"Owowa" stealthily lurks on IIS servers, waiting to harvest successful logins when an Outlook Web Access (OWA) authentication request is made. [...]

SAP’s still feverishly working to patch another 12 apps vulnerable to the Log4Shell flaw, while its Patch Tuesday release includes 21 other fixes, some rated at 9.9 criticality. [...]

Not only is the jaw-dropping flaw in the Apache Log4j logging library ubiquitous; Apache’s blanket of a quickly baked patch for Log4Shell also has holes. [...]

Sounil Yu, CISO at JupiterOne, discusses the growing mesh of integrations between SaaS applications, which enables automated business workflows - and rampant lateral movement by attackers, well outside IT's purview. [...]

December's Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities. [...]

The new campaign masqueraded as an Orange Telecom account management app to deliver the latest iteration of Anubis banking malware. [...]

An exclusive roundtable of security researchers discuss the specific implications of CVE-2021-44228 for smaller businesses, including what's vulnerable, what an attack looks like and to how to remediate. [...]

Podcast: Cybereason shares details about its vaccine: a fast shot in the arm released within hours of the Apache Log4j zero-day horror show being disclosed. [...]

Analysts find at least 10 Linux botnets actively exploiting Log4Shell flaw. [...]

The cybersecurity Hiroshima of the year – the Apache Log4j logging library exploit – has spun off 60 bigger mutations in less than a day, researchers said. [...]

Malicious email attachments with macros are one of the most common ways hackers get in through the door. Huntress security researcher John Hammond discusses how threat hunters can fight back. [...]

Scammers are using fake job listings to empty the wallets of young, hopeful victims looking to break into the gaming industry. [...]

The Log4Shell vulnerability critically threatens anybody using the popular open-source Apache Struts framework and could lead to a “Mini internet meltdown soonish.” [...]

Cyberattackers are targeting security vulnerabilities in four plugins plus Epsilon themes, to assign themselves administrative accounts. [...]

The threat group, first identified in June, focuses solely on data exfiltration and subsequent extortion, and has already targeted 40 victims since September. [...]

E-commerce's proverbial Who-ville is under siege, with a rise in bots bent on ruining gift cards and snapping up coveted gifts for outrageously priced resale. [...]

The powerful devices leveraged by the Meris botnet have weaknesses that make them easy to exploit, yet complex for organizations to track and secure, researchers said. [...]

The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases. [...]

Attackers are milking unpatched Hikvision video systems to drop a DDoS botnet, researchers warned. [...]

DoH! Nate Warfield, CTO of Prevailion, discusses new stealth tactics threat actors are using for C2, including Malleable C2 from Cobalt Strike's arsenal. [...]

Unauthenticated, remote attackers can achieve root-level RCE on SMA 100-series appliances. [...]

The flaws, which could enable attackers to disable security and gain kernel-level privileges, affect Amazon WorkSpaces and other cloud services that use USB over Ethernet. [...]

The botnet, which resurfaced last month on the back of TrickBot, can now directly install Cobalt Strike on infected devices, giving threat actors direct access to targets. [...]

There's an argument injection weakness in the Windows 10/11 default handler, researchers said: an issue that Microsoft has only partially fixed. [...]

Underground arbitration system settles disputes between cybercriminals. [...]