Facebook Businesses Targeted in Infostealer Phishing Campaign

The threat actors deceive their victims by impersonating the legal teams of companies, well-known Web stores, and manufacturers.

Cybersecurity Job Market Stagnates, Dissatisfaction Abounds

The 2024 ISC2 Cybersecurity Workforce Study found that amid a tightening job market and dynamic cyber-threat environment, ongoing staffing and skills shortages are putting organizations at serious risk. Can AI move the needle in defenders' favor?

Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

Chinese APTs lurked in Canadian government networks for five years — and that's just one among a whole host of threats from Chinese bad actors.

Casap Secures $8.5M in Funding

Cybersecurity Training Resources Often Limited to Developers

With a lack of cybersecurity awareness training resources for all employees, organizations are more susceptible to being breached or falling short when it comes to preventing threats.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

Using a malicious Chrome extension, researchers showed how an attacker could inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Recurring Windows Flaw Could Expose User Credentials

Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

A professional-grade tool set, appropriately dubbed "CloudScout," is infiltrating cloud apps like Microsoft Outlook and Google Drive, targeting sensitive info for exfiltration.

French ISP Confirms Cyberattack, Data Breach Affecting 19M

In the latest attack against ISPs, second-largest French provider Free fell victim to unknown cyberattackers who attempted to sell the compromised data it stole from the company on an underground cybercrime forum.

Delta Launches $500M Lawsuit Against CrowdStrike

Delta argues that it lost hundreds of million of dollars in downtime and other costs in the aftermath of the incident, while CrowdStrike says it isn't liable for more than $10 million.

Mozilla: ChatGPT Can Be Manipulated Using Hex Code

LLMs tend to miss the forest for the trees, understanding specific instructions but not their broader context. Bad actors can take advantage of this myopia to get them to do malicious things, with a new prompt-injection technique.

Put End-of-Life Software to Rest

Relying on EOL software leaves critical systems exposed — making it a problem no business can afford to ignore.

SEC Fines Companies Millions for Downplaying SolarWinds Breach

Four companies — Avaya, Check Point, Mimecast, and Unisys — have been charged by the SEC for misleading disclosures in the aftermath of the 2020 SolarWinds compromise.

UnitedHealth Reveals 100M Compromised in Change Healthcare Breach

Eight months after the breach occurred, Change Healthcare has finally sent out millions of notices of compromised data to affected individuals.

Microsoft: Healthcare Sees 300% Surge in Ransomware Attacks

Even after the ransom is paid, such attacks lead to spikes in strokes and heart attacks and increased wait times for patients.

Critical Bug Exploited in Fortinet's Management Console

An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.

'Prometei' Botnet Spreads Its Cryptojacker Worldwide

The Russian-language malware primarily enlists computers to mine Monero, but theoretically it can do worse.

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

Russian Trolls Pose as Reputable Media to Sow US Election Chaos

Operation Overload pushes dressed up Russian state propaganda with the aim of flooding the US with election disinformation.

Microsoft SharePoint Vuln Is Under Active Exploit

The risk of exploitation is heightened, thanks to a proof-of-concept that's been made publicly available.

Retail & Hospitality ISAC Launches Program Aimed at Securing Supply Chains

Most US Political Campaigns Lack DMARC Email Protection

Without DMARC, campaigns remain highly susceptible to phishing, domain spoofing, and impersonation.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Cisco Disables DevHub Access After Security Breach

The networking company confirms that cyberattackers illegally accessed data belonging to some of its customers.

Internet Archive Gets Pummeled in Round 2 Breach

This latest breach was through Zendesk, a customer service platform that the organization uses.

Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

The emergence of novel anti-detection kits for sale on the Dark Web limit the effectiveness of a Chrome browser feature that warns users that they have reached a phishing page.

Why I'm Excited About the Future of Application Security

The future of application security is no longer about reacting to the inevitable — it's about anticipating and preventing attacks before they can cause damage.

