Misery of Ransomware Hits Hospitals the Hardest
2020-12-10 12:44

Despite hospitals being on the front lines during the pandemic, bad actors have continued to target them with ransomware. Incidents of ransomware attacks against hospitals skyrocketed in October.

Windows Kerberos Bronze Bit attack gets public exploit, patch now
2020-12-10 12:08

Proof-of-concept exploit code and full details on a Windows Kerberos security bypass vulnerability were published earlier this week by Jake Karnes, the NetSPI security consultant and penetration tester who reported the security bug to Microsoft. The security bug, tracked as CVE-2020-17049 and patched by Microsoft during November 2020's Patch Tuesday, can be exploited in what the researcher has named Kerberos Bronze Bit attacks.

Vaccine Documents Hacked as West Grapples With Virus Surge
2020-12-10 11:42

Documents related to the Pfizer coronavirus vaccine were illegally accessed during a cyberattack at the EU regulator, the company said Wednesday, as Germany and other northern hemisphere countries grappled with a winter surge in the pandemic. While the EMA did not give details on the attack, Pfizer and BioNTech said documents relating to their vaccine candidate had been accessed, but that "No systems have been breached in connection with this incident."

Cybersecurity Agencies Warn of High-Severity OpenSSL Vulnerability
2020-12-10 11:02

Computer emergency response teams and other cybersecurity agencies around the world have released alerts and advisories for a recently disclosed denial-of-service vulnerability affecting OpenSSL, and vendors have started assessing the impact of the flaw on their products. The OpenSSL Project announced this week that OpenSSL 1.1.1i fixes a high-severity vulnerability that can be exploited for remote DoS attacks.

Critical Steam Flaws Could Let Gamers Crash Opponents’ Computers
2020-12-10 11:00

Valve fixed critical bugs in its Steam gaming client, which is a platform for popular video games like Counter Strike: Global Offensive, Dota2 and Half Life. Game developer Valve has fixed four critical bugs in its popular Steam online game platform.

Cisco fixes new Jabber for Windows critical code execution bug
2020-12-10 11:00

Cisco has addressed a new critical severity remote code execution vulnerability affecting several versions of Cisco Jabber for Windows, macOS, and mobile platforms after patching a related security bug in September. Cisco released security updates in September to address a critical RCE security vulnerability tracked as CVE-2020-3495 stemming from a Cross-Site Scripting bug in Cisco Jabber.

UK Ministry of Defence: We won't prosecute bug bounty hunters – oh btw, we now have one of those
2020-12-10 10:28

The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script. The MoD has joined forces with bug bounty platform HackerOne, with the scheme seemingly being aimed at those who probe external web-facing parts of the ministry's sprawling digital estate.

Hackers can use WinZip insecure server connection to drop malware
2020-12-10 09:47

The server-client communication in certain versions of the WinZip file compression tool is insecure and could be modified to serve malware or fraudulent content to users. WinZip has been a long-standing utility for Windows users with file archiving needs beyond the support built into the operating system.

Teen who shook the Internet in 2016 pleads guilty to DDoS attacks
2020-12-10 09:24

One of the operators behind a Mirai botnet pleaded guilty to their involvement in a huge DDoS attack that caused a massive Internet disruption during October 2016. The botnet, a variant of the Mirai botnet, was developed by the defendant with the help of others from roughly 2015 until November 2016, specifically to target gaming platforms in DDoS attacks.

Cisco Reissues Patches for Critical Bugs in Jabber Video Conferencing Software
2020-12-10 08:37

Cisco has once again fixed four previously disclosed critical bugs in its Jabber video conferencing and messaging app that were inadequately addressed, leaving its users susceptible to remote attacks. The new flaws, which were uncovered after one of its clients requested a verification audit of the patch, affect all currently supported versions of the Cisco Jabber client.