Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk | Change Healthcare Targeted in Second Ransomware Attack

Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical." [TechWeb]( Follow Dark Reading: [RSS]( April 11, 2024 LATEST SECURITY NEWS & COMMENTARY [Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk]( Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical." [Round 2: Change Healthcare Targeted in Second Ransomware Attack]( RansomHub, which is speculated to have some connection to ALPHV, has stolen 4TB of sensitive data from the beleaguered healthcare company. [XZ Utils Scare Exposes Hard Truths About Software Security]( Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects. [Home Depot Hammered by Supply Chain Data Breach]( SaaS vendor to blame for exposing employee data that was ultimately leaked on Dark Web forum, according to the home improvement retailer. [Critical Bugs Put Hugging Face AI Platform in a 'Pickle']( One issue would have allowed cross-tenant attacks, and another enabled access to a shared registry for container images; exploitation via an insecure Pickle file showcases emerging risks for AI-as-a-service more broadly. [Top MITRE ATT&CK Techniques and How to Defend Against Them]( A cheat sheet for all of the most common techniques hackers use, and general principles for stopping them. [Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection]( A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations. [NSA Updates Zero-Trust Advice to Reduce Attack Surfaces]( Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users. [Medusa Gang Strikes Again, Hits Nearly 300 Fort Worth Property Owners]( Though a municipal agency assures the public that few are affected, hundreds have their data held ransom for $100,000 by the ransomware gang. [Attack on Consumer Electronics Manufacturer boAt Leaks Data on 7.5M Customers]( In a cyberattack more reminiscent of the 2010s, a seemingly lone hacker fleeced a major corporation for millions of open customer records. [How CISOs Can Make Cybersecurity a Long-Term Priority for Boards]( Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned. [The Fight for Cybersecurity Awareness]( Investing in cybersecurity skills creates a safer digital world for everyone. [How Nation-State DDoS Attacks Impact Us All]( Global organizations and geopolitical entities must adopt new strategies to combat the growing sophistication in attacks that parallel the complexities of our new geopolitical reality. [MORE NEWS /]( [MORE COMMENTARY]( HOT TOPICS [Why Liquid Cooling Systems Threaten Data Center Security & Our Water Supply]( We are potentially encroaching on a water supply crisis if data center operators, utilities, and the government don't implement preventative measures now. [Frameworks, Guidelines & Bounties Alone Won't Defeat Ransomware]( We need more than "do-it-yourself" approaches to threats that clearly rise to the level of national security issues. [White House's Call for Memory Safety Brings Challenges, Changes & Costs]( Improving security in the applications that drive the digital economy is a necessary undertaking, requiring ongoing collaboration between the public and private sectors. [MORE]( PRODUCTS & RELEASES [National Security Agency Announces Dave Luber As Director of Cybersecurity]( [Wiz Acquires Gem Security to Expand Cloud Detection and Response Offering]( [MedSec Launches Cybersecurity Program For Resource-Constrained Hospitals]( [ESET Launches a New Solution for Small Office/Home Office Businesses]( [Action1 Unveils 'School Defense' Program To Help Small Educational Institutions Thwart Cyberattacks]( [Wyden Releases Draft Legislation to End Federal Dependence on Insecure, Proprietary Software]( [MORE PRODUCTS & RELEASES]( EDITORS' CHOICE [CISO Corner: Ivanti's Mea Culpa; World Cup Hack; CISOs & Cyber Awareness]( Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Dealing with a Ramadan cyber spike; funding Internet security; and Microsoft's Azure AI changes. LATEST FROM THE EDGE [Google Gives Gemini a Security Boost]( Google has integrated Mandiant's security offerings into its AI platform to detect, stop, and remediate cybersecurity attacks as quickly as possible. LATEST FROM DR TECHNOLOGY [Ambitious Training Initiative Taps Talents of Blind and Visually Impaired]( Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers. LATEST FROM DR GLOBAL [Solar Spider Spins Up New Malware to Entrap Saudi Arabian Financial Firms]( An ongoing cyberattack campaign with apparent ties to China uses a new version of sophisticated JavaScript remote access Trojan JSOutProx and is now targeting banks in the Middle East. WEBINARS - [Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy]( - [Defending Against Today's Threat Landscape with MDR]( [View More Dark Reading Webinars >>]( WHITE PAPERS - [Application Security's New Mandate in a DevOps World]( - [Making Sense of Your Security Data: The 6 Hardest Problems]( - [The State of Incident Response]( - [Use the 2023 MITRE ATT&CK Evaluation Results for Turla to Inform EDR Buying Decisions]( - [Demystifying Zero Trust in OT]( - [FortiSASE Customer Success Stories - The Benefits of Single Vendor SASE]( - [Fortinet Named a Leader in the Forrester Wave: Zero Trust Edge (ZTE) Solutions]( [View More White Papers >>]( FEATURED REPORTS - [Industrial Networks in the Age of Digitalization]( - [Zero-Trust Adoption Driven by Data Protection]( - [How Enterprises Assess Their Cyber-Risk]( [View More Dark Reading Reports >>]( Dark Reading Weekly -- Published By [Dark Reading]( Informa Tech Holdings LLC | Registered in the United States with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA To opt-out of any future Dark Reading Weekly Newsletter emails, please respond [here.]( Thoughts about this newsletter? [Give us feedback.](mailto:ContactDarkReading@informa.com) Keep This Newsletter Out Of Your SPAM Folder Don't let future editions go missing. Take a moment to add the newsletter's address to your anti-spam white list: /cdn-cgi/l/email-protection?sp_aid=122773&elq_cid=22844169&sp_eh=9ec2e0353644c03ce56099bfb161a49d1f8a5a22f0d884f0cd961b89d205d529&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Weekly_04.11.24&sp_cid=52968&utm_content=DR_NL_Dark%20Reading%20Weekly_04.11.24&sp_eh=9ec2e0353644c03ce56099bfb161a49d1f8a5a22f0d884f0cd961b89d205d529#a7 If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. We take your privacy very seriously. Please review our [Privacy Statement.]( [© 2024]( | [Informa Tech]( | [Privacy Statement]( | [Terms & Conditions]( | [Contact Us](mailto:ContactDarkReading@informa.com)