On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products. This week’s story on the Zyxel patch

Patch comes amid active exploitation by ransomware gangs Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerabili

According to experts at the security firm Sucuri, a critical content injection flaw in WordPress recently disclosed has already been exploited to deface thousands of websites. Recently a critical vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw that affects the WordPress REST API. The vulnerability was discover

A new dangerous Zero-day Content Injection vulnerability has been discovered in the WordPress CMS, it affects the WordPress REST API. A new dangerous vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw in the WordPress REST API. The vulnerability discovered by a security researcher at firm Sucuri could be exploite

Your million dollar 0day just got burned and now worth nothing? No worries – we are still interested in your exploit. The value of 0days can range from a few thousands to even a million dollars for a full remote exploit chain and many companies and governments are willing to buy them. The problem with this approach is your exploits are used for attacks

By Andrew Zonenberg @azonenbergCountless movies feature hackers remotely turning offsecurity systems in order to infiltrate buildings without being noticed. Buthow realistic are these depictions? Time to find out.Today we’re releasing information on a critical securityvulnerability in a wireless home security system from SimpliSafe. This system consis

by Ruben Santamarta @reversemodeIn 2014, IOActive disclosed a series of attacks that affect multiple SATCOMdevices, some of which are commonly deployed on vessels. Although there is nodoubt that maritime assets are valuable targets, we cannot limit the attacksurface to those communication devices that vessels, or even large cruise ships,are usually equipped

The government would love to get its hands on a foolproof way to break into the new highly encrypted iPhone. And it looks like some clever hackers just gave it to them. Bug bounty startup Zerodium just announced that a team has figured out how to remotely jailbreak the latest iPhone operating system and will take home a million dollar prize. It’s unclear if

The fallout from the HackingTeam data dump shows no signs of abating. Since the controversial surveillance software maker was hacked and 400 Gb of its data posted online in early July, a handful of zero-day vulnerabilities and exploits were publicly leaked and continue to find their way into the hands of criminal and state-sponsored hacking groups.The latest

Mozilla released a critical security advisory late last week which may have gone unnoticed during all the action at the BlackHat and Defcon conferences. The bug in its flagship browser Firefox is severe because it can allow an attacker to steal files from Windows and Linux users who just happen to visit a website contaminated by a malicious advert. More imp

The Hacking Team debacle has made headlines all week long and sparked a lot of debates over the sale of cyber weapons to various governments, including oppressive regimes. It didn’t take very long for someone to identify a zero-day vulnerability in the Flash Player within the leaked documents. That vulnerability was almost instantly weaponized in explo

Further ReadingAdobe Flash exploit that was leaked by Hacking Team goes wild; patch now!Hours after the 0day was found, it was added to popular exploit kits.If you’re a Moscow-based zero-day exploit seller, all you have to do is e-mail a spyware company like Hacking Team out of the blue. You can go from initial, unsolicited message to getting paid tens o

On June 23rd, security firm FireEye released a report about targeted attacks leveraging a Flash Player zero-day vulnerability (CVE-2015-3113) in Adobe Flash Player up to version 18.0.0.160. The firm stated that some users would receive a phishing email containing a link to a site hosting the zero-day exploit. The announcement went out around the same time as

Yet again, Adobe has released a new patch to fix a critical vulnerability that "could potentially allow an attacker to take control of the affected system," according to the company.Adobe acknowledged that the flaw (CVE-2015-3113) is "being actively exploited in the wild via limited, targeted attacks." Known affected systems run Internet Explorer for Win

And another password shocker, a few days after ‘cloud’ password service LastPass was pretty seriously hacked (yah if you’re using it, change your master password) critical 0-day flaws in Apple’s password storing keychain have been exposed.Which is kinda funny, as after the LastPass hack I saw some people espousing the usage of Apple&#