IT Security Newsletter

IT Security Newsletter - 6/14/2023

Written by Cadre | Wed, Jun 14, 2023

Krebs on Security: Microsoft Patch Tuesday, June 2023 Edition

Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month's relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn't marred by the active exploitation of a zero-day vulnerability in Microsoft's products. READ MORE...

LastPass CEO reflects on lessons learned, regrets and moving forward from a cyberattack

Karim Toubba didn't have much of a honeymoon at LastPass. Less than four months after he joined the company as CEO, a cyberattack that would evolve into one of the most high-profile security blunders of 2022 was underway. While LastPass first notified customers of a compromise in August, it wasn't until days before last year came to a close that LastPass revealed a cloud-based backup of all customer vault data was stolen by a still-unidentified threat actor. READ MORE...

Switzerland under cyberattack

Swiss government websites are under DDoS attacks, but several ransomware gangs have also turned their sights on Swiss government organizations, cantonal governments, cities and companies in the last few months. "Several Federal Administration websites are/were inaccessible on Monday 12 June 2023, due to a DDoS attack on its systems," the Swiss National Cyber Security Centre (NCSC) said on Monday. "The Swiss government's portal remains accessible." READ MORE...

Patch Tuesday: Critical Flaws in Adobe Commerce Software

Silicon Valley software giant Adobe on Tuesday shipped patches for critical flaws in multiple products, including a dozen issues that expose Adobe Commerce users to code execution attacks. As part of its scheduled batch of Patch Tuesday updates, Adobe documented at least 12 security problems in the widely deployed Adobe Commerce (formerly Magento) product and warned that successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read. READ MORE...

ICS Patch Tuesday: Siemens Addresses Over 180 Third-Party Component Vulnerabilities

Siemens and Schneider Electric on Tuesday released a total of 16 advisories addressing well over 200 vulnerabilities affecting their industrial products. Siemens has released a dozen new advisories covering a total of roughly 200 vulnerabilities. A vast majority of these flaws impact third party components. Schneider Electric has released four new advisories covering a total of five vulnerabilities. READ MORE...

SAP Patches High-Severity Vulnerabilities With June 2023 Security Updates

SAP on Tuesday announced the release of eight new security notes as part of its June 2023 Security Patch Day, including two notes that address high-severity vulnerabilities. Five other notes were updated. The most important of SAP's new security notes resolves a stored cross-site scripting (XSS) bug in UI5 Variant Management. The issue can be exploited to gain user-level access to the UI5 Varian Management application and compromise confidentiality, integrity, and availability. READ MORE...

Gozi banking malware "IT chief" finally jailed after more than 10 years

Yesterday, we wrote about cybercrime charges that were finally unsealed for a massive cryptocurrency heist that was allegedly conducted over a three-year period starting back in 2011. Today's long-term cybercrime justice story concerns the last member of the so-called Gozi Troika, three men who were originally charged in January 2013 for malware-related crimes that apparently kicked off way back in the late 2000s: READ MORE...

Fake zero-day PoC exploits on GitHub push Windows, Linux malware

Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware. These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named 'High Sierra Cyber Security,' who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research. READ MORE...

WordPress Stripe payment plugin bug leaks customer order details

The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view order details placed through the plugin. WooCommerce Stripe Payment is a payment gateway for WordPress e-commerce sites, which currently has 900,000 active installations. It allows websites to accept payment methods such as Visa, MasterCard, American Express, Apple Pay, and Google Pay through Stripe's payment processing API. READ MORE...

  • ...in 1777, the Continental Congress adopts "The Stars and Stripes" as the flag of the United States of America.
  • ...in 1900, Hawaii becomes a United States territory.
  • ...in 1942, Anne Frank begins writing in the diary she received for her 13th birthday.
  • ...in 1951, UNIVAC I, the first US-produced commercial computer, is dedicated by the US Census Bureau.