#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Google | Breaking Cybersecurity News | The Hacker News

Google Releases Android Update to Patch Actively Exploited Vulnerability

Google Releases Android Update to Patch Actively Exploited Vulnerability

May 06, 2022
Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year. Tracked as  CVE-2021-22600  (CVSS score: 7.8), the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service. The issue relates to a  double-free vulnerability  residing in the  Packet  network protocol implementation in the Linux kernel that could cause memory corruption, potentially leading to denial-of-service or execution of arbitrary code. Patches were released by different Linux distributions, including  Debian ,  Red Hat ,  SUSE , and  Ubuntu  in December 2021 and January 2022. "There are indications that CVE-2021-22600 may be under limited, targeted exploitation," Google  noted  in its Android Security Bulletin for May 2022. Specifics about the nature of the attacks are
Google to Add Passwordless Authentication Support to Android and Chrome

Google to Add Passwordless Authentication Support to Android and Chrome

May 05, 2022
Google today announced  plans  to implement support for passwordless logins in Android and the Chrome web browser to allow users to seamlessly and securely sign in across different devices and websites irrespective of the platform. "This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password," Google  said . Apple and Microsoft are also expected to extend the support to iOS, macOS, and Windows operating systems as well as Safari and Edge browsers. The common Fast IDentity Online ( FIDO ) sign-in system does away with passwords entirely in favor of displaying a prompt asking a user to unlock the phone when signing into a website or an application. This is made possible by storing a cryptographically-secured FIDO credential called a passkey on the phone that's used to log in to the online account after unlocking the device. "Once you've done this, you won't need your phone again a
How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024SaaS Security / Endpoint Security
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the  SaaS supply chain  snowball quickly. That's why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorte
Google Releases First Developer Preview of Privacy Sandbox on Android 13

Google Releases First Developer Preview of Privacy Sandbox on Android 13

May 02, 2022
Google has officially  released  the first developer preview for the Privacy Sandbox on Android 13, offering an "early look" at the SDK Runtime and Topics API to boost users' privacy online. "The Privacy Sandbox on Android Developer Preview program will run over the course of 2022, with a beta release planned by the end of the year," the search giant  said  in an overview. A "multi-year effort,"  Privacy Sandbox  on Android aims to create technologies that's both privacy-preserving as well as keep online content and services free without having to resort to opaque methods of digital advertising. The idea is to limit sharing of user data with third-parties and operate without cross-app identifiers, including advertising ID, a unique, user-resettable string of letters and digits that can be used to track users as they move between apps. Google originally  announced  its plans to bring Privacy Sandbox to Android earlier this February, following
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Here's a New Tool That Scans Open-Source Repositories for Malicious Packages

Here's a New Tool That Scans Open-Source Repositories for Malicious Packages

May 02, 2022
The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the  Package Analysis  project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software. "The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?," the OpenSSF  said . "The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously," the foundation's Caleb Brown and David A. Wheeler added. In a test run that lasted a month, the tool ide
Google's New Safety Section Shows What Data Android Apps Collect About Users

Google's New Safety Section Shows What Data Android Apps Collect About Users

Apr 27, 2022
Google on Tuesday officially began rolling out a new "Data safety" section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties. "Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties," Suzanne Frey, Vice President of product for Android security and privacy,  said . "In addition, users want to understand how app developers are securing user data after an app is downloaded." The transparency measure, which is built along the lines of Apple's " Privacy Nutrition Labels ," was  first announced  by Google nearly a year ago in May 2021. The Data safety section, which will show up against every app listing on the digital storefront, presents a unified view of what data is being collected, for what purpose it's being used, and how it's handled, while also highlighting what data is being shared with thi
Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

Apr 21, 2022
Three security vulnerabilities have been disclosed in the audio decoders of Qualcomm and MediaTek chips that, if left unresolved, could allow an adversary to remotely gain access to media and audio conversations from affected mobile devices. According to Israeli cybersecurity company Check Point , the issues could be used as a launchpad to carry out remote code execution (RCE) attacks simply by sending a specially crafted audio file. "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera," the researchers said in a report shared with The Hacker News. "In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." The vulnerabilities, dubbed ALHACK, are rooted in an audio coding format originally developed and open-sourced by Apple i
Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021

Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021

Apr 20, 2022
Google Project Zero called 2021 a "record year for in-the-wild 0-days," as  58 security vulnerabilities  were detected and disclosed during the course of the year. The development marks more than a two-fold jump from the previous maximum when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher  Maddie Stone   said . "Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces," Stone added. The tech giant's in-house security team characterized the exploits as similar to previous and publicly known vulnerabilities, with only two of them markedly different for the technical sophistication and use of logic bugs to escape the sandbox. B
Google Releases Urgent Chrome Update to Patch Actively Exploited Zero-Day Flaw

