The Xplora 4 kids smartwatch was shipped with a backdoor that could be activated remotely by an encrypted SMS to take secret screenshots. The manufacturer says the code was mistakenly left in the firmware, and it has issued a patch to remove it.
CISA is warning that sophisticated hacking groups are chaining together vulnerabilities, such as the recent Zerologon bug and other flaws, to target state and local government networks. In some cases, attackers gained access to election support systems.
Microsoft's IoT platform, Azure Sphere, which launched in February, is the company's bet to address the growing security and management problems around connected devices. A three-month bug bounty program for the platform resulted in resolving a number of vulnerabilities and awarding $374,000 in bounties.
Microsoft is warning that hackers with connections to Iran, as well as other threat actors, are attempting to exploit a critical vulnerability in Windows Server dubbed Zerologon, for which it has issued a partial patch.
Eight months after Microsoft issued a critical security update fixing a remote code execution flaw in Exchange Server, more than half of these mail servers in use remain vulnerable to exploits, according to the security firm Rapid7.
Microsoft has issued additional instructions on how to better implement a patch to fix an elevation of privilege vulnerability called Zerologon in Windows Server that affects the Netlogon Remote Protocol. The update comes as Cisco Talos researchers report a spike in attempts to exploit the flaw.
Microsoft and the Cybersecurity and Infrastructure Security Agency have issued warnings that a critical vulnerability in Windows Server dubbed "Zerologon" is being actively exploited in the wild. They urge users to immediately apply an available partial patch.
U.S. government agencies are supposed to have patched the "Zerologon" vulnerability by now, about six weeks after Microsoft issued a patch. But CISA warns that too many agencies' systems remain unpatched.
The hacking group "Pioneer Kitten," which has suspected ties to the Iranian government, is taking advantage of several unpatched vulnerabilities and using open source tools to target U.S. businesses as well as federal government agencies, according to the Cybersecurity and Infrastructure Security Agency.
The U.S. Cybersecurity and Infrastructure Security Agency warns that hacking groups backed by the Chinese Ministry of State Security are exploiting several unpatched vulnerabilities to target federal agencies.
Independent bug hunters who find flaws in products and services often struggle to hand off their vulnerability report to someone in a position to get it fixed, says longtime security researcher Daniel Cuthbert. He describes steps organizations must take to be able to receive - and act on - bug reports.
The security firm Positive Technologies discovered six vulnerabilities in Palo Alto Networks' PAN-OS, the software that runs the company's next-generation firewalls. The firewall developer has issued patches.
In the three years since Equifax suffered a massive data breach, the consumer credit reporting firm says it has worked tirelessly to overhaul the security shortcomings that allowed the breach to happen. Equifax CISO Jamil Farshchi and other security experts weigh in on important lessons learned.
Ransomware continues to pose a "significant" threat, and email remains one of the top attack vectors being used by both criminals and nation-states, Australia's Cyber Security Center warns in its latest "Cyber Threat Report," which urges organizations to improve their defenses.
The U.S. Cybersecurity and Infrastructure Security Agency is ordering most executive branch agencies and departments to create vulnerability disclosure programs by March 2021. Some agencies, such as the Pentagon, already have robust programs in place.