Security News

With speculative execution attacks remaining a stubbornly persistent vulnerability ailing modern processors, new research has highlighted an "Industry failure" to adopting mitigations released by AMD and Intel, posing a firmware supply chain threat. "The impact of such attacks is focused on disclosing the content from privileged memory to obtain sensitive data from processes running on the same processor," the firmware protection firm said in a report shared with The Hacker News.

Nearly five dozen security vulnerabilities have been disclosed in devices from 10 operational technology vendors due to what researchers call are "Insecure-by-design practices." Collectively dubbed OT:ICEFALL by Forescout, the 56 issues span as many as 26 device models from Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

With the attack surface expanding and cyberthreats growing in number and complexity, many organizations are sorting through a cybersecurity space that has myriad vendors and products to choose from, according to Chad Dunn, vice president for product management for Dell's Apex as-a-service business. Zero trust - which essentially dictates that any person or device trying to access the network should not be trusted and needs to go through a strict authentication and verification process - will be foundational for companies moving forward, but it has to be more than simply buying and deploying products, Dunn told The Register in an interview here in Las Vegas at the Dell Technologies World show.

Cybercriminals are leveraging advanced tactics in their phishing-kits granting them a high delivery success rate of spoofed e-mails which contain malicious attachments right before the end of the 2021 IRS income tax return deadline in the U.S. April 18th, 2022 - there was a notable campaign detected which leveraged phishing e-mails impersonating the IRS, and in particular one of the industry vendors who provide solutions to government agencies which including e-mailing, digital communications management, and the content delivery system which informs citizens about various updates. The IT services vendor actors impersonated is widely used by major federal agencies, including the DHS, and other such WEB-sites of States and Cities in the U.S. The identified phishing e-mail warned the victims about overdue payments to the IRS, which should then be paid via PayPal, the e-mail contained an HTML attachment imitating an electronic invoice.

Security alerts from multiple cloud vendors are overwhelming IT professionals. What happens when those notifications get out of hand? A report released Tuesday by cloud security provider Orca Security details how a flood of security alerts can easily trigger alert fatigue.

Security vendors pledge free protection for US hospitals and utilities amid fear of Russian cyberattacks. With that in mind, three security companies are offering their products for free to US hospitals and utilities.

Google's Project Zero is reporting that software vendors are patching their code faster. In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero.

Google's Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year. As the data shows, the average period software vendors needed to issue security fixes reported by Project Zero last year was 52 days, down from 80 days three years ago.

Researchers from firmware protection company Binarly have discovered critical vulnerabilities in the UEFI firmware from InsydeH2O used by multiple computer vendors such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer. UEFI software is an interface between a device's firmware and the operating system, which handles the booting process, system diagnostics, and repair functions.

As many as 23 new high severity security vulnerabilities have been disclosed in different implementations of Unified Extensible Firmware Interface firmware used by numerous vendors, including Bull Atos, Fujitsu, HP, Juniper Networks, Lenovo, among others. The vulnerabilities reside in Insyde Software's InsydeH2O UEFI firmware, according to enterprise firmware security company Binarly, with a majority of the anomalies diagnosed in the System Management Mode.