Tue. Apr 09, 2024

US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack

Schneier on Security

US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior U.S. government officials. From the executive summary: The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosy

Hacking 252

April’s Patch Tuesday Brings Record Number of Fixes

Krebs on Security

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

DNS 231

6 Best Open Source Password Managers for Windows in 2024

Tech Republic Security

Discover the top open-source password managers for Windows. Learn about the features and benefits of each to determine which one is the best fit for your needs.

Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included

The Hacker News

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild. Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Google Cloud Next 2024: New Data Center Chip and Chrome Enterprise Premium Join the Ecosystem

Tech Republic Security

Some Google Cloud customers will be able to run instances on the Arm-based Axion chip later this year. Plus, Chrome has a new enterprise tier.

Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access

The Hacker News

Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

More Trending

FCC Mulls Rules to Protect Abuse Survivors from Stalking Through Cars

Security Boulevard

To protect domestic violence survivors from abusers, the FCC wants to include internet-connected vehicles under the Safe Communication Act. The post FCC Mulls Rules to Protect Abuse Survivors from Stalking Through Cars appeared first on Security Boulevard.

Internet 128

Over 91,000 LG smart TVs running webOS are vulnerable to hacking

Security Affairs

Researchers found multiple vulnerabilities in LG webOS running on smart TVs that could allow attackers to gain root access to the devices. Bitdefender researchers discovered multiple vulnerabilities in LG webOS running on smart TVs that could be exploited to bypass authorization and gain root access on the devices. The vulnerabilities discovered by the researchers impact WebOS versions 4 through 7 running on LG TVs. “WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by

Hacking 127

Over 90,000 LG Smart TVs may be exposed to remote attacks

Bleeping Computer

Security researchers at Bitdefender have discovered four vulnerabilities impacting multiple versions of WebOS, the operating system used in LG smart TVs. [.

Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks

The Hacker News

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs

Bleeping Computer

Today is Microsoft's April 2024 Patch Tuesday, which includes security updates for 150 flaws and sixty-seven remote code execution bugs.

Google announces V8 Sandbox to protect Chrome users

Security Affairs

Google announced support for a V8 Sandbox in the Chrome web browser to protect users from exploits triggering memory corruption issues. Google has announced support for what’s called a V8 Sandbox in the Chrome web browser. The company included the V8 Sandbox in Chrome’s Vulnerability Reward Program (VRP). Chrome 123 is a sort of “beta” release for the sandbox designed to mitigate memory corruption issues in the Javascript engine.

New SharePoint flaws help hackers evade detection when stealing files

Bleeping Computer

Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. [.

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

The Hacker News

Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.

Phishing 117

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Critical Rust flaw enables Windows command injection attacks

Bleeping Computer

Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks. [.

Fortinet Patches Multiple Critical Vulnerabilities Affecting FortiClient, FortiSandbox, FortiOS, and FortiProxy

Penetration Testing

Fortinet has released an urgent security advisory and patches addressing several critical and high-severity vulnerabilities in their popular security products. These vulnerabilities could expose organizations to remote code execution, unauthorized file deletion, OS command... The post Fortinet Patches Multiple Critical Vulnerabilities Affecting FortiClient, FortiSandbox, FortiOS, and FortiProxy appeared first on Penetration Testing.

Techstrong Group Announces Rebranding of Security Bloggers Network to Security Creators Network

Security Boulevard

BOCA RATON, FL, April 9, 2024 — Techstrong Group, the power source for people and technology, is excited to announce the rebranding of the renowned Security Bloggers Network to the Security Creators Network. With over 350 security-focused content creators, the network has been a staple in the cybersecurity community for the past two decades. The. The post Techstrong Group Announces Rebranding of Security Bloggers Network to Security Creators Network appeared first on Security Boulevard.