Google Releases Urgent Chrome Update to Patch Actively Exploited Zero-Day Flaw

Apr 15, 2022
Google on Thursday shipped emergency patches to address two security issues in its Chrome web browser, one of which it says is being actively exploited in the wild. Tracked as  CVE-2022-1364 , the tech giant described the high-severity bug as a case of type confusion in the V8 JavaScript engine. Clément Lecigne of Google's Threat Analysis Group has been credited with reporting the flaw on April 13, 2022. As is typically the case with actively exploited zero-day flaws, the company acknowledged it's "aware that an exploit for CVE-2022-1364 exists in the wild." Additional details about the flaw and the identity of the threat actors have been withheld to prevent further abuse. With the latest fix, Google has patched a total of three zero-day vulnerabilities in Chrome since the start of the year. It's also the second type confusion-related bug in V8 to be squashed in less than a month - CVE-2022-0609  - Use-after-free in Animation CVE-2022-1096  - Type confusio
Google Sues Scammer for Running 'Puppy Fraud Scheme' Website

Google Sues Scammer for Running 'Puppy Fraud Scheme' Website

Apr 12, 2022
Google on Monday disclosed that it's taking legal action against a nefarious actor who has been spotted operating fraudulent websites to defraud unsuspecting people into buying non-existent puppies. "The actor used a network of fraudulent websites that claimed to sell basset hound puppies — with alluring photos and fake customer testimonials — in order to take advantage of people during the pandemic," Google's CyberCrime Investigation Group manager Albert Shin and senior counsel Mike Trinh  said . The fraudulent scheme involved Nche Noel Ntse of Cameroon using a network of rogue websites, Google Voice phone numbers, and Gmail accounts to trick people into paying thousands of dollars online for "adorable puppies" that never arrived. The purported culprit is also alleged to have run a Google Ads campaign to push the fraudulent websites on top of search results pages as part of what Google characterized as "multiple international non-delivery scams.&
Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Mar 26, 2022
Google on Friday shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild. Tracked as  CVE-2022-1096 , the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022. Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that's incompatible to what was originally initialized, could have serious consequences in languages that are not  memory safe  like C and C++, enabling a malicious actor to perform out-of-bounds memory access. "When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution," MITRE's Common Weakness Enum
North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms

North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms

Mar 25, 2022
Google's Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser. The campaigns, once again "reflective of the regime's immediate concerns and priorities," are said to have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks  aimed at security researchers  last year. The shortcoming in question is  CVE-2022-0609 , a use-after-free vulnerability in the browser's Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It's also the first zero-day flaw patched by the tech giant since the start of 2022. "The earliest evidence we have of this exploit kit being actively deploy
Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

Mar 18, 2022
Google's Threat Analysis Group (TAG) took the wraps off a new  initial access broker  that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ( CVE-2021-40444 ) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally. "Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job," TAG researchers Vlad Stolyarov and Benoit Sevens  said . "These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid." Exotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the
Google Buys Cybersecurity Firm Mandiant for $5.4 Billion

Google Buys Cybersecurity Firm Mandiant for $5.4 Billion

Mar 08, 2022
Google is officially buying threat intelligence and incident response company Mandiant in an all-cash deal approximately valued at $5.4 billion, the two technology firms announced Tuesday. Mandiant is expected to be folded into Google Cloud upon the closure of the acquisition, which is slated to happen later this year, adding to the latter's growing portfolio of security offerings such as BeyondCorp Enterprise , VirusTotal , Chronicle , and the Cybersecurity Action Team . "Today, organizations are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative," Google  said  in a statement. "To address these risks, enterprises need to be able to detect and respond to adversaries quickly; analyze and automate threat intelligence to scale threat detection across organizations; orchestrate and automate remediation; validate their protection against known threats; and visualize their IT environment i
Google Bringing Privacy Sandbox to Android to Limit Sharing of User Data

Google Bringing Privacy Sandbox to Android to Limit Sharing of User Data

Feb 17, 2022
Google on Wednesday announced plans to bring its Privacy Sandbox initiatives to Android in a bid to expand its privacy-focused, but also less disruptive, advertising technology beyond the desktop web. To that end, the internet giant said it will work towards building solutions that prevent cross-app tracking à la Apple's App Tracking Transparency ( ATT ) framework, effectively limiting sharing of user data with third-parties as well as eliminating identifiers such as advertising IDs on mobile devices. "The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk," Anthony Chavez, vice president of product management for Android security and privacy,  said . Privacy Sandbox , launched in 2019, is Google's umbrella term for a set of technologies that will phase out third-party cookies and curb covert tracking, like  fingerprinting , by redu
SolarMarker Malware Uses Novel Techniques to Persist on Hacked Systems

