20778 matches found
Hackers' Operating System Kali Linux Released for Raspberry Pi 4
We've got some really exciting news for you... Offensive Security has released an official version of Kali Linux for Raspberry Pi 4—the most powerful version of the compact computer board yet that was released just two weeks ago with the full 4GB of RAM at low cost and easy accessibility. Based o...
Warning: ASUS Software Update Server Hacked to Distribute Malware
Remember the CCleaner hack? CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017. Security researchers today revealed another massive supply chain attack that compromised over 1 million...
Facebook admits public data of its 2.2 billion users has been compromised
Facebook dropped another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious third-party scrapers have compromised their public profile information. On Wednesday, Facebook CEO Mark Zuckerberg revealed that "malicious actors" took advantage of "Search" too...
New Highly-Critical SAP Bug Could Let Attackers Take Over Corporate Servers
SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server AS Java platform, allowing an unauthenticated attacker to take control of SAP applications. The bug, dubbed RECON and tracked as CVE-2020-6287, is rated with a maximum CVSS sco...
New malware found using Google Drive as its command-and-control server
Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities. Cybersecurity researchers have now spotted a new malware attack campai...
Microsoft Issues Patch for Windows Zero-Day Flaw Under Active Attack
Microsoft today, on its year-end December Patch Tuesday, released security updates to patch a total 39 vulnerabilities its Windows operating systems and applications—10 of which are rated as critical and other important in severity. One of the security vulnerabilities patched by the tech giant th...
Abusing Network Time Protocol (NTP) to perform massive Reflection DDoS attack
In 2013, we have seen a significant increase in the use of a specific distributed denial of service DDoS methodology known as Distributed Reflection Denial of Service attacks DrDoS. Open and misconfigured DNS Domain Name System can be used by anyone to resolve domain names to IP addresses are...
New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and a nine-year-old flaw concerning Microsoft's digital signature verification to siphon user credentials and sensitive information. Israeli cybersecurity company Check Point Research, which has been trackin...
New UAF Vulnerability Affecting Microsoft Office to be Patched Today
Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office online, could be potentially abused by bad actors to deliver attack code via Word and Excel documents. "Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to...
Learn How to Manage and Secure Active Directory Service Accounts
There are many different types of accounts in a typical Active Directory environment. These include user accounts, computer accounts, and a particular type of account called a service account. A service account is a special type of account that serves a specific purpose for services, and...
Facebook Finds 'No Evidence' Hackers Accessed Connected Third-Party Apps
When Facebook last weekend disclosed a massive data breach—that compromised access tokens for more than 50 million accounts—many feared that the stolen tokens could have been used to access other third-party services, including Instagram and Tinder, through Facebook login. Good news is that...
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional...
Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox
A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host...
'Dirty Pipe' Linux Flaw Affects a Wide Range of QNAP NAS Devices
Network-attached storage NAS appliance maker QNAP on Monday warned of a recently disclosed Linux vulnerability affecting its devices that could be abused to elevate privileges and gain control of affected systems. "A local privilege escalation vulnerability, also known as 'Dirty Pipe,' has been...
5 High Impact Flaws Affect Cisco Routers, Switches, IP Phones and Cameras
Several Cisco-manufactured network equipments have been found vulnerable to five new security vulnerabilities that could allow hackers to take complete control over them, and subsequently, over the enterprise networks they power. Four of the five high-severity bugs are remote code execution issue...
Google Uncovers How Just Visiting Some Sites Were Secretly Hacking iPhones For Years
Beware Apple users! Your iPhone can be hacked just by visiting an innocent-looking website, confirms a terrifying report Google researchers released earlier today. The story goes back to a widespread iPhone hacking campaign that cybersecurity researchers from Google's Project Zero discovered...
Apple Releases iOS 12.4.1 Emergency Update to Patch 'Jailbreak' Flaw
Apple just patched an unpatched flaw that it patched previously but accidentally unpatched recently — did I confuse you? Let's try it again... Apple today finally released iOS 12.4.1 to fix a critical jailbreak vulnerability, like it or not, that was initially patched by the company in iOS 12.3 b...
