Security

by Paul Ducklin Apple just pushed out an emergency update for two zero-day bugs that are apparently actively being exploited. There’s a remote code execution hole (RCE) dubbed CVE-2022-32893 in Apple’s HTML rendering software (WebKit), by means of which a booby trapped web page can trick iPhones, iPads and Macs into running unauthorised and untrusted

Threat actors associated with BazarLoader, TrickBot and IcedID malware are now increasingly deploying the loader known as Bumblebee to breach target networks and subsequently conduct post-exploitation activities. The news comes from the Cybereason Global Security Operations Center (GSOC) team, who published a new advisory about Bumblebee on Thursday. “[We] observed threat actors transitioning from BazarLoader, Trickbot,

The Cybersecurity and Infrastructure Security Agency (CISA) has published a new advisory warning of threat actors actively exploiting five different vulnerabilities in the Zimbra Collaboration Suite (ZCS). The document was compiled in collaboration with the Multi-State Information Sharing & Analysis Center (MS-ISAC) and explains how threat actors may be targeting unpatched ZCS instances in both

by Paul Ducklin The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows). According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making

Two more malicious Python packages have been discovered in the Python Package Index (PyPI) repository, days after security researchers from Check Point spotted 10 of them. The two additional packages were also found, this time by Kaspersky, who posted an advisory describing them on their blog. According to the security team, both new packages were

by Naked Security writer You’ve almost certainly seen and heard the word Conti in the context of cybercrime. Conti is the name of a well-known ransomware gang – more precisely, what’s known as a ransomware-as-a-service (RaaS) gang, where the ransomware code, and the blackmail demands, and the receipt of extortion payments from desperate victims are

by Paul Ducklin At the well-known DEF CON security shindig in Las Vegas, Nevada, last week, Mac cybersecurity researcher Patrick Wardle revealed a “get-root” elevation of privilege (EoP) bug in Zoom for Mac: Mahalo to everybody who came to my @defcon talk “You’re M̶u̶t̶e̶d̶ Rooted” 🙏🏽 Was stoked to talk about (& live-demo 😅) a

An injection flaw connected to how macOS handles software updates on the system could allow attackers to access all files on Mac devices. The news comes from Mac security specialist Patrick Wardle who, in a Sector7 blog post (and at the Black Hat conference in Las Vegas), demonstrated how threat actors could abuse the flaw

A threat actor group named SolidBit is actively advertising RaaS (Ransom-as-a-Service) and looking to recruit new affiliates on dark web forums. The news comes from CloudSEK security researchers, who published an advisory about the new threat actors on Thursday. “The group is actively looking for partners to gain access to companies’ private networks in order to

Vulnerabilities in Xiaomi’s mobile payment could lead to an attacker stealing private keys used to sign Wechat Pay control and payment packages. The flaws were found by Check Point Research (CPR) in Xiaomi’s trusted execution environment (TEE), the system element responsible for storing and managing sensitive information such as keys and passwords. “We discovered a

Social media giant Meta has announced it will start testing end-to-end encryption (E2EE) as the default option on its Facebook Messenger platform. The company made the announcement in a blog post on August 11, where it explained the feature will be initially available only to selected users. “If you’re in the test group, some of

by Paul Ducklin Here’s this week’s BWAIN, our jocular term for a Bug With An Impressive Name. BWAIN is an accolade that we hand out when a new cybersecurity flaw not only turns out to be interesting and important, but also turns up with its own logo, domain name and website. This one is dubbed

A remote-code-execution (RCE) vulnerability affecting Zimbra Collaboration Suite (ZCS) email servers was exploited without valid administrative credentials, unlike previously believed. The finding come from security researchers at Volexity, who detailed them in an advisory published on Wednesday. While the RCE issue (tracked CVE-2022-27925) was patched by Zimbra in March 2022, in July and early August 2022 Volexity investigated

by Paul Ducklin Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. Schroedinger’s cat outlines in featured image via Dhatfield under CC BY-SA 3.0. You can listen to us on Soundcloud, Apple Podcasts, Google

