Cybersecurity News
2021 in review: The biggest cybersecurity stories of the year
As we close out another year like no other, let's look back at some of the most notable cybersecurity stories that shaped 2021
The post 2021 in review: The biggest cybersecurity stories of the year appeared first on WeLiveSecurity
4-Year-Old Microsoft Azure Zero-Day Exposes Web App Source Code
The security vulnerability could expose passwords and access tokens, along with blueprints for internal infrastructure and finding software vulnerabilities.
Telegram Abused to Steal Crypto-Wallet Credentials
Attackers use the Telegram handle “Smokes Night” to spread the malicious Echelon infostealer, which steals credentials for cryptocurrency and other user accounts, researchers said.
‘Spider-Man: No Way Home’ Download Installs Cryptominer
The origin of the Monero cryptominer file has been traced to a Russian torrent website, researchers report.
PYSA Emerges as Top Ransomware Actor in November
Overtaking the Conti ransomware gang, PYSA finds success with government-sector attacks.
All in One SEO Plugin Bug Threatens 3M Websites with Takeovers
A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.
Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS
Don't freak: It's got nothing to do with Log4Shell, except it may be just as far-reaching as Log4j, given HTTPD's tendency to tiptoe into software projects.
Four Bugs in Microsoft Teams Left Platform Vulnerable Since March
Attackers exploiting bugs in the “link preview” feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user’s IP address and launch a DoS attack.
This holiday season, give your children the gift of cybersecurity awareness
Don't leave your kids to their own devices – give them a head start with staying safe online instead
The post This holiday season, give your children the gift of cybersecurity awareness appeared first on WeLiveSecurity
Time to Ditch Big-Brother Accounts for Network Scanning
Yaron Kassner, CTO and co-founder of Silverfort, discusses why using all-seeing privileged accounts for monitoring is bad practice.
Java Code Repository Riddled with Hidden Log4j Bugs; Here’s Where to Look
There are 17,000npatched Log4j packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits.
Half-Billion Compromised Credentials Lurking on Open Cloud Server
A quarter-billion of those passwords were not seen in previous breaches that have been added to Have I Been Pwned.
Two Active Directory Bugs Lead to Easy Windows Domain Takeover
Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12.
FBI: Another Zoho ManageEngine Zero-Day Under Active Attack
APT attackers are using a security vulnerability in ManageEngine Desktop Central to take over servers, deliver malware and establish network persistence.
Conti Ransomware Gang Has Full Log4Shell Attack Chain
Conti has become the first professional-grade, sophisticated ransomware group to weaponize Log4j2, now with a full attack chain.
Robocalls More Than Doubled in 2021, Cost Victims $30B
T-Mobile reported blocking 21 billion scam calls during a record-smashing year for robocalls.
Third Log4J Bug Can Trigger DoS; Apache Issues Patch
The new Log4j vulnerability is similar to Log4Shell in that it also affects the logging library, but this DoS flaw has to do with Context Map lookups, not JNDI.
Don’t forget to unplug your devices before you leave for the holidays!
As you down tools for the holiday season, be sure to also switch off the standby lights – it’s both cost effective and better for the environment
The post Don’t forget to unplug your devices before you leave for the holidays! appeared first on WeLiveSecurity
UN-backed investigator into possible Yemen war crimes targeted by spyware
Analysis of Kamel Jendoubi’s mobile phone reveals he was targeted in August 2019
The mobile phone of a UN-backed investigator who was examining possible war crimes in Yemen was targeted with spyware made by Israel’s NSO Group, a new forensic analysis of the device has revealed.
Kamel Jendoubi, a Tunisian who served as the chairman of the now defunct Group of Eminent Experts in Yemen (GEE)– a panel mandated by the UN to investigate possible war crimes – was targeted in August 2019, according to an analysis of his mobile phone by experts at Amnesty International and the Citizen Lab at the University of Toronto.
Continue reading...How cut-and-pasted programming is putting the internet and society at risk | John Naughton
A vulnerability has been exposed in Minecraft, the bestselling video game of all time – and the security implications outside the world of gaming are vast
In one of those delicious coincidences that warm the cockles of every tech columnist’s heart, in the same week that the entire internet community was scrambling to patch a glaring vulnerability that affects countless millions of web servers across the world, the UK government announced a grand new National Cyber Security Strategy that, even if actually implemented, would have been largely irrelevant to the crisis at hand.
Initially, it looked like a prank in the amazingly popular Minecraft game. If someone inserted an apparently meaningless string of characters into a conversation in the game’s chat, it would have the effect of taking over the server on which it was running and download some malware that could then have the capacity to do all kinds of nefarious things. Since Minecraft (now owned by Microsoft) is the best-selling video game of all time (more than 238m copies sold and 140 million monthly active users), this vulnerability was obviously worrying, but hey, it’s only a video game…
Continue reading...