#intel

Catch up on the highlights of last week’s cybersecurity conference

New Cortex Xpanse features give organizations visibility and control of their attack surfaces to discover, evaluate, and address cyber risks.

Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).

Funding and new leadership to drive innovation and growth in cloud-native application resiliency; round led by SKK Ventures with T-Mobile and Telefonica.

Under certain conditions, an attacker authenticated as a CMS administrator and with high privileges access to the Network in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) - version 430, can access BOE Monitoring database to retrieve and modify (non-personal) system data which would otherwise be restricted. Also, a potential attack could be used to leave the CMS's scope and impact the database. A successful attack could have a low impact on confidentiality, a high impact on integrity, and a low impact on availability.

Categories: News Tags: MuddyWater Tags: Static Kitten Tags: remote access tool Tags: MSP Tags: Iran A new campaign by hacking group MuddyWater has been uncovered in which a legitimate remote access tool is sent to targets from a compromised email account. (Read more...) The post Iranian hacking group uses compromised email accounts to distribute MSP remote access tool appeared first on Malwarebytes Labs.

Categories: News Tags: TikTok Tags: ban TikTok Tags: states that banned TikTok Tags: Indiana bans TikTok Tags: Maryland bans TikTok Tags: Shou Zi Chew Tags: Brendan Carr Tags: ByteDance Tags: Brooke Oberwetter The State of Indiana has filed two lawsuits against TikTok, Inc, the company behind the same name app, and its parent company, ByteDance. (Read more...) The post Indiana sues TikTok, describes it as "Chinese Trojan Horse" appeared first on Malwarebytes Labs.

Categories: News Tags: Lock and Code S03E25 Tags: lock and code Tags: S03E25 Tags: Dustin Childs Tags: Eufy Tags: Snapchat Tags: Apple Tags: Apple AirTag Tags: Google Chrome Tags: V8 vulnerability Tags: Hive Tags: Facebook hoax Tags: PayPal phish Tags: Lazarus Group Tags: SIM swapper Tags: festive scam Tags: holiday scams Tags: Android vulnerability Tags: Bluetooth Tags: SaaS Tags: SaaS best practices Tags: Epic Games Tags: Threat Intelligence Reports The most interesting security related news from the week of December 5 to 11. (Read more...) The post A week in security (December 5 - 11) appeared first on Malwarebytes Labs.

Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks targeting law firms throughout 2020 and 2021 involved a revamped variant of a malware called Janicab that leverages a number of public services like YouTube as dead drop resolvers,

cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade to 0.31.24 or to downgrade to 0.31.22. There are no known workarounds for this vulnerability.