Week in review: Man in the Cloud attacks, Google GDPR fine, business resilience

Here’s an overview of some of last week’s most interesting news and articles:

Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution
A vulnerability in the firmware of a Wi-Fi chipset that is widely used in laptops, streaming, gaming and a variety of “smart” devices can be exploited to compromise them without user interaction.

Researchers analyze DDoS attacks as coordinated gang activities
In a new report, NSFOCUS introduced the IP Chain-Gang concept, in which each chain-gang is controlled by a single threat actor or a group of related threat actors and exhibit similar behavior among the various attacks conducted by the same gang.

Business resilience should be a core company strategy, so why are businesses struggling to take action?
Several barriers to achieving business resilience remain.

GDPR-ready organizations see lowest incidence of data breaches
Cisco’s 2019 Data Privacy Benchmark Study validates the link between good privacy practice and business benefits as respondents report shorter sales delays as well as fewer and less costly data breaches.

PHP PEAR supply chain attack: Backdoor added to installer
Some additional details have emerged about the recent security breach involving the PHP PEAR (PHP Extension and Application Repository) webserver.

Microsoft remains the most impersonated brand, Netflix phishing spikes
Although Microsoft remains the top target for phishers, Netflix saw an incredible surge in Dec., making it the second most impersonated brand in Q4 2018.

Beware the man in the cloud: How to protect against a new breed of cyberattack
One malicious tactic that has become quite prevalent in recent years is known as a ‘man in the cloud’ (MitC) attack. This attack aims to access victims’ accounts without the need to obtain compromised user credentials beforehand.

Machine learning trumps AI for security analysts
Machine learning is currently one of the biggest buzzwords in cybersecurity and the tech industry in general, but the phrase is often overused and misapplied, leaving many with their own, incorrect definition.

Industry reactions to Google’s €50 million GDPR violation fine
On 21 January 2019, the French National Data Protection Commission (CNIL) imposed a financial penalty of €50 million against Google, in accordance with the GDPR.

Researcher warns of privilege escalation flaw in Check Point ZoneAlarm
Illumant researcher Chris Anastasio has discovered a serious vulnerability in Check Point’s security software.

83% of global respondents experienced phishing attacks in 2018
Proofpoint analyzed data from tens of millions of simulated phishing attacks sent over a one-year period, along with nearly 15,000 cybersecurity professional survey responses, to provide an in-depth look at state of global phishing attacks.

The most effective security strategies to guard sensitive information
With the recent rise in breaches and privacy incidents, enterprises are prioritizing the protection of their customers’ personally identifiable information.

Cisco fixes security holes in SD-WAN, Webex, Small Business routers
Code for the exploitation of the two fixed vulnerabilities in the Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers has been made public and attackers are actively scanning networks for them.

Reimagining risk management to mitigate looming economic dangers
In a volatile market environment and with the edict to “do more with less,” many financial institutions are beginning efforts to reengineer their risk management programs.

Most out of date applications exposed: Shockwave, VLC and Skype top the list
More than half (55%) of PC applications installed worldwide are out-of-date, making PC users and their personal data vulnerable to security risks.

0patch releases micropatch for Windows Contacts RCE zero-day
ACROS Security, the creators of 0patch, have released a micropatch for a recently revealed zero-day RCE flaw affecting Windows.

SSDP amplification attacks rose 639%
The Nexusguard Q3 2018 Threat Report has revealed the emergence of an extremely stealthy DDoS attack pattern targeting communications service providers (CSPs).

Should enterprises delay efforts to remediate most vulnerabilities?
Companies are getting smarter in how they protect themselves from today’s cyber threats, improving operational efficiency and resource allocation, while best managing risk.

Cybercriminals increasingly taking aim at businesses
2018 has been the year when cybercriminals definitely realized businesses are juicier targets than individuals.

New infosec products of the week: January 25, 2019
A rundown of infosec products released last week.