Internet 'spy system' delayed because nation can't get the equipment
2022-02-16 03:45

The government of Cambodia has delayed implementation of its National Internet Gateway, because it is yet to acquire the equipment needed to operate the service. The Gateway was announced in February 2021 and quickly attracted criticism on the basis its enabling legislation gives the regime - which has banned opposition parties from contesting elections - the power to force all internet traffic to or from the country, and within its borders, to pass through the Gateway.

High-Severity RCE Security Bug Reported in Apache Cassandra Database Software
2022-02-16 03:20

Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations. "This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra," Omer Kaspi, security researcher at DevOps firm JFrog, said in a technical write-up published Tuesday.

EU Data Protection Watchdog Calls for Ban on Pegasus-like Commercial Spyware
2022-02-16 00:55

The European Union's data protection authority on Tuesday called for a ban on the development and use of Pegasus-like commercial spyware in the region, calling out the technology's "unprecedented level of intrusiveness" that could endanger users' right to privacy. "Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy," the European Data Protection Supervisor said in its preliminary remarks.

Guide for comparison of cloud security solutions (German)
2022-02-16 00:00

In 2021, securing your network is more challenging than ever - you need to secure users, devices, apps, and data at the point of access, working at the cloud edge to deliver protection and performance. Your choice of cloud security platform and partner is key, as it will serve as a foundation for the way you grow and evolve to meet new challenges - for example, meeting the new standards defined by Gartner as part of their forward-thinking secure access service edge architecture.

CISA tells federal agencies to patch actively exploited Chrome, Magento bugs
2022-02-15 22:59

The US Cybersecurity and Infrastructure Security Agency has added nine new flaws to its catalog of actively exploited vulnerabilities, including two recently patched zero-days impacting Google Chrome and Adobe Commerce/Magento Open Source. The Chrome vulnerability is a high-severity use-after-free bug that can let attackers execute arbitrary code or escape the browser's security sandbox on computers running unpatched Chrome versions; it is addressed in Chrome 98.0.4758.102.

SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming
2022-02-15 22:31

SquirrelWaffle - the newish malware loader that first showed up in September - once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of hijacking email threads. In a Tuesday post, Sophos analysts Matthew Everts and Stephen McNally said that, in typical SquirrelWaffle attacks - which entail the threat actors walking through holes left by the unpatched, notorious, oft-picked-apart ProxyLogon and ProxyShell Exchange server vulnerabilities - the attack ends when those holes finally get patched, removing the attacker's ability to send emails through the server.

Journalist won't be prosecuted for pressing 'view source'
2022-02-15 21:57

A reporter who faced potential hacking charges for viewing website source code in his browser can rest easier now that Missouri officials have decided not to prosecute him. After Renaud filed a story to this effect, Missouri Governor Mike Parson said the state would investigate and explore legal options, and claimed the incident might cost the US state's taxpayers as much as $50m. "Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators," said Parson in an October press conference.

Google almost doubles Linux Kernel, Kubernetes zero-day rewards
2022-02-15 20:38

Google says it bumped up rewards for reports of Linux Kernel, Kubernetes, Google Kubernetes Engine, or kCTF vulnerabilities by adding bigger bonuses for zero-day bugs and exploits using unique exploitation techniques. "We increased our rewards because we recognized that in order to attract the attention of the community we needed to match our rewards to their expectations," Google Vulnerability Matchmaker Eduardo Vela explained.

Facebook Agrees to Pay $90 Million to Settle Decade-Old Privacy Violation Case
2022-02-15 20:32

Meta Platforms has agreed to pay $90 million to settle a lawsuit over the company's use of cookies to allegedly track Facebook users' internet activity even after they had logged off from the platform. The social media company will be required to delete all of the data it illegally collected from those users.