A recently announced study will focus on the future challenges associated with autonomous vehicles (AVs) regarding cybersecurity and more. The ASIS Foundation awarded funding to the University of Portsmouth and the University of West London to study AV security and regulations. The project seeks to answer important questions about the effectiveness of existing regulatory frameworks and standards governing the secure and safe expansion of AV use. In addition, it will analyze how these regulations address threats, risks, and opportunities in the security sector.

The Food and Agriculture Risk Modeling (FARM) project, led by Mary Lancaster, a Pacific Northwest National Laboratory (PNNL) epidemiologist and data scientist, and PNNL researchers, is the first exploration of the cybersecurity vulnerabilities of an increasingly smart food and agriculture sector for the Department of Homeland Security (DHS). Advanced technology is the future of agriculture, and there are already numerous examples of technologies controlled by smart devices and computer systems.

Prasad Calyam, cybersecurity professor and director of the Mizzou Center for Cyber Education, Research, and Infrastructure, is leading the project to establish a new cybersecurity approach that better protects classified information and battlefield communications. His team is exploring the design and implementation of zero trust security in relation to military operations.

Microsoft has recently fixed three zero-day vulnerabilities in its latest security update round this month, all of which are being actively exploited in the wild.  October’s Patch Tuesday fixed 104 vulnerabilities, only 12 of which were labeled “Critical.” The first zero-day bug, CVE-2023-41763, is an elevation of privilege vulnerability in Skype, which allows an attacker to send a specially crafted network call to a target Skype for Business server.  The second zero-day is CVE-2023-36563, an information disclosure vulnerability in WordPad that allows disclosure of NTLM hashes.

Threat actors continue to exploit a critical vulnerability in unpatched NetScaler Gateways, inserting malicious scripts into the HTML content of the authentication web page in order to steal user credentials. The vulnerability, tracked as CVE-2023-3519, was reported in July when the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its catalog of Known Exploited Vulnerabilities (KEV).

Researchers at Cybernews have further revealed the intrusive nature of Android apps. According to Statista, Android dominates the global mobile operating system (OS) market with a 70.5 percent share. However, while this popular OS provides app developers with a great deal of flexibility, it also poses a threat to user data protection and privacy. In the most recent Cybernews study, 50 apps dedicated to personal finance, such as payment providers, investment platforms, cryptocurrency, and more, were examined.

Google recently announced the release of Chrome 118 to the stable channel with fixes for 20 vulnerabilities, including 14 reported by external researchers.  Google noted that the most severe of the externally reported flaws is CVE-2023-5218, a critical bug described as a use-after-free issue in Site Isolation, Chrome’s component responsible for preventing sites from stealing other sites’ data.

According to the 2023 Financial Services Sector Threat Landscape report by Trustwave SpiderLabs, the most commonly spoofed companies in phishing emails aimed at the financial services industry are Microsoft and American Express. The report cited phishing and email-borne malware as the most used methods for gaining a foothold within organizations. These developments have contributed to these attacks' continued relevance and effectiveness.

In an attempt to steal Microsoft account credentials, hackers are using LinkedIn Smart Links in phishing attacks to circumvent security measures and avoid detection. Smart Links are a component of LinkedIn's Sales Navigator service, which is used for marketing and tracking, enabling business accounts to email content with trackable links to look at engagement. Smart Links use LinkedIn's domain followed by an eight-character code parameter, so they appear to come from a trustworthy source and are able to evade email security.

Microsoft has attributed the exploitation of a critical vulnerability in Atlassian Confluence Data Center and Server to the nation-state actor Storm-0062, also known as DarkShadow or Oro0lxy. Since September 14, 2023, the company's threat intelligence team has observed the vulnerability being exploited in the wild. According to Microsoft, any device with a network connection to a vulnerable application can exploit the vulnerability, tracked as CVE-2023-22515, to create a Confluence administrator account within the application.