
Fat Patch Tuesday, February 2024 Edition

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks. Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut … Read more

U.S. Organizations Targeted in Bumblebee Malware Campaign

A number of U.S.-based organizations were targeted with emails last week that attempted to spread the well-known Bumblebee malware. The campaign uses a slightly modified attack chain for Bumblebee and marks the return of the malware after a four-month absence from the threat landscape. Bumblebee is a sophisticated downloader first spotted in March 2022, which … Read more

QNAP Fixes Pair of Command Injection Flaws

QNAP has fixed two vulnerabilities in its QTS and QuTS hero operating systems, including a high-severity command-injection bug that could allow an attacker to execute arbitrary code on a vulnerable device. The vulnerability exists in several versions of the operating systems, which run on various QNAP network-attached storage devices, including many enterprise-grade appliances. Stephen Fewer, … Read more

Attackers target new Ivanti XXE vulnerability days after patch

Days after Ivanti announced patches for a new vulnerability in its Connect Secure and Policy Secure products, proof-of-concept exploit code has already been published for the flaw and security companies are reporting exploitation attempts in the wild. This follows a difficult month for Ivanti customers who had to deploy emergency mitigations and patches for three … Read more

Tool sprawl is hurting application security, US CSOs say

Eight of the top 10 data breaches in 2023 can be attributed to application attack surfaces, as attackers shift their focus from classic infrastructure misconfigurations to vulnerable applications and APIs, according to a study from CrowdStrike. Those eight breaches alone exposed around 1.7 billion records, according to the study, which surveyed 400 US-based security professionals … Read more

AI adoption in security taking off amid budget, trust, and skill-based issues

While the application of AI has picked up in cybersecurity, large-scale adoption still suffers from a lack of expertise, budget, and trust, according to a MixMode report. The report, commissioned through the Ponemon Institute, surveyed 641 IT and security practitioners in the US to understand the state of AI in cybersecurity and found the adoption … Read more

How to strengthen your Kubernetes defenses

The runaway success of Kubernetes adoption by enterprise software developers has created motivation for attackers to target these installations with specifically designed exploits that leverage its popularity. Attackers have become better at hiding their malware, avoiding the almost trivial security controls, and using common techniques such as privilege escalation and lateral network movement to spread … Read more

A changing world requires CISOs to rethink cyber preparedness

Following a tumultuous 2023, it might seem remarkable to suggest that 2024 could bring unprecedented security events to world affairs. Yet many factors suggest this will be the case. Around 50 countries will vote in 2024, including the world’s three largest democracies and several nations in geopolitical hotspots. Ten of those countries will send nearly … Read more

High-profile incidents put spotlight on non-production system security

In 2018, the US Federal Trade Commission (FTC) entered into a settlement with Uber over the company’s data privacy and protection practices. The FTC alleged that Uber software engineers developed and tested software that could connect to cloud-hosted data while the company applied inadequate cloud access controls to its test environments. In connection with this case, the Commission … Read more