#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter
CrowdSec

data security | Breaking Cybersecurity News | The Hacker News

Beware of Ghost Sites: Silent Threat Lurking in Your Salesforce Communities

Beware of Ghost Sites: Silent Threat Lurking in Your Salesforce Communities

May 31, 2023 Data protection / Cyber Threat
Improperly deactivated and abandoned Salesforce  Sites  and  Communities  (aka Experience Cloud) could pose severe risks to organizations, leading to unauthorized access to sensitive data. Data security firm Varonis dubbed the abandoned, unprotected, and unmonitored resources " ghost sites ." "When these Communities are no longer needed, though, they are often set aside but not deactivated," Varonis Threat Labs researchers  said  in a new report shared with The Hacker News. "Because these unused sites are not maintained, they aren't tested against vulnerabilities, and Admins fail to update the site's security measures according to newer guidelines." Varonis said it found many of these deactivated (but still active) sites still fetching new data, thereby allowing threat actors to extract data by manipulating the  host header  in the HTTP request. Identifying the complete internal URLs associated with the sites is challenging but not impossible, as an adversary could leverage too
E.U. Regulators Hit Meta with Record $1.3 Billion Fine for Data Transfer Violations

E.U. Regulators Hit Meta with Record $1.3 Billion Fine for Data Transfer Violations

May 22, 2023 Data Protection / Privacy
Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S. In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months. Additionally, Meta has been given five months to suspend any future transfer of Facebook users' data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order. "The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous," Andrea Jelinek, EDPB Chair,  said  in a statement. "Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizati
cyber security

external linkWing Security Launches Free SaaS Discovery Tool to Tackle Shadow IT Risks

websitewww.wing.securitySaaS Security / Attack Surface
Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.
ChatGPT is Back in Italy After Addressing Data Privacy Concerns

ChatGPT is Back in Italy After Addressing Data Privacy Concerns

Apr 29, 2023 Data Safety / Privacy / AI
OpenAI, the company behind ChatGPT, has officially made a return to Italy after the company met the  data protection authority's demands  ahead of April 30, 2023, deadline. The development was  first reported  by the Associated Press. OpenAI's CEO, Sam Altman,  tweeted , "we're excited ChatGPT is available in [Italy] again!" The reinstatement comes following Garante's decision to  temporarily block  access to the popular AI chatbot service in Italy on March 31, 2023, over concerns that its practices are in violation of data protection laws in the region. Generative AI systems like ChatGPT and Google Bard primarily rely on huge amounts of information freely available on the internet as well as the data its users provide over the course of their interactions. OpenAI, which published a  new FAQ , said it filters and removes information such as hate speech, adult content, sites that primarily aggregate personal information, and spam. It also emphasized that
ViperSoftX InfoStealer Adopts Sophisticated Techniques to Avoid Detection

ViperSoftX InfoStealer Adopts Sophisticated Techniques to Avoid Detection

Apr 28, 2023 Data Security / Malware
A significant number of victims in the consumer and enterprise sectors located across Australia, Japan, the U.S., and India have been affected by an evasive information-stealing malware called  ViperSoftX . ViperSoftX was first documented by Fortinet in 2020, with cybersecurity company Avast detailing a campaign in November 2022 that  leveraged  the malware to distribute a malicious Google Chrome extension capable of siphoning cryptocurrencies from wallet applications. Now a  new analysis  from Trend Micro has revealed the malware's adoption of "more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking." The arrival vector of ViperSoftX is typically a software crack or a key generator (keygen), while also employing actual non-malicious software like multimedia editors and system cleaner apps as "carriers." One of the key steps performed by the malware before downloading a first-stage Po
Protect Your Company: Ransomware Prevention Made Easy

Protect Your Company: Ransomware Prevention Made Easy

Apr 05, 2023 Endpoint / Network Security
Every year hundreds of millions of malware attacks occur worldwide, and every year businesses deal with the impact of viruses, worms, keyloggers, and ransomware. Malware is a pernicious threat and the biggest driver for businesses to look for cybersecurity solutions.  Naturally, businesses want to find products that will stop malware in its tracks, and so they search for solutions to do that. But  malware protection  alone is not enough, instead what's needed is a more holistic approach. Businesses need to defend against malware entering the network, and then on top of that have systems and processes in place to restrict the damage that malware can do if it infects a user device.  This approach will not only help stop and mitigate the damage from malware, but defend against other types of threats too, such as credential theft as a result of phishing, insider threats, and supply-chain attacks.  Element 1: Malware Protection and Web Filtering The first and most sensible place to
Think Before You Share the Link: SaaS in the Real World

