15946 matches found
Senate Passes Bill Aimed At Combating Ransomware Attacks
The U.S. Senate has approved new legislation aimed at helping government agencies and private-sector companies combat ransomware attacks. The legislation comes as local governments and schools continue to be hit by sophisticated – and in some cases coordinated – ransomware attacks. The proposed...
Hostinger Data Breach: 14M Customer Passwords, Personal Data at Risk
Web hosting company Hostinger is warning that a breach of one of its servers potentially gave bad actors access to the hashed passwords and personal data of more than 14 million customers. Hostinger, a popular web, cloud and virtual private server hosting provider and domain registrar with 29...
GoBotKR Targets Pirate Torrents to Build a DDoS Botnet
A botnet dubbed GoBotKR is targeting fans of Korean TV, compromising computers via pirated copies of South Korean movies, games and TV shows available via Korean and Chinese torrent sites. Ultimately, the cybercriminals are building a network that can then be used to perform DDoS attacks of vario...
Hackers Favor Weekdays for Attacks, Share Resources Often
Do threat actors carry out phases of their attack on different days of the week? Do threats use the same infrastructure for exploitation and control? These may not be the sort of questions that cybersecurity professional usually think about, but their implications can actually have an important...
Carbanak Source Code Unveils a Startlingly Complex Malware
A look under the hood of FIN7’s notorious Carbanak backdoor – the result of nearly 500 total hours of analysis across 100,000 lines of code and dozens of binaries – shows that the malware is highly sophisticated – more sophisticated than expected. It’s a Cadillac in a sea of golf carts, if you...
RSAC 2019: For Domestic Abuse, IoT Devices Pose New Threat
SAN FRANCISCO – The influx of connected products in the home – from smart thermometers to connected locks – presents a disturbing new threat surface for victims of domestic abuse. That’s what Lisa Green, senior director of operations at Independent Security Evaluators, is warning conference-goers...
Adobe Patches Six Critical Flaws in ColdFusion
Adobe has released patches fixing six critical vulnerabilities in its ColdFusion product that could lead to arbitrary code-execution. The flaws impact Adobe’s ColdFusion product, which is the company’s commercial web application development platform. Impacted are the 2016 Update 6 and earlier...
Pinterest Browser Extension Injects Unwanted Code into 5K Websites
A buggy Mozilla Firefox browser extension for sharing links to Pinterest has automatically injected malformed code into at least 5,000 websites. The code injection in this instance was not malicious, but researchers at Sucuri, which discovered and reported the problem on Tuesday, said the inciden...
Multiple Bugs Found in QNAP Q’Center Web Console
Researchers found an array of high severity vulnerabilities in network storage vendor QNAP’s web console, which could enable an authenticated attacker to gain privileges and execute arbitrary commands on the system. The web-based platform, Q’center, allows users to manage network attached storage...
KRACK Vulnerability Puts Medical Devices At Risk
A slew of devices from medical technology company Becton, Dickinson and Company BD are vulnerable to the infamous KRACK key-reinstallation attack, potentially enabling hackers to change and exfiltrate patient records. The KRACK vulnerability, discovered last October, is an industry-wide glitch in...
Microsoft Releases Outlook Patches, Fixes Broken Update
During the heat of Black Hat last week, Microsoft pushed out patches for Outlook that address three newly reported vulnerabilities. Last week’s update also included fixes for six of eight vulnerabilities left unpatched after issues were reported with the June Patch Tuesday update. The most seriou...
Average Bug Bounty Payments Growing
HackerOne said Monday its average dollar payouts to participants are up, and cross site scripting vulnerabilities cause the biggest headaches for companies. The bug bounty platform provider culled data from the past four years, analyzing 50,000 reported bugs and more than $17 million in payouts t...
Patched BadTunnel Windows Bug Has 'Extensive' Impact
Among the more than three dozen vulnerabilities Microsoft patched on Tuesday was a fix for a bug that the researcher who found it said has “probably the widest impact in the history of Windows.” “There were also some wide impact vulnerabilities before, but maybe not like this extensive,” Chinese...
Public Exploits Available for ImageMagick Vulnerabilities
Within hours of the disclosure of serious vulnerabilities in ImageMagick, public exploits were available increasing the risk to thousands of websites that make use of the open source image-processing software. Attackers can append malicious code to an image file that ImageMagick will process...
Linux Kernel Privilege Escalation Flaw Patched
A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today. The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, t...
March 2015 Microsoft Patch Tuesday Security Bulletins
Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins...
Many Flash, Java Users Running Older, Vulnerable Versions
It’s long been known that Java and Flash are favored targets of attackers, thanks to their huge install bases and numerous security issues. And the users who are targeted by these attacks aren’t doing themselves any favors either, as new research shows that 19 percent of business users are runnin...
More on Office 2003 Zero Day Vulnerability Patch
This week’s patch and security advisory for a vulnerability in Microsoft Office is the perfect example of why enterprise administrators need to take Microsoft’s criticality ratings as a suggestion and not gospel. Microsoft pushed security update MS13-051 through on Tuesday with a rating of...
