Week in review: Microsoft patches zero-day, Apple security updates, HashiCorp Vault vulnerability

Week in review

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Making risk-based decisions in a rapidly changing cyber climate
In this Help Net Security interview, Nicole reveals the three key indicators she uses to assess an industrial organization’s cybersecurity readiness and provides valuable insights for businesses and governments on fortifying their critical infrastructure against cyber threats.

Data-backed insights for future-proof cybersecurity strategies
In this Help Net Security interview, Travis Smith, VP of the Qualys TRU, talks about the 2023 Qualys TruRisk Threat Research Report, which provides security teams with data-backed insights to help them better understand how adversaries exploit vulnerabilities and carry out attacks.

Google delivers secure open source software packages
Google has announced the Google Cloud Assured Open Source Software (Assured OSS) service, which aims to be a trusted source of secure open source packages, and the deps.dev API, which provides access to security metadata for 50+ million open source package versions.

3CX compromise: More details about the breach, new PWA app released
3CX has released an interim report about Mandiant’s findings related to the compromise the company suffered last month, which resulted in a supply chain attack targeting cryptocurrency companies.

Microsoft patches zero-day exploited by attackers (CVE-2023-28252)
It’s April 2023 Patch Tuesday, and Microsoft has released fixes for 97 CVE-numbered vulnerabilities, including one actively exploited zero-day (CVE-2023-28252).

Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206)
Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities (CVE-2023-28205, CVE-2023-28206) in macOS, iOS and iPadOS.

Zelle users targeted with social engineering tricks
Cybercriminals have been leveraging social engineering techniques to impersonate the popular US-based digital payments network Zelle and steal money from unsuspecting victims, according to Avanan.

LinkedIn now allows you to verify your workplace
To combat the surge of fake LinkedIn accounts in recent years, Microsoft has introduced Entra Verified ID, a new feature that allows users to verify their workplace on the business-focused social media platform.

Kodi forum breach: User data, encrypted passwords grabbed
The developers of Kodi, the widely used open-source media player app, have revealed a data breach of its user forum.

Beware of companies offering paid sextortion assistance
Sextortion victims are already in a vulnerable position, and shady companies are taking advantage of this vulnerability to offer “sextortion assistance” services for huge sums – services that they may be unable to render or that won’t help the victims in any way.

Why it’s time to move towards a passwordless future
Adversaries don’t need to use sophisticated methods to gain access to enterprise systems or to deploy ransomware – they can just buy or steal credentials and log in.

Cybercriminals use simple trick to obtain personal data
People reveal more personal information when you ask them the same questions a second time – according to new research from the University of East Anglia.

How to transform cybersecurity learning and make content more engaging
In this Help Net Security video, Dr Jason Nurse, Director of Science and Research at CybSafe, and Associate Professor at The University of Kent, discusses how delivering cybersecurity content can be more engaging.

5 steps to building NSA-level access control for your app
Access control has become a main concern when it comes to developing secure web applications, and the NSA has a lot to say about it, especially about the biggest access management pitfall developers fall into.

HashiCorp Vault vulnerability could lead to RCE, patch today! (CVE-2023-0620)
Oxeye discovered a new vulnerability (CVE-2023-0620) in the HashiCorp Vault Project, an identity-based secrets and encryption management system that controls access to API encryption keys, passwords, and certificates.

Key factors driving changes in the perception of the CISO role
In this Help Net Security video, Michael Scott, CISO at Immuta, talks about the internal and external factors driving the changes in workload and perception of the CISO role, including the evolving relationship of the CISO and C-suite, and how to power the use of data rather than restrict it.

The new weakest link in the cybersecurity chain
Organizations frequently run Internet-facing IT systems with years-old software that hasn't been patched and that is not integrated into any security monitoring framework.

Hybrid work environments are stressing CISOs
The impact of the hybrid workforce on security posture, as well as the risks introduced by this way of working, are posing concerns for CISOs and driving them to develop new strategies for hybrid work security, according to Red Access.

Tactics that make crypto giveaway scams so successful
In this Help Net Security video, Tony Lauro, Director of Security Technology and Strategy at Akamai, discusses why crypto giveaway scams are so successful.

DDoS alert traffic reaches record-breaking level of 436 petabits in one day
With over one billion websites worldwide, HTTP/HTTPS application-layer attacks have increased by 487% since 2019, with the most significant surge in the second half of 2022, according to NETSCOUT.

Threat hunting programs can save organizations from costly security breaches
To better understand the perspective of threat hunters who are in the trenches defending their organizations every day, Team Cymru surveyed 218 experienced security analysts to learn what works and what doesn’t in their threat hunting program, how they measure success, and the biggest challenges they face.

Consumers take data control into their own hands amid rising privacy concerns
Data Subject Requests (DSRs), which are formal requests made by individuals to access, modify, or delete their personal data held by a company, increased by 72% from 2021 to 2022. The increase was primarily driven by deletion and access requests, according to DataGrail.

MSPs urged to refine security solutions in response to growing SMB needs
MSPs are focusing on automation and integration between their core tools to improve efficiency, service delivery and cost management, according to Kaseya.

Criminal businesses adopt corporate behavior as they grow
As criminal groups increase in size, they adopt corporate-like behavior, but this shift brings about its own set of challenges and costs, according to Trend Micro.

New infosec products of the week: April 14, 2023
Here’s a look at the most interesting products from the past week, featuring releases from BigID, Binarly, Cynalytica, GitGuardian, Netskope, Searchlight Cyber, ThreatX, and Wazuh.
