Security News > 2020 > October

The CISO’s Guide to Third-Party Security Management provides the instructions you need to make your organization’s third-party security program effective and scalable. In particular, it covers how...

Venafi announced the debut of Venafi Zero Touch PKI, a cloud-based, turnkey solution that delivers no-touch, fully automated modern PKI. With Venafi Zero Touch PKI, users can eliminate the effort, expense and risk of traditional PKI, while still providing the speed and control enterprises need to be successful. "Venafi Zero Touch PKI is a breakthrough for enterprises, which have had limited options from small providers that require expensive consultants to host antiquated CA software. Customers want fast, modern, easy solutions, and now they have one. With Venafi Zero Touch PKI, companies get a next-generation service that delivers immediate value with increased security."

Cybersecurity researchers have spotted a rare kind of potentially dangerous malware that targets a machine's booting process to drop persistent malware. The campaign involved the use of a compromised UEFI containing a malicious implant, making it the second known public case where a UEFI rootkit has been used in the wild.

APIsec provides a 100% automated and continuous API security testing platform that eliminates the need for expensive, infrequent, manual pen-testing. "Our customers love the comprehensive security test coverage APIsec provides out of the box, and they wanted to stop hiring expensive, time-consuming outside firms for penetration testing reports," said Intesar Shannan Mohammed, CTO of APIsec.

Tenable announced new Tenable Lumin innovations that empower customers to align business objectives with cybersecurity initiatives. The latest enhancements to the Cyber Exposure Management Platform enable organizations to predict which vulnerabilities pose the greatest business risk and act with confidence to effectively reduce risk across their modern, distributed environments.

The Company will use the investment to further extend the company's leadership position within the SaaS management platform market by investing in product innovation and expanding its global network of enterprise clients, international resellers, and managed service providers. CoreView has already gained significant traction in the market, having increased year-over-year revenue 173% in 2019, grown its total number of users under management to more than five million, and earned a Microsoft Gold Partner certification.

Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, opens the door to site takeovers, according to researchers. The upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator's session information - all of which are paths to complete takeover of a site.

Russian antivirus maker Kaspersky has said it uncovered "Rogue UEFI firmware images" seemingly developed by black hats with links to China. The firm explained that UEFI firmware is "Typically shipped within SPI flash storage that is soldered to the computer's motherboard", and thus any malware injected into it is "Resistant to OS reinstallation or replacement of the hard drive." The technique shot to public prominence in 2015 when malware-for-governments purveyor Hacking Team was itself hacked, with details of its firmware-level spyware becoming public knowledge.

What TeamTNT plans to do with the saved passwords and additional capabilities is still unclear, but the development signals that the group doesn't plan to slow down anytime soon. In August, TeamTNT was identified by researchers as the first cryptojacking group to specifically target AWS. With increasingly sophisticated TTPs, the cybercriminal gang appears to be gaining steady momentum.

We do a show on Facebook every week in our Naked Security Live video series, where we discuss one of the big security concerns of the week. For those of you who [a] don't use Facebook, [b] had buffering problems while we were live, [c] would like subtitles, or [d] simply want to catch up later, we also upload the recorded videos to our YouTube channel.