Week of December 13th, 2024

Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.

Here are this week’s top takeaways:

Vulnerabilities Across Krispy Kreme, Volkswagen, and More Reinforce the Fact: Cyberattacks Are a Matter of "If", Not "When"

Popular doughnut chain Krispy Kreme says it has been hit by a cyberattack that has disrupted its online systems.

Some customers in the US have been unable to make online orders because of the hack, which occurred in late November but has only just been disclosed.

On Wednesday, Krispy Kreme revealed the attack in a regulatory filing with the US Securities and Exchange Commission (SEC).

The statement said the incident was "reasonably likely" to "have a material impact" on the firm's business operations but clarified that brick-and-mortar shops remain open. Krispy Kreme stated in its SEC filing that it has cybersecurity insurance, which it expects "to offset a portion of the costs."

These costs are expected to arise from losing digital sales, fees for the experts it has hired, and the restoration of impacted systems.

However, the doughnut brand is not the only business that made the headlines this week for exploited vulnerabilities: PCAutomotive, a specialized automotive cybersecurity firm, recently disclosed 12 new security flaws affecting the latest Skoda Superb III sedan model at Black Hat Europe.

The affected vehicles include the Skoda Superb III (3V3) 2.0 TDI manufactured in 2022, but the issue potentially extends to other Skoda and Volkswagen models using similar infotainment systems.

These vulnerabilities, primarily found in the MIB3 infotainment unit, could be exploited by malicious actors to inject malware into the vehicle and gain unauthorized access to various functions. PCAutomotive estimates that over 1.4 million vehicles could be vulnerable, with the actual number potentially higher when considering aftermarket components.

If successfully exploited, these vulnerabilities could allow attackers to:

  1. Obtain real-time GPS coordinates and speed data
  2. Record in-car conversations via the vehicle’s microphone
  3. Capture screenshots of the infotainment display
  4. Hijack the vehicle's speaker
  5. Access the vehicle owner’s phone contact database

With cyber threats developing at a breakneck pace, high-quality pentesting has never been more crucial.

In recent years:

  • An estimated 800,000 cyberattacks occurred in 2023, with that number predicted to continue to rise annually
  • 97% of security breaches are exploiting WordPress plugins
  • An estimated 300,000 new pieces of malware are created daily
  • 92% of malware is being delivered via email
  • In 2024, it’s taking organizations an average of 49 days to identify a cyberattack
  • Over 4.1 million websites on the Internet have malware
  • 66% of interviewed CIOs plan to continue to increase their investment in cybersecurity

As a CREST and SOC 2 Type II accredited penetration testing firm, Packetlabs’ 100% tester-driven pentesting goes beyond industry standards. Our best-in-class methodology digs deeper to deliver more in-depth, actionable results.

Was Your Device Targeted in the Recent Salt Typhoon Breach?

According to a new NBC report, telecommunications giants AT&T and Verizon have yet to address the full scope of victims of an ongoing Chinese phone data hacking campaign.

In a media call last week, the FBI told the press that it has yet to fully evict Chinese state-sponsored hackers from U.S. networks and that the agency has spent the past months alerting "high-value intelligence targets" (including the campaigns of both Donald Trump and Kamala Harris) to the extent of the breach, mainly those of interest to the U.S. government.

The allegedly China-backed espionage campaign, labeled Salt Typhoon by Microsoft threat detectors, has used what are known as advanced persistent threat (APT) attacks to break into at least eight telecommunications companies and expose personal, individual communications.

Recent investigations revealed that the years-long initiative involved hacking Americans' data and monitoring political targets' communications. Senate Intelligence Committee chairman Senator Mark R. Warner has called it the "worst telecom hack in [U.S.] history by far."

The FCC mandates that telecom companies notify customers only when it has been established that customers have been or could be harmed by the breach. This includes "financial harm, physical harm, identity theft, theft of services, the potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse, and other similar types of dangers." However, the definitions and scope of the breach's harm are at the companies' discretion.

Recent Posts From Our Ethical Hackers

Every month, our ethical hackers work to provide free resources so that your team can continue improving your organization's security posture.

Here are just some of our recent posts:
