The Shim maintainers have released version 15.8 to fix six security flaws, including a critical bug that could enable Remote Code Execution (RCE) under certain conditions. Shim is described as a "trivial" software package designed to serve as a first-stage boot loader on Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, tracked as CVE-2023-40547 with a CVSS score of 9.8, could be exploited to bypass Secure Boot.

According to security researchers at Chainalysis, ransomware actors collected over $1bn in extortion money from their victims in 2023, a record high.  The researchers noted that this is a conservative estimate of the financial impact of ransomware last year, as new cryptocurrency addresses are likely to be discovered over time.  The researchers said the figure for 2022 has already been revised up 24% to $567m, for example.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a renewal of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, a public-private partnership with various representatives from public and private sector organizations. They are tasked with identifying challenges as well as developing realistic, actionable, and risk-based recommendations and solutions for managing risks faced by the global ICT supply chain.

In a recent position paper, intelligence agencies in Germany, France, the Netherlands, and Sweden gave their criticism about Quantum Key Distribution (QKD). This encryption method theoretically ensures the security of communications by preventing anyone from intercepting keys without detection. According to the agencies, there are several inherent flaws, and a practical implementation would be too expensive and limited. This article continues to discuss the intelligence agencies' criticism of QKD.

Threat actors have been using fake Facebook job advertisements to trick potential victims into installing a new Windows-based stealer malware called Ov3r_Stealer. According to Trustwave SpiderLabs, this malware steals credentials and cryptocurrency wallets. It then sends them to a Telegram channel monitored by the threat actors. Ov3r_Stealer can gather IP address-based locations, hardware information, passwords, cookies, credit card information, auto-fills, browser extensions, cryptocurrency wallets, Microsoft Office documents, and more.

Cybercriminals have expanded their botnet capabilities with about 3 million malware-infected smart toothbrushes. According to the Swiss newspaper Aargauer Zeitung, remotely controlled toothbrushes were pulled into a Distributed Denial-of-Service (DDoS) attack to access and disrupt a website belonging to a company in Switzerland. The threat actors behind the attack used flaws in the Java programming language to infect the smart toothbrushes. Then they used a single command to direct their requests to the server of interest.

According to the Military Intelligence and Security Service (MIVD) of the Netherlands, a Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices.  It was noted that despite backdooring the hacked systems, the damage from the breach was limited due to network segmentation.  The MIVD stated that the effects of the intrusion were limited because the victim network was segmented from the wider MOD networks.  The victim network had fewer than 50 users.

Microsoft Azure's big-data analytics service, HDInsight, has three high-risk vulnerabilities. Orca Security has released new findings regarding one Denial-of-Service (DoS) vulnerability and two privilege escalation bugs affecting the service. These vulnerabilities invite performance issues, unauthorized administrative access, and all of the associated risks. Attackers could read, write, delete, and conduct any other management operations on an organization's sensitive data.

Commercial Spyware Vendors (CSVs) were behind 80 percent of the zero-day vulnerabilities discovered by Google's Threat Analysis Group (TAG) in 2023 and exploited to spy on devices. Google's TAG has been observing the activities of 40 commercial spyware vendors in order to detect exploitation attempts, protect users of its products, and help protect the larger community by reporting key findings to the proper parties. Google discovered that spyware vendors were behind 35 of the 72 known in-the-wild zero-day exploits affecting its products over the last decade.

Verizon Communications has recently warned that an insider data breach impacts almost half its workforce, exposing sensitive employee information.  A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.  Verizon says it discovered the breach on December 12, 2023, nearly three months later, and determined it contained sensitive information of 63,206 employees.