A critical vulnerability in ThemeGrill WordPress plugin—with over 200,000 active installations—could let unauthenticated attackers wipe the entire database of targeted sites and gain administrative access.

This WordPress plugin flaw remained undetected for the last 3 years, through ThemeGrill Demo Importer version 1.3.4 to 1.6.1.

A new fixed version has now been released, update the plugin and patch your sites ASAP!

Details: https://thehackernews.com/2020/02/themegrill-wordpress-plugin.html

Iranian hackers are exploiting unpatched 1-day enterprise VPN vulnerabilities to compromise network of organizations worldwide and implant backdoors for cyber espionage.

➡️ Pulse Secure Connect: CVE-2019-11510
➡️ Palo Alto Networks: CVE-2019-1579
➡️ Fortinet FortiOS: CVE-2018-13379
➡️ Citrix: CVE-2019-19781

Read: https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html

The U.S. Department of Homeland Security's CISA issues a warning to all industries operating critical infrastructures of a new ransomware threat after hackers targeted a Gas pipeline facility and knocked it out of operation for almost 2 days.

https://thehackernews.com/2020/02/critical-infrastructure-ransomware-attack.html

Amazon's Ring makes two-factor authentication security mandatory for all of its users following several recent reports of hackers gaining access to people's internet-connected #Ring doorbell and security cameras.

Read more: https://thehackernews.com/2020/02/ring-cameras-cybersecurity.html

Adobe today released security updates for Adobe After Effects (CVE-2020-3765) and Media Encoder (CVE-2020-3764) applications to patch 2 new critical code execution vulnerabilities.

Details: https://thehackernews.com/2020/02/adobe-software-updates.html

⚠️ Scam Alert ⚠️

You've Been Selected for 'Like of the Year 2020' Contest Cash Prizes !!!

That's an ongoing fraud scheme—yes, LIKE of the year—lures users with promises of financial rewards to steal their payment card information.

Details: https://thehackernews.com/2020/02/like-of-the-year-scam.html

Android's never-ending battle with malware...

Google has banned nearly 600 Android apps from the official Play Store for bombarding millions of users with disruptive ads and violating its advertising guidelines.

Read more: https://thehackernews.com/2020/02/android-adware-apps-banned.html

Microsoft releases a public preview of its Defender ATP Antivirus for Linux operating system —— And it's coming soon for Android and iOS later this year.

Read details ➤ https://thehackernews.com/2020/02/windows-defender-atp-linux-android.html

🔥 CVE-2020-8794

Yet another critical RCE vulnerability disclosed in OpenSMTPD email servers running on #OpenBSD or Linux systems.

Read: https://thehackernews.com/2020/02/opensmtpd-email-vulnerability.html

The 5-year-old bug could let attackers takeover vulnerable remote servers by sending specially crafted emails.

Important — Install latest Chrome browser update (80.0.3987.122) to patch 3 new high-severity vulnerabilities, one of which hackers are actively exploiting in the wild to hijack computers.

Read more: https://thehackernews.com/2020/02/google-chrome-zero-day.html

If you use Firefox, here's an important update that you need to be aware of.

Firefox is enabling "DNS-over-HTTPS" feature for all users in the U.S. (and soon for rest of the world) — by default with Cloudflare's DoH service.

Details ➤ https://thehackernews.com/2020/02/firefox-dns-over-https.html

⭐Google recommends Android developers to encrypt app data on the users' devices, especially when they use external storage that's prone to hijacking, man-in-the-disk, & other side-channel attacks.

Also, considering that there are not many reference frameworks available for the same, Google also offered an open-source crypto library—called JetSec—that lets developers easily read and write encrypted files by following best security practices.

Read details ➤ https://thehackernews.com/2020/02/android-app-data-encryption.html

Researchers uncover a new 📡 LTE network security vulnerability that could let attackers impersonate Android and iOS users on the 📶 4G networks.

Dubbed 'IMP4GT,' this new LTE attack could let remote attackers forge any traffic to the Internet with an identity (IP address) associated with the victims.

Read details ➤ https://thehackernews.com/2020/02/lte-network-4g-vulnerability.html

🔥 Kr00k Attack </>

New Wi-Fi chip-based #encryption flaw affects over a billion devices—including phones, laptops, routers, IoTs—that could let hackers decrypt packets transmitted by vulnerable devices without knowing WiFi password or connecting to it.

https://thehackernews.com/2020/02/kr00k-wifi-encryption-flaw.html

⭐ Milestone! Let's Encrypt has issued a BILLION free SSL certificates since its launch in 2015

Read here ➤ https://thehackernews.com/2020/02/lets-encrypt-ssl-certificate.html

Meanwhile, Apple also takes a significant step forward by limiting the maximum lifetime for TLS certs on its devices & Safari browser to 398 days

🐱 GhostCat ~ A new high risk 'file read/inclusion' vulnerability (CVE-2020-1938) affects all versions of the 'Apache Tomcat' (9.x/8.x/7.x/6.x) released in the past 13 years.

Read details: https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html

Web admins should patch it immediately, as several proof-of-concept (PoC) exploits have been posted online.

Weekly Roundup : In Case You Missed Any Important Story!

➤ Microsoft Antivirus for Linux
https://bit.ly/32AaKeu

➤ OpenSMTPD / OpenBSD Bug
https://bit.ly/2vpKffq

➤ Chrome 0-Day Attacks
https://bit.ly/2VEB7OG

➤ Firefox DoH by Default
https://bit.ly/2T8apN0

➤ Mobile 4G Network Bug
https://bit.ly/2vi2dRh

➤ Wi-Fi Encryption Bug
https://bit.ly/3ciRYg6

➤ Apache Tomcat Bug
https://bit.ly/2Tb4Hd8

SurfingAttack — Hackers can use ultrasonic guided waves to send inaudible commands and hijack voice-activated phones (Android, #
iPhone) & smart assistants.

Details & Demos ➤ https://thehackernews.com/2020/03/voice-assistants-ultrasonic-waves.html

It works over a longer distance and without the need to be in line-of-sight.

U.S. has charged and sanctioned 2 Chinese nationals for helping North Korean hackers (Lazarus Group) launder nearly $100 million that was stolen as part of $250 million heists during the hacks of two separate cryptocurrency exchanges

https://thehackernews.com/2020/03/cryptocurrency-lazarus-hackers.html

Researchers claim the CIA hackers were behind an 11-year-long hacking and cyber-espionage campaign against several critical Chinese industries (aviation, petroleum, and more) and government agencies.

Read more: https://thehackernews.com/2020/03/china-cia-hackers.html

⚠️ Important Notice ⚠️

Let's Encrypt is going to revoke 3,048,289 TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software.

Affected website owners have until 8 PM UTC (3 PM EST) March 4 to manually renew and replace their TLS HTTPS certificates, failing which visitors to the websites will be greeted with TLS security warnings — as the certificates are revoked — until the renewal process is complete.

Read details: https://thehackernews.com/2020/03/lets-encrypt-certificate-revocation.html