This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Ken Athanasiou, CISO, VF Corporation
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Sophos warns of increased stealth among Chinese hackers
The cybersecurity firm has released a report that shows the evolving tactics of Chinese advanced persistent threat groups over the past 5 years, with “a notable shift from widespread, indiscriminate attacks towards narrow targeting of high value organizations.” The report says that “CVE exploitation was the most common initial access vector used in these attacks, although cases of initial access using valid administrative credentials from the LAN side of the device were also observed.”
Bug bounty program yields 34 flaws in open-source AI tools
The flaws, which were discovered in open-source AI and machine learning tools, were disclosed Tuesday as part of Protect AI’s huntr bug bounty program. The report includes 18 high-severity flaws ranging from denial-of-service (DoS) to remote code execution (RCE). Security researchers from Protect AI, Dan McInerney and Marcello Salvati, stated, “Through our own research and the huntr community, we’ve found the tools used in the supply chain to build the machine learning models that power AI applications to be vulnerable to unique security threats … these tools are Open Source and downloaded thousands of times a month to build enterprise AI Systems.”
(SCWorld)
Google claims first vulnerability found using AI
Google’s Big Sleep project, a collaboration between Project Zero and DeepMind, recently uncovered its first real-world vulnerability: a stack buffer underflow in SQLite. Found with the help of an AI model in October, this flaw went undetected by traditional fuzzing, sparking interest in AI as a supplementary tool for vulnerability research. Though an argument could be made as to whether this was actually the first time a learning language model (LLM) was used to discover a vulnerability, a security researcher with Neuroengine said he discovered a zero-day using an LLM in April, publishing his results in June, but tells InfoSecurity Magazine he believes Google’s announcement was a “honest mistake.”
(InfoSecurity Magazine), (Security Week)
Thanks to today’s episode sponsor, Vanta
Visit vanta.com to learn more about Questionnaire Automation.
Schneider Electric breached for second time this year
Schneider Electric confirmed a breach on its developer platform after a threat actor named “Grep” claimed to have stolen 40GB of data from the company’s JIRA server. The intruder reportedly used exposed credentials and a MiniOrange REST API to scrape 400,000 rows of user data, including 75,000 unique email addresses and full names of Schneider Electric employees and customers though the company emphasized their products and services remain unaffected. Grep, who is part of a newly formed hacking group called International Contract Agency (ICA), had threatened to leak the data if the company did not acknowledge the breach, so we’ll have to wait and see what the threat actor does next. This is not the first time Schneider Electric was breached this year, in January the company sustainability division was ransomed and terabytes of data was allegedly stolen.
Columbus drops case against whistleblower
Over the summer, we covered the Rhysida ransomware attack against the city of Columbus, Ohio. The group leaked 3.1 terabytes of data stolen from the city, which officials claimed was encrypted and corrupted. Security researcher David Leroy Ross, also known as Connor Goodwolf, claimed the data was intact and accessible online. The city subsequently sued Ross for damages and sought an order to stop him from discussing the data leak. Now, the two parties have agreed to drop the case. Ross got the case dismissed with prejudice, which means the city can’t sue him again for the same thing, but agreed to a permanent injunction to only share data related to this leak considered in the public record with written approval from the city.
Australia plans social media ban for teens
Described as “world-leading” legislation to ban children under 16 from social media, the law will be tabled in Australia’s parliament next week, and is aimed at “mitigating the harm social media is inflicting on Australian children.” The ban would apparently not apply to young people already on social media. Parental consent will not be considered, meaning no exemptions. At the same time, the government says that “the onus would be on social media platforms to show they are taking reasonable steps to prevent access.” As noted by the BBC, “previous attempts at restricting access, including by the European Union, have largely failed or faced backlash from tech firms. Questions remain over how implementation would work given there are tools which can circumvent age-verification requirements.”
(BBC News)