Tue. Dec 12, 2023

New Windows/Linux Firmware Attack

Schneier on Security

Interesting attack based on malicious pre-OS logo images: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux… The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday.

Firmware 316

LW ROUNDTABLE: Cybersecurity takeaways of 2023 — and what’s ahead in 2024 (part 1)

The Last Watchdog

A look back at the cybersecurity landscape in 2023 rings all-too-familiar: cyber threats rapidly evolved and scaled up, just as they have, year-to-year, for the past 20 years. Related: Adopting an assume-breach mindset. With that in mind, Last Watchdog invited the cybersecurity experts we’ve worked with this past year for their perspectives on two questions that all company leaders should have top of mind: • What should be my biggest takeaway from 2023, with respect to mitigating cyber risks at

Microsoft Patch Tuesday, December 2023 Edition

Krebs on Security

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known “zero-day” threats targeting any of the vulnerabilities in December’s patch batch. Still, four of the updates pushed out today address “critical” vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete c

Internet 244

Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware

Tech Republic Security

Recruiters and anyone else involved in hiring processes should be knowledgeable about this social engineering attack threat. Get the details.

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Dubai’s largest taxi app exposes 220K+ users

Security Affairs

The Dubai Taxi Company (DTC) app, which provides taxi, limousine, and other transport services, left a database open to the public, exposing sensitive customer and driver data. Dubai Taxi Company, a subsidiary of Dubai’s Roads and Transport Authority, leaked a trove of sensitive information from the DTC app, the Cybernews research team has found. Over 197K app users and nearly 23K drivers were exposed.

VPN 141

The sound of you typing on your keyboard could reveal your password

Malwarebytes

As if password authentication’s coffin needed any more nails, researchers in the UK have discovered yet another way to hammer one in. The technique, developed at Durham University, the University of Surrey, and Royal Holloway University of London, builds on previous work to produce a more accurate way to guess your password by listening to the sound of you typing it on your keyboard.

Passwords 143

Over 1,450 pfSense servers exposed to RCE attacks via bug chain

Bleeping Computer

Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance. [.

Ukrainian military intelligence service hacked the Russian Federal Taxation Service

Security Affairs

The Ukrainian government’s military intelligence service announced the hack of the Russian Federal Taxation Service (FNS). Hackers of the Main Intelligence Directorate of the Ministry of Defense of Ukraine announced they have compromised the Russian Federal Taxation Service (FNS). The military intelligence service said that the hack was the result of a successful special operation on the territory of Russia.

Hacking 132

Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day

Bleeping Computer

Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. [.

Apple released iOS 17.2 to address a dozen security flaws

Security Affairs

Apple rolled out emergency security updates to backport patches for two actively exploited zero-day flaws to older devices. The company released iOS 17.2 and iPadOS 17.2, which address a dozen security flaws. The most severe flaw is a memory corruption issue that resides in ImageIO. Successful exploitation of the flaw may lead to arbitrary code execution.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Avira antivirus causes Windows computers to freeze after boot

Bleeping Computer

Since Friday, Windows users have reported problems with the operating system freezing shortly after booting, an issue linked to a faulty update for Avira's security software. [.

Antivirus 130

Kyivstar, Ukraine’s largest mobile carrier, brought down by a cyber attack

Security Affairs

Kyivstar, the largest Ukrainian service provider, was hit by a cyber attack that paralyzed its services. The attack is linked to the ongoing conflict. Kyivstar, the largest Ukrainian service provider, was down after a major cyber attack. The Ukrainian telecommunications company provides communication services and data transmission based on a broad range of fixed and mobile technologies, including 4G (LTE) in Ukraine.

Snyk Launches ASPM Platform to Secure Software Supply Chains

Security Boulevard

Snyk's ASPM platform promises to bridge the divide between cybersecurity teams and application developers. The post Snyk Launches ASPM Platform to Secure Software Supply Chains appeared first on Security Boulevard.

Software 130

Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware

Security Affairs

North Korea-linked APT group Lazarus was spotted exploiting Log4j vulnerabilities to deploy previously undocumented remote access trojans. The North Korea-linked APT group Lazarus is behind a new hacking campaign that exploits Log4j vulnerabilities to deploy previously undocumented remote access trojans (RATs). Cisco Talos researchers tracked the campaign as Operation Blacksmith; the nation-state actors are employing at least three new DLang-based malware families.

Malware 129
The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

News alert: Detectify’s EASM research reveals top overlooked vulnerabilities from 2023

The Last Watchdog

Stockholm, Sweden & Boston, Mass., Dec. 12, 2023 – Detectify, the External Attack Surface Management platform powered by elite ethical hackers, has today released its “State of EASM 2023” report. The research incorporates insights from Detectify’s customer base and provides a snapshot of the threat landscape faced by core industries and regions that Detectify serves.

Top CISOs in the USA to Follow in 2024

Security Boulevard

By following some of the top CISOs in the USA, you can gain valuable insights into developing a robust cybersecurity strategy. The post Top CISOs in the USA to Follow in 2024 appeared first on Scytale. The post Top CISOs in the USA to Follow in 2024 appeared first on Security Boulevard.