EU Adopts Cyber Resilience Act to Regulate Internet of Things

The European Union adopted a new law setting EU-wide cybersecurity requirements for connected devices to ensure their safety.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data

Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

CISOs: Throwing Cash at Tools Isn't Helping Detect Breaches

A survey shows three-quarters of CISOs are drowning in threat detections put out by a sprawling stack of tools, yet still lack the basic visibility necessary to identify breaches.

ESET-Branded Wiper Attack Targets Israel; Firm Denies Compromise

The security firm is denying an assessment that its systems were compromised in Israel by pro-Palestinian cyberattackers, but acknowledged an attack on one of its partners.

Hong Kong Crime Ring Swindles Victims Out of $46M

The scammers used real-time deepfakes in online dating video calls to convince the victims of their legitimacy.

Internet Archive Slowly Revives After DDoS Barrage

Days after facing a major breach, the site is still struggling to get fully back on its feet.

4 Ways to Address Zero-Days in AI/ML Security

As the unique challenges of AI zero-days emerge, the approach to managing the accompanying risks needs to follow traditional security best practices but be adapted for AI.

Anonymous Sudan Unmasked as Leaders Face Life in Prison

US officials disrupted the group's DDoS operation and arrested two individuals behind it, who turned out to be far less intimidating than they were made out to be in the media.

Port Raises $35M for its End-to-End Internal Developer Portal

Hybrid Work Exposes New Vulnerabilities in Print Security

The shift to a distributed work model has exposed organizations to new threats, and a low but continuing stream of printer-related vulnerabilities isn't helping.

Cyber Gangs Aren't Afraid of Prosecution

Challenges with cybercrime prosecution are making it easier for attackers to act with impunity. Law enforcement needs to catch up.

Sidewinder Casts Wide Geographic Net in Latest Attack Spree

The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.

FHE Consortium Pushes for Quantum-Resilient Cryptography Standards

The FHE Technical Consortium for Hardware (FHETCH) brings together developers, hardware manufacturers and cloud providers to collaborate on technical standards necessary to develop commercial fully homomorphic encryption solutions and lower adoption barriers.

North Korea Hackers Get Cash Fast in Linux Cyber Heists

The thieves modify transaction messages to initiate unauthorized withdrawals, even when there are insufficient funds.

Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.

Pokémon Gaming Company Employee Info Leaked in Hack

The gaming company reports that the server has been rebuilt after the leak, but has not confirmed if its insider video game data was leaked.

Microsoft: Schools Grapple With Thousands of Cyberattacks Weekly

Education, including K-12 schools and universities, has become the third most targeted sector due to the high variety of sensitive data it stores in its databases.

ConfusedPilot Attack Can Manipulate RAG-Based AI Systems

Attackers can introduce a malicious document in systems such as Microsoft 365 Copilot to confuse the system, potentially leading to widespread misinformation and compromised decision-making processes.

Fighting Crime With Technology: Safety First

By combining human and nonhuman identity management in one solution, Flock Safety is helping law enforcement solve an impressive number of criminal cases every day.

Why Your Identity Is the Key to Modernizing Cybersecurity

Ultimately, the goal of creating a trusted environment around all digital assets and devices is about modernizing the way you do business.

American Water Reconnects Its Network Taps After Cyber Incident

The company is beginning to bring its systems back online, though the investigation wages on.

Marriot & Starwood Face $52M Settlement After Security Breaches

The hotel giant will be held to higher security standards in a series of proposed requirements, including implementing a new annually reviewed security program.

EU Plans Sanctions for Cyberattackers Acting on Behalf of Russia

The European Union's new sanctions framework will target individuals and organizations engaging in pro-Russian activities such as cyberattacks and information manipulation to undermine EU support for Ukraine.

Critical Mozilla Firefox Zero-Day Allows Code Execution

The bug is already being exploited in the wild, but Firefox has provided patches for those who may be vulnerable.

