
Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack
2022-01-05 20:16

Threat actors leveraged a cloud video hosting service to carry out a supply chain attack on more than 100 real estate websites operated by Sotheby's Realty that involved injecting malicious skimmers to steal sensitive personal information. "The attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well," Palo Alto Networks' Unit 42 researchers said in a report published this week.

Researchers Uncover Hacker Group Behind Organized Financial-Theft Operation
2022-01-05 20:15

Cybersecurity researchers have taken the wraps off an organized financial-theft operation undertaken by a discreet actor to target transaction processing systems and siphon funds from entities primarily located in Latin America for at least four years. The malicious hacking group has been codenamed Elephant Beetle by Israeli incident response firm Sygnia, with the intrusions aimed at banks and retail companies by injecting fraudulent transactions among benign activity to slip under the radar after an extensive study of the targets' financial structures.

FTC threatens “legal action” over unpatched Log4j and other vulns
2022-01-05 19:37

It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action. The FTC's brief but blunt warning makes an example of the infamous Equifax breach of 2017, where the US credit reporting behemoth was compromised via an unpatched Apache Struts vulnerability with the unassuming bug identifier CVE-2017-5638.

US Army journal's top paper from 2021 says Taiwan should destroy TSMC if China invades
2022-01-05 19:01

A top US Army War College paper suggests Taiwan should credibly threaten to eradicate, or eradicate, its semiconductor industry if threatened by China so that Beijing would no longer be interested in unification. The US Army War College showed the paper was its most popular of the year, when it revealed it topped a list of the most downloaded papers of 2021 from its quarterly academic journal Parameters.

FTC to Go After Companies that Ignore Log4j
2022-01-05 19:00

The Federal Trade Commission will muster its legal muscle to pursue companies and vendors that fail to protect consumer data from the risks of the Log4j vulnerabilities, it warned on Tuesday. "The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," according to the warning.

NY OAG: Hackers stole 1.1 million customer accounts from 17 companies
2022-01-05 17:42

The New York State Office of the Attorney General has warned 17 well-known companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks. NY OAG discovered these compromised online accounts after a "sweeping investigation" over several months after monitoring multiple online communities dedicated to sharing validated credentials harvested in previously undetected credential stuffing attacks.

MalSmoke attack: Zloader malware exploits Microsoft's signature verification to steal sensitive data
2022-01-05 17:05

A new malware campaign is taking advantage of a vulnerability in the way Microsoft digitally signs a specific file type. As described on Wednesday by cyber threat intelligence firm Check Point Research, an attack using the infamous Zloader banking malware aims to steal account credentials and other private data and has already infected 2,170 unique machines that downloaded the malicious DLL file involved in the exploit.

Crypto platform ARBIX flagged as a rugpull, transfers $10 million
2022-01-05 16:55

Arbix Finance, an audited and supposedly trustworthy yield farming platform, has been flagged as a 'rugpull,' deleting its site, Twitter, and Telegram channel and transferring $10 million worth of deposited cryptocurrency. Rugpulls, otherwise known as "exit scams," are when pseudo-anonymous platforms or cryptocurrencies are created with the ultimate goal of collecting funds for an allegedly legitimate "service" and then disappearing with the deposited funds.

Behind the scenes: A day in the life of a cybersecurity curriculum director
2022-01-05 16:39

The Kennedy Space Center kick-started Andee Harston's career in cybersecurity. Here's how she worked her way up to overseeing the cybersecurity curriculum for Infosec.

Remember Norton 360's bundled cryptominer? Irritated folk realise Ethereum crafter is tricky to delete
2022-01-05 15:56

Norton antivirus's inbuilt cryptominer has re-entered the public consciousness after a random Twitter bod expressed annoyance at how difficult it is to uninstall. Exe, Norton 360's signed cryptocurrency-mining binary, to installations of Norton antivirus isn't new - but it seems to have taken the non-techie world a few months to realise what's going on.