On the first day of Pwn2Own Vancouver 2024, contestants demoed Windows 11, Tesla, and Ubuntu Linux zero-day vulnerabilities and exploit chains to win $732,500 and a Tesla Model 3 car. The competition started with Haboob SA's Abdul Aziz Hariri using an Adobe Reader exploit that combined an API restriction bypass and a command injection bug to gain code execution on macOS to earn $50,000.
The United States Federal Trade Commission (FTC) has warned the public to be cautious if contacted by people claiming to be... FTC staff. In a warning published on its website, the FTC said that scammers were using its employees' real names to steal money from consumers. A typical ruse will see the bogus FTC staffer advising someone to wire or transfer money to "protect" it, send a victim to a Bitcoin ATM, or even demand that they buy gold bars and take them to someone for "safe-keeping."
An emerging and unsophisticated threat actor is spreading various types of malware with accounting report lures in a phishing campaign that relies on readily available malicious and legitimate software for its success. The active phishing campaign by an actor tracked as Fluffy Wolf demonstrates how even largely unskilled threat actors can leverage malware-as-a-service (MaaS) models to conduct successful cyberattacks, according to researchers from digital risk management firm Bi.Zone.
The March 2024 Windows Server updates are causing some domain controllers to crash and restart, according to widespread reports from Windows administrators. Affected servers are freezing and rebooting because of a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with the March 2024 cumulative updates for Windows Server 2016 and Windows Server 2022.
Atlassian on Tuesday announced patches for two dozen vulnerabilities in Bamboo, Bitbucket, Confluence, and Jira products, including a critical-severity bug that could be exploited without user interaction. Tracked as CVE-2024-1597 (CVSS score of 10) and described as an SQL injection issue, the critical-severity flaw impacts the org.postgresql:postgresql third-party dependency of Bamboo Data Center and Server.
A malware campaign offering malware-as-a-service (MaaS) is targeting Android users based in India. According to Broadcom, the campaign distributes malicious APK packages and seeks out banking information, SMS messages, and other sensitive information from a victim's device. This campaign is actively being exploited and distributed under the guise of helpful apps like customer support services, online bookings, or billing and courier services.
Are you using the same passwords in multiple places online? Because if you use the same login credentials in different places online, you're behaving in a very risky way. If a cybercriminal breaches a system and steals the passwords used on one online service, you can bet your bottom dollar they won't waste any time before exploring if those same userid/password combinations might unlock other threats online.
Few Ars readers will have been surprised by the news from last week concerning General Motors' connected cars. As The New York Times reported, some owners of vehicles made by General Motors have been having a hard time getting car insurance. The reason? They unwittingly agreed to share their driving data with a third party. Now, at least one driver is suing. If more follow suit, this could be the push the industry needs to do better.
Ivanti has fixed a critical RCE vulnerability (CVE-2023-41724) in Ivanti Standalone Sentry that has been reported by researchers with the NATO Cyber Security Centre. Though the company is not aware of customers being compromised via the flaw, it "strongly encourages" them to implement the patch immediately. Ivanti Standalone Sentry is an appliance that acts as a gateway between devices and an organization's ActiveSync-enabled email servers or backend resource.
Cybersecurity firm Tenable on Thursday disclosed the details of a one-click vulnerability that could have been exploited to take complete control of user accounts on an AWS service. The vulnerability, named FlowFixation by Tenable, has been patched by AWS and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future.