DHS Chief Uses 'Sandy' to Underscore Cybersecurity Threats
While the eastern United States recovers from this week’s devastasting storm, the nation’s Homeland Security chief used “Superstorm Sandy” to promote the importance of national cybersecurity protection. “One of the possible areas of attack, of course, is attacks on our nation’s control systems —...
Serious Remote PHP Bug Accidentally Disclosed
A serious remote-code execution vulnerability in PHP was accidentally disclosed Wednesday, leading to fears of an outbreak of attacks on sites that were built using vulnerable versions of PHP. The bug has been known privately since January when a team of researchers used it in a capture the flag...
Mystery of Duqu Deepens As Researchers Ponder Unknown Programming Language
Segments of code within the mysterious information stealing trojan, Duqu, seem to have been written in an unknown programming language according to a new report from Securelist. Kaspersky Lab Expert, Igor Soumenkov claims that Duqu’s payload DLL initially looked like standard Windows executable,...
Main PHP-Nuke Site Compromised
The main site for the PHP-Nuke content management system software has been compromised and is serving malicious iFrame exploits to visitors. Researchers at Websense found that the phpnuke.org site is currently serving several different exploits. The attack uses the common iFrame-redirection...
Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks
A newly discovered and complex remote access trojan RAT is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found. Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic G...
Apple iOS Update Fixes Cringey iPhone 13 Jailbreak Exploit
As if the Log4Shell hellscape wasn’t already driving everybody starkers, it’s time to update iOS 15.2 and a crop of other Apple iGadgets, lest your iPhone get taken over by a malicious app that executes arbitrary code with kernel privileges. To paraphrase one mobile security expert, the iOS 15.2...
New Twists on Gift-Card Scams Flourish on Black Friday
Black Friday cyber-pariahs have revamped gift-card scams to better target modern online shoppers hungry for deals post-Thanksgiving. Experts warn new tactics include bogus gift-card generators that install malware designed to sniff out a victim’s cryptocurrency wallet address. Internet-based Blac...
Fake Kaseya VSA Security Update Drops Cobalt Strike
A malware spam campaign is milking the Kaseya ransomware attacks against its Virtual System/Server Administrator VSA platform to spread a link pretending to be a Microsoft security update, along with an executable file that’s dropping Cobalt Strike, researchers warn. On Tuesday night, Malwarebyte...
Netgear Authentication Bypass Allows Router Takeover
Netgear has patched three bugs in one of its router families that, if exploited, can allow threat actors to bypass authentication to breach corporate networks and steal data and credentials. Microsoft security researchers discovered the bugs in Netgear DGN-2200v1 series routers while they were...
Details of RCE Bug in Adobe Experience Manager Revealed
Details of an Adobe zero-day bug found in its content-management solution Adobe Experience Manager AEM, which affected customers ranging from Mastercard, LinkedIn and PlayStation, were revealed Monday. The bug, patched in May, allowed hackers to bypass authentication protection and execute code...
‘Agrius’ APT Launches Wiper Attacks Against Israelis
A new attack group called Agrius is launching damaging wiper attacks against Israeli targets, which researchers said are hiding behind ransomware to make their state-sponsored activities appear financially motivated. Sentinel Labs analysts said they have been tracking Agrius’ operations in Israel...
Novel Email-Based Campaign Targets Bloomberg Clients with RATs
A new email-based campaign by an emerging threat actor aims to spread various remote access trojans RATs to a very specific group of targets who use Bloomberg’s industry-based services. Cisco Talos Intelligence researchers discovered the campaign, dubbing it and its perpetrator “Fajan,” and...
Robinhood Warns Customers of Tax-Season Phishing Scams
Attackers have targeted customers of stock-trading broker Robinhood with a phishing campaign aimed to steal their credentials and spread malware using fake tax documents, the company has warned. Robinhood, which aims to make it easy for people to trade stocks online but has faced a number of...
E.O. Would Strengthen Federal Cyber Requirements
The U.S. federal government is mulling changes to up its cybersecurity software game in the wake of the sprawling SolarWinds cyberattacks that came to light in December, including requiring data-breach notifications. In a draft executive order from President Joe Biden, software companies would be...
ProtonVPN CEO Blasts Apple for 'Aiding Tyrants’ in Myanmar
In a blog post filled with a passionate defense of human rights and internet privacy, Andy Yen, the CEO of secure internet provider ProtonVPN, blasted Apple for blocking its latest update and accused the tech juggernaut of helping the global spread of authoritarianism by “giving in to tyrants.” Y...
State-sponsored Threat Groups Target Telcos, Steal 5G Secrets
Chinese-language APTs are targeting telecom companies in cyberespionage campaigns aimed at stealing sensitive data and trade secrets tied to 5G technology, according to researchers. The campaigns, dubbed “Operation Diànxùn”, target and lure victims working in the telecom industry. A typical ploy...
