In Other News: Nvidia Fixes Critical Flaw, Chinese Linux Backdoor, New Details in WhatsApp-NSO Lawsuit 


SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports. 

Here are this week’s stories: 

How Microsoft tightened its cybersecurity grip on the US government

A ProPublica report looks at how Microsoft made the US government dependent on its cybersecurity services. In response to President Biden’s request for help in 2021 following a series of cyberattacks, Microsoft pledged to give the government $150 million in cybersecurity services. However, insiders told the publication that this was in fact a “calculated business maneuver designed to bring in billions of dollars in new revenue, box competitors out of lucrative government contracts and tighten the company’s grip on federal business”.

Wormable XSS in Bing

A researcher has disclosed the details of a recently uncovered vulnerability in Microsoft’s Bing search service. The flaw, a cross-site scripting (XSS) issue, could have allowed an attacker to execute arbitrary code in the targeted users’ browsers via malicious maps, with the researcher describing it as a wormable attack. Microsoft patched the vulnerability within a month. 


Mozilla research into body-centric data collection

Mozilla has published a research paper looking at body-centric data collection, which has grown in recent years. The collection of such data poses a significant risk to individuals and society as a whole. The research found that AI tools amplify existing harms and introduce new risks, and existing legal frameworks fall short in addressing the risks.

Security testing of 30 popular Android VPNs

Top10VPN has published the results of security and privacy testing targeting 30 popular paid VPN apps for Android. The research found exposure and collection of personal data, data leaks, weak handshake protocols and encryption, risky permissions and hardware, VPN tunnel instability, and the use of third-party DNS servers.

Court documents shed more light on use of NSO spyware

Court documents made public as part of the lawsuit between WhatsApp and Israeli spyware maker NSO Group revealed that NSO banned some customers from using its Pegasus product due to abuse. The documents also show that NSO installs and operates spyware for its customers, contradicting the company’s previous claims. NSO continues to stand by those claims. 

Google says AI-enhanced fuzzing is paying off

Google says AI-enhanced fuzzing has proven to be highly effective in identifying vulnerabilities in open source projects. Over two dozen vulnerabilities were discovered recently, including an OpenSSL issue that Google believes wouldn’t have been found with existing fuzz targets written by humans.

Government agencies impersonated in DocuSign attacks

SlashNext has seen an increase in DocuSign attacks that rely on emails purporting to come from government agencies. The company says these attacks target businesses and exploit the trust relationship they have with regulatory bodies. SlashNext has seen malicious emails claiming to come from the Department of Health and Human Services, the Maryland Department of Transportation, the State of North Carolina’s Electronic Vendor portal, and various cities. 

Google, Atlassian, Adobe and Nvidia patches

Google has patched a high-severity vulnerability in Chrome and rewarded the reporting researcher with $8,000. 

Atlassian has published its security bulletin for November 2024, informing customers about 19 high-severity flaws resolved in Bamboo, Bitbucket, Confluence, Crowd, Jira and Sourcetree products. 

Nvidia has published two new advisories: one describes a high-severity DoS and information disclosure flaw in Delegated Licensing Service, and one a critical flaw in Base Command Manager that could lead to code execution, DoS, escalation of privilege, or data tampering. Nvidia rarely addresses critical flaws. Only nine other advisories published by the company since 2018 address critical vulnerabilities.

Adobe has released InDesign updates to address a medium-severity vulnerability that could lead to a memory leak.

Linux backdoor used by Chinese hackers

ESET has published a report describing a Linux backdoor, named WolfsBane, that has been used by the China-linked APT Gelsemium. The company says there are no other public reports of this threat actor using Linux malware. 

Analysis of FrostyGoop ICS malware

Palo Alto Networks has conducted a detailed analysis of FrostyGoop, an ICS malware that left a Ukrainian city’s residents without heating. The security firm’s analysis led to new samples being uncovered, as well as related indicators of compromise (IoCs).

Ubuntu privilege escalation vulnerabilities

Qualys has identified five local privilege escalation (LPE) vulnerabilities in a component called ‘needrestart’, which is installed by default on Ubuntu Server. The vulnerabilities can be exploited by any unprivileged user to gain full root access without user interaction.
