
Zyxel Releases Patches for Critical Bug Affecting Business Firewall and VPN Devices
2022-03-31 23:02

Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its business firewall and VPN products that could enable an attacker to take control of the devices. "An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions," the company said in an advisory published this week.

Phishing uses Azure Static Web Pages to impersonate Microsoft
2022-03-31 22:28

Phishing attacks are abusing Microsoft Azure's Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. Azure Static Web Apps is a Microsoft service that helps build and deploy full-stack web apps to Azure from GitHub or Azure DevOps code repositories.

Apple emits macOS, iOS, iPadOS patches for 'exploited' security bugs
2022-03-31 21:35

Apple has released updates for its mobile and desktop operating systems to patch security holes that may well have been exploited in the wild. On Thursday, the iPhone giant issued macOS Monterey 12.3.1; iOS 15.4.1 and iPadOS 15.4.1; tvOS 15.4.1; and watchOS 8.5.1 to address vulnerabilities in its software.

Two different “VMware Spring” bugs at large – we cut through the confusion
2022-03-31 20:59

The CVE-2022-22963 bug exists in a Spring component called Spring Cloud Function, which is an optional module that you can use inside the Spring ecosystem to write your Spring code in what's known as a "Functional" style, where you strip back the code needed for data processing to a minimum. Patching against the CVE-2022-22963 bug is easy: if you use the Spring Cloud Function module anywhere in your Spring-based ecosystem, upgrade to version 3.1.7 or 3.2.3, depending on which of the two officially supported branches of Spring Cloud Function you have.

Apple and Meta shared data with child hackers pretending to be law enforcement
2022-03-31 20:02

It was revealed on March 30 that both Apple and Facebook's parent company, Meta, were duped by child hackers impersonating law enforcement officers last year, according to a report from Bloomberg.

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices
2022-03-31 19:54

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild. Both vulnerabilities were reported to Apple anonymously.

CISA orders agencies to patch actively exploited Sophos firewall bug
2022-03-31 19:46

The Cybersecurity and Infrastructure Security Agency on Thursday ordered federal civilian agencies to patch a critical Sophos firewall bug and seven other vulnerabilities within the next three weeks, all exploited in ongoing attacks. CISA also ordered federal agencies to patch a high severity arbitrary file upload vulnerability in the Trend Micro Apex Central product management console that can be abused in remote code execution attacks.

New BlackGuard password-stealing malware sold on hacker forums
2022-03-31 19:30

A new information-stealing malware named BlackGuard is winning the attention of the cybercrime community, now sold on numerous darknet markets and forums for a lifetime price of $700 or a subscription of $200 per month. BlackGuard's evasion capabilities are still under heavy development, but some systems are already in place to help the malware escape detection and analysis.

Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds
2022-03-31 19:23

Three security vulnerabilities have been disclosed in the popular Wyze Cam devices that allow malicious actors to execute arbitrary code and access camera feeds, as well as read the SD cards without authorization, the latter of which remained unresolved for nearly three years after the initial discovery. The security flaws relate to an authentication bypass, a remote code execution bug stemming from a stack-based buffer overflow, and a case of unauthenticated access to the contents of the SD card.

IT Firm Globant Confirms Breach after LAPSUS$ Leaks 70GB of Data
2022-03-31 19:23

The LAPSUS$ data extortion gang announced their return on Telegram after a week-long "Vacation," leaking what they claim is data from software services company Globant. "We are officially back from a vacation," the group wrote on their Telegram channel, which has nearly 54,000 members as of writing, posting images of extracted data and credentials belonging to the company's DevOps infrastructure.