Security News > 2022 > June

Connectivity is soaring and digital transformation is accelerating, making it critical for the technology community, governments and corporate boardrooms to invest in digital trust. As digital transformation has continued to accelerate, digital trust has become an essential requirement of online operations.

ShiftLeft released its second annual AppSec Progress Report documenting critical trends in application security and how organizations are shifting security left to deal with the ever-rising volume of attacks and disclosed vulnerabilities. By identifying and prioritizing OSS vulns that are actually attackable, AppSec teams and developers fix what matters, ship code faster and actually improve security with fewer, better fixes.

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office routers as part of a sophisticated campaign targeting North American and European networks. The malware "Grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold," researchers from Lumen Black Lotus Labs said in a report shared with The Hacker News.

The FTC has sued Walmart, claiming it turned a blind eye to fraudsters using its money transfer services to con folks out of "Hundreds of millions of dollars." The FTC wants the courts to order Walmart to return the money to victims and make the corporation cough up penalties for, in the regulator's view, breaking the FTC Act and Telemarketing and Consumer Fraud and Abuse Prevention Act.

Microsoft has released the optional KB5014666 Preview cumulative update for Windows 10 20H2, Windows 10 21H1, and Windows 10 21H2. This update includes numerous bug fixes and new, unexpected printing features. The KB5014666 cumulative update preview is part of Microsoft's June 2022 monthly "C" update, allowing admins to test fixes in the July 2022 Patch Tuesday.

A report commissioned by the Pentagon concluded that the blockchain is not decentralized, is vulnerable to attacks and is running outdated software. The report, "Are Blockchains Decentralized, Unintended Centralities in Distributed Ledgers", uncovered that a subset of participants can "Exert excessive and centralized control over the entire blockchain system."

The Evilnum hacking group is showing renewed signs of malicious activity, targeting European organizations that are involved in international migration. Evilnum is an APT that has been active since at least 2018 and had its campaign and tools exposed only recently, in 2020.

Mozilla Firefox 102 was released today with a new privacy feature that strips parameters from URLs that are used to track you around the web. Numerous companies, including Facebook, Marketo, Olytics, and HubSpot, utilize custom URL query parameters to track clicks on links.

Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. "During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," the company said.