Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

Content tagged with Vulnerabilities / Threats posted in April 2021
Page 1 / 2   >   >>
Ransomware Task Force Publishes Framework to Fight Global Threat
News  |  4/30/2021  | 
An 81-page report details how ransomware has evolved, along with recommendations on how to deter attacks and disrupt its business model.
New Threat Group Carrying Out Aggressive Ransomware Campaign
News  |  4/30/2021  | 
UNC2447 observed targeting now-patched vulnerability in SonicWall VPN.
MITRE Adds MacOS, More Data Types to ATT&CK Framework
News  |  4/30/2021  | 
Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure.
7 Modern-Day Cybersecurity Realities
Slideshows  |  4/30/2021  | 
Security pros may be working with a false sense of security. We explore seven places where old methods and techniques have to change to keep their organizations safe.
The Ticking Time Bomb in Every Company's Code
Commentary  |  4/30/2021  | 
Developers must weigh the benefits and risks of using third-party code in Web apps.
Researchers Connect Complex Specs to Software Vulnerabilities
News  |  4/29/2021  | 
Following their release of 70 different vulnerabilities in different implementations of TCP/IP stacks over the past year, two companies find a common link.
API Hole on Experian Partner Site Exposes Credit Scores
Quick Hits  |  4/29/2021  | 
Student researcher is concerned security gap may exist on many other sites.
Adobe Open Sources Tool for Anomaly Research
News  |  4/29/2021  | 
The One-Stop Anomaly Shop (OSAS) project packages machine-learning algorithms into a Docker container for finding anomalies in security log data.
Your Digital Identity's Evil Shadow
Commentary  |  4/29/2021  | 
In the wrong hands, these shady shadows are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents.
The Challenge of Securing Non-People Identities
Commentary  |  4/29/2021  | 
Non-people identities, which can act intelligently and make decisions on behalf of a person's identity, are a growing cybersecurity risk.
74% of Financial Institutions See Spike in COVID-Related Threats
Quick Hits  |  4/28/2021  | 
Financial losses have also increased among organizations in the last year, with the average cost reaching $720,000.
FBI Works With 'Have I Been Pwned' to Notify Emotet Victims
Quick Hits  |  4/28/2021  | 
Officials shared 4.3 million email addresses with the HIBP website to help inform companies and individuals if Emotet compromised their accounts.
How to Secure Employees' Home Wi-Fi Networks
Commentary  |  4/28/2021  | 
Businesses must ensure their remote workers' Wi-Fi networks don't risk exposing business data or secrets due to fixable vulnerabilities.
Is Your Cloud Raining Sensitive Data?
Commentary  |  4/28/2021  | 
Learn common Kubernetes vulnerabilities and ways to avoid them.
Attacks Targeting ADFS Token Signing Certificates Could Become Next Big Threat
News  |  4/28/2021  | 
New research shows how threat actors can steal and decrypt signing certificates so SAML tokens can be forged.
Ransomware Recovery Costs Near $2M
Quick Hits  |  4/27/2021  | 
The cost of recovering from a ransomware attack has more than doubled in one year, Sophos researchers report.
4 Ways CISOs Can Strengthen Their Security Resilience
Commentary  |  4/27/2021  | 
Security pros must remember bad actors will target their infrastructure, using counter-incident response technology in the process.
Expect an Increase in Attacks on AI Systems
News  |  4/27/2021  | 
Companies are quickly adopting machine learning but not focusing on how to verify systems and produce trustworthy results, new report shows.
Apple Patches Serious MacOS Security Flaw
Quick Hits  |  4/26/2021  | 
The bug can put Mac users at "grave risk" as it allows attackers to bypass Apple's security mechanisms, a researcher reports.
In Appreciation: Dan Kaminsky
News  |  4/26/2021  | 
Beloved security industry leader and researcher passes away unexpectedly at the age of 42.
Shift Left: From Concept to Practice
Commentary  |  4/26/2021  | 
By moving security into development, your team can find and fix vulnerabilities before they become expensive, difficult, and publicly embarrassing problems.
Password Manager Suffers 'Supply Chain' Attack
Quick Hits  |  4/23/2021  | 
A software update to Click Studios' Passwordstate password manager contained malware.
Insider Data Leaks: A Growing Enterprise Threat
Quick Hits  |  4/23/2021  | 
Report finds 85% of employees are more likely to leak sensitive files now than before the COVID-19 pandemic.
New CISA Advisories Warn of ICS Vulnerabilities
Quick Hits  |  4/22/2021  | 
The vulnerabilities exist in Cscape control system application programming software and the Mitsubishi Electric GOT.
Prometei Botnet Adds New Twist to Exchange Server Attacks
Quick Hits  |  4/22/2021  | 
Attackers are using the well-known Microsoft Exchange Server flaw to add machines to a cryptocurrency botnet, researchers say.
Improving the Vulnerability Reporting Process With 5 Steps
Commentary  |  4/22/2021  | 
Follow these tips for an effective and positive experience for both the maintainer and external vulnerability reporter.
University Suspends Project After Researchers Submitted Vulnerable Linux Patches
News  |  4/22/2021  | 
A Linux maintainer pledges to stop taking code submissions from the University of Minnesota after a research team purposely submitted vulnerabilities to show software supply chain weaknesses.
