"GhostRace Detailed - Speculative Race Conditions Affecting All Major CPUs / ISAs"

VUSec, the Systems and Network Security Group at Vrije Universiteit Amsterdam, and IBM Research Europe have announced Speculative Race Conditions (SRCs) as a new class of vulnerabilities in which thread synchronization primitives using conditional branches can be microarchitecturally evaded on speculative paths via a Spectre-V1 attack. According to researchers, the new SRC attack, dubbed "GhostRace," affects all major CPU vendors. This article continues to discuss the new type of data leakage attack affecting all major CPUs.

Submitted by Gregory Rigby on

"The Rise of Cyberattacks on Financial Institutions Highlights the Need to Build a Security Culture"

Callie Guenther of Critical Start highlights that recent attacks on large financial institutions such as Bank of America call for companies to develop a security culture. The recent surge in cyberattacks against financial institutions represents a significant escalation in the threat landscape, increasing concerns regarding cybersecurity measures and regulatory responses. The February attack on Bank of America, facilitated by a third-party service, highlights the complexity of vulnerabilities that financial institutions face in an interconnected digital ecosystem.

Submitted by Gregory Rigby on

"Investment Scams Grow, 13,000 Domains Detected in January 2024"

According to the Federal Trade Commission (FTC), experts detected and blocked nearly 13,000 fake investment platform domains across more than 7,000 IPs in January 2024, a 25% increase from December 2023. The FTC noted that investment scams accounted for over $4.6 billion in fraud losses in the United States alone in 2023, marking a troubling 21% increase from the previous year.

Submitted by Adam Ekwall on

"DARPA Picks 7 Small Businesses for AI Cyber Challenge"

As part of its Artificial Intelligence (AI) Cyber Challenge, the Defense Advanced Research Projects Agency (DARPA) has awarded seven companies $1 million each to develop a cyber reasoning system. To "redefine" AI security, the US research agency is supporting seven small businesses in automatically detecting and fixing software vulnerabilities at scale.

Submitted by Gregory Rigby on

"Canada Jails LockBit Affiliate for Four Years"

Mikhail Vasiliev, a Russian-Canadian national and LockBit ransomware affiliate, has been sentenced to four years in prison after pleading guilty to cyber extortion. Vasiliev was first arrested in late 2022, with authorities suspecting him of being involved in the launch of attacks on critical infrastructure organizations and large industrial groups. Europol reported at the time of Vasiliev's arrest that he was involved in cyberattacks with enormous ransom demands.

Submitted by Gregory Rigby on

"Stanford University Data Breach Impacts 27,000 Individuals"

Stanford University recently notified 27,000 individuals that their personal information was stolen in a ransomware attack on its Department of Public Safety (DPS). The university says that the incident was discovered on September 27, 2023, but the attackers had access to the Stanford DPS network beginning May 12. The university noted that the hackers were evicted from the environment, and the network was secured shortly after the attack was discovered.

Submitted by Adam Ekwall on

"Critical ChatGPT Plug-in Vulnerabilities Expose Sensitive Data"

Salt Labs researchers discovered three security vulnerabilities in ChatGPT extension functions that could enable unauthorized, zero-click access to users' accounts and services. ChatGPT plug-ins and custom versions of the Artificial Intelligence (AI) system published by developers expand the AI model's capabilities. They enable interactions with external services by granting OpenAI's popular generative AI chatbot access and permission to perform tasks on different third-party websites, including GitHub and Google Drive.

Submitted by Gregory Rigby on

"Over 12 Million Auth Secrets and Keys Leaked on GitHub in 2023"

According to cybersecurity researchers at GitGuardian, GitHub users accidentally exposed 12.8 million authentication and sensitive secrets in more than 3 million public repositories in 2023, with most still valid after five days. GitGuardian sent out 1.8 million complimentary email alerts to those who exposed secrets, with only 1.8 percent of those contacted taking prompt action to address the issue.

Submitted by Gregory Rigby on

"US Seizes $1.4 Million in Cryptocurrency From Tech Scammers"

US law enforcement recently seized $1.4 million worth of Tether (USDT) tokens believed to have been fraudulently obtained through tech support scams. As part of the alleged scheme, which mainly targeted the elderly across the US, victims were targeted with popups on their computers, claiming that the system had been compromised. The FBI noted that the victims were directed to contact Microsoft or Apple, depending on the operating system on their machine, by calling a certain phone number that connected them with the perpetrators, who posed as tech support employees.

Submitted by Adam Ekwall on

"ICS Researchers Awarded Best Technical Poster at NDSS"

According to Alfred Chen, an assistant professor at UC Irvine's Donald Bren School of Information and Computer Sciences (ICS), the cyber-physical nature of Indoor Delivery Robot (IDR) systems can result in significant security and safety damages if they are attacked. Computer science Ph.D. student Fayzah Alshammari is researching IDR vulnerabilities to prevent such attacks. Chen says Fayzah's work aims to conduct the first security analysis of IDR systems in real-world commercial environments.

Submitted by Gregory Rigby on