Nearly half of organizations regularly and knowingly ship vulnerable code despite using AppSec tools, according to Veracode. Among the top reasons cited for pushing vulnerable code were pressure to meet release deadlines (54%) and finding vulnerabilities too late in the software development lifecycle (45%). Respondents said that a lack of developer knowledge to mitigate issues and a lack of integration between AppSec tools were two of the top challenges they face in implementing DevSecOps. However, nearly …
30% of businesses globally have seen an increase in attacks on their IT systems as a result of the pandemic, HackerOne reveals. This is according to C-level IT and security executives at global businesses, 64% of whom believe their organization is more likely to experience a data breach due to COVID-19.
Remote working and expanding attack surfaces
“The COVID-19 crisis has shifted life online,” says Marten Mickos, CEO of HackerOne. “As companies rush to meet …
Fraudsters launched a new phishing attack in which they sent out a fake cPanel advisory warning recipients about fabricated security vulnerabilities. On August 5, cPanel and WebHost Manager (WHM) users began reporting that they had received a fake advisory that appeared to originate from the company. The fake advisory informed recipients that cPanel had released […]
A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with SYSTEM-level privileges on the target Windows host.
About ManageEngine ADSelfService Plus
ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology. “ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows …
In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar of SafeBreach Labs. A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this bypass a new identifier, CVE-2020-1337, and will patch it on the August 2020 Patch Tuesday. The researchers have also discovered a DoS flaw affecting …
Let’s pause for a second and think about the astonishingly smart palm-sized device that is our phone. A decade or two ago it would have been impossible to imagine all the things a modern smartphone can do. A day without our smartphone is almost unimaginable. From remembering…
In the past several years, a flood of vulnerabilities has hit industrial
control systems (ICS) – the technological backbone of electric
grids, water supplies, and production lines. These vulnerabilities
affect the reliable operation of sensors, programmable controllers,
software and networking equipment used to automate and monitor the
physical processes that keep our modern world running.
FireEye’s acquisition of iSIGHT provided tremendous visibility into
the depth and breadth of vulnerabilities in the ICS landscape and how
threat actors try to exploit them. To make matters worse, many of
these vulnerabilities are left unpatched, and some are simply
unpatchable because the underlying technology is obsolete, which
widens the attack surface available to adversaries. In fact, nation-state
cyber threat actors have exploited five of these vulnerabilities in attacks since 2009.
Unfortunately, security personnel from manufacturing, energy, water
and other industries are often unaware of their own control system
assets, not to mention the vulnerabilities that affect them. As a
result, organizations operating these systems are missing the warnings
and leaving their industrial environments exposed to potential threats.