A roundup of the top news stories in information security this week, including a new Apache vulnerability that's similar to Heartbleed, iOS updates addressing a series of vulnerabilities, and a new study sheds light on the costs of data breaches for U.S. enterprises.
EQUIFAX BREACH
Equifax Security Executives Leave the Company
In a statement released late last week by Equifax, the company announced that its chief information officer and chief security officer are retiring. The changes are effective immediately, according to the company release, although the names of the executives were not featured in the announcement.
DATA BREACHES
Retailers Face Two Cyber Assaults a Week, Report Says
New research from Zynstra, an enterprise-grade IT software provider, indicates that retailers are responding to cyber attackers on average twice per week. While 64% of respondents in the survey indicated that they experienced one cyber attack per month, 16% shared they experienced an attempted attack every day, and 11% said they responded 2-3 times per week.
CYBER THREAT
Undocumented MS Office Feature Leveraged By Attackers to Gather Configuration Details
Security researchers at Kaspersky Lab discovered a spear phishing campaign featuring documents in the OLE2 format that contained no macros, exploits, or other active content. The documents featured several links to PHP scripts found in third-party web resources. If the files are opened, attackers can receive information on software installed on the targeted machine.
VULNERABILITY
Fitbit Bugs Allow Attackers to Access Personal Information
Vulnerabilities in the popular Fitbit devices could give cyber miscreants the ability to access the personal information and create false activity records. Researchers at the University of Edinburgh were able to exploit weaknesses in the device’s communication procedures to intercept messages transmitted between fitness trackers and cloud servers, bypassing end-to-end encryption.
RANSOMWARE
Report: $301 Million Paid to Cyber Attackers by SMBs
Small to medium-sized businesses have been hit hard by ransomware attackers, and a new study sheds light on just how much damage the malware has done. According to a survey released today of the 2016-2017 period, SMBs have paid out an estimated $301 million in ransom to attackers. The survey included responses from 1,700 managed service provides that have more than 100,000 SMB customers collectively.
VULNERABILITY
Apache Bug, Optionsbleed, Leaks Server Memory
Server memory can be leaked thanks to a vulnerability in Apache dubbed Optionsbleed. The flaw, CVE-2017-9798, was detailed this week by security researcher Hanno Böck, who said the flaw was similar to Heartbleed, seeing as attackers can query servers and fool Apache into responding with more data than usual.
PATCHES
iOS Update Addresses Eight Vulnerabilities
The iOS 11 update has been released, and along with a new look and feel that users can experience on the iPad, the update also addresses some significant vulnerabilities. A total of eight CVEs were patched in this week’s update, with more patches also released for Safari and the Xcode development framework.
SECURITY COSTS
Average Cyber Attack Costs Reach $1.3 Million for U.S. Enterprises
The average cost of a cyber attack on a North American enterprise or small to medium-sized business is increasing. According to a new report by Kaspersky Lab, the average cost of a data breach in North American is $1.3 million for enterprises and $117 million for SMBs.
RANSOMWARE
New Research Sheds Light on Ransomware Threat to Mobile Browsers
A new study by security firm SecureWorks’ Counter Threat Unit indicates that the mobile ransomware threat is only increasing. In 2016, their researchers discovered 200 new ransomware variants, an increase of 122% from the year prior. Given that most mobile ransomware threats are browser-based, it can infect nearly any device with a built-in browser, according to experts at SecureWorks CTU.
