Education sector more prepared for cyberattacks than most

An analysis from Immersive Labs shows K-12 and higher ed are more willing to comply with ransomware demands.

By Kara Arundel • March 11, 2022

The threat from within: How to address the employee element in password security

There are numerous sides to the password problem, but here are a few common issues to know.

March 7, 2022

Medtech, hospitals on alert for cyberattacks after Russia's invasion of Ukraine

The Russia-Ukraine conflict has raised the cyberthreat level for medtech and hospitals, putting patient safety at risk.

By Greg Slabodkin • March 2, 2022

Critical SAP CVEs leave broad exposure, fixes require downtime

Thousands of systems remain vulnerable, including applications not connected to the public internet. 

By David Jones • Feb. 17, 2022

Cybersecurity outlook for 2022

Nation-state cyberthreats and Log4j have the security community on high alert; organizations need to master response and remediation.  

By Naomi Eide • Feb. 14, 2022

Log4j highlights ongoing cyber risk from free, open source software: Moody's

Limited investment and slow remediation response continues to challenge open source software.

By David Jones • Feb. 11, 2022

Critical SAP vulnerabilities spur CISA, researcher pleas for urgent patching

Onapsis security researchers warn attackers could take full control of systems to steal data, disrupt critical business functions and launch ransomware.

By David Jones • Feb. 10, 2022

Apache tells US Senate committee the Log4j vulnerability could take years to resolve

While a software bill of materials could improve supply chain security, users still download vulnerable versions of software. 

By David Jones • Feb. 9, 2022

NIST targets software supply chain with guidance on security standards

Guidelines call for developers to attest they use secure software practices.

By David Jones • Feb. 7, 2022

In 2022, you can no longer afford to ignore credential security

Credentials are among the most sought-after targets by hackers due to the low risk and high rewards.

Jan. 31, 2022

Blackberry links initial access broker activity to Log4Shell exploit in VMware Horizon

The threat actor primarily installed cryptomining software onto affected systems. In some cases, however, it deployed Cobalt Strike beacons, Blackberry found.

By David Jones • Jan. 26, 2022

Log4j raises cyber risk for public finance entities, Fitch warns

Local agencies and critical sites face increased operational and financial risk as the vulnerability opens organizations to ransomware or other malicious activity. 

By David Jones • Jan. 19, 2022

Extracting portions of open source in software development threatens app security

While companies employ safeguards to detect flaws in applications, the likelihood of organizations running a complete database of all the places a vulnerability lives is slim.

By Samantha Schwartz • Jan. 19, 2022

Cobalt Strike targets VMware Horizon after UK warnings of Log4Shell threats

Researchers say the threat emulation tool may endanger thousands of vulnerable servers.

By David Jones • Jan. 18, 2022

Big tech pushes White House for open source funding, standards after Log4j

Technology officials are calling on cross-sector collaboration to prevent a recurrence of a Log4j-style security crisis. 

By David Jones • Jan. 14, 2022

Microsoft pushes patch for wormable HTTP vulnerability, exploitation undetected so far

An attacker does not need to interact with a user or have privileged access to infect a system. 

By Samantha Schwartz • Jan. 13, 2022

Log4j threat activity limited, but CISA says actors lay in wait

Microsoft is warning about new activity from a threat actor exploiting the vulnerability in VMware Horizon to deploy ransomware.

By David Jones • Jan. 11, 2022

Log4Shell threat activity targeting VMware Horizon, UK researchers warn

NHS Digital warned unknown threat actors are targeting the servers in order to create web shells and enable future data theft, ransomware or other attacks.

By David Jones • Jan. 10, 2022

FTC threatens enforcement on firms lax about Log4j vulnerability

The FTC warning underscores a commitment by federal regulators to ensure a more secure environment for enterprise and consumer software, according to legal experts and industry analysts. 

By David Jones • Jan. 5, 2022

Log4j activity expected to play out well into 2022

As industry returns from the holiday break, organizations are assessing potential security threats from Log4j, ranging from coin miners to hands-on-keyboard attacks.

By David Jones • Jan. 4, 2022

US allies call for Log4j vigilance as organizations struggle to detect vulnerabilities

The Five Eyes partners are warning about bad actors taking advantage of the holiday break to launch attacks.

By David Jones • Dec. 23, 2021

Organizations still downloading vulnerable Log4j versions

Log4j vulnerabilities impacted more than 17,000 Java packages, representing about 4% of the ecosystem, researchers found.

By David Jones • Dec. 22, 2021

Exploits underway for Zoho ManageEngine zero day, compromising enterprises, MSPs

CISA added the latest ManageEngine vulnerability to its exploit catalog and required government agencies to issue a patch by Dec. 24. 

By Samantha Schwartz • Dec. 21, 2021

Federal authorities brace for long holiday as Log4j threat activity rises

CISA warned civilian agencies to immediately patch systems before Christmas break as researchers see an increase in malicious activity targeting organizations worldwide.

By David Jones • Dec. 20, 2021

Log4j and the problem with trusting open source

Open source isn't the issue — companies need mechanisms to ensure the integrity of the software and code they adopt.

By Samantha Schwartz • Dec. 20, 2021