
15946 matches found

ThreatPost | added 2018/04/10 4:21 p.m. | 30 views

Adobe Patches Four Critical Bugs in Flash, InDesign

Adobe fixed four critical vulnerabilities in its Flash Player and InDesign products as part of its regularly scheduled April Security Bulletin Tuesday morning. In all, Adobe released 19 patches for products including Adobe Experience Manager, Adobe InDesign CC, Adobe Digital Editions and the Adob...

CVSS 10 | AI score 8.9 | EPSS 0.34589 | Exploits 8 | References 12

ThreatPost | added 2018/04/10 2:48 p.m. | 34 views

Quant Loader Trojan Spreads Via Microsoft URL Shortcut Files

Researchers are warning of a new email phishing campaign that downloads and launches the Quant Loader trojan, capable of distributing ransomware and stealing passwords. Barracuda on Tuesday said it has been tracking emails containing zipped Microsoft internet shortcut files with a “.url” file...

CVSS 5.1 | AI score 0.7 | EPSS 0.11774 | Exploits 1 | References 5

ThreatPost | added 2018/04/09 6:35 p.m. | 148 views

Word Attachment Delivers FormBook Malware, No Macros Required

A new wave of document attacks targeting inboxes do not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware. Researchers at Menlo Security are reporting a wave of attacks that began last month that are targeting financial and...

CVSS 9.3 | AI score 0.5 | EPSS 0.99945 | Exploits 47 | References 6

ThreatPost | added 2018/04/09 2:33 p.m. | 17 views

Impact Of Chat Service Breach Expands To Best Buy, Kmart

The number of companies coming forward as victims of a data breach – that potentially exposed hundreds of thousands of credit card payment information – has expanded to include Best Buy and Kmart. Last week, software service provider 247.ai, a company that provides online chat services for Delta,...

AI score 0.7 | Exploits 0 | References 1

ThreatPost | added 2018/04/06 7:24 p.m. | 32 views

Mirai Variant Targets Financial Sector With IoT DDoS Attacks

A variant of the Mirai botnet was used to launch a series of distributed denial of service campaigns against financial sector businesses. The attacks utilized at least 13,000 hijacked IoT devices generating traffic volumes up to 30 Gbps, considerably less intense than the original Mirai assaults...

AI score 1 | Exploits 0 | References 12

ThreatPost | added 2018/04/06 4:7 p.m. | 9 views

Privacy Advocates Blast Facebook After Data Scraping Scandal

Privacy advocates are up in arms after CEO Mark Zuckerberg said this week a Facebook reverse search tool may have compromised the data of the social network’s two billion users. The feature in question was designed to enable users to enter a Facebook user’s phone numbers or email addresses into t...

AI score 6.7 | Exploits 0

ThreatPost | added 2018/04/05 10:48 p.m. | 6 views

Delta, Sears Breaches Blamed on Malware Attack Against a Third-Party Chat Service

Security researchers are pinning a recent data breach – that potentially exposed the credit card information of hundreds of thousands of Delta Air Lines and Sears Holdings customers – on weak third-party security policies. The cyberattack hit software service provider 247.ai, a company that...

Exploits 0 | References 6

ThreatPost | added 2018/04/05 3:12 p.m. | 7 views

Rarog Trojan ‘Easy Entry’ For New Cryptomining Crooks, Report Warns

A malware family called Rarog is becoming an appealing and affordable tool for hackers to launch cryptocurrency mining attacks, researchers say. They say the Trojan is low priced, easily configurable and supports multiple cryptocurrencies, making it an appealing option for hackers. Palo Alto...

AI score 7.6 | Exploits 0 | References 4

ThreatPost | added 2018/04/04 9:29 p.m. | 12 views

Facebook Bolsters Privacy Measures With New Data Access Restrictions

Facebook on Wednesday listed a number of new data access restrictions as the social media company looks to reassure end users that their personal information will remain private. The new measures, detailed in a post by Facebook CTO Mike Schroepfer, limit the personal data that apps can collect...

AI score 7 | Exploits 0 | References 8

ThreatPost | added 2018/04/04 7:36 p.m. | 26 views

Intel Tells Remote Keyboard Users to Delete App After Critical Bug Found

Intel said Tuesday it was putting the kibosh on a popular Android and iOS app called Intel Remote Keyboard after researchers discovered that local attackers can inject keystrokes into a remote keyboard session when in use. The Intel Remote Keyboard product is an Android and iOS app that works in...

