Adobe Fixes Critical Flash Player Code Execution Flaws
Adobe has issued patches for critical vulnerabilities in Flash Player which, if exploited, could lead to arbitrary code execution. Overall, as part of its September Security Bulletin, Adobe patched three vulnerabilities, including two critical-severity flaws in Flash Player and one “important”...
U.S. Manufacturer Most Recent Target of LokiBot Malspam Campaign
The well-known LokiBot malware has popped up in several malicious spam campaigns over the past year, covertly siphoning information from victims’ compromised endpoints. Researchers this week are warning of the most recent sighting of the malware, which was recently spotted in spam messages...
Vulnerabilities in D-Link, Comba Routers Can Leak Credentials
Researchers have discovered vulnerabilities in D-Link and Comba Telecom routers that can leak passwords for the devices and have the potential to affect every user on networks that use them for access. Trustwave SpiderLabs Security Researcher Simon Kenin discovered the vulnerabilities—two in a...
PsiXBot Adds PornModule, Google DNS Service to Its Arsenal
The PsiXBot malware has made a few changes in recent weeks, including implementing Google’s DNS over HTTPS (DoH) and adding the blackmail-ready “PornModule” to its bag of tricks. PsiXBot is a multi-use Windows malware that has a range of capabilities, including keylogging, stealing passwords and...
Stealth Falcon Targets Middle East with Windows BITS Feature
The notorious Stealth Falcon cyberespionage group has adopted a new backdoor using the Windows Background Intelligent Transfer Service (BITS) in its ongoing spyware attacks against journalists, activists and dissidents in the Middle East. According to researchers at ESET, attackers are exploiting t...
Telnet Backdoor Opens More Than 1M IoT Radios to Hijack
Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio...
Wikipedia, World of Warcraft Downed By Weekend DDoS Attacks
Attackers targeted an array of servers with a flurry of distributed denial of service (DDoS) attacks over the weekend, crippling online encyclopedia Wikipedia, as well as popular online role-playing game World of Warcraft Classic. DDoS attacks are bent on taking websites offline by overwhelming...
Critical Exim Flaw Opens Millions of Servers to Takeover
UPDATE Researchers are urging users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them. Exim, which is free software used on Unix-like operating systems...
Apple Claims Google is Spreading FUD Over Patched iPhone Bugs
Apple has called out Google for promoting a “false impression” about iOS vulnerabilities the iPhone maker said it fixed in February. It claims Google is unnecessarily panicking Apple customers. On Aug. 29, Ian Beer of Google’s Project Zero published a blog post that took a “very deep dive” into 1...
Police Use of Facial Recognition is Just Fine, Say Most Americans
Despite the appetite for dystopian surveillance dramas on TV and in film, most Americans actually do trust law enforcement to not abuse facial recognition technology, according to a new survey. According to the Pew Research Center, a full 56 percent said that they trust police and officials to us...
China's APT3 Pilfers Cyberweapons from the NSA
The advanced persistent threat (APT) group known as APT3, which researchers across the board link to the Chinese government, has built a full in-house battery of exploits and cybertools collectively dubbed “UPSynergy.” An analysis of the toolkit has uncovered a geopolitical cat-and-mouse spy game: ...
Back-to-School Scams Target Students with Library-Themed Emails
College students settling back into school might want to think twice before clicking on an email prompting them to renew their school library account. Researchers warn that students at hundreds of universities worldwide are being targeted with fake emails this week, which tout attachments or link...
News Wrap: Deepfake CEO Voice Scam, Facebook Phone Data Exposed
In this week’s news wrap ended Sept. 6, the Threatpost team breaks down the biggest news of the week, including: Cybercrooks successfully fooling a company into a large wire transfer using an AI-powered deepfake of a chief executive’s voice and Facebook, Microsoft and a number of universities...
Facebook, Microsoft Challenge Industry to Detect, Prevent ‘Deepfakes’
Facebook, Microsoft and a number of universities have joined forces to sponsor a contest promoting research and development to combat deepfakes, or videos altered through artificial intelligence (AI) to mislead viewers. The two tech giants—along with the Partnership on AI and academics from Cornell...
Joker Spyware Found in 24 Google Play Apps
A new spyware has been making the rounds in Android apps on Google Play, infecting victims post-download to steal their SMS messages, contact lists and device information. In addition to stealing victims’ information, the malware also stealthily signs them up for premium service subscriptions tha...
FunkyBot Malware Intercepts Android Texts, 2FA Codes
An Android malware dubbed “FunkyBot” has started making the scene in Japan, operated by the same attackers responsible for the FakeSpy malware. It intercepts SMS messages sent to and from infected devices. According to FortiGuard Labs, the malware named after logging strings found in the...
$5.3M Ransomware Demand: Massachusetts City Says No Thanks
After a ransomware attack slapped a hefty payout demand of $5.3 million on New Bedford, Mass., the city announced that it is instead opting to pick up the pieces and restore what it can from backups itself. If the city had opted to pay, the payout would have been the largest known ransom payout f...
