Security News
Three different connected home hubs - Fibaro Home Center Lite, Homematic Central Control Unit and Elko's eLAN-RF-003 - are vulnerable in their older versions to serious bugs that would allow information disclosure, man-in-the-middle attacks and unauthenticated remote code execution, according to researchers. Home hubs are used to connect a range of smart devices.
The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan laterally throughout an entire corporate environment, researchers said. SDBbot RAT is a custom job that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks.
We'll refer to this one a Fourthytuesday instead, now that Firefox has reduced its update wavelength to four weeks to get important-but-not-zero-day-critical fixes out just that bit more frequently. If your automatic update hasn't happened yet, a manual check will let you "Jump the queue" and get the update a bit sooner.
A vulnerability in the Point-to-Point Protocol Daemon software, which comes installed on many Linux-based and Unix-like operating systems and networking devices, can be exploited by unauthenticated attackers to achieve code execution on - and takeover of - a targeted system. Pppd is a daemon that is used to manage PPP session establishment and session termination between two nodes on Unix-like operating systems.
The CNAME points to a subdomain on a hosting service like Azure, which allows users to create websites using subdomains of. No verification, no alert to Microsoft that one of their old subdomains has been taken over, and no easy way for enterprise security systems to detect that this apparently legit domain is anything but.
SAN FRANCISCO - Researchers have discovered several high-severity vulnerabilities in a connected vacuum cleaner. The security holes could give remote attackers the capability to launch an array of attacks - from a denial of service attack that renders the vacuum unusable, to viewing private home footage through the vacuum's embedded camera.
Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service or account takeover via credential-stuffing. According to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: A authentication issue which could lead to account takeover; a rate-limiting bug that could lead to DoS; and an improper input validation.
Twitter for Android users are urged to update their app to fend off a security bug that allows hackers to access private account data and control accounts to send tweets and direct messages.
One flaw found in WordPress plugins Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor is actively being exploited.
Microsoft recently addressed an OAuth 2.0 vulnerability that could allow an attacker to take over Azure accounts. The issue impacts specific Microsoft OAuth 2.0 applications and allows an attacker...