Digital Shadows

MARCH 17, 2025

Key Findings Even years after their disclosure, VPN-related vulnerabilities like CVE-2018-13379 and CVE-2022-40684 remain essential tools for attackers, driving large-scale campaigns of credential theft and administrative control. CVE-2018-13379: The Eternal Exploit What is CVE-2018-13379?

VPN 133

VPN Authentication Ransomware Risk 133

Adam Shostack

JANUARY 2, 2025

The slides from my Blackhat talk, " Threat Modeling in 2018: Attacks, Impacts and Other Updates " are now available either as a PDF or online viewer. The slides from my Blackhat talk are now available.

130

130

Schneier on Security

APRIL 5, 2024

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and ­ if known ­ the attacker’s identity.

Surveillance 332

Surveillance Telecommunications 332

The Hacker News

FEBRUARY 20, 2025

Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies.

Telecommunications 140

Telecommunications 140

Bleeping Computer

AUGUST 5, 2024

A design flaw in Windows Smart App Control and SmartScreen that enables attackers to launch programs without triggering security warnings has been under exploitation since at least 2018. [.]

122

122

Krebs on Security

JUNE 25, 2021

” Western Digital’s brief advisory includes a link to an entry in the National Vulnerability Database for CVE-2018-18472. Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. We are actively investigating the issue and will provide an updated advisory when we have more information.”

Internet 335

Internet Internet Backups Small Business 335

The Hacker News

DECEMBER 17, 2024

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined 251 million (around $263 million) for a 2018 data breach that impacted millions of users in the bloc, in what's the latest financial hit the company has taken for flouting stringent privacy laws.

Data breaches 133

Data breaches Accountability 133

Malwarebytes

OCTOBER 18, 2024

The vulnerability, tracked as CVE-2024-44133 was fixed in the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).

Adware 144

Adware Spyware Mobile Technology 144

Troy Hunt

APRIL 29, 2021

You can read more about government access in the initial post from 2018. Romania joins a steadily growing number of governments across the globe to have free and unrestricted access to API-based domain searches for their assets in HIBP.

Government 361

Government Data breaches 361

Adam Shostack

JANUARY 2, 2025

[no description provided] I'm at the OWASP AppSec Cali event, and while there's now there'll be video , I'm taking notes: Context for the talk What fails during the development process? Incomplete requirements, non-secure design, lack of security mindset, leaky development These failures are threats which can be mitigated. (eg,

Risk 130

Risk 130

Krebs on Security

DECEMBER 19, 2024

But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018. That user, “ Exorn ,” has posts dating back to August 2018. THE TURKISH CONNECTION Silent Push notes that the website where Araneida is being sold — araneida[.]co

Hacking 227

Hacking Cybercrime Advertising Data breaches 227

Schneier on Security

JULY 28, 2021

Carriers were caught in 2018 selling real-time location data to brokers , drawing the ire of Congress. The Pillar says it obtained 24 months’ worth of “commercially available records of app signal data” covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used.

Mobile 363

Mobile Advertising Data collection Surveillance 363

Schneier on Security

MAY 2, 2024

It banned default passwords in 2018, the law taking effect in 2020. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

Passwords 338

Passwords IoT Manufacturing Telecommunications 338

Adam Shostack

JANUARY 2, 2025

[no description provided] I really enjoyed being part of this panel. I felt we had a good mix of experience and some really interesting conversations.

130

130

Krebs on Security

AUGUST 16, 2020

In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. The last time that August 2018 file was scanned at VirusTotal (Aug 14, 2020), it was detected as a malicious Java trojan by 28 of 59 antivirus programs. And several researchers informed Microsoft about the weakness over the past 18 months.

Antivirus 363

Antivirus Malware Software 363

Krebs on Security

JULY 23, 2020

Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018. But in Wednesday’s filing, the DFS said First American was unable to determine whether records were accessed prior to Jun 2018.

Insurance 346

Insurance Financial Services Penetration Testing Scams 346

Security Affairs

NOVEMBER 1, 2024

ThreatFabric observed threat actors using two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver macOS implants. The experts noticed that a portion of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.

Spyware 142

Spyware Media Malware Hacking 142

Schneier on Security

NOVEMBER 30, 2022

Total GDPR fines are over €2 billion (EUR) since 2018. Facebook—Meta—was just fined $276 million (USD) for a data leak that included full names, birth dates, phone numbers, and location. Meta’s total fine by the Data Protection Commission is over $700 million.

269

269

Troy Hunt

MARCH 6, 2024

Back in 2018, we started making Have I Been Pwned domain searches freely available to national government cybersecurity agencies responsible for protecting their nations' online infrastructure. Today, we're very happy to welcome Germany as the 35th country to use this service, courtesy of their CERTBund department.

Government 307

Government Data breaches Cybersecurity 307

Krebs on Security

FEBRUARY 19, 2020

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. 13, 2018 and Mar. 28, 2018, a claim Citrix initially denied but later acknowledged.

VPN 363

VPN Passwords Software Telecommunications 363

Adam Shostack

JANUARY 2, 2025

In the United States in 2018, an estimated 40,000 people lost their lives in car crashes, and 4.5 And while an emergency stop may certainly be a risk minimizing action in some circumstances, describing it as such is surprising, especially when presented in contrast to a "safe stop" maneuver. million people were seriously injured.

