SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
Amazon ECS attack
Sweet Security has disclosed the details of ECScape, an attack method that allows privilege escalation in Amazon ECS from a compromised container. The security firm’s researchers managed to obtain keys that would allow an attacker to move laterally, access private repositories and secrets, and seize broad control of the cloud environment. Sweet Security said AWS acknowledged the attack could work against hundreds of millions of machines and containers worldwide, but the cloud giant doesn’t classify it as a vulnerability in its products. It did, however, update its documentation as a result of the research.
Alera Group data breach impacts 155,000
Insurance and financial services firm Alera Group revealed that an intrusion detected in August 2024 resulted in the personal information of 155,000 clients and employees being compromised. Hackers had access to the company’s systems between July 19 and August 4, 2024, and obtained highly sensitive information, including SSNs, passports, and medical data.
Nvidia promises GPUs don’t and shouldn’t have kill switches and backdoors
In a new blog post, Nvidia says embedding backdoors and kill switches into chips would be a gift to hackers and hostile actors, and would undermine global digital infrastructure and fracture trust in US technology.
Chanel data breach
Chanel has joined the increasingly long list of fashion retailers targeted recently by hackers. The company said threat actors targeted a third-party service. Chanel is likely one of the many organizations targeted by the ShinyHunters cybercrime group in a campaign aimed at Salesforce instances. Other victims include Dior, Louis Vuitton, Google and Cisco.
CISA issues emergency directive for Microsoft Exchange vulnerability
CISA has issued an emergency directive instructing federal agencies to address a recently disclosed Microsoft Exchange vulnerability by August 11. The vulnerability, CVE-2025-53786, was disclosed on August 6 and it impacts hybrid deployments. It allows attackers with admin access to escalate privileges. CISA says that while there is no evidence of in-the-wild exploitation, it is “deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment”.
Streamlit vulnerability enabled stock market dashboard tampering
Cato Networks has discovered a vulnerability in Streamlit, an open source framework for building data applications, including ML prototypes, healthcare analytics dashboards, and financial data visualizations. The flaw, patched in March, could enable threat actors to conduct a cloud account takeover attack. Cato demonstrated the vulnerability’s potential impact by showing how threat actors could manipulate stock market dashboards built with Streamlit.
Exposure analysis of US energy sector
SixMap has released a comprehensive cybersecurity assessment of 21 US energy providers. The research identified 39,986 hosts with 58,862 services exposed to the internet across these organizations. Roughly 7% of all exposed services are running on non-standard ports, creating dangerous blind spots for security teams. The research also found that, on average, each organization had 9% of its hosts in the IPv6 space, another area of potential risk, as most security teams have no way of monitoring these assets.
Satellite hacking research
VisionSpace Technologies researchers demonstrated at Black Hat how easy it is to hack satellites by exploiting software vulnerabilities in the satellites themselves and the ground stations used to control them. The researchers found vulnerabilities that can be exploited to crash the software on a satellite, and also showed how hackers could change a satellite’s orbit by sending commands to its thrusters, The Register reported.
Federal court filing system hack
Sensitive court data from multiple US states is believed to have been exposed following a serious breach of the electronic case filing system used by federal courts, Politico learned from sources. The full extent of the breach is still being investigated. While it’s unclear who was behind the hack, state-sponsored threat actors are the main suspect.
Axis Communications video surveillance vulnerabilities
Researchers at Claroty have found potentially serious vulnerabilities in Axis Communications video surveillance products. An attacker could hijack video feeds, shut down cameras, or move laterally across a target network. Internet scans revealed over 6,500 exposed instances, with more than half located in the US. Axis has released patches and says it’s not aware of in-the-wild exploitation.