Unpatched Security Flaws Open Connected Vacuum to Takeover
SAN FRANCISCO – Researchers have discovered several high-severity vulnerabilities in a connected vacuum cleaner. The security holes could give remote attackers the capability to launch an array of attacks — from a denial of service (DoS) attack that renders the vacuum unusable, to viewing private...
Stalkerware Attacks Increased 50 Percent Last Year, Report
The number of stalkerware attacks on mobile devices increased 50 percent over the last year, showing an upward and continued trend in the emerging threat, researchers said. Over the past year, the instances of stalkerware—which tracks users without their knowledge and can result in harassment,...
Video: Ransomware a Growing Industrial Security Threat
SAN FRANCISCO – Today, Operational Technology (OT) and Information Technology systems are merging and changing security playbooks. Here at RSA Conference 2020, Waterfall Security’s CEO and co-founder Lior Frenkel describes the front lines of the convergence. Frenkel maintains that just as more...
RSAC 2020: Blockchain is 'Garbage In', Voting Needs Paper Ballots
SAN FRANCISCO – Cryptography is at the heart of security, especially here at this week’s RSAC 2020. And during the event’s annual Cryptographer’s Panel, industry leaders broke down their top crypto-concerns, including privacy regulations, election security and blockchain. Privacy is clearly a top...
Google Patches Chrome Browser Zero-Day Bug, Under Attack
Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms. The zero-day vulnerability, tracked as CVE-2020-6418, is a type confusion bug and has a severity rati...
RSAC 2020 Keynote: Changing the World's False Perception of Cybersecurity
SAN FRANCISCO – Today, cybersecurity is portrayed in the media and by businesses as an ongoing complex conflict between defenders and cybercriminals, with heightened noise around hyper-technical proof-of-concept attacks, or nation state threats. But, the reality is starkly different, said Rohit...
Sen. Schumer Pushes for TSA Employee Ban on TikTok App at Work
The Transportation Safety Authority (TSA) has become the latest federal agency to ban the use of TikTok among its employees based on national-security fears over how ByteDance, the Beijing-based company that owns the app, uses the data collected by it. Some TSA employees have used the app to create...
Free Download: The Ultimate Security Pros’ Checklist
As a cybersecurity professional responsible for keeping your organization secure, you know your job chapter and verse, from high-level reporting duties to the bits and bytes of what malware targeted your endpoints a week ago. But it’s a lot to hold in one’s mind, so to make your lif...
Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data
Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email...
Data Breach Occurs at Agency in Charge of Secure White House Communications
Hackers have compromised the Department of Defense (DoD) agency in charge of securing and managing communications for the White House, leaking personally identifiable information (PII) of employees and leading to concerns over the safety of the communications of top-level U.S. officials in the run-up...
Lawsuit Claims Google Collects Minors’ Locations, Browsing History
Google was slapped with a lawsuit this week that alleges that it has been covertly collecting data of students via its G Suite for Education program, which offers its productivity services to students for free. Google’s G Suite for Education program (formerly known as Google Education) offers free...
Active Attacks Target Popular Duplicator WordPress Plugin
Active exploits are targeting a recently patched flaw in the popular WordPress plugin Duplicator, which has more than 1 million active installations. So far, researchers have seen 60,000 attempts to harvest sensitive information from victims. Researchers at Wordfence who discovered the in-the-wil...
RSAC 2020: Editors' Preview of Hottest Sessions, Speakers and Themes
The RSA 2020 conference kicks off next week in San Francisco, this year with a theme looking at the “human element” of cybersecurity. As they prepare to cover the show, Threatpost editors Lindsey O’Donnell-Welch, Tom Spring and Tara Seals break down the biggest news, stories and trends that they...
Burning Man Tickets for $225? Yep, Too Good to Be True
Burning Man aficionados anxious to get their tickets squared away for the 2020 “experience” should beware: Fake concert organizers are offering passes in what researchers say is a very convincing and sophisticated scam effort. Burning Man, which bills itself as a “vibrant participatory metropolis...
ISS World Hit with Malware Attack that Shuts Down Global Computer Network
A Denmark-based global facility-management company was hit with a major cyber attack this week that shut down its worldwide computer systems for a few days and disrupted operations across its global network of employees. ISS World cut off access to shared IT services across its customer sites and...
New 'Haken' Malware Found On Eight Apps In Google Play Store
Researchers have identified eight malicious Android apps in the official Google Play marketplace distributing a new malware family. The “Haken” malware exfiltrates sensitive data from victims and covertly signs them up for expensive premium subscription services. The eight apps in question, which...
Google Bans 600 Android Apps for Obnoxious Ads
Google has removed nearly 600 Android apps from the Play Store for serving up obnoxious, invasive ads that aren’t easily “x’d” out of. The internet giant said the enforcement action was a strike against mobile ad fraud. Google said Thursday that the apps violated its disruptive ads policy – and a...
Critical Cisco Bug Opens Software Licensing Manager to Remote Attack
A critical flaw in the High Availability (HA) service of Cisco Smart Software Manager On-Prem Base has been uncovered, which would open the door to remote attackers thanks to its use of a static, default password, even if the platform isn’t directly connected to the internet. Cisco Smart Software...
Cybergang Favors G Suite and Physical Checks For BEC Attacks
Researchers have uncovered a new business email compromise (BEC) threat actor, which they call Exaggerated Lion, targeting thousands of U.S. companies with money pilfering scams. The cybercrime ring is unique in its leveraging of Google’s cloud-based productivity suite, G Suite, and for its use of...
Critical Adobe Flaws Fixed in Out-of-Band Update
Adobe has issued unscheduled patches for two critical vulnerabilities that, if exploited, enable an attacker to execute remote code on targeted devices. The two apps affected by the critical flaws are Adobe After Effects, a visual effects and motion graphics app used for post-production film maki...
MGM Grand Breach Leaked Details of 10.6 Million Guests Last Summer
A hacking forum this week published details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer. The incident—revealed in a published report on ZDNet...
U.S. Pipeline Disrupted by Ransomware Attack
A ransomware attack has hit a natural gas compression facility in the U.S., the feds have warned. The attack resulted in a two-day pipeline shutdown as the unnamed victim worked to bring systems back online from backups. The attackers were able to penetrate the IT portion of the facility’s network,...
BlueKeep Flaw Plagues Outdated Connected Medical Devices
While Microsoft issued patches for the infamous BlueKeep vulnerability almost a year ago, researchers warn that almost half of connected medical devices in hospitals run on outdated Windows versions that are still vulnerable to the Remote Desktop Protocol (RDP) flaw. Researchers said they found tha...
SMS Attack Spreads Emotet, Steals Bank Credentials
Attackers are sending SMS messages purporting to be from victims’ banks – but once they click on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware. Emotet has continued to evolve since its...
Hamas Ensnares Israeli Soldiers with Pretty 'Ladies'
Hamas has been caught taking a classic “catfish” approach, to tempt Israeli soldiers into installing spyware on their phones. Members posed as teen girls who are looking for quality chat time. This is the third time that the Palestinian group has used the tactic – but this time it upped its...
Cynet Offers Free Threat Assessment for Mid-Sized and Large Organizations
Visibility into an environment’s attack surface is the fundamental cornerstone of sound security decision making. However, the standard process of third-party threat assessment as practiced today is both time consuming and expensive. Cynet changes the rules of the game with a free threat assessment...
Small Tax-Preparation Firms at Higher Risk this Tax Season, Report
This tax season, crooks are targeting users with a new crop of scams that include leveraging remote desktop software and compromising small tax-prep company websites. “If you have the word ‘tax’ in your domain name, you’re a target this year,” warns Sherrod DeGrippo, senior director of threat...
FC Barcelona Suffers Likely Credential-Stuffing Attack on Twitter
Just ahead of its Champions League Round of 16 appearance next week, FC Barcelona’s official Twitter account was hacked in an apparent credential-stuffing attack. The strike resulted in account takeover and bogus tweets being sent out. The hacking collective known as OurMine, which made headline...
Ring Mandates 2FA After Rash of Hacks
Connected doorbell-maker Ring is now requiring two-factor authentication (2FA) for all users when they sign into their accounts. The new requirement comes after Ring faced a backlash in December following a rash of disturbing hacks and security issues tied to the smart doorbell. While Amazon-owned...
Iran-Backed APTs Collaborate on 3-Year 'Fox Kitten' Global Spy Campaign
Two Iran-backed APTs could be working together on a sprawling, three-year campaign to compromise high-value organizations from the IT, telecom, oil and gas, aviation, government and security sectors in Israel and around the world, according to a report by researchers at ClearSky. They maintain,...
Active Exploits Hit Vulnerable WordPress ThemeGrill Plugin
Researchers are urging users of a vulnerable WordPress plugin, ThemeGrill Demo Importer, to update as soon as possible after discovering attackers are actively exploiting a flaw in the plugin. The ThemeGrill Demo Importer plugin is owned by ThemeGrill, which offers various templates for website...
Hacker Scheme Threatens AdSense Customers with Account Suspension
A new e-mail based extortion attack threatens users of Google’s AdSense banner-ad program with creating online behavior that will warrant them an account suspension—perhaps a permanent one—from Google if they don’t pay the attackers in bitcoin. The scam—revealed in a post by security writer and...
Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs
Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium. TouchPad and TrackPoint firmware in Lenovo laptops, HP Wide Vision FHD camera firmware in HP...
Huawei Controversy Highlights 5G Security Implications
The controversy over Huawei’s involvement in the 5G telecom gear market ratcheted up a notch this week. U.S. officials said they have evidence that the Chinese equipment giant has had access to backdoors inside mobile carrier networks for more than 10 years. Officials are trying to make the case...
500 Malicious Chrome Extensions Impact Millions of Users
Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers, and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from...
Apple iPhone Users Bombarded with Bogus Dating App for Valentine's Day
A malicious email campaign aimed at iPhone owners is making the rounds this week, using a bouquet of different themes to scam victims, just in time for Valentine’s Day – including a fake dating app. The gambit begins far afield from romance however, with an email from “Nerve Renew,” claiming to...
SMS Phishing Campaign Targets Mobile Bank App Users in North America
A mobile phishing campaign that targeted customers of more than a dozen North American banks, including Chase, Royal Bank of Canada and TD Bank, managed to hook nearly 4,000 victims. The attacks used an automated SMS tool to blast bogus security text messages to mobile phone users between June an...
News Wrap: Valentine's Day Scams and Emotet's Wi-Fi Hack
Threatpost editors Tara Seals and Lindsey O’Donnell-Welch break down the top stories for this week, ended Feb. 14, including: Recent phishing scams – including ones with a romance hook – continue to trick victims, showing that phishing tactics still work in stealing millions from individuals,...
Researchers: Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App
Security researchers have found key flaws in a mobile voting app that some states plan to use in the 2020 election that can allow hackers to launch both client- and server-side attacks that can easily manipulate or even delete someone’s vote, as well as prevent a reliable audit from taking place...
Critical WordPress Plugin Bug Afflicts 700K Sites
A popular WordPress plugin, which helps make websites compliant with the General Data Protection Regulation (GDPR), has issued fixes for a critical flaw. If exploited, the vulnerability could enable attackers to modify content or inject malicious JavaScript code into victim websites. The plugin, GD...
Privacy Experts Skeptical of Proposed Data Protection Agency
A new federal bureaucracy, the Data Protection Agency (DPA), has been proposed to completely revamp how the U.S. government regulates data collection and misuse by big tech companies. However, while privacy experts call the agency a “good first step,” they remain skeptical about how effective it...
Puerto Rico Gov Hit By $2.6M Phishing Scam
A phishing scam has swindled a Puerto Rico government agency out of more than $2.6 million, according to reports. The email-based phishing scam hit Puerto Rico’s Industrial Development Company, which is a government-owned corporation aimed at driving economic development to...
Google: Efforts Against Bad Android Apps on Play Store Are Working
Some of the efforts Google has made over the past few years to bolster the security of Android app users as well as the mobile apps available on its Google Play store are starting to work, according to the tech giant. The company, which historically has struggled mightily to keep bad apps and...
Mozilla Firefox 73 Browser Update Fixes High-Severity RCE Bugs
Mozilla has launched the latest version of its Firefox browser, which knocks out high-severity security flaws that leave systems open to attack by a remote adversary. The patched version of Mozilla’s browser, launched on Tuesday, is Firefox 73 and Firefox ESR 68.5. The Firefox ESR browser is its...
SoundCloud Tackles DoS, Account Takeover Issues
Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing. SoundCloud recently sold a $75 million stake to satellite...
Katie Moussouris: The Bug Bounty Conflict of Interest
Since the launch of the Hack the Pentagon program in 2016, bug bounty programs continue to increase in popularity – however, as more programs are created, some companies are forgetting the real reason behind bug bounties. Instead of aiming to make their systems more secure, companies are viewing...
Report to Your Management with the Definitive ‘IR Management and Reporting’ presentation Template
The realistic approach to security is that incidents occur. While ideally, the CISO would want to prevent all of them, in practice some will succeed to a certain degree—making the ability to efficiently manage an incident response process a mandatory skill for any CISO. Moreover, apart from the...
FBI: $3.5B Lost in 2019 to Known Cyberscams, Ransomware
Cybercriminals are focusing on previously successful internet scams to defraud businesses and individuals in the United States out of more money than ever before, according to the FBI’s annual report on cybercrime. Meanwhile, ransomware continues to take a big financial toll on victims. Businesse...
Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches
Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important. The update includes a patch for the zero-day...
Intel Patches High-Severity Flaw in Security Engine
Intel is warning of a high-severity flaw in the firmware of its converged security and management engine (CSME), which if exploited could allow privilege escalation, denial of service and information disclosure. CSME powers Intel’s Active Management System hardware and firmware technology, used for...