Security News

The US Cybersecurity and Infrastructure Security Agency and the National Security Agency are blaming unchanged default credentials as the prime security misconfiguration that leads to cyberattacks. The misconfigurations in the CSA illustrate a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and highlights the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders.

The National Security Agency and the Cybersecurity and Infrastructure Security Agency revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations. "These teams have assessed the security posture of many networks across the Department of Defense, Federal Civilian Executive Branch, state, local, tribal, and territorial governments, and the private sector," the NSA said.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while...

The US Fifth Circuit Court of Appeals has modified a ruling from last month to add the Cybersecurity and Infrastructure Security Agency to a list of US government entities prohibited from working with social media firms to curtail the spread of misinformation. In other words, stopping CISA from asking social media sites to restrict the reach of misinformation would interrupt the bulk of the Biden administration's moderation requests.

The US's Cybersecurity and Infrastructure Security Agency has added the latest actively exploited zero-day vulnerability affecting Google Chrome to its Known Exploited Vulnerabilities Catalog.With its addition to the KEV Catalog, CISA has effectively indicated that exploits for the vulnerability pose a "Significant risk to the federal enterprise," and agencies in the Federal Civilian Executive Branch have been set a three-week deadline of October 23 to apply the recommended fixes.

CISA also plans to create a guide to best practices in open source security for government entities and critical infrastructure organizations, according to the roadmap. CISA notes that open source software can lead to great innovation; however, CISA said, vulnerabilities like the widespread Log4shell vulnerability in 2021 mean open source software can introduce insidious flaws in widely-used code.

The U.S. Cybersecurity & Infrastructure Security Agency has announced it is offering free security scans for critical infrastructure facilities, such as water utilities, to help protect these crucial units from hacker attacks. "(CISA) can help your drinking water and wastewater system identify and address vulnerabilities with a no-cost vulnerability scanning service subscription.

The U.S. Cybersecurity and Infrastructure Security Agency ordered federal agencies today to patch security vulnerabilities abused as part of a zero-click iMessage exploit chain to infect iPhones with NSO Group's Pegasus spyware. On Monday, CISA added the two security flaws to its Known Exploited Vulnerabilities catalog, tagging them as "Frequent attack vectors for malicious cyber actors" and posing "Significant risks to the federal enterprise."

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. "Nation-state advanced persistent threat actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application, establish persistence, and move laterally through the network," according to a joint alert published by the agency, alongside Federal Bureau of Investigation, and Cyber National Mission Force.

The U.S. Cybersecurity and Infrastructure Security Agency has added to its catalog of known exploited vulnerabilities a critical-severity issue tracked as CVE-2023-33246 that affects Apache's RocketMQ distributed messaging and streaming platform. CISA is warning federal agencies that they should patch the CVE-2023-33246 vulnerability for Apache RocketMQ installations on their systems by September 27.