What’s the latest in the cyber world today?
FBI, Courier Frauds, Jenkins Flaw, Outlook Password Exposure Flaw, Microsoft, Outlook Connectivity Glitch, WatchGuard, Panda Security, Mercedes, Private Key Leak, Schneider Electric, Ransomware, Data Breach, Ukrainian Prisoners of War Department, New Jersey Freehold Schools, Timex Group, Stolen SSNs, White House, AI Initiatives and Regulations, Former DHS Employees, Stolen Government Data, UK Lawmakers, Facial Recognition, OpenAI, Privacy Scrutiny, Trump’s Tax Returns, IRS.
Cyber Alerts
The FBI has issued a warning about scammers who manipulate seniors into liquidating assets for cash or precious metals and handing them to couriers. Posing as tech support or government officials, the perpetrators convince victims that their financial accounts are at risk and that the only way to protect the funds is to convert them and hand them over. The scheme has caused significant financial losses, and the FBI advises against sending valuables to couriers or sharing personal information with unsolicited callers, urging victims to report such scams immediately so they can be investigated.
Security researchers are warning that proof-of-concept exploits for the recently disclosed critical Jenkins vulnerability, CVE-2024-23897, are now public. Jenkins, a widely used open-source automation server, fixed nine security flaws in the same release, including the critical one reported by Yaniv Nizry of Sonar: the built-in command-line interface (CLI) expands an argument beginning with an “@” character into the contents of a file on the controller, giving attackers an arbitrary file read that can be chained into remote code execution. The fix shipped in Jenkins 2.442 and LTS 2.426.3; administrators who cannot upgrade immediately should disable access to the CLI, as the project’s advisory recommends. With weaponized exploits circulating and over 75,000 internet-facing instances identified, a surge in attacks exploiting the flaw is expected.
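For readers who need to find unpatched controllers in their own fleet, the following is an added example of a version-triage script; it is not part of the original article or of Jenkins’ own tooling. It assumes the fixed releases named in the Jenkins advisory (2.442 for the weekly line, 2.426.3 for LTS) and relies on the `X-Jenkins` response header a controller sends, which a scanner would have recorded; the inventory below is constructed for illustration and the hostnames are not real.

```python
"""Triage Jenkins controllers for CVE-2024-23897 by version string.

Added example: maps recorded HTTP headers to fixed / vulnerable / unknown.
"""
import re

# First releases containing the fix, per the Jenkins advisory of 2024-01-24.
FIXED_WEEKLY = (2, 442)      # weekly line uses two components: 2.<n>
FIXED_LTS = (2, 426, 3)      # LTS line uses three components: 2.<n>.<m>

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return a tuple of ints for '2.441' or '2.426.2'; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)


def is_fixed(version):
    """True if this Jenkins version contains the CVE-2024-23897 fix.

    Weekly and LTS releases each have their own first fixed version, so the
    two lines are told apart by component count and compared separately.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    if len(parsed) == 2:
        return parsed >= FIXED_WEEKLY
    return parsed >= FIXED_LTS


def version_from_headers(headers):
    """Pull the version from the X-Jenkins header (case-insensitive lookup)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(inventory):
    """Map host -> 'fixed' | 'vulnerable' | 'unknown' for host -> headers."""
    result = {}
    for host, headers in inventory.items():
        version = version_from_headers(headers)
        if version is None or parse_version(version) is None:
            result[host] = "unknown"
        else:
            result[host] = "fixed" if is_fixed(version) else "vulnerable"
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "ci-weekly.example.test": {"X-Jenkins": "2.441"},
    "ci-lts.example.test": {"x-jenkins": "2.426.2"},
    "ci-lts-new.example.test": {"X-Jenkins": "2.426.3"},
    "ci-lts-later.example.test": {"X-Jenkins": "2.440.1"},
    "not-jenkins.example.test": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28s} {status}")
```

A version check is only a first pass: a reverse proxy may strip the header, a controller that disabled CLI access is mitigated despite an old version, and the hosts marked unknown still need a manual look.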
An information-disclosure flaw in Microsoft Outlook (CVE-2023-35636) lets attackers capture a victim’s NTLMv2 hash, which can then be cracked offline or relayed to other services. Exploitation requires tricking the user into opening a specially crafted file delivered by email or from a malicious website; when Outlook processes the file, the client authenticates to an attacker-controlled server and leaks the hash. Microsoft fixed the issue in its December 2023 Patch Tuesday updates and urges users to apply them promptly. As defence in depth, blocking outbound SMB (TCP port 445) at the network edge stops Windows hosts from sending NTLM credentials to external servers in the first place.
Microsoft is actively investigating a connectivity issue affecting Outlook.com accounts, causing disruptions for users of Outlook 2013, Outlook 2016, Outlook for Microsoft 365, Thunderbird, and various mobile email apps. The problem, reported since January 23, 2024, prompts users to repeatedly enter passwords, even when using App Passwords. Affected customers are advised to use Outlook.com on the web until a fix is implemented. The Outlook Team is diligently working on resolving the issue and promises to provide more details as progress is made toward a solution.
Sophos identified vulnerabilities in Panda Security products that could allow attackers to execute arbitrary code or cause a denial of service. The flaws are in the Panda Kernel Memory Access driver installed with WatchGuard EPDR, Panda AD360 and Panda Dome for Windows. Exploitation requires an authenticated attacker who already holds administrative privileges, which limits the impact; the vulnerabilities were fixed in the latest product updates. The caveat is that signed kernel drivers with such flaws remain attractive to attackers, who can bring the vulnerable driver onto a machine they already administer to run code in the kernel, so the old driver versions should be treated as something to block rather than merely replace.
Cyber Incidents
Researchers at RedHunt Labs uncovered a major security lapse at Mercedes-Benz, which exposed internal data, including source code, by leaving a credential accessible online. During a routine internet scan in January the firm found an authentication token belonging to a Mercedes employee in a public GitHub repository. The token could have granted unrestricted access to Mercedes’s entire source code repositories, exposing sensitive material such as connection strings, cloud access keys and design documents.
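The check that prevents this class of leak is scanning what is about to be pushed for credential shapes. The script below is an added example of such a pre-push scan and is not Mercedes-Benz’s or RedHunt Labs’ tooling. It assumes the published shapes of GitHub tokens (a `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefix plus 36 base62 characters for classic tokens; `github_pat_` plus 22 characters, an underscore and 59 more for fine-grained tokens) and PEM private-key headers; the diff it scans is constructed for illustration, and the token in it is a made-up value, not a real credential.

```python
"""Scan the added lines of a git diff for credentials before they are pushed.

Added example; not the tooling of any organisation named in the article.
"""
import re

# Assumed token shapes (GitHub's documented prefixes and lengths).
TOKEN_PATTERNS = {
    "github_token_classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_token_fine_grained": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def mask(secret):
    """Keep only the prefix and last four characters so reports are safe to log."""
    return secret[:4] + "..." + secret[-4:]


def match_line(line):
    """Yield (kind, display) for every credential found in one line of text."""
    for kind, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(line):
            yield kind, mask(m.group(0))
    m = PRIVATE_KEY_RE.search(line)
    if m:
        yield "private_key_block", m.group(0)


def scan_text(text):
    """Scan a plain file body; returns [(line_no, kind, display)]."""
    return [(n, kind, shown)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, shown in match_line(line)]


def scan_diff(diff_text):
    """Scan only the lines a unified diff adds; returns [(path, line_no, kind, display)].

    Line numbers are tracked from each @@ hunk header so a finding points at
    the line in the new file, which is what the developer has to fix.
    """
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("--- "):
            continue  # old-file header, not content
        elif raw.startswith("+"):
            findings.extend((path, new_line, kind, shown)
                            for kind, shown in match_line(raw[1:]))
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed line: absent from the new file, no line number
        else:
            new_line += 1  # context line
    return findings


# Constructed sample diff (hypothetical paths; the token is a made-up value).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@
 DEBUG = False
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
+# TODO remove before release
 DATABASE_URL = os.environ["DATABASE_URL"]
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA
+-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, line_no, kind, shown in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line_no}: {kind}: {shown}")
```

Wired into a pre-push hook (`git diff origin/main...HEAD | python3 scan.py`), a non-empty result is grounds to refuse the push; a token that has already reached a public repository should be treated as compromised and revoked regardless of how quickly the commit is removed, since GitHub history and third-party scanners will have seen it.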
Schneider Electric’s Sustainability Business division is grappling with a ransomware attack that has also led to a data breach, the company confirmed on Monday. Limited to this specific division, deemed an “autonomous entity operating its isolated network infrastructure,” the cyberattack has affected systems like Resource Advisor. Despite the disruption, Schneider Electric anticipates a return to normal business operations within two days, but ongoing investigations suggest unauthorized access to data, including customer information. The Cactus ransomware group is suspected to be behind the attack, marking another cybersecurity challenge for Schneider Electric, which had previously fallen victim to the Cl0p gang’s extensive MOVEit attack campaign.
The Ukrainian government department overseeing Prisoners of War (POWs) faced a cyberattack as the Coordination Headquarters for the Treatment of Prisoners of War (KSHPPV) website was hit by a DDoS attack. In a Telegram post, KSHPPV suggested that the attackers sought to suppress information on POW exchanges and the downing of an IL-76 aircraft. This incident follows recent cyberattacks on both Ukrainian and Russian targets, including Naftogaz, Ukraine’s largest gas and oil company, and a reported cyberattack on Russia’s Far Eastern Scientific Research Center of Space Hydrometeorology.
The Freehold Township School District in New Jersey abruptly closed its schools and offices on Jan. 28 due to a cybersecurity incident, causing technical difficulties. Officials stated that they are actively working with third-party cybersecurity experts to resolve the issue but provided no further details on the nature of the attack. Apologies were issued by Dianne Martello Brethauer, the district assistant superintendent, while Michael Amoroso, president of the Freehold Township Board of Education, mentioned an ongoing investigation and assured that updates on Tuesday’s schedule would be communicated when available.
Timex Group, the renowned US watch manufacturer, disclosed a data breach where attackers infiltrated the company’s systems in June 2023, potentially compromising personal details, including Social Security numbers (SSNs).
Cyber News
The White House highlighted advancements in artificial intelligence (AI) on Monday, showcasing a surge in federal hiring and increased funding for regional AI research. Since President Joe Biden’s executive order in late October positioning the U.S. as an AI leader, departments like State and Transportation, the National Science Foundation, and the Office of Management and Budget have invested in AI innovation and workforce training. Simultaneously, the Department of Commerce proposed regulations requiring infrastructure-as-a-service providers to report transactions enabling foreign individuals to train large AI models for potential malicious online use, aligning with the government’s push for transparency and safety in AI development.
Three former Department of Homeland Security (DHS) employees, including the former Acting Inspector General, received prison sentences for stealing U.S. government software and databases containing personal data of 200,000 federal employees. Charles K. Edwards, sentenced to 1.5 years, Sonal Patel, sentenced to 2 years of probation, and Murali Y. Venkata, sentenced to 4 months, had conspired to steal proprietary U.S. software while employed at the U.S. Postal Service Office of Inspector General. The stolen assets were shared with Indian developers to create a commercial product, raising concerns about the exposure of personally identifiable information (PII) from DHS-OIG and USPS-OIG databases.
UK lawmakers, including members of the House of Lords, have expressed concerns about the legal basis of live facial recognition technology used by police, urging parliamentary legislation for proper scrutiny. The letter from the Justice and Home Affairs Committee highlighted the expansion of facial recognition without adequate accountability. Questions about the technology’s accuracy and civil liberties have led to calls for legislation, emphasizing the need for parliamentary approval.
OpenAI is under scrutiny from the Italian data protection authority, Garante, which found that the company apparently violated European privacy laws. The regulator imposed a temporary ban on OpenAI’s large language model chatbot in 2023, citing violations of the European General Data Protection Regulation. Although in-country access was restored after OpenAI implemented changes, including age verification and an opt-out form, the Italian agency now claims that the company continues to violate privacy laws. OpenAI has 30 days to respond to the findings, and this comes amid increased European scrutiny of the company’s privacy practices, with other regulators in Germany, France, Spain, and Poland also conducting investigations.
Charles Littlejohn, sentenced to five years for leaking Donald Trump’s tax returns, meticulously planned to download the former president’s data from an IRS database while evading detection.