Vulnerability Summary for the Week of September 12, 2022

adobe — animate Adobe Animate version 21.0.11 (and earlier) and 22.0.7 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. […]

Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure

researchers-disclose-critical-vulnerability-in-oracle-cloud-infrastructure

Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. “Each virtual disk in Oracle’s cloud has a unique identifier called OCID,” Shir Tamari, head of research at Wiz, said in a series of tweets. “This identifier is not […]

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

15-year-old-unpatched-python-vulnerability-potentially-affects-over-350,000-projects

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and […]

Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners

hackers-targeting-unpatched-atlassian-confluence-servers-to-deploy-crypto-miners

A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. “If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and […]

Over 39,000 Unauthenticated Redis Instances Found Exposed on the Internet

over-39,000-unauthenticated-redis-instances-found-exposed-on-the-internet

An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet in an attempt to install a cryptocurrency miner. It’s not immediately known if all of these hosts were successfully compromised. Nonetheless, it was made possible by means of a “lesser-known technique” designed to trick the servers into writing data to […]

Crypto Trading Firm Wintermute Loses $160 Million in Hacking Incident

crypto-trading-firm-wintermute-loses-$160-million-in-hacking-incident

In what’s the latest crypto heist to target the decentralized finance (DeFi) space, hackers have stolen digital assets worth around $160 million from crypto trading firm Wintermute. The hack involved a series of unauthorized transactions that transferred USD Coin, Binance USD, Tether USD, Wrapped ETH, and 66 other cryptocurrencies to the attacker’s wallet. The company […]

Why Zero Trust Should be the Foundation of Your Cybersecurity Ecosystem

why-zero-trust-should-be-the-foundation-of-your-cybersecurity-ecosystem

For cybersecurity professionals, it is a huge challenge to separate the “good guys” from the “villains”. In the past, most cyberattacks could simply be traced to external cybercriminals, cyberterrorists, or rogue nation-states. But not anymore. Threats from within organizations – also known as “insider threats” – are increasing and cybersecurity practitioners are feeling the pain. […]

U.S. Adds 2 More Chinese Telecom Firms to National Security Threat List

us.-adds-2-more-chinese-telecom-firms-to-national-security-threat-list

The U.S. Federal Communications Commission (FCC) has added Pacific Network Corp, along with its subsidiary ComNet (USA) LLC, and China Unicom (Americas) Operations Limited, to the list of communications equipment and services that have been deemed a threat to national security. The agency said the companies are subject to the Chinese government’s exploitation, influence, and […]

Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing

record-ddos-attack-with-25.3-billion-requests-abused-http/2-multiplexing

Cybersecurity company Imperva has disclosed that it mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests on June 27, 2022. The “strong attack,” which targeted an unnamed Chinese telecommunications company, is said to have lasted for four hours and peaked at 3.9 million requests per second (RPS). “Attackers used HTTP/2 […]

Critical Remote Hack Flaws Found in Dataprobe’s Power Distribution Units

critical-remote-hack-flaws-found-in-dataprobe’s-power-distribution-units

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an industrial control systems (ICS) advisory warning of seven security flaws in Dataprobe’s iBoot-PDU power distribution unit product, mostly used in industrial environments and data centers. “Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution on the Dataprobe iBoot-PDU device,” the […]