The "Science of Security (SoS) Program Review: 2011-2023" report is now available.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 24-01 in response to the widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances. Ivanti recently released information about two vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, which enable an attacker to move laterally across a target network, exfiltrate data, and gain persistent system access.

The Russia-backed Advanced Persistent Threat (APT) group ColdRiver, also known as Blue Charlie, Callisto, Star Blizzard, or UNC4057, has unleashed custom malware called Spica. According to Google's Threat Analysis Group (TAG), Spica is the first custom malware developed and used by ColdRiver. ColdRiver typically targets Non-Governmental Organizations (NGOs), former intelligence and military officers, and NATO governments for cyber espionage.

VMware has confirmed the active exploitation of a critical vCenter Server Remote Code Execution (RCE) that was patched in October 2023. The vCenter Server management platform is for VMware vSphere environments and helps administrators manage ESX and ESXi servers, as well as Virtual Machines (VMs). The vulnerability, discovered by Trend Micro, stems from an out-of-bounds write flaw in vCenter's DCE/RPC protocol implementation.

The US government recently published new guidance aimed at helping organizations in the water and wastewater (WWS) sector improve their cyber resilience and incident response capabilities.  Released in response to an increased interest by financially and politically motivated threat actors in the United States WWS sector, the guide outlines how water utility owners and operators can interact with federal partners to prepare for, mitigate, and respond to incidents.

Protect AI has released a new report highlighting vulnerabilities recently discovered in open-source Artificial Intelligence (AI) and Machine Learning (ML) tools by its bug bounty program. The first vulnerability posed a significant risk of server takeover and the loss of sensitive data. The MLflow tool, used for storing and tracking models, was discovered to contain a critical flaw in its code that could trick users into connecting to a malicious remote data source, thus allowing attackers to run commands on a victim's system.

A novel campaign is targeting vulnerable Docker services, with threat actors deploying both the XMRig cryptocurrency miner and the 9Hits Viewer software as part of a multi-pronged monetization strategy. According to the cloud security company Cado, this is the first documented case of malware using the 9Hits application as a payload. The development further demonstrates that adversaries are constantly looking for new ways to profit from compromised hosts. This article continues to discuss findings regarding the novel campaign targeting vulnerable Docker services.

Border0 researchers warn that users who expose poorly secured PostgreSQL and MySQL servers online risk having their databases wiped by a ransomware bot. The attackers request a small sum to return and not publish the data. However, those who pay will not recover their data because the bot takes a small portion of it before wiping it all. This article continues to discuss how the ransomware bot operates.