
20754 matches found

The Hacker News
added 2022/01/10 2:35 p.m., 83 views

Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries

A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Snyk,...

7.6 CVSS, 7.3 AI score, 0.06053 EPSS
Exploits: 3
The Hacker News
added 2022/01/03 3:43 a.m., 83 views

Microsoft Issues Fix for Exchange Y2K22 Bug That Crippled Email Delivery Service

Microsoft, over the weekend, rolled out a fix to address an issue that caused email messages to get stuck on its Exchange Server platforms due to what it blamed on a date validation error at around the turn of the year. "The problem relates to a date check failure with the change of the new year...

2 AI score
Exploits: 0
The Hacker News
added 2021/10/18 4:0 p.m., 83 views

Why Database Patching Best Practice Just Doesn't Work and How to Fix It

Patching really, really matters – patching is what keeps technology solutions from becoming like big blocks of Swiss cheese, with endless security vulnerabilities punching hole after hole into critical solutions. But anyone who's spent any amount of time maintaining systems will know that patchin...

10 CVSS, 8.8 AI score, 0.6773 EPSS
Exploits: 17
The Hacker News
added 2021/06/10 10:51 a.m., 83 views

Emerging Ransomware Targets Dozens of Businesses Worldwide

An emerging ransomware strain in the threat landscape claims to have breached 30 organizations in just four months since it went operational by riding on the coattails of a notorious ransomware syndicate. First observed in February 2021, "Prometheus" is an offshoot of another well-known ransomwar...

7.5 CVSS, 1 AI score, 0.99906 EPSS
Exploits: 0
The Hacker News
added 2021/04/24 8:9 a.m., 83 views

Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs

Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords following a supply chain attack. The Adelaide-based firm said a bad actor used sophisticated techniques to compromise the software's update...

0.4 AI score
Exploits: 0
The Hacker News
added 2020/12/17 10:28 a.m., 83 views

Software Supply-Chain Attack Hits Vietnam Government Certification Authority

Cybersecurity researchers today disclosed a new supply-chain attack targeting the Vietnam Government Certification Authority (VGCA) that compromised the agency's digital signature toolkit to install a backdoor on victim systems. Uncovered by Slovak internet security company ESET early this month, t...

0.2 AI score
Exploits: 0
The Hacker News
added 2020/11/25 7:14 a.m., 83 views

2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software

cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account. The issue, tracked as "SEC-575" and discovered...

0.7 AI score
Exploits: 0
The Hacker News
added 2020/04/23 10:1 a.m., 83 views

Hackers Trick 3 British Private Equity Firms Into Sending Them $1.3 Million

In a recent highly targeted BEC attack, hackers managed to trick three British private equity firms into wire-transferring a total of $1.3 million to the bank accounts fraudsters have access to — while the victimized executives thought they closed an investment deal with some startups. According ...

7.5 AI score
Exploits: 0
The Hacker News
added 2019/12/23 12:41 p.m., 83 views

The Best Templates for Posting Cybersecurity Jobs

The cybersecurity of a company is heavily reliant upon the skills and knowledge of the people who install, manage, and operate its security products. This means that recruiting and nurturing the best security team possible should be a CISO's top priority. Cynet's Ultimate Cybersecurity Job Postin...

7.4 AI score
Exploits: 0
The Hacker News
added 2019/12/16 1:11 p.m., 83 views

5 Reasons Why Programmers Should Think like Hackers

Programming has five main steps: the identification and definition of the problem, the planning of the solution for the problem, coding of the program, testing, and documentation. It's a meticulous process that cannot be completed without going through all the essential points. In all of these,...

7.5 AI score
Exploits: 0
The Hacker News
added 2019/09/17 12:5 p.m., 83 views

Thousands of Google Calendars Possibly Leaking Private Information Online

"Warning — Making your calendar public will make all events visible to the world, including via Google search. Are you sure?" Remember this security warning? No? If you have ever shared your Google Calendars, or maybe inadvertently, with someone that should not be publicly accessible anymore, you...

0.1 AI score
Exploits: 0
The Hacker News
added 2019/09/11 7:41 a.m., 83 views

Mozilla Launches 'Firefox Private Network' VPN Service as a Browser Extension

Mozilla has officially launched a new privacy-focused VPN service, called Firefox Private Network, as a browser extension that aims to encrypt your online activity and limit what websites and advertisers know about you. Firefox Private Network service is currently in beta and available only to...

