Latest News

2021/02/08

Google Chrome Zero-Day Afflicts Windows, Mac Users

Google warns of a zero-day vulnerability in the V8 open-source engine that’s being actively exploited by attackers.

Google is warning of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers.

A patch has been issued in version 88 of Google’s Chrome browser — specifically, version 88.0.4324.150 for Windows, Mac and Linux. This update will roll out over the coming days and weeks, said Google. The flaw (CVE-2021-21148) stems from a heap-buffer overflow, said Google.
2021/01/27

Apple says iOS 14.4 fixes three security bugs ‘actively exploited’ by hackers

Apple has released iOS 14.4 with security fixes for three vulnerabilities, said to be under active attack by hackers.

The technology giant said in its security update pages for iOS and iPadOS 14.4 that the three bugs affecting iPhones and iPads “may have been actively exploited.” Details of the vulnerabilities are scarce, and an Apple spokesperson declined to comment beyond what’s in the advisory.

It’s not known who is actively exploiting the vulnerabilities, or who might have fallen victim. Apple did not say if the attack was targeted against a small subset of users or if it was a wider attack. Apple granted anonymity to the individual who submitted the bug, the advisory said.
2021/01/27

Cisco DNA Center Bug Opens Enterprises to Remote Attack

A cross-site request forgery (CSRF) vulnerability in the Cisco Digital Network Architecture (DNA) Center could open enterprise users to remote attack and takeover.

The flaw, tracked as CVE-2021-1257, exists in the web-based management interface of the Cisco DNA Center, which is a centralized network-management and orchestration platform for Cisco DNA. It carries a CVSS vulnerability-severity score of 7.1, making it high-severity.

Cisco DNA is the networking giant’s software-defined approach for aligning campus, branch, WAN and remote-worker elements of enterprise networks. The DNA Center allows admins to provision and configure all network devices, and it uses artificial intelligence (AI) and machine learning (ML) to proactively monitor, troubleshoot and optimize networks. It also integrates with third-party systems. In short, the DNA Center allows deep reach and visibility into an organization’s network, all from one point of entry.
2021/01/08

New Year, New Ransomware: Babuk Locker Targets Large Corporations

Despite being a mostly run-of-the-mill ransomware strain, Babuk Locker’s encryption mechanisms and abuse of Windows Restart Manager sets it apart.

Only a few days into the new year, one of the first new ransomware strains of 2021 has been discovered. Dubbed Babuk Locker, the ransomware appears to have successfully compromised five companies thus far, according to new research.

The research author, Chuong Dong, a computer science student at Georgia Tech, said that he first saw the ransomware mentioned in a tweet by a security researcher who goes by “Arkbird” on Twitter. He then discovered information about Babuk on RaidForums, which is a forum for sharing databases of breaches and leaks.
2021/01/05

Researcher Breaks reCAPTCHA With Google’s Speech-to-Text API

An old attack method dating back to 2017 that uses voice-to-text to bypass CAPTCHA protections turns out to still work on Google’s latest reCAPTCHA v3.

That’s according to researcher Nikolai Tschacher, who posted a video proof-of-concept (PoC) of the attack on Jan. 2.

CAPTCHA, introduced in 2014, is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart. ReCaptcha is Google’s name for its own technology and free service that uses image, audio or text challenges to verify that a human is signing into an account. It’s a bit of code available free of charge from Google for accounts that handle less than 1 million queries a month. Google recently started charging for larger reCAPTCHA accounts.