According to security researchers at Defiant, a critical vulnerability in the WPML multilingual plugin for WordPress could expose over one million websites to remote code execution (RCE).  Tracked as CVE-2024-6386 (CVSS score of 9.9), the bug could be exploited by an attacker with contributor-level permissions.  The researchers noted that WPML relies on Twig templates for shortcode content rendering but does not properly sanitize input, which results in a server-side template injection (SSTI).

By aekwall 

Software solutions provider Young Consulting recently notified over 950,000 individuals that their personal information was compromised in a data breach earlier this year.  The incident was discovered on April 13, when the company "became aware of technical difficulties" within its environment.

The US Department of State recently announced a $2.5 million reward for information leading to the arrest of a Belarusian national allegedly involved in the mass distribution of malware.  Volodymyr Kadariya, 38, a Belarussian and Ukrainian national, reportedly participated in a “significant malware organization” that distributed the Angler Exploit Kit and other malware to the computers of millions of victims.

In a study titled "Towards Antifragility of Cloud Systems: An Adaptive Chaos Driven Framework," researchers used different strategies to show how stress can bolster the security of cloud computing systems. They applied "chaos engineering" and adaptive strategies to help the cloud computing system learn from faults and cyberattacks. This article continues to discuss the use of chaos engineering to decrease the vulnerability of cloud computing to cyberattacks.

Lumen Technologies found the Chinese Advanced Persistent Threat (APT) group "Volt Typhoon" exploiting a new zero-day in Versa Director servers to steal credentials and break into downstream customers' networks. The vulnerability was recently added to the US Cybersecurity and Infrastructure Security Agency's (CISA) must-patch list after Versa Networks confirmed the zero-day exploitation, warning that the Versa Director Graphical User Interface (GUI) could be hacked to plant malware on affected devices.

An Apple macOS version of a backdoor named "HZ RAT" targets users of Chinese instant messaging apps such as DingTalk and WeChat. The artifacts almost replicate the functionality of the Windows version of the backdoor, with the only difference being the payload, which is received from the attackers' server in the form of shell scripts.

Park'N Fly recently announced that a data breach exposed the personal and account information of 1 million customers in Canada after hackers breached its network.  The threat actors breached the Park'N Fly networks through stolen VPN credentials in mid-July and stole data from the company.  On August 1, the company determined that customer information was also accessed during the attack.

Cybersecurity researcher Johann Rehberger has disclosed a vulnerability he found in Microsoft 365 Copilot that allows attackers to steal users' sensitive information. According to Rehberger, the exploitation of this flaw involves several advanced techniques, including prompt injection, automatic tool invocation, and ASCII smuggling. The attack starts with a prompt injection through a malicious email or shared document. This injection prompts Microsoft 365 Copilot to search for additional emails and documents without consent from the user.

A massive QR code phishing campaign has exploited Microsoft Sway, a cloud-based tool used for creating online presentations, to host landing pages aimed at tricking Microsoft 365 users into providing their credentials. Netskope Threat Labs discovered the attacks in July 2024, after detecting a significant increase in attacks involving Microsoft Sway to host phishing pages that steal Microsoft 365 credentials. This wave of attacks strongly differs from the minimal activity reported in the first half of the year, suggesting the campaign's large scale.