Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us
Turns out they're not all that rare. We just don't know how to find them.
Google Play hides app permissions in favor of developer-written descriptions
Let's hope nobody lies about what permissions their app uses.
Ongoing phishing campaign can hack you even when you’re protected with MFA
Campaign that steals email has targeted at least 10,000 organizations since September.
A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys
Hertzbleed attack targets power-conservation feature found on virtually all modern CPUs.
Researchers devise iPhone malware that runs even when device is turned off
Research is largely theoretical but exposes an overlooked security issue.
Researcher uses 379-year-old algorithm to crack crypto keys found in the wild
It takes only a second to crack the handful of weak keys. Are there more out there?
Russia’s Sandworm hackers attempted a third blackout in Ukraine
The attack was the first in five years to use Sandworm's Industroyer malware.
Explaining Spring4Shell: The Internet security disaster that wasn’t
Vulnerability in the Spring Java Framework is important, but it's no Log4Shell.
Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA
Not all MFA is created equal, as script kiddies and elite hackers have shown recently.
Behold, a password phishing site that can trick even savvy users
Just when you thought you'd seen every phishing trick out there, BitB comes along.
Sabotage: Code added to popular NPM package wiped files in Russia and Belarus | Ars Technica
When code with millions of downloads nukes user files, bad things can happen.
New method that amplifies DDoSes by 4 billion-fold. What could go wrong?
New method also stretches out DDoS durations to 14 hours.
Cybercriminals who breached Nvidia issue one of the most unusual demands ever
Chipmaker has until Friday to comply or see its crown-jewel source code released.
VMware Horizon servers are under active exploit by Iranian state hackers
Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday.
Flood of malicious junk traffic makes Ukrainian websites unreachable | Ars Technica
DDoS temporarily take out sites as Ukraine stares down Russian soldiers at its border.
Backdoor RAT for Windows, macOS, and Linux went undetected until now | Ars Technica
Never-before-seen, cross-platform SysJoker came from an "advanced threat actor."
In a first, cryptographic keys protecting SSH connections stolen in new attack | Ars Technica
An error as small as a single flipped memory bit is all it takes to expose a private key. The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.
Intel fixes high-severity CPU bug that causes “very strange behavior”
Among other things, bug allows code running inside a VM to crash hypervisors.
Microsoft profiles new threat group with unusual but effective practices
Octo Tempest employs tactics that many of its targets aren't prepared for.
Hackers can force iOS and macOS browsers to divulge passwords and much more
iLeakage is practical and requires minimal resources. A patch isn't (yet) available.
Vulnerable Arm GPU drivers under active exploitation. Patches may not be available | Ars Technica
Vulnerability allows attackers to tamper with data stored in device memory.
Critical vulnerabilities in Exim threaten over 250k email servers worldwide | Ars Technica
Remote code execution requiring no authentication fixed. 2 other RCEs remain unpatched.
How Google Authenticator made one company’s network breach much, much worse
Google's app for generating MFA codes syncs to user accounts by default. Who knew?
With 0-days hitting Chrome, iOS, and dozens more this month, is no software safe? | Ars Technica
With 70 zero-days uncovered so far this year, 2023 is on track to set a new record.
North Korea-backed hackers target security researchers with 0-day
Google researchers say currently unfixed vulnerability affects a popular software package.
WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April | Ars Technica
Vulnerability allows hackers to execute malicious code when targets open malicious ZIP files.
Microsoft takes pains to obscure role in 0-days that caused email breach
Critics also decry Microsoft's "pay-to-play" monitoring that detected intrusions.
WordPress plugin installed on 1 million+ sites logged plaintext passwords
AIOS bills itself as an "all-in-one" security solution. A just-fixed bug undermined that.
Hackers exploit gaping Windows loophole to give their malware kernel access
Microsoft blocks a new batch of system drivers, but the loophole empowering them remains.
Darknet markets generate millions in revenue selling stolen personal data
A handful of markets were responsible for trafficking most of the data.