IT Security Newsletter

IT Security Newsletter - 10/9/2024

Written by Cadre | Wed, Oct 9, 2024

Patch Tuesday, October 2024 Edition

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools. One of the zero-day flaws stems from a security weakness in MSHTML, the proprietary engine of Microsoft's Internet Explorer web browser.

AI girlfriend site breached, user fantasies stolen

A hacker has stolen a massive database of users' interactions with their sexual partner chatbots, according to 404 Media. The breached service, Muah.ai, describes itself as a platform that lets people engage in AI-powered companion NSFW chat, exchange photos, and even have voice chats. As you can imagine, data like this is very sensitive, so the site assures customers that communications are encrypted and says it doesn't sell any data to third parties.

Credit monitoring and supply chain risk company hacked

Hackers stole sensitive employee data from a software-as-a-service company that advises consumers on trade credit and provides supply chain risk monitoring, according to a Securities and Exchange Commission filing. CreditRiskMonitor.com said on Tuesday that hackers got away with an unspecified amount of data between July 9 and July 17. The pilfered files included personally identifiable information of employees and independent contractors, but do not include customer data, CreditRiskMonitor noted.

5 Zero-Days in Microsoft's October Update to Patch Immediately

Microsoft's October security update addressed a substantial 117 vulnerabilities, including two actively exploited flaws and three publicly disclosed but as yet unexploited bugs. The update is the third largest so far this year in terms of disclosed CVEs, after April's 147 CVEs and July's set of 139 flaws. A plurality of the bugs (46) enables remote code execution (RCE), and 28 others give threat actors a way to elevate privileges.

Two never-before-seen tools, from same group, infect air-gapped devices

Researchers have unearthed two sophisticated toolsets that a nation-state hacking group, possibly from Russia, used to steal sensitive data stored on air-gapped devices, meaning those that are deliberately isolated from the Internet or other networks to safeguard them from malware. One of the custom tool collections was used starting in 2019 against a South Asian embassy in Belarus. A largely different toolset created by the same threat group infected an EU government organization three years later.

How foreign influence campaigns manipulate your social media feeds

Foreign influence campaigns, or information operations, have been widespread in the run-up to the 2024 US presidential election. Influence campaigns are large-scale efforts to shift public opinion, push false narratives, or change behaviors among a target population. Russia, China, Iran, Israel, and other nations have run these campaigns by exploiting social bots, influencers, media companies, and generative AI.

Ivanti warns of three more CSA zero-days exploited in attacks

American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks. As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September. Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and more.

30% of customer-facing APIs are completely unprotected

70% of customer-facing APIs are secured using HTTPS, leaving nearly one-third of these APIs completely unprotected, according to F5. This is a stark contrast to the 90% of web pages that are now accessed via HTTPS, following the push for secure web communications over the past decade. The average organization now manages 421 different APIs, with most hosted in public cloud environments.

  • ...in 1919, the Cincinnati Reds win the World Series after eight members of the Chicago White Sox throw the game, resulting in the infamous "Black Sox" Scandal.
  • ...in 1962, the visible light-emitting diode (LED), now the basis for most modern video, computer, and phone screens, is first demonstrated in Syracuse, New York.
  • ...in 1964, Mexican-American film director Guillermo del Toro ("The Shape of Water", "Pan's Labyrinth") is born in Guadalajara.
  • ...in 1980, Pope John Paul II greets the Dalai Lama during a private audience in Vatican City.