Zero-Click Zoom Bug Allows Code Execution by Sending a Message | 'There's No Ceiling': Ransomware's Alarming Growth Rate

Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required. [TechWeb]( Follow Dark Reading: [RSS]( May 26, 2022 LATEST SECURITY NEWS & COMMENTARY [Zero-Click Zoom Bug Allows Code Execution Just by Sending a Message]( Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required. [VMware, Airline Targeted as Ransomware Chaos Reigns]( Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain. ['There's No Ceiling': Ransomware's Alarming Growth Signals a New Era, Verizon DBIR Finds]( Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out. [Partial Patching Still Provides Strong Protection Against APTs]( Organizations that deploy updates only after a vulnerability is disclosed apply far fewer updates and do so at a lower cost than those that stay up to date on all of their software, university researchers say. [Majority of Kubernetes API Servers Exposed to the Public Internet]( Shadowserver Foundation researchers find 380,000 open Kubernetes API servers. [Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021]( But there was a substantial drop in the overall number of critical vulnerabilities that the company disclosed last year, new analysis shows. [DDoS Extortion Attack Flagged as Possible REvil Resurgence]( A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang. [Interpol's Massive 'Operation Delilah' Nabs BEC Bigwig]( A sprawling, multiyear operation nabs a suspected SilverTerrier BEC group ringleader, exposing a massive attack infrastructure and sapping the group of a bit of its strength. [After the Okta Breach, Diversify Your Sources of Truth]( What subsequent protections do you have in place when your first line of defense goes down? [6 Scary Tactics Used in Mobile App Attacks]( Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene. [Spring Cleaning Checklist for Keeping Your Devices Safe at Work]( Implement zero-trust policies for greater control, use BYOD management tools, and take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees' devices secure. [Industry 4.0 Points Up Need for Improved Security for Manufacturers]( With manufacturing ranking as the fourth most targeted sector, manufacturers that understand their exposure will be able to build the necessary security maturity. [Crypto Hacks Aren't a Niche Concern; They Impact Wider Society]( Million-dollar crypto heists are becoming more common as the currency starts to go mainstream; prevention and enforcement haven't kept pace. [Authentication Is Static, Yet Attackers Are Dynamic: Filling the Critical Gap]( To succeed against dynamic cybercriminals, organizations must go multiple steps further and build a learning system that evolves over time to keep up with attacker tactics. [MORE NEWS /]( [MORE COMMENTARY]( HOT TOPICS [DeFi Is Getting Pummeled by Cybercriminals]( Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say. [Pro-Russian Information Operations Escalate in Ukraine War]( In the three months since the war started, Russian operatives and those allied with the nation's interests have unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine, security vendor says. [Why the Employee Experience Is Cyber Resilience]( A culture of trust, combined with tools designed around employee experience, can work in tandem to help organizations become more resilient and secure. [MORE]( EDITORS' CHOICE [Malicious Python Repository Package Drops Cobalt Strike on Windows, macOS & Linux Systems]( The PyPI "pymafka" package is the latest example of growing attacker interest in abusing widely used open source software repositories. LATEST FROM THE EDGE [New Connecticut Privacy Law Makes Path to Compliance More Complex]( As states address privacy with ad-hoc laws, corporate compliance teams try to balance yet another set of similar but diverging requirements. LATEST FROM DR TECHNOLOGY [DBIR Makes a Case for Passwordless]( Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks. Tech Resources - [Incorporating a Prevention Mindset into Threat Detection and Response]( - [The Case for Cyber Risk Management Platforms]( - [Securely Work From Anywhere With the Fortinet Security Fabric]( - [Five Keys to a Secure Work-From-Anywhere Solution]( - [Creating a Regulatory Compliant Medical Device Vulnerability Management Program]( - [The Top 10 API Vulnerabilities]( - [BotGuard for Streaming Service Case Study]( [ACCESS TECH LIBRARY NOW]( - [Outsourcing Cybersecurity: A Decision Maker's Guide]( When it comes to cybersecurity, very few enterprises have all the skills and resources they need on staff. On today's market, your enterprise can outsource a wide variety of cyber tasks, from penetration testing to security monitoring to incident response. ... - [The Value Drivers of Attack Surface Management, Revealed]( The value of modern ASM extends beyond the security benefits. It can save money as well through prevention, lower cyber insurance costs, lower human effort, and higher operational efficiency. Join to find out how modern attack surfaces have changed, why ... [MORE WEBINARS]( FEATURED REPORTS - [Practical Network Security Approaches for a Multicloud, Hybrid IT World]( The report covers areas enterprises should focus on for their multicloud/hybrid cloud security strategy: -increase visibility over the environment -learning cloud-specific skills -relying on established security frameworks -re-architecting the network - [Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal]( With attacks and breaches on the rise, enterprise security teams need full visibility over what they have in their network. DNS is a key tool for visibility and asset discovery. Proactive DNS-layer security - such as using DNS data to ... [MORE REPORTS]( CURRENT ISSUE [Incorporating a Prevention Mindset into Threat Detection and Response]( [DOWNLOAD THIS ISSUE]( [SUBSCRIBE NOW]( [BACK ISSUES]( | [MUST READS]( | [TECH DIGEST]( PRODUCTS & RELEASES [Forescout Launches Forescout Frontline to Help Organizations Tackle Ransomware and Real Time Threats]( [JFrog Launches Project Pyrsia to Help Prevent Software Supply Chain Attacks]( [Mastercard Launches Cybersecurity “Experience Centre”]( [Qualys to Unveil VMDR 2.0 at Qualys Security Conference in San Francisco]( [Corelight Announces New SaaS Platform for Threat Hunting]( [Cybersecurity-Focused SYN Ventures Closes $300 Million Fund II]( [Vishing Attacks Reach All Time High, According to Latest Agari and PhishLabs Report]( [XM Cyber Adds New Security Capability for Microsoft Active Directory]( [Netskope Expands Data Protection Capabilities to Endpoint Devices and Private Apps]( [Nisos Announces $15 Million in Series B Funding Round]( [MORE PRODUCTS & RELEASES]( Dark Reading Weekly -- Published By [Dark Reading]( Informa Tech Holdings LLC | Registered in the United States with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA To update your profile, change your e-mail address, or unsubscribe, [click here.]( To opt-out of any future Dark Reading Weekly Newsletter emails, please respond [here.]( Thoughts about this newsletter? [Give us feedback.](mailto:customerservice_informationhub@techweb.com) Keep This Newsletter Out Of Your SPAM Folder Don't let future editions go missing. Take a moment to add the newsletter's address to your anti-spam white list: If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. We take your privacy very seriously. Please review our [Privacy Statement.]( [© 2022]( | [Informa Tech]( | [Privacy Statement]( | [Terms & Conditions]( | [Contact Us](mailto:customerservice_informationhub@techweb.com)