Security News

Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins
2021-03-25 14:31

Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant. Thrive Themes is a collection of themes and plugins that provide WordPress administrators with the means to quickly customize their websites.

Microsoft Offers Up to $30,000 for Vulnerabilities in Teams Desktop Client
2021-03-25 12:31

Microsoft on Wednesday announced that its bug bounty programs now also cover the desktop client of its Teams business communications platform. The tech giant is offering rewards for vulnerabilities in the Teams desktop client as part of its Application Bounty Program, which will feature additional app-related bounties in the future.

Vulnerabilities in TBox RTUs Can Expose Industrial Organizations to Remote Attacks
2021-03-24 14:57

UK-based industrial automation company Ovarro recently patched a series of vulnerabilities in its TBox remote terminal units. Ovarro's TBox RTUs are described by the vendor as a remote telemetry solution for remote automation and monitoring of critical assets.

The financial impact of cybersecurity vulnerabilities on credit unions
2021-03-22 04:00

Cybersecurity vulnerabilities among credit unions and their vendors create the potential for large financial impacts to the credit union industry, according to a Black Kite report. The research analyzed the cybersecurity posture of 250 NCUA credit unions and 150 vendors commonly used by credit unions.

Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems
2021-03-19 12:52

A researcher says he has earned more than $50,000 from Facebook after discovering vulnerabilities that could have been exploited to gain access to some of the social media giant's internal systems. Abdulridha also claimed the account takeover attack may have allowed a hacker to access accounts for other internal Facebook applications as well, but Facebook told SecurityWeek it had not found any evidence to suggest that the flaw could be escalated to access other internal accounts.

New Mirai Variant Leverages 10 Vulnerabilities to Hijack IoT Devices
2021-03-17 13:54

Over the past month, a variant of the Mirai botnet was observed targeting new security vulnerabilities within hours after they had been disclosed publicly, researchers with Palo Alto Networks reveal. What makes the variant tracked by Palo Alto Networks stand out in the crowd is the fact that, within a four-week timeframe, it started exploiting several vulnerabilities that have been disclosed this year.

If you are not finding vulnerabilities, then you are not looking hard enough
2021-03-16 05:00

"Security doesn't just happen. If you are not finding vulnerabilities, then you are not looking hard enough," said Suzy Greenberg, vice president, Intel Product Assurance and Security. Respondents are familiar with their organizations' purchases of IT security technologies and services.

Over 80,000 Exchange Servers Still Affected by Actively Exploited Vulnerabilities
2021-03-15 18:50

Roughly 80,000 Exchange servers have yet to receive patches for the actively exploited vulnerabilities, Microsoft says. Over the course of last week, Microsoft released additional fixes for these vulnerabilities, including security updates for older and unsupported Exchange Server versions, or Cumulative Updates, as the company calls them.

Ransomware Operators Start Targeting Microsoft Exchange Vulnerabilities
2021-03-12 14:44

In addition to state-sponsored threat actors, the recently disclosed vulnerabilities affecting Microsoft Exchange Server are now being targeted by ransomware operators. A total of four critical zero-day vulnerabilities that are collectively referred to as ProxyLogon were patched in Exchange Server at the beginning of this month, and activity surrounding the bugs has only intensified since.

Serious Vulnerabilities Found in Schneider Electric Power Meters
2021-03-11 16:07

Industrial cybersecurity firm Claroty this week disclosed technical details for two potentially serious vulnerabilities affecting PowerLogic smart meters made by Schneider Electric. PowerLogic is a line of revenue and power quality meters that are used not only by utilities, but also industrial companies, healthcare organizations, and data centers for monitoring electrical networks.