Threatpost

30 March 2020

• Apple Unpatched VPN Bypass Bug Impacts iOS 13, Warn Researchers
  The vulnerability can be exploited to reveal limited traffic data including a device’s IP address.
• Critical CODESYS Bug Allows Remote Code Execution
  CVE-2020-10245, a heap-based buffer overflow that rates 10 out of 10 in severity, exists in the CODESYS web server and takes little skill to exploit.
• Tupperware Cyberattack Stores Away Customer Payment Cards
  The food container company's main website had a card skimmer that scooped up online customers' payment card data.
• Emerging APT Mounts Mass iPhone Surveillance Campaign
  The malware, the work of a new APT called TwoSail Junk, allows deep surveillance and total control over iOS devices.
• As Zoom Booms, Incidents of ‘ZoomBombing’ Become a Growing Nuisance
  Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools.
• Hackers Hijack Routers to Spread Malware Via Coronavirus Apps
  The router DNS hijacking attacks have targeted more than a thousand victims with the Oski info-stealing malware.
• Tokyo Olympics Postponed, But 5G Security Lessons Shine
  Threatpost Senior Editor Tara Seals is joined by Russ Mohr, engineer and Apple evangelist at MobileIron along with Jerry Ray, COO at SecureAge, for a discussion about the now postponed Tokyo Games and its use of 5G and the myriad of security concerns Japan is preparing for.
• Apple Update Fixes WebKit Flaws in iOS, Safari
  Apple's security update included a slew of vulnerabilities in various components of iOS, macOS and Safari - the most severe of which could enable remote code execution.
• Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign
  Researchers say that APT41's exploits are part of one of the broadest espionage campaigns they've seen from a Chinese-linked actor "in recent years."
• GE Employees Lit Up with Sensitive Doc Breach
  Marriage, divorce and death certificates, beneficiary info, passports and more were all caught up in an email takeover hack.