Security News > 2021 > December

Two Active Directory Bugs Lead to Easy Windows Domain Takeover
2021-12-21 16:46

A proof-of-concept tool has been published that leverages two Windows Active Directory bugs fixed last month that, when chained, can allow easy Windows domain takeover. Both vulnerabilities are described as "Windows Active Directory domain service privilege-escalation" bugs and are of high severity, with a CVSS criticality score of 7.5 out of 10.

How to visualise security and threat information in Microsoft Power BI
2021-12-21 16:17

Want a custom security dashboard to bring together data from multiple places? Microsoft Power BI can do that and help you spot what's changing. Obviously, you can use Microsoft Power BI to monitor Power BI usage, using the Power BI Admin APIs to track who is accessing data and visualisations and make sure it's only the people you expect to have access to what might be critical or confidential business information.

Garrett walk-through metal detectors can be remotely manipulated
2021-12-21 15:23

Two widely used walk-through metal detectors made by Garrett are vulnerable to many remotely exploitable flaws that could severely impair their functionality, thus rendering security checkpoints deficient. Garrett is a well-known US-based manufacturer of hand-held and walk-through metal detectors commonly deployed in security-critical environments such as sports venues, airports, banks, museums, ministries, and courthouses.

FBI: Another Zoho ManageEngine Zero-Day Under Active Attack
2021-12-21 14:42

Another Zoho ManageEngine zero-day vulnerability is under active attack from an APT group, this time looking to override legitimate functions of servers running ManageEngine Desktop Central and elevate privileges - with an ultimate goal of dropping malware onto organizations' networks, the FBI has warned. There is also evidence to support that it's being used in an attack chain with two other Zoho bugs that researchers have observed under attack since September, according to the alert.

F-Secure uses flaw in at-home COVID-19 test to fake results
2021-12-21 14:10

Security researchers found a vulnerability in a home test for COVID-19 that a bad actor could use to change test results from positive to negative or vice versa. Here's how the test works: A user downloads an app, answers a few screening questions, watches an informational video and then performs the test.

Windows 10 21H2 adds ransomware protection to security baseline
2021-12-21 13:06

Microsoft has released the final version of security configuration baseline settings for Windows 10, version 21H2, available today from the Microsoft Security Compliance Toolkit. The highlight of the new Windows 10 security baseline is the addition of tamper protection as a setting to enable by default.

Belgian defence ministry admits attackers accessed its computer network by exploiting Log4j vulnerability
2021-12-21 12:33

The Belgian Ministry of Defence has suffered a cyber attack after miscreants exploited one of the vulnerabilities in Log4j. The attack marks the first occasion that a NATO country's defence ministry has fallen victim to the flaws.

UK National Crime Agency finds 225 million previously unexposed passwords
2021-12-21 07:10

The US Attorney's Office of Massachusetts on Monday announced the extradition of Vladislav Klyushin, a Russian business executive with ties to the Kremlin, on charges of hacking US computer networks and committing securities fraud by trading on undisclosed financial data. Klyushin, 41, a resident of Moscow, Russia, was arrested in Sion, Switzerland on March 21, 2021, reportedly upon disembarking from his private jet while on vacation with his family.

Why the updated OWASP Top 10 list can’t be addressed by WAF?
2021-12-21 07:00

Note that the preliminary API risk factors published by OWASP are no longer aligned with the current challenges. To give you a rundown of what is going on with the latest OWASP list, we have launched our new whitepaper. OWASP added A04:2021-Insecure Design, focusing on risks related to design flaws.

6 top cybersecurity trends from 2021 and their impact on 2022
2021-12-21 07:00

According to the Identity Theft Resource Center, the total number of data breaches through September 2021 has already exceeded 2020 numbers by 17%. But beyond specific attacks, a variety of trends emerged and continued to gain strength in 2021. What we already know: Security and privacy use similar technologies to achieve objectives that are sometimes aligned, but sometimes opposed.