Security
Headlines
HeadlinesLatestCVEs

Latest News

Money Laundering 101, and why Joe is worried

In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime.

TALOS
#vulnerability#google#cisco#git#zero_day#chrome
GHSA-pfqj-w6r6-g86v: Pitchfork HTTP Request/Response Splitting vulnerability

### Impact HTTP Response Header Injection in Pitchfork Versions < 0.11.0 when used in conjunction with Rack 3 ### Patches The issue was fixed in Pitchfork release 0.11.0 ### Workarounds There are no known work arounds. Users must upgrade.

GHSA-963h-3v39-3pqf: Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

## Impact Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the `vega-interpreter`. ## Workarounds - Use `vega` with [expression interpreter](https://vega.github.io/vega/usage/interpreter/) - Upgrade to a [newer Vega version](https://github.com/vega/vega/releases/tag/v5.32.0) (`5.32.0`) ### POC Summary Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function. ### POC Details Consider the function call `replace('foo', {__proto__: /h/.constructor.prototype, global: false})`. Since `pattern` has `RegExp.prototype[@@replace]`, `pattern.exec('foo')` winds up being called. The resulting malicious call looks like this: ``` replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false}) ``` Since functions cannot be returned from this, an attacker that wishes to escalate to XSS mu...

OpenAI Bug Bounty Program Increases Top Reward to $100,000

OpenAI Bug Bounty program boosts max reward to $100,000, expanding scope and offering new incentives to enhance AI security and reliability.

New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records

Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands. DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat. "The threat actor behind

RedCurl Uses New QWCrypt Ransomware in Hypervisor Attacks

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including…

When Getting Phished Puts You in Mortal Danger

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

GHSA-29m8-wh9p-5wc4: Apache Kylin Code Injection via JDBC Configuration Alteration

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue.

GHSA-3v67-545x-ffc3: Apache Kylin Server-Side Request Forgery (SSRF) via `/kylin/api/xxx/diag` Endpoint

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api endpoint open for service. This issue affects Apache Kylin: from 5.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2, which fixes the issue.

&#8220;This fraud destroyed my life.&#8221; Man ends up with criminal record after ID was stolen

A man didn't just have his ID stolen, identity theft ruined his life and robbed him of a promising future.