BuzzSec

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks from The Hacker News https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html

The U.S. Department of Justice (DoJ) has charged a 39-year-old U.K. national for perpetrating a hack-to-trade fraud scheme that netted him nearly $3.75 million in illegal profits. Robert Westbrook of London was arrested last week and is expected to be extradited to the U.S. to face charges related to securities fraud, wire fraud, and five counts of computer fraud. According to the court from The Hacker News https://thehackernews.com/2024/10/uk-hacker-charged-in-375-million.html

  Exploring 2025 Cybersecurity Threats and Solutions: AI, Quantum Computing, CISOs, and Deepfakes As we look ahead to 2025, cybersecurity continues to evolve at a rapid pace. Emerging technologies, like AI and quantum computing, present both new threats and innovative solutions. At the same time, critical infrastructure remains vulnerable to sophisticated attacks like deepfakes. Below, I explore key questions and provide insights into the future of cybersecurity and the challenges organizations will face. AI-Based Protections and Attacks AI is quickly becoming a central force in both cybersecurity defenses and threats. It’s changing the way we protect our systems and how attackers target them. Do you foresee AI creating a "stalemate" between cyber criminals and defenders, or will it ultimately benefit one side? If so, which one and why? I do not foresee a stalemate. History has shown us that security is an evolution. The bad guys do X, and we counter with Y. The thing we'

Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months. The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it. "Fake from The Hacker News https://thehackernews.com/2024/09/crypto-scam-app-disguised-as.html

Check out the 40 new pieces of training content added in September, alongside the always fresh content update highlights, events and new features. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4-content-updates-september-2024

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks. The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent from The Hacker News https://thehackernews.com/2024/09/microsoft-identifies-storm-0501-as.html

NIST’s second draft of its “ SP 800-63-4 “—its digital identify guidelines—finally contains some really good rules about passwords: The following requirements apply to passwords: lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a signgle character when evaluating password length. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of com

In today's fast-evolving digital landscape, cybersecurity has become a cornerstone of organizational resilience. As cyber threats grow increasingly sophisticated, the demand for skilled cybersecurity professionals has never been higher. Whether you're a seasoned cyber professional or just starting your journey, signing up for the GIAC Newsletter ensures you're always informed and equipped for from The Hacker News https://thehackernews.com/2024/09/cybersecurity-certifications-gateway-to.html

Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling. The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF from The Hacker News https://thehackernews.com/2024/09/new-html-smuggling-campaign-delivers.html

The U.S. government on Thursday sanctioned two cryptocurrency exchanges and unsealed an indictment against a Russian national for his alleged involvement in the operation of several money laundering services that were offered to cybercriminals. The virtual currency exchanges, Cryptex and PM2BTC, have been alleged to facilitate the laundering of cryptocurrencies possibly obtained through from The Hacker News https://thehackernews.com/2024/09/us-sanctions-two-crypto-exchanges-for.html

A critical security flaw has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the confines of a container and gain full access to the underlying host. The vulnerability, tracked as CVE-2024-0132, carries a CVSS score of 9.0 out of a maximum of 10.0. It has been addressed in NVIDIA Container Toolkit version v1.16.2 and from The Hacker News https://thehackernews.com/2024/09/critical-nvidia-container-toolkit.html

As many as 25 websites linked to the Kurdish minority have been compromised as part of a watering hole attack designed to harvest sensitive information for over a year and a half. French cybersecurity firm Sekoia, which disclosed details of the campaign dubbed SilentSelfie, described the intrusion set as long-running, with first signs of infection detected as far back as December 2022. The from The Hacker News https://thehackernews.com/2024/09/watering-hole-attack-on-kurdish-sites.html

A good —long, complex—analysis of the EU’s new Cyber Resilience Act. from Schneier on Security https://www.schneier.com/blog/archives/2024/09/an-analysis-of-the-eus-cyber-resilience-act.html

In the second timeline of June 2024, I collected 106 events (7.07 events/day) with a threat landscape dominated by... from HACKMAGEDDON https://www.hackmageddon.com/2024/09/26/16-30-june-2024-cyber-attacks-timeline/

