🛡 Cybersecurity & Privacy 🛡 - News

Microsoft Patches Zero-Day Spreading Emotet Malware

The December rollout includes 67 security patches and addresses one zero-day and five more publicly known vulnerabilities.

187 views22:18

❌ Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery ❌

December's Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities.

📖 Read

via "Threat Post".

Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery

December's Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities.

187 views22:35

🕴 Ransomware Hits Virginia Legislative Agencies 🕴

The attack forced a shutdown of computer systems and websites for Virginia legislative agencies and commissions, reports state.

📖 Read

via "Dark Reading".

Ransomware Hits Virginia Legislative Agencies

The attack forced a shutdown of computer systems and websites for Virginia legislative agencies and commissions, reports state.

175 views22:48

🕴 Tool Overload & Attack Surface Expansion Plague SOCs 🕴

Security professionals are burning out from handling too many tools and facing a growing number of threats, and more than 40% see lack of leadership as the main problem.

📖 Read

via "Dark Reading".

Tool Overload & Attack Surface Expansion Plague SOCs

Security professionals are burning out from handling too many tools and facing a growing number of threats, and more than 40% see lack of leadership as the main problem.

174 views22:48

Microsoft Patch Tuesday, December 2021 Edition

♟️ Microsoft Patch Tuesday, December 2021 Edition ♟️

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that that is already being actively exploited. But this month's Patch Tuesday is being overshadowed by the "Log4Shell" 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.

📖 Read

via "Krebs on Security".

Krebsonsecurity

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that that is already being actively exploited. But this month's Patch Tuesday is being overshadowed…

176 views22:54

‼ CVE-2021-44942 ‼

glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. Using the CSRF vulnerability to trick the administrator to click, an attacker can add a blacklist.

📖 Read

via "National Vulnerability Database".

171 views23:13

🕴 Propane Gas Distributor Hit With Ransomware 🕴

North America-based Superior Plus "temporarily disabled" some of its systems in the wake of the attack.

📖 Read

via "Dark Reading".

Propane Gas Distributor Hit with Ransomware

North America-based Superior Plus "temporarily disabled" some of its systems in the wake of the attack.

179 views23:18

❌ Apple iOS Update Fixes Cringey iPhone 13 Jailbreak Exploit ❌

It took just 15 seconds to hack the latest, greatest, shiniest iPhone 13 Pro on stage at the Tianfu Cup in October, using a now-fixed iOS kernel bug.

📖 Read

via "Threat Post".

Apple iOS Update Fixes Cringey iPhone 13 Jailbreak Exploit

It took just 15 seconds to hack the latest, greatest, shiniest iPhone 13 Pro on stage at the Tianfu Cup in October, using a now-fixed iOS kernel bug.

184 views23:35

How to install Qubes OS as a virtual machine

🦿 How to install Qubes OS as a virtual machine 🦿

Qubes OS defines itself modestly as "a reasonably secure operating system." It might actually be one of the safest operating systems, often used by pros who are most concerned with computer security.

📖 Read

via "Tech Republic".

TechRepublic

Qubes OS defines itself modestly as "a reasonably secure operating system." It might actually be one of the safest operating systems, often used by pros who are most concerned with computer security.

199 views23:46

🕴 Attackers Target Log4J to Drop Ransomware, Web Shells, Backdoors 🕴

Amid the increase in Log4J attack activity, at least one Iranian state-backed threat group is preparing to target the vulnerability, experts say.

📖 Read

via "Dark Reading".

Attackers Target Log4j to Drop Ransomware, Web Shells, Backdoors

Amid the increase in Log4j attack activity, at least one Iranian state-backed threat group is preparing to target the vulnerability, experts say.

200 views23:50

🕴 Ground Labs Research Reveals 71% of American Consumers are Unaware of Data Protection Laws 🕴

Google Survey of 1,000 U.S. consumers uncovers data privacy disconnect, a call to action for businesses.

📖 Read

via "Dark Reading".