1.2 AI score
Exploits: 0
The Hacker News
added 2019/06/19 9:0 p.m., 83 views

Gain the Trust of Your Business Customers With SOC 2 Compliance

In today's business environment, data is what matters most. It matters to organizations that monetize it into operational insights and optimisations, and it matters to the threat actors that relentlessly seek to achieve similar monetisation by compromising it. In the very common scenario in which...

7.3 AI score
Exploits: 0
The Hacker News
added 2019/04/01 3:7 p.m., 83 views

How Endpoint Management Can Keep Workplace IT Secure

Workplaces have become highly connected. Even a small business could have dozens of devices in the form of desktops, mobile devices, routers, and even smart appliances as part of its IT infrastructure. Unfortunately, each of these endpoints can now be a weak link that hackers could exploit. Hacke...

7.6 AI score
Exploits: 0
The Hacker News
added 2019/03/29 10:58 a.m., 83 views

Here's the List of ~600 MAC Addresses Targeted in Recent ASUS Hack

EXCLUSIVE — While revealing details of a massive supply chain cyber attack against ASUS customers, Russian security firm Kaspersky last week didn't release the full list of all MAC addresses that hackers hardcoded into their malware to surgically target a specific pool of users. Instead, Kaspersky...

0.2 AI score
Exploits: 0
The Hacker News
added 2019/02/13 9:57 a.m., 83 views

Researchers Implant "Protected" Malware On Intel SGX Enclaves

Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification. In other words, the technique allows attackers to...

1.3 AI score
Exploits: 0
The Hacker News
added 2018/06/05 6:5 p.m., 83 views

MyHeritage Says Over 92 Million User Accounts Have Been Compromised

MyHeritage, the Israel-based DNA testing service designed to investigate family history, has disclosed that the company website was breached last year by unknown attackers, who stole login credentials of its more than 92 million customers. The company learned about the breach on June 4, 2018, aft...

0.1 AI score
Exploits: 0
The Hacker News
added 2018/01/04 9:18 p.m., 83 views

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products. The issues apply to all modern processors and affect nearly all operating systems Windows, Linux,...

4.7 CVSS, 6.4 AI score, 0.93838 EPSS
Exploits: 12
The Hacker News
added 2017/11/15 9:43 p.m., 83 views

Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices

Remember BlueBorne? A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo. As estimated during the discover...

8.3 CVSS, 8 AI score, 0.16181 EPSS
Exploits: 21
The Hacker News
added 2017/06/19 8:49 p.m., 83 views

A Decade Old Unix/Linux/BSD Root Privilege-Escalation Bug Discovered

Update: Find working Exploits and Proof-of-Concepts at the bottom of this article. Security researchers have discovered more than a decade-old vulnerability in several Unix-based operating systems — including Linux, OpenBSD, NetBSD, FreeBSD and Solaris — which can be exploited by attackers to...

6.2 CVSS, 8.7 AI score, 0.05186 EPSS
Exploits: 3
The Hacker News
added 2024/04/06 9:43 a.m., 82 views

Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites

Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way f...

9.1 CVSS, 8.3 AI score, 0.03687 EPSS
Exploits: 0
The Hacker News
added 2023/10/18 12:27 p.m., 82 views

Critical Citrix NetScaler Flaw Exploited to Target from Government, Tech Firms

Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information. Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions - NetScaler ADC and...

9.4 CVSS, 8.1 AI score, 0.99999 EPSS
Exploits: 15
The Hacker News
added 2023/10/02 8:2 a.m., 82 views

OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code

A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse...

9.8 CVSS, 8.5 AI score, 0.99618 EPSS
Exploits: 20
The Hacker News
added 2023/09/13 2:5 p.m., 82 views

Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints

Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster. The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact...

8.2 AI score, 0.11668 EPSS
Exploits: 2
The Hacker News
added 2023/08/24 11:12 a.m., 82 views

WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch...

6.9 AI score, 0.97798 EPSS
Exploits: 50
The Hacker News
added 2021/07/17 12:33 p.m., 82 views

Instagram Launches 'Security Checkup' to Help Users Recover Hacked Accounts

Instagram earlier this week introduced a new "Security Checkup" feature that aims to keep accounts safe and help users—whose accounts may have been compromised—to recover them. In order to gain access to accounts, users will be prompted to perform a series of steps, which include checking recent...