CVSS 7.5 | AI score 8.4 | EPSS 0.01132 | Exploits 0 | References 6

ThreatPost | added 2018/04/04 3:18 p.m. | 41 views

Intel Halts Spectre Fixes On Older Chips, Citing Limited Ecosystem Support

Intel has halted patches for an array of older chips that would protect them against the Spectre vulnerability, according to a recent microcode update. The microcode update shows that its older products – including Wolfdale, Bloomfield, Clarksfield, Gulftown, Harpertown, Jasper Forest, SoFIA 3GR,...

CVSS 4.7 | AI score 0.9 | EPSS 0.74041 | Exploits 8 | References 4

ThreatPost | added 2018/04/04 2:12 p.m. | 12 views

Insecure SCADA Systems Blamed in Rash of Pipeline Data Network Attacks

After a cyberattack shut down numerous pipeline communication networks this week, experts are stressing the importance of securing third-party systems in supervisory control and data acquisition SCADA environments. Over the past two days, various major U.S. pipelines across the country reported...

AI score 0.2 | Exploits 0 | References 2

ThreatPost | added 2018/04/03 4:1 p.m. | 29 views

Google’s April Android Security Bulletin Warns of 9 Critical Bugs

Nine vulnerabilities rated critical were patched as part of Google’s Android Security Bulletin for April. Critical vulnerabilities ranged from two remote code execution vulnerabilities tied to the Android media framework, to a Qualcomm Wi-Fi component flaw that allowed a nearby attacker to use “a...

CVSS 10 | AI score 1.4 | EPSS 0.0165 | Exploits 0 | References 2

ThreatPost | added 2018/04/03 3:21 p.m. | 11 views

Panera Bread Slammed After Sitting On Massive Data Leak For Eight Months

Panera Bread has shut down a massive data leak that revealed the information of potentially millions of customers via its website. The data was exposed for up to eight months after the company was first notified of the security threat. The incident has shed light on how organizations handle...

AI score 0.2 | Exploits 0 | References 15

ThreatPost | added 2018/04/02 8:57 p.m. | 13 views

U.S. DoD Hopes To Stamp Out Threats With Bug Bounty Program

The U.S. Department of Defense is doubling down on routing out vulnerabilities in its massive government systems. On Monday, the DoD announced it was expanding its bug bounty program to include the agency’s massive Defense Travel System. The “Hack the DTS” program launched in partnership with bug...

AI score 7.1 | Exploits 0 | References 3

ThreatPost | added 2018/04/02 5:28 p.m. | 11 views

Cloudflare Launches Publicly DNS-Over-HTTPS Service

Cloudflare is hoping to boost consumer privacy, reduce the threat of man-in-the-middle attacks, and speed up the internet with a new free solution for securing domain name server traffic that uses the encrypted HTTPS channel. On Sunday, the security focused content delivery network provider,...

AI score 0.1 | Exploits 0 | References 11

ThreatPost | added 2018/04/02 3:13 p.m. | 9 views

Credit Data Stolen From 5M Saks, Lord & Taylor Customers

Hackers stole credit and debit card information from millions of consumers who have shopped at Saks Fifth Avenue and Lord & Taylor stores. Parent company, Hudson’s Bay Company, confirmed the security breach on Sunday, stating that customer payment card data at certain Saks Fifth Avenue, Saks Off...

AI score 7.2 | Exploits 0 | References 10

ThreatPost | added 2018/03/30 6:51 p.m. | 39 views

Microsoft Fixes Bad Patch That Left Win7, Server 2008 Open to Attack

Microsoft released an out-of-band fix on Thursday for a Windows vulnerability introduced earlier this year as a patch. If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2...

CVSS 7.2 | AI score 2.6 | EPSS 0.08915 | Exploits 2 | References 7

ThreatPost | added 2018/03/30 11:58 a.m. | 12 views

Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts

UPDATE Fitness apparel firm Under Armour said 150 million users of its MyFitnessPal app are victims in a breach exposing user names, email addresses and hashed passwords. The company said personal identifiable information such as credit card numbers and social security numbers were not part of th...

AI score 0.4 | Exploits 0 | References 4

ThreatPost | added 2018/03/29 3:58 p.m. | 63 views

Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable

Drupal released a patch for a “highly critical” flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS...

