Fileless malware, true to its name, is malicious code that uses existing legitimate programs in a system for compromise. It operates directly in the Random Access Memory (RAM) without requiring any executable files in the hard drive. Differing from conventional malware, fileless attacks are stealthier in nature, falling under the category of low-observable characteristics (LOC) attacks.
CISA, the United States's Cybersecurity and Infrastructure Security Agency, has ordered federal agencies to patch their iPhones against vulnerabilities that can be used as part of a zero-click attack to install spyware from the notorious NSO Group.
Identifying and understanding the most common cloud security risks is crucial to a successful cloud computing adoption strategy. Organizations migrating to the cloud continually face new threats and discover vulnerabilities that were not present when they operated software deployed on-premises. According to IBM’s Cost of a Data Breach report, almost half of all data breaches are happening in the cloud, with attacks on systems hosted on public clouds costing an average of $5.02 million.
A selection of this week’s more interesting vulnerability disclosures and cyber security news. Here we are again with another zero day affecting iMessage…
A new comprehensive study by researchers at RWTH Aachen University in Germany did a study on over 300,000 docker images finding that 8.5% contained API keys and private keys that malicious actors could exploit in the wild.
Numerous U.S.-based companies that operate online have customers from the European Union (EU) or other parts of the European Economic Area (EEA). If your business engages with these customers, it is subject to the EU’s General Data Protection Regulation (GDPR). This extensive data privacy regulation has an impact on many U.S. entities due to its extraterritorial reach.
Under Data Encryption, the CISA Zero Trust Maturity Model v2.0 cites the criticality of “cryptographic agility” on the third (out of four) level of maturity. Cryptographic agility is the ability to change the underlying cryptographic algorithms in applications and communications channels. I believe this highlights the importance for organizations to be able to pivot their encryption algorithms to a post-quantum cryptographic world.
Cybercriminals can't ascertain your phone password just from a Wi-Fi signal, but they can come close according to a method described in a recent research paper. Researchers have demonstrated a method that uses Wi-Fi signals to infer numerical passwords, and the mechanics behind it are nothing short of intriguing. Side-channel attacks often remind me of James Bond-like espionage. So does a research paper that is to appear at ACM CCS later this year.
As the aftermath unfolds, the details around the recent attack on MGM Resorts, providing crucial insight into the attacks impact, who’s responsible, and how it started. On September 11, Las Vegas-based MGM Resorts International reported a cybersecurity “issue” affecting many of the company’s systems.
Four days later, $52 million in lost revenues and counting, a cyber attack on MGM Resorts International, a $14 billion Las Vegas gaming empire with Hollywood-famous hotel spreads like the Bellagio, Cosmopolitan, Excalibur, Luxor, and the MGM Grand itself, had the house brought down by a perfect example of vishing…a 10-minute phone call. Gamblers could not gamble. Guests could not access rooms. Lights went out. Panic set in.
