Security News

CISA warned today of the significant breach risks linked to insecure direct object reference vulnerabilities impacting web applications in a joint advisory with the Australian Cyber Security Centre and U.S. National Security Agency. IDOR vulnerabilities are flaws in web apps that enable attackers to access and manipulate sensitive data by directly referencing internal objects or resources.

While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hackers' turn, as the notorious Breached cybercrime forum's database is up for sale and member data has been shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.

U.S. government services contractor Maximus has disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks. The Clop ransomware gang added Maximus to its dark web data leak site yesterday as part of a big batch of 70 new victims, all having been breached using the MOVEit zero-day flaw.

IBM released its annual Cost of a Data Breach Report, showing the global average cost of a data breach reached $4.45 million in 2023 - an all-time high for the report and a 15% increase over the last 3 years. Data breaches disclosed by the attacker cost nearly $1 million more on average compared to studied organizations that identified the breach themselves.

Data breach costs rose to $4.45 million per incident in 2023, IBM found in its annual Cost of a Data Breach report.

The US government is warning that threat actors breached the network of a U.S. organization in the critical infrastructure sector after exploiting a zero-day RCE vulnerability currently identified as CVE-2023-3519, a critical-severity issue in NetScaler ADC and Gateway that Citrix patched this week. Because the targeted NetScaler ADC appliance was in a segregated environment on the network, the hackers were not able to move laterally to a domain controller, CISA says.

Threat actors have breached the network of a U.S. organization in the critical infrastructure sector after exploiting a zero-day RCE vulnerability currently identified as CVE-2023-3519, a critical-severity issue in NetScaler ADC and Gateway that Citrix patched this week. Because the targeted NetScaler ADC appliance was in a segregated environment on the network, the hackers were not able to move laterally to a domain controller, CISA says.

The law firm that last month sent a Letter of Claim to Capita over the breach in late March says it has signed up nearly 1,000 clients as it prepares a class action lawsuit aimed at the outsourcing biz. The Pensions Regulator advised clients to speak to Capita to ascertain the risk.

Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee," security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News.

US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.