CyberSecurity Updates

28 Dec

Netwrix Acquires Remediant for PAM Technology

Information, Malware, News

Data security software vendor Netwrix has acquired Remediant, an early-stage startup working on technology in the PAM (privileged access management) category. Financial terms of the acquisition were not disclosed.  Remediant, based in San Francisco and backed by Dell Technologies Capital and ForgePoint Capital, raised $15 million in Series A venture capital funding in August 2019. Remediant, founded in 2015 by security practitioners Paul Lanzi  and Tim Keeler, built a PAM software product that offered continuous…

Read More
28 Dec

EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer

Information, News

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States. The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University…

Read More
28 Dec

Log4Shell remains a big threat and a common cause for security breaches

Data Breaches, Malware, Social Engineering

The Log4Shell critical vulnerability that impacted millions of enterprise applications remains a common cause for security breaches a year after it received patches and widespread attention and is expected to remain a popular target for some time to come. Its long-lasting impact highlights the major risks posed by flaws in transitive software dependencies and the need for enterprises to urgently adopt software composition analysis and secure supply chain management practices Log4Shell, officially tracked as CVE-2021-44228,…

Read More
27 Dec

2022 in review: 10 of the year’s biggest cyberattacks

Information

The past year has seen no shortage of disruptive cyberattacks – here’s a round-up of some of the worst hacks and breaches that have impacted a variety of targets around the world in 2022 The past year has seen the global economy lurch from one crisis to another. As COVID-19 finally began to recede in many regions, what replaced it has been rising energy bills, soaring inflation and a resulting cost-of-living crisis – some of…

Read More
27 Dec

Critical “10-out-of-10” Linux kernel SMB hole – should you worry?

Information, Uncategorized

by Paul Ducklin Just before the Christmas weekend – in fact, at about the same time that beleaguered password management service LastPass was admitting that, yes, your password vaults were stolen by criminals after all – we noticed a serious-sounding Linux kernel vulnerability that hit the news. The alerts came from Trend Micro’s Zero Day Initiative (ZDI), probably best known for buying up zero-day security bugs via the popular Pwn2Own competitions, where bug-bounty hunting teams…

Read More
27 Dec

Threat Actor Accessed Unencrypted Customer Metadata, LastPass Reports

Attacks, Malware

The primary risk introduced by this breach is the combination of the unencrypted metadata with customer account information. With those two pieces of information, malicious actors can put together a profile of websites the exposed customers have accounts on, combine that with open source intelligence (OSINT) from social media, and perform activities such as spearphishing, vishing, or other social engineering techniques against employees. Additional social engineering awareness training may be effective over the next couple…

Read More
27 Dec

RisePro Infostealer Being Distributed Via Pay-Per-Install Service PrivateLoader

Attacks, Malware

Pay-per-install services aren’t new, but their presence usually indicates a reasonable degree of confidence by the service provider that their malware will provide the desired end state to their client. Primarily, companies should keep any Detection and Response systems (EDR/MDR/XDR/etc.) and Anti-Virus (AV) up-to-date to identify the latest detected malware campaigns. Additionally, netflow analysis and DNS monitoring can help detect command and control (C2) and data exfiltration, which requires an understanding of baseline user behavior…

Read More
27 Dec

EarSpy Attack Uses Speaker to Eavesdrop on Android Users

Attacks, Malware

Although this proof of concept (PoC) was crafted for academic proposes, it does establish that if an attacker were to trick a victim into downloading the right application, these types of data could be extracted from the victim’s phone calls. The researchers suggest that phone manufacturers should ensure sound pressure stays stable during calls and place the motion sensors in a position where internally originating vibrations are either leaving motion sensors unaffected, or at the…

Read More
27 Dec

Data of 400 Million Twitter Users for Sale as Irish Privacy Watchdog Announces Probe

Information, News

An individual is offering to sell the data of more than 400 million Twitter users, just as Ireland’s data protection watchdog has announced an investigation into the recent data leaks impacting the social media giant. On December 23, someone posted a message on a popular hacking forum announcing the sale of a database containing the names, usernames, email addresses, phone numbers and follower counts of over 400 million Twitter accounts. A sample of roughly 1,000…

Read More
27 Dec

CPRA explained: New California privacy law ramps up restrictions on data use

Data Breaches, Malware, Social Engineering

On January 1, 2023, 20, the California Privacy Rights Act (CPRA) will go into effect. Approved by ballot measure as Proposition 24 in November 2020, it created a new consumer data privacy agency and put California another step ahead of other states in terms of privacy productions for consumers—and data security requirements for enterprises. California already had a privacy law in place, the California Consumer Privacy Act (CCPA), adopted in 2018. It went into effect in…

Read More