An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2). Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant. "Between late 2022 to present, SloppyLemming from The Hacker News https://thehackernews.com/2024/09/cloudflare-warns-of-india-linked.html

Nation-state threat actors backed by Beijing broke into a "handful" of U.S. internet service providers (ISPs) as part of a cyber espionage campaign orchestrated to glean sensitive information, The Wall Street Journal reported Wednesday. The activity has been attributed to a threat actor that Microsoft tracks as Salt Typhoon, which is also known as FamousSparrow and GhostEmperor. "Investigators from The Hacker News https://thehackernews.com/2024/09/chinese-hackers-infiltrate-us-internet.html

Google has revealed that its transition to memory-safe languages such as Rust as part of its secure-by-design approach has led to the percentage of memory-safe vulnerabilities discovered in Android dropping from 76% to 24% over a period of six years. The tech giant said focusing on Safe Coding for new features not only reduces the overall security risk of a codebase, but also makes the switch from The Hacker News https://thehackernews.com/2024/09/googles-shift-to-rust-programming-cuts.html

Phishing attacks are becoming more advanced and harder to detect, but there are still telltale signs that can help you spot them before it's too late. See these key indicators that security experts use to identify phishing links:1. Check Suspicious URLs  Phishing URLs are often long, confusing, or filled with random characters. Attackers use these to disguise the link's true destination from The Hacker News https://thehackernews.com/2024/09/expert-tips-on-how-to-spot-phishing-link.html

A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions from The Hacker News https://thehackernews.com/2024/09/chatgpt-macos-flaw-couldve-enabled-long.html

Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs). The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations. As many from The Hacker News https://thehackernews.com/2024/09/transportation-companies-hit-by.html

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the from The Hacker News https://thehackernews.com/2024/09/cisa-flags-critical-ivanti-vtm.html

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro. Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include - Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million from The Hacker News https://thehackernews.com/2024/09/necro-android-malware-found-in-popular.html

A phishing campaign is targeting GitHub users with phony CAPTCHA pages, according to researchers at McAfee. The phishing emails ask users to address a security vulnerability in a GitHub repository that they recently contributed to, and contain a link to find more information about the alleged vulnerability. This link leads to a fake CAPTCHA page that attempts to trick them into installing malware. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/phony-captcha-pages-target-github

Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions. The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have from The Hacker News https://thehackernews.com/2024/09/new-octo2-android-banking-trojan.html

In a major policy reversal, the popular messaging app Telegram has announced it will give users' IP addresses and phone numbers to authorities in response to valid legal requests in an attempt to rein in criminal activity on the platform. "We've made it clear that the IP addresses and phone numbers of those who violate our rules can be disclosed to relevant authorities in response to valid legal from The Hacker News https://thehackernews.com/2024/09/telegram-agrees-to-share-user-data-with.html

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets. "Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis. "The approach is indicative of a from The Hacker News https://thehackernews.com/2024/09/hacktivist-group-twelve-targets-russian.html

The U.K. Information Commissioner's Office (ICO) has confirmed that professional social networking platform LinkedIn has suspended processing users' data in the country to train its artificial intelligence (AI) models. "We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its U.K. users," Stephen from The Hacker News https://thehackernews.com/2024/09/linkedin-halts-ai-data-processing-in-uk.html

Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns. The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook. "I have always advocated and advocate for freedom of speech, but the issue of Telegram is from The Hacker News https://thehackernews.com/2024/09/ukraine-bans-telegram-use-for.html

Researchers at Barracuda have observed an increase in phishing attacks that abuse popular content creation and collaboration platforms. These include online graphic design platforms and document-sharing services widely used by educational institutions and businesses. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/phishing-attacks-abuse-content-creation

Law enforcement authorities have announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have claimed more than 483,000 victims globally, led by Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina from The Hacker News https://thehackernews.com/2024/09/europol-shuts-down-major-phishing.html

In IT environments, some secrets are managed well and some fly under the radar. Here’s a quick checklist of what kinds of secrets companies typically manage, including one type they should manage: Passwords [x] TLS certificates [x] Accounts [x] SSH keys ??? The secrets listed above are typically secured with privileged access management (PAM) solutions or similar. Yet, most traditional PAM from The Hacker News https://thehackernews.com/2024/09/passwordless-and-keyless-future-of.html

