Security News

Week in review: Log4Shell exploitation, DevSecOps myths, 56 vulnerabilities impacting OT devices
2022-06-26 08:30

Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns
If your organization is running VMware Horizon and Unified Access Gateway servers and you haven't implemented the patches or workarounds to fix/mitigate the Log4Shell vulnerability in December 2021, you should treat all those systems as compromised, the Cybersecurity and Infrastructure Security Agency advised on Thursday.

7 DevSecOps myths and how to overcome them
By including security and compliance processes in end-to-end automation, businesses can secure software throughout the whole software supply chain, significantly improve the developer experience, and accelerate safer delivery.

Researchers Disclose 56 Vulnerabilities Impacting OT Devices from 10 Vendors
2022-06-22 23:18

Nearly five dozen security vulnerabilities have been disclosed in devices from 10 operational technology vendors due to what researchers call "insecure-by-design practices." Collectively dubbed OT:ICEFALL by Forescout, the 56 issues span as many as 26 device models from Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

Researchers disclose 56 vulnerabilities impacting thousands of OT devices
2022-06-21 04:30

Forescout's Vedere Labs disclosed OT:ICEFALL, 56 vulnerabilities affecting devices from 10 operational technology vendors. This is one of the single largest vulnerability disclosures that impact OT devices and directly addresses insecure-by-design vulnerabilities.

Only 10% of vulnerabilities are remediated each month
2022-06-14 04:00

The research found that 53% of the 1.6 million organizations assessed had at least one vulnerability exposed to the internet, while 22% of organizations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organizations' critical assets. Regardless of how many total vulnerabilities existed across their domain(s), organizations typically fixed about 10% of weaknesses each month.

CISA Warned About Critical Vulnerabilities in Illumina's DNA Sequencing Devices
2022-06-06 04:58

The U.S. Cybersecurity and Infrastructure Security Agency and Food and Drug Administration have issued an advisory about critical security vulnerabilities in Illumina's next-generation sequencing software. The issues impact software in medical devices used for "Clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions, or for research use only," according to the FDA. "Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level," CISA said in an alert.

A closer look at the 2022 Microsoft Vulnerabilities Report
2022-06-02 05:00

BeyondTrust's recent 2022 Microsoft Vulnerabilities Report includes the latest annual breakdown of Microsoft vulnerabilities by category and product, as well as a six-year trend analysis, providing a holistic understanding of the evolving threat landscape. In this video for Help Net Security, Morey Haber, Chief Strategy Officer at BeyondTrust, talks about this report, which analyzes data from security bulletins publicly issued by Microsoft throughout the previous year.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities
2022-05-30 21:11

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems. "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week.

Critical Microsoft vulnerabilities decreased 47% in 2021
2022-05-27 13:26

Overall vulnerabilities across all Microsoft products decreased five percent in 2021, according to the annual BeyondTrust Microsoft Vulnerabilities 2022 report.

In record year for vulnerabilities, Microsoft actually had fewer
2022-05-25 16:11

Figures from the National Vulnerability Database of the US National Institute of Standards and Technology show last year broke all records for security vulnerabilities. Just 1,212 vulnerabilities were reported in Microsoft products last year, said BeyondTrust, a 5 percent drop on the previous year.

CISA adds 41 vulnerabilities to list of bugs used in cyberattacks
2022-05-24 17:50

The Cybersecurity & Infrastructure Security Agency has added 41 vulnerabilities to its catalog of known exploited flaws over the past two days, including flaws for the Android kernel and Cisco IOS XR. The added vulnerabilities come from a wide range of years, with the oldest disclosed in 2016 and the most recent being a Cisco IOS XR vulnerability fixed last Friday. CISA has given federal agencies until June 13th, 2022, to apply security updates for the Android and Cisco vulnerabilities.