Tag Archive for: releases

Google Releases Eighth Zero-Day Patch of 2023 for Chrome


Google has issued an urgent update to address a recently discovered vulnerability in Chrome that has been under active exploitation in the wild, marking the eighth zero-day vulnerability identified for the browser in 2023.

Identified as CVE-2023-7024, Google said the vulnerability is a significant heap buffer overflow flaw within Chrome’s WebRTC module that allows remote code execution (RCE).

WebRTC is an open source initiative enabling real-time communication through APIs, and enjoys widespread support among the leading browser makers.

How CVE-2023-7024 Threatens Chrome Users

Lionel Litty, chief security architect at Menlo Security, explains that the risk from exploitation is the ability to achieve RCE in the renderer process. This means a bad actor can run arbitrary binary code on the user’s machine, outside of the JavaScript sandbox.

However, real damage relies on using the bug as the first step in an exploit chain; it needs to be combined with a sandbox escape vulnerability in either Chrome itself or the OS to be truly dangerous.

“This code is still sandboxed due to the multiprocess architecture of Chrome though,” Litty says, “so with just this vulnerability an attacker cannot access the user’s files or start deploying malware, and their foothold on the machine goes away when the impacted tab is closed.”

He points out Chrome’s Site Isolation feature will generally protect data from other sites, so an attacker can’t target the victim’s banking information, although he adds there are some subtle caveats here.

For example, this would expose a target origin to the malicious origin if they use the same site: In other words, a hypothetical malicious.shared.com can target victim.shared.com.

“While access to the microphone or camera requires user consent, access to WebRTC itself does not,” Litty explains. “It is possible this vulnerability can be targeted by any website without requiring any user input beyond visiting the malicious page, so from this perspective the threat is significant.”

Aubrey Perin, lead threat intelligence analyst at Qualys Threat Research Unit, notes that the reach of the bug extends beyond Google Chrome.

“The exploitation of Chrome is tied to its ubiquity — even Microsoft…


Chinese Ministry of Public Security releases 10 typical cases of cracking down on cyberspace violence, illegal crimes


Police officers raise cybersecurity awareness by disseminating education pamphlets among citizens in Yangzhou, East China's Jiangsu Province, on September 14, 2023. Photo: Xinhua


On Tuesday, China’s Ministry of Public Security released 10 typical cases of cracking down on cases of cyberspace violence and illegal crimes. Those cases included illegally hiring a group of online users to attack others, using hacking methods to obtain large volumes of personal information, and using PS and other technologies to maliciously defame others’ image.

In recent years, cyberspace violence and illegal crimes have become increasingly frequent, leading to some individuals experiencing “social death,” mental illness, and even suicide. This has severely disrupted the order of the internet and damaged the online ecosystem, causing a negative social impact. The Chinese public security authorities continue to maintain a “zero tolerance” attitude toward cyberspace violence and illegal crimes and have dealt with a large number of such cases, including insulting and defaming others, spreading rumors, and violating privacy.

In the first typical case, East China’s Jiangsu public security organs targeted a case of a person surnamed Zhang who hired an “internet troll army” — a group of users who are paid to post online comments with vested interest on Chinese language websites — to cyberbully others.

The internet security department of Jiangsu public security organs found that during his probation period, Zhang illegally obtained a victim’s private information by installing tracking and eavesdropping devices in order to achieve long-term control over the victim. He spread and promoted indecent videos, images, and insulting articles about the victim through purchasing internet accounts and hiring an online “army.” He also sent reports with false accusations to the victim’s workplace in someone else’s name, causing the victim to suffer from post-traumatic stress disorder. In January 2023, Zhang was taken into custody by the public security organs in accordance with the law. Currently, Zhang has been sentenced to six years in prison and fined 10,000 yuan ($1,397.96) for the crimes of infringing on…


Comcast Business Releases 2023 Small Business Cybersecurity Report


Comcast Business SecurityEdge™ blocked over 1.1 billion malware attacks, countered 1.1 billion bot attacks, and thwarted 395 million phishing attempts during the second quarter of 2023

PHILADELPHIA–(BUSINESS WIRE)– Comcast Business has released findings from its 2023 Comcast Business | Small Business Cybersecurity Report. The report found that small businesses were under frequent threat from cyber-attacks from July 2022 to June 2023, with daily malware activity roughly doubling year-over-year and peaks in both holiday seasons.

“As small businesses embrace remote and hybrid work policies, relying on off-network and mobile devices for access to applications and data, they become more appealing targets for cybercriminals,” said Shena Seneca Tharnish, Vice President of Secure Networking and Cybersecurity Solutions at Comcast Business. “In the past year, SecurityEdge™ has successfully thwarted billions of threats, helping to protect tens of thousands of small businesses.”

The widespread use of internet-connected devices has given rise to a substantial surge in threat actors targeting small and medium-sized businesses (SMBs), with malware, phishing, and botnets being the most common threats. Additionally, there is a concerning lack of security measures in place for mobile devices, as Comcast Business found that nearly 1 in 10 devices, on average, attempted to connect to domains associated with malware, phishing, or malicious bot activity.

“In our current digital age, the importance of safeguarding devices and data, regardless of their location, cannot be overstated. It’s critical for organizations of all sizes to stay secure in order to maintain trust from employees, customers, and other stakeholders,” said Jonathan Morgan, Vice President of Network Security Product Management at Akamai. “With Comcast Business’s SecurityEdge, customers can rest assured that they have the right tools and support in place to help protect their connected devices. We’re proud to be a key component in that solution with our Secure Internet Access services that protect businesses and families across the globe.”

The second annual Comcast Business Small Business…


ZeroFox Releases Brand Protection Trends Report, Finds 164% Increase in Cyber Threats Targeting … | News


WASHINGTON, July 31, 2023 (GLOBE NEWSWIRE) — In our increasingly interconnected digital world, brands face a growing array of external cybersecurity threats that can jeopardize their reputation, customers’ trust, and financial bottom line. According to the latest trend report from ZeroFox (Nasdaq: ZFOX), an enterprise software-as-a-service leader in external cybersecurity, digital threats targeting brands increased by 164% between the first and second quarters of 2023 – a significant jump that underscores the cruciality of securing an organization’s brand against digital risks such as impersonations and fraud.

In the 2023 Brand Protection Trend Report, ZeroFox Intelligence analyzed threat actor behavior targeting organizations’ brands in the second quarter of 2023. The report highlights a concerning quarter-over-quarter spike in both domain and executive impersonations seeking to exploit the trust that brands have built with their customers, causing significant damage to brand reputation and customer loyalty. Brands are a lucrative pawn for threat actors, as hijacking an already-established brand makes it easier to deceive victims in various fraud, scam, and otherwise malicious campaigns.

Key Findings

Among the key findings in the report, ZeroFox Intelligence observed:

  • A 35% increase in verified alerts for brand threats related to fraud, scams, and piracy quarter-over-quarter across the ZeroFox customer base, and a nearly 20% increase in brand-related impersonations.
  • A 26% increase in fraudulent activity tied to brands observed in this quarter; more specifically, fraudulent job postings identified rose by over 50%.
  • A nearly 20% increase in spoofed domains in the second quarter of 2023 versus the first quarter, with just over one-third tied to phishing campaigns.
  • A 22% increase in key personnel and corporate social media impersonation accounts with a biography, name and image to legitimize these profiles; those that used a biography with a name only increased 35%.

“Because job seekers and consumers often blame targeted organizations for scams that abuse their brand, these organizations must proactively protect against domain and…
