News

Prove Identity, a late-stage startup with roots in the ecommerce mobile payments space, on Tuesday closed a $40 million funding round as it continues a major pivot to the digital identity verification and authentication market. The New York-based company, previously known as Payfone, said the latest investment round led by MassMutual Ventures and Capital One Ventures.  To date, Prove Identity has raised more than $215 million and rebranded itself as an enterprise vendor targeting banks, retailers…

Privacy-focused messaging firm Signal is pouring cold water on widespread rumors of a zero-day exploit in its popular encrypted chat app. “We have seen the vague viral reports alleging a Signal 0-day vulnerability. After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels,” Signal said late Sunday night. Rumors of a Signal zero-day started circulating over the weekend with what…

The US cybersecurity agency CISA is stepping up its efforts to prevent ransomware by making it easier for organizations to learn about vulnerabilities and misconfigurations exploited in these attacks. As part of its Ransomware Vulnerability Warning Pilot (RVWP) program launched in March, the agency has released two new resources to help organizations identify and eliminate security flaws and weaknesses known to be exploited by ransomware groups. “Through the RVWP, CISA determines vulnerabilities that are commonly…

Networking equipment manufacturer Juniper Networks on Thursday announced patches for more than 30 vulnerabilities in Junos OS and Junos OS Evolved, including nine high-severity flaws. The most severe of these issues is an incorrect default permissions bug that allows an unauthenticated attacker with local access to a vulnerable device to create a backdoor with root privileges. Tracked as CVE-2023-44194 (CVSS score of 8.4), the flaw exists because a certain system directory has improper permissions associated…

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar. We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape. Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and…

The maintainers of the cURL data transfer project on Wednesday rolled out patches for a severe memory corruption vulnerability that exposes millions of enterprise OSes, applications and devices to malicious hacker attacks. According to an high-risk bulletin, the flaw poses a direct threat to the SOCKS5 proxy handshake process in cURL and can be exploited remotely in some non-standard configurations. The bug, tracked as CVE-2023-38545, exists in the libcurl library that handles data exchange between…

Microsoft’s security response team on Tuesday pushed out a massive batch of software and OS updates to cover more than 100 vulnerabilities across the Windows ecosystem and warned that three of the flaws are already being exploited in the wild. As part of the scheduled batch of Patch Tuesday fixes, Microsoft joined with tech giants AWS, Google and Cloudflare to address the ‘HTTP/2 Rapid Reset’ zero-day (see separate SecurityWeek coverage) that exposed the internet to…

A recently patched vulnerability affecting a plugin associated with the Newspaper and Newsmag themes has been exploited to hack thousands of WordPress websites as part of a long-running campaign named Balada Injector, GoDaddy-owned web security firm Sucuri warned on Friday. The exploited vulnerability, tracked as CVE-2023-3169, was discovered by a Vietnamese researcher in the TagDiv Composer front-end page builder plugin of the Newspaper and Newsmag premium themes, which have been sold nearly 140,000 times. The…