Security News > 2021 > June

Cisco's Talos threat intelligence and research unit on Wednesday disclosed the details of several SMB-related vulnerabilities patched recently by Apple in its macOS operating system. Apple's own SMB stack is called SMBX. Talos disclosed seven vulnerabilities found in SMBX server components and also detailed the process it used to identify them.

Phishing emails try to entrap people by pushing subjects designed to exploit their fears, interests, anxieties and curiosity. For its latest research, GreatHorn discovered that phishing attacks are increasingly using X-rated material in emails aimed at corporate employees.

More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns. Fancy Product Designer is a premium plugin for online stores that provides users with the ability to customize products with images and PDF files uploaded from various devices.

This week, a Trustwave security researcher disclosed a privilege escalation flaw in Huawei's USB LTE dongles. Huawei LTE driver autoruns with maximum permissions.

An astonishing data security blunder saw the personal data of Special Forces soldiers circulating around WhatsApp in a leaked British Army spreadsheet. The document, seen by The Register, contained details of all 1,182 British soldiers recently promoted from corporal to sergeant - including those in sensitive units such as the Special Air Service, Special Boat Service and the Special Reconnaissance Regiment.

The New York Times has a long story on the DarkSide ransomware gang. A glimpse into DarkSide's secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millions of dollars in ransom payments each month.

Even with the best defenses, some malicious emails are invariably going to bypass your security and reach the inboxes of your users. In a report published Tuesday, security firm Barracuda Networks looks at how malicious messages evade security detection and what you can do to stop them.

Exploit acquisition firm Zerodium on Tuesday announced that it is offering $100,000 for severe vulnerabilities in Pidgin for Windows and Linux. On June 1, Zerodium announced that, until August 31, it will be accepting the submission of exploits for unpatched vulnerabilities that affect the latest version of Pidgin on Windows and/or Linux.

The Department of Justice has charged a woman in Rhode Island in a phishing campaign against candidates for political office and related associates that impersonated various individuals-including campaign workers and the Microsoft security team-in an attempt to trick victims into providing account credentials. The U.S. Attorney's Office for the District of Massachusetts has charged Diana Lebeau, 21, of Cranston, R.I., with "Attempted unauthorized access to a protected computer," according to a press release from the DoJ. The charge relates to a phishing campaign Lebeau allegedly mounted beginning in January 2020 against about 22 campaign staffers for an unnamed candidate for political office, as well as another political candidate-also not identified-and related associates, according to the DoJ. Assistant U.S. Attorney Seth Kosto is prosecuting the case.

A high-severity vulnerability discovered recently in an open source library named Lasso has been found to impact products from Cisco and Akamai, as well as Linux distributions. The vulnerability, tracked as CVE-2021-28091, was initially reported to Akamai as it was discovered in the company's Enterprise Application Access product, which uses Lasso to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity providers.