Cyber-criminals spreading malware families are shifting to shortcut (LNK) files to deliver malware, HP Wolf Security’s latest report suggests. According to the new research, shortcuts are gradually replacing Office macros (which are starting to be blocked by default by Microsoft) as a way for attackers to get a foothold within networks by tricking users into

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) said on Monday it issued sanctions against virtual currency mixer Tornado Cash. According to the announcement, Tornado Cash has been used to launder more than $7bn worth of virtual currency since its foundation in 2019. The figure includes more than $455m stolen by the

A new analysis by Kaspersky unveiled a wave of targeted attacks on military-industrial complex enterprises and public institutions in Belarus, Russia, Ukraine and Afghanistan. The cybersecurity company made the announcement in an advisory published on Monday, which claims the attackers were able to penetrate several enterprises and hijack the IT infrastructure of some of them.

by Paul Ducklin Popular collaboration tool Slack (not to be confused with the nickname of the world’s longest-running Linux distro, Slackware) has just owned up to a cybersecurity SNAFU. According to a news bulletin entitled Notice about Slack password resets, the company admitted that it had inadvertently been oversharing personal data “when users created or

North Korea stole hundreds of millions of dollars worth of crypto assets in at least one major hack, according to a confidential United Nations (UN) report seen by Reuters on Thursday. The document also reportedly suggests the US previously accused North Korea of carrying out cyber-attacks to fund its nuclear and missile programs. “Other cyber activity

by Paul Ducklin We’ve written about PQC, short for post-quantum cryptography, several times before. In case you’ve missed all the media excitement of the past few years about so-called quantum computing… …it is (if you will pardon what some experts will probably consider a reckless oversimplification) a way of building computing devices that can keep

ReversingLabs researchers discovered a new ransomware family targeting Linux-based systems in South Korea. Dubbed GwisinLocker, the malware was detected by ReversingLabs on July 19 while undertaking successful campaigns targeting firms in the industrial and pharmaceutical space. “In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to

by Paul Ducklin The word “protocol” crops up all over the place in IT, usually describing the details of how to exchange data between requester and replier. Thus we have HTTP, short for hypertext transfer protocol, which explains how to communicate with a webserver; SMTP, or simple mail transfer protocol, which governs sending and receiving

A team of security researchers from CloudSEK has discovered a new phishing tactic used by threat actors (TA) to target Indian banking customers via preview domains from Hosting Provider Hostinger. The new feature enables access to a site before it is accessible globally. In other words, it enables the viewing of website content without a

by Paul Ducklin Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just

Cybersecurity-focussed non-profit CREST has partnered up with the Open Web Application Security Project (OWASP) to release the OWASP Verification Standard (OVS). The move aims to provide mobile and web app developers with enhanced security assurance and accredited organizations with improved access to the app development industry. “Both CREST and OWASP are non-profit organizations and we

by Paul Ducklin Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI. This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the

European missile maker MBDA has publicly denied some of the hacking allegations against the company made on a dark web forum in July and posted on Twitter by Today Cyber News on Tuesday. The self-proclaimed hacking group who first made the allegation went under the name “Andrastea,” and claimed to have obtained roughly 60 GB of

by Paul Ducklin Cryptocurrency protocol Nomad (not to be confused with Monad, which is what PowerShell was called when it first came out) describes itself as “an optimistic interoperability protocol that enables secure cross-chain communication,” and promises that it’s a “security-first cross-chain messaging protocol.” In plain English, it’s supposed to let you swap cryptocurrency tokens

Google published its monthly security bulletin for August on Monday, detailing the latest available patches for Android. A total of 37 vulnerabilities have been patched, including a critical security flaw in the System component that could lead to remote code execution via Bluetooth with no additional execution privileges needed. The Bluetooth vulnerability is tracked as

by Paul Ducklin The best-known cryptographic library in the open-source world is almost certainly OpenSSL. Firstly, it’s one of the most widely-used, to the point that most developers on most platforms have heard of it even if they haven’t used it directly. Secondly, it’s probably the most widely-publicised, sadly because of a rather nasty bug