Ground Labs Research Reveals 71% of American Consumers are Unaware of Data Protection Laws

Google Survey of 1,000 U.S. consumers uncovers data privacy disconnect, a call to action for businesses.

210 views00:18

🕴 Tufin Introduces Security Policy Builder (SPB) App to Marketplace 🕴

Automates security policy design to ensure compliance and reduce likelihood of breach announcing significant updates to other marketplace apps.

📖 Read

via "Dark Reading".

Tufin Introduces Security Policy Builder (SPB) App to Marketplace

Automates security policy design to ensure compliance and reduce likelihood of breach announcing significant updates to other marketplace apps.

219 views00:18

❌ In 2022, Expect More Supply Chain Pain and Changing Security Roles ❌

If 2021 was the Year of Supply Chain Pain, 2022 will be the Year of Supply Chain Chronic Pain (or something worse than pain). This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key […]

📖 Read

via "Threat Post".

2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns

Sounil Yu, CISO at JupiterOne, discusses the growing mesh of integrations between SaaS applications, which enables automated business workflows – and rampant lateral movement by attackers, well outside IT's purview.

274 views00:35

‼ CVE-2021-43827 ‼

discourse-footnote is a library providing footnotes for posts in Discourse. ### Impact When posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`, the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a javascript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in javascript. Users are advised to update to version 0.2. As a workaround editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel can mitigate this issue.

📖 Read

via "National Vulnerability Database".

372 views01:13

🕴 Cisco's Ash Devata on Securing the Hybrid Workforce With Zero Trust 🕴

Hybrid work is here to stay, and organizations can apply zero trust's three core principles to ensure a secure workforce, Devata says.

📖 Read

via "Dark Reading".

Cisco's Ash Devata on Securing the Hybrid Workforce With Zero Trust

Hybrid work is here to stay, and organizations can apply zero trust's three core principles to ensure a secure workforce, Devata says.

385 views02:48

Log4j vulnerability: Why your hot take on it is wrong

🦿 Log4j vulnerability: Why your hot take on it is wrong 🦿

Commentary: Those searching for a single cause for the Log4j vulnerability – whether it's open source is not secure, or open source is not sustainable – are getting it wrong. It's a complicated issue.

📖 Read

via "Tech Republic".

TechRepublic

Commentary: Those searching for a single cause for the Log4j vulnerability – whether it's open source is not secure, or open source is not sustainable – are getting it wrong. It's a complicated issue.

540 views11:41

❌ Apache’s Fix for Log4Shell Can Lead to DoS Attacks ❌

Not only is the jaw-dropping flaw in the Apache Log4j logging library ubiquitous; Apache’s blanket of a quickly baked patch for Log4Shell also has holes.

📖 Read

via "Threat Post".

Apache’s Fix for Log4Shell Can Lead to DoS Attacks

Not only is the jaw-dropping flaw in the Apache Log4j logging library ubiquitous; Apache’s blanket of a quickly baked patch for Log4Shell also has holes.

354 views14:06

🕴 Kryptowire Collaborates With Orange and Finds Vulnerabilities in Mobile Devices 🕴

Kryptowire’s end-to-end cybersecurity engine identified vulnerabilities granting system user-level privileges for arbitrary shell script execution.

📖 Read

via "Dark Reading".

Kryptowire Collaborates With Orange and Finds Vulnerabilities in Mobile Devices

Kryptowire’s end-to-end cybersecurity engine identified vulnerabilities granting system user-level privileges for arbitrary shell script execution.

300 views14:21

‼ CVE-2021-4116 ‼

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

📖 Read

via "National Vulnerability Database".

282 views15:14

‼ CVE-2021-20330 ‼

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.

📖 Read

via "National Vulnerability Database".

275 views15:14

🕴 Why Cloud Storage Isn't Immune to Ransomware 🕴

Cloud security is a shared responsibility. which sometimes leads to security gaps and complexity in risk management.

📖 Read

via "Dark Reading".