Month: November 2022

A callback phishing extortion campaign by Luna Moth (aka Silent Ransom Group) has targeted businesses in multiple sectors, including legal and retail. The findings come from Palo Alto Network’s security team Unit 42, which described the campaign in a new advisory published earlier today. “This campaign leverages extortion without encryption, has cost victims hundreds of

Over 1500 apps have been found leaking the Algolia API key & Application ID, potentially exposing user data. Security researchers at CloudSEK shared the data with Infosecurity before publication, adding that 32 of the above applications were found to have critical Admin secrets hardcoded and that the team had identified 57 unique admin keys so far.

by Paul Ducklin Phishing scams that try to trick you into putting your real password into a fake site have been around for decades. As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because: Password managers

On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) published the final part of its three-section series on securing the software supply chain. The publication, which follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers, provides recommended practices for customers to ensure the integrity and

by Paul Ducklin Remember those Exchange zero-days that emerged in a blaze of publicity back in September 2022? Those flaws, and attacks based on them, were wittily but misleadingly dubbed ProxyNotShell because the vulnerabilities involved were reminiscent of the ProxyShell security flaw in Exchange that hit the news in August 2021. Fortunately, unlike ProxyShell, the

The US authorities have urged all agencies to patch VMware systems after revealing that Iranian state-backed actors exploited the Log4Shell bug to compromise a government organization. The alert from the Cybersecurity and Infrastructure Security Agency (CISA) claimed the unnamed Federal Civilian Executive Branch (FCEB) organization was compromised as long ago as February 2022. An incident

The PCI Security Standards Council (PCI SSC) has published a new standard designed to improve the security of mobile-based payments and ease compliance efforts. The council, a cross-industry payment card group responsible for the ubiquitous PCI DSS standard, said the launch recognizes the different security requirements for regular versus mobile payments.    Its new standard, Mobile Payments

Cybersecurity has become a public good with the industry tasked with maintaining society’s trust in digital technologies, according to the UK’s National Cyber Security Centre (NCSC) founding CEO. Speaking during the (ISC)2 Secure UK & Europe event, the former NCSC CEO Ciaran Martin highlighted the societal impact of the recent ransomware attack on Australian healthcare

Over half (56%) of Black Friday spam emails received between October 26 and November 6 2022 were scams, according to research from Bitdefender. The firm’s antispam researchers analyzed all unsolicited Black Friday-related emails delivered to its customers over the period, with the vast majority (68%) sent on the final three days (November 4, 5 and

Hundreds of Amazon relational database service (RDS) instances have been found exposed monthly, with extensive leakage of personally identifiable information (PII). The discovery has been made by security researchers at Mitiga, who published a post about the findings on Wednesday. The Platform-as-a-Service (PaaS) tool, first released by Amazon in 2009, provides a database platform based on

Several IT professionals worry that cybersecurity-specific funding might be at risk, suggests new data by JumpCloud. According to the company’s Q4 2022 IT Trends for Small and Medium-Sized Enterprises (SMEs) report, 44% of those surveyed agree their organization will cut spending on cybersecurity in the next year. Published earlier today, the research document also mentions

Swiss authorities have apprehended a Ukrainian national wanted by the Federal Bureau of Investigation (FBI) for 12 years for connections with a cyber-criminal group that stole millions of dollars from bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov was arrested in Geneva on October 23, 2022, and is now pending extradition to the US,

by Paul Ducklin THREE BILLION DOLLARS IN A POPCORN TIN? Radio waves so mysterious they’re known only as X-Rays. Were there six 0-days or only four? The cops who found $3 billion in a popcorn tin. Blue badge confusion. When URL scanning goes wrong. Tracking down every last unpatched file. Why even unlikely exploits can

by Paul Ducklin A bug bounty hunter called David Schütz has just published a detailed report describing how he crossed swords with Google for several months over what he considered a dangerous Android security hole. According to Schütz, he stumbled on a total Android lockscreen bypass bug entirely by accident in June 2022, under real-life

by Naked Security writer He was sentenced under his real-life name of Ramon, but in back in his boastful days of pretending to be a seriously successful real estate agent based in Dubai, you may have seen and heard of him as Ray, or, to give him his full nickname, Ray Hushpuppi. To be clear,

by Paul Ducklin Researchers at cloud coding security company Oxeye have written up a critical bug that they recently discovered in the popular cloud development toolkit Backstage. Their report includes an explanation of how the bug works, plus proof-of-concept (PoC) code showing how to exploit it. Backstage is what’s known as a cloud developer portal

by Paul Ducklin Firefox’s latest once-every-four-weeks security update is out, bringing the popular alternative browser to version 107.0, or Extended Support Release (ESR) 102.5 if you prefer not to get new feature releases every month. (As we’ve explained before, the ESR version number tells you which feature set you have, plus the number of times

by Paul Ducklin Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet… …including, of course, right here on Naked Security! As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter

by Paul Ducklin DON’T LET ONE LOUSY EMAIL PASSWORD SINK THE COMPANY Microsoft’s tilt at the MP3 marketplace. Apple’s not-a-zero-day emergency. Cracking the lock on Android phones. Browser-in-the-Browser revisited. The Emmenthal cheese attack. Business Email Compromise and how to prevent it. Click-and-drag on the soundwaves below to skip to any point. You can also listen