
1663 matches found

Schneier on Security
added 2021/07/20 6:50 p.m., 44 views

NSO Group Hacked

NSO Group, the Israeli cyberweapons arms manufacturer behind the Pegasus spyware -- used by authoritarian regimes around the world to spy on dissidents, journalists, human rights workers, and others -- was hacked. Or, at least, an enormous trove of documents was leaked to journalists. There's a lo...

AI score: 0.4, Exploits: 0

HackRead
added 2021/07/16 9:27 p.m., 56 views

SolarWinds hackers exploited iOS 0-day to compromise iPhones

By Deeba Ahmed. According to Google, SolarWinds hackers exploited an iOS 0-day vulnerability to hack iPhones and made millions from targeting phones worldwide. This is a post from HackRead.com. Read the original post: SolarWinds hackers exploited iOS 0-day to compromise iPhones...

AI score: 2.8, Exploits: 0

Microsoft Secure
added 2021/07/15 3:21 p.m., 192 views

Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware

The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771). Private-sector offensiv...

CVSS: 7.2, AI score: 0.4, EPSS: 0.06444, Exploits: 0

Packet Storm
added 2021/07/02 12:0 a.m., 277 views

b2evolution 7.2.2 Cross Site Request Forgery

Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
Exploit Author: Alperen Ergel @alpernae
Vendor Homepage: https://b2evolution.net/
Software Link: https://b2evolution.net/downloads/7-2-2
Version: 7.2.2
Tested on: Kali Linux
Category: WebApp
Description...

AI score: 0.5, Exploits: 0

ThreatPost
added 2021/07/01 4:24 p.m., 37 views

Hacked Data for 69K LimeVPN Users Up for Sale on Dark Web

The VPN provider known as LimeVPN has been hit with a hack affecting 69,400 user records, according to researchers. A hacker claims to have stolen the company’s entire customer database before knocking its website offline (Threatpost confirmed that as of press time, the website was down). The stole...

AI score: 7, Exploits: 0, References: 6

The Coalfire Blog
added 2021/06/24 5:37 p.m., 41 views

Long-awaited changes to the nation's cybersecurity infrastructure become reality

There is a lot of buzz in the biz about the ripple effects of President Biden's "Executive Order (EO) on Improving the Nation's Cybersecurity," which comes on the heels of the Colonial Pipeline hack. The pipeline, which delivers about 45% of the fuel used on the Eastern Seaboard, was shut down after ...

AI score: 3.5, Exploits: 0

Code423n4
added 2021/06/23 12:0 a.m., 8 views

Actual yield source check on address will succeed for non-existent contract

Handle: 0xRajeev. Vulnerability details. Impact: Low-level calls (call/delegatecall/staticcall) return true even if the account called is non-existent, per EVM design. Solidity documentation warns: "The low-level functions call, delegatecall and staticcall return true as their first return value if the...

AI score: 6.9, Exploits: 0

NVD
added 2021/06/16 4:15 p.m., 10 views

CVE-2020-35760

bloofoxCMS 0.5.2.1 is infected with Unrestricted File Upload that allows attackers to upload malicious files (ex: php files)...

CVSS: 9.8, EPSS: 0.01344, Exploits: 1, References: 1

Hacker One
added 2021/06/08 9:38 p.m., 11 views

HackerOne: HackerOne making payments in USDC (Coinbase stable coin)

Summary: Hello Everyone, My name is Ariel and I’m a manager in HackerOne’s community team. As a part of a Hack Week project, HackerOne is now supporting payments via USDC, Coinbase’s stable coin. This has been a feature requested by many hackers, that we are now glad to announce as supported. Mor...

AI score: 7, Exploits: 0

Wired Threat Level
added 2021/05/29 1:0 p.m., 70 views

US Soldiers Exposed Nuclear Secrets on Digital Flash Cards

Plus: A major hack in Japan, Citizen app run amok, and more of the week’s top security news...

AI score: 2, Exploits: 0

ThreatPost
added 2021/05/27 1:56 p.m., 87 views

Fujitsu SaaS Hack Sends Govt. of Japan Scrambling

Threat actors have stolen files from several official government agencies of Japan by hacking into Fujitsu’s software-as-a-service (SaaS) platform and gaining access to its systems. The Japan-based tech giant temporarily disabled ProjectWEB enterprise after learning of the attack, which is known to...

AI score: 7.5, Exploits: 0, References: 15

Wired Threat Level
added 2021/05/20 10:0 a.m., 52 views

The Full Story of the Stunning RSA Hack Can Finally Be Told

In 2011, Chinese spies stole the crown jewels of cybersecurity—stripping protections from firms and government agencies worldwide. Here’s how it happened...

AI score: 3.2, Exploits: 0

The Hacker News
added 2021/05/20 9:34 a.m., 105 views

Watering Hole Attack Was Used to Target Florida Water Utilities

An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what's known as a watering hole attack. "This malicious code seemingly targeted water...

AI score: 0.6, Exploits: 0

Wired Threat Level
added 2021/05/10 9:3 p.m., 37 views

Apple Execs Chose to Keep a Hack of 128 Million iPhones Quiet

Emails from the Epic Games lawsuit show Apple brass discussing how to handle a 2015 iOS hack. The company never directly notified affected users...

AI score: 3.4, Exploits: 0

Schneier on Security
added 2021/05/04 2:41 p.m., 36 views

Tesla Remotely Hacked from a Drone

This is an impressive hack: Security researchers Ralf-Philipp Weinmann of Kunnamon, Inc. and Benedikt Schmotzle of Comsecuris GmbH have found remote zero-click security vulnerabilities in an open-source software component (ConnMan) used in Tesla automobiles that allowed them to compromise parked ca...

AI score: 2, Exploits: 0

The Hacker News
added 2021/04/27 9:14 a.m., 215 views

FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian...

CVSS: 10, AI score: 1.3, EPSS: 0.94473, Exploits: 94

OSV
added 2021/04/23 4:15 p.m., 1 view

CVE-2020-7385

By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with...

CVSS: 8.8, AI score: 5.8, EPSS: 0.00582, Exploits: 1, References: 3

Malwarebytes
added 2021/04/12 7:5 a.m., 59 views

Beating security fatigue with Troy Hunt, Chloé Messdaghi, and Tanya Janca: Lock and Code S02E06

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we speak to Point3 Security chief strategist Chloé Messdaghi, HaveIBeenPwned founder Troy Hunt, and We Hack Purple founder and CEO Tanya Janca about security fatigue. Security fatigue is...

AI score: 7.7, Exploits: 0

The Hacker News
added 2021/04/09 7:45 a.m., 2 views

Gigaset Android Update Server Hacked to Install Malware on Users' Devices

Gigaset has revealed a malware infection discovered in its Android devices was the result of a compromise of a server belonging to an external update service provider. Impacting older smartphone models — GS100, GS160, GS170, GS180, GS270 plus, and GS370 plus series — the malware took the form of...

AI score: 5.9, Exploits: 0

ThreatPost
added 2021/03/23 8:5 p.m., 43 views

Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail

A former IT contractor has been sentenced to two years in prison after hacking into a company’s server and deleting the majority of its employees’ Microsoft Office 365 (O365) accounts. The incident resulted in the company completely shutting down for two days. The 32-year-old contractor, Deepanshu...

AI score: 7.4, Exploits: 0, References: 8