Security News

Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager product that remote attackers could use to run code with SYSTEM privileges. SolarWinds ARM is a tool that enables organizations to manage and audit user access rights across their IT environments.

Microsoft is extending Purview Audit log retention as promised after the Chinese Storm-0558 hacking group breached dozens of Exchange and Microsoft 365 corporate and government accounts in July.The changes to audit logging retention announced today will roll out to Microsoft Purview Audit customers with Standard licenses in the coming weeks, starting with enterprise tenants this month and government customers in November.

Chief audit executives have identified risk orientation, stakeholder management, and team leadership as the top three characteristics of the most effective individuals, according to Gartner. In April 2023, Gartner surveyed 114 CAEs across 180 areas to identify the most important measures of an effective CAE, and the six that were the most significant included: management satisfaction; CAE and audit department performance; perception of the CAE; audit engagement quality; CAE impact; and team engagement.

VMware has patched an information disclosure vulnerability in VMware Tanzu Application Service for VMs and Isolation Segment caused by credentials being logged and exposed via system audit logs. Tracked as CVE-2023-20891, the security flaw addressed today by Vmware would allow remote attackers with low privileges to access Cloud Foundry API admin credentials on unpatched systems in low-complexity attacks that don't require user interaction.

The top focus areas for chief audit executives in 2023 are advancing data analytics, assuring proliferating digital risks, and talent management, according to Gartner. "In 2023 most CAEs are focusing on organizational and departmental digital transformation initiatives and improving team engagement and performance in response to growing assurance needs," said Leslee McKnight, VP in the Gartner Risk & Audit Practice.

The IT audit director develops and schedules internal audits to measure and document whether those IT controls were followed as prescribed. This hiring kit from TechRepublic Premium can give your enterprise a head start on finding your ideal candidate for the IT audit director role.

Streamlining the audit process is not the only benefit of compliance automation. At the same time, automation improves your compliance and security posture as well as the productivity of your compliance program.

Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution that can let attackers steal information from customers' databases. "An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.

Hackers exploited a Level Finance smart contract vulnerability to drain 214,000 LVL tokens from the decentralized exchange and swapped them for 3,345 BNB, worth approximately $1,100,000. While Level Finance said the attack did not affect its liquidity pool and the DAO treasury, and the exploit was isolated from all other contracts, the LVL token lost roughly 50% of its value immediately after the attack was made known.

Researchers have discovered cryptographic vulnerabilities in Swiss-based secure messaging application Threema that may have allowed attackers to do things like break authentication or recover users' long-term private keys. The vulnerabilities have been fixed and Threema has since switched to a new communication protocol they designed with the help of external cryptographers.