The Polish Cyber Command has warned that the Russian state-backed hacking group Forest Blizzard, also known as Fancy Bear and APT28, has been targeting public and private entities in Poland by exploiting a known Microsoft Outlook vulnerability, tracked as CVE-2023-23397. APT28 has a history of targeting government, non-governmental, energy, and transportation organizations in the US, Europe, and the Middle East. The Computer Security Incident Response Team of the Polish National Research Institute (CSIRT NASK) detected and reported new attacks linked to the group.

Malicious actors can use a new "post-exploitation tampering technique" to trick a target into thinking their Apple iPhone is in Lockdown Mode when it is not, allowing them to perform covert attacks. According to Jamf Threat Labs, if a hacker has already infiltrated a user's device, they can cause Lockdown Mode to be bypassed when the user activates it. The goal is to enable Fake Lockdown Mode on a device that an attacker has compromised through other means, such as unpatched security flaws.

Attackers are targeting WordPress users with a fake security alert about a Remote Code Execution (RCE) flaw. The alert offers a "patch" that actually spreads malicious code capable of hijacking a site. The email campaign, discovered by Wordfence and Patchstack researchers, impersonates WordPress and warns users of a vulnerability, urging them to click on a link to download a plugin in order to fix the flaw. Patchstack warns that this is not a legitimate email and that the plugin will infect the user's website with a backdoor and a malicious administrator account.

According to the US Goverment Acountability Office (GAO), although US federal agencies have made progress in preparing for and responding to cyber threats, too many have failed to meet the deadline to implement incident response capabilities required by law.  The GAO found that 20 US federal agencies have not yet reached the advanced level, tier three, for cyber event logging.

Over a dozen malicious loan apps, collectively known as SpyLoan, have been downloaded more than 12 million times from Google Play this year, but the total is much higher because they are also available on third-party stores and suspicious websites. SpyLoan Android apps steal personal data from a victim's device regarding accounts, device information, call logs, installed apps, calendar events, local Wi-Fi network details, and image metadata. According to researchers, the threat extends to contact lists, location data, and text messages.

Security researchers at industrial cybersecurity firm TXOne Networks have disclosed the details of 10 unpatched vulnerabilities discovered in building automation products made by Austrian company Loytec more than two years ago.  The vulnerabilities have been assigned to the identifiers CVE-2023-46380 through CVE-2023-46389, and their details were disclosed in three separate advisories published on the Full Disclosure mailing list in November.

Google recently announced that the December 2023 Android security updates deliver patches for 94 vulnerabilities.  The first part of the updates resolves 33 vulnerabilities in Android's Framework and System components.  Google noted that three of these are rated "critical severity." Google stated that the most severe of these issues is a critical security vulnerability in the system component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed.

Research from HYAS Infosec's HYAS Labs is contributing to the European Union's Artificial Intelligence (AI) Act. The AI Act is an initiative helping to shape the trajectory of AI governance, with US policies and considerations to follow soon. According to AI Act researchers and framers, the Act mirrors a specific conception of AI systems, considering them as non-autonomous statistical software with possible harms mainly from datasets.

Microsoft discovered ongoing malvertising attacks involving the use of the DanaBot Trojan to spread CACTUS ransomware. Microsoft linked the campaign to Storm-0216, also known as Twisted Spider and UNC2198. Storm-0216 previously used Qakbot malware for initial access, but after the Qakbot infrastructure was taken down, it switched to other malware. The current DanaBot campaign was discovered in November, when Microsoft researchers found that the threat actors were using a private version of the popular info-stealing malware rather than the Malware-as-a-Service (MaaS) offering.

It has recently been revealed that data on Blue Shield of California members may have been exposed due to a vulnerability in the MOVEit file transfer platform.  The insurer was notified on Sept. 1 by a vendor that indicated it was a victim of the data breach.  The vendor found on Aug. 23 that an unauthorized user had tapped into information in the MOVEit server and then took the server offline.  After an investigation, Blue Shield of California discovered that this third party extracted data from the server on May 28 and May 31.