Security News > 2020 > April

The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. Salt is a tool from SaltStack which has both commercial and open source editions.

Google this week announced a new set of rules for its Chrome Web Store, meant to ensure that developers don't spam users with extensions that have similar functionality. The Chrome Web Store has been available since 2011, offering a total of more than 200,000 browser extensions that allow users to easily customize their browsing experience in Chrome.

Attackers used an account checker tool to identify Nintendo accounts with compromised and vulnerable login credentials, says SpyCloud. The recent data breach that hit Nintendo affected 160,000 people, resulting in account takeovers and financial losses for a host of users.

The Salt community has been aware of a critical vulnerability in Salt Master versions since late last week. More warnings appeared early this week. F-Secure's Mikko Hypponen tweeted on Monday, 27 April: "The vulnerability in Salt Master 3000.1 has been rated with a CVSS of 10.0".

Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more. The flaws range in seriousness and impact, but could allow third-party attackers to steal personal information or target the financial payment methods that are tied to the platforms.

The actions of the hackers who recently targeted water facilities in Israel show their sophistication and prove that they knew exactly what they were doing, according to people with knowledge of the attacks. The attacks targeted wastewater treatment plants, pumping stations and sewage facilities, and organizations in the water sector have been instructed by Israeli authorities to immediately take measures to prevent attacks, including changing passwords to internet-exposed control systems, reducing internet exposure, and ensuring that all software is up to date.

Dubbed 'PerSwaysion,' the newly spotted cyberattack campaign leveraged Microsoft file-sharing services, including Sway, SharePoint, and OneNote, to launch highly targeted phishing attacks. According to a report Group-IB Threat Intelligence team published today and shared with The Hacker News, PerSwaysion operations attacked executives of more than 150 companies around the world, primarily with businesses in finance, law, and real estate sectors.

Although the use of applications has steadily increased, the difference in the ways that web and mobile applications are protected is not widely understood. Many companies that have been using security tools for their web application may feel that moving these security tools to mobile may be difficult, but it isn't.

Adobe has emitted fixes for multiple remote code execution holes in Illustrator and its Bridge code. Those who rely on Adobe Illustrator version 24.0.2 for Windows, or earlier builds, will want to make sure they install APSB20-20, the latest round of security fixes for the drawing tool.