Week in review: Linux bug gives root access to attackers, UPS devices’ vulns, IoT security for OEMs


Here’s an overview of some of last week’s most interesting news, articles and interviews:

Mozilla fixes Firefox zero-days exploited in the wild (CVE-2022-26485, CVE-2022-26486)
Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities (CVE-2022-26485, CVE-2022-26486) exploited by attackers in the wild.

Easily exploitable Linux bug gives root access to attackers (CVE-2022-0847)
An easily exploitable vulnerability (CVE-2022-0847) in the Linux kernel can be used by local unprivileged users to gain root privileges on vulnerable systems by taking advantage of already public exploits.

Widely used UPS devices can be hijacked and destroyed remotely
Three vulnerabilities in ubiquitous APC Smart-UPS (uninterruptible power supply) devices could allow remote attackers to use them as an attack vector, disable or completely destroy them, Armis researchers have discovered.

March 2022 Patch Tuesday: Microsoft fixes RCEs in RDP client, Exchange Server
Microsoft marks March 2022 Patch Tuesday with patches for 71 CVE-numbered vulnerabilities, including three previously unknown “critical” ones and three “important” ones that were already public (but not actively exploited by attackers).

War in Ukraine: What type of cyber attacks can we expect next?
The cyber activities related to the ongoing war in Ukraine have run the gamut from wiper malware hitting organizations and the border control in Ukraine, DDoS attacks aimed at government and media websites, and cyber disruption of satellite-based internet service, to preparations for watering hole attacks, next-level disinformation campaigns, and phishing campaigns.

Kali Linux on bare-metal gets snapshotting functionality
The Offensive Security team has released Kali Unkaputtbar, a new feature that allows Kali Linux installed on bare-metal to make system snapshots automatically, thus enabling users to roll back to a previous system state after a botched upgrade.

Every business is a cybersecurity business
Hybrid working, with some staff dialing in remotely and others based in the office, forms the basis of how many organizations work, yet many businesses are still not fully equipped for the inevitable security risks that decentralization creates.

Sharp rise in SMB cyberattacks by Russia and China
SaaS Alerts unveiled the findings of its latest report which analyzed approximately 136 million SaaS security events across 2,100 small and medium businesses (SMBs) globally and identified cyber trends negatively impacting businesses.

5 steps that simplify IoT security for OEMs
As digital transformation materializes, businesses are becoming more reliant on devices that support valuable IoT services. As the reliance on these devices grows, so does the number of cyberattacks on connected solutions.

BBC targeted with 383,278 spam, phishing and malware attacks every day
The BBC (British Broadcasting Corporation) were the target of nearly 50 million malicious email attacks between 1st October 2021 and the end of January 2022.

Increasing security for single page applications (SPAs)
Single page applications (SPAs) have become the most popular way to create websites that feel faster for the end-user without hitting the server every time a user interacts with an application.

IT leaders confident in their ability to manage a ransomware attack: They should know better
ExtraHop released findings from a survey on ransomware that sheds light on the discrepancies between how IT decision makers (ITDMs) see their current security practices, and the reality of the ransomware attack landscape.

Understanding US Defense Department’s relaxed cybersecurity protocols under CMMC 2.0
Department of Defense (DoD) contractors struggling to comply with upcoming cybersecurity regulations under the Cybersecurity Maturity Model Certification (CMMC) can breathe a sigh of relief—the DoD has announced its intent to release CMMC 2.0, with promises to streamline the certification process and ease security regulations for contractors and sub-contractors handling low-priority information.

70% of breached passwords are still in use
SpyCloud announced a report that examines trends related to exposed data. Researchers identified 1.7 billion exposed credentials, a 15% increase from 2020, and 13.8 billion recaptured Personally Identifiable Information (PII) records obtained from breaches in 2021.

Data privacy laws are an opportunity to become more honest in reaching your target audience
Data privacy regulations are designed to give consumers more transparency into and control over how their data is collected, shared and used, especially as more consumers grow concerned about how their data is accessed and used by big data companies.

How frustrated and burned out are security analysts?
Security analysts play a vital role ensuring that their organizations stay safe and secure. But barriers to their work, like a lack of staff, overwork, and tedious tasks are causing frustration and burnout, a Tines report reveals.

Why are CAPTCHAs still used?
The success of your online business hinges on your customers’ ability to properly recognize crosswalks or traffic lights. I’m, of course, referring to CAPTCHAs, the online security tool that asks end users to prove they’re human by recognizing specific elements in various images.

Organizations need to change their current password usage and policies, and do it fast
Password-related attacks are on the rise. Stolen user credentials including name, email and password were the most common root cause of breaches in 2021 with several high-profile and disruptive attacks over the last two years on SolarWinds, Colonial Pipeline, and others made possible by hackers stealing a single password.

Does the future of digital identity offer us greater security and convenient experiences?
Much of the promise associated with future digital identity infrastructures is associated with greater automation of the identity lifecycle and the provision of greater control of personal data to end-users.

ICS vulnerability disclosures surge 110% over the last four years
Industrial control system (ICS) vulnerability disclosures grew a staggering 110% over the last four years, with a 25% increase in the second half (2H) of 2021 compared to the previous six months, according to a research released by Claroty.

Fraud detection and prevention costs merchants more than fraud itself
European merchants spent nearly €7 billion on fraud detection and prevention in 2021 alone – more than three times the value lost to fraud in the same year, CMSPI estimates.

Small business owners worried about the cybersecurity of their commercial vehicles
Small business owners are adding electric vehicles to their service fleets, a survey released by HSB reports, but they worry about cybersecurity when connecting them to public charging stations.

Mid-market tackling high rate of costly attacks, worsened by complex, siloed defences and staff burnout
Mid-market organizations in the UK suffered significant financial and operational damage as a result of cyberattacks in 2021, and want to see fundamental change to how cybersecurity is designed and run, a Censornet research reveals.

Start a cybersecurity career with the help of (ISC)², exam costs only $125
There’s never been a time when entry-level cybersecurity professionals were more in demand. Starting your career with a certification from (ISC)² means you’re showing potential employers that you have the drive, knowledge and skills to succeed.

Improve your organization’s cyber hygiene with CIS CSAT Pro
Essential cyber hygiene is the foundation for any good cybersecurity program. The Center for Internet Security (CIS) defines essential cyber hygiene as Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls).

New infosec products of the week: March 11, 2022
Here’s a look at the most interesting products from the past week, featuring releases from AvePoint, Dasera, Elastic, Imperva, Palo Alto Networks, Reciprocity, SpyCloud, and Veeam.

More about

Don't miss