Latest News

2020/06/22

Netgear Zero-Day Allows Full Takeover of Dozens of Router Models

Researchers have discovered an unpatched, zero-day vulnerability in firmware for Netgear routers that put 79 device models at risk for full takeover, they said.

The flaw, a memory-safety issue present in the firmware’s httpd web server, allows attackers to bypass authentication on affected installations of Netgear routers, according to two separate reports: One on the Zero Day Initiative (ZDI) by a researcher called “d4rkn3ss” from the Vietnam Posts and Telecommunications Group; and a separate blog post by Adam Nichols of cybersecurity firm Grimm.
2020/06/15

Spies Can Listen to Your Conversations by Watching a Light Bulb in the Room

A team of cybersecurity researchers has developed and demonstrated a novel side-channel attacking technique that can be applied by eavesdroppers to recover full sound from a victim's room that contains an overhead hanging bulb.
The findings were published in a new paper by a team of academics—Ben Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici and Boris Zadov—from the Israeli's Ben-Gurion University of the Negev and the Weizmann Institute of Science, which will also be presented at the Black Hat USA 2020 conference later this August.
2020/06/11

Critical Intel Flaws Fixed in Active Management Technology

Intel has released its June security updates, which address two critical vulnerabilities that, if exploited, can give unauthenticated attackers elevated privileges.

The critical flaws exist in Intel’s Active Management Technology (AMT), which is used for remote out-of-band management of personal computers.

The two critical flaws (CVE-2020-0594 and CVE-2020-0595) exist in the IPv6 subsystem of AMT (and Intel’s Standard Manageability solution, which has a similar function as AMT). The flaws could potentially enable an unauthenticated user to gain elevated privileges via network access. AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 are affected.
2020/06/11

Snake Ransomware Delivers Double-Strike on Honda, Energy Co.

The Snake ransomware has reportedly hit two high-profile companies this week: Honda and a South American energy-distribution company called Enel Argentina.

In a tweet on Monday, the Honda Automobile Customer Service said it was “experiencing technical difficulties and are unavailable.” And later, the Japanese auto giant told the BBC that “Honda can confirm that a cyberattack has taken place on the Honda network.”

Meanwhile, a Honda spokesperson told Forbes, “Honda has experienced a cyberattack that has affected production operations at some U.S. plants. However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”
2020/06/10

Adobe Warns of Critical Flaws in Flash Player, Framemaker

Adobe released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. The bugs, if exploited, could enable arbitrary code-execution.

In Tuesday’s June Adobe security updates, critical flaws tied to three CVEs were patched in Adobe Framemaker, which is Adobe’s application designed for writing and editing large or complex documents.

The flaws include two critical out-of-bounds write flaws (CVE-2020-9634, CVE-2020-9635), which stem from write operations that then produce undefined or unexpected results. Francis Provencher working with Trend Micro’s Zero Day Initiative (ZDI) was credited with finding these arbitrary code-execution flaws