How CIA betrayed informants with shoddy front websites built for covert comms
2022-09-29 23:03

For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities. So poorly were these 885 front websites designed, according to security research group Citizen Lab and Reuters, that they betrayed those using them to spy for the CIA. Citing a year-long investigation into the CIA's handling of its informants, Reuters on Thursday reported that Iranian engineer Gholamreza Hosseini had been identified as a spy by Iranian intelligence, thanks to CIA negligence.

New Microsoft Exchange zero-days actively exploited in attacks
2022-09-29 21:52

Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks. The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

New Microsoft Exchange zero-days reportedly exploited in attacks
2022-09-29 21:52

Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks. Microsoft hasn't disclosed any information regarding the two security flaws so far and is yet to assign a CVE ID to track them.

New Chaos malware spreads over multiple architectures
2022-09-29 21:37

Chaos, in addition to being able to work on multiple platforms, has also been designed to use known vulnerabilities and brute-force SSH. Lumen researchers assess that Chaos is an evolution from the DDoS malware Kaiji based on code and function overlaps.

Pentagon is far too tight with its security bug bounties
2022-09-29 21:27

According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. The Pentagon didn't say how many bug hunters received rewards, or how much they each earned.

Hacking group hides backdoor malware inside Windows logo image
2022-09-29 21:14

Security researchers have discovered a malicious campaign by the 'Witchetty' hacking group, which uses steganography to hide a backdoor malware in a Windows logo. The group is also considered part of the TA410 operatives, previously linked to attacks against U.S. energy providers.

Few women hold cybersecurity leadership positions
2022-09-29 20:52

Women comprised only 17% of Fortune 500 CISO positions in 2021, according to a new report from the Accenture Cybersecurity Forum Women's Council. Some 43% of respondents rated professional risk as a "Very" or "Most important" factor in declining a CISO or CSO position.

Fired admin cripples former employer's network using old credentials
2022-09-29 20:45

After being laid off, an IT system administrator disrupted the operations of his former employer, a high-profile financial company in Hawaii, hoping to get his job back. Casey K. Umetsu, aged 40, worked as a network admin for the company between 2017 and 2019, when his employer terminated his contract.

S3 Ep102: How to avoid a data breach [Audio + Transcript]
2022-09-29 18:45

All of it I've never spent more than 10 seconds authorising myself to get into something when multifactor has popped up, and I can spare 10 seconds for the safety and security of not just my company's data, but our employees' and our customers' data.

CHET. Well, the precise law in the United States, the Computer Fraud and Abuse Act, is very specific about the fact that you're breaching that Act when you exceed your authority or you have unauthorised access to a system.