"Hackers Earn $400k on First Day at Pwn2Own Toronto 2023"

The Pwn2Own Toronto 2023 hacking contest started yesterday, and participants successfully hacked NAS devices, printers, mobile phones, and other devices, earning more than $400,000 on the first day.  The highest reward of the day went to team Orca of Sea Security, which executed a two-vulnerability exploit chain (out-of-bounds read and use-after-free) against the Sonos Era 100 speaker, earning $60,000.  The Pentest Limited team earned the second highest reward of the day, at $50,000, for an improper input validation exploit targeting the Samsung Galaxy S23 mobile phone.

Submitted by Adam Ekwall on

"Seiko BlackCat Data Breach: 60,000 Records on the Line"

Seiko Group Corporation (SGC) has recently revealed the extent of a data breach that it disclosed initially in August.  The company's latest notice focuses on the security of 60,000 records.  The data breach notification, originally published on its website on August 10, resulted from unauthorized access detected on July 28, 2023, after the ransomware gang BlackCat listed Seiko on its data leak site.

Submitted by Adam Ekwall on

"Small Businesses Suffer Record Number of Cyberattacks"

According to the Identity Theft Resource Center (ITRC), nearly three-quarters (73%) of US small business owners reported a cyberattack last year, with employee and customer data most likely to be targeted in data breaches.  The ITRC compiled its data from interviews with 551 small business owners and employees.  The ITRC found that, despite experiencing a record number of attacks, most (85%) of the respondents said they were ready to respond to a cyber incident, up from 70% last year.

Submitted by Adam Ekwall on

"Healthcare Ransomware Attacks Cost US $78bn"

According to security researchers at Comparitech, ransomware breaches have cost the US economy tens of billions of dollars in downtime alone over the past seven years.  The researchers analyzed data on all known ransomware attacks affecting medical organizations between 2016 and mid-October 2023, looking at specialist IT news, data breach reports, and state reporting tools.  During the time period, there were 539 reported attacks on healthcare organizations, impacting an estimated 9780 separate hospitals, clinics, and other organizations.

Submitted by Adam Ekwall on

"Security Threats in AIs Such as ChatGPT Revealed by Researchers"

Scientists at the University of Sheffield have found that Natural Language Processing (NLP) tools, such as ChatGPT, can be tricked into generating malicious code, which could lead to cyberattacks. The study is said to be the first to demonstrate that NLP models can be used to attack real-world computer systems in various industries. The results show that Artificial Intelligence (AI) language models are vulnerable to simple backdoor attacks, such as planting a Trojan Horse, which could be activated anytime to steal data or disrupt services.

Submitted by grigby1 CPVI on

"New England BioLabs Leak Sensitive Data"

The Cybernews research team discovered two New England BioLabs (NEB) environment (.env) files hosted publicly on September 18. They contained sensitive information, including database credentials, SMTP server login information, enterprise payment processing information, and more. Both files were designated for the production environment, meaning that they were likely used in real-time operations at the Canada branch of the company.

Submitted by grigby1 CPVI on

"Oops! When Tech Innovations Create New Security Threats"

Recent incidents demonstrate that threat actors see opportunities when new technologies are designed with inadequate security. Technology vendors continue to create functionality and features with the intention of improving digital experiences. They are continuously trying to respond to business and consumer demands for better and faster features. However, new technologies are often developed without much consideration for privacy and security.

Submitted by grigby1 CPVI on