Critical OpenSSL vulnerability causes security industry to hold its breath

Researchers warn the vulnerability could be the most serious in the industry since 2014's Heartbleed. 

By David Jones • Nov. 1, 2022

GitHub vulnerability raises risk of open source supply chain attack

Researchers from Checkmarx said a flaw in the namespace retirement mechanism put thousands of packages at risk of being hijacked by outside threat actors.

By David Jones • Oct. 27, 2022

White House plans IoT security labeling program for spring 2023

Major connected device manufacturers, retailers and industry groups back efforts to boost cyber awareness.

By David Jones • Oct. 21, 2022

Apache urges users to upgrade Common Text version to block ‘Text4Shell’ vulnerability

Any connection to Log4j is misapplied, researchers said, because Log4j is a much more widely used Java library. 

By David Jones • Oct. 19, 2022

Critical vulnerability surfaces in Apache Commons Text library

Researchers warn an attacker can achieve remote code execution, but the vulnerability is not seen as potentially dangerous as Log4j.

By David Jones • Oct. 17, 2022

Fortinet attacks escalate as company warns large swath of customers to upgrade

The number of unique IPs using the exploit has gone from single digits when the vulnerability was originally announced to about 200. 

By David Jones • Oct. 17, 2022

CISA adds Fortinet CVE to vulnerability catalog after attacks escalate

A critical authentication bypass vulnerability in the company’s firewall and web proxy software allowed unauthenticated attackers to gain access.

By David Jones • Oct. 12, 2022

Microsoft struggles to mitigate Exchange Server CVEs as it races to complete patch

Security researchers have repeatedly called out the company on interim measures that were quickly bypassed.

By David Jones • Oct. 6, 2022

Microsoft updates guidance to prevent future Exchange server attacks

The company had to revise some of its guidance involving the URL Rewrite rule, while organizations continue to wait for a patch.

By David Jones • Oct. 5, 2022

CISA orders federal IT overhaul with automated asset inventory, software scanning

Civilian agencies will be required to check for vulnerabilities in a push to gain better visibility into IT networks.

By David Jones • Oct. 4, 2022

Microsoft warns of potential escalation for Exchange server zero days

The actor, which Microsoft says is state sponsored, installed Chopper web shells to gain hands-on-keyboard access, conduct Active Directory reconnaissance and exfiltrate data. 

By David Jones • Oct. 3, 2022

Microsoft investigating 2 zero-day vulnerabilities in Exchange Server

One vulnerability is a server-side request forgery, while the second allows remote-code execution when an attacker has access to PowerShell. 

By David Jones • Sept. 30, 2022

Strict security rules could push open source community out of federal work, expert says

Agency CISOs and development experts say federal agencies need to work collaboratively with open source community contributors.

By David Jones • Sept. 27, 2022

Organizations rapidly shift tactics to secure the software supply chain

Synopsys’ 13th annual BSIMM study shows rapid increases in automation and use of SBOMs among software producers and other organizations.

By David Jones • Sept. 22, 2022

White House guidance on third-party software seen as a major test of cyber risk strategy

The U.S. hopes that by forcing software producers to meet a set of minimum security standards for federal use, a new baseline strategy will be adopted industrywide. 

By David Jones • Sept. 19, 2022

Researchers warn older D-Link routers are under threat from Mirai malware variant

Attackers are leveraging vulnerabilities in the devices to build botnets and launch DDoS attacks, according to Palo Alto Networks research.

By David Jones • Sept. 8, 2022

CISA Director: Tech industry should infuse security at product design stage

Agency director Jen Easterly outlined a push for faster incident reporting and closer industry collaboration.

By David Jones • Sept. 7, 2022

Feds push for developers to take lead in securing software supply chain

The guidelines from CISA and the NSA come amid a growing movement to “shift left” and evaluate software security earlier in the development cycle. 

By David Jones • Sept. 2, 2022

SaaS sprawl amps up security challenges amid heightened risk

Two-thirds of businesses say they're spending more on SaaS applications year over year, Axonius data shows.

By Roberto Torres • Sept. 1, 2022

Growing cyber risks add to hospital cost squeeze, Fitch cautions

Cyber risk mitigation is becoming more expensive, but with hospitals' cost pressures mounting, spending on security may not be a priority, the ratings agency said.

By Susan Kelly • Aug. 31, 2022

Slack enhances platform security amid rapid expansion and heightened risk

The enterprise messaging platform has faced increased customer concerns about security and privacy.

By David Jones • Aug. 31, 2022

Google tackles open source security with vulnerability rewards program

The program follows a surge in supply chain attacks impacting the open source software ecosystem.

By David Jones • Aug. 30, 2022

How does Privileged Access Management work?

The model is a framework to help you set the right PAM foundation and get your organization on the PAM journey, now and in the future.

Aug. 29, 2022

Researchers say Cisco firewall software remains vulnerable to attack despite patch

Rapid7 researchers also warn only a very small percentage of users have applied updates.

By David Jones • Aug. 26, 2022

Threat actors again target critical SAP ICMAD vulnerabilities

CISA added the most critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog last week.

By David Jones • Aug. 23, 2022