Metasecurity Solutions

Metasecurity goes beyond just security: our systems are trusted by IT and security teams for a comprehensive approach to managing technology risks. MSS offers in-depth analysis of your technology’s impact on the environment, helping to align with key ESG metrics. Our research lives at the intersection of AI, other emergent technologies and security.

Microsoft has earned special enmity from the cybersecurity community for charging its customers extra for better security protections like threat monitoring, antivirus, and user access management. In January 2023, the company touted that its security division had passed $20 billion in annual revenue.

Microsoft has increasingly shifted its perspective on cybersecurity, transforming it from a protective measure into a substantial revenue stream. This intense focus on profitability has not only become an addiction but has also seriously warped their approach to product design. It's clear that their strategic decisions are now heavily influenced by the potential for financial gain, rather than the foundational aim of ensuring user safety and security.

https://www.cybereason.com/blog/microsofts-failure-to-prioritize-security-puts-everyone-at-risk

Microsoft’s Failure to Prioritize Security Puts Everyone at Risk

No matter how you justify the “savings” in bundling IT and Security spend together with a (still very expensive) E5 license, the fact is you’d essentially be paying Microsoft twice to protect you from… Microsoft...

Chameleon Android Malware Can Bypass Biometric Security

Active since early 2023, the malware initially targeted mobile banking applications in Australia and Poland, but has since expanded its reach to the UK and Italy.

When initially uncovered, ThreatFabric explains, Chameleon used multiple loggers, had limited malicious functionality, and contained various unused commands, suggesting that it was still under development. Employing a proxy feature and abusing Accessibility Services, it could perform actions on behalf of the victim, allowing attackers to engage in Account Takeover (ATO) and Device Takeover (DTO) attacks, mainly targeting banking and cryptocurrency applications.

The malware was being distributed through phishing pages, posing as legitimate applications, and using a legitimate content distribution network (CDN) for file distribution.

https://www.securityweek.com/chameleon-android-malware-can-bypass-biometric-security/

Chameleon Android Malware Can Bypass Biometric Security

A variant of the Chameleon Android banking trojan features new bypass capabilities and has expanded its targeting area.

SecurityWeek

The high-severity issue, tracked as CVE-2023-6345, is described as an integer overflow bug in Skia, the open source 2D graphics library that serves as the graphics engine in Chrome, Firefox, and other browsers.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the internet giant notes in its advisory, without providing specific details on the observed exploitation.

However, the company says that the flaw was reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG), which suggests that it might be exploited by a spyware vendor.

Over the past several months, Google TAG researchers have uncovered several other zero-day vulnerabilities exploited by vendors of commercial surveillance software, including CVE-2023-5217, a heap buffer overflow in Chrome, patched at the end of September.

The Pentagon’s portfolio boasts more than 800 AI-related unclassified projects, much still in testing. Typically, machine-learning and neural networks are helping humans gain insights and create efficiencies.

Industry advances in computer vision have been essential. Shield AI lets drones operate without GPS, communications or even remote pilots. It’s the key to its Nova, a quadcopter, which U.S. special operations units have used in conflict areas to scout buildings.

On the horizon: The Air Force’s “loyal wingman” program intends to pair piloted aircraft with autonomous ones. An F-16 pilot might, for instance, send out drones to scout, draw enemy fire or attack targets. Air Force leaders are aiming for a debut later this decade.

https://www.securityweek.com/pentagons-ai-initiatives-accelerate-hard-decisions-on-lethal-autonomous-weapons/

Pentagon’s AI Initiatives Accelerate Hard Decisions on Lethal Autonomous Weapons

The U.S. military is increasing use of artificial intelligence (AI) technology that will fundamentally alter the nature of war.

SecurityWeek

The defendant and others then stole about $600,000 from approximately 1,600 victim accounts, by adding a new payment method to the accounts, depositing $5 to each account using the new payment method, and then withdrawing all victim funds.

Law enforcement searched Garrison’s home in February 2023 and discovered software typically used for credential stuffing attacks on his computer, along with approximately 700 config files for these applications.

Additionally, nearly 40 million usernames and passwords that could be used in credential stuffing attacks were found on his computer.

https://www.securityweek.com/us-teen-pleads-guilty-to-credential-stuffing-attack-on-fantasy-sports-website/

US Teen Pleads Guilty to Credential Stuffing Attack on Fantasy Sports Website

Wisconsin teenager Joseph Garrison has admitted in court to launching a credential stuffing attack on a betting website.

SecurityWeek

Check this out. Thief approaches door of house with car parked out front. He is holding a wire antenna. If the car owner has left their keys near the front door, the wire antenna will boost the signal. Success! The key fob is near the door. Signal boosted. This causes the car to think the key is very near to it, and opens the car door. Thief's accomplice gets in and starts the car. They drive away!

https://mastodon.social/@it4sec/111167031354970229

A reportable cyber incident is a cyber incident that leads to, or, if still under the covered entity's investigation, could reasonably lead to any of the following:

(1) a substantial loss of confidentiality, integrity, or availability of a covered information system, network, or operational technology;

(2) a disruption or significant adverse impact on the covered entity's ability to engage in business operations or deliver goods, or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death;

(3) disclosure or unauthorized access directly or indirectly to non-public personal information of a significant number of individuals; or

(4) potential operational disruption to other critical infrastructure systems or assets.

https://www.dhs.gov/sites/default/files/2023-09/DHS%20Congressional%20Report%20-%20Harmonization%20of%20Cyber%20Incident%20Reporting%20to%20the%20Federal%20Government.pdf

Unless you updated your browser in the past few days, it likely contains a critical flaw. The recently disclosed vulnerability exists in the WebP code library known as libwebp, which encodes and decodes images in the widely used WebP format. Known generally as a “heap buffer overflow,” the flaw can be exploited using a specially crafted malicious image, allowing an attacker to run malicious code on a targeted device. Google says the bug has already been exploited in the wild.

Initially identified early this week as a zero-day vulnerability in Google’s Chrome browser, the libwebp bug impacts browsers built using Chromium, which means Chrome, Microsoft Edge, Opera, Brave, and more. It also affects apps like Telegram, 1Password, Thunderbird, and Gimp. Patches for the flaw are rolling out now, so keep your eyes peeled for updates.

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

NVD - CVE-2023-4863

The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called "Org2Org") with the target.

From this, they "manipulated the username parameter for targeted users in the second 'source' Identity Provider to match a real user in the compromised 'target' Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user."

https://www.theregister.com/2023/09/01/okta_scattered_spider/

More Okta customers trapped in Scattered Spider's web

Oktapus phishing campaign criminals are back in action

The Register

ChatGPT and other artificially intelligent siblings have been tweaked over and over to prevent troublemakers from getting them to spit out undesirable messages such as hate speech, personal information, or step-by-step instructions for building an improvised bomb. But researchers at last week showed that adding a simple incantation to a prompt can defy all of these defenses in several popular chatbots at once.

The work suggests that the propensity for the cleverest AI chatbots to go off the rails isn’t just a quirk that can be papered over with a few simple rules. Instead, it represents a more fundamental weakness that will complicate efforts to deploy the most advanced AI.

Read the study:
https://llm-attacks.org/

Universal and Transferable Attacks on Aligned Language Models