Think Before You Share the Link: SaaS in the Real World

Apr 04, 2023 SaaS Security / Data Safety
Collaboration sits at the essence of SaaS applications. The word, or some form of it, appears in the top two headlines on Google Workspace's homepage. It can be found six times on Microsoft 365's homepage, three times on Box, and once on Workday. Visit nearly any SaaS site, and odds are 'collaboration' will appear as part of the app's key selling point.  By sitting on the cloud, content within the applications is immediately shareable, making it easier than ever to work with others.  However, that shareability is a two-sided coin. On the flip side are often sensitive links sitting on public-facing websites that can be easily accessed. The exposure caused by leaked documents can cause tremendous harm, from competitors trying to gather corporate secrets to whistleblowers sharing internal information with reporters or legislators. As integral as collaboration is to SaaS, sharing links creates a high-risk situation, and real-life breaches, that can be mitigated through the right process
Italian Watchdog Bans OpenAI's ChatGPT Over Data Protection Concerns

Italian Watchdog Bans OpenAI's ChatGPT Over Data Protection Concerns

Apr 03, 2023 Artificial Intelligence / Data Safety
The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban of OpenAI's ChatGPT service in the country, citing data protection concerns. To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in violation of the E.U. General Data Protection Regulation ( GDPR ) laws. "No information is provided to users and data subjects whose data are collected by Open AI," the Garante  noted . "More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies." ChatGPT, which is estimated to have reached over 100 million monthly active users since its release late last year,  has not   disclosed   what it used  to train its latest large languag
Cyberstorage: Leveraging the Multi-Cloud to Combat Data Exfiltration

Cyberstorage: Leveraging the Multi-Cloud to Combat Data Exfiltration

Mar 30, 2023 Data Security / Encryption
Multi-cloud data storage, once merely a byproduct of the great cloud migration, has now become a strategy for data management. "Multi-cloud by design," and its companion the supercloud, is an ecosystem in which several cloud systems work together to provide many organizational benefits, including increased scale and overall resiliency. And now, even security teams who have long been the holdout on wide-scale cloud adoption, may find a reason to rejoice. Born out of the multi-cloud approach, cyberstorage enables companies to not only enjoy the benefits that multi-cloud brings but also eliminate the risk of data exposure at the same time, marking the beginning of the multi-cloud maturity era. What Is The Supercloud? While many organizations ended up with multiple cloud services as a byproduct of interdepartmental needs, today organizations are intentionally building multi-cloud environments. And rather than manage the various cloud services individually, many are implementin
SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

Mar 07, 2023 Data Safety / Cyber Threat
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors since November 2022. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News. "The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information." The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation  dubbed Ducktail  by Zscaler. However, WithSecure, which  first documented  the Ducktail activity cluster in July 2022, said the  two intrusion sets  are different from one another, indicating ho
Shein's Android App Caught Transmitting Clipboard Data to Remote Servers

Shein's Android App Caught Transmitting Clipboard Data to Remote Servers

Mar 07, 2023 Privacy / Data Breach
An older version of Shein's  Android application  suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it  discovered  the problem in  version 7.9.2  of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. Shein, originally named ZZKKO, is a Chinese online fast fashion retailer based in Singapore. The app, which is currently at version 9.0.0, has over 100 million downloads on the Google Play Store. The tech giant  said  it's not "specifically aware of any malicious intent behind the behavior," but noted that the function isn't necessary to perform tasks on the app. It further pointed out that launching the application after copying any content to the device clipboard automatically triggered an HTTP POST request containing the data to the server "api-service[.]shein[.]com." To mitigate such privacy risks, Goo
Breaking the Security "Black Box" in DBs, Data Warehouses and Data Lakes

Breaking the Security "Black Box" in DBs, Data Warehouses and Data Lakes

Feb 16, 2023 Data Security / Compliance
Security teams typically have great visibility over most areas, for example, the corporate network, endpoints, servers, and cloud infrastructure. They use this visibility to enforce the necessary security and compliance requirements. However, this is not the case when it comes to sensitive data sitting in production or analytic databases, data warehouses or data lakes. Security teams have to rely on data teams to locate sensitive data and enforce access controls and security policies. This is a huge headache for both the security and data teams. It weakens the business's security and compliance putting it at risk of exposing sensitive data, large fines, reputational damages, and more. Also, in many cases, it slows down the business's ability to scale up data operations.  This article examines how Satori, a data security platform, gives control of the sensitive data in databases, data warehouses and data lakes to the security teams. Satori's  automated data security plat
Russian Hackers Using Graphiron Malware to Steal Data from Ukraine