CVSS 7.5 | AI score 9.8 | EPSS 0.99993 | Exploits 46 | References 3

ThreatPost | added 2018/03/28 5:35 p.m. | 50 views

Cisco Patches Two Critical RCE Bugs in IOS XE Software

Three critical vulnerabilities were patched by Cisco Systems on Wednesday, each tied to the company’s widely used internetworking operating system IOS XE. Two of the bugs are remote code execution vulnerabilities that could allow an attacker to take control over affected systems. The critical bug...

CVSS 10 | AI score 2.5 | EPSS 0.9951 | Exploits 2 | References 5

ThreatPost | added 2018/03/28 12:25 p.m. | 20 views

Bad Microsoft Meltdown Patch Made Some Windows Systems Less Secure

UPDATE Researcher Ulf Frisk has created a proof-of-concept exploit demonstrating that Microsoft’s January Patch Tuesday update made security matters worse when it comes to memory vulnerabilities associated with Intel’s CPU bug Meltdown. Frisk, a Swedish IT security expert, reported on Tuesday tha...

AI score 7.1 | Exploits 0 | References 6

ThreatPost | added 2018/03/27 5:28 p.m. | 13 views

Alleged Mastermind Behind Carbanak Crime Gang Arrested

The suspected mastermind behind the Carbanak criminal gang, which is notorious for stealing as much as $1 billion from more than 100 financial institutions in a string of attacks, has been apprehended, according to the Spanish National Police. According to the European Union Agency for Law...

AI score 1.4 | Exploits 0 | References 16

ThreatPost | added 2018/03/27 3:17 p.m. | 15 views

Facebook Cracks Down On Data Misuse With Expanded Bug Bounty Program

Facebook said in the coming weeks it will expand its bug bounty program in an attempt to crackdown on data misuse by third-party app developers. The company’s bug bounty program, first started in 2011, prompts researchers to find vulnerabilities on the social media platform – but now will be...

AI score 7.1 | Exploits 0 | References 4

ThreatPost | added 2018/03/27 3:7 p.m. | 6 views

GoScanSSH Malware Targets SSH Servers, But Avoids Military and .GOV Systems

Researchers have identified a new malware family, dubbed GoScanSSH, that targets public facing SSH servers, but avoids those linked to government and military IP addresses. The malware has been in the wild since June 2017 and exhibits a number of unique characteristics, such as being written in t...

AI score 1.2 | Exploits 0 | References 1

ThreatPost | added 2018/03/26 5:9 p.m. | 11 views

Sanny Malware Updates Delivery Method

The group behind Sanny malware attacks has made significant changes to the way it delivers their payload. According to new research by FireEye, the attackers have upgraded their delivery techniques when it comes to planting malware on systems via document attachments sent as part of spam and...

AI score 7.6 | Exploits 0 | References 1

ThreatPost | added 2018/03/26 1:44 p.m. | 10 views

Facebook Woes Continue as FTC Opens Data Privacy Probe

The Federal Trade Commission on Monday announced it is launching an investigation into Facebook’s data privacy practices. The announcement is another kick to Facebook, which has been grappling with the fallout from a scandal where data from the social media platform leaked through a third-party...

Exploits 0 | References 14

ThreatPost | added 2018/03/26 11:54 a.m. | 13 views

FBI: Iranian Firm Stole Data In Massive Spear Phishing Campaign

The United States Department of Justice announced charges against nine Iranians accused of stealing private data from U.S. universities, private companies and U.S. government agencies. FBI Deputy Director David Bowdich said in a statement that the state-sponsored hackers worked for more than four...

AI score 7.1 | Exploits 0 | References 6

ThreatPost | added 2018/03/26 9:15 a.m. | 13 views

Mozilla Tests DNS over HTTPS: Meets Some Privacy Pushback

The Mozilla Foundation is testing a new mechanism for securing domain name server traffic that uses the encrypted HTTPS channel. It is an attempt to speed up the internet, reduce the threat of man-in-the-middle attacks and keep prying eyes from monitoring what users do online. Starting in the nex...

AI score 6.7 | Exploits 0 | References 11

ThreatPost | added 2018/03/23 4:54 p.m. | 9 views

Senate Gives Nod To Controversial Cross-Border Data Access Bill

The United States Senate on Thursday approved a controversial cross-border data access act, dubbed the CLOUD Act, that was part of the overall omnibus government spending bill. Buried on page 2,201 of the government spending bill is the Clarifying Lawful Overseas Use of Data Act the CLOUD Act, a...

