Security News

Microsoft ups bug bounties 30% for cloud lines, pays more for 'scenario-based' exploits
2022-04-18 18:12

Microsoft will pay more - up to $26,000 more - for "high-impact" bugs in its Office 365 products via its bug bounty program. The new "scenario-based" payouts to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program aim to incentivize bug hunters to focus on finding vulnerabilities with "the highest potential impact on customer privacy and security," Microsoft said late last week.

Potential threats to uninterruptible power supply (UPS) devices
2022-04-12 05:03

In this video for Help Net Security, Chris Westphal, Cybersecurity Evangelist at Ordr, talks about a recent alert from CISA and the Department of Energy about potential threats to uninterruptible power supply devices that are connected to the internet. UPS devices are used to provide emergency power, and they're usually connected to critical infrastructure.

Cyberattackers Target UPS Backup Power Devices in Mission-Critical Environments
2022-03-30 17:14

Cyberattackers are targeting uninterruptible power supply devices, which provide battery backup power during power surges and outages. UPS devices are usually used in mission-critical environments, safeguarding critical infrastructure installations and important computer systems and IT equipment, so the stakes are high.

CISA Warns of Ongoing Cyber Attacks Targeting Internet-Connected UPS Devices
2022-03-29 23:03

The U.S. Cybersecurity and Infrastructure Security Agency and the Department of Energy are jointly warning of attacks against internet-connected uninterruptible power supply devices by means of default usernames and passwords. "Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet," the agencies said in a bulletin published Tuesday.

CISA warns of attacks targeting Internet-connected UPS devices
2022-03-29 15:55

In a joint advisory with the Department of Energy, the Cybersecurity and Infrastructure Security Agency warned U.S. organizations today to secure Internet-connected UPS devices from ongoing attacks. UPS devices are regularly used as emergency power backup solutions in mission-critical environments, including data centers, industrial facilities, server rooms, and hospitals.

Week in review: Linux bug gives root access to attackers, UPS devices’ vulns, IoT security for OEMs
2022-03-13 09:00

Mozilla fixes Firefox zero-days exploited in the wild: Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities exploited by attackers in the wild. Easily exploitable Linux bug gives root access to attackers: An easily exploitable vulnerability in the Linux kernel can be used by local unprivileged users to gain root privileges on vulnerable systems by taking advantage of already public exploits.

Critical Bugs Could Let Attackers Remotely Hack, Damage APC Smart-UPS Devices
2022-03-09 20:59

Three high-impact security vulnerabilities have been disclosed in APC Smart-UPS devices that could be abused by remote adversaries as a physical weapon to access and control them in an unauthorized manner. TLStorm consists of a trio of critical flaws that can be triggered via unauthenticated network packets without requiring any user interaction, meaning it's a zero-click attack, with two of the issues involving a case of faulty TLS handshake between the UPS and the APC cloud.

Millions of APC Smart-UPS devices vulnerable to TLStorm
2022-03-09 12:29

If you're managing a smart model from ubiquitous uninterruptible power supply device brand APC, you need to apply updates now - a set of three critical zero-day vulnerabilities are making Smart-UPS devices a possible entry point for network infiltration. The vulnerabilities, dubbed "TLStorm," were found in Schneider Electric's APC Smart-UPS products by security firm Armis, which made the info public on Tuesday.

APC UPS zero-day bugs can remotely burn out devices, disable power
2022-03-09 00:08

A set of three critical zero-day vulnerabilities now tracked as TLStorm could let hackers take control of uninterruptible power supply devices from APC, a subsidiary of Schneider Electric. UPS devices act as emergency power backup solutions and are present in mission-critical environments such as data centers, industrial facilities, and hospitals.

TLStorm exploits expose more than 20 million UPS units to takeover. Was yours one of them?
2022-03-08 20:44

TLStorm exploits expose more than 20 million UPS units to takeover. The exploits come, said Armis head of research Barak Hadad, at a time when even the least likely of devices has an internet connection that turns it into a potential threat.