Name That Toon: Greetings, Earthlings
Commentary  |  4/22/2021  | 
Caption time! Come up with something out of this world for Dark Reading's latest contest, and our panel of experts will reward the winner with a $25 Amazon gift card.
Looking for Greater Security Culture? Ask an 8-Bit Plumber
Commentary  |  4/22/2021  | 
After 40 years of navigating catastrophes, video game character Mario can help us with a more intelligent approach to DevOps and improving security culture.
10 Free Security Tools at Black Hat Asia 2021
Slideshows  |  4/22/2021  | 
Researchers are set to demonstrate a plethora of tools for conducting pen tests, vulnerability assessments, data forensics, and a wide range of other use cases.
Nearly Half of All Malware Is Concealed in TLS-Encrypted Communications
News  |  4/22/2021  | 
Forty-six percent of all malware uses the cryptographic protocol to evade detection, communicate with attacker-controlled servers, and to exfiltrate data, new study shows.
Justice Dept. Creates Task Force to Stop Ransomware Spread
Quick Hits  |  4/21/2021  | 
One goal of the group is to take down the criminal ecosystem that enables ransomware, officials say.
Zero-Day Flaws in SonicWall Email Security Tool Under Attack
News  |  4/21/2021  | 
Three zero-day vulnerabilities helped an attacker install a backdoor, access files and emails, and move laterally into a target network.
Business Email Compromise Costs Businesses More Than Ransomware
Commentary  |  4/21/2021  | 
Ransomware gets the headlines, but business paid out $1.8 billion last year to resolve BEC issues, according to an FBI report.
How to Attack Yourself Better in 2021
Commentary  |  4/21/2021  | 
Social engineering pen testing is just one step in preventing employees from falling victim to cybercriminals.
Attackers Heavily Targeting VPN Vulnerabilities
News  |  4/21/2021  | 
Threat actors like attacking the technology because they provide a convenient entry point to enterprise networks.
Pulse Secure VPN Flaws Exploited to Target US Defense Sector
News  |  4/20/2021  | 
China-linked attackers have used vulnerabilities in the Pulse Secure VPN appliance to attack US Defense Industrial Base networks.
Attackers Compromised Code-Checking Vendor's Tool for Two Months
News  |  4/20/2021  | 
A script used to upload sensitive reportswith access to credentials and datastoreslikely sent information on hundreds, possibly thousands, of companies to attackers.
Dept. of Energy Launches Plan to Protect Electric Grid from Cyberattack
Quick Hits  |  4/20/2021  | 
Over the next 100 days, the DoE will work with electric utilities to improve visibility, detection, and response for industrial control systems.
2020 Changed Identity Forever; What's Next?
Commentary  |  4/20/2021  | 
For all the chaos the pandemic caused, it also sparked awareness of how important an identity-centric approach is to securing today's organizations.
Beware the Bug Bounty
Commentary  |  4/20/2021  | 
In recent months, bug-bounty programs have shifted from mitigating risk to inadvertently creating new liabilities for customers and vendors.
Attackers Test Weak Passwords in Purple Fox Malware Attacks
Quick Hits  |  4/19/2021  | 
Researchers share a list of passwords that Purple Fox attackers commonly brute force when targeting the SMB protocol.
SolarWinds: A Catalyst for Change & a Cry for Collaboration
Commentary  |  4/19/2021  | 
Cybersecurity is more than technology or safeguards like zero trust; mostly, it's about collaboration.
High-Level Admin of FIN7 Cybercrime Group Sentenced to 10 Years in Prison
Quick Hits  |  4/16/2021  | 
Fedir Hladyr pleaded guilty in 2019 to conspiracy to commit wire fraud and conspiracy to commit computer hacking.
Security Gaps in IoT Access Control Threaten Devices and Users
News  |  4/16/2021  | 
Researchers spot problems in how IoT vendors delegate device access across multiple clouds and users.
How the Biden Administration Can Make Digital Identity a Reality
Commentary  |  4/16/2021  | 
A digital identity framework is the answer to the US government's cybersecurity dilemma.
Software Developer Arrested in Computer Sabotage Case
Quick Hits  |  4/15/2021  | 
Officials say Davis Lu placed malicious code on servers in a denial-of-service attack on his employer.
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
News  |  4/15/2021  | 
Treasury Department slaps sanctions on IT security firms that it says supported Russia's Foreign Intelligence Service carry out the attacks.
6 Tips for Managing Operational Risk in a Downturn
Commentary  |  4/15/2021  | 
Many organizations adjust their risk appetite in an economic downturn, as risk is expanded to include supplier and customer insolvency, not to mention cash-flow changes.
Nation-State Attacks Force a New Paradigm: Patching as Incident Response
Commentary  |  4/15/2021  | 
IT no longer has the luxury of thoroughly testing critical vulnerability patches before rolling them out.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41617
PUBLISHED: 2021-09-26
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with gro...
CVE-2021-3830
PUBLISHED: 2021-09-26
btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-21742
PUBLISHED: 2021-09-25
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.
CVE-2020-20508
PUBLISHED: 2021-09-24
Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field.
CVE-2020-20514
PUBLISHED: 2021-09-24
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.