Bug-Bounty Awards Spike 26% in 2020
2020-10-29 13:14

Cross-site scripting (XSS) - which enables attackers to inject client-side scripts into web pages viewed by other users - earned hackers $4.2 million in total bug-bounty awards in the last year, a 26-percent increase from what was paid out in 2019 for finding XSS flaws, according to the report. In total, organizations paid ethical hackers $23.5 million in bug bounties for all of these flaws this year, according to HackerOne, which maintains a database of 200,000 vulnerabilities found by hackers.

The 10 vulnerabilities most commonly discovered by bug bounty hunters in 2020
2020-10-29 13:00

HackerOne's list was topped by cross-site scripting, and the company found improper access control and SSRF vulnerabilities to be climbing in number and risk potential. Bug bounty platform HackerOne has released its list of the most commonly discovered security vulnerabilities for 2020, with the 10 vulnerabilities listed accounting for $23.5 million in payouts to white hat hackers hunting down bugs and reporting them on its platform.

Chronicle Co-Founder Launches New Cybersecurity Company Stairwell
2020-10-29 12:55

Newly launched cybersecurity company Stairwell, which aims to provide security teams with more tools to identify adversaries, has closed a $4.5 million seed investment round. The new organization is founded and led by Mike Wiacek, who previously founded Google's Threat Analysis Group and co-founded Alphabet's enterprise security firm Chronicle.

How phishing attacks are targeting schools and colleges
2020-10-29 12:43

A report published Thursday by security firm Barracuda Networks details how schools are being hit by phishing emails and what they can do to better protect themselves. Schools and colleges have been preyed on by specific types of phishing campaigns, including spear phishing and Business Email Compromise attacks.

Microsoft Says Iranian Hackers Targeted Attendees of Major Global Policy Conferences
2020-10-29 12:19

The Iran-linked state-sponsored threat group known as Charming Kitten was observed targeting potential attendees of two major international conferences, Microsoft reports. Recently observed attacks, Microsoft says, targeted over 100 high-profile individuals, potential attendees of two upcoming global policy conferences, namely the Munich Security Conference and the Think 20 Summit, which is held in Saudi Arabia.

U.S. Hospitals Warned of Imminent Ransomware Attacks From Russia
2020-10-29 11:41

The U.S. government has warned hospitals and healthcare providers of an "increased and imminent" ransomware threat, which some experts have attributed to cybercriminals from Eastern Europe. The agencies say they've received credible information that threat actors are targeting the healthcare sector with the TrickBot malware in attacks that often lead to ransomware infections, data theft and disruption of healthcare services.

Easily exploitable RCE in Oracle WebLogic Server under attack (CVE-2020-14882)
2020-10-29 11:29

A critical and easily exploitable remote code execution vulnerability in Oracle WebLogic Server is being targeted by attackers, SANS ISC has warned. Oracle WebLogic is a Java EE application server that is part of Oracle's Fusion Middleware portfolio and supports a variety of popular databases.

Xfinity, McAfee Brands Abused by Parked Domains in Active Campaigns
2020-10-29 10:00

Parked domains, which act as aliases and redirect to other websites, can send visitors to malicious or unwanted landing pages or turn entirely malicious at any point in time - as evidenced by a recent Emotet campaign, a separate effort abusing Comcast and McAfee brands, and an election-themed attack. That's shady enough, but sometimes, parked domains are crafted to be malicious from the get-go.

Microsoft Defender ATP Users Get False Positive Alerts for Mimikatz, Cobalt Strike
2020-10-29 09:36

Microsoft rushed to take action on Wednesday after Defender Advanced Threat Protection users reported getting Cobalt Strike and Mimikatz alerts that turned out to be false positives. It's not surprising that some Microsoft Defender ATP users had a small heart attack on Wednesday when they saw multiple high-severity alerts for Cobalt Strike.

Can we stop megacorps from using and abusing our data? That ship has sailed, ex-NSA lawyer argues in new book
2020-10-29 09:30

Cyber Privacy: Who Has Your Data and Why You Should Care is the title of a new book from April Falcon Doss, a former associate general counsel for intelligence law at America's NSA. Doss spoke to The Register about her concerns with pervasive data collection and its potential for harm. Explaining why she wrote the newly published book, Doss said: "I spent years immersed in and I was constantly discovering new areas of data collection, new ways in which data is being used, new concerns for individuals, and I thought, you shouldn't have to be a data expert to understand these things."