GitLab fixed a high-severity XSS vulnerability, tracked as CVE-2024-4835, that allows attackers to take over user accounts. An attacker can exploit this issue by using a specially crafted page to exfiltrate sensitive user information. The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. The flaw was addressed with the release…

Security researchers at Tenable have discovered a potentially critical memory corruption vulnerability in Fluent Bit, a core component in the monitoring infrastructure of many cloud services. The vulnerability, dubbed Linguistic Lumberjack and tracked as CVE-2024-4323, stems from coding flaws within Fluent Bit’s built-in HTTP server. Left unresolved the vulnerability could lead to denial of service,…

Microsoft released its monthly batch of security fixes on Tuesday, which included patches for three vulnerabilities that already had exploits available. Two of those vulnerabilities are being actively exploited, with one being used by multiple groups to deliver malware, including the QakBot trojan. Microsoft’s updates addressed 61 vulnerabilities across its products, but only one was…

Microsoft issued a patch Tuesday for a Windows zero-day vulnerability that security researchers say operators of the QakBot botnet and other hackers actively exploited. U.S. authorities in August dismantled the botnet, also known as Qbot, and told reporters that it “ceased to operate” as a result of an antimalware campaign dubbed Operation Duck Hunt. Malware…

In summary, Trend Micro has found only one criminal LLM: WormGPT. Instead, there is a growing incidence, and therefore potential use, of jailbreaking services: EscapeGPT, BlackHatGPT, and LoopGPT. (The RSA presentation is supported by a separate Trend Micro blog.) There is also an increasing number of ‘services’ whose purpose is unclear. These provide no demo…

The case is yet another reason why everyone — not just politicians and celebrities — should be concerned about this increasingly powerful deep-fake technology, experts say. “Everybody is vulnerable to attack, and anyone can do the attacking,” said Hany Farid, a professor at the University of California, Berkeley, who focuses on digital forensics and misinformation….

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributing it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). “UAT4356 deployed…

Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company’s Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single…

The holy month of Ramadan is a period where Middle East-based companies step up cybersecurity with extra vigilance and outsourced support amid shortened working hours and increased e-commerce activity. The ninth month of the Muslim calendar is observed around the world as followers take the time to reflect and practice fasting, and cybersecurity teams often…