Welcome reader to your Sunday CybersecurityHQ report.

Headlines

● China passed a new law requiring all companies operating in the country to report any software vulnerabilities to the government within 48 hours of their discovery. Without formal agreement between the Ministry of Industry and Information Technology and the company, researchers are no longer allowed to report any information about the vulnerability until a patch is available.

While this is not out of line with new plans by Western governments, some commentators are saying this move makes state-sponsored hacking and cyber-espionage easier for China — like the strongly China-opposed Atlantic Council.

● Spyware posing as modified versions of Telegram has been detected in the Google Play Store. The malicious apps, collectively downloaded millions of times, were designed to collect sensitive data from compromised Android devices. Dubbed "Evil Telegram" by cybersecurity firm Kaspersky (which discovered the spyware), the apps exfiltrate user information, including names, IDs, contacts, phone numbers, and chat messages to a server controlled by the threat actors.

The fake apps used typosquatting techniques, adopting package names like "org.telegram.messenger.wab" to appear legitimate. The discovery follows previous instances of similar fake Telegram and WhatsApp apps that intercepted cryptocurrency transfers. Google has since removed the apps.

● Global ticketing services company See Tickets has just announced it was hit with a data breach. Their notification to the Maine Attorney General’s office reported that “unauthorized party(ies) inserted multiple instances of malicious code into a number of its e-commerce checkout pages resulting in unauthorized access to, and acquisition of, certain customer payment card information used to make purchases on the websites between February 28th, 2023 and July 2nd, 2023.”

323,498 individuals were affected by the breach. Hackers had inserted malicious code into the checkout pages, which could allow them to steal payment card details. The compromised data includes names, physical addresses, and payment card information.

Long Read

Your new car is spying on you. This long read from Mozilla (written by Jen Caltrider, Misha Rykov and Zoë MacDonald) focuses on the privacy issues raised by the automobile industry. In fact, the authors note that this is the worst product category they’ve ever reviewed. Included is a long list of popular manufacturers ranked from “bad to worst” in terms of privacy.

While French automaker Renault came in as the least bad, every single one of the companies on their extensive fell short of basic privacy standards.

Cyber Security Career Opportunities

• Remote DevSec Ops Engineer

  • Conch Technologies, Inc

  • Full-time

  • Remote (Minnesota, United States, US)

• Channel CISO

  • Red Canary

  • Full-time

  • United States

• Senior Information Security Engineer

  • Mastercard

  • Full-time

  • Arlington, VA, US

For the latest openings in cyber security careers, check CybersecurityHQ.