Security News

HP announced in a security bulletin this week that it would take up to 90 days to patch a critical-severity vulnerability that impacts the firmware of certain business-grade printers. The security issue is tracked as CVE-2023-1707 and it affects about 50 HP Enterprise LaserJet and HP LaserJet Managed Printers models.

Data storage devices maker Western Digital on Monday disclosed a "Network security incident" that involved unauthorized access to its systems.The breach is said to have occurred on March 26, 2023, enabling an unnamed third party to gain access to a "Number of the company's systems."

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. It impacts versions 4.8.0 through 5.6.1.

Devices used in critical infrastructure are riddled with vulnerabilities that can cause denial of service, allow configuration manipulation, and achieve remote code execution, according to security researchers. Most of these operational technology products - which include industrial control systems and related devices - claim security certifications, some of which they did not actually have.

The U.S. Cybersecurity and Infrastructure Security Agency has released eight Industrial Control Systems advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code," CISA said.

Suspected Chinese spies have exploited a critical Fortinet bug, and used custom networking malware to steal credentials and maintain network access, according to Mandiant security researchers. "Mandiant suspected the FortiGate and FortiManager devices were compromised due to the connections to VIRTUALPITA from the Fortinet management IP addresses," the researchers observed.

The Federal Bureau of Investigation revealed in its 2022 Internet Crime Report that ransomware gangs breached the networks of at least 860 critical infrastructure organizations last year. "The IC3 received 870 complaints that indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack," the FBI said.

Security researchers have shared technical details for exploiting a critical Microsoft Outlook vulnerability for Windows that allows hackers to remotely steal hashed passwords by simply receiving an email. The issue is a privilege escalation vulnerability with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows.

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks. The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform and SAP NetWeaver.

Today, the U.S. Cybersecurity & Infrastructure Security Agency announced a new pilot program to help critical infrastructure entities protect their information systems from ransomware attacks. "Through the Ransomware Vulnerability Warning Pilot, which started on January 30, 2023, CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors," the cybersecurity agency said.