Latest

Cyberwarfare / Nation-State Attacks

Senate SolarWinds Hearing: 4 Key Issues Raised

Rodrigo Figueroa  •  February 24, 2021

The Senate Intelligence Committee's hearing about the supply chain attack that affected SolarWinds and dozens of other companies and federal agencies answered some questions about what went wrong but also raised four key issues.

Endpoint Security

Cybersecurity Agencies Warn of Accellion Vulnerability Exploits

Doug Olenick  •  February 24, 2021

The cybersecurity agencies of five countries have issued a joint advisory warning that hackers are exploiting vulnerabilities in the Accellion File Transfer Appliance to steal data and execute ransomware. Australia's Transport for New South Wales and Canada's Bombardier are the latest victims to be revealed.

3rd Party Risk Management

Senators Grill Cybersecurity Execs on SolarWinds Attack

Doug Olenick  •  February 23, 2021

The CEOs of SolarWinds, Microsoft, FireEye and CrowdStrike rolled out a series of cybersecurity recommendations to a U.S. Senate panel Tuesday while detailing how foreign actors gained access into their firms' systems as a result of the SolarWinds supply chain attack.

Cybercrime

Silver Sparrow Malware Infects 30,000 Macs

Doug Olenick  •  February 23, 2021

A previously undetected malware variant has infected almost 30,000 Apple Macs. So far, however, researchers have not seen the code, called Silver Sparrow, deliver any malicious payloads to these endpoints, according to a new report.

Application Security

Fraudsters Using Telegram API to Harvest Credentials

Prajeet Nair  •  February 22, 2021

A newly-discovered phishing campaign posts harvested credentials using the Telegram messaging app's application programming interface to bypass secure email gateways, report researchers at the Cofense Phishing Defense Center.

Endpoint Security

Mobile Health App and API Security: Common Flaws

Marianne Kolbasuk McGee  •  February 22, 2021

Broken object level authorization, or BOLA, vulnerabilities are among the most common and worrisome weaknesses contained in dozens of mobile health applications used by patients and clinicians, posing security and privacy risks to health information, says cybersecurity researcher Alissa Knight.

Application Security

ENISA Highlights AI Security Risks for Autonomous Cars

Akshaya Asokan  •  February 20, 2021

Autonomous vehicle manufacturers are advised to adopt security-by-design models to mitigate cybersecurity risks, as artificial intelligence is susceptible to evasion and poisoning attacks, says a new ENISA report.

Cybercrime

New Malicious Adware Exploits Apple M1 Chip

Akshaya Asokan  •  February 20, 2021

A security researcher has uncovered what is believed to be the first-ever malware variant that can be successfully executed in Apple's M1 chips, its latest central processor unit for Mac computers.

Application Security

M&A Update: CrowdStrike to Acquire Humio for $400 Million

Doug Olenick  •  February 20, 2021

Security firms Crowdstrike, Palo Alto Networks and Sailpoint are making acquisitions to bolster their product portfolios. Here's a rundown of the deals.

3rd Party Risk Management

Analysis: Russia's Sandworm Hacking Campaign

Anna Delaney  •  February 19, 2021

This edition of the ISMG Security Report features an analysis of the impact of a hacking campaign linked to Russia’s Sandworm that targeted companies using Centreon IT monitoring software. Also featured: a discussion of CIAM trends; a critique of Bloomberg's update on alleged Supermicro supply chain hack.

Application Security

File-Sharing App SHAREit for Android Has Remote Code Flaw

Akshaya Asokan  •  February 17, 2021

A remote code vulnerability in the Android version of the file-sharing app SHAREit could allow hackers to tamper with the app's permissions, enabling them to steal sensitive data, reports security firm Trend Micro.

Governance & Risk Management

Microsoft Patches 12-Year-Old Vulnerability

Akshaya Asokan  •  February 16, 2021

Microsoft has patched a 12-year-old vulnerability in Microsoft Defender that, if exploited, could enable nonadministrative users to escalate privilege in the application. The patch was made after security firm SentinelOne recently notified Microsoft about the flaw.