Cloudflare, Google, and Amazon AWS have disclosed that a zero-day vulnerability called HTTP/2 Rapid Reset in the HTTP/2 protocol has been exploited to launch massive, high-volume Distributed Denial-of-Service (DDoS) attacks. Cloudflare discovered the zero-day vulnerability developed by an unknown threat actor in August 2023. The vulnerability exploits the standard HTTP/2 protocol, a crucial component of the Internet and most websites. This new attack works by making hundreds of thousands of "requests" that are then promptly canceled.

UK-based cable manufacturing giant Volex was recently targeted in a cyberattack involving unauthorized access to some of the company’s IT systems and data.  The company stated that all its sites remain operational, and it does not expect any financial impact caused by the incident to be material.  However, it did admit that there has been some “minimal disruption to global production levels.”  Specialist third-party consultants have been engaged to investigate the nature and extent of the incident and to implement the incident response plan.

A leading genetics testing firm recently confirmed that threat actors accessed customers’ profile information following a credential stuffing campaign.  San Francisco-headquartered 23andMe offers DNA testing, ancestry information, and personalized health insights for millions of customers.  A threat actor known as “Golem” posted an ad to BreachForums last week, offering “raw data profiles,” “tailored ethnic groupings,” “individualized data sets,” and much more to online buyers.  Prices start at $1,000 for 100 profiles and max out at $100,000 for 100,000 profiles.

Google has recently announced the expansion of its vulnerability rewards program with two events focused on Chrome’s V8 JavaScript rendering engine and on Kernel-based Virtual Machine (KVM).  The v8CTF, which has already started, allows security researchers to earn monetary rewards for successfully exploiting a V8 version running on Google’s infrastructure.  According to the program’s rules, security researchers submitting valid exploits are eligible for a reward of $10,000.  The kvmCTF is set to be launched later this year.

The District of Columbia Board of Elections (DCBOE) recently confirmed that voter records were compromised in a data breach at a third-party services provider.  An independent agency of the District of Columbia Government, the DCBOE is responsible for the administration of ballot access, elections, and voter registration.  The agency stated that on 10/5, it became aware of a cybersecurity incident involving DC voter records.  While the incident remains under investigation, DCBOE’s internal databases and servers were not compromised.

A team of researchers led by the University of North Carolina at Charlotte is working to develop a more secure and reliable power grid. The team will build advanced cybersecurity research capacity in order to better understand how to protect and optimize the energy grid as clean energy sources and production continue to evolve globally.

The invasion of Ukraine by Russia prompted an unprecedented number of individuals to join patriotic cyber gangs. Therefore, to protect civilians, the International Committee of the Red Cross (ICRC) has published rules of engagement for civilian hackers involved in conflicts. According to the ICRC, this is not the first time civilian hackers have operated in an armed conflict, nor will it be the last.

The Rochester Institute of Technology (RIT) will use the $500,000 funding from the Google Cybersecurity Clinics Fund to train new cybersecurity professionals and provide public services. The funding from Google[.]org, the company's philanthropic arm, is part of a $20 million partnership with the Consortium of Cybersecurity Clinics announced by Google's CEO, Sundar Pichai, in June. RIT's cybersecurity clinic will deploy student teams to provide free cyber assessment services and resources to community groups, including nonprofits, small businesses, municipal organizations, and schools.

In a recent experimental breakthrough in secure quantum communication, researchers at the Indian Institute of Technology (IIT) Delhi have achieved a trusted-node-free Quantum Key Distribution (QKD) up to 380 kilometers in standard telecom fiber with a low Quantum Bit Error Rate (QBER). Low QBER enables the Differential Phase Shift (DPS) QKD scheme to be resistant to collective and individual attacks. This article continues to discuss IIT Delhi's experimental breakthrough in secure quantum communication.

Oospy, a short-lived spyware operation that emerged earlier this year after its predecessor Spyhide was compromised, has ceased operations. In July, Oospy appeared online as a rebranding of the phone monitoring app called Spyhide, which enabled the surveillance of tens of thousands of Android device owners. After a security breach exposed the operation and its administrators, Spyhide was shut down.