Security News
Tactical and targeting overlaps have been discovered between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster that's known to use a backdoor known as...
Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed...
AI security researchers from Robust Intelligence and Yale University have designed a machine learning technique that can speedily jailbreak large language models in an automated fashion. "The method, known as the Tree of Attacks with Pruning, can be used to induce sophisticated models like GPT-4 and Llama-2 to produce hundreds of toxic, harmful, and otherwise unsafe responses to a user query in mere minutes," Robust Intelligence researchers have noted.
The conversation also touches on the broader ethical considerations in cybersecurity and the impact of emerging technologies on vulnerability disclosure practices and offers advice for cybersecurity professionals grappling with these critical decisions. Some might argue that in the interest of the public, public disclosure is the most ethical approach as it ensures the issue is closed as quick as possible.
The owner of the e-commerce store management system OpenCart has responded with hostility to a security researcher disclosing a vulnerability in the product. Penetration tester Mattia Brollo brought a static code injection vulnerability to the attention of OpenCart by opening a GitHub issue on October 14, only to be met with numerous dismissive and offensive responses from Daniel Kerr, OpenCart's owner.
A team of academic researchers from universities in California and Massachusetts demonstrated that it's possible under certain conditions for passive network attackers to retrieve secret RSA keys from naturally occurring errors leading to failed SSH connection attempts. A paper published by university researchers Keegan Ryan, Kaiwen He, Nadia Heninger, and George Arnold Sullivan, shows that it's possible for a passive network attacker to obtain a private RSA key from SSH servers experiencing faults during signature computation.
Multiple fake accounts impersonating cryptocurrency scam investigators and blockchain security companies are promoting phishing pages to drain wallets in an ongoing campaign on X. To lure potential victims, the scammer uses a breach on major cryptocurrency exchange platforms. The scammers impersonate accounts on X belonging to blockchain analytics or crypto fraud investigation firms and researchers, like CertiK, ZachXBT, and Scam Sniffer, to promote fabricated security breaches on Uniswap and Opensea.
The scammers impersonate accounts on X belonging to blockchain analytics or crypto fraud investigation firms and researchers, like CertiK, ZachXBT, and Scam Sniffer, to promote fabricated security breaches on Uniswap and Opensea. To impersonate the legitimate accounts, the threat actors created new X accounts with similar account names.
Cybersecurity researchers have developed what's the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft Azure Automation service without racking up any charges. Developed by Microsoft, it's a cloud-based automation service that allows users to automate the creation, deployment, monitoring, and maintenance of resources in Azure.
As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and...