Networking equipment manufacturer Juniper Networks recently announced patches for more than 30 vulnerabilities in Junos OS and Junos OS Evolved, including nine high-severity flaws.  The most severe of these issues is an incorrect default permissions bug that allows an unauthenticated attacker with local access to a vulnerable device to create a backdoor with root privileges.  Tracked as CVE-2023-44194 (CVSS score of 8.4), the company noted that the flaw exists because a specific system directory has improper permissions associated with it.

In order to infect developers with the SeroXen Remote Access Trojan (RAT), malicious NuGet packages with over 2 million downloads impersonate cryptocurrency wallets, cryptocurrency exchanges, and Discord libraries. NuGet is an open-source package manager and software distribution system operating package hosting servers so users can download and use them for development projects. Researchers at Phylum discovered the malicious packages uploaded to NuGet by a user named 'Disti' and published a report warning of the threat. This article continues to discuss the malicious NuGet packages.

According to a new advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the AvosLocker ransomware gang has been linked to attacks targeting critical infrastructure sectors in the US. The joint advisory details the tactics, techniques, and procedures (TTPs) involved in the Ransomware-as-a-Service (RaaS) operation. The agencies said AvosLocker affiliates infiltrate organizations' networks using legitimate software and open-source remote system administration tools.

According to researchers at the FTC, fraud victims lost $2.7bn to scammers operating on social media between January 2021 and June 2023.  The FTC stated that the sum of money lost to fraud on sites like Instagram and Facebook dwarfed that lost via regular websites and apps ($2bn), phone calls ($1.9bn), and email ($900m).  Most common on social media were reports of online shopping scams (44%), particularly clothing and electronics that were purchased but never arrived.  Investment (20%) and romance fraud (6%) were also common during the period.

Computer scientists from the Artificial Intelligence (AI) security startup Mindgard and Lancaster University in the UK have demonstrated the possibility of copying large chunks of Large Language Models (LLMs) such as ChatGPT and Bard in less than a week for as little as $50. The information gathered from this copying can be used to perform targeted attacks. According to the researchers, these vulnerabilities enable attackers to reveal confidential information, evade guardrails, provide incorrect answers, or stage additional targeted attacks.

Microsoft recently announced the launch of a new bug bounty program focused on artificial intelligence.  The program, which initially focuses on AI-powered Bing, offers rewards of up to $15,000 for vulnerabilities in bing.com in browsers, Bing integration in Edge, Microsoft Start Application, and the Skype mobile applications.  Microsoft noted that any vulnerabilities in the AI-powered Bing experiences on bing.com, including Bing Chat, Bing Chat for Enterprise, and Bing Image Creator, are within the scope of the program.

Australian researchers have developed an algorithm capable of intercepting a Man-in-the-Middle (MitM) cyberattack on an unmanned military robot and shutting it down in seconds. Artificial Intelligence (AI) experts from Charles Sturt University and the University of South Australia (UniSA) trained the robot's operating system to recognize the signature of a MitM eavesdropping cyberattack, in which an attacker interrupts a conversation or data transfer.

Cynthia Sturton, associate professor at the University of North Carolina at Chapel Hill, has received two grants from the National Science Foundation (NSF) in support of projects to strengthen hardware security verification. The first project, titled "Hardware Security Insights: Analyzing Hardware Designs to Understand and Assess Security Weaknesses and Vulnerabilities," will develop more effective methods for understanding how information flows in computer hardware designs, with the goal of enhancing the security of that information.

According to researchers at the cybersecurity company Checkmarx, Telegram, AWS, and Alibaba Cloud users are the target of a new malware campaign that hides malicious code within specific software functions to make it more difficult to detect. In September, Checkmarx discovered the campaign, which has been attributed to a threat actor dubbed "kohlersbtuh15." The malicious actor used the Python programming software repository Python Package Index (PyPI), launching attacks involving typosquatting and starjacking techniques.

New research explores the application of deep learning to analyze spectrogram images of the human eye and its movements as a biometric tool. For recognition and security applications, a group of researchers has created a novel method of personal identification based on eye movements. Since it focuses on the involuntary nature of certain eye movements, the biometric technique has proven resistant to fraudulent attempts. The team reached an accuracy of about 73 percent for eye angle spectrogram identification, and 65 percent for eye coordinate spectrogram identification testing.