August 06, 2024

LATEST SECURITY NEWS & COMMENTARY

Critical Apache OFBiz Vulnerability Allows Preauth RCE
The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers.
Sophisticated Android Spyware Targets Users in Russia
Researchers say "LianSpy" malware has been in use in a covert data gathering operation that's gone undetected for at least three years.
20K Ubiquiti IoT Cameras & Routers Are Sitting Ducks for Hackers
In the cloud, patches disseminate automatically. On your computer, you get notified. IoT devices, meanwhile, can escape attention for years on end.
China's Evasive Panda Attacks ISP to Send Malicious Software Updates
The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.
Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on an Audi Q7 Quattro SUV.
FTC Slams TikTok With Lawsuit After Continued COPPA Violations
Though TikTok is expected to adhere to certain COPPA-outlined measures, the social media giant has failed to meet those expectations, the Feds allege.
Protect Data Differently for a Different World
Adopting a military mindset toward cybersecurity means the industry moves beyond the current network protection strategies and toward a data-centric security approach.
How Regional Regulations Shape Global Cybersecurity Culture
Ultimately, a more cyber-secure world requires a global governing body to regulate and campaign for cybersecurity, with consistent regulatory requirements in the various regions around the world.

HOT TOPICS

Attacks on Bytecode Interpreters Conceal Malicious Injection Activity
By injecting malicious bytecode into interpreters for VBScript, Python, and Lua, researchers found they can circumvent malicious code detection.
Disney, Nike, IBM Signatures Anchor 3M Fake Emails a Day
A simple toggle in Proofpoint's email service allowed for brand impersonation at an industrial scale. It prompts the question: Are secure email gateways (SEGs) secure enough?
Implementing Identity Continuity With the NIST Cybersecurity Framework
Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.
Is the US Federal Government Increasing Cyber-Risk Through Monoculture?
In a monoculture, cybercriminals need to look for a weakness in only one product, or discover an exploitable vulnerability, to affect a significant portion of services.

PRODUCTS & RELEASES

- AI-Driven Executive Impersonations Emerge As Significant Threat to Business Payment Processes
- ESET Reveals Latest Cloud-Native Authentication Solution
- Protect AI Acquires SydeLabs to Red Team Large Language Models

EDITORS' CHOICE

Fortune 50 Co. Pays Record-Breaking $75M Ransomware Demand
The runaway success of an upstart ransomware outfit called "Dark Angels" may well influence the cyberattack landscape for years to come.

LATEST FROM THE EDGE

Name That Edge Toon: Pointing Fingers
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

LATEST FROM DR TECHNOLOGY

Startup Spotlight: LeakSignal Helps Plug Leaky Data in Organizations
Cybersecurity startup LeakSignal, a finalist in this year's Black Hat USA Startup Spotlight competition, helps organizations see where data is leaking within their environments.

LATEST FROM DR GLOBAL

China's APT41 Targets Taiwan Research Institute for Cyber Espionage
The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.

WEBINARS

- The Rise of AI-Powered Malware and Application Security Best Practices
- CISO Perspectives: How to make AI an Accelerator, Not a Blocker

WHITE PAPERS

- How to Use Threat Intelligence to Mitigate Third-Party Risk
- Ten Elements of Insider Risk in Highly Regulated Industries
- 5 Critical Controls for World-Class OT Cybersecurity
- IT Risk & Compliance Platforms: A Buyer's Guide
- State of Enterprise Cloud Security
- Google Threat Intelligence
- A Year in Review of Zero-Days Exploited In-the-Wild in 2023

FEATURED REPORTS

- Managing Third-Party Risk Through Situational Awareness
- 2024 InformationWeek US IT Salary Report

Dark Reading Daily
-- Published By Dark Reading
Informa Tech Holdings LLC | Registered in the United States
with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA