Security News > 2023 > May

A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera apps, and smartphone wallpaper packs.

Microsoft reiterated in a blog that Windows 10 22H2 is the final feature version of Windows 10 and that all editions will receive security updates through October 14, 2025. They've since followed up with Extended Stable channel update 112.0.5615.179 for Windows and Mac, as well as a Stable Channel Update for Desktop 113 for Windows, Mac and Linux.

Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices. The company credited Catalpa of DBappSecurity for reporting the shortcoming.

Satori released Universal Data Permissions Scanner, a free, open-source tool that enables companies to understand which employees have access to what data, reducing the risks associated with overprivileged or unauthorized users and streamlining compliance reporting. The Universal Data Permissions Scanner simplifies the complexity associated with authorization.

Cyber-risk levels have improved from "Elevated" to "Moderate" for the first time, but insiders represent a persistent threat for global organizations, according to Trend Micro. Jon Clay, VP of threat intelligence at Trend Micro: "For the first time since we've been running these surveys, we saw the global cyber risk index not only improve but move into positive territory at +0.01. It means that organizations may be taking steps to improve their cyber-preparedness. There is still much to be done, as employees remain a source of risk. The first step to managing this is to gain complete and continuous attack surface visibility and control."

Identity theft can lead to a nightmare of events, from scammers ruining people's credit scores, to selling their information on the dark web, and even impersonating people to pass background checks. "If you think your data has no value then why would scammers spend so much time trying to steal your data if it's worthless? The truth is that anyone can be affected and it is important to stay vigilant and use proper protection," said Jakub Kroustek, Avast Malware Research Director.

The National Computer Virus Emergency Response Center of China and local infosec outfit 360 Total Security have conducted an investigation called "The Matrix" that found the CIA conducts offensive cyber ops, and labelled the United States an "Empire of Hacking". The two orgs have been good enough to publish the first part of their work, titled Empire of Hacking: The US Central Intelligence Agency - Part I. The document doesn't offer much new info, leaning heavily on the 2017 infodump from WikiLeaks that detailed the "Vault7" trove of exploits the CIA uses to spy on computers, smart TVs, WhatsApp and just about any other device or service you might use.

Joe Sullivan won't serve any serious time behind bars for his role in covering up Uber's 2016 computer security breach and trying to pass off a ransom payment as a bug bounty. A San Francisco judge on Thursday sentenced the app maker's now-former chief security officer to three years of probation plus 200 hours of community service, despite prosecutors' pleas to throw Sullivan in the cooler.

The North Korean Kimsuky hacking group has been observed employing a new version of its reconnaissance malware, now called 'ReconShark,' in a cyberespionage campaign with a global reach. Previously, in August 2022, Kaspersky revealed another Kimsuky campaign targeting politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme that ensured only valid targets would be infected with malicious payloads.

Google Account holders can now use passkeys instead of passwords to log in, Google announced in a security blog post on Wednesday. The passkey is shared with Google websites and apps, but not beyond them.