China's Border Guards Secretly Installing Spyware App on Tourists' Phones
Chinese authorities are secretly installing surveillance apps on smartphones of foreigners at border crossings in the Xinjiang region who are entering from neighboring Kyrgyzstan, an international investigation revealed. Xinjiang XUAR is an autonomous territory and home to many Muslim ethnic...
New Shamoon Malware Variant Targets Italian Oil and Gas Company
Shamoon is back… one of the most destructive malware families that caused damage to Saudi Arabia's largest oil producer in 2012 and this time it has targeted energy sector organizations primarily operating in the Middle East. Earlier this week, Italian oil drilling company Saipem was attacked and...
Critical Flaws in Ghostscript Could Leave Many Systems at Risk of Hacking
Google Project Zero's security researcher has discovered a critical remote code execution RCE vulnerability in Ghostscript—an open source interpreter for Adobe Systems' PostScript and PDF page description languages. Written entirely in C, Ghostscript is a package of software that runs on differen...
Looking For Secure VPN Services? Get a Lifetime Subscription
PRIVACY – a bit of an Internet buzzword nowadays, because the business model of the Internet has now shifted towards data collection. Today, most users surf the web unaware of the fact that websites and online services collect their personal information, including search histories, location, and...
Google Blocks Chrome Extension Installations From 3rd-Party Sites
You probably have come across many websites that let you install browser extensions without ever going to the official Chrome web store. It's a great way for users to install an extension, but now Google has decided to remove the ability for websites to offer "inline installation" of Chrome...
Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild
Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery SSRF vulnerability, while th...
Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities
Microsoft's Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others. 10 of the 128 bugs fixed are rated...
Researchers Warn of Linux Kernel 'Dirty Pipe' Arbitrary File Overwrite Vulnerability
Linux distributions are in the process of issuing patches to address a newly disclosed security vulnerability in the kernel that could allow an attacker to overwrite arbitrary data into any read-only files and allow for a complete takeover of affected systems. Dubbed "Dirty Pipe" CVE-2022-0847,...
Critical Flaws Discovered in Azure App That Microsoft Secretly Installs on Linux VMs
Microsoft on Tuesday addressed a quartet of security flaws as part of its Patch Tuesday updates that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems. The list of flaws, collectively called OMIGOD by...
PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.
Cybersecurity researchers on Monday disclosed a set of nine vulnerabilities known as "PwnedPiper" that left a widely-used pneumatic tube system PTS vulnerable to critical attacks, including a possibility of complete takeover. The security weaknesses, disclosed by American cybersecurity firm Armis...
Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability
Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek...
Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability
Researchers from Wordfence have sounded the alarm about a "sudden" spike in cyber attacks attempting to exploit an unpatched flaw in a WordPress plugin called Kaswara Modern WPBakery Page Builder Addons. Tracked as CVE-2021-24284, the issue is rated 10.0 on the CVSS vulnerability scoring system a...
Alert: Hackers Exploit Adobe Reader 0-Day Vulnerability in the Wild
Adobe has released Patch Tuesday updates for the month of May with fixes for multiple vulnerabilities spanning 12 different products, including a zero-day flaw affecting Adobe Reader that's actively exploited in the wild. The list of updated applications includes Adobe Experience Manager, Adobe...
WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261 CVSS score 8.4, the flaw concerns an "improper input validation" issue in Qualcomm's Graphics compone...
New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices
The recent controversies surrounding the WhatsApp hacking haven't yet settled, and the world's most popular messaging platform could be in the choppy waters once again. The Hacker News has learned that last month WhatsApp quietly patched yet another critical vulnerability in its app that could ha...
Hacker who reported flaw in Hungarian Telekom faces up to 8-years in prison
Many of you might have this question in your mind: "Is it illegal to test a website for vulnerability without permission from the owner?" Or… "Is it illegal to disclose a vulnerability publicly?" Well, the answer is YES, it's illegal most of the times and doing so could backfire even when you hav...
