Security News > 2021 > January

Two vulnerabilities in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website. Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities.

The Reserve Bank of New Zealand - Te Pūtea Matua - says Accellion's FTA file sharing service was involved in a security incident disclosed on Sunday. The malicious incident, the bank said, involved a service that stored commercially and personally sensitive information, but could not provide specific details on the type of data that might have been accessed.

The EMA is an agency of the European Union in charge of the evaluation and supervision of medicinal products in the E.U, similar to the FDA in the U.S. In December, the agency disclosed that threat actors broke into its server and accessed documentation about the vaccine from Pfizer and BioNTech. Specifically accessed were some documents relating to the regulatory submission for the companies' COVID-19 vaccine candidate, BNT162b2, which was stored on the EMA server, a Pfizer spokesperson confirmed to Threatpost.

The number of federal agencies and private companies who learn that they have been affected by a massive Russian hack is expected to grow as the investigation into it continues, the U.S. government's chief counterintelligence official said Tuesday. The FBI and other agencies last week attributed the intrusions to Russia as part of what officials described as an intelligence-gathering operation rather than an effort to damage or disrupt U.S. government operations.

Now patched, the exploits took advantage of bugs in Windows, Chrome, and older versions of Android though watering hole attacks, says Google. In a series of blog posts published Tuesday, Google revealed that it discovered two malicious servers set to deliver different exploit campaigns through watering hole attacks.

Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against Windows and Android platforms. Working together, researchers from Google Project Zero and the Google Threat Analysis Group uncovered the attacks, which were "Performed by a highly sophisticated actor," Ryan from Project Zero wrote in the first of a six-part blog series on their research.

The US Cybersecurity and Infrastructure Security Agency said today that threat actors bypassed multi-factor authentication authentication protocols to compromise cloud service accounts. While threat actors tried gaining access to some of their targets' cloud assets via brute force attacks, they failed due to their inability to guess the correct credentials or because the attacked organization had MFA authentication enabled.

Adobe Flash Player is officially non-functional, and it's time to uninstall the program once and for all. When Adobe released their final version of Flash Player in December, they also announced that recent versions of the software include a kill switch that prevents Flash Player from loading Flash content starting on January 12th, 2021.

Israeli IoT security start-up Vdoo announced on Wednesday that it has extended its Series B funding round to $57 million, bringing the total amount raised by the company to $70 million. The company's solutions are designed to help manufacturers of IoT devices identify and mitigate security risks.

With default passwords set up by someone else, you can never be sure how many other accounts were set up with the same password, or how many other people have access to the list of defaults that were chosen. A prerequisite for secure home studying is a secure device.