CISO 122

Cloud engineer gets 2 years for wiping ex-employer’s code repos

Bleeping Computer

Miklos Daniel Brody, a cloud engineer, was sentenced to two years in prison and a restitution of $529,000 for wiping the code repositories of his former employer in retaliation for being fired by the company. [.

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

A pernicious potpourri of Python packages in PyPI

We Live Security

The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository, ESET research finds

Ukrainian military says it hacked Russia's federal tax agency

Bleeping Computer

The Ukrainian government's military intelligence service says it hacked the Russian Federal Taxation Service (FNS), wiping the agency's database and backup copies. [.

Hacking 121

LogoFAIL Attack: A Deep Dive into UEFI Vulnerabilities

Security Boulevard

A new threat has emerged, sending shockwaves through the cybersecurity industry – the LogoFAIL attack. This vulnerability targets the image-parsing components within the UEFI code, affecting a multitude of devices and posing a serious risk to the booting process. LogoFAIL is not just another cybersecurity buzzword; it represents a tangible threat to the integrity of […] The post LogoFAIL Attack: A Deep Dive into UEFI Vulnerabilities appeared first on TuxCare.

Kelvin Security cybercrime gang suspect seized by Spanish police

Graham Cluley

A malicious hacking group, thought to have been operating since at least 2013, may have suffered a significant blow after the arrest of a suspected leading member by Spanish police late last week. Read more in my article on the Tripwire State of Security blog.

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

CISA Unveils Tools to Strengthen Google Cloud Services

Security Boulevard

As organizations continue their migration to the cloud, threat groups are not far behind. According to a report earlier this year from cybersecurity firm CrowdStrike, the number of attacks against cloud environments in 2022 jumped 95% year-over-year, and those involving cloud-conscious bad actors almost tripled. “As cloud integration continues to increase across business environments, adversaries.

Windows 10 KB5033372 update released with Copilot for everyone, 20 changes

Bleeping Computer

Microsoft has released the KB5033372 cumulative update for Windows 10 21H2 and Windows 10 22H2, which includes Copilot for Windows and nineteen other changes to the operating system. [.

Understanding the Impact of the new Apache Struts File Upload Vulnerability

Security Boulevard

Introduction: Recently, researcher Steven Seeley discovered a way to abuse the popular Apache Struts framework’s file upload functionality to achieve remote code execution. This bug, known as CVE-2023-50164, has been assigned a 9.8 CVSS score. No doubt this is causing some security practitioners to have flashbacks of the “good times” that a serious Struts bug […] The post Understanding the Impact of the new Apache Struts File Upload Vulnerability appeared first on Praetorian.

Microsoft: OAuth apps used to automate BEC and cryptomining attacks

Bleeping Computer

Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. [.

Phishing 112

Introducing CDEs to Your Enterprise

Explore how enterprises can enhance developer productivity and onboarding by adopting self-hosted Cloud Development Environments (CDEs). This whitepaper highlights the simplicity and flexibility of cloud-based development over traditional setups, demonstrating how large teams can leverage economies of scale to boost efficiency and developer satisfaction.

What to do if your company was mentioned on Darknet?

SecureList

Every year is abundant with major data leaks, biggest data breaches and hacks drawing massive media attention (such as the Medibank and Optus data breaches, the Twitter data breach, and the Uber and Rockstar compromises in 2022, and T-Mobile, MailChimp and OpenAI in 2023). But are we really conscious of the true scale of the threat? To find out, in 2022 we created a list of 700 companies worldwide from different industries: industrial, telecommunication, financial, retail, and others.

Sophos backports RCE fix after attacks on unsupported firewalls

Bleeping Computer

Sophos was forced to backport a security update for CVE-2022-3236 for end-of-life (EOL) firewall firmware versions after discovering hackers actively exploiting the flaw in attacks. [.

Firewall 106

Mastering SDLC Security: Best Practices, DevSecOps, and Threat Modeling

Security Boulevard

In the ever-evolving landscape of software development, it’s become absolutely paramount to ensure robust security measures throughout the Software Development Lifecycle (SDLC). Need proof? In the last three years alone, we’ve witnessed a surge of high-profile supply chain attacks, including SolarWinds, Codecov, and the breach of Nissan’s Global Network.

Software 105

Healthcare giant Norton breach leads to theft of millions of patient records

Malwarebytes

Healthcare company Norton says a May breach led to the theft of data of around 2.5 million of its patients, as well as employees and their dependents. Norton has more than 40 clinics and hospitals in and around Louisville, Kentucky. In a filing with Maine’s attorney general on Friday, Norton said that on May 9, 2023, it discovered an “external system breach.

IT Leadership Agrees AI is Here, but Now What?

IT leaders are experiencing rapid evolution in AI amid sustained investment uncertainty. As AI evolves, enhanced cybersecurity and hiring challenges grow. This whitepaper offers real strategies to manage risks and position your organization for success.