Leaky Server Exposes 419M Phone Numbers of Facebook Users
Phone numbers linked to the Facebook accounts of hundreds of millions of users have been found online on an insecure server in the latest privacy gaffe for the social media giant. The server, which lacked password protection, contained more than 419 million records over several databases of Facebo...
Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn
UPDATE Researchers are warning of a high-severity zero-day vulnerability in Google’s Android operating system, which if exploited could give a local attacker escalated privileges on a target’s device. The specific flaw exists within the v4l2 (Video4Linux 2) driver, which is the Android media driver...
Critical Bugs Open Food-Safety Systems to Remote Attacks
Two critical vulnerabilities in a food-quality management software package would allow adversaries to completely compromise the system. The issues affect the AK-EM 800 product from SCADA vendor Danfoss. It’s an enterprise management solution for the food retail industry that provides a central...
BRATA Android RAT Steals Banking Info in Real Time
A powerful Android remote access tool (RAT) family dubbed BRATA is proliferating, with at least 20 different variants cropping up since it was first spotted in January. The majority of the binaries have been found in the official Google Play store, masquerading as updates for the instant messaging...
Half of Android Handsets Susceptible to Clever SMS Phishing Attack
Over half of all Android handsets are susceptible to a clever over-the-air SMS phishing attack that could allow an adversary to route all internet traffic through a rogue proxy, as well as hijack features such as a handset’s homepage, mail server and directory servers for synchronizing contacts a...
CEO 'Deep Fake' Swindles Company Out of $243K
In the first known case of successful financial scamming via audio deep fakes, cybercrooks were able to create a near-perfect impersonation of a chief executive’s voice – and then used the audio to fool his company into transferring $243,000 to their bank account. A deep fake is a plausible video...
Android Zero-Days Now Worth More Than iPhone Exploits
An Android zero-day exploit is now worth more than one for the iPhone on the global cyberweapons market. Exploit acquisition vendor Zerodium said Tuesday that it is willing to pay a whopping $2.5 million for a zero-click Android zero-day with persistence. That number significantly increases the...
MSP or System Integrator? Add Incident Response to Your Portfolio at No Cost
As breaches and cyberattacks grow in a steady upward trajectory, organizations are increasingly looking for ways to protect their assets, outsourcing critical Incident Response (IR) services to third-party providers. Cynet is now providing its IR services at no cost in a market-first offering which...
Facebook Drops Default Facial Recognition Tag Suggestions
Facebook is giving users more control over a facial recognition feature used by the company to help identify, or Tag, people on its platform. Starting Tuesday, the company said it would allow its users to opt-out of the Tag Suggestions feature, while at the same time the company is attempting to...
IoT Security Challenges in a 5G Era: Expert Advice
When it comes to what we can expect with 5G mobile networks, they promise a more IoT-friendly ecosystem, with vast improvements over the current capabilities of 4G. Providing ultra-low latency and exponentially faster throughput along with sensors that will boast a 10-year battery life, 5G pav...
Firefox 69 Release Kills Default Tracking Cookies, Flash Support
Mozilla has released its latest Firefox browser iteration, Firefox 69, which by default blocks third-party cookies and cryptominers; it also disables default support for Adobe Flash Player. In addition, the browser has squashed several critical and high-severity vulnerabilities. Mozilla has long...
How to Get a Handle on Patch Management
Patch management is a thankless job. Data shows, despite best efforts, that 80 percent of enterprise applications have at least one unpatched vulnerability in them, according to research by Veracode. It is not for lack of trying that vulnerabilities persist. Last year 16,500 vulnerabilities were...
WordPress Plugins Anchor Widespread Malvertising, Rogue Backdoor Campaign
A malvertising campaign redirecting website visitors and surfacing popups is plaguing the WordPress ecosystem, according to researchers, using known vulnerabilities in WordPress plugins as the attack vector. The campaign has been ongoing all summer, with cybercrooks bent on redirecting website...
Data Leak Impacts Millions of Yves Rocher Cosmetics Company Customers
UPDATE Cosmetics giant Yves Rocher is warning that a giant data leak exposed the personal data of millions of its customers and reams of sensitive internal company information to the public. The data exposure stems from a database left unprotected by a third-party consultant to the firm...
'USBAnywhere' Bugs Open Supermicro Servers to Remote Attackers
Authentication vulnerabilities in the baseboard management controllers (BMCs) of Supermicro X9-X11 servers have been discovered that allow a remote attacker to easily connect to a server and mount any virtual USB device of their choosing. The bugs, collectively dubbed USBAnywhere, allow an attacker...
Gamification Can Transform Company Cybersecurity Culture
Chief information security officers (CISOs) of Global 2000 enterprises have one of the toughest jobs in the world, defending their organization’s cyberspace and being the guardian of its assets and private information. But CISOs also have a second, even bigger problem: Their own company employees...
iPhone Zero-Days Anchored Watering-Hole Attacks
A total of 14 iPhone vulnerabilities – including two that were zero-days when discovered — have been targeted by five exploit chains in a watering hole attack that has lasted years. The watering holes deliver a spyware implant that can steal private data like iMessages, photos and GPS location in...
