Security News

It's time to reorganize the US government and create a new agency focused solely on on digital risk management services, according to former CISA director Chris Krebs. Or, if that's too ambitious for Uncle Sam, Krebs proposed to at least pull CISA out of the Department of Homeland Security and make it a sub-cabinet agency that's allowed to operate independently.

The U.S. Cybersecurity and Infrastructure Security Agency has added two more flaws to its catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation. Officially tracked as CVE-2022-34713 and informally referred to as DogWalk, the security flaw in MSDT allows an attacker to place a malicious executable into the Windows Startup folder.

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue in question is CVE-2022-27924, a command injection flaw in the platform that could lead to the execution of arbitrary Memcached commands and theft of sensitive information.

The U.S. Cybersecurity and Infrastructure Security Agency on Friday added the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.

CISA has added a critical Confluence vulnerability tracked as CVE-2022-26138 to its list of bugs abused in the wild, a flaw that can provide remote attackers with hardcoded credentials following successful exploitation. Today, CISA added the CVE-2022-26138 to its catalog of Known Exploited Vulnerabilities based on evidence of active exploitation.

A handful of vulnerabilities, some critical, in MiCODUS GPS tracker devices could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there's no fixes for these security flaws. "Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features," the US government agency warned in an advisory posted Tuesday.

A Windows 11 vulnerability, part of Microsoft's Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency to advise patching of the elevation of privileges flaw by August 2. The recommendation is directed at federal agencies and concerns CVE-2022-22047, a vulnerability that carries a CVSS score of high and exposes Windows Client Server Runtime Subsystem used in Windows 11 and also Windows Server 2022 to attack.

Juniper Networks has patched critical-rated bugs across its Junos Space, Contrail Networking and NorthStar Controller products that are serious enough to prompt CISA to weigh in and advise admins to update the software as soon as possible. "CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates," according to the Feds' warning this week.

CISA has added an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem to its list of bugs abused in the wild.This high severity security flaw impacts both server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases.

NPower, a US-based non-profit participating in a cybersecurity workforce development program started by the Cybersecurity and Infrastructure Agency, is looking for recruits for a free cybersecurity training program aimed at underserved populations in the US, including women, people of color, young adults, and military veterans and their spouses. We've asked Nelson Abbott, Senior Director of Advanced Program Operations at NPower, and Chris Starling, a US Marine Corps veteran and Assistant VP at NPower California, to tell us more about it.