Security News
Cybersecurity experts at Minerva recently made a stunning discovery of a new malware tagged Beep that has the features to evade detection and analysis by security software. While Beep is in its early stage of development and still lacks some essential malware attack capabilities, Minerva's report shows that it can enable threat actors to download and inject additional payloads on infected systems using three major components: a dropper, an injector and a payload. The differentiating factor between Beep and other malware is its ability to beat detection using unique evasion techniques.
Security researchers have disclosed two new vulnerabilities affecting Schneider Electric Modicon programmable logic controllers that could allow for authentication bypass and remote code execution. The flaws, tracked as CVE-2022-45788 and CVE-2022-45789, are part of a broader collection of security defects tracked by Forescout as OT:ICEFALL. Successful exploitation of the bugs could enable an adversary to execute unauthorized code, cause a denial of service, or disclose sensitive information.
This is not the case when it comes to sensitive data sitting in production or analytic databases, data warehouses or data lakes. This article examines how Satori, a data security platform, gives control of the sensitive data in databases, data warehouses and data lakes to the security teams.
Cloud and application security is everyone's responsibility - there isn't much of a choice. Many enterprise cloud customers make the mistake of believing that they are free from obligation when it comes to application security, and they deploy the apps in the cloud, exposing themselves to security gaps at the seam of enterprise and cloud vendor infrastructures.
These cover a wide range of Intel products including Xeon processors, network adapters, and also software. One, CVE-2022-38090, has a severity rating of medium and affects a number of Intel processors, including the 3rd Gen Xeon Scalable server chips, which have only recently been superseded by the 4th Gen "Sapphire Rapids" products.
It's a challenge for IT security chiefs because unstructured data's decentralized nature makes it harder to maintain effective and consistent security controls that govern access to it. "Concepts of best practice in data storage have evolved rapidly since the SolarWinds hack," says Kevin Noreen, Senior Product Manager - Unstructured Data Storage Security at Dell Technologies.
Last week, the Identity Defined Security Alliance, a nonprofit that provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies, announced Jeff Reich as the organization's new Executive Director. In this Help Net Security interview, you can learn more about identity security and the evolving threat landscape.
While the report found that 96% of respondents were satisfied with the quality of threat intelligence their organization is using, respondents declared effectively applying that intelligence throughout the security organization to be one of their greatest challenges. Only 38% of security teams share threat intelligence with a wider group of employees for risk awareness.
In it, a pig butchering romance scammer targets her next victim: Sophos's lead threat researcher. "I was approached by multiple, separate scam operations personally, each running different variations on pig butchering," Sophos's principal threat researcher Sean Gallagher wrote in a blog post today about one of these attempts.
Along with those memory bugs, we also reported on a bug dubbed CVE-2022-4304: Timing Oracle in RSA Decryption. In other words, so-called timing attacks of this sort are always troublesome, even if you might need to send millions of bogus packets and time them all to have any chance at all.