Researchers have discovered a GitHub account abusing two different features of the website to host stage-two malware. Hackers are increasingly repurposing public services for their activities, housing malware in public code repositories or file-sharing services, and conducting command-and-control (C2) from messaging apps. They sometimes use Software-as-a-Service (SaaS) platforms in unexpected ways. A user by the name of "yeremyvalidslov2342" is continuing this tactic. The individual has been linked to multiple malicious packages identified by ReversingLabs on December 19.

According to a new joint cybersecurity advisory from the US and Australia, the threat actors behind the Play ransomware are estimated to have hit about 300 entities as of October 2023. Authorities said that Play ransomware actors use a double-extortion model, encrypting systems after stealing data. The group has impacted various businesses and critical infrastructure organizations in North America, South America, Europe, and Australia.

According to security researchers at Qualys Threat Research Unit (TRU), a total of 26,447 vulnerabilities were disclosed in 2023, surpassing the previous year by over 1500 CVEs.  Notably, less than 1% of these vulnerabilities posed the highest risk, being actively exploited in the wild by ransomware, threat actors, and malware.  The researchers also found that 97 high-risk vulnerabilities, likely to be exploited, were not part of the CISA Known Exploited Vulnerabilities catalog, and 25% of high-risk vulnerabilities were exploited the same day they were published.

According to the US Department of Justice (DOJ), the FBI successfully breached the BlackCat/ALPHV ransomware operation's servers to monitor activities and obtain decryption keys. On December 7, it was first reported that the group's websites, including the ransomware gang's Tor negotiation and data leak websites, had suddenly stopped working. The BlackCat/ALPHV administrator claimed it was a hosting problem, but researchers discovered it was connected to a law enforcement operation.

Comcast’s Xfinity recently announced that customer information had been compromised in a cyberattack that involved exploitation of the vulnerability known as CitrixBleed.  CitrixBleed, officially tracked as CVE-2023-4966, is a critical vulnerability affecting Citrix’s Netscaler ADC and Gateway appliances. Malicious actors can exploit the flaw to hijack existing sessions, which can give them access to the targeted organization’s systems. Patches were announced by Citrix on October 10, but the vulnerability had been exploited as a zero-day since August.

There are security risks associated with QR codes, which are graphical representations of digital data that can be printed and later scanned by a smartphone or other device. In December 2023, the Federal Trade Commission (FTC) gave another warning about the dangers of scanning a code from an unknown source. Scott Ruoti, assistant professor of computer science at the University of Tennessee, explains why visiting URLs stored in QR codes can be dangerous in various ways.

Researchers at Palo Alto Networks' Unit 42 developed a Machine Learning (ML) model that feeds on "crumbs of information" left by malicious actors and detects tens of thousands of malicious domains each week before they are used for illegal activities. Malicious actors often register many domain names in bulk to ensure redundancy and uptime for phishing campaigns, malware distribution, adversarial Search Engine Optimization (SEO), or other illegal content. Domains are held in reserve until they are needed for specific campaigns.

A novel way to exploit a decades-old protocol that has been used to send emails allows attackers to bypass Domain-based Message Authentication, Reporting, and Conformance (DMARC) and other email security mechanisms, putting organizations and individuals at risk for targeted phishing attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA) will launch a strategic effort to modernize its approach to enterprise cyber threat information-sharing in 2024. This effort will propel three key areas of progress: simplification, partner-centered design, and experience-based learning. CISA, for example, will refocus and consolidate its customer-facing cyber threat intelligence offerings under a new initiative called Threat Intelligence Enterprise Services (TIES) to simplify things.

The US Cybersecurity and Infrastructure Security Agency (CISA) urges manufacturers to eliminate default passwords on Internet-connected systems, citing serious risks that malicious actors could exploit to gain initial access to and move laterally within organizations. In a recent alert, the agency said Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) have gained access to critical infrastructure systems in the US by exploiting Operational Technology (OT) devices with default passwords.