As part of its global Secure by Design campaign, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Request for Information (RFI) on the whitepaper titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software." CISA and its partners seek information on topics, including incorporating security early in the Software Development Life Cycle (SDLC), recurring vulnerabilities, Operational Technology (OT), the economics of Secure by Design, and more, to better inform the agency's Secure by Design campaign.

The ransomware gang ALPHV/BlackCat has announced that its network of affiliates can now target nuclear power plants, hospitals, and critical infrastructure. The move is a response to recent FBI enforcement activity. ALPHV/BlackCat made the announcement on its leak website, which had been offline since December 7, when it was believed to have been shut down by law enforcement. The previously closed ALPHV/BlackCat website briefly displayed an FBI seizure notice.

A ransomware attack on ESO, a provider of Emergency Medical Services (EMS) software, involves the sensitive details of millions of people, including their healthcare data. One impacted system contained information about patients associated with ESO's customers. SSNs were only exposed in a few cases. Healthcare data can be sold on dark web forums to malicious actors who want to commit medical identity theft. This type of identity theft involves using stolen information to submit forged claims to Medicare and other health insurers.

AT&T Alien Labs researchers discovered JaskaGO, a previously undetected Go-based information stealer that targets Windows and macOS systems. JaskaGO supports a wide range of commands and maintains persistence in various ways. The malware's macOS variant was discovered in July 2023, spreading in the form of installers for pirated legitimate software such as CapCut or AnyConnect. According to the researchers, the recent malware sample still has a low detection rate.

The National Security Agency (NSA) recently published its annual report detailing its efforts in cybersecurity and its work with government partners, foreign partners, and defense industrial base (DIB) entities to improve national security.  The NSA announced that its domain security service blocked 10 billion user connections to known malicious or suspicious domains.

Cybersecurity researchers at PRODAFT have detailed the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national indicted earlier this year by the US government for his alleged role in executing thousands of attacks worldwide. Matveev, who goes by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is alleged to have played a major role in the development and distribution of LockBit, Babuk, and Hive ransomware variants since at least June 2020.

In an email campaign characterized by sophisticated evasion tactics, attackers are exploiting a 6-year-old Microsoft Office Remote Code Execution (RCE) flaw to deliver spyware. According to Zscaler, the threat actors use business-related lures in spam emails that deliver files containing the RCE flaw. The attackers' ultimate goal is to load Agent Tesla, a Remote Access Trojan (RAT) and advanced keylogger discovered in 2014. They want to exfiltrate credentials and other data from an infected system through their Telegram bot.

Mozilla recently announced security updates for Firefox and Thunderbird to address 20 vulnerabilities, including several memory safety issues.  Firefox 121 was released with patches for 18 vulnerabilities, five of which have a high severity rating.  The most severe vulnerability is CVE-2023-6856, a heap buffer overflow bug in WebGL, the JavaScript API for rendering interactive graphics within the browser.  This vulnerability could allow an attacker to perform remote code execution and sandbox escape.

According to the Imperva Threat Research team, the 8220 gang has been exploiting an old Oracle WebLogic Server vulnerability, tracked as CVE-2020-14883, to spread malware. The 8220 gang has been active since 2017, deploying cryptocurrency miners on Linux and Windows hosts by exploiting known vulnerabilities. The group uses publicly available exploits that target well-known vulnerabilities. Although they are considered unsophisticated, the group is constantly changing tactics to avoid detection.

The Federal Criminal Police Office in Germany and the Internet crime-combating unit of Frankfurt have announced the shutdown of a dark web marketplace called Kingdom Market that distributed cybercrime tools, fake government IDs, and more. Authorities from the US, Switzerland, Moldova, and Ukraine were also involved in the law enforcement operation against the marketplace. Kingdom Market was an English-speaking dark web marketplace that had been operating since March 2021.