Cybersecurity

Findings undercut pledges of NSO Group and Intgellexa their wares won't be abused.

The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates.

Novel attack vectors leverage the CVE-2023-22527 RCE flaw discovered in January, which is still under active attack, to turn targeted cloud environments into cryptomining networks.

Google has more than doubled payouts for Google Chrome security flaws reported through its Vulnerability Reward Program, with the maximum possible reward for a single bug now exceeding $250,000.

The company has assessed four of the five disclosed vulnerabilities as being of high to critical severity.

International sanctions, IT isolation, and shifting attitudes to ethical hacking have bug bounty programs on the rise in Russia, with zero-day acquisition companies potentially poised to profit.

Vulnerability is easy to exploit and allows attackers to remotely execute commands.

Source.

A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.

The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.

Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.