Kmart, Latest Victim of Egregor Ransomware – Report
2020-12-03 22:04

Retail stalwart Kmart has suffered a ransomware attack at the hands of the Egregor gang, according to a report. "There is never a good time for a ransomware attack, but the run up to the Christmas shopping period is a bad time for Kmart to be hit. My advice to CISOs: add 'P.S. Please give me some cybersecurity awareness training budget' to your Dear Santa letter, and hope that he comes early this year."

Several Unpatched Popular Android Apps Put Millions of Users at Risk of Hacking
2020-12-03 21:06

A number of high-profile Android apps are still using an unpatched version of Google's widely used app update library, potentially putting the personal data of hundreds of millions of smartphone users at risk of hacking. Although Google addressed the vulnerability in March, new findings from Check Point Research show that many third-party app developers have yet to integrate the new Play Core library into their apps to mitigate the threat fully.

Phishing campaign threatens coronavirus vaccine supply chain
2020-12-03 20:47

The emails impersonate a member company of the COVID-19 vaccine supply chain to harvest account credentials, says IBM Security X-Force. A calculated cybercriminal operation is targeting companies in the coronavirus vaccine supply chain with phishing emails that appear to be designed to steal sensitive user credentials, IBM Security X-Force said in a report released Thursday.

S3 Ep9: Gift card hacks, dubious doorbells and Wi-Fi tips [Podcast]
2020-12-03 19:18

In this episode: we look at a network intrusion where the crooks tried to take over dozens of different online accounts from every user, we discuss the potential dangers of digital doorbells, and we give you some handy hints for improving your wireless security at home.

6 security predictions that will impact healthcare in 2021
2020-12-03 19:01

2021 is likely to see more of the same with a variety of threats and vulnerabilities affecting the healthcare industry. In a report released on Wednesday, security firm Kaspersky offers six predictions that will impact healthcare providers next year.

TrickBot Returns with a Vengeance, Sporting Rare Bootkit Functions
2020-12-03 18:58

According to collaborative research from Advanced Intelligence and Eclypsium, the additional TrickBot functionality, which they call "TrickBoot," checks devices for known vulnerabilities that can allow attackers to read, write or erase the UEFI/BIOS firmware of a device. In October, a rare firmware bootkit was spotted being used to target diplomats and members of non-governmental organizations from Africa, Asia and Europe.

GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix
2020-12-03 18:47

Developers often need years to address some of the vulnerabilities introduced in their software, a new GitHub report reveals. The report, which is based on the analysis of more than 45,000 active repositories, shows that it typically takes seven years to address vulnerabilities in Ruby, while those in npm are usually patched in five years.

Dell Announces New Supply Chain Security Offerings
2020-12-03 18:32

Dell Technologies on Thursday announced new security offerings designed to address threats targeting the supply chain, a device's boot process, and sensitive data. For supply chain security, Dell unveiled SafeSupply Chain solutions.

Crooks posing as COVID-19 'cold chain' company phished EU for vaccine intel, says IBM
2020-12-03 18:05

An unidentified group of malicious sorts impersonated a so-called "cold chain" company involved in COVID-19 vaccine distribution networks and then targeted an EU governmental agency, according to IBM. Infosec researchers from Big Blue's X-Force threat intelligence unit "uncovered targets across multiple industries, governments and global partners" involved in setting up the vaccine cold chain, it said in a blog post today. The phishing campaign's operators reportedly posed as an executive from the Chinese arm of Haier Biomedical, a business IBM described as "a credible and legitimate member company of the COVID-19 vaccine supply chain and qualified supplier for the CCEOP program."

Open Source Does Not Equal Secure
2020-12-03 17:21

GitHub launched a deep-dive into the state of open source security, comparing information gathered from the organization's dependency security features and the six package ecosystems supported on the platform across October 1, 2019, to September 30, 2020, and October 1, 2018, to September 30, 2019. In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average.