised to knacker the American power grid.
Magento gets patched up
Admins of Adobe's Magento commerce suite will want to make sure they are fully up to date following the release of patches for more than a dozen security flaws.
The update includes fixes for six arbitrary code execution holes deemed to be critical security risks. Other vulnerabilities allow for authorization bypass, elevation of privilege, and information disclosure.
Remote learning gear could contain grade-busting bugs
Infosec bods have cracked open WordPress plugins being used by schools for remote teaching, and say some of the tools could be exploited by mischief-makers to manipulate grades.
A report from Check Point details three WordPress plugins popular with schools for remote learning that contain potentially serious bugs.
In some cases, these are basic things like SQL injection or arbitrary file overwrite flaws that would let an attacker tamper with the site's database or files. In other cases, however, the researchers found elevation of privilege flaws. In the case of a classroom, this would mean a student upgrading themselves to teacher credentials.
Ferris Bueller would be so proud...
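The two bug classes above, SQL injection and a missing privilege check, are worth seeing side by side. What follows is an added example, not code from any of the plugins in the report or from Check Point: a made-up gradebook in SQLite where students may attach a note to their own grade row. The schema, the roles, the user names and the injected payload are all constructed for illustration.

```python
"""Grade tampering via SQL injection, beside the parameterised and
role-checked fix. Added example; the gradebook schema, users and payload
are constructed and are not from any real plugin.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE grades (student TEXT, subject TEXT, grade TEXT,
                             note TEXT NOT NULL DEFAULT '');
        INSERT INTO users VALUES ('ms_bloom', 'teacher'), ('ferris', 'student');
        INSERT INTO grades (student, subject, grade) VALUES ('ferris', 'maths', 'D');
        """
    )
    return conn


# What a student submits as a "note": it closes the string literal, adds a
# second SET clause, supplies its own WHERE and comments out the original.
PAYLOAD = "ok', grade = 'A' WHERE student = 'ferris' --"


def add_note_vulnerable(conn, student: str, note: str) -> None:
    """Student-controlled text spliced straight into the statement, so the
    student controls the SQL. Kept vulnerable on purpose for the demo."""
    conn.execute(f"UPDATE grades SET note = '{note}' WHERE student = '{student}'")
    conn.commit()


def add_note_safe(conn, student: str, note: str) -> None:
    """Same feature with bound parameters: the note is data, never SQL."""
    conn.execute("UPDATE grades SET note = ? WHERE student = ?", (note, student))
    conn.commit()


def set_grade_safe(conn, actor: str, student: str, subject: str, grade: str) -> bool:
    """Grade changes require the teacher role, looked up server-side from
    the users table rather than trusted from the request."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (actor,)).fetchone()
    if row is None or row[0] != "teacher":
        return False
    conn.execute(
        "UPDATE grades SET grade = ? WHERE student = ? AND subject = ?",
        (grade, student, subject),
    )
    conn.commit()
    return True


def grade_and_note(conn, student: str, subject: str):
    return conn.execute(
        "SELECT grade, note FROM grades WHERE student = ? AND subject = ?",
        (student, subject),
    ).fetchone()


def demo_vulnerable():
    """Injection through the note field rewrites the grade."""
    conn = make_db()
    add_note_vulnerable(conn, "ferris", PAYLOAD)
    return grade_and_note(conn, "ferris", "maths")


def demo_safe():
    """Same payload is stored verbatim; grade changes need the teacher role."""
    conn = make_db()
    add_note_safe(conn, "ferris", PAYLOAD)
    as_student = set_grade_safe(conn, "ferris", "ferris", "maths", "A")
    as_teacher = set_grade_safe(conn, "ms_bloom", "ferris", "maths", "B")
    return grade_and_note(conn, "ferris", "maths"), as_student, as_teacher


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:", demo_safe())
```

In the vulnerable path the single UPDATE becomes `UPDATE grades SET note = 'ok', grade = 'A' WHERE student = 'ferris' --' WHERE ...`, so no second statement is needed and the grade flips to A. In the safe path the same payload lands in the note column as an inert string, and the student's attempt to call the grade-setting function is refused because the role comes from the database, not the request. The WordPress-native equivalents of those two fixes are `$wpdb->prepare()` for the query and a `current_user_can()` capability check before any privileged action.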
Crooks caught selling phony street passes in Moscow
The team at Group-IB said it has broken up a ring of more than 100 sites that were claiming to allow Russian citizens to skirt the nation's lockdown orders.
The sites were selling phony street passes – credentials that allow people to be out driving in Moscow, St Petersburg, and other major cities that have restricted travel during the coronavirus pandemic. Those passes were of course fake and, in addition to losing their money and incurring the wrath of law enforcement, victims also risked having their payment information stolen.
Police in Moscow were able to track down two of the operators and have already arrested both.
Microsoft posts Edge Chromium update
Users and admins running the Chromium-based version of Edge will want to get an update for two CVE-listed security flaws. The bugs (CVE-2020-6461, CVE-2020-6462) are a pair of use-after-free vulnerabilities in the Chromium engine, discovered by researcher Zhe Jin.
But don't go calling this an "out of band" update from Microsoft. One of the changes to come with Microsoft's move to the Chromium engine for its Edge browser is a new update schedule. As Google maintains its own schedule to post updates, Redmond likewise finds itself dropping browser updates on days other than Patch Tuesday. ®