17 Sep 2021

Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang

Microsoft and RiskIQ researchers have uncovered several campaigns using a recently patched Microsoft MSHTML flaw, restating calls for organizations to update impacted systems. The vulnerability was first exploited by the Ryuk ransomware gang, which leveraged the bug ahead of the patch, according to the new research. Microsoft released the fix

Read More
17 Sep 2021

USG Warns Of ‘Critical’ Vulnerability That Poses ‘Serious Risk’ To Defense Contractors, Others

Earlier this week, the US FBI and Cybersecurity and Infrastructure Security Agency released a joint advisory warning the public of alleged active exploitation of a critical vulnerability found in a popular password management solution called Zoho. Zoho’s ManageEngine AdSelfService Plus, a tool that aids users in creating strong passwords and

Read More
16 Sep 2021

Household Names Hit with £500K Fine for Spamming Consumers

In the UK, three popular companies have been fined nearly half a million USD collectively by the UK privacy regulator after delivering hundreds of millions of marketing messages to consumers and violating certain marketing laws. We Buy Any Car was allegedly fined £200,000 by the Information Commissioner’s Office after sending

Read More
16 Sep 2021

REvil/Sodinokibi Ransomware Universal Decryptor Key Is Out

Bitdefender collaborated with law enforcement to create a key that would release data encrypted in ransomware attacks before the REvil ransomware gang disappeared from the internet on July 13. The universal decryption key will be free for victims of REvil ransomware attacks. The firm announced that it will be passing

Read More
16 Sep 2021

New Go malware Capoae targets WordPress installs, Linux systems

A new strain of malware called Capoae was publicized earlier this week by security research firm Akamai. The firm stated that the new malware is written in the Golang programming language, which is becoming increasingly popular among threat actors due to its cross-platform capabilities. The malware spreads through known vulnerabilities

Read More
15 Sep 2021

Attackers Impersonate DoT in Two-Day Phishing Scam

Threat actors allegedly impersonated the US Department of Transportation in a two-day phishing campaign, leveraging the recent $1 trillion infrastructure bill. The cyber attackers created new domains mimicking the real DoT site. The campaign combined a series of tactics, such as creating seemingly legitimate domains to evade security detections and

Read More
15 Sep 2021

Microsoft Patches Actively Exploited Windows Zero-Day Bug

In the most recent Patch Tuesday, Microsoft released fixes 66 CVEs, including an RCE bug under active attack. Three of the bugs that were patched in the update were rated critical. One of which has been under active attack for nearly two weeks. One of the other bugs included in

Read More
15 Sep 2021

DOJ fines NSA hackers who assisted UAE in attacks on dissidents

The Justice Department has announced a deal with three former US Intelligence operatives that allows them to pay a fine rather than face jail time for breaking multiple laws when conducting offensive hacking for the government of the United Arab Emirates. The deal is controversial, as it allows the three

Read More
14 Sep 2021

Apple Releases Urgent Patch Following Discovery of Pegasus Spyware

This week, Apple released an urgent update that mitigates a critical vulnerability exploited by the Pegasus mobile software. The flaw, which is tracked as CVE-2021-30860, was first discovered by security researchers at the University of Toronto’s Citizen Lab when analyzing the iPhone of a Saudi activist who had been targeted

Read More
13 Sep 2021

Zero Trust Will Yield Zero Results Without A Risk Analysis

Over the past four years there has been an avalanche of new Zero Trust products. However during the same period there has been no measurable reduction in cyber breaches. To the contrary, ransomware, data exfiltration and lateral moving malware attacks seem to be increasing. If the emergence of Zero Trust was supposed to make us safer, it hasn’t happened. One of the common mistakes we see enterprises IT leaders and many cybersecurity experts make is to think of Zero Trust as a product. it is not.  Zero Trust is a concept where an organization has Zero Trust in a specific individual, supplier or technology that is the source of their cyber risk. One needs to have Zero Trust in something and then act to neutralize that risk. Thus buying a Zero Trust product makes no sense unless it is deployed as a countermeasure to specific cyber risk. Buying products should be the last step taken not the first.

To help enterprises benefit from Zero Trust concepts here is a modified OODA loop type process to guide your strategy development and execution.

Read More