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks. Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and from The Hacker News https://thehackernews.com/2024/09/iranian-apt-unc1860-linked-to-mois.html

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices. "This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said. The PIN is a six-digit code by default, although it's from The Hacker News https://thehackernews.com/2024/09/chrome-users-can-now-sync-passkeys.html

Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. "Path Traversal in the Ivanti CSA before 4.6 Patch from The Hacker News https://thehackernews.com/2024/09/critical-ivanti-cloud-appliance.html

Threat actors have been observed targeting the construction sector by infiltrating the FOUNDATION Accounting Software, according to new findings from Huntress. "Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product’s default credentials," the cybersecurity company said. Targets of the emerging threat include plumbing, HVAC (heating, from The Hacker News https://thehackernews.com/2024/09/hackers-exploit-default-credentials-in.html

Changes to the msds-KeyCredentialLink attribute are not audited/logged with standard audit configurations. This required serious investigations and a partner firm in infosec provided us the answer: TrustedSec.  So, credit where […] The post Enable Auditing of Changes to msDS-KeyCredentialLink  appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/enable-auditing-of-changes-to-msds-keycredentiallink/

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor. "Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the from The Hacker News https://thehackernews.com/2024/09/new-brazilian-linked-sambaspy-malware.html

The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system. "The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le from The Hacker News https://thehackernews.com/2024/09/new-teamtnt-cryptojacking-campaign.html

Analyst reports aim to provide market insights. But when it comes to Human Risk Management (HRM), we’ve noticed that they often fall short of capturing the full picture. You already know that we are the undisputed leader in the essential areas that have been standard features in the security awareness market for years. Those capabilities are why we’ve become the largest vendor in the space. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/beyond-analyst-reports-knowbe4s-undeniable-leadership-hrm

Part 1: Overview of the Problem ASM Solves and a High-Level Description of ASM and Its Components Welcome to the first installment of our multipart series, "Help! I Can’t See! A Primer for Attack Surface Management Blog Series." In this series, we will explore the critical challenges and solutions associated with Attack Surface Management (ASM), a vital aspect of modern cybersecurity strategy. This initial blog, titled "Overview of the Problem ASM Solves and a High-Level Description of ASM and Its Components," sets the stage by examining the growing difficulties organizations face in managing their digital environments and how ASM can help address these issues effectively. The fast paced evolution of digital infrastructure that is driving businesses forward (e.g. workstations, virtual machines, containers, edge) is also making it more difficult for organizations to keep track of and account for the cyber attack surface they’re responsible for protecting. Despit

Cybersecurity in healthcare has never been more urgent. As the most vulnerable industry and largest target for cybercriminals, healthcare is facing an increasing wave of cyberattacks. When a hospital's systems are held hostage by ransomware, it’s not just data at risk — it’s the care of patients who depend on life-saving treatments. Imagine an attack that forces emergency care to halt, surgeries from The Hacker News https://thehackernews.com/2024/09/healthcares-diagnosis-is-critical-cure.html

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S. The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832). "Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, from The Hacker News https://thehackernews.com/2024/09/microsoft-warns-of-new-inc-ransomware.html

GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass. The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week. The from The Hacker News https://thehackernews.com/2024/09/gitlab-patches-critical-saml.html

Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here’s a closer look at the size of this scheme, and some findings about who may be responsible. One of the many scam funeral group pages on Facebook. Clicking to view the “live stream” of the funeral takes one to a newly registered website that requests credit card information. KrebsOnSecurity recently heard from a reader named George who said a friend had just passed away, and he noticed that a Facebook group had been created in that friend’s memory. The page listed the correct time and date of the funeral service, which it claimed could be streamed over the Internet by following a link that led to

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is from The Hacker News https://thehackernews.com/2024/09/north-korean-hackers-target-energy-and.html

Google has announced that it's rolling out a new set of features to its Chrome browser that gives users more control over their data when surfing the internet and protects against online threats. "With the newest version of Chrome, you can take advantage of our upgraded Safety Check, opt out of unwanted website notifications more easily and grant select permissions to a site for one time only," from The Hacker News https://thehackernews.com/2024/09/chrome-introduces-one-time-permissions.html

