Lucene search

1309 matches found

Trend Micro Simply Security
added 2022/06/23 12:00 a.m. | 10 views

Trend Micro CEO Discusses Need for a Unified Cybersecurity Platform

In the face of evolving cyberattacks, an ever-expanding digital attack surface, and a global skills shortage, organizations need a more unified approach to managing cyber risk. Trend Micro co-founder & CEO Eva Chen discusses our vision and strategy for delivering a unified cybersecurity platform...

AI score: 3.5 | Exploits: 0
Microsoft Secure
added 2022/06/22 4:00 p.m. | 11 views

Microsoft Defender for Office 365 receives highest award in SE Labs Enterprise Email Security Services test

In today’s evolving threat landscape, email represents the primary attack vector for cybercrime, making effective email protection a key component of any security strategy. In Q1 2022, Microsoft participated in an evaluation of email security solutions, carried out by SE labs—a testing lab focus...

AI score: 0.2 | Exploits: 0
The Hacker News
added 2022/06/21 11:20 a.m. | 21 views

Mitigate Ransomware in a Remote-First World

Ransomware has been a thorn in the side of cybersecurity teams for years. With the move to remote and hybrid work, this insidious threat has become even more of a challenge for organizations everywhere. 2021 was a case study in ransomware due to the wide variety of attacks, significant financial...

AI score: 7.7 | Exploits: 0
Trellix
added 2022/06/20 12:00 a.m. | 67 views

Trellix Global Defenders: Defending against Cyber Espionage Campaigns – Operation Graphite

Trellix Global Defenders: Defending against Cyber Espionage Campaigns – Operation Graphite By Ben Marandel, Arnab Roy · June 20, 2022 Cyber Espionage campaigns by nature are targeted attacks that can go undetected for prolonged periods of time. Cyber Espionage campaigns often involve adversaries...

EPSS: 0.97242 | Exploits: 38
Trellix
added 2022/06/20 12:00 a.m. | 29 views

Trellix Global Defenders: Defending against Cyber Espionage Campaigns – Operation Graphite

Trellix Global Defenders: Defending against Cyber Espionage Campaigns – Operation Graphite By Ben Marandel, Arnab Roy · June 20, 2022 Cyber Espionage campaigns by nature are targeted attacks that can go undetected for prolonged periods of time. Cyber Espionage campaigns often involve adversaries...

CVSS: 8.8 | AI score: 9.4 | EPSS: 0.97242 | Exploits: 38
Code423n4
added 2022/06/18 12:00 a.m. | 7 views

Principal payout

Lines of code Vulnerability details Impact It's possible to treat unvested aura as bribes and an attacker may cause a withdraw of AURA from the strategy to the point where the debt in AURA to users cannot be covered by the strategy. Proof of Concept Anyone can create a valuable token in which it...

AI score: 7.1 | Exploits: 0
Code423n4
added 2022/06/18 12:00 a.m. | 13 views

auraBAL can be stuck into the Strategy contract

Lines of code Vulnerability details Impact The internal harvest function defined is responsible to claim auraBAL from the aura locker and within the function it swaps them to auraBAL - BAL/ETH BPT - WETH - AURA, finally it locks AURA to the locker to increase the position. For claiming auraBAL it...

AI score: 6.7 | Exploits: 0
Code423n4
added 2022/06/18 12:00 a.m. | 10 views

Vault can never fully be emptied

Lines of code Vulnerability details Impact Vault cannot be fully emptied Proof of Concept Whenever rewards are earned they are automatically locked into the Aura Locker. Since that reward will then earn more rewards while locked, there will be more rewards to be collected when that lock is...

AI score: 6.8 | Exploits: 0
Code423n4
added 2022/06/18 12:00 a.m. | 12 views

Badger rewards from Hidden Hand can permanently prevent Strategy from receiving bribes

Lines of code Vulnerability details Impact If the contract receives rewards from the hidden hand marketplace in BADGER then the contract tries to transfer the same amount of tokens twice to two different accounts, once with sendBadgerToTree in MyStrategy and again with processExtraToken in the...

