Security News > 2020 > May

A Microsoft vulnerability found in Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization's Teams accounts. The phishing campaign used a ton of different Microsoft file sharing platforms including Microsoft Sway, which if you guys don't know what that is, it's basically Microsoft's platform for newsletters and presentations.

Two separate attacks have targeted as many as 50,000 different Teams users, according to findings from Abnormal Security. If recipients click the link, they'll be presented with a button asking them to log in to Microsoft Teams - if that button is clicked, they're taken to a malicious page which impersonates the Microsoft Office login page in order to steal their credentials.

Oracle warned customers on Thursday that threat actors have been spotted attempting to exploit multiple recently patched vulnerabilities, including a critical WebLogic Server flaw tracked as CVE-2020-2883. Oracle's April 2020 Critical Patch Update resolves nearly 400 vulnerabilities, including CVE-2020-2883, a critical flaw in Oracle WebLogic Server that can be exploited by an unauthenticated attacker for remote code execution.

Threat actors are using people's interest in the Department of Labor's Family and Medical Leave Act to spread what appears to be the TrickBot trojan in a new spam campaign that security researchers discovered recently. "Users infected with the TrickBot Trojan will see their device become part of a botnet that can allow attackers to gain complete control of the device," Via, along with IBM X-Force co-authors David Bryant and Limor Kessem, wrote in the post.

An alert the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency published this week reiterates previously issued recommendations on how organizations should properly secure Microsoft Office 365 deployments. In May last year, the agency issued an alert to highlight some of the common security oversights by Office 365 customers, and also included a series of recommendations on how organizations could improve their security posture.

Several vulnerabilities, most of which have been described as cross-site scripting flaws, have been patched in WordPress this week with the release of version 5.4.1. WordPress 5.4.1, described as a short-cycle security and maintenance release, fixes 17 bugs and 7 vulnerabilities affecting version 5.4 and earlier.

"My problem with contact tracing apps is that they have absolutely no value," Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. One, the app's location and proximity systems - based on GPS and Bluetooth - just aren't accurate enough to capture every contact.

A memorandum sent by the United States Cybersecurity and Infrastructure Security Agency to Chief Information Officers at federal agencies reminds them to use EINSTEIN 3 Accelerated's Domain Name System sinkholing capability for DNS resolution. In the United States, DNS resolution services provided by CISA are mandatory in most federal agencies in the executive branch.

Developers use a number of ways to breed extensions like a bunch of spam bunnies in Google's Chrome Web Store, which is the biggest extension catalog online. User Ratings, Reviews, and Installs: Developers are forbidden from manipulating their extensions' placement in the Chrome Web Store by doing things like cooking up bogus downloads, reviews or ratings.

Heads up, Microsoft Office 365 users: It's time to take some important steps in securing your account. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has released some recommendations to help secure the online productivity service.