That's a huge security risk.
Hackers publish personal data on thousands of US police officers and federal agents
Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild:
On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin.
We are seeing a high volume of attempts to exploit this vulnerability. The exploits very closely resemble the POC posted by the irresponsible researcher.
We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins. Exploits so far are using a malicious script hosted on a domain, hellofromhony[.]com, which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor.
As continues to be the case, a disgruntled security researcher is putting the WordPress community at risk by publicly disclosing POCs for zero-day vulnerabilities.
The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild.
Please bear in mind that if the only 2FA options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.
I should also note that Google says Android 7.0+ phones also can be used as the Security Key for people who have adopted the company’s super-paranoid Advanced Protection option. This is a far more stringent authentication process for Google properties designed specifically for users who are most likely to be targeted by sophisticated attacks, such as journalists, activists, business leaders and political campaigns.
I’ve had Advanced Protection turned on since shortly after Google made it available. It wasn’t terribly difficult to set up, but it’s probably not for your casual user. For one thing, it requires users to enroll two security keys, and in the event the user loses both of those keys, Google may take days to validate your request and grant you access to your account.
PropertyPak offers all types of 2FA mentioned in the article.
Microsoft Office and its vulnerabilities:
In the past few months, MS Office, with a more than 70% share of attacks, became the most targeted platform.
I’m sure that while reading this post, many among you will be thinking: “But it’s all unsecure!”, “it’ll be hacked before you know it!”, or even “there’s no way I’m getting in a car like that!” And you’d be right once, twice, even three times. Just look, for example, at the market for IoT devices: In the race for ever-improved functionality, manufacturers ignore security. But with IoT devices, cybersecurity negligence can lead to loss of data, privacy violations, and bricking of devices. With driverless cars, it can lead to loss of life.
Adi Shamir (the “A” of RSA) has stated a law of computer security: “Cryptography is typically bypassed, not penetrated”. That’s what happened here; AWS’s S3 encryption was bypassed, as it was previously at Verizon and the GOP.
... Access to data is controlled through other data in computer and networking systems, called ‘perimeter defense’, which is itself vulnerable to misconfigurations or breaches.
The list of tools FireEye has identified includes a program called SecHack, designed to pull a target user's passwords and other credentials out of a computer's memory so that they can be repeatedly reused to log in to any machine on the network the victim has access to. It essentially re-creates the functionality of an open source, ultracommon tool known as Mimikatz, which was created in 2011 and designed to similarly suck passwords out of a computer's RAM. Another custom tool FireEye found the Triton hackers using is called NetExec, which mimics the functionality of PSExec, a Windows utility that lets administrators run commands on remote computers across a network.
Hackers frequently use PSExec together with credentials stolen by Mimikatz. The Triton hackers similarly combine their custom SecHack and NetExec tools, using them to hopscotch from machine to machine within a network.
Another handful of tools FireEye is naming in its talk allow the hackers to maintain command-and-control communications with compromised machines via a grab bag of backdoors. Each of those backdoors is based on a different remote command tool: Cryptcat, PLINK, Bitvise and OpenSSH. "They’re introducing a bit of variety," Miller speculates. "That may help them maintain access, especially in the face of detection or incident response."
In addition to those custom tools, FireEye has also detailed a more comprehensive collection of other techniques the Triton hackers used ....
Emotet, Bebloh, and PDF phishing attacks are worrisome for one very good reason. They use sophisticated — ingenious, really — techniques to avoid detection in a sandbox environment. Sandboxing has traditionally been used as a tried-and-true method for protecting users from web-based threats by quarantining malicious content before it reaches a user's device. In the past, this has been enough. Attacks have been detected and then placed into a sandbox environment, where they can be walled off from the network and analyzed for future remediations. Up until now, this strategy has worked well.
However, sandboxing relies on detection. If a threat is able to mask itself, shut itself down, or evade detection in some way, it pretty much has free rein to infect users' devices, enabling it to eventually make its way into the network and critical business systems. And that's a problem.
Currently, the only browsers that disable hyperlink auditing by default and continue to provide ways to disable it are Firefox and Brave.
So far, only Palo Alto Networks has confirmed its GlobalProtect app was vulnerable. The company issued a patch for both its Windows and Mac clients.
Neither Cisco nor Pulse Secure have patched their apps. F5 Networks is said to have known about storing since at least 2013 but advised users to roll out two-factor authentication instead of releasing a patch.
... while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn’t particularly matter in this case as the exploit just requires a user to have the browser on their PC.