AI score 6.6 | Exploits 0 | References 4

ThreatPost | added 2018/03/23 11:52 a.m. | 17 views

A Closer Look at APT Group Sofacy’s Latest Targets

Threatpost talks to Kaspersky Lab researcher Kurt Baumgartner who was instrumental in tracking the latest activities of the Russian-speaking Sofacy APT gang. Research shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti...

AI score 2.1 | Exploits 0 | References 2

ThreatPost | added 2018/03/23 11:14 a.m. | 15 views

Ransomware Attack Cripples Several Atlanta City Systems

UPDATE – Atlanta Mayor Keisha Lance Bottoms said during a Monday press conference that the emergency response team continues to “work around the clock” to address an ongoing ransomware attack on the city’s systems that first started Thursday. Many services are still unavailable four days after th...

AI score 0.1 | Exploits 0 | References 9

ThreatPost | added 2018/03/22 1:38 p.m. | 7 views

Drupal Forewarns ‘Highly Critical’ Bug to be Patched Next Week

UPDATE Drupal developers are being asked to give themselves extra time next week to fix a “highly critical” flaw in Drupal 7 and 8 core. In an advisory sent to developers on Wednesday, Drupal notified them that, “there will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28t...

AI score 0.4 | Exploits 0 | References 2

ThreatPost | added 2018/03/22 11:42 a.m. | 12 views

Apple To Fix Glitch Allowing Siri To Read Hidden Messages Out Loud

Apple has confirmed a privacy bug in its iPhone that allows the Siri voice assistant to read out messages from locked screens – even if the messages are hidden. First discovered by Brazilian website Mac Magazine, the privacy bug enables anyone to access third-party hidden messages that appear as...

AI score 0.9 | Exploits 0 | References 4

ThreatPost | added 2018/03/21 6:27 p.m. | 23 views

Netflix Opens Public Bug Bounty Program with $15K Payout Cap

Netflix expanded its bug bounty program on Wednesday opening it up to any white hat hacker and at the same time increased the top reward to $15,000. The bug bounty program, managed by Bugcrowd, now allows any registered hackers to scour Netflix vast mobile, cloud and software platform for minor a...

AI score 0.2 | Exploits 0 | References 2

ThreatPost | added 2018/03/21 4:36 p.m. | 10 views

Facebook CEO Vows to ‘Step Up’ After Cambridge Analytica ‘Mistakes’

Facebook CEO Mark Zuckerberg on Wednesday broke his silence on the Cambridge Analytica debacle that has unfolded over the past week, admitting “we made mistakes”. He vowed to step up to the plate when it comes to delivering better data security to Facebook users. “We have a responsibility to...

AI score 1.3 | Exploits 0 | References 2

ThreatPost | added 2018/03/21 3:56 p.m. | 37 views

Facebook Fallout Continues as Politicians Call For Legal Action

A legal backlash against Facebook’s latest controversy is starting to gain momentum. Lawmakers from around the country are calling for investigations into Facebook after the company revealed that the data of 50 million platform users had leaked through a third-party app. Both New York and...

AI score 0.2 | Exploits 0 | References 15

ThreatPost | added 2018/03/21 12:47 p.m. | 10 views

Orbitz Warns 880,000 Payment Cards Suspected Stolen

Expedia-owned travel site Orbitz said Tuesday a possible breach of both its consumer and partner platforms may have led to the disclosure of 880,000 payment cards. According to Expedia, criminals had access to Orbitz consumer and business partner platforms, but not the Orbitz.com website. The...

AI score 0.6 | Exploits 0 | References 2

ThreatPost | added 2018/03/20 6:42 p.m. | 28 views

Experts Call Facebook’s Latest Controversy a Social Media ‘Breach Of Trust’

Privacy advocates are calling on all social media platforms to more responsibly handle and restrict improper access to data in the wake of Facebook’s latest controversy where it acknowledged users’ personal information had leaked through a third-party app. “People are shocked this happened, but I...

AI score 0.4 | Exploits 0 | References 5

ThreatPost | added 2018/03/20 5:46 p.m. | 8 views

AMD Acknowledges Vulnerabilities, Will Roll Out Patches In Coming Week

AMD on Tuesday acknowledged several vulnerabilities that had been previously reported in its Ryzen and EPYC chips, and said that it would roll out firmware patches for those flaws in the coming weeks. The response comes a week after Israel-based CTS-Labs said that it has discovered 13 critical...

AI score 7.6 | Exploits 0 | References 2

ThreatPost | added 2018/03/20 3:10 p.m. | 13 views

Telegram Ordered to Hand Over Encryption Keys to Russian Authorities

Russia’s top court ruled Tuesday that the Telegram messaging service, with 9.5 million active Russian users, must hand over encryption keys to authorities. The Britain-based messaging app company, with 100 million global users, now has 15 days to provide communications regulators in Russia with t...

