Saturday, June 25, 2022

LATEST

Security Affairs

Oracle spent 6 months to fix ‘Mega’ flaws in the Fusion Middleware

Researchers disclose technical details of a critical flaw in Fusion Middleware, tracked as CVE-2022-21445, that Oracle took six months to patch. Security researchers have published technical details of a critical Fusion Middleware vulnerability, tracked as CVE-2022-21445, that was reported to...
Security Affairs

Multiple malicious packages in PyPI repository found stealing AWS secrets

Researchers discovered multiple malicious Python packages in the official PyPI repository stealing AWS credentials and other info. Sonatype researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal secrets (i.e. AWS credentials and environment...
The Register

We’re now truly in the era of ransomware as pure extortion without the encryption

Why screw around with cryptography and keys when just stealing the info is good enough. Feature: US and European cops, prosecutors, and NGOs recently convened a two-day workshop in the Hague to discuss how to respond to the growing...
The Hacker News

Learn NIST Inside Out With 21 Hours of Training @ 86% OFF

In cybersecurity, many of the best jobs involve working on government projects. To get a security clearance, you need to prove that you meet NIST standards. Cybersecurity firms are particularly interested in people who understand the RMF, or Risk Management...

EXCLUSIVE: Meta Failed To Protect Instagram’s Child Models From Pedophiles

A photographer accused of selling photos to pedophiles is allowed back on Instagram. Forbes alerts Meta to over a dozen accounts with over half a million followers sexualizing child and teenage models. Now the tech giant is coming under...
The CyberWire Podcast

Lazarus Targets Chemical Sector With 'Dream Job.' [Research Saturday]

Alan Neville, a Threat Intelligence Analyst from Symantec Broadcom, joins Dave to discuss their research "Lazarus Targets Chemical Sector." Symantec has observed the North Korea-linked threat group known as Lazarus conducting...

Weekly Update 301

Presently sponsored by: Varonis for Salesforce. Protect Salesforce data from overexposure and cyberthreats. Try it free! First up, I'm really sorry about the audio quality on this one. It's the exact same setup I used last week (and carefully tested...
MSRC

A Man of Action: Meet Callum Carney

Hidden Talents: He was a competitive swimmer for many years. Instrument of Choice: His fingers were made for the keyboard, but he used to play the trumpet. 5 pieces of entertainment for the rest of his life: The Office,...

Threat Intelligence Services Are Universally Valued by IT Staff

Most of those surveyed are concerned about AI-based attacks and deepfakes, but suggest that their organization is ready.
The Register

More than $100m in cryptocurrency stolen from blockchain biz

'A humbling and unfortunate reminder' that monsters lurk under bridges Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.…

Why We're Getting Vulnerability Management Wrong

Security is wasting time and resources patching low or no risk bugs. In this post, we examine why security practitioners need to rethink vulnerability management.
Bruce Schneier

Friday Squid Blogging: Squid Cubes

Researchers thaw squid frozen into a cube and often make interesting discoveries. (Okay, this is a weird story.) As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read...
The CyberWire Podcast

Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakhstan. Tabletop exercises. Ransomware as misdirection.

Lithuania's NKSC warns of increased DDoS threat. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Hey,...
Infosecurity Magazine

#InfosecurityEurope2022: Preparing for Future Challenges and Opportunities

The closing keynote panel explored how we can anticipate the future of cybercrime

APT Groups Swarming on VMware Servers with Log4Shell

CISA tells organizations running VMware servers without Log4Shell mitigations to assume compromise.

Mitek launches MiVIP platform to fight identity theft

A new easy-to-deploy identity platform was announced this week to help address growing concerns about identity theft. The Mitek Verified Identity Platform (MiVIP) melds the company's mobile technologies with those of its recent acquisitions to give its customers flexible...
TechRepublic

Black Basta may be an all-star ransomware gang made up of former Conti and REvil members

The group has targeted 50 businesses from English-speaking countries since April 2022.
Computerworld

The surveillance-as-a-service industry needs to be brought to heel

Here we go again: another example of government surveillance involving smartphones from Apple and Google has emerged, and it shows how sophisticated government-backed attacks can become and why there's justification for keeping mobile platforms utterly locked down. What has happened? I...
TechRepublic

Best cybersecurity certifications in 2022

Solidify your skills as a cybersecurity professional by becoming certified. Here is a list of some of the best cybersecurity certifications available today.

Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say

A new study says 97% of open source vulnerabilities linked to software supply chain risks are not attackable — but is "attackability" the best method for prioritizing bugs?
Computerworld

Italian spyware firm is hacking into iOS and Android devices, Google says

Google's Threat Analysis Group (TAG) has identified Italian vendor RCS Lab as a spyware offender, developing tools that are being used to exploit zero-day vulnerabilities to effect attacks on iOS and Android mobile users in Italy and Kazakhstan. According to a...

OpenSSL issues a bugfix for the previous bugfix

Fortunately, it's not a major bugfix, which means it's easy to patch and can teach us all some useful lessons.
Infosecurity Magazine

#InfosecurityEurope2022: The Interactivity Between Nation-State Attackers and Organized Crime Gangs

Geoff White also touched upon the emerging world of cryptocurrency theft
Security Affairs

Threat actors continue to exploit Log4Shell in VMware Horizon Systems

The U.S. CISA and the Coast Guard Cyber Command (CGCYBER) warn of attacks exploiting the Log4Shell flaw in VMware Horizon servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), published a joint...
Infosecurity Magazine

#InfosecurityEurope2022: Security awareness must be in the moment

Annual or quarterly security training will not protect organizations from phishing and other human threats

LEADERS

Bruce Schneier

On the Dangers of Cryptocurrencies and the Uselessness of Blockchain

Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are a complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is...
Graham Cluley

Amazon thinks it’s really cool that Alexa can mimic your dead grandma’s voice

Amazon has demonstrated an experimental feature that demonstrates how a child can choose to have a bedside story read to him by his Alexa... using his dead grandmother's voice.
Graham Cluley

NHS warns of scam COVID-19 text messages

The UK's National Health Service has warned the public about a spate of fake messages, sent out as SMS text messages, fraudulently telling recipients that they have been exposed to the Omicron variant of COVID-19. Read more in my article...