-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys

Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys

Oct 12, 2022
A vulnerability in Siemens Simatic programmable logic controller (PLC) can be exploited to retrieve the hard-coded, global private cryptographic keys and seize control of the devices. "An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related  TIA Portal , while bypassing all four of its  access level protections ," industrial cybersecurity company Claroty  said  in a new report. "A malicious actor could use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way." The critical vulnerability, assigned the identifier  CVE-2022-38465 , is rated 9.3 on the CVSS scoring scale and has been addressed by Siemens as part of security updates issued on October 11, 2022. The list of impacted products and versions is below - SIMATIC Drive Controller family (all versions before 2.9.2) SIMATIC ET 200SP Open Controller CPU 1515SP PC2, including SIPLUS variants (...
Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Oct 12, 2022
Microsoft's Patch Tuesday update for the month of October has addressed a total of  85 security vulnerabilities , including fixes for an actively exploited zero-day flaw in the wild. Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the  actively exploited   ProxyNotShell  flaws in  Exchange Server . The  patches  come alongside  updates to resolve 12 other flaws  in the Chromium-based Edge browser that have been released since the beginning of the month. Topping the list of this month's patches is  CVE-2022-41033  (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory, cautioning that the shortcom...
BazarCall Call Back Phishing Attacks Constantly Evolving Its Social Engineering Tactics

BazarCall Call Back Phishing Attacks Constantly Evolving Its Social Engineering Tactics

Oct 11, 2022
The operators behind the BazaCall call back phishing method have continued to evolve with updated social engineering tactics to deploy malware on targeted networks. The scheme eventually acts as an entry point to conduct financial fraud or facilitate the delivery of next-stage payloads such as ransomware, cybersecurity company Trellix  said  in a report published last week. Primary targets of the latest attack waves include the U.S., Canada, China, India, Japan, Taiwan, the Philippines, and the U.K. BazaCall , also called BazarCall, first gained popularity in 2020 for its novel approach of distributing the BazarBackdoor (aka BazarLoader) malware by manipulating potential victims into calling a phone number specified in decoy email messages. These email baits aim to create a false sense of urgency, informing the recipients about renewal of a trial subscription for, say, an antivirus service. The messages also urge them to contact their support desk to cancel the plan, or ...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Oct 11, 2022
A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," GitHub  said  in an advisory published on September 28, 2022. The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It has been addressed in  version 3.9.11  released on August 28, 2022. vm2 is a  popular Node library  that's used to run untrusted code with allowlisted built-in modules. It's also one of the most widely downloaded software, accounting for nearly 3.5 million downloads per week. The  shortcoming  is rooted in the error mechanism in Node.js to escape the sandbox, according to application security firm Oxeye, which  discov...
The Latest Funding News and What it Means for Cyber Security in 2023

The Latest Funding News and What it Means for Cyber Security in 2023

Oct 11, 2022
The White House has recently announced a $1 billion cyber security grant program that is designed to help state and local governments improve their cyber defenses, especially about protecting critical infrastructure. The  recent executive order  stems from the $1.2 trillion infrastructure bill that was signed almost a year ago. That bill allocated $1 billion for  protecting critical infrastructure against cyber-attack  in the wake of a series of high-profile ransomware attacks such as the one that brought down the Colonial Pipeline.  Those government agencies who wish to take advantage of these funding opportunities must submit a grant proposal by mid-November. Proposals are only being accepted for the sixty days following the program's announcement. Grant recipients can use the funding to invest in new cybersecurity initiatives or to make improvements to existing defenses. Awardees are guaranteed to receive a minimum of $2 million. However, the program's req...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources