Security News > 2024 > January

The number of public-facing installs of Jenkins servers vulnerable to a recently disclosed critical vulnerability is in the tens of thousands. Trailing them are India, Germany, Republic of Korea, France, and the UK. The revelation of the vast attack surface comes days after multiple exploits were made public on January 26 - themselves released just two days after the coordinated disclosure from Jenkins and Yaniv Nizry, the researcher at Sonar who first discovered the vulnerability.

A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware. The Federal Police of Brazil said it served five temporary arrest...

Enforcing a password policy that helps end-users create stronger passwords and blocks the use of weak and common phrases will make it more difficult for hackers. Specops data shows that 83% of compromised passwords satisfied both length and complexity requirements of regulatory password standards.

GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating...

New York Attorney General Letitia James sued Citibank over its failure to defend customers against hacks and scams and refusing to reimburse victims after allowing fraudsters to steal millions from their accounts. The complaint claims that because it's providing online and mobile banking options for wire transfers, Citibank should also compensate fraud victims, akin to the protections afforded to victims of electronic credit or debit card fraud under the same legislation.

The Federal Police of Brazil and cybersecurity researchers have disrupted the Grandoreiro banking malware operation, which has been targeting Spanish-speaking countries with financial fraud since 2017. The operation was supported by ESET, Interpol, the National Police in Spain, and Caixa Bank, all providing critical data leading to identifying and arresting individuals controlling the malware's infrastructure.

The four vulnerabilities reported to Juniper Networks by watchTowr researcher Aliz Hammond, which were later found to be missing individual CVEs, have now each been disclosed separately, per an out-of-cycle security advisory. Despite submitting four vulnerability reports in total, Juniper credited watchTowr with the discovery of just two.

The China-based threat actor known as Mustang Panda is suspected to have targeted Myanmar's Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and...

It finally admitted to buying bulk data on Americans from data brokers, in response to a query by Senator Weyden. This is almost certainly illegal, although the NSA maintains that it is legal until it's told otherwise.

Less than two weeks after having plugged a security hole that allows account takeover without user interaction, GitLab Inc. has patched a critical vulnerability in GitLab CE/EE again and is urging users to update their installations immediately.GitLab Inc. operates GitLab.com and develops GitLab Community Edition and Enterprise Edition, a widely used software development platform with built-in version control, issue tracking, code review, etc.