Apache Foundation Calls Out Open-Source Leechers
“[The] community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance,” the ASF said in a position paper published ahead of a high-level White House meeting on open-source software security. “Only a tiny percentage of downstream companies (reusing the…
VMware Plugs Security Holes in Workstation, Fusion and ESXi
Tracked as CVE-2021-22045 (CVSS score of 7.7), the security vulnerability exists in the CD-ROM device emulation function of Workstation, Fusion and ESXi. In an advisory, VMWare said the security defect could be exploited by attackers with access to a virtual machine that has CD-ROM device emulation enabled. An attacker capable of combining the security error…
New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking
Schneider announced the availability of patches on December 14, when it urged customers to immediately apply patches or mitigations. The flaws have been found to impact EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) devices, as well as some products that have reached end of life. The vendor has…
When Threat Research Goes Wrong: Spectacular Screwups and What to Learn from Them
Threat researchers on the cutting edge of cybersecurity have a certain kind of drive — almost a relentless need — to get into the attacker’s mind, solve the “unsolvable” challenge and expose emerging attack techniques. So, it’s not every day these elite researchers come together to share the secrets to their success, and it’s even…
VMware Patches Vulnerabilities in Workspace ONE Access
Two new vulnerabilities were fixed, the most severe of which is CVE-2021-22057 (CVSS score of 6.6), an authentication bypass that affects VMware Verify two factor authentication. By exploiting the vulnerability, a malicious actor who has gained knowledge of the first-factor authentication, may provide it to obtain second-factor authentication from VMware Verify, VMware says. Tracked as…
Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware
Citizen Lab teamed up with the threat-intel team at Facebook parent company Meta to expose Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry. In a detailed technical report published late Thursday, Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on…
Trend Micro Spots Chinese Hackers Targeting Transportation Sector
Also known as Earth Centaur and KeyBoy, the advanced persistent threat (APT) has been around since 2011, conducting espionage campaigns against organizations in government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan. As part of the attacks conducted over the past year and a half, Trend Micro warned that the group…
Corellium Lands $25 Million Investment for Virtualization Tech
Corellium, a Florida-based company with its roots in the iPhone jailbreaking community, said the $25 million Series A also included investments from Cisco investments and other strategic investors. Corellium LogoThe money comes exactly a year after a federal judge dismissed Apple’s copyright lawsuit against Corellium and the two sides reached a settlement on another matter…
Facebook Will Reward Researchers for Reporting Scraping Bugs
As part of its bug bounty program, the company will pay monetary rewards to security researchers who discover flaws that allow attackers to bypass existing scraping limitations and gain access to data at scale. Scrapers – including malicious apps, scripts, and websites – constantly adapt to evade detection, and Facebook says it is seeking ways…
Microsoft Patches 67 Security Flaws, Including Zero-Day Exploited by Emotet
In the final Patch Tuesday release for 2021, the Redmond, Wash. software giant called special attention to CVE-2021-43890, a spoofing vulnerability in the Microsoft Windows AppX installer and warned that the bug is being exploited in the wild by the Emotet malware operation. “Microsoft is aware of attacks that attempt to exploit this vulnerability by…