1.9 AI score
Exploits: 0
The Hacker News
added 2021/03/27 9:14 a.m., 82 views

Watch Out! That Android System Update May Contain A Powerful Spyware

Researchers have discovered a new information-stealing trojan, which targets Android devices with an onslaught of data-exfiltration capabilities — from collecting browser searches to recording audio and phone calls. While malware on Android has previously taken the guise of copycat apps, which go...

0.1 AI score
Exploits: 0
The Hacker News
added 2019/06/06 12:34 p.m., 82 views

Cryptocurrency Firm Itself Hacked Its Customers to Protect Their Funds From Hackers

Are you using Komodo's Agama Wallet to store your KMD and BTC cryptocurrencies? Were your funds also unauthorisedly transferred overnight to a new address? If yes, don't worry, it's probably safe, and if you are lucky, you will get your funds back. Here's what exactly happened… Komodo, a...

0.2 AI score
Exploits: 0
The Hacker News
added 2018/07/05 10:28 a.m., 82 views

Password-Guessing Was Used to Hack Gentoo Linux Github Account

Maintainers of the Gentoo Linux distribution have now revealed the impact and "root cause" of the attack that saw unknown hackers taking control of its GitHub account last week and modifying the content of its repositories and pages. The hackers not only managed to change the content in compromis...

0.2 AI score
Exploits: 0
The Hacker News
added 2016/11/09 6:12 a.m., 82 views

Microsoft Patches Windows Zero-Day Flaw Disclosed by Google

Microsoft was very upset with Google last week when its Threat Analysis Group publicly disclosed a critical Windows kernel vulnerability (CVE-2016-7255) that had yet to be patched. The company criticized Google's move, claiming that the disclosure of the vulnerability, which was being exploited i...

7.2 CVSS, 7.7 AI score, 0.80968 EPSS
Exploits: 24
The Hacker News
added 2025/02/18 3:34 p.m., 81 views

New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. The vulnerabilities, detailed by the...

8.1 CVSS, 8.1 AI score, 0.99506 EPSS
Exploits: 73
The Hacker News
added 2024/02/26 4:57 a.m., 81 views

LockBit Ransomware Group Resurfaces After Law Enforcement Takedown

The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise seized control of its servers. To that end, the notorious group has moved its data leak portal to a new .onion address on the TO...

9.8 CVSS, 9.4 AI score, 0.08003 EPSS
Exploits: 3
The Hacker News
added 2024/01/10 5:26 a.m., 82 views

Microsoft's January 2024 Windows Update Patches 48 New Vulnerabilities

Microsoft has addressed a total of 48 security flaws spanning its software as part of its Patch Tuesday updates for January 2024. Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at...

8.8 CVSS, 9.7 AI score, 0.17168 EPSS
Exploits: 3
The Hacker News
added 2023/07/14 7:5 a.m., 81 views

Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation

Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. "A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the...

9.1 CVSS, 7 AI score, 0.59041 EPSS
Exploits: 0
The Hacker News
added 2023/05/26 4:4 a.m., 81 views

Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances

Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company's Email Security Gateway (ESG) appliances. The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection...

6.8 AI score, 0.86956 EPSS
Exploits: 3
The Hacker News
added 2023/05/25 2:43 p.m., 81 views

Zyxel Issues Critical Security Patches for Firewall and VPN Products

Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out ...

9.8 CVSS, 8.6 AI score, 0.99284 EPSS
Exploits: 8
The Hacker News
added 2022/11/14 1:3 p.m., 81 views

New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders

Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT). Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the...

7.8 CVSS, 0.1 AI score, 0.18188 EPSS
Exploits: 5
The Hacker News
added 2022/09/14 2:4 p.m., 81 views

Lorenz Ransomware Exploit Mitel VoIP Systems to Breach Business Networks

The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting...

10 CVSS, 1.4 AI score, 0.56967 EPSS
Exploits: 0
The Hacker News
added 2022/08/03 4:49 a.m., 81 views

VMware Releases Patches for Several New Flaws Affecting Multiple Products

Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues, tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8), impact...

1.2 AI score, 0.18428 EPSS
Exploits: 6
The Hacker News
added 2021/10/20 8:16 a.m., 81 views

OWASP's 2021 List Shuffle: A New Battle Plan and Primary Foe

Code injection attacks, the infamous king of vulnerabilities, have lost the top spot to broken access control as the worst of the worst, and developers need to take notice. In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will...

