Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

In Other News: WEF’s Unsurprising Cybersecurity Findings, KyberSlash Cryptography Flaw

Noteworthy stories that might have slipped under the radar: WEF releases a cybersecurity report with unsurprising findings, and KyberSlash cryptography vulnerabilities.

Cybersecurity News tidbits

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

Here are this week’s stories:   

WEF publishes cybersecurity report with unsurprising findings

The World Economic Forum (WEF) published its Global Cybersecurity Outlook 2024 report. It is primarily based on survey responses from 200 respondents in almost 50 countries, and supplemented with discussions with 140 executives able to attend a meeting in November 2023.

The outcome will surprise few cybersecurity professionals. Greater resilience and improved public/private cooperation is necessary. Third-parties increase the attack surface. AI will prove disruptive (both in attack and defense), and we can expect AI-assisted disinformation campaigns in the 2024 elections year. Regulations are increasing, and are considered by WEF to be a good thing — even though many non-WEF cybersecurity professionals consider them a threat to cybersecurity implementation.

Equally unsurprising is that difficulties affect smaller companies more drastically than larger companies: the skills gap is wider while the absence of cyberinsurance is more prevalent. There is, however, little of true value to the cybersecurity professional in the trenches of cyber defense.

Advertisement. Scroll to continue reading.

KyberSlash vulnerability in the Kyber KEM post-quantum algorithm

On December 30, 2023, researchers announced a timing vulnerability (dubbed KyberSlash) in several implementations of Kyber (a key encapsulation mechanism selected by NIST for post-quantum cryptography). The vulnerability could allow attackers to recover the private key. This is not the first problem with NIST PQC candidates — see also the cracking of SIKE.

“KyberSlash yet again underscores the importance of [crypto] agility in a robust cryptographic deployment,” commented Joey Lupo, product security architect at QuSecure. Crypto agility allows rapid switching from one encryption algorithm to another if the incumbent is cracked. While this is essential for encryption going forward, crypto agility cannot protect IP that may already be stolen through ‘harvest now, decrypt later’ campaigns.

Self-spreading Mirai-based NoaBot botnet

Since the beginning of 2023, a self-spreading Mirai-based botnet has been actively infecting devices as part of a crypto-mining campaign. Dubbed NoaBot, the malware also features a SSH key backdoor, can be used in distributed denial-of-service (DDoS) attacks, and drops a modified version of the XMRig miner. To date, more than 800 devices appear to have been infected with NoaBot.

Iranian APT targets Albania in wiper attack

An Iran-linked APT that has been launching ransomware and destructive attacks against Albania since at least July 2022 has recently taken control of systems associated with Albanian infrastructure and government organizations and deployed a wiper, according to ClearSky Security. The company believes this Iranian destruction campaign could threaten other countries as well.

North Korean hackers stole $600 million in cryptocurrency in 2023

North Korean hackers stole at least $600 million in cryptocurrency in 2023, according to TRM Labs. North Korea was responsible for nearly a third of all funds stolen in crypto-related attacks last year. 

Paladin Global Institute launched to help protect global critical infrastructure and users

Cyber-focused venture capital firm Paladin Capital Group has launched the Paladin Global Institute, whose goal is to help protect critical infrastructure from cyber threats and enhance online safety through research and advocacy, policy recommendations, and public-private sector collaboration. Kemba Walden, former Acting National Cyber Director, has been named the institute’s president. 

ZDI disclosed 1,900 vulnerabilities in 2023

Trend Micro’s Zero Day Initiative (ZDI) disclosed more than 19,000 vulnerabilities in 2023. Other information on the company’s activity is available in a new report summarizing its contribution to the industry. 

Cloudflare publishes DDoS and API reports

Cloudflare has published a DDoS threat report for the fourth quarter of 2023, as well as its API Security Report for 2024, which is based on the analysis of real traffic data. 

OpenSSL, Chrome, Fortinet, Juniper patches

Patches for OpenSSL, Chrome and products made by Fortinet and Juniper were announced this week.

Vulnerabilities in medical devices, smart home products, and IT management software

Pentagrid identified several vulnerabilities in Lantronix EDS-MD, an IoT gateway for medical devices and equipment. The vulnerabilities include command injection, CSRF, missing authentication, and XSS vulnerabilities, as well as outdated software components.

Gotham Security researchers found critical vulnerabilities in the ConnectWise ScreenConnect remote control software. Two vulnerabilities that have now been patched can allow a non-privileged attacker with existing access to a system to execute arbitrary code with elevated privileges. 

Bitdefender researchers discovered that the Bosch BCC100 thermostat is affected by a vulnerability that allows an attacker on the same network to replace the device firmware with a rogue version.

Related: In Other News: US Ransomware Attacks, 23andMe Blames Victims, Nuclear Waste Hacking Attempt

Related: In Other News: Ubisoft Hack, NASA Security Guidance, TikTok Requests iPhone Passcode

Written By

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.