Qualcomm has disclosed a critical vulnerability that would enable remote attacks through malicious voice calls over LTE networks. The company listed 26 vulnerabilities, four of which are critical, affecting Qualcomm chipsets. According to Qualcomm, the most severe vulnerability, tracked as CVE-2023-33025 with a CVSS score of 9.8, involves a buffer overflow flaw. It causes memory corruption in the data modem, which happens during Voice-over-LTE (VoLTE) calls when the Session Description Protocol (SDP) body is non-standard.

According to Hudson Researchers, a mysterious hacker by the name of "irleaks" launched a series of attacks against industry-leading companies in Iran. The hacker announced the sale of over 160 million records allegedly stolen from 23 leading insurance companies in Iran. The stolen data is said to include first and last names, birth dates, mobile phone numbers, company national codes, and other information. A sample of the data, which is being sold for $60,000, was also shared.

Over the next 12 months, the European Central Bank (ECB) will stress test 109 banks to determine whether they are adequately prepared for cyberattacks. The tests will prioritize the banks' response and recovery capabilities, not the potential to prevent incidents. The ECB directly supervises the 109 banks in question. The stress test scenario aims to disrupt the banks' day-to-day operations, allowing existing contingency plans to be put to the test. Although the ECB performs stress tests regularly, the emphasis on cyber resilience is new.

According to CloudSEK researchers, the dark web is experiencing a "gold rush" as threat actors target verified accounts on X, formerly Twitter, for large-scale attacks. There has been a surge of posts selling accounts with X gold verification on dark web forums, marketplaces, and Telegram channels. On X, verified organizations can buy a gold checkmark, which is part of the platform's verification system. Blue badges are available for premium subscribers, while gray badges are available for NGOs and government agencies.

"This document recommends guidelines for providers of any systems that use artificial intelligence (AI), whether those systems have been created from scratch or built on top of tools and services provided by others. Implementing these guidelines will help providers build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorized parties. This document is aimed primarily at providers of AI systems who are using models hosted by an organization, or are using external application programming interfaces (APIs).

The Security Service of Ukraine (SSU) has recently revealed that Russian intelligence hacked online surveillance cameras to spy on air defense activities and critical infrastructure in Kyiv ahead of recent missile strikes.  The SSU noted that the Kremlin was able to remotely control two residential cameras, which it used to collect information to target critical infrastructure in Ukraine’s capital Kyiv.  This likely includes the large-scale missile attack that took place on Tuesday, January 2, 2024, in which Russia fired around 100 drones and missiles against Kyiv and Kharkiv.

For the nation's most sensitive systems, cryptography is both the first and last line of defense. The quantum threat exists, and it is critical to modernize in order to protect these systems. In the new video for the National Security Agency's (NSA) Cybersecurity Speaker Series, NSA's Senior Cryptographic Authority, Dr. Adrian Stanger, and NSA's Cryptographic Solutions Technical Director, Dr. William J. Layton, discuss preparing for the post-quantum era with NSA's Cybersecurity Collaboration Center Chief of DIB Defense, Bailey Bickley.

In the days leading up to Christmas, cybercriminals leaked 50 million records on the dark web containing sensitive personal information. Many of the leaks on the dark web were labeled "Free Leaksmas," which could mean the threat actors were sharing their data with other cybercriminals out of mutual gratitude and to attract new customers. Researchers at Resecurity observed several threat actors releasing large data dumps nearly simultaneously on and just before Christmas Eve.

Printing solutions giant Xerox recently confirmed that its US-based subsidiary Xerox Business Solutions experienced a data breach.  The incident, the company says, was limited to Xerox Business Solutions US and was contained by its cybersecurity team.  The company noted that while the attack did not affect Xerox’s corporate systems and had no impact on the company’s operations or data, the investigation launched into the matter determined that personal information was compromised.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. The first is a recently patched flaw in Google Chrome, and the second bug affects Spreadsheet::ParseExcel, an open-source Perl library for reading information from Excel files. The agency has given federal agencies until January 23 to mitigate the two security flaws or to stop using the vulnerable products. The Remote Code Execution (RCE) flaw affects versions 0.65 and older of the Spreadsheet::ParseExcel library.