AI score: 7 | Exploits: 0
Code423n4
added 2022/06/17 12:00 a.m. | 7 views

Reward token (auraBal) can be locked in the strategy

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. getRewardaddress account function of Aura Locker is an external function therefore can be called by anyone by passing in the address of strategy and transferring the rewards to the strategy. harvest...

AI score: 7 | Exploits: 0
Code423n4
added 2022/06/16 12:00 a.m. | 11 views

All withdrawal functionality is paused when contract is paused

Lines of code Vulnerability details Impact When the strategy contract is paused, all withdrawal functionality will be paused. Based on the comments in MyStrategy.sol and baseStrategy.sol, withdrawToVault should not be affected by the pause functionality. This is not the case due to the...

AI score: 6.8 | Exploits: 0
Rapid7 Blog
added 2022/06/15 1:49 p.m. | 8 views

Complimentary GartnerⓇ Report "How to Respond to the 2022 Cyberthreat Landscape": Ransomware Edition

First things first — if you're a member of a cybersecurity team bouncing from one stressful identify vulnerability, patch, repeat cycle to another, claim your copy of the GartnerⓇ report “How to Respond to the 2022 Cyberthreat Landscape” right now. It will help you understand the current landscap...

AI score: 0.6 | Exploits: 0
Rapid7 Blog
added 2022/06/13 2:47 p.m. | 15 views

Defending Against Tomorrow's Threats: Insights From RSAC 2022

The rapidly changing pace of the cyberthreat landscape is on every security pro's mind. Not only do organizations need to secure complex cloud environments, they're also more aware than ever that their software supply chains and open-source elements of their application codebase might not be as...

AI score: 7.3 | Exploits: 0
ThreatPost
added 2022/06/07 1:25 p.m. | 32 views

Cyber Risk Retainers: Not Another Insurance Policy

The one-two punch of a cyberattack can be devastating. There is the breach and then the related mitigation costs. Implementing a comprehensive Incident Response (IR) gameplan into a worst-case-scenario should not be a post-breach scramble. And when that IR strategy includes insurance, it also must...

AI score: 7.1 | Exploits: 0 | References: 2
Talos Blog
added 2022/05/31 6:00 a.m. | 11 views

Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications

Who knew you could connect Moses to threat intelligence? By Jon Munshaw. When the security community usually thinks about the origins of cybersecurity and threat intelligence, the conversation may quickly center around the codebreakers in World War II or the Creeper software developed... This is...

AI score: 2.1 | Exploits: 0
vulnersOsv
added 2022/05/24 5:44 p.m. | 3 views

com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter (>=1.0.0 <=1.0.1) potentially affected by CVE-2021-21624 via org.jenkins-ci.plugins:role-strategy (=2.1.0)

org.jenkins-ci.plugins:role-strategy MAVEN version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.jenkins-ci.plugins:role-strategy and may be impacted: - com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter =1.0.0, =1.0.1 Source...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.00877 | Exploits: 0
Github Security Blog
added 2022/05/24 5:30 p.m. | 23 views

Improper authorization due to caching in Jenkins Role-based Authorization Strategy Plugin

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups. In Role-based Authorization Strategy Plugin 3.0 and earlier, this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being...

CVSS: 8.8 | AI score: 8.1 | EPSS: 0.01258 | Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2022/05/24 5:25 p.m. | 2 views

GHSA-9G4M-FFX6-C29G Jenkins Cross-site Scripting vulnerability in project naming strategy

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. Jenkins 2.252, LTS 2.235.4...

CVSS: 8 | AI score: 5.8 | EPSS: 0.83053 | Exploits: 3 | References: 6
Github Security Blog
added 2022/05/24 5:25 p.m. | 24 views

Jenkins Cross-site Scripting vulnerability in project naming strategy

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. Jenkins 2.252, LTS 2.235.4...

CVSS: 5.4 | AI score: 5.3 | EPSS: 0.83053 | Exploits: 3 | References: 6 | Affected Software: 1
OSV
added 2022/05/24 5:23 p.m. | 39 views

GHSA-VR6V-WJFW-RXCR Stored XSS vulnerability in Jenkins Matrix Authorization Strategy Plugin

Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or...

CVSS: 8 | AI score: 5.6 | EPSS: 0.00912 | Exploits: 0 | References: 5