Security

Staples is still suffering disruption after being hit by a cyber-attack late last week, the retailer has revealed. The office supplies giant apologized to customers for any inconvenience, in an updated service message on its main website. “We continue to experience disruption of our communications and our customer service lines. All other aspects of our

Apple has been forced to patch yet another pair of zero-day vulnerabilities, bringing the total for the year to 20. The tech giant said that the two bugs in its WebKit browser engine were being actively exploited in the wild. The first vulnerability, CVE-2023-42916, is found in a range of Apple products: iPhone XS and

The UK’s security agency has urged the nation’s water sector to apply best practice security measures after a US operator was breached via its industrial control systems. The US Cybersecurity and Infrastructure Security Agency (CISA) revealed earlier this week that an unnamed facility had been taken offline and switched to manual operation after its Unitronics

The UK government has signed what it claims to be a “world-first” charter with some of the biggest technology companies on the planet, which will see the latter commit to blocking and removing fraudulent content from their platforms. Announced late yesterday, the Online Fraud Charter is a voluntary agreement for technology firms to better police fraud

Okta has revealed that an October security breach compromised all users of its customer support system rather than a small subset as previously thought. CSO David Bradbury said last month that only 134 customers were impacted after a threat actor gained access to the support system between September 28 and October 17. They had managed to access

Security experts have urged ownCloud customers to mitigate a critical zero-day vulnerability in its “graphapi” app announced last week, after observing mass exploitation by threat actors. Security vendor GreyNoise raised the alarm after file server and collaboration platform ownCloud revealed the CVSS 10.0-rated vulnerability on November 21. “The ‘graphapi’ app relies on a third-party library

Police in Ukraine have arrested five individuals including the suspected ringleader of a prolific ransomware affiliate believed to have made hundreds of millions of dollars from cyber-attacks. Law enforcers and judicial authorities from seven countries joined forces with Europol to dismantle the group, searching 30 properties in Kyiv, Cherkasy, Rivne and Vinnytsia on November 21.

A prolific threat actor has been spotted on the dark web selling what they claim to be sensitive information stolen from General Electric. General Electric (GE) is one of America’s best-known multinationals, having been founded over 100 years ago by Thomas Edison. It now has a portfolio ranging from aerospace to renewable energy. However, according

Security researchers have found a way to bypass the popular Windows Hello fingerprint authentication technology, after discovering multiple vulnerabilities. Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of the top three fingerprint sensors embedded in laptops. The firm studied a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft

House sales and purchases across the UK have been disrupted by a cyber-attack affecting multiple conveyancing firms. CTS, a legal sector specialist infrastructure service provider, confirmed in a statement that it has experienced a service outage caused by a cyber-incident. The firm said the cyber-attack has impacted a portion of the services it delivers to

The US Cybersecurity and Infrastructure Security Agency (CISA) has relaunched a key working group, with ambitious plans to understand the effectiveness of security controls in tackling ransomware and other threats. The Cybersecurity Insurance and Data Analysis Working Group (CIDAWG) was originally founded in 2016, although the new iteration will be very different, according to CISA

The British Library has revealed that HR data was stolen and leaked in a recent ransomware breach. The state-run institution, one of the world’s largest public libraries, only admitted last week that an October 28 incident was in fact caused by ransomware. In a further update yesterday it revealed a little more detail. “Following confirmation

Europol has announced a new unit whose job it will be to find and analyze publicly available information indicating Russian war crimes committed in Ukraine. The Operational Taskforce (OTF) will scour the internet to “identify suspects and their involvement in war crimes, crimes against humanity or genocide crimes” through open source intelligence (OSINT), the policing

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a Mitigation Guide specifically tailored for the Healthcare and Public Health (HPH) sector. The new guide outlines defensive mitigation strategies and best practices to counteract prevalent cyber-threats targeting critical infrastructure in the healthcare domain. The paper, published on Friday, emphasizes the importance of vulnerability management,

The UK’s National Cyber Security Centre (NCSC) has revealed details of its first RFC for standards body the Internet Engineering Task Force (IETF) – covering indicators of compromise (IoCs). RFCs are reference documents containing technical specifications and organizational notes for the technical foundations of the internet. RFCs that reach a certain level of maturity can