0.5 AI score
Exploits: 0
The Hacker News
added 2021/09/21 12:27 p.m., 81 views

Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug

Unidentified threat actors breached a server running an unpatched, 11-year-old version of Adobe's ColdFusion 9 software in minutes to remotely take over control and deploy file-encrypting Cring ransomware on the target's network 79 hours after the hack. The server, which belonged to an unnamed...

9.8 CVSS, 1 AI score, 0.99721 EPSS
Exploits: 25
The Hacker News
added 2021/07/03 7:37 a.m., 81 views

Learn to Code — Get 2021 Master Bundle of 13 Online Courses @ 99% OFF

Whether you are looking to turn into a full-time developer or simply increasing your earnings in your current niche, learning to code can be a smart move. It is a well-known fact that recruiters strive to recruit people with technical skills, and these skills are a great way to build your own...

7.4 AI score
Exploits: 0
The Hacker News
added 2019/12/20 1:18 p.m., 81 views

Apple Opens Its Invite-Only Bug Bounty Program to All Researchers

As promised by Apple in August this year, the company today finally opened its bug bounty program to all security researchers, offering monetary rewards to anyone for reporting vulnerabilities in the iOS, macOS, watchOS, tvOS, iPadOS, and iCloud to the company. Since its launch three years ago,...

7.4 AI score
Exploits: 0
The Hacker News
added 2019/12/13 10:21 a.m., 81 views

Flaw in Elementor and Beaver Addons Let Anyone Hack WordPress Sites

Attention WordPress users! Your website could easily get hacked if you are using "Ultimate Addons for Beaver Builder," or "Ultimate Addons for Elementor" and haven't recently updated them to the latest available versions. Security researchers have discovered a critical yet easy-to-exploit...

1.3 AI score
Exploits: 0
The Hacker News
added 2019/11/23 9:21 a.m., 81 views

Dozens of Severe Flaws Found in 4 Popular Open Source VNC Software

Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years and the most severe of which could allow remote attackers to compromise a targeted system. VNC (virtual network computing) is an open...

1.2 AI score
Exploits: 0
The Hacker News
added 2019/11/19 1:35 p.m., 81 views

Louisiana State Government Hit by Ransomware Attack Forcing Server Shutdowns

Targeted ransomware attacks on banking and finance, government, healthcare, and critical infrastructure are on the rise, with the latest victim being the state government of Louisiana. The state government of Louisiana was hit by a large-scale coordinated ransomware attack yesterday, which forced...

6.5 AI score
Exploits: 0
The Hacker News
added 2019/11/14 11:0 a.m., 81 views

Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices

Hundreds of millions of devices, especially Android smartphones and tablets, using Qualcomm chipsets, are vulnerable to a new set of potentially serious vulnerabilities. According to a report cybersecurity firm CheckPoint shared with The Hacker News, the flaws could allow attackers to steal...

7.1 CVSS, 0.8 AI score, 0.01589 EPSS
Exploits: 1
The Hacker News
added 2019/03/26 2:14 p.m., 81 views

New Settings Let Hackers Easily Pentest Facebook, Instagram Mobile Apps

Facebook has introduced a new feature in its platform that has been designed to make it easier for bug bounty hunters to find security flaws in Facebook, Messenger, and Instagram Android applications. Since almost all Facebook-owned apps by default use security mechanisms such as Certificate...

0.5 AI score
Exploits: 0
The Hacker News
added 2019/01/16 10:56 a.m., 81 views

Fortnite Flaws Allowed Hackers to Takeover Gamers' Accounts

Check Point researchers have discovered multiple security vulnerabilities in Fortnite, a massively popular online battle game, one of which could have allowed remote attackers to completely take over player accounts just by tricking users into clicking an unsuspectable link. The reported Fortnite...

7.8 AI score
Exploits: 0
The Hacker News
added 2018/08/23 9:41 a.m., 81 views

New Android Malware Framework Turns Apps Into Powerful Spyware

Security researchers have uncovered a new, powerful Android malware framework that is being used by cybercriminals to turn legitimate apps into spyware with extensive surveillance capabilities—as part of what seems to be a targeted espionage campaign. Legitimate Android applications when bundled...

0.6 AI score
Exploits: 0
Total number of security vulnerabilities: 5000