After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers. In early attacks observed by Microsoft, attackers were able to exploit a series of vulnerabilities to access on-premises Exchange…

On April 7, at the Pwn2Own 2021 hacking competition, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for a remote code execution exploit that works against web browsers that are based on Google’s open source Chromium project. The researchers demonstrated the exploit against both Chrome and Microsoft Edge. Visiting a specially crafted website…

Wyatt Travnichek, 22, was charged last month with remotely accessing the Post Rock Rural Water District’s systems in March 2019, about two months after he quit his job with the utility. He’s accused of shutting down the facility’s cleaning and disinfecting procedures. When he worked for the utility, he would monitor the water plant remotely…

The bug, specifically a memory corruption issue, was found to impact QNAP NAS devices running Surveillance Station versions 5.1.5.4.2 and 5.1.5.3.2, and was addressed in February this year. Tracked as CVE-2020-2501, this security hole is a stack-based buffer overflow that could be abused by remote attackers to execute code on an affected system, without authentication….

Over the course of three days, participants made 23 attempts, targeting Safari, Chrome, Edge, Windows 10, Ubuntu, Microsoft Teams, Zoom, Parallels, Oracle VirtualBox, and Microsoft Exchange. Oracle VirtualBox was only targeted by one team and their attempt failed. The other products were all hacked by at least one team. Results from Pwn2Own 2021The highest rewards…

Developed by Greyware Automation Products, Inc., Domain Time II is a time synchronization software designed to help enterprises ensure accurate time across their networks. The suite of tools provides testing, administration, and auditing capabilities. Domain Time II consists of client and server programs, and both use the same executable to check for updates, namely dttray.exe….

The competition’s organizer, Trend Micro’s Zero Day Initiative (ZDI), said there were seven attempts on the first day and five of them were successful. A team called Devcore earned $200,000 for taking complete control of a Microsoft Exchange server by chaining authentication bypass and local privilege escalation vulnerabilities. A researcher who uses the online moniker…