Security News

Hackers earn $1,035,000 for 27 zero-days exploited at Pwn2Own Vancouver
2023-03-27 15:23

Pwn2Own Vancouver 2023 has ended with contestants earning $1,035,000 and a Tesla Model 3 car for 27 zero-day exploited between March 22 and 24. The total prize pool for Pwn2Own Vancouver 2023 was over $1,000,000 in cash and a Tesla Model 3, which Team Synacktiv won.

Microsoft shares tips on detecting Outlook zero-day exploitation
2023-03-24 20:09

Microsoft today published a detailed guide aiming to help customers discover signs of compromise via exploitation of a recently patched Outlook zero-day vulnerability. Microsoft also shared guidance on how to block future attacks targeting this vulnerability, urging organizations to install the recently released Outlook security update.

Procter & Gamble confirms data theft via GoAnywhere zero-day
2023-03-24 17:54

Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file-sharing platform was compromised in early February. "P&G can confirm that it was one of the many companies affected by Fortra's GoAnywhere incident. As part of this incident, an unauthorized third party obtained some information about P&G employees," Procter & Gamble told BleepingComputer.

Microsoft Teams, Virtualbox, Tesla zero-days exploited at Pwn2Own
2023-03-23 23:33

Competitors successfully exploited zero-day bugs in multiple products during the second day of Pwn2Own Vancouver 2023, including the Tesla Model 3, Microsoft's Teams communication platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system. Team Viettel hacked also Microsoft Teams via a 2-bug chain to earn $78,000 and Oracle's VirtualBox using a Use-After-Free bug and an uninitialized variable for $40,000.

2022 witnessed a drop in exploited zero-days
2023-03-21 13:03

Malicious threat actors have actively exploited 55 zero-days in 2022 - down from 81 in 2021 - with Microsoft, Google, and Apple products being most targeted. "While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions from these vulnerabilities is often limited. Alternatively, elevated privileges and code execution can lead to lateral movement across networks, causing effects beyond the initial access vector," the company's analysts noted.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022
2023-03-21 09:54

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations.

Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw
2023-03-21 06:55

Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges," the company said in an advisory published over the weekend.

General Bytes Bitcoin ATMs hacked using zero-day, $1.5M stolen
2023-03-20 21:36

Leading Bitcoin ATM maker General Bytes disclosed that hackers stole cryptocurrency from the company and its customers using a zero-day vulnerability in its BATM management platform. General Bytes makes Bitcoin ATMs allowing people to purchase or sell over 40 cryptocurrencies.

Hackers mostly targeted Microsoft, Google, Apple zero-days in 2022
2023-03-20 17:08

Hackers continue to target zero-day vulnerabilities in malicious campaigns, with researchers reporting that 55 zero-days were actively exploited in 2022, most targeting Microsoft, Google, and Apple products. According to Mandiant, most of last year's zero-day flaws were exploited by Chinese state-sponsored actors and most concerned operating systems, web browsers, and network management products.

Week in review: Kali Linux gets Purple, Microsoft zero-days get patched
2023-03-19 09:30

CISA warns CI operators about vulnerabilities on their networks exploited by ransomware gangsOrganizations in critical infrastructure sectors whose information systems contain security vulnerabilities associated with ransomware attacks are being notified by the US Cybersecurity and Infrastructure Security Agency and urged to implement a fix. Kali Linux 2023.1 released - and so is Kali Purple!OffSec has released Kali Linux 2023.1, the latest version of its popular penetration testing and digital forensics platform, and the release is accompanied by a big surprise: a technical preview of Kali Purple, a "One stop shop for blue and purple teams." The company has also updated its Penetration Testing with Kali Linux course to incorporate the latest ethical hacking tools and techniques.