
Kremlin claims Ukraine hackers behind fake missile strike alerts
2023-02-23 06:30

Millions of Russians in almost a dozen cities throughout the country were greeted Wednesday morning by radio alerts, text messages, and sirens warning of an air raid or missile strikes that never occurred. According to reports from news operations in Russia, a woman's voice was broadcast through a number of radio stations - including Relax FM, Avtoradio, Yumor FM, and Comedy Radio - saying, "Attention, an air raid warning is being announced. Go to the shelter immediately. Attention, Attention, threat of a missile strike."

Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries
2023-02-23 06:25

Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.

Datacenters in China, Singapore, cracked by crims who then targeted tenants
2023-02-23 05:45

Criminals have targeted datacenter operators in Singapore and China, tapping into their CCTV cameras, accessing their tenant lists and then attacking those customers. That lateral movement included accessing a list of the datacenter operator's CCTV cameras "with associated video stream identifiers used to monitor datacenter environments, as well as credential information related to operators and customers."

Insider threats must be top-of-mind for organizations facing layoffs
2023-02-23 05:00

Amid uncertain economic conditions, the technology sector has been a hot topic of discussion in recent months because of mass layoffs across the industry. In this Help Net Security video, Nick Tausek, Lead Security Automation Architect at Swimlane, explains why organizations need to prepare for insider threats, given the stress, anxiety, frustration, and uncertainty facing these suddenly unemployed workers.

CISOs struggle with stress and limited resources
2023-02-23 04:30

94% of CISOs report being stressed at work, with 65% admitting work-related stress issues are compromising their ability to protect their organization, according to Cynet. According to the report, 74% say they are losing team members because of work-related stress issues, with 47% of these CISOs having more than one team member exit their role over the last 12 months.

The potential pitfalls of open source management
2023-02-23 04:00

The findings of the report deliver an in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software with the goal of helping security, legal, risk, and development teams better understand the open source security and license risk landscape. "An increase in the average number of open source components rising 13% in this year's audits further reinforces the importance of implementing a comprehensive SBOM that lists all open source components in your applications, their licenses, versions, and patch status. This is a foundational strategy towards understanding and reducing business risk by defending against software supply chain attacks," Schmitt continued.

Lawyers join forces to fight common enemy: The SEC and its probes into cyber-victims
2023-02-23 02:00

More than 80 law firms say they are "deeply troubled" by the US Securities and Exchange Commission's demand that Covington & Burling hand over names of its clients whose information was stolen by Chinese state-sponsored hackers. In an amicus brief filed this week, 83 firms with a total of more than 50,000 attorneys employed backed their fellow lawyers in Covington's ongoing battle with America's financial watchdog.

Hackers use fake ChatGPT apps to push Windows, Android malware
2023-02-22 21:58

Threat actors are exploiting the popularity of OpenAI's ChatGPT chatbot to distribute malware for Windows and Android, or direct unsuspecting victims to phishing pages. Security researcher Dominic Alvieri was among the first to notice one such example using the domain "Chat-gpt-pc.online" to infect visitors with the Redline info-stealing malware under the guise of a download for a ChatGPT Windows desktop client.

NSA shares guidance on how to secure your home network
2023-02-22 21:40

The U.S. National Security Agency has issued guidance to help remote workers secure their home networks and defend their devices from attacks. "At a minimum, you should schedule weekly reboots of your routing device, smartphones, and computers. Regular reboots help to remove implants and ensure security," the NSA said.

Google paid $12 million in bug bounties to security researchers
2023-02-22 21:17

Google last year paid its highest bug bounty ever through the Vulnerability Reward Program for a critical exploit chain report that the company valued at $605,000. In total, Google spent over $12 million for more than 2,900 vulnerabilities in its products discovered and reported by security researchers.