Security News

Several vulnerabilities in Samsung's Exynos chipsets may allow attackers to remotely compromise specific Samsung Galaxy, Vivo and Google Pixel mobile phones with no user interaction."With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely," Google Project Zero researchers have noted.

Microsoft's Security Intelligence team recently investigated a business email compromise attack and found that attackers move rapidly, with some steps taking mere minutes. BEC attacks are a type of cyberattack where the attacker gains access to an email account of the target organization through phishing, social engineering, or buying account credentials on the dark web.

DOUG. Crypto company code captured, Twitter's pay-for-2FA play, and GoDaddy breached. DOUG. Well, let's bring things into the modern, and talk about GoDaddy.

Australian software maker Atlassian has released patches for CVE-2023-22501, a critical authentication vulnerability in Jira Service Management Server and Data Center, and is urging users to upgrade quickly. "Installing a fixed version of Jira Service Management is the recommended way to remediate this vulnerability. If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround," they advised.

Data compromises steadily increased in the second half of 2022. Data breach notices suddenly lacked details, resulting in increased risk for individuals and businesses, as well as uncertainty about the number of data breaches and victims.

The researchers explain that attackers using search engine optimization poisoning are generally more successful "When they SEO poison the results of popular downloads associated with organizations that do not have extensive internal brand protection resources." SEO poisoning attacks consist of altering search engines results so that the first advertised links actually lead to attacker controlled sites, generally to infect visitors with malware or to attract more people on ad fraud.

A critical vulnerability in FortiOS SSL-VPN that Fortinet has issued patches for in November 2022 has been exploited by attackers to compromise governmental or government-related targets, the company has shared.They also pointed out that the malware can manipulate log files so it can avoid detection.

If you're a programmer, whether you code for a hobby or professionally, you'll know that creating a new version of your project - an official "Release" version that you yourself, or your friends, or your customers, will actually install and use - is always a bit of a white-knuckle ride. The idea is simple: every time anyone makes a change in their part of the project, grab that person's new code, and whisk them and their new code through a full build-and-test cycle, just like you would before creating a final release version.

A business email compromise attack is a type of scam aimed at an organization's employees in which the attacker impersonates a top executive or other trusted person associated with the business. While BEC attacks usually occur via email, they're now using SMS text messages to hit recipients.

The Russia-linked APT29 nation-state actor has been found leveraging a "Lesser-known" Windows feature called Credential Roaming as part of its attack against an unnamed European diplomatic entity. "The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up.