Fortinet released security patches for a critical vulnerability (CVE-2023-37936) involving a hard-coded cryptographic key. This flaw lets remote, unauthorized attackers use the key to execute unauthorized code through specially crafted cryptographic requests. The use of hard-coded cryptographic key in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through …

A critical flaw in Google’s “Sign in with Google” system has put millions of Americans at risk of data theft. This vulnerability primarily impacts former employees of startups that have shut down. Truffle Security identifies that the issue arises from how Google’s OAuth login handles changes in domain ownership. When …

U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a second security flaw affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities (KEV) catalog, noting that it is actively being exploited. CVE-2024-12686 is a medium-severity vulnerability (CVSS score: 6.6) that could let an attacker …

Executive Summary: Native Resource Abuse: Threat actor dubbed Codefinger uses compromised AWS keys to encrypt S3 bucket data via SSE-C, leveraging AWS’s secure encryption infrastructure in a way that prevents recovery without their generated key. Irrecoverable Data Loss: AWS CloudTrail logs only an HMAC of the encryption key, which is …

India has made strides in cybersecurity by clarifying ministerial roles in September 2024 and implementing a National Security Directive that limits telecom infrastructure procurement to trusted sources. It is also considering similar protocols for other vital sectors like power. To address the shortage of cybersecurity professionals, the government is investing …

BGD e-GOV CIRT report highlights a recent surge in phishing attacks targeting Bangladeshi government organizations, law enforcement, and educational institutions. These attacks aim to steal sensitive information by impersonating official entities and using malicious attachments and links. Key details include: Target Sectors: Government organizations Law enforcement agencies Educational institutions Phishing …

A deceptive proof-of-concept exploit for CVE-2024-49113, known as “LDAPNightmare,” on GitHub spreads infostealer malware that steals sensitive data and sends it to an external FTP server. Trend Micro discovered a case where hackers trick users into infecting themselves with malware. Trend Micro reports a malicious GitHub repository that seems to …

In a sophisticated phishing campaign, uncovered cybercriminals are exploiting CrowdStrike’s recruitment branding to target developers and deploy the XMRig cryptominer. This scam uses fake job offers to trick victims into downloading harmful software disguised as an “employee CRM application.” The attack starts with a phishing email pretending to be from …

In October 2024, security researcher Ben Sadeghipour discovered a vulnerability in Facebook’s ad platform that allowed him to run commands on its internal server, giving him control over it. After Sadeghipour reported the vulnerability to Meta, Facebook’s parent company, it was fixed within an hour, and he received a $100,000 …

In 2025, malware attacks will persist. To prepare, organizations should familiarize themselves with common malware families. Here are five to focus on now. LockBit: LockBit is a major ransomware targeting Windows devices and is a significant threat in Ransomware-as-a-Service (RaaS) attacks. Its decentralized structure has allowed it to infiltrate high-profile …