SolarMarker Malware Uses Novel Techniques to Persist on Hacked Systems

Feb 01, 2022
In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems. Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021. Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set,  reported in April , took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines. Then in August, the malware was  observed  targeting healthcare and education sectors with the goal of gathering credentials and sensitive information.
Google Drops FLoC and Introduces Topics API to Replace Tracking Cookies for Ads

Google Drops FLoC and Introduces Topics API to Replace Tracking Cookies for Ads

Jan 26, 2022
Google on Tuesday announced that it is abandoning its controversial plans for replacing third-party cookies in favor of a new Privacy Sandbox proposal called  Topics , which categorizes users' browsing habits into approximately 350 topics. The new mechanism , which takes the place of  FLoC  (short for Federated Learning of Cohorts), slots users' browsing history for a given week into a handful of top pre-designated interests (i.e., topics), which are retained only on the device for a revolving period of three weeks. Subsequently, when a user visits a participating site, the Topics API selects three of the interests — one topic from each of the past three weeks — to share with the site and its advertising partners. To give more control over the framework, users can not only see the topics but also remove topics or disable it altogether. By labeling each website with a recognizable, high-level topic and sharing the most frequent topics associated with the browsing history,
Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers

Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers

Jan 20, 2022
An exploration of zero-click attack surface for the popular video conferencing solution Zoom has yielded two previously undisclosed security vulnerabilities that could have been exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory. Natalie Silvanovich of Google Project Zero, who  discovered  and reported the  two   flaws  last year, said the issues impacted both Zoom clients and Multimedia Router (MMR) servers, which transmit audio and video content between clients in  on-premise deployments . The weaknesses have since been addressed by Zoom as part of  updates  shipped on November 24, 2021. The goal of a zero-click attack is to stealthily gain control over the victim's device without requiring any kind of interaction from the user, such as clicking on a link. While the specifics of the exploit will vary depending on the nature of vulnerability being exploited, a key trait of zero-click hacks is their ability not to leave behind
Chrome Limits Websites' Direct Access to Private Networks for Security Reasons

Chrome Limits Websites' Direct Access to Private Networks for Security Reasons

Jan 17, 2022
Google Chrome has announced plans to prohibit public websites from directly accessing endpoints located within private networks as part of an upcoming major security shakeup to prevent intrusions via the browser. The proposed change is set to be rolled out in two phases consisting of releases Chrome 98 and Chrome 101 scheduled in the coming months via a newly implemented W3C specification called private network access ( PNA ). "Chrome will start sending a  CORS  preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server," Titouan Rigoudy and Eiji Kitamura  said . "This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true." What this means is that starting with Chrome version 101, any website accessible via the internet will be made to seek explicit permi
France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies

France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies

Jan 07, 2022
The Commission nationale de l'informatique et des libertés (CNIL), France's data protection watchdog, has slapped Facebook (now Meta Platforms) and Google with fines of €150 million ($170 million) and €60 million ($68 million) for violating E.U. privacy rules by failing to provide users with an easy option to reject cookie tracking technology. "The websites facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies," the  authority   said . "However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies." Facebook told  TechCrunch  that it was reviewing the ruling, while Google said it's working to change its practices in response to the CNIL fines. HTTP cookies are small pieces of data created while a user is browsing a website and placed on the user's computer or other device by the user's web browser to track online
Google Releases New Chrome Update to Patch Dozens of New Browser Vulnerabilities

Google Releases New Chrome Update to Patch Dozens of New Browser Vulnerabilities

Jan 06, 2022
Google has rolled out the first round of updates to its Chrome web browser for 2022 to fix 37 security issues, one of which is rated Critical in severity and could be exploited to pass arbitrary code and gain control over a victim's system. Tracked as  CVE-2022-0096 , the flaw relates to a  use-after-free bug  in the Storage component, which could have devastating effects ranging from corruption of valid data to the execution of malicious code on a compromised machine. Security researcher Yangkang ( @dnpushme ) of Qihoo 360 ATA, who has previously disclosed  zero-day vulnerabilities  in Apple's WebKit, has been credited with discovering and reporting the flaw on November 30, 2021. It's also worth pointing out that 24 of the 37 uncovered flaws came from external researchers, including its Google Project Zero initiative, while the others were flagged as part of its ongoing internal security work. Of the 24 bugs, 10 are rated High, another 10 are rated Medium, and three
Cybersecurity Resources