The National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners have published "Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption." This Cybersecurity Technical Report (CTR) aims to help software developers, suppliers, and customer stakeholders ensure the integrity and security of software through contractual agreements, software updates, notifications, and vulnerability mitigations.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the Service Location Protocol (SLP) vulnerability, tracked as CVE-2023-29552 with a CVSS score of 7.5, to its Known Exploited Vulnerabilities (KEV) catalog. The SLP is a legacy service discovery protocol that enables computers and other devices to find services in a local area network without initial configuration. The flaw is a Denial-of-Service (DoS) vulnerability that an unauthenticated, remote attacker can exploit to register arbitrary services.

Russia's Sandworm Advanced Persistent Threat (APT) group used Living-off-the-Land (LotL) techniques to cause a power outage in a Ukrainian city during missile strikes in October last year. Sandworm, which is linked to Russia's Main Center for Special Technologies, has a long history of cyberattacks in Ukraine, including the 2015 and 2016 BlackEnergy-induced blackouts, the NotPetya wiper, and more recent campaigns that overlap with the Ukraine war. This article continues to discuss the Sandworm APT's disruption of power in Ukraine.

A new set of malicious Python packages has infiltrated the Python Package Index (PyPI) repository, aiming to steal sensitive information from compromised developer systems. According to Checkmarx, the packages appear harmless obfuscation tools, but they contain malware called BlazeStealer. The malware retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers control over the victim's computer.

OpenAI has confirmed that ChatGPT and its API experienced a major outage on Wednesday due to what appeared to be a distributed denial-of-service (DDoS) attack.  The organization reported seeing problems with its LLM-based chatbot and API on November 7.  The disruptions were initially described as partial outages, but a major outage was reported on November 8.

Japanese electronics manufacturer Japan Aviation Electronics is recovering from a cyberattack for which the Alphv/BlackCat ransomware group has claimed responsibility.  The company was founded in 1953 and headquartered in Shibuya, Tokyo.  Japan Aviation Electronics manufactures electrical connectors, aerospace electronics, and user interface related devices.  The company noted that the incident occurred on November 2 and involved some of its servers being accessed by an unauthorized external party.

Researchers at the University of North Dakota (UND) will use an award from the US Department of Energy (DOE) to develop algorithms for a cybersecurity software tool that will help Distributed Energy Resources (DERs) securely participate in energy markets. Examples of DERs include solar and wind power generation methods and devices such as electric vehicle chargers. As these devices, which are typically connected to the Internet, are increasingly being added to power grids across the US, additional cybersecurity measures are required.

Although smart speakers such as Alexa offer convenience, they have raised some privacy concerns. As Columbia University researchers have pointed out, companies have developed technology that poses even greater threats to privacy: Artificial Intelligence (AI) and Machine Learning (ML) capable of determining a user's emotional state or mood based on their voice. Many researchers have been working on using voice data to infer emotions, mood, or even mental health, according to Asif Salekin, assistant professor of electrical engineering and computer science at Columbia University.

Experts at a recent virtual conference by R Street, a non-profit think tank, discussed the issues of data privacy and data security. Lack of regulation passed by congress leaves many companies amassing large data on users, customers, and consumers. with no requirements on how to safeguard and manage the information. Several bills have been introduced by congress, but as yet nothing has made it into law.

A recent threat intelligence assessment released by Microsoft’s Threat Analysis Center (MTAC) has warned of potential unprecedented challenges to the security of elections over the next year.  Microsoft suggested that authoritarian nation states may attempt to interfere with electoral processes using a combination of traditional methods and emerging technologies, including AI.  Microsoft stated that there is a need for governments, technology companies, businesses, and civil society to collaborate and take proactive steps to safeguard elections.