Dark Reading’s digest of the other don’t-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.
It didn’t have to be this way: So far 2022’s tranche of zero-days shows too many variants of previously patched security bugs, according to Google Project Zero.
The clever, interactive phishing campaign is a sign of increasingly complex social-engineering attacks, researchers warn.
The previously unknown state-sponsored group is compromising industrial targets with the ShadowPad malware before burrowing deeper into networks.
Malicious invoices coming from the accounting software’s legitimate domain are used to harvest phone numbers and carry out fraudulent credit-card transactions.
A voicemail-themed phishing campaign is hitting specific industry verticals across the country, bent on scavenging credentials that can be used for a range of nefarious purposes.
After bragging in underground forums, the woman who stole 100 million credit applications from Capital One has been found guilty.
A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU.
Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.
A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.
An unpatched remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.
The cloud instances were left open to the public Internet with no authentication, allowing attackers to wipe the data.
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
The Chaos ransomware-builder was known for creating destructor malware that overwrote files and made them unrecoverable — but the new Yashma version finally generates binaries that can encrypt files of all sizes.
Credential-stuffing attacks against online accounts are still popular, and they work thanks to continuing password reuse.
Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required.
Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out.
A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.
Just one day after disclosure, cyberattackers are actively going after the command-injection/code-execution vulnerability in Zyxel’s gear.