Threat actors can use Amazon Web Services Security Token Service (AWS STS) to infiltrate cloud accounts and launch follow-on attacks. According to Red Canary researchers, the service allows threat actors to impersonate user identities and roles in cloud environments. AWS STS is a web service that lets users request temporary, limited-privilege credentials to access AWS resources without creating an AWS identity. These STS tokens have a validity period of 15 minutes to 36 hours.

Preventing exploitable vulnerabilities requires catching coding errors in Application Programming Interface (API) preproduction before they go live. Therefore, "shift left" has become a significant focus in API development, in which DevOps takes responsibility for incorporating security testing into the Software Development Life Cycle (SDLC), lowering the cost and expense of resolving coding errors and vulnerabilities. However, fixing code or knowing business logic abuse possibilities can be time-consuming for developers who are not security experts.

Google recently announced the release of Chrome 120 to the stable channel with patches for 10 vulnerabilities.  According to Google, of the resolved issues, five were reported by external researchers, who received a total of $15,000 in bug bounty rewards.  Based on the reward handed out, the most serious of the flaws is CVE-2023-6508, a high-severity use-after-free issue in Media Stream.  Google says it paid out $10,000 for the bug.  Next in line is CVE-2023-6509, a high-severity use-after-free defect that impacts Chrome’s Side Panel Search component.

IT services and business consulting company HTC Global Services has recently confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data.  HTC Global Services is a managed service provider offering technology and business services to the healthcare, automotive, manufacturing, and financial industries.  According to the ALPHV ransomware group, the leaked data includes passports, contact lists, emails, and confidential documents.

According to Cornell University researchers, attackers could manipulate responses to user prompts from Large Language Models (LLMs) behind Artificial Intelligence (AI) chatbots like ChatGPT by hiding malicious instructions in strategically placed images and audio clips online. Adversaries could use "indirect prompt injection" attacks to redirect users to malicious URLs, collect personal information from users, deliver payloads, and perform other malicious actions.

A vulnerability in an open-source library used widely in the Web3 space compromises the security of pre-built smart contracts, impacting many NFT collections, including Coinbase. Thirdweb, a Web3 development platform, said it became aware of the security flaw on November 20 and pushed a fix two days later. However, the company did not reveal the name of the library or the type or severity of the vulnerability to avoid tipping off attackers.

Japanese car maker Nissan is investigating a recent cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information.  Nissan Oceania is a regional division of the famous Japanese automaker that covers distribution, marketing, sales, and services in Australia and New Zealand.

According to security researchers at ZeroFox, the LockBit ransomware strain continues to be the primary digital extortion threat to all regions and almost all industries globally.  The researchers found that LockBit was leveraged in more than a quarter of global ransomware and digital extortion (R&DE) attacks in the seven quarters analyzed from January 2022 to September 2023.  This includes 30% of all R&DE attacks in Europe and 25% in North America during the period.

According to security researchers at Forescout, some Sierra Wireless cellular routers are affected by 21 vulnerabilities, including ones that could pose a significant risk to impacted organizations, including in critical infrastructure sectors.  The vulnerabilities, collectively tracked as "Sierra:21", were found in Sierra Wireless AirLink OT/IoT routers that are often used to connect local networks to the web in sectors such as healthcare, manufacturing, government, energy, water, transportation, emergency services, and retail.

The US cybersecurity agency CISA recently added four bugs impacting multiple Qualcomm chipsets to its Known Exploited Vulnerabilities (KEV) Catalog.  All four issues were identified by Google’s Threat Analysis Group and Google Project Zero, which often report security defects exploited by commercial spyware vendors.  CISA noted that three of the flaws tracked as CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063 were patched in October 2023 as zero days after Qualcomm learned from Google’s researchers that they were likely exploited in the wild.