Wednesday, August 10, 2022

Software Development Pipelines Offer Cybercriminals 'Free-Range' Access to Cloud, On-Prem

A Q&A with NCC Group's Viktor Gazdag ahead of a Black Hat USA session on CI/CD pipeline risks reveals a scary, and expanding, campaign vector for software supply chain attacks and RCE.

Microsoft Patches Zero-Day Actively Exploited in the Wild

The computing giant issued a massive Patch Tuesday update, including a pair of remote execution flaws in the Microsoft Support Diagnostic Tool (MSDT) after attackers used one of the vulnerabilities in a zero-day exploit.

Halo Security Emerges From Stealth With Full Attack Surface Management Platform

The latest startup to enter the attack surface management space also has a free scanning service to audit the contents of any website.

Cybrary Unveils Next-Generation Interactive, Hands-On Training Experience to Upskill Cybersecurity Professionals

New SOC Analyst Assessment delivers threat-informed training in a live lab environment to help cybersecurity professionals defend their organizations against the latest adversarial tactics and techniques.

Researchers Debut Fresh RCE Vector for Common Google API Tool

The finding exposes the danger of older, unpatched bugs, which plague at least 4.5 million devices.

Abusing Kerberos for Local Privilege Escalation

Upcoming Black Hat USA presentation will examine the implications of Kerberos weaknesses for security on the local machine.

Domino's Takes a Methodical Approach to IoT

The success of Domino's Flex IoT project can be attributed in large part to the security best practices it followed.

Russia-Ukraine Conflict Holds Cyberwar Lessons

Initial attacks used damaging wiper malware and targeted infrastructure, but the most enduring impacts will likely be from disinformation, researchers say. At Black Hat USA, SentinelOne's Juan Andres Guerrero-Saade and Tom Hegel will discuss.

US Oil and Gas Sector at Risk of a Cyberbreach, According to BreachBits Study

Study offers a cyber "state of the industry" analysis from a hacker's perspective to help companies anticipate attacks.

Netscout Arbor Insight Leverages Patented ASI Technology to Enhance Security and Operational Awareness for Network Operators of Any Scale

Extends all aspects of the Arbor Sightline solution with unique, real-time multidimensional DDoS and traffic analytics capabilities.

Lacework Updates Threat Detection To Uncover More Malicious Activity and Speed Investigation at Scale

New time series model and enhanced alerting experience make it easy for organizations to address more threats in the cloud while enabling faster investigations.

Don't Take the Cyber Safety Review Board's Log4j Report at Face Value

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

Machine-learning algorithms alone may miss signs of a successful attack on your organization.

10 Malicious Code Packages Slither into PyPI Registry

The discovery adds to the growing list of recent incidents where threat actors have used public code repositories to distribute malware in software supply chain attacks.

Dark Reading News Desk: Live at Black Hat USA 2022

LIVE: Dark Reading News Desk at Black Hat USA 2022

Deepfakes Grow in Sophistication, Cyberattacks Rise Following Ukraine War

A rising tide of threats — from API exploits to deepfakes to extortionary ransomware attacks — is threatening to overwhelm IT security teams.

HYAS Infosec Announces General Availability of Cybersecurity Solution for Production Environments

HYAS Confront provides total visibility into your production environment, giving you insight into potential issues like cyber threats before they become problems.

We Have the Tech to Scale Up Open Source Vulnerability Fixes — Now It's Time to Leverage It

Q&A with Jonathan Leitschuh, inaugural HUMAN Dan Kaminsky Fellow, in advance of his upcoming Black Hat USA presentation.

What Adjustable Dumbbells Can Teach Us About Risk Management

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

Pipeline Operators Are Headed in the Right Direction, With or Without TSA's Updated Security Directives

A worsening threat landscape, increased digitization, and the long-term positive effects of modern security strategies are pushing critical infrastructure operators to do better.

Phishers who breached Twilio and fooled Cloudflare could easily get you, too

Enlarge (credit: Getty Images) At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not...
Brian Krebs

Microsoft Patch Tuesday, August 2022 Edition

Microsoft today released updates to fix a record 141 security vulnerabilities in its Windows operating systems and related software. Once again, Microsoft is patching a zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows....

One of 5G's Biggest Features Is a Security Minefield

New research found troubling vulnerabilities in the 5G platforms carriers offer to wrangle embedded device data.
The Register

Patch Tuesday: Yet another Microsoft RCE bug under active exploit

Oh, and that critical VMware auth bypass vuln? Miscreants found it, too August Patch Tuesday clicks off the week of hacker summer camp in Las Vegas this year, so it's basically a code cracker's holiday too. …