Security News

A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week. Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3.

Software vulnerabilities are more likely to be discussed on social media before they're revealed on a government reporting site, a practice that could pose a national security threat, according to computer scientists at the U.S. Department of Energy's Pacific Northwest National Laboratory. At the same time, those vulnerabilities present a cybersecurity opportunity for governments to more closely monitor social media discussions about software gaps, the researchers assert.

GitHub on Wednesday announced two new security features designed to help developers identify vulnerabilities and potential secrets in their code. These new security features, code scanning and secret scanning, are currently in beta.

Citrix this week announced that updates released for Citrix ShareFile storage zones controllers address several information disclosure vulnerabilities. With storage zones controllers, the ShareFile Software-as-a-Service cloud storage also offers private storage for ShareFile data, which is known as storage zones.

SAP this week revealed that it is notifying customers of a series of security issues that it has identified in its cloud products. The Germany-based enterprise software maker said it discovered that some of its cloud products "Do not meet one or several contractually agreed or statutory IT security standards at present."

Microsoft on Tuesday announced a new security research challenge that encourages white hat hackers to find and responsibly disclose vulnerabilities in the company's Azure Sphere solution. In an effort to identify potentially serious vulnerabilities in Azure Sphere, Microsoft has decided to run a three-month application-only challenge.

TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands. Tracked as CVE-2020-12111, the first of the command injection flaws impacts the NC260 and NC450 models and could be abused to remotely execute commands as root on affected devices.

Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns. The vulnerabilities affect all Salt versions prior to 2019.2.4 and 3000.2, which were released last week.

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert. Last week, F-Secure security researchers disclosed two vulnerabilities in Salt that could allow remote attackers to execute commands as root on "Master" and connected minions.

Oracle warned customers on Thursday that threat actors have been spotted attempting to exploit multiple recently patched vulnerabilities, including a critical WebLogic Server flaw tracked as CVE-2020-2883. Oracle's April 2020 Critical Patch Update resolves nearly 400 vulnerabilities, including CVE-2020-2883, a critical flaw in Oracle WebLogic Server that can be exploited by an unauthenticated attacker for remote code execution.