baseStriker: Office 365 Security Fails To Secure 100 Million Email Users

From avanan.com

We recently uncovered what may be the largest security flaw in Office 365 since the service was created. Unlike similar attacks that could be learned and blocked, using this vulnerability hackers can completely bypass all of Microsoft’s security, including its advanced services – ATP, Safelinks, etc.

The name baseStriker refers to the method hackers use to take advantage of this vulnerability: splitting and disguising a malicious link using a tag called the <base> URL tag.

So far we have only seen hackers using this vulnerability to send phishing attacks, but but it is also capable of distributing ransomware, malware and other malicious content

More information here.

LinkedIn Autofill flaw lets hackers harvest website visitors’ personal info

from www.scmagazineuk.com

If the visitor clicks anywhere on the page, then according to Cable, “LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site”. A vulnerability in LinkedIn’s Autofill feature allowed malicious actors to harvest personal information of LinkedIn users by inserting autofill iframes over websites that were whitelisted by LinkedIn, a security researcher has revealed.According to researcher Jack Cable who described the exploit in a detailed blog post, once a malicious actor lures a victim to visit a malicious website which is controlled by the former, the visitor is then greeted by a “LinkedIn AutoFill button iframe” which is styled so it takes up the entire page and is invisible to the user.

More information here

Major macOS High Sierra Bug Allows Full Admin Access Without Password

From macrumors.com

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

Full article here.

UK Cybersecurity Center Issues ‘The Dark Overlord’ Alert

From inforisktoday.com

Want to stop the latest cybercrime bogeyman? Then for the umpteenth time, put in place well-known and proven strategies for repelling online attacks.

That’s one takeaway from a recent threat report issued by Britain’s National Cyber Security Center. Based on open source reporting, the alert calls out a trio of attack campaigns: phishing emails that pretend to be speeding tickets but which instead deliver malware; attackers using stolen or fraudulently obtained digital certificates to “sign” malware; and the cybercrime-extortion group known as the “The Dark Overlord,” which continues to hack into organizations’ websites, hold data for ransom and cause chaos.

Full article here.

Fake WhatsApp app on Google Play, downloaded by more than 1M users

From thehackernews.com

Full article here.

Cisco Warns 69 Products Impacted by KRACK

From threatpost.com

Cisco said Wednesday that multiple Cisco wireless products are vulnerable to the recently identified Key Reinstallation Attacks (KRACK).

On Monday, researchers revealed how the KRACK vulnerabilities plagued the WPA2 protocol used to secure all modern Wi-Fi networks. In their report, researchers demonstrated how the KRACK vulnerabilities can be abused to decrypt traffic from enterprise and consumer networks with varying degrees of difficulty.

U.S. CERT advised users to patch immediately.

Full article here.

Related post: Wi-Fi Protected Access II (WPA2) compromised