A growing group of OWASP members and board leaders are calling for the AppSec group to make big changes to stay apace with modern development.
About 50 WordPress blogs have been backdoored with a plugin called fuser-master. This plugin is being triggered via popunder traffic from a large ad network. The WordPress sites are loaded on a separate page underneath and display a number of ads.
CatB is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022. The CatB threat actor does not offer a web portal (on TOR or otherwise) to name and shame victims.
Fortinet has released security updates for its FortiNAC and FortiWeb products, addressing two critical-severity vulnerabilities that may allow unauthenticated attackers to perform arbitrary code or command execution.
There’s a new malware threat to Microsoft Internet Information Services (IIS) servers dubbed Frebniss. Discovered by Symantec's Threat Hunter Team, the malware abuse 'Failed Request Event Buffering' (FREB) feature of IIS that is responsible for collecting request metadata such as IP addresses, HTTP show more ... headers, and cookies. By abusing the FREB component, it becomes relatively easier for hackers to evade detection.
Out of a total of seven security defects, five are described as deserialization of untrusted data issues that could be exploited to achieve command execution. Four of them have a CVSS score of 8.8.
Researchers at Unit42 laid bare a Mirai botnet variant dubbed V3G4 that compromised hosts by abusing several vulnerabilities in products from DrayTek, Geutebruck, FreePBX, Atlassian, and others. The botnet infected exposed servers and networking devices running on Linux OS. Successful exploitation of the bugs could let hackers take full control of the hosts and make them a part of the botnet.
Twitter has announced that it's limiting the use of SMS-based two-factor authentication (2FA) to its Blue subscribers. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors," the company said. "We will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers."
Web hosting services provider GoDaddy on Friday disclosed a multi-year security breach that enabled unknown threat actors to install malware and siphon source code related to some of its services. The company attributed the campaign to a "sophisticated and organized group targeting hosting services." GoDaddy said in December 2022, it received an unspecified number of customer complaints about
