š Welcome to the 26th edition Cyber Weekly DigestĀ of 2024.
This week summer finally reached the UK... and by the sounds of it, everyone is hating it. Feeling hot hot hot š„
What have we been up to at CV HQ?
A mega hectic but exciting week of onboarding new customers, engaging new vendors and continually learning new technologies!
It was also that time of year again, you've seen it all over LinkedIn, congregating in a hot, sweaty tent, having it large... nope, not Glastonbury, it was the SentinelOne partner event with #PurpleAI headlining! Fantastic day, gaining insights to the innovations customers can see in the next 12 months.
Lastly, quick shout out to Magic (Katie, not Potter) and the Newmanator who are actually at Glastonbury this weekend. Enjoy guys! šŗ
NewĀ and noteworthyĀ this week:
Ā
š£ Reminder from Censys to strengthen yourĀ cybersecurityĀ strategy with Forrester's latest report on Attack Surface Management! Whether you're shaping global security policies or ensuring day-to-day protection, this report provides essential insights into ASM's impact on your defenses. Not yet au fait with Censys? Watch their demo video here
š£ Mobile devices have transformed the workplace, providing unparalleled flexibility but this convenience comes with increased email security risks, particularly in a world of remote work and multi-channel attacks. From fat finger errors to spear-phishing, learn how to protect your organisation from emerging threats in 2024 with this awesome blog from our friends at Egress.
š£ Very exciting news out of Bugcrowd HQ as they launch their AI Pen Testing services. Did you know that Air Canada lost a legal battle with a passenger who received bad advice from their chatbot? The case has set a precedent: If you are handing over part of your business to AI, you are responsible for what it does!Ā Check out the press release
š£ Calling all tech specialists. Join SkyHigh for their interactive SSE Hands-On Workshop! Designed for tech pros and Web Gateway users, this is your chance to dive into their cloud-based SSE solution.Ā In this three-hour workshop, youāll be able to try out SWG, CASB, RBI, DLP & ZTNA. Register here
Last but not least...
š£ With attackers able to move more easily in the cloud, you need to stop the lateral movement. Find solutions to this common cloud security problem and more with Illumio's super informative guide
Now, let's take a look at our Cyber Weekly Digest, highlighting our top cyber security news picks of the week.
Ā
šØ This week we heard about a potential privacy issue with your headphones, a security breach detected in a corporate IT environment and a new credit card skimming scandal
Ā
Keep reading to stay up to date on the latest cyber security news.
Ā
Multiple security flaws have been disclosed in Emerson Rosemount gas chromatographs that could be exploited by malicious actors to obtain sensitive information, induce a denial-of-service (DoS) condition, and even execute arbitrary commands. The flaws impact GC370XA, GC700XA, and GC1500XA and reside in versions 4.1.5 and prior. According to operational technology (OT) security firm Claroty, the vulnerabilities include two command injection flaws and two separate authentication and authorization vulnerabilities that could be weaponized by unauthenticated attackers to perform a wide range of malicious actions ranging from authentication bypass to command injection.
Ā
TeamViewer on Thursday disclosed it detected an "irregularity" in its internal corporate IT environment on June 26, 2024. "We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures," the company said in a statement. It further noted that its corporate IT environment is completely cut off from the product environment and that there is no evidence to indicate that any customer data has been impacted as a result of the incident.
Ā
Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution vulnerability via prompt injection techniques. The vulnerability, tracked as CVE-2024-5565 (CVSS score: 8.1), relates to a case of prompt injection in the "ask" function that could be exploited to trick the library into executing arbitrary commands, supply chain security firm JFrog said. Vanna is a Python-based machine learning library that allows users to chat with their SQL database to glean insights by "just asking questions" (aka prompts) that are translated into an equivalent SQL query using a large language model (LLM).
Ā
Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorised manner. Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. "When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," Apple said in a Tuesday advisory.
Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information. According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP file associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details.
ŠŠ¾Š¼Š¼ŠµŠ½ŃŠ°ŃŠøŠø