Does WhatsApp Have A Privacy Bug That Could Expose Your Messages?
In-short conclusion—Whatsapp service or its 45-days deletion policy doesn't seem to have a bug. For detailed logical explanation, please read below. An Amazon employee earlier today tweeted details about an incident that many suggest could be a sign of a huge privacy bug in the most popular...
New Malware Takes Commands From Memes Posted On Twitter
Security researchers have discovered yet another example of how cybercriminals disguise their malware activities as regular traffic by using legitimate cloud-based services. Trend Micro researchers have uncovered a new piece of malware that retrieves commands from memes posted on a Twitter accoun...
phpMyAdmin Releases Critical Software Update — Patch Your Sites Now!
Developers of phpMyAdmin, one of the most popular and widely used MySQL database management systems, today released an updated version 4.8.4 of its software to patch several important vulnerabilities that could eventually allow remote attackers to take control of the affected web servers. The...
Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago. Security researcher Troy...
Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners
A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple an...
Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition
Multiple software products from Adobe, Apple, Google, Microsoft, Mozilla, and Samsung were successfully pwned with previously unseen exploits in Tianfu Cup 2020, the third edition of the international cybersecurity contest held in the city of Chengdu, China. "Many mature and hard targets have bee...
Instasheep — Instagram Account Hacking Tool Released
Two days ago, we reported at The Hacker News about a critical issue in the most popular image and video sharing service, Instagram app for mobiles, that allows an attacker to hijack users’ account and successfully access private photos, delete victim's photos, edit comments and also post new...
Severe Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects
UPDATE: CVE-2022-23529 Retracted Following Review Auth0 and Unit 42 said they are formally retracting CVE-2022-23529 CVSS score: 7.6 based on the fact that several prerequisites are essential for exploitation. The cybersecurity company said "important security checks" have been added to fix the...
Zyxel Issues Patches for 4 New Flaws Affecting AP, API Controller, and Firewall Devices
Zyxel has released patches to address four security flaws affecting its firewall, AP Controller, and AP products to execute arbitrary operating system commands and steal select information. The list of security vulnerabilities is as follows - CVE-2022-0734 - A cross-site scripting XSS...
First Patch Tuesday of 2022 Brings Fix for a Critical 'Wormable' Windows Vulnerability
Microsoft on Tuesday kicked off its first set of updates for 2022 by plugging 96 security holes across its software ecosystem, while urging customers to prioritize patching for what it calls a critical "wormable" vulnerability. Of the 96 vulnerabilities, nine are rated Critical and 89 are rated...
CompTIA Security Certification Prep — Lifetime Access for just $30
At long last, top companies are starting to take cybersecurity seriously. As a consequence, technical recruiters are looking for people with hacking skills and certifications to prove it. CompTIA is seen as the gold standard when it comes to cybersecurity exams, with several certifications to...
RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts
A serious security vulnerability has been discovered in the core runC container code that affects several open-source container management systems, potentially allowing attackers to escape Linux container and obtain unauthorized, root-level access to the host operating system. The vulnerability,...
Android Phones Can Get Hacked Just by Looking at a PNG Image
Using an Android device? Beware! You have to remain more caution while opening an image file on your smartphone—downloaded anywhere from the Internet or received through messaging or email apps. Yes, just viewing an innocuous-looking image could hack your Android smartphone—thanks to three...
Google 'Titan Security Key' Is Now On Sale For $50
Google just made its Titan Security Key available on its store for $50. First announced last month at Google Cloud Next '18 convention, Titan Security Key is a tiny USB device—similar to Yubico's YubiKey—that offers hardware-based two-factor authentication 2FA for online accounts with the highest...
CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required
The U.S. Cybersecurity and Infrastructure Security Agency CISA on Friday added five security flaws to its Known Exploited Vulnerabilities KEV catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software...
NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware
A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise SWC targeting a South Korean online newspaper. Cybersecurity firm Volexity attributed the watering hole attacks to a...
How to Audit Password Changes in Active Directory
Today's admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user ...