The new Necro Python exploit targets Visual Tool DVRs used in surveillance systems.

https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/

A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.

https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/

Sounil Yu, CISO at JupiterOne, discusses software bills of materials (SBOMs) and the need for a shift in thinking about securing software supply chains.

https://threatpost.com/mandate-zero-trust-software-supply-chains/175333/

Cybercriminals exploited bugs in the world’s largest digital-goods marketplace to create malicious artwork offered as a perk to unsuspecting users.

https://threatpost.com/opensea-nfts-cryptowallet-balances/175453/

The previously unknown SnapMC group exploits unpatched VPNs and webserver apps to breach systems and carry out quick-hit extortion in less time than it takes to order a pizza.

https://threatpost.com/rapid-attacks-extort-ransomware/175445/

Microsoft’s October 2021 Patch Tuesday included security fixes for 74 vulnerabilities, one of which is a zero-day being used to deliver the MysterySnail RAT to Windows servers.

https://threatpost.com/microsoft-patch-tuesday-bug-exploited-mysterysnail-espionage-campaign/175431/

The cyberattacks, linked to a Chinese-speaking APT, deliver the new MysterySnail RAT malware to Windows servers.

https://threatpost.com/windows-zero-day-exploited-espionage/175432/

The bug is under attack. Within hours of the patch release, a researcher published POC code, calling it a “great” flaw that can be used for jailbreaks and local privilege escalation.

https://threatpost.com/apple-urgent-ios-updates-zero-day/175419/

The possible cyberattacks include disabling monitoring, location-tracking of children and malicious redirects of parent-console users.

https://threatpost.com/canopy-parental-control-app-unpatched-xss-bugs/175384/

Three security vulnerabilities in Axis video products could open up the door to a bevy of different cyberattacks on businesses.

https://threatpost.com/ip-surveillance-bugs-axis-rce-data-theft/175350/

The open-source project has rolled out a security fix for CVE-2021-41773, for which public cyberattack exploit code is circulating.

https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/

Joseph Carson, Chief Security Scientist at ThycoticCentrify, offers a 7-step practical IR checklist for ensuring a swift recovery from a cyberattack.

https://threatpost.com/incident-response-plan-security-disaster/175335/

Coinbase suspects phishing led to attackers getting personal details needed to access wallets but also blamed a flaw in its SMS-based 2FA.

https://threatpost.com/mfa-glitch-coinbase-customers-robbery/175290/

First appearing in March, the group has been leveraging ProxyShell against targets in 10 countries and employs a variety of malware to steal data from compromised networks.

https://threatpost.com/apt-chamelgang-targets-russian-energy-aviation/175272/

This is the second pair of zero days that Google’s fixed this month, all four of which have been actively exploited in the wild.

https://threatpost.com/google-emergency-update-chrome-zero-days/175266/

Jason Kent, hacker-in-residence at Cequence Security, discusses how to track user-agent connections to mobile and desktop APIs, to spot malicious activity.

https://threatpost.com/unmasking-ghoulish-api-behavior/175253/

Researchers have demonstrated that someone could use a stolen, unlocked iPhone to pay for thousands of dollars of goods or services, no authentication needed.

https://threatpost.com/apple-pay-visa-hacked-unlocked-iphones/175229/

Certificate misconfigurations of the EAP protocol in Eduroam (and likely other networks globally) threaten Android and Windows users.

https://threatpost.com/misconfiguration-university-wifi-login-credentials/175157/

The NSA and CISA issued recommendations on choosing and hardening VPNs to prevent nation-state APTs from weaponizing flaws & CVEs to break into protected networks.

https://threatpost.com/vpns-nsa-cisa-guidance/175150/

Apple’s personal item-tracker devices can be used to deliver malware, slurp credentials, steal tokens and more thanks to XSS.

https://threatpost.com/apple-airtag-zero-day-trackers/175143/