Cybersecurity News: SVG phishing campaign, Anthropic piracy lawsuit, Qantas penalizes executives

In today’s cybersecurity news…

New malware phishing campaign hidden in SVG files

Researchers at VirusTotal have identified a phishing campaign in Colombia that is hidden inside SVG files which render convincing fake portals resembling those of Colombia’s judicial system. “VirusTotal detected this campaign after it added support for SVGs to its AI Code Insight platform, which itself uses machine learning to generate summaries of suspicious or malicious behavior found in the files.” SVG stands for Scalable Vector Graphics; the format describes lines, shapes, and text through textual mathematical formulas in the file, and it is already in use by threat actors because SVG files can display HTML and execute JavaScript when the graphic is loaded.

(BleepingComputer)
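Because SVG is XML, a defender can triage incoming SVG attachments with a structural scan for the active-content constructs the item above describes (embedded script, event handlers, HTML via foreignObject, javascript: links). The following is an added example written for this article, not VirusTotal’s Code Insight logic; the two SVG samples are constructed inline.

```python
"""Triage check for active content in SVG files (example added for this
article; not VirusTotal's tooling). Flags the constructs phishing SVGs rely
on: <script>, on* event handlers, <foreignObject> (carries arbitrary HTML),
and javascript:/data:text/html links. Unparseable files are flagged too."""
import re
import xml.etree.ElementTree as ET

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)          # onload, onclick, ...
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
RISKY_HREF = re.compile(r"^\s*(javascript:|data:text/html)", re.I)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return name.split("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Raw JavaScript outside CDATA often breaks XML parsing; do not
        # treat a parse failure as "clean".
        return [f"unparseable SVG ({exc}); treat as suspicious"]
    findings = []
    for el in root.iter():                 # root.iter() includes <svg> itself
        tag = _local(el.tag)
        if tag in RISKY_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)            # handles xlink:href as well
            if EVENT_ATTR.match(name):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and RISKY_HREF.match(value):
                findings.append(f"active href on <{tag}>: {value[:40]}")
    return findings


# Constructed samples: a plain drawing and a minimal lure-style file.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
LURE = b'''<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script><![CDATA[ function init(){} ]]></script>
  <foreignObject width="100" height="100">
    <div xmlns="http://www.w3.org/1999/xhtml">Portal</div>
  </foreignObject>
  <a xlink:href="javascript:void(0)"><text>Open</text></a>
</svg>'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("lure", LURE)):
        print(label, scan_svg(sample))
```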

Anthropic agrees to pay $1.5bn in book piracy lawsuit

AI firm Anthropic has agreed to a $1.5 billion settlement with authors who alleged the company used pirated books to train its chatbot Claude. The deal, pending judicial approval, would compensate authors about $3,000 for each of 500,000 affected works, potentially the largest copyright payout ever. The lawsuit was brought by Andrea Bartz, Charles Graeber, and Kirk Wallace Johnson, later expanding to represent thousands of writers. A judge previously ruled that while training AI on copyrighted works isn’t illegal, Anthropic wrongfully sourced books from piracy sites. Avoiding a December trial, the company sidesteps possible damages in the multiple billions.

(The Guardian)

Qantas penalizes executives for cyberattack

Following up on a story we covered in July, Qantas has cut annual bonuses for senior leaders by 15% after a July cyberattack exposed data of 5.7 million people. The airline reported a $1.5 billion profit for the past fiscal year but said the penalty reflects accountability for the incident. CEO Vanessa Hudson’s pay was reduced by $250,000 as part of the decision. Chairman John Mullen noted the move balances responsibility with recognition of efforts to support customers and strengthen protections. Qantas added that it is facing rising social engineering threats and is using lessons from the breach to enhance its risk management framework.

(The Record)

CISA orders federal agencies to patch Sitecore zero-day

Federal civilian agencies have until September 25 to patch a vulnerability in the Sitecore content management system, which affects several of its products, following a recent attack involving the bug. The flaw has been assigned a CVE number and added to CISA’s KEV catalog. “A key issue with the bug is the use of a sample machine key that was included in Sitecore deployment guides from 2017 and earlier. Many customers simply used the sample machine key and never rotated it to something new.” Researchers at Mandiant stated that they recently stopped an attack “where hackers leveraged the exposed sample machine key to gain access.”

(The Record)

Huge thanks to this week’s episode sponsor, Vanta

Do you know the status of your compliance controls right now? Like…right now?

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta.

Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.
Now that’s…a new way to GRC.

Get started at Vanta.com/headlines.

Chess.com discloses data breach

The breach impacted Chess.com, one of the world’s largest chess playing portals, after threat actors “gained unauthorized access to a third-party file transfer application used by the platform.” The intrusion occurred in June and lasted for two weeks. According to the investigation that followed, the incident impacted the PII of just 4,500 users, a very small percentage of the platform’s estimated 200 million member user base. Representatives from Chess.com emphasize that “the incident only affected the unnamed third-party app, while its own infrastructure and member accounts remained unaffected,” and that no financial information has been exposed.

(BleepingComputer)

NYU team behind AI-powered PromptLock malware

On August 28, we brought you the story of PromptLock, analyzed by ESET and thought to be the world’s first AI-powered malware. Researchers at NYU’s Tandon School of Engineering have now confirmed they created the code “as part of a project meant to illustrate the potential harms of AI-powered malware.” The team has published an academic paper and calls the project “Ransomware 3.0” since it “exploits large language models (LLMs) to autonomously plan, adapt, and execute the ransomware attack lifecycle.”

(Cyberscoop)

Frostbyte10 bugs threaten refrigerators at major grocery chains

Researchers at OT security firm Armis have discovered ten vulnerabilities, collectively named Frostbyte10, in Copeland E2 and E3 controllers. These OT controllers are widely used in supermarkets and cold storage facilities to manage refrigeration, HVAC, and lighting. Three of the ten flaws were rated critical, potentially allowing attackers to alter temperatures, spoil food and medicine, and disrupt supply chains. After being alerted, Copeland released firmware updates to fix them. Customers are urged to upgrade promptly, especially as the E2 model reaches end-of-life in October.

(The Register)

Academics build AI-powered Android vulnerability discovery and validation tool

Two researchers from Nanjing University and the University of Sydney have developed A2, an AI-powered framework that automates Android application vulnerability discovery and validation. A2 “mirrors human experts’ analysis and validation activities by first reasoning about an application’s security and then validating each potential flaw through exploitation attempts. Testing on benchmarks showed A2 achieves significantly higher coverage, uncovering more than 100 true zero-day vulnerabilities.”

(Security Week)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.