The War Room

Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

Software Makers May Face Greater Liability in Wake of MOVEit Lawsuit

Makers of vulnerable apps that are exploited in wide-scale supply chain attacks need to improve software security or face steep fines and settlement fees.


Akira ransomware gang spotted targeting Cisco VPN products to hack organizations

The Akira ransomware gang targets Cisco VPN products to gain initial access to corporate networks and steal their data. The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the […]

The post Akira ransomware gang spotted targeting Cisco VPN products to hack organizations appeared first on Security Affairs.


Defense contractor Belcan leaks admin password with a list of flaws

US Government and defense contractor Belcan left its super admin credentials open to the public, Cybernews research team reveals. Belcan is a government, defense, and aerospace contractor offering global design, software, manufacturing, supply chain, information technology, and digital engineering solutions. The company, with reported revenue of $950 million in 2022, is a trusted strategic partner […]

The post Defense contractor Belcan leaks admin password with a list of flaws appeared first on Security Affairs.


Kim Dotcom’s Bitcache a US$13.5m Failure, Liquidator Report Reveals

Founded by Kim Dotcom in 2016, Bitcache was marketed as a groundbreaking blockchain microtransaction solution set to revolutionize a lot of very important crypto stuff; so invest now, before it's too late. Last month Bitcache Limited was put into liquidation. According to Dotcom, the company collapsed because a lawyer sent an invoice for the work he did for the company.

From: TF, for the latest news on copyright battles, piracy and more.


Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders.

In large metropolitan areas, tourists are often easy to spot because they're far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.


New HiatusRAT malware attacks target US Defense Department


In a new HiatusRAT malware campaign, threat actors have targeted a server belonging to the U.S. Department of Defense in what researchers described as a reconnaissance attack.

This is a significant shift in tactics, seeing that the attacks previously focused on organizations from Latin America and Europe, being deployed to compromise business-class DrayTek Vigor VPN routers used by medium-sized businesses for remotely connecting to corporate networks.

However, as Lumen's Black Lotus Labs observed, the campaign's reconnaissance efforts took an unexpected turn between mid-June and August. A U.S. military procurement system was also targeted, and Taiwan-based organizations were singled out as well.

HiatusRAT samples were recompiled for various architectures, ranging from Arm, Intel 80386, and x86-64 to MIPS, MIPS64, and i386, and hosted on newly acquired virtual private servers (VPSs).

One of these VPS nodes was used in a data transfer operation with a U.S. military server designated for contract proposals and submissions.

The website's affiliation with contract proposals suggests that the attackers might be seeking publicly accessible information about military requisites or trying to find information on Defense Industrial Base (DIB)-affiliated organizations.

"We suspect this actor was searching for publicly available resources related to current and future military contracts," Lumen's Black Lotus Labs said.

"Given that this website was associated with contract proposals, we suspect the objective was to obtain publicly available information about military requirements and searching for organizations involved in the Defense Industrial Base (DIB), potentially for subsequent targeting."

Image: New HiatusRAT campaign (Lumen Black Lotus Labs)

This campaign follows an earlier series of attacks where over a hundred businesses, mainly from Europe, North America, and South America, were infected with HiatusRAT to create a covert proxy network.

The malware is primarily used to install additional payloads on infected devices and convert the compromised systems into SOCKS5 proxies for command and control server communication.

"Despite prior disclosures of tools and capabilities, the threat actor took the most minor of steps to swap out existing payload servers and carried on with their operations, without even attempting to re-configure their C2 infrastructure," Lumen said.

As Lumen highlights, this shift in information collection and targeting preferences aligns with Chinese strategic interests, a connection emphasized by the 2023 ODNI annual threat assessment.

U.S. organizations have also been recently targeted in attacks linked to other Chinese-backed threat groups, including Volt Typhoon and Storm-0558.

"We suspect the HiatusRAT cluster serves as another example of tradecraft that could be applied against the U.S. Defense Industrial Base with a sense of impunity. We recommend defense contractors exercise caution and monitor their networking devices for the presence of HiatusRAT," Lumen concluded.


Windows 11 KB5029351 preview update released with Search fixes


Microsoft has released the optional August 2023 cumulative update for Windows 11, version 22H2, with fixes for several issues affecting the Search app.

KB5029351 is a monthly non-security preview update that enables Windows admins and users to test fixes and improvements scheduled for release with the forthcoming September 2023 Patch Tuesday rollout.

The update tackles an issue encountered after waking the system from sleep mode, where the Search app fails to launch when clicking the search icon.

Furthermore, it enhances the Search app's reliability while addressing an issue affecting the search box dimensions on Microsoft Surface Pro and Surface Book devices in tablet mode.

Notably, monthly "C" updates are optional; unlike Patch Tuesday releases, they do not come with security-related fixes.

To install the KB5029351 update, click the 'Download and install' button in Settings > Windows Update to check for new updates.

Alternatively, you can download it from the Microsoft Update Catalog and install it manually.

Other highlights in Windows 11 KB5029351

Today's optional update comes with additional fixes and improvements, with some of the most important ones listed below:

  • This update adds new functionality that affects app defaults.
  • This update addresses an issue that affects print jobs that are sent to a virtual print queue. They fail without an error.
  • This update addresses an issue that causes high CPU use. This occurs when you enable the "fBlockNonDomain" policy.
  • This update addresses an issue that affects disk partitions. The system might stop working. This occurs after you delete a disk partition and add the space from the deleted partition to an existing BitLocker partition.

The complete list of fixes and improvements can be found in the KB5029351 support bulletin.

With this update, Microsoft also introduced a new policy named "Enable optional updates," which gives admins better control of how monthly optional updates are installed on enterprise devices.

The same policy can be used to control the deployment of controlled feature rollouts (CFR) across endpoints.

A temporary fix is available for this issue, with Windows admins being advised to provision end-user devices before the Windows 11 22H2 upgrade to get around the provisioning issues.


When Leadership Style Is a Security Risk

Risk-aware leaders can be a cybersecurity advantage. Their flexible leadership style and emphasis on security first help set the tone and demonstrate a commitment to avoiding risk.


Microsoft Excel to let you run Python scripts as formulas


Microsoft is adding the Python programming language to Microsoft Excel, allowing users to create powerful functions for analyzing and manipulating data.

The public preview of the feature is now available to Microsoft 365 Insiders in the Beta channel, with the goal of ultimately rolling the feature out to Excel for Windows, starting with version 16.0.16818.2000.

However, even if you join the Microsoft 365 Insiders Beta channel to test the new feature, there is no guarantee that Python in Excel will be available, as Microsoft is rolling it out slowly to test the feature.

Python in Excel

The new Python in Excel feature brings a new 'PY' function that allows users to embed Python code directly in a cell to be executed like any macro or regular Excel function.

However, instead of running the Python scripts locally, Excel will execute the code in the cloud using a hypervisor-isolated container on Azure Container Instances. Microsoft says this container environment will include Python and a curated set of Anaconda libraries to prevent security issues.

These libraries include the data visualization and analysis tool 'pandas' and the visualization tool 'Matplotlib.'

As the Python scripts will run in an isolated container, they will not have access to any local resources, including the local network, computer, files, and a Microsoft 365 authentication token.

To embed a Python script in Excel, users will use the =PY() function to open a text area where they can enter the Python code they wish to execute.

The code is then executed in the cloud container, and the results are sent back and displayed in the worksheet. Microsoft says this is all done anonymously so that your Python code is not linked back to a particular user.

"Python in Excel makes it possible to natively combine Python and Excel analytics within the same workbook - with no setup required," Microsoft explains in an announcement.

"With Python in Excel, you can type Python directly into a cell, the Python calculations run in the Microsoft Cloud, and your results are returned to the worksheet, including plots and visualizations."

Image: Using the Python pandas library in Excel (Source: Microsoft)

Microsoft treats Python in Excel like other embedded scripting languages, automatically blocking them if a document contains a Mark of The Web (MoTW).

Windows automatically adds MoTW flags to all documents and executables downloaded from untrusted sources, such as the internet, using a special 'Zone.Identifier' alternate data stream.

These MoTW labels tell Windows, Microsoft Office, web browsers, and other apps that the file should be treated with suspicion, and they cause the document to be opened in Protected View, preventing the execution of macros and embedded Python scripts.

"If you open a workbook that contains Python code from the internet, Excel Protected View won't run Python formulas in the workbook. If a workbook is opened with Microsoft Defender Application Guard, Python formulas don't run by default," explains Microsoft.

To test Python in Excel, join the Microsoft 365 Insider Program and enroll in the Beta channel. However, as previously said, this feature may take some time to roll out to everyone.
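The Zone.Identifier stream mentioned above is a small INI-style text blob, so the Protected View decision the article describes can be reproduced with a short parser. The following code is an added example (not Microsoft's code and not from the article): it parses the stream, names the zone it records for all five Windows URL zones, applies the "Internet or Restricted means suspect" rule, and can read the stream off an NTFS file through the `file:Zone.Identifier` path syntax. The sample stream contents, the function names and the fail-closed treatment of a malformed stream are this example's own assumptions.

```python
"""Parse the Zone.Identifier stream that carries the Mark of the Web (MoTW)."""
from typing import Dict, Optional

# URL security zone numbers as Windows assigns them (URLZONE_* values).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what the stream looks like for a file saved by a browser.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/reports/\r\n"
    "HostUrl=https://example.com/reports/q2.xlsx\r\n"
)


def parse_zone_identifier(stream_text: str) -> Dict[str, Optional[object]]:
    """Parse the INI-style [ZoneTransfer] section.

    Keys are matched case-insensitively; a missing or non-numeric ZoneId is
    reported as None so the caller can decide how to treat a malformed stream.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone_id = int(fields["zoneid"]) if fields.get("zoneid", "").isdigit() else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": fields.get("referrerurl"),
        "host_url": fields.get("hosturl"),
    }


def should_open_in_protected_view(stream_text: Optional[str]) -> bool:
    """Apply the policy the article describes: Internet (3) and Restricted (4) files are suspect.

    No stream at all means no MoTW, so the file is treated as local. A stream
    that is present but unparseable is treated as suspect (fail closed); that
    choice is this example's own assumption, not documented Office behaviour.
    """
    if stream_text is None:
        return False
    zone_id = parse_zone_identifier(stream_text)["zone_id"]
    return zone_id is None or zone_id >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the stream from an NTFS file using the 'file:Zone.Identifier' path syntax.

    Returns None when the file has no such stream or the filesystem has no
    alternate data streams (on Linux the open() simply fails).
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {info['zone_id']} ({info['zone_name']}), from {info['host_url']}")
    print("Protected View:", should_open_in_protected_view(SAMPLE_STREAM))
```

On a Windows host, `read_zone_identifier(r"C:\Users\me\Downloads\q2.xlsx")` returns the raw stream text (or None), which can then be fed to the two functions above; the same ADS is what Office consults before deciding on Protected View.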


Akira ransomware targets Cisco VPNs to breach organizations


There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data.

Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.

Cisco VPN solutions are widely adopted across many industries to provide secure, encrypted data transmission between users and corporate networks, typically used by remotely working employees.

Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away.

Akira targets Cisco VPNs

Sophos first noted Akira's abuse of VPN accounts in May, when researchers stated that the ransomware gang breached a network using "VPN access using Single Factor authentication."

However, an incident responder, known as 'Aura,' shared further information on Twitter on how they responded to multiple Akira incidents that were conducted using Cisco VPN accounts that weren't protected by multi-factor authentication.

Image: Aura's tweet

In a conversation with BleepingComputer, Aura stated that due to the lack of logging in Cisco ASA, it remained unclear if Akira brute-forced the VPN account credentials or if they bought them on dark web markets.

A SentinelOne report shared privately with BleepingComputer and focusing on the same attack method presents the possibility of Akira exploiting an unknown vulnerability in Cisco VPN software that might be able to bypass authentication in the absence of MFA.

SentinelOne found evidence of Akira using Cisco VPN gateways in leaked data posted on the group's extortion page and observed Cisco VPN-related traits in at least eight cases, indicating this is part of an ongoing attack strategy by the ransomware gang.

Image: Cisco VPN trait seen in eight Akira attacks (Source: SentinelOne)

Remote RustDesk access

Additionally, SentinelOne's analysts observed Akira using the RustDesk open-source remote access tool to navigate compromised networks, making them the first ransomware group known to abuse the software.

Because RustDesk is a legitimate tool, its presence is unlikely to raise any alarms, so it can offer stealthy remote access to breached computers.

Other benefits that arise from using RustDesk include:

  • Cross-platform operation on Windows, macOS, and Linux, covering Akira's full targeting range.
  • P2P connections are encrypted and hence less likely to be flagged by network traffic monitoring tools.
  • Supports file transfer which can facilitate data exfiltration, streamlining Akira's toolkit.

Other TTPs observed by SentinelOne in Akira's latest attacks include SQL database access and manipulation, disabling firewalls and enabling RDP, disabling LSA Protection, and disabling Windows Defender.

These not-so-subtle changes are performed after the attackers establish their presence in the environment and are ready to proceed to the final phases of their attack.
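The changes listed above (LSA Protection off, RDP switched on, Defender and the firewall disabled) and the arrival of RustDesk all leave traces in endpoint telemetry, which is where a defender can catch them before the final phase. The detection below is an added example, not SentinelOne's or BleepingComputer's code: it runs a small rule set over constructed Sysmon-style events (Event ID 13 registry value set, Event ID 1 process creation). The event shape, the sample events and the finding strings are this example's assumptions; the registry locations are the documented Windows policy values for those settings.

```python
"""Flag the post-access changes and RustDesk launches described above in Sysmon-style events."""
import re
from typing import Dict, Iterable, List, Optional

# Assumption of this example: events are dicts shaped like Sysmon Event ID 13
# (registry value set: TargetObject, Details, Image) and Event ID 1 (process
# creation: Image, User). A real pipeline would feed parsed EVTX or JSON here.

# Registry value -> (DWORD value that matches the TTP, finding label).
# These are the documented Windows locations for the settings the article names.
REGISTRY_RULES = {
    r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL":
        (0, "LSA Protection disabled"),
    r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections":
        (0, "RDP enabled"),
    r"HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware":
        (1, "Windows Defender disabled by policy"),
    r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall":
        (0, "Windows Firewall (standard profile) disabled"),
}
# Legitimate remote access tools the article says Akira abused.
REMOTE_ACCESS_TOOLS = {"rustdesk.exe"}

# Sysmon renders DWORD registry data as "DWORD (0x0000000N)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]{8})\)")


def _dword(details: Optional[str]) -> Optional[int]:
    match = DWORD_RE.search(details or "")
    return int(match.group(1), 16) if match else None


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(event: Dict) -> List[str]:
    """Return human-readable findings for one event (empty list if nothing matched)."""
    findings: List[str] = []
    event_id = event.get("EventID")
    if event_id == 13:
        target = event.get("TargetObject", "")
        for key, (bad_value, label) in REGISTRY_RULES.items():
            # Registry paths are case-insensitive; the written value must match too,
            # so turning RDP *off* (fDenyTSConnections=1) is not a finding.
            if target.lower() == key.lower() and _dword(event.get("Details")) == bad_value:
                findings.append(f"{label}: {target} written by {event.get('Image')}")
    elif event_id == 1:
        image = event.get("Image", "")
        if _basename(image) in REMOTE_ACCESS_TOOLS:
            findings.append(f"Remote access tool launched: {image} by {event.get('User')}")
    return findings


def scan(events: Iterable[Dict]) -> List[str]:
    """Run every event through the rules and collect the findings."""
    findings: List[str] = []
    for event in events:
        findings.extend(evaluate_event(event))
    return findings


# Constructed sample telemetry: two tamper events, one benign registry write,
# one benign process start and one RustDesk launch from a user profile.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\rustdesk.exe", "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The rules deliberately key on the written value, not just the key path, because the same keys are touched by legitimate administration; in a real deployment the RustDesk rule would also want a hash or signer check, since a renamed binary defeats a basename match.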

In late June 2023, Avast released a free decryptor for Akira ransomware. However, the threat actors have patched their encryptors since then, and Avast's tool will only help victims of older versions.


Carderbee hacking group hits Hong Kong orgs in supply chain attack


A previously unidentified APT hacking group named 'Carderbee' was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets' computers with the PlugX malware.

Symantec reports that the legitimate software used in the supply chain attack is Cobra DocGuard, created by Chinese developer 'EsafeNet' and used in security applications for data encryption/decryption.

The fact that Carderbee uses PlugX, a malware family widely shared among Chinese state-backed threat groups, indicates that this novel group is likely linked to the Chinese threat ecosystem.

A supply chain attack

Symantec's researchers spotted the first signs of Carderbee activity in April 2023. However, an ESET report from September 2022 highlights a malicious update in Cobra DocGuard being used as the initial compromise point, so the threat actor's activity might date back to September 2021.

Symantec said they saw the Cobra DocGuard software installed on 2,000 computers but only observed malicious activity in 100, indicating that the threat actors only further compromised high-value targets.

For those targeted devices, Carderbee used the DocGuard software updater to deploy a range of malware strains, including PlugX. However, it remains unclear how the threat actors were able to conduct the supply chain attack using the legitimate updater.

The updates arrive in the form of a ZIP file fetched from "cdn.streamamazon[.]com/update.zip," which is decompressed to execute "content.dll," which acts as a malware downloader.

Interestingly, the downloader for PlugX malware is digitally signed using a certificate from Microsoft, specifically Microsoft Windows Hardware Compatibility Publisher, making detecting the malware more challenging.

Microsoft disclosed in December 2022 that hackers abused Microsoft hardware developer accounts to sign malicious Windows drivers and post-compromise rootkits.

The malicious DLL pushed by Carderbee also contains x64 and x86 drivers, used to create the Windows services and registry entries required for persistence.

Eventually, PlugX is injected into the legitimate 'svchost.exe' (Service Host) Windows system process to evade AV detection.

The PlugX sample seen by Symantec in these attacks features the following capabilities:

  • Command execution via CMD
  • File enumeration
  • Checking running processes
  • File downloading
  • Firewall ports opening
  • Keylogging

Symantec says Carderbee's exact targeting scope remains murky. While links to the 'Budworm' group are likely based on the collected evidence, the extent of their relationship remains unclear.

The use of a supply chain attack and signed malware makes this new threat very stealthy, and the selective deployment of malware indicates high-level preparation and reconnaissance.


Hitachi Energy AFF66x

1. EXECUTIVE SUMMARY

  • CVSS v3 9.6
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: AFF66x
  • Vulnerabilities: Cross-site Scripting, Use of Insufficiently Random Values, Origin Validation Error, Integer Overflow or Wraparound, Uncontrolled Resource Consumption, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the availability, integrity, and confidentiality of the targeted devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports these vulnerabilities affect the following AFF660/665 products:

  • AFF660/665: Firmware 03.0.02 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo could lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, application crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.

CVE-2021-43523 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must rely on unauthenticated IPv4 time sources. There must be an off-path attacker who could query time from the victim's ntpd instance.

CVE-2020-13817 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.2.3 ORIGIN VALIDATION ERROR CWE-346

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

CVE-2020-11868 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 INTEGER OVERFLOW OR WRAPAROUND CWE-190

The TCP_SKB_CB(skb)->tcp_gso_segs value is subject to an integer overflow in the Linux kernel when handling TCP selective acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit.

CVE-2019-11477 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A vulnerability named "non-responsive delegation attack" (NRDelegation attack) has been discovered in various DNS resolving software. The NRDelegation attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack could cause a resolver to spend time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It could trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, which could lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but still requires resources to resolve the malicious delegation. Unbound will continue to try to resolve the record until it reaches hard limits. Based on the nature of the attack and the replies, Unbound could reach different limits. From version 1.16.3 on, Unbound introduces fixes for better performance when under load by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.

CVE-2022-3204 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6 NULL POINTER DEREFERENCE CWE-476

snmp_oid_compare in snmplib/snmp_api.c in NetSNMP before 5.8 has a NULL pointer exception bug that an unauthenticated attacker could use to remotely cause the instance to crash via a crafted UDP packet, resulting in denial of service.

CVE-2018-18066 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends the following actions:

  • Update to the upcoming AFF660/665 FW 04.6.01 release when available.
  • Configure only trusted DNS server(s).
  • Configure the NTP service with redundant trustworthy sources of time.
  • Restrict TCP/IP-based management protocols to trusted IP addresses.
  • Disable the SNMP server (the CLI and web interface will continue to function, as they use an internal connection).

Hitachi Energy recommends the following general mitigations:

  • Recommended security practices and firewall configurations could help protect a process control network from attacks originating from outside the network.
  • Physically protect process control systems from direct access by unauthorized personnel.
  • Ensure process control systems have no direct connections to the internet and are separated from other networks via a firewall system with minimal exposed ports.
  • Do not use process control systems for internet surfing, instant messaging, or receiving emails.
  • Scan portable computers and removable storage media for malware prior to connection to a control system.

For more information, see Hitachi Energy's Security Advisory: 8DBD000167.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.


Trane Thermostats

1. EXECUTIVE SUMMARY

  • CVSS v3 6.8
  • ATTENTION: Low attack complexity
  • Vendor: Trane
  • Equipment: XL824, XL850, XL1050, and Pivot thermostats
  • Vulnerability: Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root using a specially crafted filename.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Trane reports this vulnerability affects the following thermostats:

  • Trane Technologies XL824 Thermostat: Firmware versions 5.9.8 and earlier
  • Trane Technologies XL850 Thermostat: Firmware versions 5.9.8 and earlier
  • Trane Technologies XL1050 Thermostat: Firmware versions 5.9.8 and earlier
  • Trane Technologies Pivot Thermostat: Firmware versions 1.8 and earlier

3.2 VULNERABILITY OVERVIEW

3.2.1 INJECTION CWE-74

A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats, allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.

CVE-2023-4212 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Houlton McGuinn reported this vulnerability to Trane.

4. MITIGATIONS

Trane Technologies has pushed the patch out to all affected devices. As soon as a device is connected to the internet, it checks for a new firmware version; if a new version is available, the device downloads and installs it. Other than connecting the device to the internet, no user interaction is required.

Users who want to verify that they received the patch for this vulnerability can check that the firmware version is greater than what is listed above by navigating to the "About" screen on the thermostat: Menu > System Info > About.

For more information, users may contact their local Trane sales office.

Trane has published a service database article on their website (login required).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.


Ivanti warns customers another zero-day is under active attack

U.S. software giant Ivanti has scrambled to patch another zero-day vulnerability under active attack. The vulnerability, tracked as CVE-2023-38035 with a vulnerability severity rating of 9.8 out of 10, affects the software company’s Sentry product. Ivanti Sentry (formerly MobileIron Sentry) is a mobile gateway designed to manage, encrypt, and secure network traffic between employee devices […]


TP-Link Smart Bulb Vulnerabilities Expose Households to Hacker Attacks

Vulnerabilities in the TP-Link Tapo L530E smart bulb and accompanying mobile application can be exploited to obtain the local Wi-Fi password.

The post TP-Link Smart Bulb Vulnerabilities Expose Households to Hacker Attacks appeared first on SecurityWeek.


The Physical Impact of Cyberattacks on Cities

Understanding potential threats and regularly updating response plans are the best lines of defense in the new world of cyberattacks.


Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries

Cris Thomas, also known as Space Rogue, was a founding member of the Lopht Heavy Industries hacker collective.

The post Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries appeared first on SecurityWeek.


US Military Targeted in Recent HiatusRAT Attack

The threat actor behind HiatusRAT was seen performing reconnaissance against a US military procurement system in June 2023.

The post US Military Targeted in Recent HiatusRAT Attack appeared first on SecurityWeek.


TP-Link Smart Bulb Users at Risk of WiFi Password Theft

By Habiba Rashid

TP-Link Tapo L530E Smart Bulb found vulnerable, putting user WiFi credentials at risk.

This is a post from HackRead.com Read the original post: TP-Link Smart Bulb Users at Risk of WiFi Password Theft


Ransomware Group Starts Leaking Data From Japanese Watchmaking Giant Seiko

The BlackCat/ALPHV ransomware group has started publishing data allegedly stolen from Japanese watchmaking giant Seiko.

The post Ransomware Group Starts Leaking Data From Japanese Watchmaking Giant Seiko appeared first on SecurityWeek.


Australian Energy Software Firm Energy One Hit by Cyberattack

Energy One, an Australian company that provides software products and services to the energy sector, has been hit by a cyberattack.

The post Australian Energy Software Firm Energy One Hit by Cyberattack appeared first on SecurityWeek.


'Cuba' Ransomware Group Uses Every Trick in the Book

How a Russian cybercrime group using Cuban Revolution references and iconography has emerged as one of the most profitable ransomware operations.


CISOs Tout SaaS Cybersecurity Confidence, But 79% Admit to SaaS Incidents, New Report Finds

A new State of SaaS Security Posture Management Report from SaaS cybersecurity provider AppOmni indicates that Cybersecurity, IT, and business leaders alike recognize SaaS cybersecurity as an increasingly important part of the cyber threat landscape. And at first glance, respondents appear generally optimistic about their SaaS cybersecurity. Over 600 IT, cybersecurity, and business leaders at


Applying AI to License Plate Surveillance

License plate scanners aren’t new. Neither is using them for bulk surveillance. What’s new is that AI is being used on the data, identifying “suspicious” vehicle behavior:

Typically, Automatic License Plate Recognition (ALPR) technology is used to search for plates linked to specific crimes. But in this case it was used to examine the driving patterns of anyone passing one of Westchester County’s 480 cameras over a two-year period. Zayas’ lawyer Ben Gold contested the AI-gathered evidence against his client, decrying it as “dragnet surveillance.”

And he had the data to back it up. A FOIA he filed with the Westchester police revealed that the ALPR system was scanning over 16 million license plates a week, across 480 ALPR cameras. Of those systems, 434 were stationary, attached to poles and signs, while the remaining 46 were mobile, attached to police vehicles. The AI was not just looking at license plates either. It had also been taking notes on vehicles’ make, model and color—useful when a plate number for a suspect vehicle isn’t visible or is unknown.


Cyberattack on UK IT Firm Swan Retail Affects 300 Retailers

By Deeba Ahmed

Hundreds of impacted retailers could not process payments, complete orders, or trade online due to the attack on Swan Retail.

This is a post from HackRead.com Read the original post: Cyberattack on UK IT Firm Swan Retail Affects 300 Retailers
