Microsoft network breached through password-spraying by Russian-state hackers (arstechnica.com)
Senior execs' emails accessed in network breach that wasn't caught for 2 months.
Terrapin Attack - Attack Discovered Against SSH (terrapin-attack.com)
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel...
SMTP Smuggling Allows Spoofed Emails to Bypass Authentication Protocols (www.securityweek.com)
A new attack technique named SMTP Smuggling can allow malicious actors to send out spoofed emails that bypass authentication mechanisms.
Google researchers report critical zero-days in Chrome and all Apple OSes (arstechnica.com)
Discoveries made by Google's Threat Analysis Group, which tracks nation-state hacking.
In a first, cryptographic keys protecting SSH connections stolen in new attack (arstechnica.com)
An error as small as a single flipped memory bit is all it takes to expose a private key.
Hackers Accessed 632,000 Email Addresses at US Justice, Defense Departments (www.bloomberg.com)
The eight-page report said hackers were able to obtain access to the data by exploiting vulnerability in the MOVEit file transfer program
Hackers can force iOS and macOS browsers to divulge passwords and much more (arstechnica.com)
iLeakage is practical and requires minimal resources. A patch isn't (yet) available.
Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto (www.bleepingcomputer.com)
Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada.
WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April (arstechnica.com)
Vulnerability allows hackers to execute malicious code when targets open malicious ZIP files.
European govt email servers hacked using Roundcube zero-day (www.bleepingcomputer.com)
The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day since at least October 11 to attack European government entities and think tanks.
Google Play apps with 2.5M installs load ads when screen's off (www.bleepingcomputer.com)
The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone's screen was off, running down a device's battery.
Google: Android patch gap makes n-days as dangerous as zero-days (archive.is)
The problem stems from the complexity of the Android ecosystem, involving several steps between the upstream vendor (Google) and the downstream manufacturer (phone manufacturers), significant discrepancies in security update intervals between different device models, short support periods, responsibility mixups, and others...
New Android malware uses OCR to steal credentials from images (www.bleepingcomputer.com)
Two new Android malware families named 'CherryBlos' and 'FakeTrade' were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams.
How Hype Will Turn Your Security Key Into Junk (fy.blackhats.net.au)
In the last few months there has been a lot of hype about "passkeys" and how they are going to change authentication forever. But that hype will come at a cost....