Afternoon Dessert - 2022-09-22

Welcome to another Afternoon Dessert breakout:

IT Security Takeaways from the Wiseasy Hack
Last month Tech Crunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals. How Did the Wiseasy Hack Happen? Wiseasy employees use a cloud-based dashboard for remotely
Read more....

Hackers stealing GitHub accounts using fake CircleCI notifications
GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform. [...]
Read more....

Critical Magento vulnerability targeted in new surge of attacks
Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. [...]
Read more....

Malicious NPM Package Caught Mimicking Material Tailwind CSS Package
A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a CSS-based framework advertised by its maintainers as an "easy to use components library for Tailwind CSS and Material Design." "The
Read more....

Interested in cybersecurity? Join us for Security SOS Week 2022!
Four one-on-one interviews with experts who are passionate about sharing their expertise with the community.
Read more....

Microsoft Exchange servers hacked via OAuth apps for phishing
Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the end goal of deploying malicious OAuth applications and sending phishing emails. [...]
Read more....

Researchers Uncover Years-Long Mobile Spyware Campaign Targeting Uyghurs
A new wave of a mobile surveillance campaign has been observed targeting the Uyghur community as part of a long-standing spyware operation active since at least 2015, cybersecurity researchers disclosed Thursday. The intrusions, originally attributed to a threat actor named Scarlet Mimic back in January 2016, is said to have encompassed 20 different variants of the Android malware, which were
Read more....

S3 Ep101: Uber and LastPass breaches – is 2FA all it’s cracked up to be? [Audio + Text]
Latest episode - listen now! Learn why adopting 2FA isn't a reason to relax your other security precautions...
Read more....

Microsoft adds 'systemd' to the Windows Subsystem for Linux
Microsoft and Canonical have teamed up to add systemd support to the Windows Subsystem for Linux, allowing a larger number of compatible apps to be installed. [...]
Read more....