"Censys Reveals Open Directories Share More Than 2,000 TB of Unprotected Data"

Open directories pose a significant security threat to organizations as they could leak sensitive data, intellectual property, or technical data that may enable an attacker to compromise an entire system. According to new research from the Internet intelligence platform, Censys, over 2,000 TB of unprotected data, including complete databases and documents, is currently accessible in open directories globally.

Submitted by grigby1 CPVI on

"FBI: Dual Ransomware Attack Victims Now Get Hit Within 48 Hours"

The FBI has issued a warning regarding a new trend of ransomware attacks in which multiple strains are launched on victims' networks to encrypt systems in less than two days. The FBI issued a Private Industry Notification in response to trends observed in July 2023. The federal law enforcement agency explains that ransomware affiliates and operators have been observed targeting victim organizations with two different variants. AvosLocker, Diamond, Hive, Karakurt, LockBit, and Quantum are some of the variants used in these dual ransomware attacks.

Submitted by grigby1 CPVI on

"Phishing, Smishing Surge Targets US Postal Service"

Security researchers at DomainTools have witnessed a significant increase in cyberattacks targeting the US Postal Service (USPS), mainly through phishing and smishing campaigns. One smishing message raised suspicions due to its peculiar language, suggesting the involvement of a non-native English speaker or reliance on translation services. The researchers traced a domain marked with a high-risk score, leading to the discovery of 163 related domains associated with email addresses following a familiar naming convention.

Submitted by Adam Ekwall on

"Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm"

The Lazarus Group has been linked to a cyber espionage attack against an unnamed aerospace company in Spain. The threat actor posed as a recruiter for Meta and approached the company's employees. Peter Kálnai, an ESET security researcher, explained that employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file disguised as a coding challenge or quiz.

Submitted by grigby1 CPVI on

"NSA Releases Guidance on Acceptance Testing for Supply Chain Risk Management"

The National Security Agency's (NSA) Cybersecurity Information Sheet (CSI) titled "Procurement and Acceptance Testing Guide for Servers, Laptops, and Desktop Computers" encourages US Government departments and agencies operating National Security Systems (NSS) to implement an effective supply chain risk management strategy. NSA recommends that enterprise computing systems be procured with a robust set of security capabilities that are tested before acceptance.

Submitted by grigby1 CPVI on

"Malicious Ads Creep Into Bing Chat Responses"

Users of Microsoft's Bing Chat, a GPT-4-powered search engine introduced this year, are being targeted with malicious ads. According to researchers at Malwarebytes, searching for Advanced IP Scanner (network-scanning software) or MyCase (legal case management software) could result in an infection.

Submitted by grigby1 CPVI on

"Attacks on Azerbaijan Businesses Drop Malware via Fake Image Files"

A spear-phishing email appearing to be a memo from the president of an Azerbaijan company hid malware behind images in order to infiltrate businesses affiliated with the company. According to researchers at Fortinet, the emails contained a zip file and referenced the conflict between Azerbaijan and Armenia. The images in that file had both legitimate and malicious content. The phishing campaign targeted management teams of businesses associated with the Azerbaijani company.

Submitted by grigby1 CPVI on

"Microsoft Breach Exposed 60,000 State Department Emails"

According to Microsoft, a sophisticated Chinese cyber-espionage campaign targeting Microsoft Outlook accounts gave Beijing access to tens of thousands of private US government emails. The Storm-0558 group was able to steal 60,000 emails from 10 State Department accounts, nine of which were used by individuals working on East Asia and Pacific diplomacy. According to a State Department briefing, the hackers were also able to get hold of a list containing all of the department’s email accounts.

Submitted by Adam Ekwall on

"NIST Publishes Final Version of 800-82r3 OT Security Guide"

NIST recently published the final version of its latest guide to operational technology (OT) security. NIST published the first draft of Special Publication (SP) 800-82r3 (Revision 3) in April 2021, with a second draft being released one year later. Now, Revision 3 of the OT security guide has been finalized. The new 316-page document provides guidance on improving the security of OT systems while addressing their unique safety, reliability, and performance requirements.

Submitted by Adam Ekwall on

"ROBOT Crypto Attack on RSA Is Back as Marvin Arrives"

Hubert Kario, a senior quality engineer on the QE BaseOS Security team at Red Hat, has discovered flaws in a 25-year-old method for encrypting data using RSA public-key cryptography. According to Kario, in a paper titled "Everlasting ROBOT: the Marvin Attack," many software implementations of the PKCS#1 v1.5 padding scheme for RSA key exchange, which were previously thought to be immune to Daniel Bleichenbacher's well-known attack, are actually vulnerable.

Submitted by grigby1 CPVI on