Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

In Other News: Google AI Hacking, Font Vulnerabilities, IBM Training Facility

Noteworthy stories that might have slipped under the radar: Google AI bug bounties, font vulnerabilities, IBM opens new training facility.

Cybersecurity News tidbits

SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports. 

Here are this week’s stories:   

IBM opens new cyber response training facility

IBM has launched a new X-Force Cyber Range in Washington, DC. The new cyber response training facility provides custom training exercises for federal agencies, their suppliers and critical infrastructure organizations. The simulations can help organizations find gaps in their incident response plans, learn how to investigate cyberattacks, and gain insight into the mind of threat actors. 

Google terminates thousands of accounts used for influence operations

Google has terminated thousands of accounts used for coordinated influence operations. The company’s latest quarterly TAG bulletin reveals that it targeted domains, Ads accounts, and YouTube channels that were part of operations linked to China, Indonesia, Kuwait, Turkey, Israel and Italy. 

Advertisement. Scroll to continue reading.

Updates on Microsoft’s Secure Future Initiative

Microsoft has shared updates on its recently launched Secure Future Initiative. The steps taken by the company to boost the security of its infrastructure through this initiative include passing much of its code through the CodeQL security analysis engine, donations to the Rust and Alpha-Omega projects, and expanding use of its Microsoft Authentication Library (MSAL).

CISA and NSA release cloud security resources 

CISA and the NSA have published five cybersecurity information sheets focusing on cloud security. The resources cover identity and access management, key management, network segmentation and encryption, data protection, and managed service provider risk mitigations. 

NSA guidance on zero trust maturity

The NSA published new guidance (PDF) on achieving zero trust maturity through the network and environment pillar, an integral part of the zero trust security model. The guide defines network and environment security and provides recommendations on improving security through data flow mapping, macro and micro segmentation, and software defined networking.

Font vulnerabilities

Canva researchers have discovered several vulnerabilities related to the way fonts are handled. The flaws can allow XXE attacks and arbitrary command execution. Each vulnerability has been patched. 

Google AI hacking earns researchers $50,000

Researchers said they earned a total of $50,000 for finding and demonstrating vulnerabilities in Google’s Bard AI (now called Gemini) as part of a hacking competition. The security issues they discovered could have led to user data exfiltration, DoS attacks, and access to a targeted user’s uploaded images.

Network tunneling with QEMU

Kaspersky researchers have analyzed an attack where threat actors abused the QEMU machine emulator for network tunneling. Network tunnels between victim systems and the adversary’s servers can be used to bypass NAT and firewalls to gain access to internal systems. QEMU does not use any extra encryption when tunneling traffic and instead transmits encapsulated packets unencrypted.

Capita discloses £25M ($32M) costs related to 2023 cyberattack

British outsourcing company Capita says that the ransomware attack it fell victim to in March 2023 incurred net costs of £25 million (~$32 million), representing professional fees, recovery and remediation costs, and investments in improving its cybersecurity. For 2023, the company reported (PDF) £106.6 million ($135.5 million) in losses. 

UniCredit bank fined $3.1 million for data breach

The Italian bank UniCredit has been fined by the country’s data protection authority over a 2018 data breach that impacted nearly 780,000 customers. UniCredit has been ordered to pay €2.8 million ($3.1 million), but said it would appeal the decision.

Related: In Other News: Google Flaw Exploited, 3D Printers Hacked, WhatsApp Gets NSO Spyware

Related: In Other News: Spyware Vendor Shutdown, Freenom-Meta Settlement, 232 Threat Groups

Written By

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.