The GSM Association, the governing body that oversees the development of the Rich Communications Services (RCS) protocol, on Tuesday, said it's working towards implementing end-to-end encryption (E2EE) to secure messages sent between the Android and iOS ecosystems. "The next major milestone is for the RCS Universal Profile to add important user protections such as interoperable end-to-end from The Hacker News https://thehackernews.com/2024/09/gsma-plans-end-to-end-encryption-for.html

Broadcom on Tuesday released updates to address a critical security flaw impacting VMware vCenter Server that could pave the way for remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), has been described as a heap-overflow vulnerability in the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a from The Hacker News https://thehackernews.com/2024/09/patch-issued-for-critical-vmware.html

Statista projects that the total cost of cybercrime will increase from $6.4 trillion between 2024 and 2029, reaching a staggering $15.63 trillion by the end of this period.  from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cost-of-cybercrime-estimated-15.6-trillion-in-2029

Rapid7 is delighted to announce the launch of Vector Command, a continuous red teaming managed service designed to assess your external attack surface and identify gaps in the security defenses on an ongoing basis. Following the launch of Surface Command and Exposure Command in August, Vector Command will continue our expansion of Exposure Management protection for our customers. In today’s digital landscape, organizations are more exposed to cyber threats than ever before. Cloud resources, SaaS solutions, and ever-growing shadow IT create vast external attack surfaces, making businesses increasingly vulnerable. Meanwhile attackers are constantly on the prowl, conducting reconnaissance to exploit weaknesses. Security teams lack visibility into their internet-facing exposures, leaving them vulnerable to potential breaches. While external attack surface management (EASM) tools offer visibility, they often fall short in validation, resulting in lengthy lists of potential exposures for

Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving “coding tests” that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. from Schneier on Security https://www.schneier.com/blog/archives/2024/09/python-developers-targeted-with-malware-during-fake-job-interviews.html

Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud. Clipper malware, also called ClipBankers, is a type of malware that Microsoft calls cryware, which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including from The Hacker News https://thehackernews.com/2024/09/binance-warns-of-rising-clipper-malware.html

SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution. The vulnerability, tracked as CVE-2024-28991, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data. "SolarWinds Access Rights from The Hacker News https://thehackernews.com/2024/09/solarwinds-issues-patch-for-critical.html

CISA wants everyone—and government agencies in particular—to remove or upgrade an Ivanti Cloud Service Appliance (CSA) that is no longer being supported. Welcome to the security nightmare that is the Internet of Things. from Schneier on Security https://www.schneier.com/blog/archives/2024/09/legacy-ivanti-cloud-service-appliance-being-exploited.html

Can you help me with your input? I'd love your thoughts about AI in InfoSec. This is a super short survey that asks about any AI tools you use or would like, how you feel about AI effectiveness, how it may change your headcount, and how confident you are to address AI-related security risks. The most important thing I'm dying to hear about is your biggest concerns about AI in cybersecurity in your own words. And if you would like to be entered into the drawing to win one of five $500 Amazon gift cards, you can leave your email address. Please take this survey. Thanks so much in advance! from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/4-minute-survey-share-your-thoughts-on-ai-in-infosec-with-me

Research from The Financial Ombudsman Service, a U.K. based organization dedicated to helping citizens with free financial advice, has found an increase in Authorized Pushed Payment (APP) scams. These attacks are rising both in number and sophistication. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/authorized-push-payment-fraud-responsible-for-over-half-of-u.k.-frauds-and-scams

Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. "Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content," Palo Alto from The Hacker News https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.html

This is a current list of where and when I am scheduled to speak: I’m speaking at eCrime 2024 in Boston, Massachusetts, USA. The event runs from September 24 through 26, 2024, and my keynote is at 8:45 AM ET on the 24th. I’m briefly speaking at the EPIC Champion of Freedom Awards in Washington, D.C. on September 25, 2024. I’m speaking at SOSS Fusion 2024 in Atlanta, Georgia, USA. The event will be held on October 22 and 23, 2024, and my talk is  at 9:15 AM ET on October 22, 2024. The list is maintained on this page . from Schneier on Security https://www.schneier.com/blog/archives/2024/09/upcoming-speaking-engagements-40.html

