Week of December 13th, 2024
Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.
Here are this week’s top takeaways:
Attacks and Vulnerabilities Across Krispy Kreme, Volkswagen, and More Reinforce the Fact: Cyberattacks Are a Matter of "When", Not "If"
Popular doughnut chain Krispy Kreme says it has been hit by a cyberattack that has disrupted its online systems.
Some customers in the US have been unable to make online orders because of the hack, which occurred in late November but has only just been disclosed.
On Wednesday, Krispy Kreme revealed the attack in a regulatory filing with the US Securities and Exchange Commission (SEC).
The statement said the incident was "reasonably likely" to "have a material impact" on the firm's business operations but clarified that brick-and-mortar shops remain open. Krispy Kreme stated in its SEC filing that it has cybersecurity insurance, which it expects "to offset a portion of the costs."
These costs are expected to arise from losing digital sales, fees for the experts it has hired, and the restoration of impacted systems.
However, the doughnut brand is not the only business that made the headlines this week: PCAutomotive, a specialized automotive cybersecurity firm, disclosed 12 new security flaws affecting the latest Skoda Superb III sedan model at Black Hat Europe.
The affected vehicles include the Skoda Superb III (3V3) 2.0 TDI manufactured in 2022, but the issue potentially extends to other Skoda and Volkswagen models using similar infotainment systems.
These vulnerabilities, primarily found in the MIB3 infotainment unit, could be exploited by malicious actors to inject malware into the vehicle and gain unauthorized access to various functions. PCAutomotive estimates that over 1.4 million vehicles could be vulnerable, with the actual number potentially higher when considering aftermarket components.
If successfully exploited, these vulnerabilities could allow attackers to:
With cyber threats developing at a breakneck pace, high-quality pentesting has never been more crucial.
In recent years:
As a CREST and SOC 2 Type II accredited penetration testing firm, Packetlabs’ 100% tester-driven pentesting goes beyond industry standards. Our best-in-class methodology digs deeper to deliver more in-depth, actionable results.
Was Your Device Targeted in the Recent Salt Typhoon Breach?
According to a new NBC report, telecommunications giants AT&T and Verizon have yet to address the full scope of victims of an ongoing Chinese phone data hacking campaign.
In a media call last week, the FBI told the press that it has not yet fully evicted Chinese state-sponsored hackers from U.S. networks, and that the agency has spent the past months alerting "high-value intelligence targets" (including the campaigns of both Donald Trump and Kamala Harris), mainly those of interest to the U.S. government, to the extent of the breach.
The allegedly China-backed espionage campaign, which Microsoft's threat researchers track as Salt Typhoon, is an advanced persistent threat (APT) operation that has breached at least eight telecommunications companies in order to access individuals' private communications.
Recent investigations revealed that the years-long initiative involved stealing Americans' data and monitoring political targets' communications. Senate Intelligence Committee chairman Senator Mark R. Warner has called it the "worst telecom hack in [U.S.] history by far."
The FCC requires telecom companies to notify customers only when it has been established that customers have been or could be harmed by the breach. This includes "financial harm, physical harm, identity theft, theft of services, the potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse, and other similar types of dangers." However, deciding whether a breach meets that definition of harm, and how far its scope extends, is left to the companies' discretion.
Recent Posts From Our Ethical Hackers
Every month, our ethical hackers work to provide free resources so that your team can continue improving your organization's security posture.
Here are just some of our recent posts: