Cloud security company Orca has published details on four server-side request forgery (SSRF) vulnerabilities affecting different Azure services, including two bugs that could have been exploited without authentication. SSRF flaws, Orca explains, typically let an attacker make the vulnerable server issue requests on their behalf to the host's instance metadata service (IMDS), enabling them to view information such as hostnames, MAC addresses, and ..
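As an added example (not Orca's or Azure's code), the following egress guard shows the check a server-side URL fetcher needs to stop the SSRF-to-IMDS path described above: every address the target resolves to must be globally routable, so the link-local 169.254.169.254 used by Azure, AWS and GCP, the AWS IPv6 IMDS address fd00:ec2::254, loopback and IPv4-mapped disguises are all refused. The resolver table is a constructed stand-in for DNS so the code runs offline; `naive_is_blocked` is a hypothetical string-compare filter included only to show what it misses.

```python
"""SSRF egress guard that refuses cloud instance-metadata endpoints and other
non-public destinations.  Added example, not Orca's or Azure's code; the
resolver table is constructed for the demo so it runs offline."""
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Names that cloud SDKs and documentation use for the metadata service; the
# addresses behind them are caught by the IP check as well.
METADATA_NAMES = {"metadata", "metadata.google.internal"}

# Constructed stand-in for DNS (assumption for the demo): host -> addresses.
FAKE_DNS: Dict[str, List[str]] = {
    "api.example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    # Rebinding-style record: one public address plus the IMDS link-local one.
    "rebind.example.net": ["8.8.8.8", "169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host: str) -> List[str]:
    """Return every address for host; an IP literal resolves to itself.
    A real deployment would call socket.getaddrinfo() here."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.  Loopback, RFC 1918,
    link-local (169.254.0.0/16, where IMDS lives), ULA (fd00:ec2::254 on AWS)
    and multicast all fail this test."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still IMDS
    return ip.is_global and not ip.is_multicast


def naive_is_blocked(url: str) -> bool:
    """Hypothetical weak filter: string-compares the host against one literal.
    It misses metadata hostnames, rebinding names and IPv6 forms entirely."""
    return urlsplit(url).hostname == "169.254.169.254"


def check_url(url: str,
              resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.
    Returns (allowed, reason).  Every resolved address must be public, so a
    name that resolves to both a public and a link-local address is refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    if not host:
        return False, "missing host"
    if host in METADATA_NAMES:
        return False, f"metadata hostname: {host}"
    addrs = resolve(host)
    if not addrs:
        # Also covers decimal/octal tricks such as http://2852039166/ that the
        # strict parser refuses: if we cannot vet it, we do not fetch it.
        return False, f"unresolvable host: {host}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"{host} -> {', '.join(addrs)}"


if __name__ == "__main__":
    for u in ("https://api.example.com/health",
              "http://169.254.169.254/metadata/instance?api-version=2021-02-01",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://rebind.example.net/"):
        print(u, "naive_blocked=%s" % naive_is_blocked(u), check_url(u))
```

The check is only half of the fix: the HTTP client must then connect to the vetted address rather than re-resolving the name (otherwise a DNS answer that changes between check and connect defeats it), and redirects must be disabled or each hop re-vetted the same way. Azure's IMDS additionally requires a `Metadata: true` request header and rejects requests carrying `X-Forwarded-For`, which is why SSRF bugs that let the attacker control headers are more dangerous than ones that only control the URL.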
A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports. Generally available since November 2022, following a private preview period, GitHub Codespaces is a free cloud-based integrated development environment (IDE) that allows developers to create, edit, and run code in their browsers via a ..
When the Supreme Court last June stripped away constitutional protections for abortion, concerns grew over the use of period tracking apps because they aren’t protected by federal privacy laws. Privacy experts have said they fear pregnancies could be surveilled and the data shared with police or sold to vigilantes. Some Washington state lawmakers want to ..
Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free. Written in Golang, BianLian emerged in August 2022 and has been used in targeted attacks against entertainment, healthcare, media, and manufacturing organizations. Once it has been executed on a victim’s machine, the malware identifies all available ..
Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet. The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to achieve code execution if SAML single sign-on is ..
A series of vulnerabilities affecting industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to internal operational technology (OT) networks from the internet. The US Cybersecurity and Infrastructure Security Agency (CISA) last week published an advisory to inform organizations about five vulnerabilities identified by a researcher at industrial ..
Canadian liquor distributor Liquor Control Board of Ontario (LCBO) has announced that a web skimmer injected into its online store was used to steal users’ personal data. One of the largest liquor sellers in Canada, LCBO retails and distributes alcoholic beverages across the province of Ontario, operating over 670 stores and employing more than 8,000 people. ..
The US Department of Defense (DoD) is getting ready to launch the third installment of its ‘Hack the Pentagon’ bug bounty program, which will focus on the Facility Related Controls System (FRCS) network. Hack the Pentagon was launched in 2016 on HackerOne, when the DoD invited ethical hackers to find and report security defects in ..
Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer’s laptop. The incident was initially disclosed on January 4, when CircleCI urged customers to rotate their secret keys. In an updated incident report on Friday, the company said that it was ..
A hacktivist group has made bold claims regarding an attack on an industrial control system (ICS) device, but industry professionals have questioned their claims. The hacktivist group known as GhostSec, whose recent operations have focused on ‘punishing’ Russia for its invasion of Ukraine, claims to have conducted the first ever ransomware attack against a remote ..