SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
Burger King parent uses DMCA complaint to censor security research
Two researchers reported finding serious vulnerabilities, including ones that expose employee information and drive-through orders, in systems run by Restaurant Brands International (RBI), which owns the Tim Hortons, Burger King and Popeyes brands. The vulnerabilities were reported to the vendor and quickly fixed. In addition, RBI said the system targeted by the researchers is still in early development. However, the company still sent a DMCA complaint to the researchers to force them to remove the blog post detailing their findings. The blog post was initially archived by the Internet Archive, but it has now been removed even from there.
Google paid out $1.6 million at cloud hacking event
Google announced the results of its inaugural cloud-focused bugSWAT hacking event, which brought together 20 top cloud security experts who found a total of 91 vulnerabilities. Roughly $1.6 million was paid out at the event, which brought the total paid out by the company this year for cloud vulnerabilities to $2.5 million.
Hundreds of XSS vulnerabilities still found in Microsoft services
Cross-site scripting (XSS) vulnerabilities have been around for more than two decades, but they remain common in online services. Microsoft has learned of nearly 1,000 XSS vulnerabilities affecting its services since the start of January 2024. In the past year, the tech giant paid out more than $900,000 in bug bounties for XSS flaws, with the highest single reward being $20,000.
Huntress research raises concerns
Security firm Huntress has disclosed the results of research conducted after a threat actor installed a trial of its product, which gave the company a “rare look” inside the hacker’s operations. However, due to the way it was framed, the blog post raised concerns over the level of access the company has to customers’ systems, including the systems of customers who only install a free trial of its product. The company has since provided clarifications on how its product works and the actual level of access it had to the attacker’s system and to customers’ systems in general.
“Huntress was able to see the hacker’s movements only because the hacker themselves installed the Huntress trial agent, which causes our SOC to analyze and investigate alerts as we would for any customer per their subscription to the services,” John Hammond, Principal Security Researcher at Huntress, told SecurityWeek. “The Huntress agent does not have capabilities like remote screen access or screenshots. The browser history references in the blog were obtained by investigating the forensic logs and artifacts pertinent to the malware alerts observed on the endpoint. Images that were included in our blog post were recreated by simply reviewing what the threat actor had done as part of their cybercriminal operations.”
MostereRAT analysis
FortiGuard Labs has published an analysis of MostereRAT and a phishing campaign it was involved in. The attack flow and its C&C domains were mentioned in a 2020 report as being associated with a banking trojan, but the malware has since evolved into a RAT that is now called MostereRAT. The malware employs sophisticated techniques, such as incorporating an EPL program, hiding the service creation method, blocking AV traffic, and switching to legitimate remote access tools like AnyDesk, TightVNC, and RDP Wrapper to control the victim’s system.
Kosovo national pleads guilty in US to operating BlackDB
Liridon Masurica, a 33-year-old Kosovo national, has pleaded guilty in a US court to operating the BlackDB.cc cybercrime marketplace, where users could trade account and server credentials, payment card information, and other personal information. Masurica was arrested in Kosovo in December 2024 and later extradited to the United States. He faces up to 10 years in prison.
California bill requires web browsers to allow consumers to opt out of data sharing
Lawmakers in California have passed AB 566, a bill that requires web browsers to include an option that allows users to opt out of the sale and sharing of their personal information. Governor Newsom now has to sign AB 566 into law.
HybridPetya bypasses UEFI Secure Boot
A piece of malware linked to the infamous NotPetya exploits CVE-2024-7344 to bypass UEFI Secure Boot, according to research conducted by ESET. Dubbed HybridPetya, the ransomware is designed to encrypt files. However, there is no evidence of use in the wild, and ESET believes HybridPetya may be another proof-of-concept malware developed by security researchers.
Cursor vulnerability
Oasis Security has found a vulnerability in the AI code editor Cursor that allows a malicious repository to execute arbitrary code when it is opened in Cursor. The malicious project includes a hidden ‘autorun’ instruction that tells Cursor to execute a task as soon as the folder is opened, without requiring explicit permission from the user. The attack is prevented by Cursor’s Workspace Trust feature, but that feature is disabled by default; Cursor plans on updating its security guidance to inform users about the risks.
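A pre-open check a defender can run on a cloned repository before opening it in an editor with Workspace Trust disabled, written here as an added example and not code from Oasis Security or Cursor. It assumes the VS Code-style task file layout (`.vscode/tasks.json` with a task-level `"runOptions": {"runOn": "folderOpen"}`), which the article does not spell out; the sample task file below is constructed.

```python
import json
import re
from pathlib import Path

# Assumed location and schema (VS Code-style task file; not stated in the article).
TASKS_FILE = Path(".vscode") / "tasks.json"


def _strip_jsonc(text: str) -> str:
    """Drop /* */ blocks and whole-line // comments so JSON-with-comments parses."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def find_folder_open_tasks(tasks_json_text: str) -> list:
    """Return every task configured to run automatically when the folder is opened."""
    data = json.loads(_strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type"),
                "command": task.get("command"),
            })
    return findings


def scan_repo(repo_dir: str) -> list:
    """Scan a checked-out repository; an absent task file means nothing auto-runs."""
    path = Path(repo_dir) / TASKS_FILE
    if not path.is_file():
        return []
    return find_folder_open_tasks(path.read_text(encoding="utf-8"))


# Constructed sample: one ordinary build task and one auto-run task.
SAMPLE_TASKS_JSON = """{
  // constructed sample task file, not from a real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "echo PLACEHOLDER",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for f in find_folder_open_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task on folder open: {f['label']} -> {f['command']}")
```

Run `scan_repo(path)` on a fresh clone; any non-empty result is a task the editor would launch without a prompt unless Workspace Trust is turned on.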