Tuesday, January 31, 2023
Internet Storm Center Infocon Status

LATEST

GitHub says hackers cloned code-signing certificates in breached repository

Enlarge GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom. Code-signing certificates place...
Security Affairs

QNAP addresses a critical flaw impacting its NAS devices

Taiwanese vendor QNAP is warning customers to install QTS and QuTS firmware updates to address a critical flaw impacting its NAS devices. QNAP released QTS and QuTS firmware updates to address a critical vulnerability, tracked as CVE-2022-27596 (CVSS v3 score: 9.8), that...
The Register

Chromebook SH1MMER exploit promises admin jailbreak

Schools' laptops are out if this one gets around, but beware bricking Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER.…

MusicLM: Google AI generates music in various genres at 24 kHz

Enlarge / An AI-generated image of an exploding ball of music. (credit: Ars Technica) On Thursday, researchers from Google announced a new generative AI model called MusicLM that can create...

Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine

The incidents are the latest indication of the growing popularity of dangerous disk wipers, created to disrupt and degrade critical infrastructure and other organizations.
The CyberWire Podcast

Criminal evolutions, disgruntled insiders, and gangsta wannabes. New wiper attacks hit Ukrainian targets, with less effect than the first rounds early last year. And support your local hacktivist?

Gootloader's evolution. Yandex source code leaked (and Yandex blames a rogue insider). New GRU wiper malware is active against Ukraine. Latvia reports cyberattacks by Gamaredon. Russia and the US trade accusations...

Cybercrime Ecosystem Spawns Lucrative Underground Gig Economy

The complex nature of cyberattacks has increased demand for software developers, reverse engineers, and offensive specialists — attracting workers facing financial insecurity.
The Register

The wages of sin aren’t that great if you’re a developer choosing the dark side

Salary report shows OKish pay, plus the possibility of getting ripped off and the whole prison thing Malware developers and penetration testers are in high demand across dark web job posting sites, with a few astonishing - but mostly...

10M JD Sports Customers' Info Exposed in Data Breach

UK sportswear retailer asks exposed customers to stay "vigilant" against phishing attempts following cyberattack.

IT and Security Professionals Spend an Average of 4,300 Hours Annually Achieving or Maintaining Compliance

New research from Drata shows compliance remains a business challenge for many organizations.

Make Developers the Driver of Software Security Excellence

Those who are wrangling code every day could fuel a genuinely transformational approach to security — if they are adequately upskilled.
The Register

Gootloader malware updated with PowerShell, sneaky JavaScript

Perhaps a good time to check for unwelcome visitors The operators behind Gootloader, a crew dubbed UNC2565, have upgraded the code in cunning ways to make it more intrusive and harder to find.…

Facebook Bug Allows 2FA Bypass Via Instagram

The Instagram rate-limiting bug, found by a rookie hunter, could be exploited to bypass Facebook 2FA in vulnerable apps, researcher reports.

BrandPost: What’s Next in Securing Healthcare

Over the last decade, healthcare has offered new lines of services such as telehealth and remote patient monitoring, expanded accessibility and ease for both patients and healthcare professionals, and supported innovations that measurably improve patient outcomes. It’s a profound...
Reduce Cyber Risk

RCR 107: Conduct Security Control Testing (CISSP Domain 6)

Description: Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career....
Infosecurity Magazine

JD Sports Confirms Breach Affected 10 Million Customers

The cyber-attack hit the company between November 2018 and October 2020

Serious Security: The Samba logon bug caused by outdated crypto

Enjoy our Serious Security deep dive into this real-world example of why cryptographic agility is important!

Fake Texts From the Boss, Bogus Job Postings and Frankenstein Shoppers — Oh My!

Experian’s annual Future of Fraud Forecast highlights five fraud threats facing businesses and consumers in 2023.

Massive Yandex code leak reveals Russian search engine’s ranking factors

Enlarge / The Russian logo of Yandex, the country's largest search engine and a tech company with many divisions, inside the company's headquarters. (credit: SOPA Images / Getty Images) Nearly...

Convincing, Malicious Google Ads Look to Lift Password Manager Logins

Users searching for Bitwarden and 1Password's Web vaults on Google have recently reported seeing paid ads with links to cleverly spoofed sites for stealing credentials to their password vaults.
TechRepublic

Get nine ethical hacking courses for just $30

Learn some of today's most popular attacks and how to mitigate them with The All-in-One Ethical Hacking & Penetration Testing Bundle. The post Get nine ethical hacking courses for just $30 appeared first on TechRepublic.
Infosecurity Magazine

Hackers Use TrickGate Software to Deploy Emotet, REvil, Other Malware

Threat actors used TrickGate to conduct between 40 and 650 attacks per week in the last two years
990FollowersFollow

LEADERS

Graham Cluley

Latvia says Russian hackers tried to phish its Ministry of Defence

The Kremlin-backed Gamaredon hacking group is being blamed for an attempted phishing attack against the Latvian Ministry of Defence. Read more in my article on the Hot for Security blog.
Graham Cluley

If a locked filing cabinet is stolen along with its key, can you say it’s still locked? GoTo thinks you can

GoTo says that hackers stole its customers' "encrypted backups." But they also say the hackers stole the decryption keys. To say the backups were encrypted is a bit like trying to argue that a locked box is locked, if the...
Graham Cluley

Hackers steal 10 million customer details from JD Sports

If you've purchased trainers from sports fashion retailer JD Sports in the past, your personal details could now be in the hands of hackers. Read more in my article on the Hot for Security blog.
Bruce Schneier

NIST Is Updating Its Cybersecurity Framework

NIST is planning a significant update of its Cybersecurity Framework. At this point, it’s asking for feedback and comments to its concept paper. Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)? Are the proposed changes sufficient...

Weekly Update 332

Presently sponsored by: CrowdSec - Gain crowd-sourced protection against malicious IPs and benefit from the most accurate CTI in the world. Get started for free.Breaches all over the place today! Well, this past week, and there's some debate as...