Security News

Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits
2020-11-27 12:14

The developers of the Drupal content management system released out-of-band security updates right before Thanksgiving due to the availability of exploits. The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive Tar, a third-party library designed for handling.

Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs
2020-11-22 11:40

A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices. The vulnerability being referred to here is CVE-2018-13379, a path traversal flaw impacting a large number of unpatched Fortinet FortiOS SSL VPN devices.

APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
2020-11-19 14:34

China-backed APT Cicada joins the list of threat actors leveraging the Microsoft Zerologon bug to stage attacks against their targets. Researchers observed a "large-scale attack campaign targeting multiple Japanese companies" across 17 regions and various industry sectors that engaged in a range of malicious activity, such as credential theft, data exfiltration and network reconnaissance.

The effectiveness of vulnerability disclosure and exploit development
2020-11-19 06:00

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space - namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem.

Chinese APT10 hackers use Zerologon exploits against Japanese orgs
2020-11-18 11:21

A Chinese state-sponsored hacking group has been observed attempting to exploit the Windows Zerologon vulnerability in attacks against Japanese companies and subsidiaries from multiple industry sectors in 17 regions around the globe. APT10 attackers were also observed using Zerologon exploits to steal domain credentials and take full control over the entire domain following successful exploitation of vulnerable devices.

Cisco Patches Critical Flaw After PoC Exploit Code Release
2020-11-17 15:17

A day after proof-of-concept exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch. PoC exploits for the flaw - as well as 11 other issues in Cisco Security Manager - were published online Monday by security researcher Florian Hauser.

EA Games' Origin client contained privilege escalation vuln that anyone with user-grade access could exploit
2020-11-10 16:47

A British infosec outfit spotted a privilege escalation vulnerability in EA Games' Origin client after discovering the software was hunting for an absent DLL file when users opened it. Nettitude found the priv-esc after researcher Tom Wilson fired up Origin and ran Process Monitor over it to see what Origin was calling when it ran.

BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers
2020-11-05 12:30

A threat actor specializing in business email compromise attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations. An analysis of the attack revealed that the hackers had sent out phishing emails by leveraging a flaw related to how Rackspace SMTP servers hosted at emailsrvr.com authorize users.

Cisco discloses AnyConnect VPN zero-day, exploit code available
2020-11-04 12:22

Cisco has disclosed today a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software with proof-of-concept exploit code publicly available. While security updates are not yet available for this arbitrary code execution vulnerability, Cisco is working on addressing the zero-day, with a fix coming in a future AnyConnect client release.

Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits
2020-11-03 17:23

The vulnerability is tied to Google's open source JavaScript and WebAssembly engine called V8. In its disclosure, the flaw is described as an "Inappropriate implementation in V8". Clement Lecigne of Google's Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a blog post announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. "Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild. CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android," he wrote.