Russian Hackers Using Graphiron Malware to Steal Data from Ukraine

Feb 08, 2023 Threat Intelligence / Data Safety
A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine. Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as  Nodaria , which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056. "The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files," the Symantec Threat Hunter Team  said  in a report shared with The Hacker News. Nodaria was  first spotlighted  by CERT-UA in January 2022, calling attention to the adversary's use of  SaintBot and OutSteel malware  in spear-phishing attacks targeting government entities. Also called DEV-0586, TA471, and UNC2589, the hacking crew has been linked to the destructive WhisperGate (aka PAYWIPE ) data wiper attacks targeting Ukrainian entities around the same time.
Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads

Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads

Jan 05, 2023 Privacy / Data Protection
The Irish Data Protection Commission (DPC) has  fined  Meta Platforms €390 million (roughly $414 million) over its handling of user data for serving personalized ads in what could be a major blow to its ad-fueled business model. To that end, the privacy regulator has ordered Meta Ireland to pay two fines – a €210 million ($222.5 million) fine over violations of the E.U. General Data Protection Regulation ( GDPR ) related to Facebook, and a €180 million ($191 million) for similar violations in Instagram. The latest enforcement comes in the wake of concerns that the social media company used its Terms of Service to gain users' forced consent to allow targeted advertising based on their online activity. The complaints were filed on May 25, 2018, the date when GDPR came into effect in the region. It also arrives a month after the European Data Protection Board (EDPB), an independent body that oversees the consistent application of GDPR in the E.U.,  announced  that it had reached 
France Fines Microsoft €60 Million for Using Advertising Cookies Without User Consent

France Fines Microsoft €60 Million for Using Advertising Cookies Without User Consent

Dec 23, 2022 Privacy / Data Security
France's privacy watchdog has imposed a €60 million ($63.88 million) fine against Microsoft's Ireland subsidiary for dropping advertising cookies in users' computers without their explicit consent in violation of data protection laws in the European Union. The Commission nationale de l'informatique et des libertés (CNIL)  noted  that users visiting the home page of its Bing search engine did not have a "mechanism to refuse cookies as easily as accepting them." The authority, which carried out an online audit between September 2020 and May 2021 following a complaint it received in February 2020,  stated  the tech giant deposited cookies with an aim to serve ads and fight advertising fraud without getting a user's permission beforehand, as is required by law. Along with the fines, Microsoft has also been ordered to alter its cookie practices within three months, or risk facing an additional penalty of €60,000 per day of non-compliance following the end
FTC Fines Fortnite Maker Epic Games $275 Million for Violating Children's Privacy Law

FTC Fines Fortnite Maker Epic Games $275 Million for Violating Children's Privacy Law

Dec 20, 2022 Privacy / Data Security
Epic Games has reached a $520 million settlement with the U.S. Federal Trade Commission (FTC) over allegations that the  Fortnite  creator violated online privacy laws for children and tricked users into making unintended purchases in the video game. To that end, the company will pay a record $275 million monetary penalty for breaching the Children's Online Privacy Protection Act ( COPPA ) by collecting the personal information of Fortnite players under the age of 13 without seeking permission from their parents. It will also pay $245 million to reimburse customers who were deceived by its  dark pattern  tricks to make accidental purchases as well as for allowing children to rack up unauthorized charges through in-game content purchases without requiring any parental or card holder action or consent. "Epic Games possessed actual knowledge that it collected personal information from children, including their names, email addresses, and identifiers used to keep track of pla
Cybercrime (and Security) Predictions for 2023

Cybercrime (and Security) Predictions for 2023

Dec 19, 2022 Password Policy / Data Security
Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it's up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs.  Here's a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.  Increase in digital supply chain attacks  With the rapid modernization and digitization of supply chains come new security risks. Gartner predicts that  by 2025, 45% of organizations worldwide will have experienced attacks  on their software supply chains—this is a three-fold increase from 2021. Previously, these types of attacks weren't even likely to happen because supply chains weren't connected to the internet. But now that they are, supply chains need to be secured properly.  The introduction of new technology around software supply chains means there are likely security holes that have yet to be identified, but are essenti
Cybersecurity Resources