35-year long identity theft leads to imprisonment for victim

Malwarebytes

Sometimes the consequences of a stolen identity exceed anything you could have imagined. Matthew David Keirans, a 58-year-old former hospital employee has pleaded guilty to assuming another man’s identity since 1988. He was convicted of one count of making a false statement to a National Credit Union Administration insured institution and one count of aggravated identity theft.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Patch Tuesday Update – April 2024

Security Boulevard

For April 2024, Microsoft has rolled out a significant update aimed at bolstering the security and performance of its product suite. In this month’s release, users and IT administrators are encouraged to prioritize these updates to protect their systems from known vulnerabilities and cyber threats. Key Highlights from April’s Patch Tuesday: Total Updates: This month, … Read More The post Patch Tuesday Update – April 2024 appeared first on Security Boulevard.

CVE-2024-24576 (CVSS 10): Rust Flaw Exposes Windows Systems to Command Injection Attacks

Penetration Testing

A critical vulnerability in the Rust standard library has been uncovered, exposing Windows-based systems to the risk of arbitrary code execution. The flaw, tracked as CVE-2024-24576, could potentially be exploited by attackers to gain... The post CVE-2024-24576 (CVSS 10): Rust Flaw Exposes Windows Systems to Command Injection Attacks appeared first on Penetration Testing.

Section 702: The Future of the Biggest US Spy Program Hangs in the Balance

WIRED Threat Level

The US Congress will this week decide the fate of Section 702, a major surveillance program that will soon expire if lawmakers do not act. WIRED is tracking the major developments as they unfold.

10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

The Hacker News

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks. The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

DDOS 105

5 Key Findings From the 2023 FBI Internet Crime Report

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla

Malwarebytes

In the past couple of weeks, we have observed an ongoing campaign targeting system administrators with fraudulent ads for popular system utilities. The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America. Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer.

TechRepublic Academy Is Offering Extra 20% Off Most Deals Through April 16

Tech Republic Security

By using code ENJOY20 at checkout, you will unlock an additional 20% off most deals at TechRepublic Academy. This fantastic offer is available from April 8–16.

Software 103

LazyStealer Malware Targets Governments with Simple But Effective Strategy

Penetration Testing

A new report from Positive Technologies Expert Security Center (PT ESC) warns that a cybercriminal group known as “Lazy Koala” has successfully compromised government organizations across several countries. The attackers used a malware strain... The post LazyStealer Malware Targets Governments with Simple But Effective Strategy appeared first on Penetration Testing.

Cyber Insurance Policy

Tech Republic Security

As the digital landscape becomes more interconnected, it brings with it the growing threat of cyberattacks. The purpose of this policy, written by Maria Carrisa Sanchez for TechRepublic Premium, is to outline the terms and conditions under which the company provides coverage to its employees for losses incurred as a result of cyber-related incidents.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

CVE-2024-29988: ‘In-the-Wild’ Flaw Among Microsoft’s April 2024 Patch Tuesday

Penetration Testing

Microsoft’s April 2024 Patch Tuesday release brings a staggering 147 new vulnerability fixes across its software ecosystem. The sheer volume highlights the relentless cybersecurity battle, especially considering reports of a zero-day vulnerability already being... The post CVE-2024-29988: ‘In-the-Wild’ Flaw Among Microsoft’s April 2024 Patch Tuesday appeared first on Penetration Testing.

GHC-SCW: Ransomware gang stole health data of 533,000 people

Bleeping Computer

Non-profit healthcare service provider Group Health Cooperative of South Central Wisconsin (GHC-SCW) has disclosed that a ransomware gang breached its network in January and stole documents containing the personal and medical information of over 500,000 individuals. [.

ScrubCrypt used to drop VenomRAT along with many malicious plugins

Security Affairs

Researchers discovered a sophisticated multi-stage attack that leverages ScrubCrypt to drop VenomRAT along with many malicious plugins. Fortinet researchers observed a threat actor sending out a phishing email containing malicious Scalable Vector Graphics (SVG) files. The email is crafted to trick recipients into clicking on an attachment, which downloads a ZIP file containing a Batch file obfuscated with the BatCloak tool.

What's the Prescription for Cyber Resilience in Healthcare?

SecureWorld News

Have you noticed that the latest cyberattacks are threatening the very existence of lots of smaller medical clinics and their doctors' ability to deliver care? You might not have because this fact is wildly underreported in the U.S. national mainstream news. Think urgent care centers, cancer treatment, and primary care doctors. And the government is almost powerless to stop these cybercriminals.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.