4.6M Evernote users put at risk
Cybersecurity watchdogs discovered a critical flaw in the popular organization app Evernote, reported Bleeping Computer. The vulnerability allows attackers to access sensitive information stored on third-party sites connected to the Evernote account. By exploiting a logical coding error in the Evernote Web Clipper Chrome extension, attackers could gain privileges in Iframes beyond Evernote’s domain. Users can link various third-party sites to their Evernote app, creating an unintentional linked database of login credentials, financial data, personal communications, and more, which attackers could explore and steal.
Fortunately, a fix has already been developed. Evernote rolled out a patch for the universal cross-site scripting (UXSS) vulnerability on June 4. All users of the Evernote Web Clipper Chrome extension – estimated at 4.6 million – are advised to visit the Chrome extension page to ensure they have version 7.11.1 (or later) installed.
This week’s stat
The MIT Technology Review estimates that if the current level of public interest continues, commercial genetic databases will hold the info of 100 million people by 2021. Read more.
Cyberattack prompts Radiohead to release unheard tracks
The band Radiohead has released 18 hours of previously unheard – and, in some cases, unfinished – tracks to the streaming service Bandcamp. In a tweet the band’s guitarist Johnny Greenwood wrote that “someone stole [lead singer] Thom’s minidisk archive from around the time of (the 1997 album) ‘OK Computer’ and reportedly demanded $150,000 on threat of releasing it.” The majority of the material in the archive, according to Greenwood, is “only tangentially interesting. And very, very long.”
Never intended for public consumption, the music is available for 18 days only. The BBC reported that, “Among the treasures in the collection are a 12-minute version of ‘Paranoid Android,’ Thom Yorke’s demo recording of ‘Karma Police,’ and dozens of unreleased or unfinished songs.” Fans can listen for free on Bandcamp or buy the full 18 hours of music for £18. All proceeds of the new material will go to the nonviolent activist group Extinction Rebellion.
This week’s quote
“Using ideas like this requires creativity and experimentation, but at least they are informed by evidence about how humans actually make decisions.” – From a new Avast report urging cybersecurity pros to go beyond using warnings to encourage security updates.
FBI issues warning about phishing
The FBI posted a public service announcement earlier this week to educate the public on the phishing of websites with the prefix https (Hypertext Transfer Protocol Secure). Phishing emails are more frequently using the public’s trust that https indicates a safe site. For years, cybersecurity experts have been training the public to look for https (vs. http) and the lock icon in their browser’s address bar to ensure the site is secure. Cybercriminals are now taking advantage of that by “incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.” If a user mistakenly believes a phishing email is from the legitimate company it mimics, he or she may enter login credentials and any other info that would immediately become part of the attacker’s database.
The FBI provides the following tips to keep from falling victim to https phishing:
- Do not simply trust the name on an email. Question the intent of the email content.
- If you receive a suspicious email from a known contact that includes a link, confirm the email is legitimate by calling or emailing the contact. Do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in .gov ends in .com instead).
- Do not trust a website just because it has a lock icon or https in the browser address bar.
1.5M servers brute-forced by GoldBrute
A new botnet discovered by cybersecurity researchers is currently at work brute-forcing about 1.5 million remote desktop protocol (RDP) servers, reported Dark Reading. GoldBrute, as the botnet is known, is the newest in a longstanding cybercriminal venture of botnets scanning for RDP servers that use weak or reused passwords. GoldBrute scans for exposed RDP servers, then sends the addresses back to its command-and-control (C2) server. When the botnet collects a list of 80 addresses, the C2 commands it to brute-force select targets. One clever trait of GoldBrute is that each bot only tries one username and password in the brute-force attack, which could be a tactic to stay under the security radar. If a target is successfully brute-forced, the botnet then downloads the GoldBrute Java code and other affiliated files to the target, making it into another bot.
“This is a huge risk for small businesses and enterprises,” commented Avast Security Evangelist Luis Corrons. “And I’m not just talking about having one computer compromised and added to the botnet. These RDP servers are in corporate networks, and once they’re in, attackers can leverage full-scale attacks against all computers in the local network, such as last year’s SamSam ransomware hits.
This week’s ‘must-read’ on The Avast Blog
One of the largest tech companies in the world, the U.S. government, and cybersecurity professionals are all fervently urging computer users to apply an easy patch that could prevent a vulnerability known as BlueKeep from becoming a major cybersecurity incident. Why won’t users do it? A new report from Avast suggests an answer.
Learn more about products that protect your digital life at avast.com. And get all the latest news on today’s cyberthreats and how to beat them at blog.avast.com. Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.