Vulnerability: Page 14
Fear, panic and Log4j: One year later
Fears of catastrophic cyberattacks have thus far failed to materialize. But federal authorities stress threat actors are playing the long game.
By David Jones • Dec. 9, 2022
Internet Explorer is still a viable zero-day attack vector
North Korea-linked threat actors are using a technique that has been widely used to exploit Internet Explorer via Office files since 2017, Google found.
By Matt Kapko • Dec. 7, 2022
Three-quarters of retail, hospitality applications have security flaws
Nearly 1 in 5 vulnerabilities in the retail and hospitality industry are considered high severity, Veracode found, creating considerable risks to the organization.
By David Jones • Nov. 22, 2022
Iran-linked threat actors exploiting Log4Shell via unpatched VMware, feds warn
The actors compromised a federal civilian agency, CISA and the FBI said. Authorities warned VMware users to assume breach and hunt for threats if they skipped patches or workarounds.
By David Jones • Nov. 16, 2022
High risk, critical vulnerabilities found in 25% of all software applications and systems
Research from Synopsys showed weak SSL/TLS configurations were the most prevalent form of vulnerability.
By David Jones • Nov. 15, 2022
CISA wants to change how organizations prioritize vulnerabilities
Federal authorities want to take the guesswork and manual decision-making processes out of the messy world of vulnerabilities.
By Matt Kapko • Nov. 14, 2022
CISA warns unpatched Zimbra users to assume breach
Months after warnings to patch the Zimbra Collaboration Suite, government and private sector organizations are under attack from multiple threat actors.
By David Jones • Nov. 11, 2022
Citrix CVEs need urgent security updates, CISA says
Though there's no active exploitation yet, Tenable researchers warn they expect threat actors to target the Citrix systems in the near term.
By David Jones • Nov. 10, 2022
Microsoft finally releases security updates for ProxyNotShell zero days
The company linked a limited set of recent Exchange Server attacks to state-backed threat actors.
By David Jones • Nov. 8, 2022
OpenSSL releases patch for 2 high-severity vulnerabilities after prior warning
The organization pulled back on earlier warnings of a critical vulnerability, but still urged organizations to apply the upgrades.
By David Jones • Nov. 1, 2022
Critical OpenSSL vulnerability causes security industry to hold its breath
Researchers warn the vulnerability could be the most serious in the industry since 2014's Heartbleed.
By David Jones • Nov. 1, 2022
GitHub vulnerability raises risk of open source supply chain attack
Researchers from Checkmarx said a flaw in the namespace retirement mechanism put thousands of packages at risk of being hijacked by outside threat actors.
By David Jones • Oct. 27, 2022
White House plans IoT security labeling program for spring 2023
Major connected device manufacturers, retailers and industry groups back efforts to boost cyber awareness.
By David Jones • Oct. 21, 2022
Apache urges users to upgrade Commons Text version to block ‘Text4Shell’ vulnerability
Any connection to Log4j is misapplied, researchers said, because Log4j is a much more widely used Java library.
By David Jones • Oct. 19, 2022
Critical vulnerability surfaces in Apache Commons Text library
Researchers warn an attacker can achieve remote code execution, but the vulnerability is not seen as potentially as dangerous as Log4j.
By David Jones • Oct. 17, 2022
Fortinet attacks escalate as company warns large swath of customers to upgrade
The number of unique IPs using the exploit has gone from single digits when the vulnerability was originally announced to about 200.
By David Jones • Oct. 17, 2022
CISA adds Fortinet CVE to vulnerability catalog after attacks escalate
A critical authentication bypass vulnerability in the company’s firewall and web proxy software allowed unauthenticated attackers to gain access.
By David Jones • Oct. 12, 2022
Microsoft struggles to mitigate Exchange Server CVEs as it races to complete patch
Security researchers have repeatedly called out the company on interim measures that were quickly bypassed.
By David Jones • Oct. 6, 2022
Microsoft updates guidance to prevent future Exchange server attacks
The company had to revise some of its guidance involving the URL Rewrite rule, while organizations continue to wait for a patch.
By David Jones • Oct. 5, 2022
CISA orders federal IT overhaul with automated asset inventory, software scanning
Civilian agencies will be required to check for vulnerabilities in a push to gain better visibility into IT networks.
By David Jones • Oct. 4, 2022
Microsoft warns of potential escalation for Exchange server zero days
The actor, which Microsoft says is state sponsored, installed Chopper web shells to gain hands-on-keyboard access, conduct Active Directory reconnaissance and exfiltrate data.
By David Jones • Oct. 3, 2022
Microsoft investigating 2 zero-day vulnerabilities in Exchange Server
One vulnerability is a server-side request forgery, while the second allows remote code execution when an attacker has access to PowerShell.
By David Jones • Sept. 30, 2022
Strict security rules could push open source community out of federal work, expert says
Agency CISOs and development experts say federal agencies need to work collaboratively with open source community contributors.
By David Jones • Sept. 27, 2022
Organizations rapidly shift tactics to secure the software supply chain
Synopsys’ 13th annual BSIMM study shows rapid increases in automation and use of SBOMs among software producers and other organizations.
By David Jones • Sept. 22, 2022
White House guidance on third-party software seen as a major test of cyber risk strategy
The U.S. hopes that by forcing software producers to meet a set of minimum security standards for federal use, a new baseline strategy will be adopted industrywide.
By David Jones • Sept. 19, 2022