Security News

The U.S. Cybersecurity and Infrastructure Security Agency warned today of a high-severity Android vulnerability believed to have been exploited by a Chinese e-commerce app Pinduoduo as a zero-day to spy on its users. "Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed," CISA explains.

The Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch two security vulnerabilities actively exploited in the wild to hack iPhones, Macs, and iPads. According to a binding operational directive issued in November 2022, Federal Civilian Executive Branch Agencies agencies are required to patch their systems against all security bugs added to CISA's Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency on Friday added five security flaws to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software that could lead to the execution of privileged commands on the underlying system.

On Friday, U.S. Cybersecurity and Infrastructure Security Agency increased by five its list of security issues that threat actors have used in attacks, three of them in Veritas Backup Exec exploited to deploy ransomware. Of the five vulnerabilities that CISA added to the catalog of Known Exploited Vulnerabilities today, only one was rated critical, an issue in Veritas' data protection software tracked as CVE-2021-27877 that allows remote access and command execution with elevated privileges.

The U.S. Cybersecurity and Infrastructure Security Agency has published eight Industrial Control Systems advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. Topping the list is CVE-2022-3682, impacting Hitachi Energy's MicroSCADA System Data Manager SDM600 that could allow an attacker to take remote control of the product.

According to Etay Maor, Senior Director Security Strategy at Cato Networks, "It's interesting to note critical infrastructure doesn't necessarily have to be power plants or electricity. A nation's monetary system or even a global monetary system can be and should be considered a critical infrastructure as well." Not to mention the infamous Colonial Pipeline attack, which has become the poster child of critical infrastructure attacks.

The Cybersecurity and Infrastructure Security Agency warned federal agencies to patch a Zimbra Collaboration cross-site scripting flaw exploited by Russian hackers to steal emails in attacks targeting NATO countries. Winter Vivern's attacks start with the hackers using the Acunetix tool vulnerability scanner to find vulnerable ZCS servers and sending users phishing emails that spoof senders the recipients are familiar with.

Over 15 million publicly facing services are susceptible to at least one of the 896 vulnerabilities listed in CISA's KEV catalog. Using these custom search queries, the researchers found 15 million instances vulnerable to 200 CVEs from the catalog.

The Cybersecurity and Infrastructure Security Agency has ordered federal agencies today to patch security vulnerabilities exploited as zero-days in recent attacks to install commercial spyware on mobile devices. One month later, a complex chain of multiple 0-days and n-days was exploited to target Samsung Android phones running up-to-date Samsung Internet Browser versions.

American cybersecurity officials have released an early-warning system to protect Microsoft cloud users. Dubbed the Untitled Goose Tool, CISA said it "Offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services."