New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials

Scams pressure victims to "resolve an issue that could impact their status, business."

Microsoft Reverses Course on Blocking Office Macros by Default

Security experts criticize company for reversing course, albeit temporarily, on a decision it made just this February to block macros in files downloaded from the Internet.

DoJ Charges CEO for Dealing $1B in Fake Cisco Gear

Fraudster allegedly passed off refurbished, modified Cisco equipment as new to hospitals, schools, and even the military.

SOAR Market Worth $2.3 Billion by 2027, According to Exclusive Report by MarketsandMarkets

.

Welcome-Back-to-the-Future Shock

This year's RSA Conference saw a strange mix of selling the future and the past — for good reason.

Swimlane Secures $70M Growth Round to Fuel Global Expansion of Next Generation Low-Code Security Automation Platform

.

Worldwide Enterprise Endpoint Security Industry to 2027: Focus on Antivirus, Firewall, Endpoint Device Control, and Anti-Spyware/Anti-Malware

.

Coalition Closes $250 Million in Series F Funding, Valuing the Cyber Insurance Provider at $5 Billion

Funding from Allianz X, Valor Equity Partners, Kinetic Partners, and existing investors will accelerate Coalition’s vision to provide security for all.

Zero Trust Bolsters Our National Defense Against Rising Cyber Threats

The Colonial Pipeline and JBS attacks, among others, showed us our national resilience is only as strong as public-private sector collaboration.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

What Do All of Those Cloud Cybersecurity Acronyms Mean?

Acronyms serve as a gatekeeper — if you don't sling the lingo, you don't belong. So here's a quick guide to the letter salad of cloud cybersecurity.

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

Cyber Skills Center Launches in Tulsa to Develop Diverse, Local Tech Talent Pipeline

New program offers free tech skills training and paid apprenticeships to make education and career pathways more accessible.

Fortress Information Security Sponsors Open Web Application Security Project To Work on Industry-Wide Software Bill of Materials Standards

.

China's Tonto Team APT Ramps Up Spy Operations Against Russia

In a significant spike of activity, the state-sponsored group is going after intelligence on Russian government agencies.

Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover

Improper implementations of authentication APIs at a global crypto wallet service provider could have resulted in the loss of account control — and millions of dollars — from personal and business accounts.

Empower Your Security Operations Team to Combat Emerging Threats

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

Cybersecurity Has a Talent Shortage & Non-Technical People Offer a Way Out

It's time to tap the large reservoir of talent with analytical skills to help tackle cybersecurity problems. Train workers in cybersecurity details while using their ability to solve problems.

Inside NIST's 4 Crypto Algorithms for a Post-Quantum World

With the world potentially less than a decade away from breaking current encryption around critical data, researchers weigh in on planning for the post-quantum world.

Prevention Takes Priority Over Response

Cybersecurity teams continue to emphasize intrusion prevention over incident response, despite US government action.

North Korean State Actors Deploy Surgical Ransomware in Ongoing Cyberattacks on US Healthcare Orgs

US government warns healthcare and public-health organizations to expect continued attacks involving the manually operated "Maui" ransomware.

Apple Debuts Spyware Protection for State-Sponsored Cyberattacks

Apple's new Lockdown Mode protects devices targeted by sophisticated state-sponsored mercenary spyware attacks.

I Built a Cheap 'Warshipping' Device in Just 3 Hours — and So Can You

Here's how I did it and how you can protect your company against such physical/digital hybrid attacks.

Marriott Data Breach Exposes PII, Credit Cards

The hospitality giant said data from 300-400 individuals was compromised by a social-engineering scam targeting the Baltimore airport.

How to Keep EVs From Taking Down the Electrical Grid

They may be environmentally friendly, but the surging popularity of electric cars and plug-in hybrids puts the nation's electrical grid at greater risk for malfeasance.

Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake'

The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide.

Identity Access Management Is Set for Exploding Growth, Big Changes — Report

New research says IAM spending will grow on the back of affordable subscription services, spurred by cloud and mobile adoption, IoT, and continued remote working.

The Cyber-Asset Management Playbook for Supply Chain Modernization

Organizations must balance the risk and reward of new cyber-asset management technologies.

Roundtable: Amid Cyberattack Frenzy, How Can QNAP Customers Protect the Business?

