Find this story and other updates on our Let's Talk Security Podcast Episode here:
On 11th Nov, Chrome announced a stable channel update for Windows, Mac, and Linux, with fixes rolled out under "Security Fixes and Rewards". The announcement included the standard boilerplate noting that details would be kept restricted until the majority of users would no longer be affected.
Both of those new in-the-wild zero-days were discovered and reported by "Anonymous," the first on the 7th and the second on the 9th. What were the flaws? The first was an "inappropriate implementation in V8," and the other was a use-after-free flaw in the site isolation component, which we depend on to prevent cross-site exploitability. Overall, it was a quick turnaround between detection of the vulnerabilities and a patch update to fix them.
Ragnar Locker's ransomware extortion of the Italian distiller Campari is taking a shame-your-victims approach. The attackers obtained 2TB of sensitive data on Nov 3rd and demanded $50 million. They then hacked into the account of a Facebook user, Chris Hodson, and took out a Facebook ad to publicize the attack and pressure the ransomware victim into paying. Even if Campari didn’t want to retrieve the decryption keys for their data, they wouldn’t want it known that 2TB of potentially sensitive data is on the loose. Facebook detected fraudulent activity and stopped the ad soon after.
So now we have double the coercion for victims of ransomware attacks: attackers demand payment not just for the decryption keys, but also to avoid releasing their victims' sensitive data.