There's no getting away from the whole smart-home thing these days. Even if you're not a fan, it's getting harder to find a non-smart TV, while air-con systems and refrigerators are increasingly Wi-Fi-enabled. If you're interested in modern technology, most likely you're already kitted out with smart speakers, remote-control electric sockets, and so on. Some of all this tech-smartness is just for fun, but many of the features really do save kilowatts, hours — and nerves. So what's the best way to set up a smart home?

Two smart-home approaches

Before you start setting up your smart home, answer these two questions: Do you understand why you need one? How much are you willing to spend on adapting a home so it is — or becomes — smart?

If you do understand why and are ready to get stuck in, it makes sense to go for a turnkey system: study all the features, select an integrated automation system, and buy a smart-home controller and compatible peripherals. And it's a good idea to do this during renovations or, if possible, construction. If you have no smart-home experience yet, are renting an apartment, or aren't quite sure whether you need a smart home, start with just some particular solutions that look useful to you. After getting to grips with them, you could then think about acquiring a more overarching system.

Let's take a look at the pros and cons of both approaches, and illustrate them with some examples from Kaspersky employees.

Turnkey smart home

A smart home designed and built on a turnkey basis features centralized management of multiple household tasks, typically combined into automation scenarios. These scenarios can be run manually or automatically according to certain criteria. For example, when approaching your vacation home in winter, you tap a button on your phone, and the house turns on the heating and garage lights, switches off the alarm, and even plays some ambient music in the lounge. At night, when the CO2 monitor in the bedroom detects stuffiness, the house switches on the ventilation automatically and heats the fresh air to the desired temperature.

Such a system requires smart controllers in the heating, lighting, ventilation, multimedia and other systems, and, most importantly, a centralized controller that receives commands from smartphones, sensors, and remotes inside the house, and sends them to endpoint devices. The controller market is populated by reasonably well-known niche players (Abode, Belkin WeMo, Fibaro, Hubitat, etc.) as well as consumer electronics and home-improvement giants (Amazon with Echo Plus, Ikea with Trådfri, Philips Hue, etc.). As a rule, the controller can be managed via remotes, smartphones, and voice assistants, but vendors also offer control options that use a local network without an internet connection. Typically, the controller uses a dedicated smart-home protocol — such as Zigbee, Z-Wave, or Thread — but there are other ecosystems that rely mainly on Wi-Fi and Bluetooth (for example, Apple HomeKit). Hybrid options are also possible (more about them below). Zigbee, Z-Wave, and Thread sensors and regulators communicate only with systems inside the home. They have no internet access and broadcast for very short periods, so they use little power and don't slow down your Wi-Fi.

We should also mention the new Thread-based standard, Matter, which aims to tackle the key problem of smart homes: how to integrate devices from different vendors operating on different protocols into a single system. Thanks to Matter, it's expected that all smart accessories from most market leaders will be able to talk to each other with minimal configuration adjustments. Amazon, Apple, Google, Haier, Huawei, IKEA, Legrand, LG, Lutron, Midea, Oppo, Samsung, Schneider, and Somfy have all announced Matter support, which bodes well for its future. But the specs were approved only last summer, so a wide range of Matter devices should only hit the stores closer to the end of 2023. That said, some devices have already been promised a software upgrade to Matter, such as IKEA's new Dirigera hub.

So, if your house is just being built and the electronics (and wiring in the walls) won't be done till later in the year, keep Matter in mind. If you or the house can't wait that long, you'll have to choose an older technical solution.

Besides convenient automation, an integrated approach to building your smart home means the radio frequencies are less congested by a multitude of Wi-Fi devices like smart bulbs operating in a non-coordinated manner. Also, smart home cybersecurity issues can be sorted out centrally at the controller level. Lastly, you'll save money in the long run through more efficient use of resources (like heat, water, and electricity).

The cons of this approach are the reverse side of the pros. First, you'll have to figure out in advance what to build into your home: lighting groups, temperature control zones, air-con systems, sensors for anything and everything. Second, you need to prepare for a large upfront bill: most of the equipment will have to be bought simultaneously. Finally, a note about the risks associated with the psychology of the different members of a household. If any are technophobes, they'll struggle to get to grips with the workings of the smart home. To get around this problem, physical switches and controls duplicating their smart counterparts will be required. Something like a voice assistant is also desirable. Incidentally, physical switches will come to the rescue in the event of a major automation failure or cyberattack.

Alex: I planned my smart home back when I was renovating. There are eight underfloor heating zones, six radiators, and 32 light sources — all of which can be controlled locally, without an internet connection. I originally designed the system to be as invisible as possible to us living here, while also being accessible to guests who aren't used to smart homes. Among the features are air-con and ventilation control, multiple lighting scenarios, motion sensors for turning lights on and off, sensors for a water leak (that turns the water off if one is detected), and full voice control. We're all totally comfortable with operating the smart home, and the kids have stopped using the wall switches altogether and control the home by voice alone.

Smart home bit-by-bit

It's also possible to build your smart home piece by piece, step by step. In doing so, the must-have devices include things like smart TVs, smart speakers with voice assistant, robot vacuum cleaner, baby monitor, doorbell with peephole cam, Wi-Fi outlets, and brightness-and-color-adjustable lights. According to our report, smart speakers (24%) and video surveillance systems with Wi-Fi (20%) are currently the most common pieces of smart kit. It makes sense to go smart when you need the basic function of the device anyway, such as a TV or peephole cam. When making your choice, read carefully about all the smart features, and think about the everyday situations in which they might help. If everything looks good, check out the reviews of other buyers: maybe some feature doesn't work that well after all.

Alexander: First, I bought smart bulbs from IKEA, a smart speaker with voice assistant, and a Mi Home button. Then I added an infrared emitter to Mi Home to control the air-con. I also bought a breather with a CO2 sensor, which, as it turned out, doesn't integrate with anything. We ended up turning the light bulbs and smart speaker off, while the smart remote for the air-con proved most popular.

The great thing about individual smart solutions is that they work out-of-the-box — no setup required. In most cases, they communicate via Wi-Fi with the vendor's cloud servers and are controlled from a proprietary app on your smartphone, with no need to fork out for additional controllers.

The drawbacks, alas, are also sizeable. The more smart devices you get, the harder it is to manage each of them from a separate app. Combining them into scenarios is highly problematic. Some solutions may be able to integrate with Apple HomeKit or Amazon Alexa, but seamless operation is not guaranteed. Multiple Wi-Fi devices pollute the airwaves, can interfere with each other, and slow down data speeds for important networking tasks — be that gaming or video conferencing. Each standalone internet-connected device creates new security risks. For example: surveillance cams are accessible to outsiders; hackers can talk with family members through a baby monitor; a smart TV remote can eavesdrop on you; smart bulbs can be used to launch DDoS attacks; and a robot vacuum cleaner can take pictures of you. These problems can be partially solved through correct configuration, which we'll cover in a separate post.

Olga: We bought a smart speaker (Yandex.Station) and some Aqara devices. I thought this would be fun, but not worth the money. I was wrong: it turned out very handy! We can switch the lights, coffee machine, and alarm on and off by voice. And we're always talking to the smart speaker, asking for a weather forecast or music.

Hybrid solutions

Some vendors like to hide a whole army of devices built on different technologies under a common name. A striking example is Xiaomi, which makes humidifiers and vacuum cleaners that go online autonomously, as well as Zigbee-enabled bulbs. It's a similar story with Apple HomeKit, which uses a variety of technologies to control devices from the single Home app: Wi-Fi, Bluetooth, control through a home hub hidden in Apple TV, integration with Zigbee hubs like Philips Hue, and support for the new Matter protocol. There is a definite advantage to this: you can buy and use the device separately, then integrate it into the overall automation system.

The disadvantage of the hybrid approach is having to pay again for duplicate technologies in different devices, not to mention again the security risks, malfunctions, and clogging of the airwaves. Another important point is vendor lock-in: with Apple or Xiaomi, it's somewhat easier to grow your smart home from disparate solutions. But if you suddenly need a device that is not in your vendor's product line, connecting it to your smart home will be a big problem. Even worse is if the manufacturer of your smart home components radically changes its strategy or goes out of business and stops supporting online services or releasing updates, which has been known to happen. That's another reason why it's important that devices have alternative control methods, for example, physical switches.

Ilya: I got rid of my Wi-Fi smart home features because they didn't work without the internet. I switched to Zigbee gateways. I also ditched Xiaomi in favor of Tuya due to compatibility problems for different regions. The new system permitted smart two-way switches, so you can control the lighting in long corridors from anywhere without rewiring. We also have smart curtains that draw automatically when the lights go on or it gets dark, and smart outlets make it easy to turn off the iron, even if you're not home.

What's useful and what's not?

Unfortunately, few people will be able to figure out in advance which smart home features they really need, and which will just be a bit of fun for a couple of weeks. As our colleagues' experience shows, some users for example don't need voice control at all, while others can't live without it. Plan your smart home budget and implementation so that no scenario hits you hard in the pocket or comfort-wise: for instance, when planning centralized control of lighting and heating, don't forget about the good old-fashioned manual switches.

And, of course, get ready to protect your smart home from cyberthreats — stay tuned for more details on those in a separate post…
Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number. Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.

Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “Tmobile up!” or “Tmo up!” message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber. The information required from the customer of the SIM-swapping service includes the target’s phone number, and the serial number tied to the new SIM card that will be used to receive text messages and phone calls from the hijacked phone number.

Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various “Tmo up!” posts from each day and working backwards from Dec. 31, 2022. But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.

The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools.

KrebsOnSecurity shared a large amount of data gathered for this story with T-Mobile. The company declined to confirm or deny any of these claimed intrusions. But in a written statement, T-Mobile said this type of activity affects the entire wireless industry. “And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

TMO UP!

While it is true that each of these cybercriminal actors periodically offers SIM-swapping services for other mobile phone providers — including AT&T, Verizon and smaller carriers — those solicitations appear far less frequently in these group chats than T-Mobile swap offers. And when those offers do materialize, they are considerably more expensive. The prices advertised for a SIM-swap against T-Mobile customers in the latter half of 2022 ranged between USD $1,000 and $1,500, while SIM-swaps offered against AT&T and Verizon customers often cost well more than twice that amount.

To be clear, KrebsOnSecurity is not aware of specific SIM-swapping incidents tied to any of these breach claims. However, the vast majority of advertisements for SIM-swapping claims against T-Mobile tracked in this story had two things in common that set them apart from random SIM-swapping ads on Telegram. First, they included an offer to use a mutually trusted “middleman” or escrow provider for the transaction (to protect either party from getting scammed). More importantly, the cybercriminal handles that were posting ads for SIM-swapping opportunities from these groups generally did so on a daily or near-daily basis — often teasing their upcoming swap events in the hours before posting a “Tmo up!” message announcement.

In other words, if the crooks offering these SIM-swapping services were ripping off their customers or claiming to have access that they didn’t, this would be almost immediately obvious from the responses of the more seasoned and serious cybercriminals in the same chat channel. There are plenty of people on Telegram claiming to have SIM-swap access at major telecommunications firms, but a great many such offers are simply four-figure scams, and any pretenders on this front are soon identified and banned (if not worse).

One of the groups that reliably posted “Tmo up!” messages to announce SIM-swap availability against T-Mobile customers also reliably posted “Tmo down!” follow-up messages announcing exactly when their claimed access to T-Mobile employee tools was discovered and revoked by the mobile giant. A review of the timestamps associated with this group’s incessant “Tmo up” and “Tmo down” posts indicates that while their claimed access to employee tools usually lasted less than an hour, in some cases that access apparently went undiscovered for several hours or even days.

TMO TOOLS

How could these SIM-swapping groups be gaining access to T-Mobile’s network as frequently as they claim? Peppered throughout the daily chit-chat on their Telegram channels are solicitations for people urgently needed to serve as “callers,” or those who can be hired to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.

Allison Nixon is chief research officer for the New York City-based cybersecurity firm Unit 221B. Nixon said these SIM-swapping groups will typically call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the person on the other end of the line to visit a phishing website that mimics the company’s employee login page.

Nixon argues that many people in the security community tend to discount the threat from voice phishing attacks as somehow “low tech” and “low probability” threats. “I see it as not low-tech at all, because there are a lot of moving parts to phishing these days,” Nixon said. “You have the caller who has the employee on the line, and the person operating the phish kit who needs to spin it up and down fast enough so that it doesn’t get flagged by security companies. Then they have to get the employee on that phishing site and steal their credentials.”

In addition, she said, often there will be yet another co-conspirator whose job it is to use the stolen credentials and log into employee tools. That person may also need to figure out how to make their device pass “posture checks,” a form of device authentication that some companies use to verify that each login is coming only from employee-issued phones or laptops.

For aspiring criminals with little experience in scam calling, there are plenty of sample call transcripts available on these Telegram chat channels that walk one through how to impersonate an IT technician at the targeted company — and how to respond to pushback or skepticism from the employee. Here’s a snippet from one such tutorial that appeared recently in one of the SIM-swapping channels:

“Hello this is James calling from Metro IT department, how’s your day today?” (yea im doing good, how r u) i’m doing great, thank you for asking i’m calling in regards to a ticket we got last week from you guys, saying you guys were having issues with the network connectivity which also interfered with [Microsoft] Edge, not letting you sign in or disconnecting you randomly. We haven’t received any updates to this ticket ever since it was created so that’s why I’m calling in just to see if there’s still an issue or not….”

TMO DOWN!

The TMO UP data referenced above, combined with comments from the SIM-swappers themselves, indicates that while many of their claimed accesses to T-Mobile tools in the middle of 2022 lasted hours on end, both the frequency and duration of these events began to steadily decrease as the year wore on.

T-Mobile declined to discuss what it may have done to combat these apparent intrusions last year. However, one of the groups began to complain loudly in late October 2022 that T-Mobile must have been doing something that was causing their phished access to employee tools to die very soon after they obtained it. One group even remarked that they suspected T-Mobile’s security team had begun monitoring their chats. Indeed, the timestamps associated with one group’s TMO UP/TMO DOWN notices show that their claimed access was often limited to less than 15 minutes throughout November and December of 2022.

Whatever the reason, the calendar graphic above clearly shows that the frequency of claimed access to T-Mobile decreased significantly across all three SIM-swapping groups in the waning weeks of 2022.

SECURITY KEYS

T-Mobile US reported revenues of nearly $80 billion last year. It currently employs more than 71,000 people in the United States, any one of whom can be a target for these phishers. T-Mobile declined to answer questions about what it may be doing to beef up employee authentication. But Nicholas Weaver, a researcher and lecturer at University of California, Berkeley’s International Computer Science Institute, said T-Mobile and all the major wireless providers should be requiring employees to use physical security keys for that second factor when logging into company resources.

A U2F device made by Yubikey.

“These breaches should not happen,” Weaver said. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”

The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB key and pressing a button on the device. The key works without the need for any special software drivers.

The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.

THE ROLE OF MINORS IN SIM-SWAPPING

Nixon said one confounding aspect of SIM-swapping is that these criminal groups tend to recruit teenagers to do their dirty work. “A huge reason this problem has been allowed to spiral out of control is because children play such a prominent role in this form of breach,” Nixon said.

Nixon said SIM-swapping groups often advertise low-level jobs on places like Roblox and Minecraft, online games that are extremely popular with young adolescent males. “Statistically speaking, that kind of recruiting is going to produce a lot of people who are underage,” she said. “They recruit children because they’re naive, you can get more out of them, and they have legal protections that other people over 18 don’t have.” For example, she said, even when underage SIM-swappers are arrested, the offenders tend to go right back to committing the same crimes as soon as they’re released.

In January 2023, T-Mobile disclosed that a “bad actor” stole records on roughly 37 million current customers, including their name, billing address, email, phone number, date of birth, and T-Mobile account number. In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

In the shadow of such mega-breaches, any damage from the continuous attacks by these SIM-swapping groups can seem insignificant by comparison. But Nixon says it’s a mistake to dismiss SIM-swapping as a low volume problem. “Logistically, you may only be able to get a few dozen or a hundred SIM-swaps in a day, but you can pick any customer you want across their entire customer base,” she said. “Just because a targeted account takeover is low volume doesn’t mean it’s low risk. These guys have crews that go and identify people who are high net worth individuals and who have a lot to lose.”

Nixon said another aspect of SIM-swapping that causes cybersecurity defenders to dismiss the threat from these groups is the perception that they are full of low-skilled “script kiddies,” a derisive term used to describe novice hackers who rely mainly on point-and-click hacking tools. “They underestimate these actors and say this person isn’t technically sophisticated,” she said. “But if you’re rolling around in millions worth of stolen crypto currency, you can buy that sophistication. I know for a fact some of these compromises were at the hands of these ‘script kiddies,’ but they’re not ripping off other people’s scripts so much as hiring people to make scripts for them. And they don’t care what gets the job done, as long as they get to steal the money.”
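The origin binding described in the SECURITY KEYS section above, as an added example that is not from the article or any vendor: the token signs SHA-256(appId) together with SHA-256(clientData), and clientData carries the origin the browser saw, so a login relayed through a look-alike site cannot produce an assertion the real site accepts. Assumptions: the origins are hypothetical; HMAC-SHA256 over a per-registration secret stands in for the ECDSA P-256 signature, the relying party keeps that secret where it would keep the registered public key, and the browser's facet check is reduced to "appId must equal the page origin".

```python
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example-carrier.com"               # hypothetical employer site
PHISH_ORIGIN = "https://login.example-carrier.com.evil.example"  # hypothetical look-alike


def signed_message(app_id, counter, client_data):
    """Byte layout of the U2F authentication message the token signs."""
    return (hashlib.sha256(app_id.encode()).digest()
            + b"\x01"                          # user-presence flag (button pressed)
            + struct.pack(">I", counter)
            + hashlib.sha256(client_data).digest())


class SecurityKey:
    """Models the token: a key handle only works with the appId it was issued for."""
    def __init__(self):
        self._creds = {}   # key_handle -> (app_id, secret); secret stands in for the key pair
        self.counter = 0   # signed and monotonically increasing, so the RP can spot clones

    def register(self, app_id):
        handle, secret = secrets.token_hex(16), secrets.token_bytes(32)
        self._creds[handle] = (app_id, secret)
        return handle, secret

    def authenticate(self, app_id, key_handle, client_data):
        cred = self._creds.get(key_handle)
        if cred is None or cred[0] != app_id:
            raise ValueError("key handle was not issued for this appId")
        self.counter += 1
        msg = signed_message(app_id, self.counter, client_data)
        return self.counter, hmac.new(cred[1], msg, hashlib.sha256).digest()


def browser_sign(key, page_origin, app_id, key_handle, challenge):
    """What the browser does when a page calls the U2F sign API (simplified facet check)."""
    if app_id != page_origin:
        raise ValueError("browser refused: appId does not belong to this origin")
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    counter, sig = key.authenticate(app_id, key_handle, client_data)
    return client_data, counter, sig


class RelyingParty:
    """The employer's login service; its origin doubles as the appId."""
    def __init__(self, origin):
        self.origin = origin
        self.users = {}      # username -> {"handle", "secret", "counter"}
        self.pending = {}    # username -> outstanding challenge

    def enroll(self, username, key):
        handle, secret = key.register(self.origin)
        self.users[username] = {"handle": handle, "secret": secret, "counter": 0}
        return handle

    def challenge(self, username):
        self.pending[username] = secrets.token_urlsafe(32)
        return self.pending[username]

    def verify(self, username, client_data, counter, sig):
        user = self.users[username]
        data = json.loads(client_data)
        if data.get("challenge") != self.pending.pop(username, None):
            return False                      # one-shot challenge, consumed either way
        if data.get("origin") != self.origin:
            return False                      # signed clientData names a look-alike origin
        expected = hmac.new(user["secret"], signed_message(self.origin, counter, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig) or counter <= user["counter"]:
            return False                      # bad signature, or counter did not advance
        user["counter"] = counter
        return True


def legitimate_login(rp, key, username, handle):
    c = rp.challenge(username)
    client_data, counter, sig = browser_sign(key, rp.origin, rp.origin, handle, c)
    return rp.verify(username, client_data, counter, sig)


def phished_login(rp, key, username, handle):
    """Employee lured to PHISH_ORIGIN, which relays the real site's challenge.
    Returns the reason the attempt stops."""
    c = rp.challenge(username)
    try:
        browser_sign(key, PHISH_ORIGIN, rp.origin, handle, c)
    except ValueError as e:
        return str(e)
    return "unexpected: browser produced an assertion"


def forged_origin_login(rp, key, username, handle):
    """Defence in depth: even if clientData carrying the phishing origin reached the
    token, the relying party's own origin check rejects the resulting assertion."""
    c = rp.challenge(username)
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": c,
                              "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    counter, sig = key.authenticate(rp.origin, handle, client_data)
    return rp.verify(username, client_data, counter, sig)
```

A stolen password still gets the phisher nothing here: the relying party never sees a valid second factor unless the assertion was minted for its own origin against the challenge it issued.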
The adversaries obtained a decryption key to a LastPass database containing multifactor authentication and federation information as well as customer vault data, company says.
The opportunistic "SCARLETEEL" attack on a firm's Amazon Web Services account turns into targeted data theft after the intruder uses an overpermissioned service to jump into cloud system.
The framework-as-a-service signals an intensification of the cat-and-mouse game between defenders detecting lateral movement, and cybercriminals looking to go unnoticed.
A malicious version of Final Cut Pro that largely went unnoticed by antivirus engines is being used by cybercriminals to mine cryptocurrency on macOS systems. There have been dozens of uploads from 2019 and 2021 that were injected with a malicious payload to surreptitiously mine cryptocurrency. Despite an earlier iteration being a known quantity to the security community, most of the security products from different vendors could not detect malicious applications.
ESET researchers uncovered a connection between the North Korean Lazarus APT group and WinorDLL64 - a new backdoor associated with the Wslink malware downloader. Wslink, primarily a malicious loader, can be leveraged by the attacker for lateral movement as well. WinorDLL64 is a fully-featured backdoor implant that can exfiltrate, overwrite, and delete files for file manipulation.
Cyber attack risks faced by businesses across states and reported data breaches are relative to the respective state governments’ cybersecurity investment, according to Network Assured.
Password management software firm LastPass says one of its DevOps engineers had a personal home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources.
The Australian government on Monday said it planned to overhaul its cybersecurity rules and set up an agency to oversee government investment in the field and help coordinate responses to hacker attacks.
Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests.
On the one-year anniversary of Russia’s war against Ukraine, the US Department of the Treasury announced a new set of sanctions against tens of entities that are allegedly helping the Kremlin, including its cyber operations.
The activity, which was detected by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to encompass Ecuador, Chile, and Spain, suggesting a slow expansion of the hacking group's victimology footprint.
Nearly 200,000 new mobile banking Trojans emerged in 2022 — a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.
A cyberattack on Pipefitters Local 537, a Boston-based labor union’s health fund, resulted in the loss of $6.4 million, but it does not appear that the personal information of members was stolen or compromised, union officials said.
India recorded a total virus count of 37,697,022, which was over 418,000 viruses per day in Q4 of 2022, a new report showed on Monday. According to Fortinet, India alone accounted for 5.81% of the global virus count detected in the previous quarter.
News Corp, the mass media and publishing giant, revealed a data breach that affected the personal data and PHI of several employees. The compromised data include names, SSNs, driver's license numbers, passport and financial data, and medical and health insurance information. The breach has affected multiple news arms of the publishing conglomerate, including the New York Post, The Wall Street Journal, and other U.K. news operations.
Vouched announced $6.3 million financing led by BHG VC and SpringRock Ventures, as well as prior investors Darrell Cavens and Mark Vadon. Vouched’s expansion plans build upon the company’s rapid growth over the past year.
The service is investigating a major ransomware attack that has compromised some of its most sensitive information, including law enforcement materials, and the personal information of employees, and potential targets of federal investigations.
The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the service's long operational history.
The threat actors claim to have obtained 19,444 unique records from an Activision Azure database and are offering it for free. The leaked data contains names, phone numbers, job titles, locations, and email addresses of Activision employees.
The strategy, created by the Office of the National Cyber Director (ONCD), also gives high-level authorization to law enforcement and intelligence agencies to hack into foreign networks to prevent attacks or to retaliate against APT campaigns.
The vulnerability is tracked as CVE-2023-26009 in the Houzez plugin and CVE-2023-26540 in the theme. The vendor was informed about the security hole and patched it with the release of versions 2.6.4 (plugin) and 2.7.2 (theme).
The head of the CISA called the status quo in cybersecurity today “unsustainable,” saying companies, consumers, and government must collectively shift their expectations to make software and hardware manufacturers responsible for insecure products.
Resecurity identified one of the largest investment fraud networks by size and volume of operations defrauding users from Australia, Canada, China, Colombia, the EU, India, Singapore, Malaysia, UAE, Saudi Arabia, Mexico, the US, and other regions.
The Series D round was co-led by Lightspeed Venture Partners and Greenoaks Capital Partners, with participation from angel investors including Starbucks owner Howard Schultz and French business magnate Bernard Arnault.
Threat analysts at CYFIRMA claim that this new framework was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution in exchange for a subscription fee.
A hacker group, dubbed Clasiopa by analysts at Broadcom's Symantec, is reportedly launching attacks against organizations in the materials research sector. The group boasts a unique toolset, including the custom Atharvan backdoor. The attackers have also used modified versions of the publicly available Lilith RAT and the Thumbsender hacking tool in these attacks.
Researchers spotted a new ChromeLoader malware campaign that is being propagated via VHD files named after popular games, such as ROBLOX, Elden Ring, Call of Duty, Pokemon, Animal Crossing, and others. ChromeLoader hijacks browser searches to show advertisements and later modifies the browser settings and collects credentials and browser data.
Ubuntu Security Notice 5902-1 - It was discovered that PHP incorrectly handled certain invalid Blowfish password hashes. An invalid password hash could possibly allow applications to accept any password as valid, contrary to expectations. It was discovered that PHP incorrectly handled resolving long paths. A remote attacker could possibly use this issue to obtain or modify sensitive information. It was discovered that PHP incorrectly handled a large number of parts in HTTP form uploads. A remote attacker could possibly use this issue to cause PHP to consume resources, leading to a denial of service.
Ubuntu Security Notice 5821-3 - USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately, it was missing a commit to fix it properly in pip. Sebastian Chnelik discovered that wheel incorrectly handled certain file names when validating them against a regular expression. An attacker could possibly use this issue to cause a denial of service.
WordPress WoodMart Theme versions 7.1.1 and below suffer from a cross-site request forgery vulnerability due to missing nonce validation on the process_form function.
Red Hat Security Advisory 2023-0945-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.
Osprey Pump Controller version 1.0.1 allows an unauthenticated attacker to create an account and bypass authentication, thereby gaining unauthorized access to the system.
Red Hat Security Advisory 2023-0895-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Debian Linux Security Advisory 5365-1 - Patrick Monnerat discovered that Curl's support for "chained" HTTP compression algorithms was susceptible to denial of service.
Osprey Pump Controller version 1.0.1 suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the eventFileSelected HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts.
Ubuntu Security Notice 5899-1 - It was discovered that AWStats did not properly sanitize the content of whois responses in the hostinfo plugin. An attacker could possibly use this issue to conduct cross-site scripting attacks.
Red Hat Security Advisory 2023-0970-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include HTTP response splitting and out of bounds read vulnerabilities.
Osprey Pump Controller version 1.0.1 suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the userName HTTP POST parameter called by index.php script.
Osprey Pump Controller version 1.0.1 suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the pseudonym HTTP POST parameter called by index.php script.
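The three Osprey Pump Controller command-injection entries above name the exact scripts and parameters an attacker would abuse, which is all a defender needs to hunt for attempts in web server logs. The following detection script is an added example and is not part of the advisories or of the Osprey product. It scans access-log lines for requests to DataLogView.php, EventsView.php, AlarmsView.php and index.php whose eventFileSelected, userName or pseudonym values contain shell metacharacters after URL decoding. The log layout (combined format plus an assumed body="..." field holding POST parameters) and the sample lines are constructed for illustration; real servers do not log POST bodies unless configured to.

```python
# Added example, not part of the advisory or the Osprey product: flag requests
# to the scripts the advisory names whose injectable parameters carry shell
# metacharacters after URL decoding. The access-log layout (combined format
# plus an assumed body="..." field for POST parameters) and the sample lines
# below are constructed for illustration.
import re
from urllib.parse import parse_qs, urlsplit

# Script -> parameters named as injectable in the advisory.
WATCHED = {
    "/DataLogView.php": ("eventFileSelected",),
    "/EventsView.php": ("eventFileSelected",),
    "/AlarmsView.php": ("eventFileSelected",),
    "/index.php": ("userName", "pseudonym"),
}

# Characters that terminate, chain or substitute commands in a POSIX shell.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Combined log format; the trailing body="..." field is an assumption of this
# example (real servers do not log POST bodies by default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: body="(?P<body>[^"]*)")?$'
)


def find_injection(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    watched = WATCHED.get(parts.path)
    if not watched:
        return None
    # Merge query-string and (assumed logged) body parameters, decoding
    # percent-escapes so that "%3B" is inspected as ";".
    params = parse_qs(parts.query, keep_blank_values=True)
    if m["body"]:
        for name, values in parse_qs(m["body"], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    hits = [
        (name, value)
        for name in watched
        for value in params.get(name, [])
        if SHELL_META.search(value)
    ]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path, "hits": hits}


def scan(lines):
    """Run find_injection over an iterable of log lines, keeping the findings."""
    return [f for f in map(find_injection, lines) if f]


# Constructed sample log: a benign read, two injection attempts, a benign
# login, and a metacharacter on a script the advisory does not name (ignored).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2023:10:00:01 +0000] "GET /DataLogView.php?eventFileSelected=2023-02-27.log HTTP/1.1" 200 512',
    '10.0.0.7 - - [27/Feb/2023:10:00:09 +0000] "GET /AlarmsView.php?eventFileSelected=x%3Bid HTTP/1.1" 200 1024',
    '10.0.0.9 - - [27/Feb/2023:10:01:22 +0000] "POST /index.php HTTP/1.1" 302 0 body="userName=admin%60id%60&pseudonym=ops"',
    '10.0.0.9 - - [27/Feb/2023:10:01:30 +0000] "POST /index.php HTTP/1.1" 200 0 body="userName=admin&pseudonym=ops"',
    '10.0.0.11 - - [27/Feb/2023:10:02:00 +0000] "GET /other.php?eventFileSelected=x%3Bid HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: an attacker will send `%3B` or `%60`, and a rule that greps the raw request line for `;` or a backtick will miss it. The 404 line is deliberately ignored; widening the rule to every script is a reasonable choice on a device this small, but it will also flag legitimate values that happen to contain `&` or `$`.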
Ubuntu Security Notice 5901-1 - Hubert Kario discovered that GnuTLS had a timing side-channel when handling certain RSA messages. A remote attacker could possibly use this issue to recover sensitive information.
Red Hat Security Advisory 2023-0978-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0977-01 - Red Hat OpenShift Data Science 1.22.1 security update. Issues addressed include an improper authorization vulnerability.
Red Hat Security Advisory 2023-0959-01 - The GNU tar program can save multiple files in an archive and restore files from an archive. Issues addressed include a buffer overflow vulnerability.
Ubuntu Security Notice 5896-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause terminal escape sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code on the machine running the application.
Ubuntu Security Notice 5888-1 - It was discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. Hamza Avvan discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into running a specially crafted input, a remote attacker could possibly use this issue to execute arbitrary code.
Romanian cybersecurity company Bitdefender has released a free universal decryptor for a nascent file-encrypting malware known as MortalKombat. MortalKombat is a new ransomware strain that emerged in January 2023. It's based on a commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist, detected since 2010,
A new post-exploitation framework called EXFILTRATOR-22 (aka EX-22) has emerged in the wild with the goal of deploying ransomware within enterprise networks while flying under the radar. "It comes with a wide range of capabilities, making post-exploitation a cakewalk for anyone purchasing the tool," CYFIRMA said in a new report. Some of the notable features include establishing a reverse shell
As digital transformation takes hold and businesses become increasingly reliant on digital services, it has become more important than ever to secure applications and APIs (Application Programming Interfaces). With that said, application security and API security are two critical components of a comprehensive security strategy. By utilizing these practices, organizations can protect themselves
The threat actor known as Blind Eagle has been linked to a new campaign targeting various key industries in Colombia. The activity, which was detected by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to encompass Ecuador, Chile, and Spain, suggesting a slow expansion of the hacking group's victimology footprint. Targeted entities include health, financial, law
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive
LastPass, which in December 2022 disclosed a severe data breach that allowed threat actors to access encrypted password vaults, said it happened as a result of the same adversary launching a second attack on its systems. The company said one of its DevOps engineers had their personal home computer breached and infected with a keylogger as part of a sustained cyber attack that exfiltrated