The Register

Social engineering: 'low-cost, hard to patch, and scales well'

North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.…

Fortune 500 companies and one US defense contractor got taken for $5m in four-year scam

Two Americans have been jailed for a combined 200 months for helping North Korea generate $5 million through fraudulent IT worker schemes.…

Forged metadata made AI reviewer treat hostile changes as though they came from known maintainer

Security boffins say Anthropic's Claude can be tricked into approving malicious code with just two Git commands by spoofing a trusted developer's identity.…

Publisher claims misconfigured Salesforce-hosted page leaked data

Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild.…

Just migrate already, would you? But if you can't, Redmond will take your cash

Microsoft will keep delivering security updates for old versions of Exchange Server and Skype for Business Server, after admitting that some customers aren't ready to make the move to newer products.…

Your cybersecurity is only as good as the physical security of the servers

PWNED  Welcome back to Pwned, the column where we immortalize the worst vulns that organizations opened up for themselves. If you’re the kind of person who leaves your car doors unlocked with a pile of cash in the center console, this week’s story is for you.…

Browser fingerprinting is everywhere

Google markets its Chrome browser by citing its superior safety features, but according to privacy consultant Alexander Hanff, Chrome does not protect against browser fingerprinting – a method of tracking people online by capturing technical details about their browser.…

Like the majority of the companies participating, it remains a mystery

Last week, Anthropic surprised the world by declaring that its latest model, Mythos, is so good at finding vulns that it would create chaos if released. Now, under the title of Project Glasswing, over 50 selected companies and orgs are allowed to test the hyped up LLM to find security holes in their own products. But just how many problems have they really discovered?…

No reports of active exploitation (yet)

Watch out for more Fortinet vulns! Two critical bugs in Fortinet's sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems.…

Some customer orgs tell staff to block inbound email from the provider

Autovista confirms that it called in outside support to help clean up a ransomware infection currently affecting systems in Europe and Australia.…

Latest in a string of cases that have earned France an unfortunate title

A mother and her ten-year-old son are now free after being kidnapped for around 20 hours while the father was being extorted for hundreds of thousands of euros.…

Vuln old enough to drive lands on CISA's exploited list

While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.…

Command prefix will require password by default

The latest version of Raspberry Pi OS now requires a password for sudo by default.…

Open Rights Group says years of reliance on US giants have left Britain exposed

Britain has spent years wiring its public sector into US Big Tech, and a new report says that dependence could quickly become a national security headache.…

Researchers who found the flaws scored beer money bounties and warn the problem is probably pervasive

Exclusive  Security researchers hijacked three popular AI agents that integrate with GitHub Actions by using a new type of prompt injection attack to steal API keys and access tokens, and the vendors who run agents didn’t disclose the problem.…

The company's new software keeps an eye on your agents and backs up data.

Keep your agents close and your agent-monitoring software closer. Commvault’s new AI Protect can discover and monitor AI agents running inside AWS, Azure, and GCP environments and even roll back their actions when something goes wrong.…

One CVE under attack, one already disclosed by angry bug hunter, and 163 more

Attackers exploited a spoofing vulnerability in Microsoft SharePoint Server before Redmond issued a fix as part of April's mega Patch Tuesday.…

Honey, the skids are fighting again

Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit.…

One was patched almost 14 years ago

Crooks are exploiting four Microsoft vulnerabilities - one patched 14 years ago and another tied to ransomware activity - according to America's lead cyber-defense agency, which on Monday gave federal agencies two weeks to patch them.…

Google Sites lure leads to bogus root certificate

Imagine getting asked to do something by a person in authority. An unknown malware slinger targeting open source software developers via Slack impersonated a real Linux Foundation official and used pages hosted on Google.com to steal developers' credentials and take over their systems.…