In a recent security alert, the team behind the popular open-source tool curl has announced the release of fixes for two vulnerabilities: CVE-2023-38545 and CVE-2023-38546. Today’s release marks a crucial step in addressing these security concerns. Curl, a command-line tool for data transfer supporting various network protocols, plays a vital role in countless applications, with
FortiGuard Labs, the research arm of security firm Fortinet, has uncovered a significant evolution in the IZ1H9 Mirai-based DDoS campaign. Discovered in September and described in an advisory published on Monday, the new campaign has reportedly rapidly updated its arsenal of exploits, incorporating 13 distinct payloads, targeting various vulnerabilities across different Internet of Things (IoT)
Flagstar Bank, a prominent Michigan-based financial services provider, has warned 837,390 of its US customers about a data breach that occurred through a third-party service provider, Fiserv. The breach exposed the personal information of a substantial number of customers. It was traced back to vulnerabilities in MOVEit Transfer, a file transfer software used by Fiserv
Two leading US government security agencies have shared the top 10 most common cybersecurity misconfigurations, in a bid to improve baseline security among public and private sector organizations. The report from the NSA and Cybersecurity and Infrastructure Security Agency (CISA) was compiled from their red and blue team assessments, as well as agency hunt and incident
Despite the takedown of the Qakbot threat gang’s infrastructure by the FBI in late August, some of the group’s affiliates are still deploying ransomware through phishing campaigns, according to Cisco Talos. Talos threat researchers found new evidence that a threat actor linked to the Qakbot malware loader (also known as QBot or Pinkslipbot) has been
Amazon Web Services (AWS) said it will require multi-factor authentication (MFA) for all privileged accounts starting mid-2024, in a bid to improve default security and reduce the risk of account hijacking. From that time, any customers signing into the AWS Management Console with the root user of an AWS Organizations management account will be required
The number of victims named on ransomware leak sites reached “unprecedented levels” in the four months from March to June 2023, according to Secureworks’ 2023 State of the Threat report. At current levels, 2023 is on course to be the biggest year on record for victim naming on so-called ‘name and shame’ sites since this
Police in Northern Ireland have warned organizations in the province to be on their guard after issuing a new Crime Prevention Notice on “quishing,” or phishing via QR code. Originally published by the Police Service of Northern Ireland (PSNI) Cyber Crime Centre, the notice urges all local businesses to ensure staff cybersecurity awareness training is
Over half (52%) of cybersecurity professionals are experiencing an increase in cyber-attacks compared to a year ago, according to new research from ISACA. The professional association also found that companies are failing to regularly assess cyber risk with less than one in ten (8%) of organizations completing cyber risk assessments monthly while two in five
Cybersecurity Awareness Month was founded in 2004 and this year sees the initiative celebrate 20 years of raising awareness of security issues relating to our use of technology. During the month of October, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) partner to create resources and messaging for organizations to
Microsoft’s Bing Chat has come under scrutiny due to a significant security concern – the infiltration of malicious ads. Malwarebytes researchers have now demonstrated how unsuspecting users seeking software downloads can be tricked into visiting malicious websites and unwittingly downloading malware. Bing Chat, an artificial intelligence (AI) interactive text and image application powered by OpenAI’s
The Russian firm Operation Zero has announced a staggering $20m reward for hacking tools capable of compromising iPhones and Android devices. The company unveiled this increased payout on X (formerly Twitter) on Tuesday, aiming to attract top-tier researchers and developer teams to collaborate with their platform. Under this program, Operation Zero is willing to pay
The UK’s information commissioner has called for an immediate end to the use of Excel spreadsheets to publish Freedom of Information (FOI) data. The data protection regulator issued an advisory notice yesterday to all public authorities in the wake of a hugely damaging leak at the Police Service of Northern Ireland (PSNI) last month. Among other
The US and Japanese authorities have urged multi-nationals to consider implementing zero trust models to mitigate a sophisticated Chinese state-backed cyber-espionage operation. The advisory was issued yesterday by the NSA, FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity
Russian cyber-attacks against Ukraine skyrocketed in the first half of 2023, with 762 incidents observed by Ukraine’s State Service of Special Communications and Information Protection (SSSCIP). This represents a 123% surge compared with the second half of 2022. However, the SSSCIP also found that these attacks were significantly less successful than in the past, with
Fear, ignorance and forgetfulness are some of the reasons for widespread shortcomings in reporting cyber-attacks and breaches, both internally and externally, according to a new global survey conducted by Keeper Security. The study, Cybersecurity Disasters Survey Incident Reporting & Disclosure, was published on September 26, 2023. It found that, despite cyber-attacks being top of mind
Dear Naked Security readers, Firstly, thank you for your interest, your time, and your contributions to the Naked Security community. Your invaluable engagement and expertise have helped improve cybersecurity for everyone. We have recently added the extensive catalog of Naked Security articles to the Sophos News blog platform, enabling us to provide all Sophos security
A Nigerian extradited to the US has pleaded guilty to his part in a multimillion-dollar business email compromise (BEC) conspiracy. Kosi Goodness Simon-Ebo, 29, pleaded guilty late last week to conspiracy to commit wire fraud and conspiracy to commit money laundering. From February to July 2017, he conspired with several others, including some living in
The year 2023 has seen a surge of over 700 advertisements on the dark web offering Distributed Denial of Service (DDoS) attacks through Internet of Things (IoT) devices, suggests a new report by Kaspersky. These services come at varying price points, depending on factors like DDoS protection and verification on the target’s end, ranging from
The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Football League (NFL), Allegiant Stadium and Super Bowl LVIII partners, has conducted a cybersecurity tabletop exercise this week in preparation for Super Bowl LVIII. The exercise aimed to assess and enhance cybersecurity response capabilities, plans and procedures for the upcoming event. The Super
A US government contractor working as an IT administrator at the State Department is facing a maximum penalty of death or life in prison after being arrested on serious espionage charges. Abraham Teklu Lemma, 50, of Silver Spring, Maryland, has been charged with delivering national defense information to aid a foreign government, conspiracy to deliver
The typical business in the US and UK loses over 4% of their online revenue every year due to malicious bot attacks, according to a new report from Netacea. The firm’s Death by a Billion Bots report was compiled from a survey of 440 businesses with an average online revenue of $1.9bn across the travel,
The International Criminal Court (ICC) yesterday confirmed the discovery of suspicious activity inside its IT network but revealed little else of a worrying security breach last week. The Netherlands-headquartered tribunal, which tries suspects of war crimes and crimes against humanity, posted a brief statement to X (formerly Twitter). “At the end of last week, the International
“I’m here to recruit you.” Was Christopher Wray, director of the FBI, really joking when he said that hiring people for the FBI was the reason for his presence at the Mandiant mWISE conference? During his opening keynote speech on September 18, Wray explained how collaborating with the private sector has changed the FBI’s approach
A further multimillion-dollar distribution of funds from Western Union to victims of fraud perpetrated via its payment network has begun, following a previous payout of $365m. The new $40m tranche of money was forfeited by the Colorado-headquartered financial services giant to the Department of Justice (DoJ) to reimburse 25,000 victims in the US and abroad.
China’s malicious cyber activity informs its preparations for a potential military conflict with the US, a new report from the Department of Defense (DoD) has claimed. The agency’s 2023 Cyber Strategy highlighted the People’s Republic of China (PRC) and Russia’s embrace of malicious cyber activity “as a means to counter US conventional military power and
Four out of five (80.3%) security vulnerabilities observed in organizations across all sectors come from a cloud environment, Palo Alto Networks’ Unit 42 found in its latest Attack Surface Threat Research. The report, published on September 14, 2023, outlined the most common cloud security flaws, of which 60% come from web framework takeover (22.8%), remote
A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. The European aerospace giant said it has launched an investigation into the incident. “As a major high-tech and industrial player, Airbus is also a target for malicious actors,”
An infamous threat group connected to the North Korean state has been blamed for a major attack on cryptocurrency exchange CoinEx on Tuesday. The Hong Kong-headquartered exchange warned users in a post on X (formerly Twitter) on September 12 that it had “detected anomalous withdrawals from several hot wallet addresses used to store CoinEx’s exchange
The UK Government suffers from a major shortage of cybersecurity experts, putting critical services at high risk of cyber-attacks, a new report from the Parliament’s Public Accounts Committee (PAC) has found. The Committee revealed a major digital skills shortage in the civil service, which has under half the number of digital, data and tech professionals