Threatpost

Monday's CISA advisory is a staunch reminder for federal government and private sector entities to apply patches for flaws in F5 BIG-IP devices, Citrix VPNs, Pulse Secure VPNs and Microsoft Exchange servers.

A misconfigured, Mailfire-owned Elasticsearch server impacted 70 dating and e-commerce sites, exposing PII and details such as romantic preferences.

The flaws are disclosed as Oracle reportedly partners with TikTok as concerns in the U.S. over spying continue.

Close to 2,000 e-commerce sites were infected over the weekend with a payment-card skimmer, maybe the result of a zero-day exploit.

The Russia-linked threat group is harvesting credentials for Microsoft's cloud offering, and targeting mainly election-related organizations.

Attackers check the victims' Office 365 credentials in real time as they are typed into the phishing landing page, by using authentication APIs.

Vulnerability-disclosure policies (VDPs), if done right, can help provide clarity and clear guidelines to both bug-hunters and vendors when it comes to going public with security flaws.

The high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram affects more than 100,000 WordPress websites.

Just months before the U.S. presidential election, hackers from Russia, China and Iran are ramping up phishing and malware attacks against campaign staffers.

A cloud misconfiguration at the gaming-gear merchant potentially exposed 100,000 customers to phishing and fraud.

The "BLURtooth" flaw allows attackers within wireless range to bypass authentication keys and snoop on devices utilizing implementations of Bluetooth 4.0 through 5.0.

Cyberattacks have caused several school systems to delay students' first day back - and experts warn that new COVID-related delays could be the new "snow days."

New opt-in COVID-19 Exposure Notifications Express systems baked into Apple’s iOS and available on Android need privacy guardrails, say privacy advocates.

The Cynet 360 platform is built on three pillars; Extended Detection and Response (XDR), Response Automation, and Managed Detection and Response (MDR).

The Linux-targeted code can steal phone-call metadata, likely in spy campaigns or for use in VoIP fraud.

The malware has popped up in a targeted campaign and a new infection routine.

The September Android security bulletin addressed critical- and high-severity flaws tied to 53 CVEs overall.

Using a legitimate tool called Weave Scope, the cybercrime group is establishing fileless backdoors on targeted Docker and Kubernetes clusters.

Researchers warn of critical vulnerabilities in a third-party industrial component used by top ICS vendors like Rockwell Automation and Siemens.

Malware can take over common device functions as well as creates a phishing page to steal Facebook credentials.