AI score 2.4 | Exploits 0 | References 1

ThreatPost | added 2018/03/20 10:45 a.m. | 7 views

Programs Controlling ICS Robotics Are ‘Wide Open’ to Vulnerabilities

Most manufacturers have connected their operational technology – including industrial control systems and robotic equipment –to the internet, yet the lack of basic security protocols leave these companies open to cyberattacks. Industrial security company Malcrawler pinpointed these dangers at...

AI score 2.2 | Exploits 0

ThreatPost | added 2018/03/19 6:16 p.m. | 10 views

Researchers Show How Popular Text Editors Can Be Attacked Via Third-Party Plugins

Security risks in popular extensible text editors allow hackers to abuse plugins and escalate privileges on targeted systems, according to new research from SafeBreach. Inadequate separation of regular and elevated access modes used in editors and a lack of folder permissions integrity allow...

AI score 0.8 | Exploits 0 | References 8

ThreatPost | added 2018/03/19 1:53 p.m. | 13 views

Facebook Data Privacy Policies Bashed By Critics After Cambridge Analytica Incident

Facebook is in hot water after acknowledging that a consulting group – that has worked on several high profile political campaigns, including that of President Donald Trump’s – used the social media company’s platform to harvest the data of 50 million users. The company last week said that in 201...

AI score 6.8 | Exploits 0 | References 13

ThreatPost | added 2018/03/19 12:16 p.m. | 14 views

A Mirai Botnet Postscript: Lessons Learned

The fall 2016 Mirai botnet compromised more than 300,000 IoT devices as part of a massive DDoS attack. After the crippling attack, Flashpoint and Akamai worked together with law enforcement to help bring those behind the botnet attack to justice. Threatpost’s Tom Spring sits down with Flashpoint’...

AI score 7.3 | Exploits 0 | References 1

ThreatPost | added 2018/03/16 4:15 p.m. | 50 views

New Microsoft Bug Bounty Program Looks To Squash The Next Spectre, Meltdown

In the wake of the Meltdown and Spectre flaws, Microsoft has rolled out a new bug bounty program targeting speculative execution side channel vulnerabilities. The limited time program is open until December 31, and offers up to $250,000 for identifying new categories of speculative execution...

CVSS 7.2 | AI score 1.6 | EPSS 0.93838 | Exploits 14 | References 4

ThreatPost | added 2018/03/16 11:26 a.m. | 15 views

The ‘Perfect Storm’ of Disinformation and Hacking

We live in an age of fake news, misinformation and disinformation. Recently, we have been falling for it – mostly. That is largely thanks to a confluence of social media, hacking and good old fashion disinformation campaigns, according to Matt “Pwn all the Things” Tait, a senior cybersecurity...

AI score 0.5 | Exploits 0 | References 1

ThreatPost | added 2018/03/16 10:38 a.m. | 106 views

Intel Details CPU ‘Virtual Fences’ Fix As Safeguard Against Spectre, Meltdown Flaws

Intel introduced hardware-based protections to its new chips to protect against the Spectre and Meltdown flaws that rocked the silicon industry when the vulnerabilities were made public in early 2018. Spectre and Meltdown, which account for three variants of a side-channel analysis security issue...

CVSS 4.7 | AI score 2.2 | EPSS 0.84172 | Exploits 3 | References 15

ThreatPost | added 2018/03/15 6:1 p.m. | 9 views

GandCrab Ransomware Crooks Take Agile Development Approach

Earlier this month, command-and-control servers tied to the fast-growing GandCrab ransomware campaigns were seized by Romanian Police and Europol. But, criminals behind GandCrab don’t appear phased by the setback and have already tweaked the malware to keep ransomware payment coming in. According...

AI score 0.8 | Exploits 0 | References 2

ThreatPost | added 2018/03/15 5:47 p.m. | 17 views

Walmart Jewelry Partner Exposes Personal Data Of 1.3M Customers

A misconfigured Amazon S3 Simple Storage Service bucket, managed by a Walmart jewelry partner, left personal details and contact information of 1.3 million customers exposed to the public internet. The S3 repository containing a MSSQL database backup belongs to MBM Company, a Chicago, Ill.-based...

AI score 0.4 | Exploits 0 | References 3

Total number of security vulnerabilities: 15946