Lifeboat Foundation

Microsoft Azure Bastion and Azure Container Registry have each been found to have one potentially “dangerous” security flaw that, if taken advantage of, may have resulted in a cross-site scripting (XSS) attack being carried out on the affected service. XSS attacks take occur when threat actors insert arbitrary code into a website that would otherwise be trusted. This code is then run each time visitors who are not aware of the attack visit the website.

Both of the vulnerabilities that Orca found take use of a vulnerability in the postMessage iframe, which makes it possible for Window objects to communicate with one another across domains. The vulnerabilities allowed for illegal access to the victim’s session inside the compromised Azure service iframe. This may result in serious repercussions, such as unauthorized data access, unauthorized alterations, and interruption of the Azure services iframes, among other things. This meant that the vulnerability could be exploited to embed endpoints into remote servers by utilizing the iframe element. This would eventually result in the execution of malicious JavaScript code, which would compromise sensitive data.

However, in order to take advantage of these vulnerabilities, a threat actor would first need to undertake reconnaissance on various Azure services in order to identify vulnerable endpoints contained inside the Azure interface. These endpoints may be missing X-Frame-Options headers or have Content Security Policies (CSPs) that are inadequate.

Join us on Wednesday, June 21 at noon Pacific for the DIY Picosatellites Hack Chat with Nathaniel Evry!

Building a satellite and putting it in orbit was until very recently something only a nation had the resources to accomplish, and even then only a select few. Oh sure, there were a few amateur satellites that somehow managed to get built on a shoestring budget and hitch a ride into space, and while their stories are deservedly the stuff of legends, satellite construction took a very long time to be democratized.

Fast forward a half-dozen or so decades, and things have changed dramatically. Satellite launches are still complex affairs — it’s still rocket science, after all — but the advent of the CubeSat format and the increased tempo of launches, both national and commercial, has pushed the barriers to private, low-budget launches way, way down. So much so, in fact, that the phrase “space startup” is no longer something to snicker about.

After Russian hackers destroyed Viasat satellite ground receivers spanning Europe, SpaceX provided coverage via Starlink, its Lower Earth Orbit satellite constellation, and soon began noticing cyberattacks and software interferences. Now, a year later, the U.S. Department of Defense announced Russia is still attempting to complicate connections within the satellite constellation and others like it.

Documents were leaked by U.S. National Guard airman Ryan Teixeira, as reported by The Washington Post back in April of 2023. Ukraine has also stated it is experiencing similar security issues.

“Russia’s quest to sabotage Ukrainian forces’ internet access by targeting the Starlink satellite operations that billionaire Elon Musk has provided to Kyiv since the war’s earliest days appear to be more advanced than previously known, according to a classified U.S. intelligence report.”

There’s no shortage of emerging applications and projects that promise increased productivity, new levels of automation, and cutting-edge innovation. But all too often, AI initiatives within the enterprise fail to get off the ground, and there can be vast and costly unintended consequences when this technology is applied to the wrong use cases or falls into the wrong hands.

In the case of cyber defense, widespread accessibility to generative AI tools, as well as the increasing sophistication of nation-state actors, means that threats are more personalized and convincing than ever. In an era of algorithms fighting algorithms, human defenders must effectively team up with AI to build cyber resiliency and prevent business disruption.

Presented by expert stakeholders from industry, academia, and government, this event is designed to offer practical guidance for security teams to cut through the noise and unleash the power of AI responsibly and effectively.

The unholy union of SEO spam and AI-generated muck is here. And at the same time, reality, unfortunately, might be going right out the door.

Much like artificial intelligence, quantum computing has the potential to transform many industries. But a cybersecurity threat looms large.

Updated: A flaw in the SS7 protocol made hacking Facebook accounts easier than you’d think. #woops

A hacking group believed to be behind a cybercrime spree in 2021 is once again involved in an active hacking campaign targeting a file transfer tool that could lead to a wave of data breaches, according to US cybersecurity officials.

The hacking group, named “CL0P,” is targeting a file transfer tool called MOVEit that belongs to Progress Software Corp., according to a joint advisory by the Cybersecurity and Infrastructure Security Agency and FBI on June 7.

Officials say CL0P has been attempting to steal data belonging to MOVEit clients since at least May 27. A confirmed victim includes Zellis, a UK-based payroll services provider whose clients include British Airways and the BBC, reports Law360.

In the digital age, SaaS businesses have started embracing transformative technologies, such as Artificial intelligence (AI) and cloud computing. According to a research firm, the market for artificial intelligence (AI) is nearly 100 billion USD, which is expected to grow twentyfold by 2030, up to almost 2 trillion USD.

Although AI promises revolutionary advancements and cloud computing enables efficient storage and processing of massive amounts of data, their rapid adoption also raises concerns about cybersecurity. In 2021, the global cost of cybercrime was estimated to be $6 trillion.