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released a detailed cybersecurity advisory on the sophisticated Scattered Spider threat group, urging critical infrastructure (CNI) firms to implement its mitigation recommendations. The group (also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest and Muddled Libra) is thought to be responsible for big-name

involving the spoofing of luxury brands, including Louis Vuitton, Rolex, and Ray-Ban. The hackers craft enticing emails promising heavy discounts on these luxury products, with the email addresses manipulated to mimic the authenticity of the brands. Despite the appearance of legitimacy, a closer look reveals that the email origins have no connection to the actual

The Cloud Security Alliance (CSA) has introduced the Certificate of Competence in Zero Trust (CCZT), the industry’s inaugural authoritative zero trust certification.  CSA said the certification responds to the evolving landscape of pervasive technology and the inadequacy of legacy security models. It aims to equip security professionals with the knowledge necessary to develop and implement

The US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has unveiled its inaugural roadmap for artificial intelligence (AI). The initiative aligns with President Biden’s recent Executive Order, which directed DHS to globally promote AI safety standards, safeguard US networks and critical infrastructure, and address the potential weaponization of AI. The roadmap

Security researchers have discovered a total of 3938 unique secrets on PyPI, the official third-party package management system for the Python community, across all projects, with 768 of them validated as authentic.  Notably, 2922 projects contained at least one unique secret. Among the leaked secrets were various credentials, including AWS Keys, Redis credentials, Google API

The global online gaming community is facing a rising threat from cyber-criminals exploiting vulnerabilities inherent in gamers’ interactions with digital content.  A recent report by Sekoia.io has shed light on a targeted campaign using Discord messages and fake download websites to distribute information-stealing malware within the gaming sphere. According to the post, gamers, in their quest for

Two giants of the banking and legal sectors have been breached by suspected ransomware actors, according to reports. Allen & Overy is one of the UK’s “Magic Circle” law firms. It released a statement yesterday revealing a “data incident” impacting a “small number of storage servers.” Although the firm did not name ransomware as the

Microsoft has revealed a new threat campaign exploiting a zero-day vulnerability in the popular SysAid IT helpdesk software. Posting to X (formerly Twitter) yesterday, the Microsoft Threat Intelligence account said the group is the same one responsible for the MOVEit data theft and extortion campaign – a threat actor known as Lace Tempest (aka DEV-0950,

Most British lawmakers are unaware or misinformed about how and where facial recognition technology (FRT) is being used, and the privacy threats it poses, according to a new Privacy International study. The rights group commissioned YouGov to poll 114 UK MPs about the technology, which uses AI to extract biometric data from facial images captured

The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures (TTPs) employed by Asian Advanced Persistent Threat (APT) groups. The 370-page report, Modern Asian APT groups: Tactics, Techniques and Procedures, published today, is based on an examination of around one hundred cybersecurity incidents that unfolded across different regions globally, commencing

Google-owned Mandiant has revealed that Sandowrm, a Russia-backed hacking group, conducted a disruptive cyber-attack targeting a Ukrainian critical infrastructure organization in late 2022. Mandiant, which was involved in responding to the attack, shared some of the findings of its post-mortem analysis in a report published on November 9, 2023. The intrusion began on, or before,

The Singapore-based luxury complex Marina Bay Sands revealed it was hit by a security incident that exposed the personal data of 665,000 customers. According to a statement published by the resort, the incident occurred on October 19-20 and involved unauthorized third-party access to its non-casino customers’ loyalty program membership data. The leaked data included personally

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a Russian national for her involvement in laundering and transferring funds using virtual currency on behalf of Russian elites.  Ekaterina Zhdanova reportedly played a pivotal role in assisting Russian elites and illicit actors in evading US and international sanctions, particularly by

Microsoft has announced a major new cybersecurity initiative designed to help the company better respond to the increasing speed, scale and sophistication of today’s cyber-threats. The Secure Future Initiative has been driven in part by the growing sophistication of state-sponsored actors, in particular the Volt Typhoon campaign targeting US critical infrastructure and the more recent

The UK Frontier AI Taskforce, a government-funded initiative launched in April 2023 as the Foundation Model Taskforce, is evolving to become the UK AI Safety Institute. British Prime Minister Rishi Sunak announced the creation of the Institute during his closing speech at the AI Safety Summit, held in Bletchley Park, England, on November 2, 2023.