Cybersecurity News: Slopsquatting risks, Morocco leak, EC ups US-based staff security

In today’s cybersecurity news…

AI code dependencies are a supply chain risk

Security researcher Seth Larson coined “slopsquatting” to describe a new type of software supply chain attack. Similar to typosquatting, these attacks see threat actors proactively creating malicious packages on indexes, named after packages that LLMs commonly make up when generating code. This isn’t as much of a fishing expedition as it might initially sound. The rate of LLM software package hallucinations varies widely depending on the LLM. Some open source LLMs create hallucinated packages over 35% of the time, while commercial models can hit rates of less than 5% depending on the programming language. A recent research paper from Socket on hallucinated software packages found 58% of hallucinated packages were repeated more than once across ten runs of the same code generation prompt. To their credit, both GPT-4 Turbo and DeepSeek were able to correctly identify hallucinated packages the models created with over 75% accuracy.

(Bleeping Computer, Socket)

Morocco investigates social security leak

The Moroccan National Social Security Fund disclosed that a cyberattack caused a significant amount of data to be leaked on Telegram. Local media reports that over 54,000 files were exfiltrated from the fund, resulting in data leaked on almost 2 million people. This information includes names, national ID numbers, and bank account details. Officials say that some Telegram documents contain “false, inaccurate, or truncated” information. The threat actors JabaROOT took credit for the breach, but officials did not publicly attribute it. 

(Dark Reading)

European Commission increases security measures for US-bound staff

The Financial Times’ sources say that the European Commission will issue burner phones and stripped-down temporary laptops to staff coming to the US for the IMF and World Bank spring meetings next week, due to higher surveillance and espionage risks. The EC usually takes these precautions when staff head to China or Ukraine. An EC spokesperson confirmed it recently updated its security advice but did not confirm any specifics. A ruling by the 9th U.S. Circuit Court of Appeals expanded the government’s ability to search devices at the border without a warrant in 2011 under the Obama administration, so this doesn’t appear to be a reaction to new surveillance powers, but to how they are being applied.

(Financial Times)

Celebrating Tax Day… with a scam

A report by The Record found that several cybersecurity firms have seen an increase in tax-based AI-driven scams, focusing on both taxpayers and preparers. These use AI-enabled voice and video phishing attacks to impersonate officials from the IRS or an accountant to obtain financial documents, on top of text-based phishing that we usually see around this time of year. Usually, these schemes direct victims to create profiles on fake IRS portals and upload sensitive information. Consumer-level deepfake tools allow threat actors to “scale their operations while increasing the believability of their scams.” 

(The Record)

Dialysis firm hit with ransomware attack

DaVita is a major provider of kidney dialysis and other care services in the US, with over 2,600 outpatient centers. According to an SEC disclosure, it suffered a ransomware attack on April 12th that impacted some operations. The company did not announce any disruption to care facilities due to the attack. It said it began investigating the attack; there is no word on whether any data was stolen in the attack or if any ransom was paid. So far, DaVita has not named any group behind the attack, and no groups have claimed credit. 

(Bleeping Computer)

Flaw in WordPress plugin exploited in four hours

On April 10th, researchers at PatchStack disclosed a critical flaw in the SureTriggers WordPress plugin that allows unauthorized users to create admin accounts due to improper validation of the ST-Authorization HTTP header. Effectively, when a site did not define an internal secret key, the plugin returned null values for both the header and the key, treating them as a match. SureTriggers patched the flaw, but PatchStack saw exploitation begin within four hours of release through the plugin’s APIs. SureTriggers’ developers recommend patching as soon as possible and looking for modified content on sites.

(InfoSecurity Magazine)
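
The null-equals-null comparison described above, modelled next to a fail-closed version. This is an added example written in Python for illustration; it is not the plugin's code, and the function names and sample secret are constructed.

```python
import hmac
from typing import Mapping, Optional

HEADER = "ST-Authorization"  # header name as given in the article


def vulnerable_is_authorized(headers: Mapping[str, str],
                             site_secret: Optional[str]) -> bool:
    # Model of the flawed pattern: a missing header and an unset secret
    # both come back as None, and None == None evaluates to True.
    supplied = headers.get(HEADER)
    return supplied == site_secret


def hardened_is_authorized(headers: Mapping[str, str],
                           site_secret: Optional[str]) -> bool:
    # Fail closed: a site with no configured secret has no valid credential.
    if not isinstance(site_secret, str) or not site_secret:
        return False
    supplied = headers.get(HEADER)
    if not isinstance(supplied, str) or not supplied:
        return False
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(supplied.encode(), site_secret.encode())


def audit(check) -> dict:
    # Constructed cases: (request headers, secret configured on the site).
    secret = "constructed-sample-secret"
    cases = {
        "unconfigured site, no header": ({}, None),
        "configured site, no header": ({}, secret),
        "configured site, wrong header": ({HEADER: "guess"}, secret),
        "configured site, right header": ({HEADER: secret}, secret),
    }
    return {name: check(h, s) for name, (h, s) in cases.items()}


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_is_authorized),
                      ("hardened", hardened_is_authorized)):
        for name, allowed in audit(fn).items():
            print(f"{label:10} {name:32} -> {'ALLOW' if allowed else 'deny'}")
```

Only the unconfigured-site case differs between the two checks, which is why sites that never set a secret key were the exposed ones.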

ResolverRAT hits healthcare

Morphisec Labs researchers discovered a new campaign targeting healthcare and pharmaceutical firms with new malware named ResolverRAT. First observed on March 10th, this campaign uses localized phishing lures written in regionally specific languages to get higher clickthrough, with themes related to legal investigations. ResolverRAT starts off with a DLL side-loading technique to launch an in-memory loader that communicates with a C2 server. These communications prove markedly resilient, with an IP rotation system to connect to alternate servers in the event of a takedown, plus certificate pinning and irregular beaconing patterns to avoid detection. Once communication is established, ResolverRAT attempts to exfiltrate data in 16-kilobyte chunks. Researchers found ResolverRAT shares infrastructure and overlapping delivery mechanisms with Lumma and Rhadamanthys malware.

(The Hacker News)

Chrome fixes 20-year-old privacy risk

The upcoming release of Chrome 136 will introduce triple-key partitioning of “visited” links as a default feature, resolving an issue that could allow a third party to determine a user’s browser history. Chrome introduced it as an optional experimental feature in Chrome 132. Until this feature, Chrome stored link visits globally, allowing sites to show visited links in a color other than the familiar default blue. This color change is shown regardless of what site you were on when clicking the link. Researchers have found multiple classes of attacks and scripts to enable tracking, profiling, and phishing from this behavior. The new partitioning will store each visited link with three keys, based on link URL, top-level site, and the frame origin. The browser needs all three keys to display a link as “visited” on a page.

(Bleeping Computer)
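
A small model of the difference between a global visited-link store and the triple-key store described above. This is an added example, not Chrome's code; the class names, the `.example` URLs and the simplified site calculation are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def site(url: str) -> str:
    # Simplification: treat the last two host labels as the site.
    # A real browser consults the Public Suffix List instead.
    p = urlsplit(url)
    return f"{p.scheme}://" + ".".join(p.hostname.split(".")[-2:])


class GlobalHistory:
    """Old behaviour: one set of visited URLs shared by every page."""
    def __init__(self):
        self._visited = set()
    def record_click(self, link, top_level_url, frame_url):
        self._visited.add(link)
    def is_visited(self, link, top_level_url, frame_url):
        return link in self._visited


class PartitionedHistory:
    """Triple-key behaviour: (link URL, top-level site, frame origin)."""
    def __init__(self):
        self._visited = set()
    def _key(self, link, top_level_url, frame_url):
        return (link, site(top_level_url), origin(frame_url))
    def record_click(self, link, top_level_url, frame_url):
        self._visited.add(self._key(link, top_level_url, frame_url))
    def is_visited(self, link, top_level_url, frame_url):
        return self._key(link, top_level_url, frame_url) in self._visited


def probe(history) -> dict:
    # Constructed scenario: the user clicks one link from news.example's main frame.
    link = "https://bank.example/login"
    news = "https://news.example/story"
    other = "https://other.example/page"
    history.record_click(link, news, news)
    return {
        "same_context": history.is_visited(link, news, news),
        "other_top_level_site": history.is_visited(link, other, other),
        "third_party_frame": history.is_visited(link, news, "https://ads.example/frame"),
    }

if __name__ == "__main__":
    print("global     ", probe(GlobalHistory()))
    print("partitioned", probe(PartitionedHistory()))
```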

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.