Wiz, a cloud security provider, discovered two critical architecture flaws in generative Artificial Intelligence (AI) models uploaded to Hugging Face, the leading AI model and application-sharing platform. Wiz Research described the two flaws and the potential risk they pose to AI-as-a-service providers. The risks include shared inference infrastructure takeover and shared Continuous Integration and Continuous Deployment (CI/CD) takeover. This article continues to discuss how attackers could exploit the AI infrastructure risks.

A new version of "JSOutProx" is targeting financial institutions in the Asia-Pacific (APAC) and Middle East and North Africa (MENA). Resecurity described JSOutProx as a sophisticated attack framework that uses both JavaScript and .NET. It uses the .NET (de)serialization feature to communicate with a core JavaScript module on the victim's machine. Once executed, the malware allows the framework to load different plugins, which perform additional malicious actions against the victim. This article continues to discuss findings regarding the evolving JSOutProx threat. 

Omni Hotels & Resorts has recently told customers that the recent disruptions have been caused by a cyberattack that forced it to shut down some systems.  The Texas-based Omni Hotels & Resorts runs 50 upscale hotels and resorts across North America, offering more than 23,000 rooms.  The company says it started responding to a cyberattack on March 29.  The company noted that it is currently working to determine the scope of the event, including the impact on any data or information maintained on Omni systems.

Cancer treatment and research center City of Hope recently started notifying over 800,000 individuals that their personal and health information was compromised in a data breach.  A National Cancer Institute (NCI)-designated comprehensive cancer center, City of Hope is based in Duarte, California, but has a network of clinical practice locations and offices throughout the US.  City of Hope noted that the data breach occurred between September 19 and October 12, 2023.

Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) and OpenAI published a white paper titled "Considerations for Evaluating Large Language Models for Cybersecurity Tasks." The paper finds that Large Language Models (LLMs) could be useful for cybersecurity professionals. However, LLMs should be evaluated using real and complex scenarios to gain a better understanding of the technology's capabilities and risks. LLMs form the foundation of today's generative Artificial Intelligence (AI) platforms, including Google's Gemini, Microsoft's Bing AI, and OpenAI's ChatGPT.

A researcher named Bartek Nowotarski has disclosed a new Denial-of-Service (DoS) attack method called "HTTP/2 Continuation Flood," which could pose a more serious threat than Rapid Reset, the vulnerability exploited in 2023 to launch the largest Distributed DoS (DDoS) attacks ever. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University (CMU) helped coordinate disclosure with impacted companies and open source projects. HTTP/2 Continuation Flood is a class of vulnerabilities impacting many HTTP/2 protocol implementations.

Google is testing a new Chrome feature called Device Bound Session Credentials (DBSC) to help protect users from session cookie theft by malware. The prototype, which is currently being tested against some Google Account users running Chrome Beta, is planned to become an open web standard, according to the company's Chromium team. By binding authentication sessions to the device, DBSC will disrupt the cookie theft industry, as exfiltrating these cookies will no longer be valuable.

Attackers are using Google Ads to spread information-stealing malware, launching an ad-tracking feature to lure corporate users with fake ads for collaborative groupware such as Slack and Notion. AhnLab Security Intelligence Center (ASEC) researchers found a malicious campaign involving a statistical feature that embeds URLs for delivering malware, including the Rhadamanthys stealer. The feature allows advertisers to insert external analytic website addresses into ads in order to collect and use access-related data from their visitors.

The Heartbleed bug turned ten years old on April 1. In March 2014, Google and Codenomicon discovered the Heartbleed bug in OpenSSL, and it was reported on April 1, 2014. The issue was a small error in the OpenSSL implementation of the TLS/DTLS protocols in versions 1.0.1 to 1.0.1f, but the impact was significant. It enabled the theft of X.509 certificate secret keys, usernames and passwords, communications, and documents by remote attackers. According to Netcraft figures from April 2014, two-thirds of the Internet used servers that applied OpenSSL, and exploitation was undetectable.

Fawn Ngo, an associate professor at the University of South Florida College of Behavioral and Community Sciences, explored the connections among demographic characteristics, cyber hygiene practices, and cyber victimization using a sample of Limited English Proficiency (LEP) Internet users.