News

Cloud risk management and threat detection firm Rapid7 warns that it has seen organizations being compromised in attacks exploiting a recently patched Zoho ManageEngine vulnerability. Tracked as CVE-2022-47966, the security defect exists in a third-party dependency (Apache xmlsec, also known as XML Security for Java, version 1.4.1), allowing attackers to execute arbitrary code remotely without authentication. Deemed ‘critical severity’, the issue was brought to light in November 2022, when Zoho announced that patches were released…

Read More

A sophisticated ad fraud scheme that spoofed over 1,700 applications and 120 publishers peaked at 12 billion ad requests per day before being taken down, bot attack prevention firm Human says. Dubbed VastFlux, the scheme relied on JavaScript code injected into digital ad creatives, which resulted in fake ads being stacked behind one another to generate revenue for the fraudsters. More than 11 million devices were impacted in the scheme. The JavaScript code used by…

Read More

Wireless carrier T-Mobile on Thursday fessed up to another massive data breach affecting  approximately 37 million current postpaid and prepaid customer accounts. In a filing with the Security and Exchange Commission (SEC), T-Mobile said that an unidentified malicious actor abused an API without authorization to access customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan…

Read More

A top U.S. intelligence official on Thursday urged Congress to renew sweeping powers granted to American spy agencies to surveil and examine communications, saying they were critical to stopping terrorism, cyberattacks and other threats. The remarks by Army Gen. Paul Nakasone, director of the National Security Agency, opened what’s expected to be a contentious debate over provisions of the Foreign Intelligence Surveillance Act that expire at year’s end. The bipartisan consensus in favor of expanded…

Read More

Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. An open-source web-based network monitoring and graphing tool that offers an operational monitoring and fault management framework, Cacti is a front-end application for the data logging utility RRDtool. In early December 2022, the tool’s maintainers announced patches for CVE-2022-46169, a critical-severity (CVSS score 9.8) command injection flaw that could allow unauthenticated attackers to execute code…

Read More

Security researchers are observing exploitation attempts targeting a critical Control Web Panel (CWP) vulnerability, following the publication of proof-of-concept (PoC) code in early January. Formerly CentOS Web Panel, CWP is a popular, free web hosting panel for enterprise-based Linux systems, offering support for the management and security of both servers and clients. Tracked as CVE-2022-44877 (CVSS score of 9.8), the exploited vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) on impacted systems. The…

Read More