Software engineers tracking the quality of software bill of materials have stumbled on a startling discovery: Barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government. According to new data from software supply chain security startup Chainguard, SBOMs being generated by existing tools fail to meet the minimum ..
Tag : Identity&Access
There is a problem with API security – it isn’t working very well, and it’s largely down to credential leakage. Most security professionals are confident in their own API credential management; but at the same time, most of the same professionals admit to having experienced a breach effected through compromised API credentials. In a survey ..
Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns. The CVE-2022-24086 bug (CVSS score of 9.8) is described as an improper input validation bug in the checkout process. It could ..
Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet. The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is ..
Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to complete vehicle compromise. Tesla, in tandem with Pwn2Own organizations Zero Day Initiative, is offering a $600,000 cash prize to any hacker capable of writing exploits that pivot through multiple systems in ..
A new Android banking trojan has been found, targeting international banks from the United Kingdom and Italy (including in the U.S.). and five different cryptocurrency services. Twenty-two instances have been discovered, but more are expected. The malware, first detected at the end of October 2021, appears to be new and still being developed. It was ..
UK-based identity verification and fraud prevention solutions provider GBG on Thursday announced that it has agreed to acquire Acuant in a $736 million deal. Acuant is based in California and it specializes in identity verification and Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. The acquisition, which is expected to close by the end ..
Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets. Two of Redmond’s premier threat hunting units — the Microsoft Threat Intelligence Center (MSTIC) ..
Microsoft says it has observed an increase in the use of HTML smuggling in malicious attacks distributing remote access Trojans (RATs), banking malware, and other malicious payloads. HTML smuggling leverages HTML5/JavaScript for the download of files onto a victim machine, which in this case of these attacks is an encoded malicious script designed to assemble ..
Web security services provider Cloudflare says it mitigated a distributed denial-of-service (DDoS) attack that peaked at almost 2 terabytes per second (Tbps). The multi-vector assault was launched by a botnet of approximately 15,000 machines infected with a variant of the original Mirai malware. The bots included Internet of Things (IoT) devices and GitLab instances, Cloudflare ..