The Hacker News
Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
🔥 Watch Out! A new critical vBulletin zero-day RCE vulnerability and its PoC exploits have been publicly disclosed, allowing attackers to bypass the patch for an old RCE bug (CVE-2019-16759) and remotely compromise sites.

Details — https://thehackernews.com/2020/08/vBulletin-vulnerability-exploit.html
A recently patched flaw in Chromium-based browsers—Chrome, Opera, or Edge for Windows, Mac, and Android—could let attackers bypass Content Security Policy (CSP) protection.

Details: https://thehackernews.com/2020/08/chrome-csp-bypass.html

Keep your web-browser software up-to-date.
PATCH! UPDATE! ALERT!

Newly discovered critical vulnerabilities could let unauthenticated attackers compromise on-premise Citrix XenMobile servers, an enterprise mobility management solution that enables companies to manage their employees' devices from a centralized system.

https://thehackernews.com/2020/08/citrix-endpoint-management.html
Multiple flaws in the 'Find My Phone' feature installed on Samsung Android smartphones could have allowed malicious app operators to:

track victims' real-time location,
monitor phone calls & messages,
wipe data stored on the device.

Read details: https://thehackernews.com/2020/08/samsung-find-my-phone-hacking.html
Hey Alexa, don't try to be too smart!

Just opening a link could've allowed hackers to install new malicious SKILLS on your Amazon Alexa smart assistant devices and spy on your activities remotely—thanks to newly discovered flaws.

Details: https://thehackernews.com/2020/08/amazon-alexa-hacking-skills.html
Explained ➤ How hackers can remotely decrypt VoLTE encryption to eavesdrop on "targeted phone calls" using a newly introduced attack called 'ReVoLTE.'

Details and demo here: https://thehackernews.com/2020/08/a-team-of-academic-researcherswho.html
Researchers exploited a vulnerability in Emotet malware to create a KILL-SWITCH, and prevented it from spreading for six months.

Details — https://thehackernews.com/2020/08/emotet-botnet-malware.html
Watch Out! A critical vulnerability affecting Jenkins web-server [jetty] could let unauthenticated, remote attackers access sensitive information through HTTP responses—including session identifiers, authentication credentials/cookies, and other sensitive information.

Read details: https://thehackernews.com/2020/08/jenkins-server-vulnerability.html

Security patches are included in the latest Jenkins 2.243 and Jenkins LTS 2.235.5 releases.
A new memory-related vulnerability (CVE-2020-4414) affecting IBM's Db2 family of data management products could allow a local attacker to access sensitive data or cause DoS attacks.

https://thehackernews.com/2020/08/ibm-data-management.html
Microsoft issues emergency out-of-band security updates for Windows 8.1, RT 8.1, and Server 2012 R2 systems to patch two recently disclosed privilege escalation bugs (CVE-2020-1530 & CVE-2020-1537) affecting Remote Access Service (RAS).

Read: https://thehackernews.com/2020/08/windows-update-download.html
Experian's South Africa unit suffered a data breach incident exposing the personal information of 24 million customers and 793,749 business entities.

Read details — https://thehackernews.com/2020/08/experian-data-breach-attack.html

The credit rating agency says the attacker behind this breach has been identified.
Oh, JOBS! Hackers posing as recruiters in #malware attacks.

FBI and CISA are warning companies about a new malware, dubbed 'BLINDINGCAN,' which North Korean hackers are using to spy on high-value employees at targeted government contractors.

https://thehackernews.com/2020/08/job-offer-hackers.html
Uber's former Chief Security Officer, Joe Sullivan, has been charged over covering up 2016's massive data breach by paying hackers a $100,000 ransom as a bug bounty reward.

Details: https://thehackernews.com/2020/08/uber-data-breach-cover-ups.html

This incident, which exposed 57 million users' data, was disclosed to the public almost a year later when Sullivan left the company.
⚠️ BEWARE !!!

A Google Drive 'Feature' — Unpatched Yet — Could Let Attackers Trick You Into Installing Malware Using Convincing Spear Phishing Attacks.

Learn more about it and watch demos: https://thehackernews.com/2020/08/google-drive-file-versions.html
Update your Apache-powered servers!

A Google researcher reported 3 flaws in Apache that could lead to code execution and, in some scenarios, even allow attackers to cause a crash and denial of service remotely.

https://thehackernews.com/2020/08/apache-webserver-security.html

CVE-2020-9490
CVE-2020-11984
CVE-2020-11993
A Popular iOS SDK Has Been Caught Spying on Billions of Apple Users and Committing Ad Fraud.

Read Details: https://thehackernews.com/2020/08/ios-sdk-ad-fraud.html
APT hackers-for-hire ...

APT hackers hired by competing private companies exploit #Autodesk 3D Max software to steal sensitive information from industrial targets.

Read details & get IoCs:
https://thehackernews.com/2020/08/autodesk-malware-attack.html
The FBI arrested a Russian extortion gang member in the United States after he TRAVELED there to meet an employee of a targeted company and offered him $1 MILLION in bitcoins as a bribe for planting data-stealing MALWARE into the company's systems.

Yeah, it works in the real world as well.

Read details: http://thehackernews.com/2020/08/russian-extortion-malware.html
Watch Out! A new malware campaign spreading QakBot banking trojan returned with new tricks up its sleeve to target government, military, and manufacturing sectors.

Read more: https://thehackernews.com/2020/08/qakbot-banking-trojan.html
In a new campaign...

Iranian hackers pose as journalists (over WhatsApp and LinkedIn) to trick high-value targets into handing over login credentials or installing spyware, and to steal sensitive information.

Read more: https://thehackernews.com/2020/08/hackers-journalist-malware.html