Security News > 2021

Cybersecurity agencies from Australia, Canada, New Zealand, the U.S., and the U.K. on Wednesday released a joint advisory in response to widespread exploitation of multiple vulnerabilities in Apache's Log4j software library by nefarious adversaries. "Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. These vulnerabilities are likely to be exploited over an extended period."

A short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware. "The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report published Tuesday.

BlackTech cyber-espionage APT group has been spotted targeting Japanese companies using novel malware that researchers call 'Flagpro'. The threat actor uses Flagpro in the initial stage of an attack for network reconnaissance, to evaluate the target's environment, and to download second-stage malware and execute it.

The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea. The malware targets the 'Login Data' file found on all Chromium-based web browsers and is an SQLite database where usernames and passwords are saved.

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use it to log into their accounts from unknown locations. Reports of compromised LastPass master passwords are streaming in via multiple social media sites and online platforms, including Twitter, Reddit, and Hacker News.

Samsung's official Android app store, called the Galaxy Store, has had an infiltration of riskware apps that triggered multiple Play Protect warnings on people's devices. Scammers bet on the popularity of the pirate app, and indeed their cloned apps enjoyed a welcoming reception by the Samsung user community.

Many adults found it charming when Mattel upgraded its classic Fisher-Price Chatter telephone for its 60th anniversary in October with actual Bluetooth capabilities, so grownups, too, can use it - and for actual mobile phone calls. The bug in Fisher-Price Chatter with Bluetooth is similar to a problem with a children's toy called My Friend Cayla - which is both a child's doll and a Bluetooth headset - that a researchers from Pen Test Partners also identified.

If you're not certain whether your Java project is free from Log4j vulnerabilities, you should try this easy-to-use scanning tool immediately. Part of the problem is that Log4j is so deeply embedded in Java projects and dependencies that are used by quite a lot of tools.

As Chen tells it, the project manager tasked with coming up with a public product name for the Windows handheld OS was dead serious about the task. At the point when the project was dropped into his lap, the code name for the OS was Pegasus.

PECB offers the Certified Lead Ethical Hacker training course, which validates your ability to lawfully assess the security of a system, as well as identify and mitigate potential threats. The PECB Certified Lead Ethical Hacker exam comprises two parts: the practical exam and the report writing.