CISA warns of a zero-day vulnerability (CVE-2021-40539) affecting Zoho ManageEngine ADSelfService Plus that has been actively exploited in the wild.
Details: https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html
The authentication bypass flaw could lead to arbitrary remote code execution attacks.
Hackers leak hundreds of thousands of VPN login credentials belonging to users of nearly 87,000 #Fortinet FortiGate devices.
Read: https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html
REvil ransomware group has returned after a two-month hiatus following its highly publicized attack against Kaseya.
Read: https://thehackernews.com/2021/09/russian-ransomware-group-revil-back.html
A critical cross-account takeover #vulnerability in Microsoft's Azure Container Instances service could have allowed attackers to execute code on other customers' containers, exfiltrate secrets or deploy cryptominers.
Details: https://thehackernews.com/2021/09/microsoft-warns-of-cross-account.html
A previously unknown backdoor #malware targeting an unidentified computer retail firm in the United States has been linked to a long-standing Chinese espionage group called Grayfly.
Read details: https://thehackernews.com/2021/09/experts-link-sidewalk-malware-attacks.html
Several banking, cryptocurrency wallet, and shopping apps are the target of a newly discovered Android trojan that could enable attackers to siphon sensitive data, including credentials, from infected devices and open the door for on-device fraud.
https://thehackernews.com/2021/09/sova-new-android-banking-trojan-emerges.html
WhatsApp has finally closed a major privacy loophole, and soon users will be able to end-to-end encrypt their chat backups to iCloud or Google Drive.
Read: https://thehackernews.com/2021/09/whatsapp-to-finally-let-users-encrypt.html
Mēris botnet hit Russian tech giant Yandex with a record-breaking DDoS attack, peaking at 21.8 million requests per second (RPS) by using a technique called HTTP pipelining.
Read details: https://thehackernews.com/2021/09/meris-botnet-hit-russias-yandex-with.html
Spook.js, a new side-channel attack on modern CPUs, successfully bypasses Site Isolation, the security feature that Chrome and Chromium-based browsers use to protect against Spectre-type flaws, allowing attackers to steal data from other sites.
https://thehackernews.com/2021/09/new-spookjs-attack-bypasses-google.html
A high-severity remote code execution vulnerability (CVE-2021-23406) has been identified in Pac-Resolver, a popular NPM package with about 3 million weekly downloads, affecting Node.js applications.
Read: https://thehackernews.com/2021/09/critical-bug-reported-in-npm-package.html
Researchers discover a Linux and Windows re-implementation of Cobalt Strike Beacon that is targeting telecommunications, government and financial organizations around the world.
Read details: https://thehackernews.com/2021/09/linux-implementation-of-cobalt-strike.html
Update your Google Chrome browser right away to protect against two new zero-day vulnerabilities currently being exploited in the wild by malicious actors.
Read: https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html
Apple has issued urgent software patches for all of its devices to address a newly discovered and actively exploited zero-day vulnerability tied to the NSO Group's Pegasus Spyware.
https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html
Users should update their iPhone, iPad, Mac, and Apple Watch ASAP!
Millions of gaming computers are affected by a new high-severity #vulnerability in the HP OMEN driver (CVE-2021-3437) that could allow attackers to overwrite system components, corrupt the OS, or perform other malicious activities.
Read: https://thehackernews.com/2021/09/hp-omen-gaming-hub-flaw-affects.html
Users looking for TeamViewer remote desktop software on search engines like Google are being routed to dangerous links that download ZLoader malware to their PCs, where the virus goes undetected by security solutions.
Read details: https://thehackernews.com/2021/09/new-stealthier-zloader-variant.html
Microsoft releases latest Windows security updates as part of its monthly Patch Tuesday release cycle to address 66 newly discovered flaws, including an actively exploited zero-day in MSHTML Platform that was discovered last week.
Read: https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html
The United States fines 3 former intelligence and military officials $1.68 million for acting as cyber mercenaries on behalf of a cybersecurity company based in the United Arab Emirates.
Read details: https://thehackernews.com/2021/09/3-former-us-intelligence-officers-admit.html
Critical vulnerabilities discovered in an Azure app that Microsoft secretly installed on Linux virtual machines.
Attackers can exploit these bugs to escalate to root privileges and remotely execute malicious code.
"With a single packet, an attacker can become root on a remote machine by simply removing the authentication header."
Unfortunately, Microsoft can't fix it for you. Users affected by these vulnerabilities must manually update the OMI agent to the patched versions.
Details: https://thehackernews.com/2021/09/critical-flaws-discovered-in-azure-app.html
Microsoft has introduced a new passwordless mechanism, allowing users to sign in to their Microsoft accounts without a password.
Read more about it here: https://thehackernews.com/2021/09/you-can-now-sign-in-to-you-microsoft.html
A recently disclosed zero-day vulnerability affecting Microsoft Windows MSHTML has been exploited in targeted cyber attacks to deploy Cobalt Strike beacon on targeted systems.
Read: https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html