Apple patches a MacOS gatekeeper bypass vulnerability requiring an update to patch. Though this vulnerability requires some social engineering to exploit, it is believed to be actively exploited since Jan. 9. Some Digital Ocean customers were affected by a breach exposing personally identifiable information. A WordPress trac conversation considers blocking FLoC as a security release, and Creative Commons Search is coming to WordPress.org in a few weeks. Google Chrome has another RCE bug.

Attacks on unpatched SolarWinds systems continue, and we're now learning of a supply chain attack that started in late January 2021 affecting 29K Codecov customers, as well as a 0day actively attacked affecting customers of PulseSecure VPN. Customers of these 3 services are well known enterprise & government organizations. Two add-on plugins experiencing active attacks: Kaswara Modern WPBakery Page Builder Addons & The Plus Addons for Elementor. Vulnerabilities are patched in Redirection for Contact Form 7.

An FBI initiative began remotely removing webshells from infected Microsoft Exchange servers. WordPress 5.7.1 was released with a few security patches. Over 15 Elementor addon plugins were found to have vulnerabilities affecting over 3.5M sites. Google Chrome was found to have two 0day vulnerabilities. The US & UK blame Russian hackers for the attack campaigns against SolarWinds. Organizations are still being urged to patch the 5 vulnerabilities being exploited in ongoing attacks.

A new Wix ad campaign targets WordPress but ends up being tone deaf in both content and strategy. New details emerge about the PHP compromise, but the full story remains unclear. Facebook user data from 2019 ends up on the dark web, and Have I Been Pwned adds a phone number check to help users determine if they’ve been affected. GitHub Actions are being used by cryptojackers, Gigaset Android phones have been infected with malware in a supply chain attack, and new phishing methods emerge using Telegram.

The self-hosted Git repository for PHP was compromised, with attackers adding a backdoor to a development version of PHP 8.1. The intrusion was detected by the PHP community quickly, and no production environments were affected. Ubiquiti experienced an intrusion in January that was far worse than originally reported; attackers gained access to nearly all of the AWS assets for the company who has shipped 85 million IoT devices.

Attackers continue to exploit recently patched vulnerabilities in Thrive Themes, though not all of them are successful. Two vulnerabilities are patched in the Facebook for WordPress plugin installed on over half a million sites. Google Chrome version 90 will use HTTPS by default, bringing significant improvements to speed and security. A ransomware insurance provider experiences a breach, and Slack’s new “Slack Connect” feature has some security concerns.

An attack shows how a SMS enablement service was used to bypass SMS 2FA for $16. We discuss the recently patched vulnerabilities in Elementor affecting 7M+ WP sites and how easily these XSS vulnerabilities can be exploited. We also talk about the SQL Injection vulnerabilities in Tutor LMS. The fire at OVH in France that took 3.5 million sites offline also took down some advanced persistent threat (APT) actors. And there's yet another Chrome use-after-free zero-day vulnerability being actively exploited.

A data breach exposes 150,000 security cameras used by organizations around the world, including Tesla and Cloudflare. State-sponsored hacking groups exploit Microsoft Exchange vulnerabilities. A fire in a French data center belonging to hosting company OVH affects millions of websites, including some prominent WordPress services like Imagify and WP Rocket. WordPress 5.7 was released this week with many new features.

The Wordfence Threat intelligence team finds vulnerabilities in two plugins, the User Profile Picture plugin and the WooCommerce Upload Files plugin. WordPress 5.7 is set to release on Tuesday, March 9 with numerous enhancements for the block editor, a new robots.txt API, and a stay of execution on jQuery-migrate. A zero day affecting Microsoft Exchange Server allows attackers to steal emails. And Brave buys a search engine to add to their growing privacy-oriented portfolio.

WordPress 5.7 is due to be released on Mar. 9, and it allows admins to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for C2, while VMWare fixes a critical RCE in all default vCenter installs. We talk about the ramifications of vulnerability disclosures and how last year's File Manager vulnerability did not have long lasting effects on plugin installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price of cybersecurity failures.