Tesla Pwn2Own hacks and iOS push alerts abuse
Ethical hackers crack Tesla twice at Pwn2Own Automotive, popular iPhone apps found abusing iOS push notifications to steal data and the VexTrio TDS operation. Catch all this and more in this week’s edition of Cybersecurity Weekly.
Phishing simulations & training
1. Hackers breach Tesla twice, earn $450,000 at Pwn2Own automotive
Hackers at Pwn2Own Automotive in Tokyo made headlines by hacking a Tesla car twice. This first edition of the event saw Team Synacktiv winning $450,000 for demonstrating serious security gaps. In total, the competitors unearthed 49 zero-day bugs in electric car systems, highlighting critical cybersecurity challenges in the automotive sector.
2. Popular iPhone apps abuse iOS push notifications to spoof user data
Mobile researcher Mysk discovered many iOS apps, including TikTok and Facebook, use push notifications to secretly collect user data. This practice, which bypasses Apple's security, can create detailed user profiles. Apple plans to tighten API usage rules by Spring 2024 to stop this. Until then, users are advised to disable push notifications on their iPhone to safeguard their privacy.
3. Security researchers VexTrio for running an illicit TDS operation
Infoblox reported that VexTrio, a group controlling over 70,000 domains, is significantly involved in cybercrime by operating a traffic distribution system. This system links compromised websites with hosts of malicious content. Described as a major threat, VexTrio is involved in scams, phishing, and malware distribution. Their sophisticated methods of filtering and redirecting internet traffic make them hard to detect and counter, posing a persistent challenge to cybersecurity.
4. Threat actors attack WordPress database plugin with 1 million active users
Researchers have spotted thousands of attacks on a flaw in the Better Search Replace WordPress plugin. Identified as CVE-2023-6933, the flaw could let hackers execute code or steal data. The plugin's maker, WP Engine, has released a patch to fix this issue. It has also urged users to update their plugin immediately to protect against these security threats. Currently, Better Search Replace is active on 1 million WordPress sites.
5. Exposed Trello API enables hackers to link private email addresses with accounts
Popular project management tool Trello recently experienced a data breach affecting over 15 million Trellow user profiles. A hacker named emo attempted to sell this data on a hacking forum. Although Trello stated the leak stemmed from public data scraping, security researchers found the leak involved exploiting an exposed API. Trello has since tightened API access, but concerns remain about potential phishing attacks using this data.
See Infosec IQ in action
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Tesla Pwn2Own hacks and iOS push alerts abuse
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
- Uber data leaked, 48 DDoS-for-hire domains seized and Facebook posts phishing attack
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