Six Hackers Have Now Pocketed $1M From Bug Bounty Programs
Six hackers in total have each now pocketed more than $1 million from finding vulnerabilities in bug-bounty programs – including one from the U.S. That figure comes as more bug-bounty programs bump up their rewards due to participants finding more high-severity vulnerabilities in their platforms,...
News Wrap: Dentist Offices Hit By Ransomware, Venmo Faces Privacy Firestorm
In this week’s news wrap podcast, editor Lindsey O’Donnell and Tara Seals break down the top news of the week – from ransomware attacks to companies responding to outcry over privacy issues. Top stories include: Ring announced it is working with more than 400 US police departments to streamline...
TGI Fridays Delivers Customer Indigestion Over Data Exposure
Customers of TGI Fridays Australia were “strongly recommended” to change their MyFridays membership rewards program passwords. According to an email sent to customers this week, the company had inadvertently left sensitive loyalty program data exposed on the internet. News of the leaky server...
FIN6 Switches Up PoS Tactics to Target E-Commerce
The financial cybergang known as the FIN6 group, known for going after brick-and-mortar point-of-sale (PoS) data in the U.S. and Europe, has changed up its tactics to target e-commerce sites. According to researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), FIN6 a.k.a. ITG08...
Google Targets Data-Abusing Apps with Bug Bounty Launch
Google is looking to squash vulnerabilities on its Google Play app marketplace with a new bug-bounty program aimed at identifying data-abuse issues in Android apps and Chrome extensions. The company on Thursday announced the Developer Data Protection Reward Program, which, depending on the impact...
Venmo's Public Transactions Policy Stirs Privacy Concerns
Your simple $5 Venmo payment to a friend after splitting a pizza could easily expedite various malicious attacks, from stalking to spear-phishing, according to researcher concerns. Many have weighed in on Venmo’s privacy practices, but the latest are Mozilla Foundation and the Electronic Frontier...
Critical Cisco VM Bug Allows Remote Takeover of Routers
A critical remote authentication-bypass vulnerability – with the highest possible severity level of 10 out of 10 on the CVSS scale – has been found in the Cisco REST API virtual service container for Cisco IOS XE Software. The bug (CVE-2019-12643) affects the following hardware if running the REST...
Innovation on the Dark Web: How Bad Actors Are Keeping Pace
By now, the vast majority of consumers have heard of the dark web. Even if they aren’t exactly sure how it works, they know that it’s the deep corner of the internet where “bad things happen.” Ever since the highly publicized seizure of large dark markets like AlphaBay and Hansa, it’s become comm...
Elderly China Chopper Tool Still Going Strong in Multiple Campaigns
A nine-year-old web shell used for providing remote access to web servers for cyberattackers is staying very active despite its advanced age (in cyber-years, anyway). Researchers said they’ve spotted it being used in several recent campaigns – all with disparate goals. The tool, known as China...
TrickBot Targets Verizon, T-Mobile, Sprint Users to Siphon PINs
The TrickBot malware, known previously for targeting U.S. banks, is now setting a bullseye on users of U.S.-based mobile carriers, including Verizon Wireless, T-Mobile and Sprint, to launch SIM swapping attacks. Researchers with Dell’s Secureworks research team warned that they have observed the...
Apple Updates Privacy Policies After Siri Audio Recording Backlash
Apple is taking steps to improve the privacy of audio collected by its Siri voice assistant, on the heels of backlash around a program that let contractors listen into Siri conversations. On Wednesday, the phone giant apologized for violating users’ privacy through the program, which was...
Google Squashes High-Severity Blink Browser Engine Flaw
Google is urging users of its Chrome browser to update after a high-severity vulnerability – which could enable remote attackers to execute code and carry out other malicious attacks – was uncovered. The vulnerability (CVE-2019-5869), a use-after-free flaw, specifically exists in Blink, an...
Defense Takeaways from Three Adversary Playbooks
In these days of advanced threats, the perimeter defense strategy – though still useful and necessary – is incomplete. IT security teams need as much information about existing threats as possible, so they know what to look for and how to position proactive countermeasures. Creating and using...
Dangerous Cryptomining Worm Racks Up 850K Infections, Self-Destructs
A French and U.S. law-enforcement effort has neutralized 850,000 infections by a cryptomining worm known as Retadup, by causing the threat to destroy itself. The worm has been distributing the malicious XMRig cryptocurrency miner to computers running the Windows operating system, mostly in Latin...
Magecart Hits 80 Major eCommerce Sites in Card-Skimming Bonanza
UPDATE More than 80 global eCommerce sites have been uncovered that were actively compromised by Magecart groups. Magecart, a loose affiliation of attack groups responsible for the payment-card attacks on Ticketmaster, Forbes, British Airways, Newegg and others, typically insert virtual credit-ca...
Employers Beware: Microsoft Word 'Resume' Phish Delivers Malware
Employers who receive an email from someone purporting to be a job applicant, with an attached resume, could fall victim to a difficult-to-detect phishing campaign peddling a remote-access tool used often for espionage. Researchers with Cofense said they have recently spotted emails with maliciou...