Dark Web Markets for Stolen Data See Banner Sales
Despite an explosion in the sheer amount of stolen data available on the Dark Web, the value of personal information is holding steady, according to the 2021 Dark Web price index from Privacy Affairs. That leaves these thriving dirty data dealers in a familiar predicament — they need to lock down...
Google Play Harbors Malware-Laced Apps Bent on Spying
A malware dropper that paves the way for attackers to remotely steal data from Android phones has been spreading via nine malicious apps on the official Google Play store, according to researchers. The malware is part of a campaign aimed at lifting victims’ financial information, but which also...
Crypto Crook Hired Steven Seagal to Promote Scam, Now Faces Charges
Hundreds of investors in a fake cryptocurrency scam were bilked out of $11 million by John DeMarr, who advised them to invest in fake cryptocurrency “Bitcoiin,” took their money and spent it on a Porsche, jewelry and upgrades to his home, a criminal complaint from the Department of Justice allege...
Google Forms Set Baseline For Widespread BEC Attacks
A threat actor has been sending thousands of emails to organizations, in what researchers warn is a reconnaissance campaign to identify targets for a possible follow-up business-email-compromise BEC attack. So far, researchers have observed thousands of messages being sent to companies since...
Nando's Hackers Feast on Customer Accounts
Diners at a popular chicken-dinner chain have seen hundreds of dollars siphoned out of their bank accounts, after cybercriminals were able to access their restaurant ordering credentials. The issue though is that payment-card information is not stored within Nando’s accounts, leaving some questio...
Facebook Debuts Bug Bounty ‘Loyalty Program’
Facebook has lifted the curtain on what it claims is an industry first: A loyalty program as part of its bug-bounty offering, which aims to further incentivize researchers to find vulnerabilities in its platform. The loyalty program, called “Hacker Plus,” offers bonuses on top of bounty awards,...
Twitter: Hackers Accessed Private Messages for Elite Accounts
Hackers accessed direct messages DMs for 36 of the 130 high-profile users whose accounts were hacked in an unprecedented account breach last week, Twitter confirmed Wednesday. An elected official in the Netherlands was one of those whose DMs were compromised, the company tweeted in an update late...
Report: Most Popular Home Routers Have ‘Critical’ Flaws
A security review of 127 popular home routers found most contained at least one critical security flaw, according to researchers. The “Home Router Security Report” PDF by Peter Weidenbach and Johannes vom Dorp—both from the German think tank Fraunhofer Institute–found that not only did all of the...
Facebook's FTC-Mandated Privacy Committee Now in Effect
Facebook on Thursday said it has started to report its privacy practices to a newly formed, independent Privacy Committee. The creation of the independent committee was part of the company’s settlement a year ago with the Federal Trade Commission FTC over data privacy violations, which came in...
Singapore’s Contact Tracing Wearable Causes Privacy Backlash
Singapore’s announcement that it is developing a wearable for contact tracing has caused citizens to voice concern for the technology’s impact on their data privacy, with more than 35,000 signing a petition against the devices. On Friday during a parliament session, Vivian Balakrishnan,...
Microsoft Shells Out $100K for IoT Security
Microsoft has launched a bug-bounty program for its Azure Sphere offering, which is a security suite for the internet of things IoT that encompasses hardware, OS and cloud elements. The top reward will come in at $100,000. The Azure Sphere Security Research Challenge is an expansion of a program...
Convincing Google Impersonation Opens Door to MiTM, Phishing
An attack that uses homographic characters to impersonate domain names and launch convincing but malicious websites takes minutes and a bare modicum of skill — while reaping high rates of success in luring victims, according to an independent researcher. Researcher Avi Lumelsky set out to see how...
Twitter API Abused to Uncover User Identities
Twitter said that malicious actors, with potential ties to state-sponsored groups, were abusing a legitimate function on its platform to unmask the identity of users. The social media giant said that on Dec. 24, 2019, it discovered a large network of fake accounts abusing a legitimate API...
ThreatList: Data Breaches Batter Stock Prices at Public Companies, For Months
Much has been made of the fallout that companies face after a data breach. But for public companies, shaken investor confidence adds a whole new dimension to recovery concerns. A recent study from Comparitech shows that share prices for large breached companies will hit a low point approximately ...
Android Malware Plaguing 45K Devices Remains a Mystery
Researchers are on the hunt for the infection vector behind a mysterious mobile malware that has infected over 45,000 Android devices in the past six months. Researchers said they have detected a surge in detections of the malware, dubbed Xhelper, which can hide itself from users, download...
ThreatList: Google's Advertising Network Dominates Global Data Collection
When it comes to data collection, Google’s combined arsenal of advertising tools and services continue to help it dominate at a global level. Close behind are AOL Advertising, Moat and AppNexus. Each are singled out by researchers in new report that brings to mind the privacy-busting quote, “If...