This week
ChatGPT as your Security Copilot
- Microsoft has announced that it is bringing artificial intelligence to security workflows. Security Copilot provides users with a prompt box to ask questions, share files and malware samples, and get advice on investigations and response activities.
- The introductory video shows some very cool functionality. Still, it is clear that the system is far from perfect: Security Copilot confidently discusses an issue with Windows 9, an operating system that does not exist. Getting precise results from security tooling is important when investigating potential incidents. It’s not helpful if the AI system hallucinates employees or customers because they fit a pattern of who could have been affected, for example. While touted as a way to improve accessibility to advanced security capabilities, if you don’t have the skills and aren’t able to spend the time reviewing the accuracy of each response, you could end up well off-course quickly.
- Microsoft also announced that Exchange Online will soon be able to throttle and block emails originating from older, unpatched versions of Exchange and general availability of a platform-agnostic Incident Response Retainer.
- It’s not all been good news for the Redmond-based company, though, as bug bounty hunters found an app used to control the Bing search engine was misconfigured and any member of the public with a Microsoft account could log in. Naturally, they gave the Hackers movie the top spot for the search ‘best soundtracks’.
Supply chain attack at VOIP service provider linked to North Korea
- 3CX: Attackers have compromised software distributed by VOIP provider 3CX to more than 600,000 organisations like BMW, McDonald’s, and the NHS. The supply chain attack planted info-stealing malware in the Windows and MacOS versions of the 3CXDesktopApp to harvest credentials and other information from Chrome, Edge, Firefox and other web browsers.
- 3CX’s CEO, Nick Galea acknowledged mistakes in how his company handled the situation, admitting “because of the way VOIP apps work, it wouldn’t be the first time [we got flagged]. It happens quite frequently — so I have to be honest we didn’t take it that seriously”.
- Researchers from CrowdStrike are linking the attack to the North Korean group ‘Labyrinth Chollima’. Electron Windows App versions 18.12.407 and 18.12.416 and Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 are affected, and apparently the malware was inserted into libraries compiled through Git.
- North Korea is also apparently turning to mining pools to launder stolen cryptocurrency, a move that indicates the clampdown on ‘mixer’ services is working.
Interesting stats
70% of company boards will include one member with cyber security expertise by 2026, and 75% of employees will acquire, modify or create technology outside of IT’s visibility by 2027 (up from 41% in 2022), according to predictions from Gartner.
Other newsy bits / in brief
- Vulkan Files: A whistleblower angry at the invasion of Ukraine has leaked documents showing how consultancy NTC Vulkan is supporting Russia’s FSB, GRU and SVR intelligence agencies. The projects include a system to scan and record details of vulnerabilities across the Internet, generate fake social media profiles used for domestic disinformation, and intercept and monitor mobile and Internet communications. One document links the company to the Sandworm group that is believed to be behind the NotPetya ransomware attack.
- Competitive advantage? Chinese researchers have found that e-commerce app Pinduoduo has been using a zero-day to compromise users’ devices. It’s unclear whether it’s a supply chain attack, the work of a malicious insider, or an attempt to boost the app’s metrics.
- Latitude Financial, an Australian consumer lender, has lost 14 million customer records in a March data breach that the company originally said affected only 225,000 customer records. The personal information includes driver’s licence and passport numbers, physical and email addresses, and financial information used in Latitude’s credit-checking processes. TMX Finance, a US loan company, also disclosed a data breach this week affecting 4,822,580 of its customers.
- Fortra’s GoAnywhere file transfer system was in use at children’s mental health care company Brightline, and the Clop ransomware group is threatening to leak the data it stole from the startup ‘soon’. File transfer appliances are being targeted repeatedly, with cybercriminals finding a vulnerability and executing mass attacks to gain access and steal data before companies can react. Rapid7 said this week that it had helped respond to an incident where IBM’s Aspera Faspex servers had been compromised. IBM released a patch for the 9.8/10 critical vulnerability in January.
- Twitter source code has appeared on the profile of an anonymous GitHub user — presumably one of the social media network’s 5,500 former employees.
- WordPress plugin Elementor Pro, used on 11 million websites, is being exploited by attackers to redirect visitors to malicious domains.
- Spyware: US President Biden has signed an executive order that prohibits government organisations from using commercial spyware known to have been used against the US or in human rights abuses. Meanwhile, CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalogue that have been used in spyware campaigns and urged agencies to patch.
- Privacy: Facebook parent company Meta has announced that users in the EU will be able to opt out of sharing first-party data with advertisers. Users must submit a form, and Meta will review the reasons before the request is approved.
- ChatGPT has been ‘temporarily banned’ in Italy by the country’s data protection authority over privacy concerns.
- Infostealers: New macOS ‘MacStealer’ malware steals passwords from iCloud Keychain and passwords, cookies and card details from popular web browsers. A toolkit dubbed ‘AlienFox’ scans for misconfigured servers to steal credentials and authentication secrets for cloud email services.
- Costa Rica: The White House has announced $25 million of cyber security aid to Costa Rica to bolster defences in the wake of a series of ransomware attacks that affected the whole country.
- Industry news: Spera, an ‘identity security posture management platform’, has announced a $10 million seed funding round.
- NCSC has relaunched its scheme recognising cyber security consultancies. Assured Consultancy Service Providers are “capable of offering those services to the same standard as [NCSC]”. This week also saw CEO Lindy Cameron introduce a refreshed ‘toolkit’ to help board members govern cyber risk.