In the aftermath of the SolarWinds hack, a better understanding of third-party hacks in any update that you provide to your colleagues, bosses, and even the board of directors may be warranted. Any such update that you provide on SolarWinds should certainly cover whether or not your organization is one of the 300,000 SolarWinds customers and whether or not you were one of the 18,000 or so that were using the specific version of Orion that was hacked (versions 2019.4 through 2020.2.1 HF1). READ MORE...
Threat actors are hacking verified Twitter accounts in an Elon Musk cryptocurrency giveaway scam that has recently become widely active. There is nothing new about cryptocurrency scams on Twitter, especially ones pretending to be giveaways from Elon Musk. In 2018, scammers raked in $180,000 using a successful Elon Musk giveaway scam promoted on Twitter. Over the past week, security researcher MalwareHunterTeam has seen an uptick in verified Twitter accounts hacked. READ MORE...
A researcher has launched Malvuln, a project that catalogues vulnerabilities discovered in malware and provides information on how those vulnerabilities can be exploited. Malvuln is the creation of security researcher John Page (aka hyp3rlinx), who told SecurityWeek that he came up with the idea when he got bored during a COVID-19 lockdown. The Malvuln website currently has 26 entries describing remotely exploitable buffer overflow vulnerabilities and privilege escalation flaws. READ MORE...
Facebook has taken legal action against the makers of malicious Chrome extensions used for scraping user-profiles and other information from Facebook's website and from users' systems without authorization. The two defendants developed and distributed the malicious browser extensions through the Chrome Web Store working under the "Oink and Stuff" business name. "They misled users into installing the extensions with a privacy policy that claimed they did not collect any personal information." READ MORE...
An undisclosed Cross-Site Scripting (XSS) vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Apache Velocity is a Java-based template engine used by developers for designing views in a Model-View-Controller (MVC) architecture. READ MORE...
The National Security Agency (NSA) on Wednesday published guidance for businesses on the adoption of an encrypted domain name system (DNS) protocol, specifically DNS over HTTPS. Designed to translate the domain names included in URLs into IP addresses, for an easier navigation of the Internet, DNS has become a popular attack vector, mainly because requests and responses are transmitted in plaintext. DNS over HTTPS, or DoH, aims to address this shortcoming by sending DNS requests over HTTPS. READ MORE...
Craft-beer aficionados relish the endless flavor variations that can be achieved by mixing and matching different varieties of hops, whether one favors refreshing citrus or fruity notes or something a bit more earthy or pine-scented. But some of the chemical compounds that contribute to those flavors are present in such trace amounts that it's difficult for brewers to measure and track them during the brewing process. Now German scientists have devised an automated, efficient method for doing just that. READ MORE...
Chinese authorities have held up two scientists sent to Wuhan, China, by the World Health Organization to investigate the origins of the novel coronavirus-yet another obstacle the Chinese government has thrown at the health agency's efforts to understand how the devastating pandemic began. The two scientists were traveling as part of an international team of 15 that has long been working to gain access to the city where the virus first emerged in late 2019. READ MORE...