Our roundtable of cybersecurity experts weighs in on what makes QNAP network-attached storage catnip for attackers, and what organizations can do about it.

NIST Picks 4 Quantum-Resistant Cryptographic Algorithms

The US Department of Commerce's National Institute of Standards and Technology has announced the first group of encryption tools that will become part of its post-quantum cryptographic standard.

HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain

Company says it is making changes to its security controls to prevent malicious insiders from doing the same thing in future; reassures bug hunters their bounties are safe.

Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data

A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.

Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk

As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.

Google Chrome WebRTC Zero-Day Faces Active Exploitation

The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.

3 Cyber Threats Resulting From Today's Technology Choices to Hit Businesses by 2024

Companies need to consider the cost to disengage from the cloud along with proactive risk management that looks at governance issues resulting from heavy use of low- and no-code tools.

Name That Edge Toon: On Guard

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

OpenSea NFT Marketplace Faces Insider Hack

OpenSea warns users that they are likely to be targeted in phishing attacks after a vendor employee accessed and downloaded its email list.

Time Constraints Hamper Security Awareness Programs

Even as more attacks target humans, lack of dedicated staff, relevant skills, and time are making it harder to develop a security-aware and engaged workforce, SANS says.

Criminals Use Deepfake Videos to Interview for Remote Work

The latest evolution in social engineering could put fraudsters in a position to commit insider threats.

DragonForce Malaysia Releases LPE Exploit, Threatens Ransomware

The hacktivist group is ramping up its activities and ready to assault governments and businesses with escalating capabilities.

When It Comes to SBOMs, Do You Know the Ingredients in Your Ingredients?

Transitive dependencies can complicate the process of developing software bills of materials.

Microsoft Going Big on Identity with the Launch of Entra

With more staff working remotely, identity, authentication, and access (IAA) has never been more important. Microsoft has a new response.

Google: Hack-for-Hire Groups Present a Potent Threat

Cyber mercenaries in countries like India, Russia, and the UAE are carrying out data theft and hacking missions for a wide range of clients across regions, a couple of new reports said.

18 Zero-Days Exploited So Far in 2022

It didn't have to be this way: So far 2022's tranche of zero-days shows too many variants of previously patched security bugs, according Google Project Zero.

API Security Losses Total Billions, But It's Complicated

A recent analysis of breaches involving application programming interfaces (APIs) arrives at some eye-popping damage figures, but which companies are most affected, and in what ways?

Exchange Servers Backdoored Globally by SessionManager

Malicious IIS module exploitation is the latest trend among threat actors targeting Exchange servers, analysts say.

Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

Titaniam’s ‘State of Data Exfiltration & Extortion Report’ also finds that while over 70% of organizations had heavy investments in prevention, detection, and backup solutions, the majority of victims ended up giving into attackers' demands.

A Fintech Horror Story: How One Company Prioritizes Cybersecurity

A password link that didn't expire leads to the discovery of exposed personal information at a payments service.

NXM Announces Platform That Protects Space Infrastructure and IoT Devices From Cyberattacks

NXM Autonomous Security protects against network-wide device hacks and defends against critical IoT vulnerabilities.

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration

An unauthenticated remote code execution vulnerability found in Zoho’s compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.

Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Patch Now: Linux Container-Escape Flaw in Azure Service Fabric

Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Linux Server Fabric to thwart the "FabricScape" cloud bug.

What's Your AppSec Personality?

It's time to decide which role to play to best serve your organization's security needs: an auditor, a lawyer, or a developer.

ZuoRAT Hijacks SOHO Routers From Cisco, Netgear

The malware has been in circulation since 2020, with sophisticated, advanced malicious actors taking advantage of the vulnerabilities in SOHO routers as the work-from-home population expands rapidly.

Broken Authentication Vuln Threatens Amazon Photos Android App

The now-patched bug allows an attacker to gain full access to a user's Amazon files.

How to Master the Kill Chain Before Your Attackers Do

In the always-changing world of cyberattacks, preparedness is key.

Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing

External attacks focused on vulnerabilities are still the most common ways that companies are successfully attacked, according to incident data.

Shifting the Cybersecurity Paradigm From Severity-Focused to Risk-Centric

Embrace cyber-risk modeling and ask security teams to pinpoint the risks that matter and prioritize remediation efforts.