Thursday, May 19, 2022

6 Scary Tactics Used in Mobile App Attacks

Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Phishing Attacks for Initial Access Surged 54% in Q1

For the first time in a year, security incidents involving email compromises surpassed ransomware incidents, a new analysis shows.

MITRE Creates Framework for Supply Chain Security

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

CISA to Federal Agencies: Patch VMWare Products Now or Take Them Offline

Last month attackers quickly reverse-engineered VMWare patches to launch RCE attacks. CISA warns it's going to happen again.

How Pwn2Own Made Bug Hunting a Real Sport

From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

Lacework Integrates Kubernetes Features to Enhance Security Across Multi-Cloud Environments

Polygraph Data Platform adds Kubernetes audit log monitoring, integration with Kubernetes admission controller, and Infrastructure as Code (IaC) security to help seamlessly integrate security into developer workflows.

CISA: Unpatched F5 BIG-IP Devices Under Active Attack

Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.

The Industry Must Better Secure Open Source Code From Threat Actors

Build security in up front to secure open source code at the foundational level. Apply security controls, have engineering teams test, do code review, and use attacker-centric behavioral analytics to mitigate threats.

Microsoft Flags Attack Targeting SQL Servers With Novel Approach

Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.

2022: The Year Zero Trust Becomes Mainstream

It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.

How Threat Actors Are a Click Away From Becoming Quasi-APTs

As demonstrated in Ukraine and elsewhere, the battlefield for today's warriors extends to the virtual realm with cyber warfare.

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

FBI: E-Tailers, Beware Web Injections for Scraping Credit-Card Data, Backdoors

Law enforcement is warning about a wave of Web injection attacks on US online retailers that are successfully stealing credit-card information from online checkout pages.

New Venture Capital Fund Focuses on Emerging Cybersecurity Tech

The founders behind more than 90 cybersecurity firms have set up a $300 million investment fund.

(ISC)² Unveils 100K in the UK Scheme to Expand the UK Cybersecurity Workforce with 100,000 Free Entry-Level Certification Exams and Education Opportunities

Multi-million-pound commitment will empower everyone from recent graduates to career changers to IT professionals in the UK to begin a successful career in cybersecurity.

Widespread Attack on WordPress Sites Targets Tatsu Builder Plug-in

A widespread attack is underway to exploit known RCE flaw in Tatsu Builder WordPress plug-in, according to a new report.

Training to Beat a Bad Cybersecurity Culture

Creating a company culture for security may need to start by tearing down an anti-security culture.

Local Government's Guide to Minimizing the Risk of a Cyberattack

Most local leaders lack cybersecurity resources so they don't know where their weaknesses are and which areas threat actors are most likely to target, with little focus or understanding of risk.

Google Cloud Aims to Share Its Vetted Open Source Ecosystem

The online giant analyzes, patches, and maintains its own versions of open source software, and now the company plans to give others access to its libraries and components as a subscription.
SecurityWeek

Phishers Add Chatbot to the Phishing Lure

Researchers have discovered a new approach being taken by phishers to increase victim engagement and confidence: the addition of an interactive chatbot. We have all become accustomed to the chatbots used by many of the largest service providers –...
SecurityWeek

QuSecure Lauches Quantum-Resilient Encryption Platform

New firm launches to provide the Easy Button for implementing quantum secure encryption The pressure to implement quantum secure encryption is increasing. This isn’t because functioning quantum computers able to crack asymmetric encryption are expected tomorrow, but because of the...
The Register

Iran, China-linked gangs join Putin’s disinformation war online

They're using the invasion 'to take aim at the usual adversaries,' Mandiant told The Reg Pro-Beijing and Iran miscreants are using the war in Ukraine to spread disinformation that supports these countries' political interests — namely, advancing anti-Western narratives...

6 Scary Tactics Used in Mobile App Attacks

Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.