Critical Apache OFBiz Vulnerability Allows Preauth RCE

The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers.

Follow Dark Reading:

August 06, 2024

LATEST SECURITY NEWS & COMMENTARY Critical Apache OFBiz Vulnerability Allows Preauth RCE The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers. Sophisticated Android Spyware Targets Users in Russia Researchers say "LianSpy" malware has been in use in a covert data gathering operation that's gone undetected for at least three years. 20K Ubiquiti IoT Cameras & Routers Are Sitting Ducks for Hackers In the cloud, patches disseminate automatically. On your computer, you get notified. IoT devices, meanwhile, can escape attention for years on end. China's Evasive Panda Attacks ISP to Send Malicious Software Updates The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity. Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on a Audi Q7 Quattro SUV. FTC Slams TikTok With Lawsuit After Continued COPPA Violations Though TikTok is expected to adhere to certain COPPA-outlined measures, the social media giant has failed to meet those expectations, the Feds allege. Protect Data Differently for a Different World Adopting a military mindset toward cybersecurity means the industry moves beyond the current network protection strategies and toward a data-centric security approach. How Regional Regulations Shape Global Cybersecurity Culture Ultimately, a more cyber-secure world requires a global governing body to regulate and campaign for cybersecurity, with consistent regulatory requirements in the various regions around the world. MORE NEWS / MORE COMMENTARY HOT TOPICS Attacks on Bytecode Interpreters Conceal Malicious Injection Activity By injecting malicious bytecode into interpreters for VBScript, Python, and Lua, researchers found they can circumvent malicious code detection. Disney, Nike, IBM Signatures Anchor 3M Fake Emails a Day A simple toggle in Proofpoint's email service allowed for brand impersonation at an industrial scale. It prompts the question: Are secure email gateways (SEGs) secure enough? Implementing Identity Continuity With the NIST Cybersecurity Framework Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages. Is the US Federal Government Increasing Cyber-Risk Through Monoculture? In a monoculture, cybercriminals need to look for a weakness in only one product, or discover an exploitable vulnerability, to affect a significant portion of services. MORE PRODUCTS & RELEASES AI-Driven Executive Impersonations Emerge As Significant Threat to Business Payment Processes ESET Reveals Latest Cloud-Native Authentication Solution Protect AI Acquires SydeLabs to Red Team Large Language Models MORE PRODUCTS & RELEASES EDITORS' CHOICE Fortune 50 Co. Pays Record-Breaking $75M Ransomware Demand The runaway success of an upstart ransomware outfit called "Dark Angels" may well influence the cyberattack landscape for years to come. LATEST FROM THE EDGE Name That Edge Toon: Pointing Fingers Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card. LATEST FROM DR TECHNOLOGY Startup Spotlight: LeakSignal Helps Plug Leaky Data in Organizations Cybersecurity startup LeakSignal, a finalist in this year's Black Hat USA Startup Spotlight competition, helps organizations see where data is leaking within their environments. LATEST FROM DR GLOBAL China's APT41 Targets Taiwan Research Institute for Cyber Espionage The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies. WEBINARS The Rise of AI-Powered Malware and Application Security Best Practices CISO Perspectives: How to make AI an Accelerator, Not a Blocker View More Dark Reading Webinars >> WHITE PAPERS How to Use Threat Intelligence to Mitigate Third-Party Risk Ten Elements of Insider Risk in Highly Regulated Industries 5 Critical Controls for World-Class OT Cybersecurity IT Risk & Compliance Platforms: A Buyer's Guide State of Enterprise Cloud Security Google Threat Intelligence A Year in Review of Zero-Days Exploited In-the-Wild in 2023 View More White Papers >> FEATURED REPORTS Managing Third-Party Risk Through Situational Awareness 2024 InformationWeek US IT Salary Report View More Dark Reading Reports >>

Dark Reading Daily -- Published By Dark Reading Informa Tech Holdings LLC | Registered in the United States with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA To opt-out of any future Dark Reading Daily Newsletter emails, please respond here. Thoughts about this newsletter? Give us feedback. Keep This Newsletter Out Of Your SPAM Folder Don't let future editions go missing. Take a moment to add the newsletter's address to your anti-spam white list: If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. We take your privacy very seriously. Please review our Privacy Statement.

© 2024 | Informa Tech | Privacy Statement | Terms & Conditions | Contact Us