CyberSecurity Updates

05 May

Azure API Management flaws highlight server-side request forgery risks in API development

Data Breaches, Malware, Social Engineering

Microsoft recently patched three vulnerabilities in its Azure API Management service, two of which enabled server-side request forgery (SSRF) attacks that could have allowed hackers to access internal Azure assets. The proof-of-concept exploits serve to highlight common errors that developers could make when trying to implement blacklist-based restrictions for their own APIs and services. Web APIs have become an integral part of modern application development, especially in the cloud. They allow services to communicate and…

Read More
05 May

Orca integrates cloud app security platform with GPT-4

Data Breaches, Malware, Social Engineering

Agentless cloud security provider Orca Security has integrated Microsoft Azure OpenAI GPT-4 into its cloud-native application protection platform (CNAPP) under the ChatGPT implementation program that the cybersecurity company started earlier this year. “With our transition to Azure OpenAI, our customers benefit from the security, reliability, and enterprise level support that Microsoft provides,” said Avi Shua, chief innovation officer and co-founder of Orca Security.  “By integrating GPT-4 into Orca Security’s CNAPP platform, security practitioners can instantly…

Read More
05 May

Pro-Russian Hackers Claim Downing of French Senate Website

Information, News

The French Senate’s website was offline on Friday after pro-Russian hackers claimed to have taken it down, in just the latest such cyberattack since Russia invaded Ukraine last year. “Access to the site has been disrupted since this morning,” the upper house of Parliament said on Twitter shortly before midday, saying a team was busy fixing the problem. A group calling itself NoName on Telegram claimed responsibility, saying it had acted because “France is working…

Read More
05 May

Microsoft patches 3 vulnerabilities in Azure API Management

Data Breaches, Malware, Social Engineering

Microsoft has patched three new vulnerabilities in the Azure API Management service which includes two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic. The vulnerabilities were achieved through url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, Ermetic said. The cybersecurity firm identified the vulnerabilities in December and Microsoft patched them in January. The Azure API…

Read More
05 May

IOTW: Former Uber CSO charged with concealing data breach

Attacks, Data Breaches

Former Uber CSO, Joe Sullivan, has been sentenced to three years’ probation for his involvement in covering up a data breach in 2016 that affected 57 million Uber users. Sullivan was convicted on October 5 of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with his attempts to cover up the hack. US district judge William Orrick sentenced Sullivan on May 4 to three years’ probation and 200…

Read More
05 May

Google launches entry-level cybersecurity certificate to teach threat detection skills

Data Breaches, Malware, Social Engineering

Google has announced a new entry-level cybersecurity certificate to teach learners how to identify common risks, threats, and vulnerabilities, as well as the techniques to mitigate them. Designed and taught by Google’s cybersecurity experts, the Google Cybersecurity Certificate aims to prepare learners for entry-level jobs in cybersecurity in less than six months with no prior experience required, create greater opportunities for people around the world, and help fill the growing number of open cyber roles,…

Read More
05 May

The top 8 password attacks and how to defend against them

Attacks, Data Breaches

Did you know that the very first password attack happened in 1962? At that time, MIT’s CTSS (Compatible Time-Sharing System) was the first to utilize passwords for granting individual access. Allen Scherr, a Ph.D. researcher, wanted to use the CTSS beyond his allocated weekly hours. In order to extend his usage time, he decided to borrow passwords from other people. Scherr managed to obtain all the passwords stored in the CTSS system by submitting a…

Read More
05 May

The Merck appeal: cyber insurance and the definition of war

Data Breaches, Malware, Social Engineering

Pharmaceutical firm Merck recently won an appeal that could mean its insurers will have to pay up on a $1.4-billion judgment related to the NotPetya cyberattack in 2017. The New Jersey appellate division judges hearing the appeal judge noted that the plain definition of war applies to the various insurance policies and that a cyberattack against an accounting firm not engaged in hostilities, while criminal and based on ill-will, was not tantamount to an act…

Read More
04 May

$10M Is Yours If You Can Get This Guy to Leave Russia

Information, Insights

The U.S. government this week put a $10 million bounty on a Russian man who for the past 18 years operated Try2Check, one of the cybercrime underground’s most trusted services for checking the validity of stolen credit card data. U.S. authorities say 43-year-old Denis Kulkov‘s card-checking service made him at least $18 million, which he used to buy a Ferrari, Land Rover, and other luxury items. Denis Kulkov, a.k.a. “Nordex,” in his Ferrari. Image: USDOJ.…

Read More
04 May

Patch manager Action1 to add vulnerability discovery, prioritization

Data Breaches, Malware, Social Engineering

Cloud-native, patch-management application provider Action1 is set to add vulnerability discovery and prioritization capabilities to its namesake flagship platform to help businesses stay ahead of software exploits. The plan is part of a company strategy to expand beyond its traditional patch management features and add capabilities aimed at enhancing an organization’s resilience to cybersecurity threats. “The new features will enable customers to see beyond what is patchable into what is actually vulnerable,” said Mike Walters,…

Read More