Security

Russia's Hack Wasn't Cyberwar. That Complicates US Strategy

posted on December 21, 2020
by l33tdawg
Credit: Wired

The list of US government agencies compromised in the SolarWinds hack continues to expand, with reports of infiltrations at Treasury, Commerce, Homeland Security, and potentially State, Defense, and the CDC. This is a big deal for national security: It is the largest known data breach of US government information since the Office of Personnel Management hack in 2014, and could give hackers a trove of inside information.

Russia's FireEye Hack Is a Statement—but Not a Catastrophe

posted on December 9, 2020
by l33tdawg
Credit: Wired

FireEye has built its reputation on defending high-stakes clients from hackers. Today, the cybersecurity firm acknowledged that it had itself been the victim of a breach—and that the attackers made off with some of its offensive tools. It's a startling admission but almost certainly not as devastating as it may first sound.

VMware rolls out security updates to address zero-day bug

posted on December 8, 2020
by l33tdawg
Credit: computing.co.uk

VMware has rolled out security updates to address a zero-day vulnerability that impacts VMware Workspace One Access and other platforms for both Windows and Linux systems.

The bug, indexed as CVE-2020-4006, was publicly disclosed last month and VMware warned that it could allow an attacker to take control of a vulnerable system. The company also published workaround instructions to help admins mitigate the flaw on affected systems.

Spotify resets up to 350,000 passwords linked to third-party data leak

posted on November 25, 2020
by l33tdawg
Credit: Engadget

Spotify has reportedly begun resetting the passwords of up to 350,000 accounts that were breached as the result of a credential-stuffing attack. A company called vpnMentor, as found by ZDNet, says that it discovered a treasure trove of hacked account data available online. This information was used by some nefarious types to gain access to the streaming music platform and generally cause havoc. ZDNet says that the company has now begun

How one security researcher is working to secure vulnerable IoT devices

posted on November 25, 2020
by l33tdawg
Credit: Flickr

Device manufacturers were quick to capitalize on the rise of the Internet of Things (IoT) and the possibilities of what could be accomplished if so-called smart devices were able to communicate with one another. However, as they worked to bring these devices to market quickly, many hardware makers failed to secure them properly by doing things such as not actively encouraging users to change the default credentials of their devices.

This Bluetooth Attack Can Steal a Tesla Model X in Minutes

posted on November 25, 2020
by l33tdawg
Credit: Wired

Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update: A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.