Risk 189

Risk Architecture Manufacturing Cybersecurity 189

Krebs on Security

DECEMBER 1, 2020

“In early 2018, Vaughn demanded 1.5 Among the Apophis Squad’s targets was encrypted mail service Protonmail, which reached out to this author in 2018 for clues about the identities of the Apophis Squad members after noticing we were both being targeted by them and receiving demands for money in exchange for calling off the attacks.

DDOS 276

DDOS Hacking Mobile Encryption 276

Security Affairs

FEBRUARY 26, 2025

ThreatFabric observed threat actors using two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver macOS implants. The experts noticed that a portion of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.

Data collection 103

Data collection Spyware Media Surveillance 103

Krebs on Security

FEBRUARY 4, 2020

The government says Quantum Stresser had more than 80,000 customer subscriptions, and that during 2018 the service was used to conduct approximately 50,000 actual or attempted attacks targeting people and networks worldwide. and international authorities in December 2018 as part of a coordinated takedown targeting attack-for-hire services.

Internet 321

Internet Internet Government Accountability 321

Security Affairs

AUGUST 18, 2024

Boffins demonstrated the vulnerability of fingerprint recognition systems to dictionary attacks using ‘MasterPrints, ‘which are fingerprints that can match multiple other prints.

Architecture 140

Architecture Hacking Risk Information Security 140

Schneier on Security

NOVEMBER 30, 2021

After planning began in mid-2018, the Long-Term Retention Lab was up and running in the second half of 2019. The warehouse stores around 3,000 pieces of hardware and software, going back about a decade.

Technology 332

Technology Engineering Software Cybersecurity 332

Schneier on Security

JANUARY 25, 2023

We know Cybercom did similar things in 2018 and 2020, and presumably will again in two years. . “We were doing operations well before the midterms began, and we were doing operations likely on the day of the midterms.” ” And they continued until the elections were certified, he said.

Hacking 309

Hacking Cybersecurity 309

Troy Hunt

JUNE 9, 2021

TB of private data and the first sentence sets the scene: Between 2018 and 2020, a custom Trojan-type malware infiltrated over 3 million Windows-based computers and stole 1.2 (Full disclosure: I'm a strategic advisor for NordVPN who shares the same parent company.) NordLocker has written about the nameless malware that stole 1.2

Malware 362

Malware 362

Schneier on Security

OCTOBER 13, 2021

It’s a matter of going after those with deep pockets. ” Chhabria continued, “In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare.

Retail 336

Retail Manufacturing Internet Internet 336

Krebs on Security

SEPTEMBER 14, 2020

Curiously, in May 2018, its WHOIS ownership records switched to a new name with the same initials: one “ Jonathan Bibi ,” with an address in the offshore company haven of Seychelles. Likewise, Mr. Among those is acheterdubitcoin.org , a business that was blacklisted by French regulators in 2018 for promoting cryptocurrency scams.

Scams 353

Scams Cryptocurrency Accountability Technology 353

Adam Levin

FEBRUARY 21, 2020

Travel and hospitality industries have been a frequent target of hackers in recent years, perhaps most notably being the 2018 Marriott data breach that affected 300 million customers. The company has not yet indicated whether it would be providing credit monitoring or identity theft protection to customers affected by the breach.

Data breaches 305

Data breaches Identity Theft Passwords Technology 305

Krebs on Security

APRIL 10, 2020

Most people who who filed a tax return in 2018 and/or 2019 and provided their bank account information for a debit or credit should soon see an Economic Impact Payment direct-deposited into their bank accounts. More importantly, it appears one doesn’t really need to supply one’s AGI in 2018.

Computers and Electronics 360

Computers and Electronics Banking Accountability Scams 360

Schneier on Security

DECEMBER 30, 2020

The antivirus firm Emsisoft found that the average requested fee has increased from about $5,000 in 2018 to about $200,000 this year. Ransomware is a decades-old idea. Today, it’s increasingly profitable and professional.

Ransomware 284

Ransomware Antivirus 284

Krebs on Security

SEPTEMBER 16, 2021

man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. 2018 , when the FBI joined with law enforcement partners overseas to seize 15 different booter service domains. Charles, Ill.

DDOS 347

DDOS DNS Internet Internet 347

Schneier on Security

FEBRUARY 13, 2021

This is a follow on, with a lot more detail, to a story Bloomberg reported on in fall 2018. ”) Here’s me in 2018: Supply-chain security is an incredibly complex problem. There’s lots of detail in the article, and I recommend that you read it through. Yes, it’s plausible.

Surveillance 363

Surveillance Internet Internet Government 363

Schneier on Security

DECEMBER 3, 2020

From a ZDNet article : GitHub launched a deep-dive into the state of open source security, comparing information gathered from the organization’s dependency security features and the six package ecosystems supported on the platform across October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019.

Engineering 350

Engineering Software Cybersecurity 350

Security Affairs

NOVEMBER 2, 2024

Since 2018, Sophos has faced increasingly aggressive campaigns, including the India-based Sophos subsidiary Cyberoam, where attackers exploited a wall-mounted display for initial access. The first documented attack against a Sophos facility is the one that targeted Cyberoam in 2018.

Firmware 120

Firmware Government Firewall Malware 120