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild. The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances. "An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows from The Hacker News https://thehackernews.com/2024/09/ivanti-warns-of-active-exploitation-of.html

This is an odd story of serving squid during legislative negotiations in the Philippines. from Schneier on Security https://www.schneier.com/blog/archives/2024/09/friday-squid-blogging-squid-as-a-legislative-negotiating-tactic.html

SPIP Modules This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements. New module content (2) SPIP BigUp Plugin Unauthenticated RCE Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec Type: Exploit Pull request: #19444 contributed by Chocapikk Path: multi/http/spip_bigup_unauth_rce AttackerKB reference: CVE-2024-8517 Description: This adds an exploit module for CVE-2024-8517 , an unauthenticated RCE able to execute arbitrary PHP code. SPIP connect Parameter PHP Injection Authors: Arnaud Pachot, Davy Douhine, Frederic Cikala, and Valentin Lobstein Type: Exploit Pull request: #19432 contributed by Chocapikk Path: multi/http/spip_connect_exec CVE reference: BID-54292 Description: Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin. Enhancements and features (3) #19330 from heyder - T

Over the summer, I gave a talk about AI and democracy at TedXBillings. The recording is https://www.schneier.com/blog/archives/2024/09/my-tedxbillings-talk.html

Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. "A novel attack that can infer eye-related biometrics from the avatar image to from The Hacker News https://thehackernews.com/2024/09/apple-vision-pro-vulnerability-exposed.html

Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks. The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who from The Hacker News https://thehackernews.com/2024/09/progress-whatsup-gold-exploited-just.html

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining. The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed Hadooken, according to cloud security firm Aqua. "When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher from The Hacker News https://thehackernews.com/2024/09/new-linux-malware-campaign-exploits.html

GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0 "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to from The Hacker News https://thehackernews.com/2024/09/urgent-gitlab-patches-critical-flaw.html

Microsoft is updating SymCrypt , its core cryptographic library, with new quantum-secure algorithms. Microsoft’s details are here . From a news article : The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren’t vulnerable to Shor’s algorithm when the keys are of a sufficient size. The ML in the ML-KEM name refers to Module Learning with Errors, a problem that can’t be cracked with Shor’s algorithm. As explained here , this problem is based on a “core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed s

As part of our research and tracking of threats, Rapid7 Labs is actively monitoring new and upcoming threat groups and the ransomware domain is known for having a large number of them. In the Ransomware Radar Report , Rapid7 Labs shared the observation that in the first half of 2024, 21 new or rebranded ransomware groups surfaced. Many of those are not immediately coming into the spotlight as abusing some fancy new or recently discovered vulnerability, or — as we measure activity — posting a large number of data leaks. Rapid7 Labs has an ongoing commitment to help organizations understand and mitigate the complex world of ransomware, and this includes highlighting these newer groups. In this post we’re going to focus on the recently-emerged Lynx ransomware group. Intro to the Lynx group The Lynx ransomware group was identified in July 2024, and has claimed more than 20 victims in various industry sectors to date. The group is using both single and double extortion techniques agains

Recently in the SOC, we were notified by a partner that they had a potential business email compromise, or BEC. We commonly catch these by identifying suspicious email forwarding rules, […] The post Monitoring High Risk Azure Logins  appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/monitoring-high-risk-azure-logins/

In the first timeline of June 2024 I collected 124 events (8.27 events/day) with a threat landscape dominated by... from HACKMAGEDDON https://www.hackmageddon.com/2024/09/12/1-15-june-2024-cyber-attacks-timeline/

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily. The enforcement is expected to come into effect starting October 1, 2024. "Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the from The Hacker News https://thehackernews.com/2024/09/wordpress-mandates-two-factor.html

Researchers at Bitdefender warn that law firms are high-value targets for ransomware gangs and other criminal threat actors. Attackers frequently use phishing to gain initial access to an organization’s networks. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/legal-firms-increasingly-targeted-by-phishing-attacks