Fidelity Notifies 77K Customers of Data Breach

The third-party actor had access for two days, in the financial services company's second major breach of the year.

Microsoft Previews New Windows Feature to Limit Admin Privileges

In the latest Windows preview, Microsoft adds a feature — Administrator Protection — designed to prevent threat actors from easily escalating privileges and restrict lateral movement.

Australia Intros Its First National Cyber Legislation

The bill is broken up into several pieces, including ransomware reporting and securing smart devices, among other objectives.

Mamba 2FA Cybercrime Kit Targets Microsoft 365 Users

A stealthy new underground offering uses sophisticated adversary-in-the-middle (AitM) techniques to convincingly serve up "Microsoft" login pages of various kinds, with dynamic enterprise branding.

3 More Ivanti Cloud Vulns Exploited in the Wild

The security bugs were found susceptible to exploitation in connection to the previously disclosed, critical CVE-2024-8963 vulnerability in the security vendor's Cloud Services Appliance (CSA).

Cloud, AI Talent Gaps Plague Cybersecurity Teams

Cyber pros are scrambling to stay up-to-date as the businesses they work for quickly roll out AI tools and keep expanding their cloud initiatives.

5 CVEs in Microsoft's October Update to Patch Immediately

Threat actors are actively exploiting two of the vulnerabilities, while three others are publicly known and ripe for attack.

Healthcare's Grim Cyber Prognosis Requires Security Booster

As healthcare organizations struggle against operational issues, two-thirds of the industry suffered ransomware attacks in the past year, and an increasing number are caving to extortion and paying up.

The Perils of Ignoring Cybersecurity Basics

The massive outage involving a faulty Falcon update is an excellent illustration of what happens when organizations neglect security fundamentals.

How Major Companies Are Honoring Cybersecurity Awareness Month

The annual event reinforces best practices while finding new ways to build a culture where employees understand how their daily decisions affect company security. Find out how AWS, IBM, Intuit, SentinelOne, and Gallo are spreading the word.

GorillaBot Goes Ape With 300K Cyberattacks Worldwide

Among those affected by all this monkeying around with DDoS in September were some 4,000 organizations in the US.

Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations.

CISO Paychecks: Worth the Growing Security Headaches?

CISOs' cash compensation tops $400,000 now, but with the high pay comes struggles, rapidly changing responsibilities, and tight budgets.

Malicious Chrome Extensions Skate Past Google's Updated Security

Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.

Single HTTP Request Can Exploit 6M WordPress Sites

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

What the White House Should Do Next for Cyber Regulation

Creating a new office of cyber-regulation strategy is the government's best opportunity to improve security and to protect Americans in an increasingly dangerous world.

Name That Edge Toon: And For My Next Trick ...

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

MITRE Launches AI Incident Sharing Initiative

The collaboration with industry partners will improve collective AI defenses. Trusted contributors receive protected and anonymized data on real-world AI incidents.

iPhone 'VoiceOver' Feature Could Read Passwords Aloud

CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

The successful disruption of notorious Russian hacker group Star Blizzard's operations arrives one month out from the US presidential election — one of the APT's prime targets.

CISA Adds High-Severity Ivanti Vulnerability to KEV Catalog

Ivanti reports that the bug is being actively exploited in the wild for select customers.

Ukraine-Russia Cyber Battles Tip Over Into the Real World

"Pig butchering," generative AI, and spear-phishing have all transformed digital warfare.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

NSA Releases 6 Principles of OT Cybersecurity

Organizations can use this guide to make decisions for designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as enable business continuity for critical services.

Unix Printing Vulnerabilities Enable Easy DDoS Attacks

All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.

LockBit Associates Arrested, Evil Corp Bigwig Outed

A global operation cuffed four LockBit suspects and offered more details into the org chart of Russia's infamous Evil Corp cybercrime gang.

Cyberattackers Use HR Targets to Lay More_Eggs Backdoor

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.