- 1. Apple Releases iOS 15.2.1 and iPadOS 15.2.1
iOS 15.2.1 and iPadOS 15.2.1, released 1/12/22, address a HomeKit vulnerability (CVE-2022-22588).
- 2. doorLock - Persistent Denial of Service Vulnerability Affecting iOS 15.2-14.7
A persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit.
It could be triggered by changing a HomeKit device's name to a string longer than 500,000 characters. According to Trevor Spiniolas, who uncovered the flaw, once the string is loaded, iOS and iPadOS will reboot and become unusable.
- 3. Take Immediate Actions to Secure QNAP NAS
Attackers are still targeting NAS devices. QNAP publishes steps to secure their NAS devices.
Repeat after me: I solemnly swear not to expose NAS to the Internet.
- 4. QNAP NAS devices hit in surge of ech0raix ransomware attacks
Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt.
- 5. Storage Devices of Major Vendors Impacted by Encryption Software Flaws
Storage devices manufactured by various vendors are reportedly affected by two vulnerabilities (CVE-2021-36750 and CVE-2021-36751) that were uncovered in third-party encryption software used by all the manufacturers and could be exploited to conduct brute-force attacks and obtain users' passwords. Potential for brute forcing accounts. Requires local access.
- 6. Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries
Researchers say that after conducting a study of 16 different Uniform Resource Locator (URL) parsing libraries, they found that those libraries contained "inconsistencies and confusions" that could be exploited by attackers to bypass validations and create a variety of attack vectors.
- 7. Uber ignores vulnerability that lets you send any email from Uber.com
A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber.
The vulnerability is in one of Uber's servers that isn't properly sanitizing input, rather than in their email servers.
- 8. Apache Maven Central serves millions of old Log4j versions
Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz.
Make sure your development and CI processes are using up-to-date libraries. Don't wait to qualify new versions.
- 9. Log4j 2.17.1 out now, fixes new remote code execution bug
Apache has released another Log4j version, 2.17.1, fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832. Apache is urging customers to upgrade as soon as possible to prevent exploitation. According to reports, the moderate-severity issue results from a lack of additional controls on JNDI access in Log4j.
- 10. LastPass users warned their master passwords are compromised
Credential stuffing attacks, where credentials are obtained from third-party breaches unrelated to LastPass, result in valid credentials being used from unusual locations, which are blocked.
Use unique passwords and enable MFA...
- 11. T-Mobile says new data breach caused by SIM swap attacks
T-Mobile has been the victim of multiple data breaches over the last four years; users should remain vigilant.
- 12. Photography site Shutterfly is dealing with a ransomware attack – CyberScoop
Shutterfly said on Dec. 26 that it was hit by a ransomware attack that struck portions of its network and interrupted elements of its Groovebook app, Lifetouch and BorrowLenses business, manufacturing operations, and some internal systems.
- 13. Bluetooth reboot of pre-school play phone has privacy flaw
Fisher Price's Bluetooth reboot of the pre-school play phone has an adult privacy flaw: the 'Chatter' can be bugged thanks to kindergarten-grade security.
- 14. UK minister includes Russia, China among ‘hostile nations’
U.K. Minister of State for Security and Borders Damian Hinds has accused China, Iran, and Russia of conducting disinformation campaigns and of hostile activity in various forms: spies on the ground, cyber attacks, soldiers on standby, and disinformation operations.
- 15. New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking