Friday's Top Five Scary Infosec News Stories - Bonus Edition

Fridays in cybersecurity are rarely ever slow news days the way many of us who grew up with traditional media have been conditioned to expect. Sure enough, yesterday was chock-filled with significant cybersecurity developments, including a late-day disclosure by Google of a Windows zero-day flaw and a warning from the feds that Iran has targeted voting systems in at least ten states, with one of those states successfully breached.

On top of that, the top tier of infosec reporters at Reuters released a scoop that Russia’s Fancy Bear, the APT group that was the bane of the 2016 election, this year has targeted the email accounts of Democratic state parties in California and Indiana, among other political institutions. On the data breach front, the UK fined Marriott the equivalent of $24 million for its Starwood breaches. Singapore's largest online grocery store Lazada Redmart suffered an obvious breach because now over one million of its user accounts are for sale on a hacker forum.

Get more details on these and other developments below. Stay safe and Happy Halloween to all.

Google Discloses Zero-Day Windows Flaw That Is Exploited in the Wild

Google disclosed last night a zero-day vulnerability in the Windows operating system which is actively being exploited in the wild. On Twitter, team lead for Google’s Project Zero Ben Hawkes said the Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with another a Chrome zero-day (tracked as CVE-2020-15999) that his team disclosed last week. The flaw is slated to be fixed on November 10, which is Microsoft’s next Patch Tuesday. (Catalin Cimpanu / ZDNet)

Related: TechCrunch, Security Affairs, HealthITSecurity, Neowin, Bleeping Computer, Reddit - cybersecurity, The Register - Security, AskWoody, Neowin, SecurityWeek, Ars Technica, Reddit - cybersecurity, Slashdot, TechNadu, Business Insider, Cyber Kendra, ETTelecom.com, Economic Times, Inverse, The Register - Security, Google

Authorities Say Iranian APT Has Targeted Election Websites in 10 States, Successfully Compromised at Least One

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory on an Iranian advanced persistent threat (APT) actor targeting U.S. state websites, including elections websites, to obtain voter registration data. The suspected Iranian hackers compromised at least one voter registration database and had been probing for software vulnerabilities in at least ten states. (Sean Lyngaas / Cyberscoop)

Related: US-CERT Current Activity, Homeland Security Today, Voice of America, CNN.com, Bleeping Computer, Big News Network, Al Jazeera English, News.com.au, Daily Mail, CNBC, Channel News Asia, Reddit - cybersecurity, CNN.com, Homeland Security Today

UK Fines Marriott International Nearly $24 Million for Starwood Breaches

The UK’s Information Commissioner's Office (ICO) fined hotel company Marriott International £18.4 million (or nearly $24 million) for failing to stop hackers from stealing 339 million guest records from the company’s Starwood hotels’ reservation system between 2014 and 2018. The ICO said names, contact information, and passport details may all have been compromised in a cyber-attack. (BBC News)

Related: Glasgow Times, ReadWrite, BBC News - Home, Verdict, TechCrunch, City A.M. - Technology, HOTforSecurity, TechTarget

Russia’s Fancy Bear Group Targeted Email Accounts of California, Indiana Democratic Parties

The Russian hacking group known as Fancy Bear or APT 29, which was accused of hacking into Democratic Party systems and accounts during the 2016 presidential election, earlier this year targeted the email accounts of Democratic state parties in California and Indiana, and influential think tanks in Washington and New York, according to sources. The intrusions, which were internally flagged by Microsoft Corp, targeted, among others, the Center for American Progress, the Council on Foreign Relations, and the Washington-based Carnegie Endowment for International Peace, although those organizations said they had not seen evidence of successful hacking. (Raphael Satter, Christopher Bing, Joel Schectman / Reuters)

Related: The Verge, Slashdot

Over One Million User Accounts for Singapore’s Lazada Redmart Are for Sale on Hacker Forum

Singapore's largest online grocery store Lazada Redmart, a billion-dollar arm of Chinese giant Alibaba, suffered a data breach with the hackers putting up information of 1.1 million RedMart user accounts for sale at $1,500 on a hacker forum. The leaked data from the accounts include email addresses, SHA-1 hashed passwords, first and last name, phone numbers, mailing addresses, billing addresses, partial credit card numbers, and expiration dates. (Ax Sharma / Bleeping Computer)

Related: ZDNet Security, The Straits Times Tech News, Channel News Asia, DataBreaches.net

Not All Information Security News Is Scary

The Cyberlaw Clinic at Harvard Law School’s and the Electronic Frontier Foundation just published A Researcher’s Guide to Some Legal Risks of Security Research (pdf) to help security researchers navigate the legal risks and cope with legal threats as they go about their often legally perilous work. Bookmark it, download it, or share with colleagues because odds are you might need it down the road. Photo by Bill Oxford on Unsplash

Photo by Sudan Ouyang on Unsplash