‘Hack DHS’ bug bounty program expands to Log4j security flaws
2021-12-22 20:30

The Department of Homeland Security has announced that the 'Hack DHS' program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities. The 'Hack DHS' bug bounty program was announced last week.

Plundered bitcoins recovered by FBI – all 3,879-and-one-sixth of them!
2021-12-22 19:57

The victim in this case was the Sony Life Insurance Company Limited, which was allegedly defrauded of this enormous sum in an audacious internal scam that was apparently pulled off by a single employee. The US Department of Justice claims that a certain Mr Rei Ishii conducted a classic "Send funds to a different account" scam.

Rideshare account hacker faces up to 22 years in prison
2021-12-22 19:51

A man pleaded guilty to fraudulently opening rideshare and delivery service accounts using stolen identity information sold on dark web marketplaces. The man is believed to be a leading actor of an 18-member team who stole identities and falsified documents to create false rideshare and delivery service accounts and then sold or rented them to other individuals.

Microsoft Azure App Service flaw exposed customer source code
2021-12-22 19:15

A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web apps, led to the exposure of PHP, Node, Python, Ruby, or Java customer source code deployed on Microsoft's cloud infrastructure. Only Azure App Service Linux customers were impacted by the issue discovered and reported by researchers at cloud security vendor Wiz.io, with IIS-based applications deployed by Azure App Service Windows customers not being affected.

Opera browser working on clipboard anti-hijacking feature
2021-12-22 19:00

The Opera browser team is working on a new clipboard monitoring and protection system called Paste Protection, which aims to prevent content hijacking and snooping. Opera introduced the new feature in development version 83, and Bleeping Computer has tested it on developer version 84, where it's still present.

PYSA Emerges as Top Ransomware Actor in November
2021-12-22 18:39

PYSA, also known as Mespinoza, has overtaken Conti as the top ransomware threat group for the month of November. According to NCC Group's November insights on the ransomware sector, PYSA increased its market share with a 50 percent rise in the number of targeted organizations, which includes a 400 percent spike in attacks against government-sector systems.

All in One SEO Plugin Bug Threatens 3M Websites with Takeovers
2021-12-22 18:24

An attacker with an account on the site - such as a subscriber, shopping account holder or member - can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri. Essentially, the plugin can send commands to various REST API endpoints, and it performs a permissions check to make sure no one's doing anything they're not allowed to do.

Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS
2021-12-22 17:59

Don't duck at the latest mention of Apache: Two critical bugs in its HTTP web server - HTTPD - need to be patched pronto, lest they lead to attackers triggering denial of service or bypassing your security policies. Both vulnerabilities are found in Apache HTTP Server 2.4.51 and earlier.

Microsoft Teams bug allowing phishing unpatched since March
2021-12-22 17:47

Microsoft said it won't fix or is delaying patches for several security flaws impacting the Microsoft Teams link preview feature reported since March 2021. Bräunlein reported the four flaws to the Microsoft Security Response Center, which investigates vulnerability reports concerning Microsoft products and services.

Dridex malware trolls employees with fake job termination emails
2021-12-22 17:15

A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season's greeting message. Dridex is a banking malware spread through malicious emails that was initially developed to steal online banking credentials.