Maximum severity vulnerability needs critical updates.
Atlassian issues critical updates. CISA and the FBI warn of AndroxGh0st. A GPU vulnerability hits major manufacturers. A Foxconn subsidiary in Taiwan gets hacked. Australians suffer breached credit cards through credential stuffing. A parade of horrible hackers and scammers. CISO accountability is highlighted at ShmooCon. Cybersecurity VC funding plummets. On the Learning Layer, N2K’s Executive Director of Product Innovation Sam Meisenberg lets us in on an A+ tutoring session. Don’t ask ChatGPT to handle your Amazon product listings.
Today is January 17th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Atlassian issues critical updates.
Atlassian has issued a critical update advisory for its Confluence Data Center and Server products to address a vulnerability which has been rated with the maximum severity of 10.0. The vulnerability is characterized as a template injection issue, and is present in older versions of Confluence Data Center and Server. It poses a significant risk of Remote Code Execution (RCE) by unauthenticated attackers and impacts the confidentiality, integrity, and availability aspects of security.
No workarounds are available for this vulnerability, and Atlassian strongly recommends updating to the latest version to ensure protection, not only against this critical threat but also against other non-critical vulnerabilities mentioned in their January Security Bulletin.
This vulnerability is part of a series of security issues Atlassian has been grappling with. In November 2023, the Cybersecurity and Infrastructure Security Agency (CISA) included a different Confluence Data Center and Server vulnerability in its Known Exploited Vulnerabilities Catalog, following a warning from Atlassian's CISO. Subsequently, Atlassian addressed RCE vulnerabilities in Bamboo & Crowd Data Center and Server, and in December, CISA highlighted the necessity for rapid action against other critical vulnerabilities affecting various Atlassian products.
CISA and the FBI warn of AndroxGh0st.
CISA and the FBI have issued a joint Cybersecurity Advisory (CSA) warning about AndroxGh0st malware. This Python-based malware was first identified by cybersecurity firm Lacework in December 2022, and is being used to establish a botnet for identifying and exploiting victims in vulnerable networks. It targets files containing sensitive information like credentials for high-profile applications.
The advisory details the malware's capabilities, including scanning for and exploiting exposed credentials, API vulnerabilities, and deploying webshells.
To aid in defense, the US agencies are sharing known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the threat actors deploying AndroxGh0st. The malware also has the functionality to generate keys for brute-force attacks.
A GPU vulnerability hits major manufacturers.
Tyler Sorensen, a cybersecurity researcher at Trail of Bits and UC Santa Cruz, discovered a vulnerability affecting GPUs from Apple, AMD, Qualcomm, and Imagination Technologies. Named LeftoverLocals, the vulnerability allows attackers to steal data from GPU local memory. It is especially dangerous for large language models (LLMs) and machine learning (ML) workloads, which tend to process large amounts of sensitive data. The researchers demonstrated a proof of concept, showing that attackers could listen into another user's interactive LLM session across boundaries.
The vulnerability exposes previously unknown security risks in the ML development stack. The affected companies responded differently. Apple patched its A17 and M3 processors, but older devices like the M2 MacBook Air remain vulnerable. The iPhone 15 is not affected. AMD confirmed its processors are impacted and is working on mitigation. Qualcomm released a patch in firmware v2.07 for some devices. Other devices may still be vulnerable. Imagination Technologies released a fix in its DDK release 23.3 in December 2023.
A Foxconn subsidiary in Taiwan gets hacked.
In Taiwan, Foxsemicon Integrated Technology (FITI Group), a Foxconn subsidiary and semiconductor equipment manufacturer, suffered a cyberattack on January 16. Hackers hijacked the company's website, demanding a ransom and threatening to release 5TB of client data. Cyberattacks are common against Taiwan's listed companies, but they usually handle these incidents privately. This attack, however, is notable as it involved defacing the company website and a public ransom demand. The hackers' method of attack remains undisclosed.
Australians suffer breached credit cards through credential stuffing.
Around 15,000 people in Australia have had their credit card information compromised due to a credential stuffing scam targeting major brands in that country. The scam uses stolen passwords to access users' other accounts on different websites, especially affecting customers who reuse login details and save their card information on these sites.
This event serves as a reminder of the importance of using unique passwords for different accounts to enhance online security.
A parade of horrible hackers and scammers.
Moving on to a pair of stories about horrible people, hackers recently targeted online forums used by students and teachers at UC Irvine in California. They attacked Discord groups affiliated with UCI, exposing approximately 3,000 users to graphic videos showing human corpse desecration and animal mutilation. The content was so extreme that it reportedly caused physical distress among some students, including instances of hospitalization due to excessive vomiting.
The cyberattack occurred on January 9, disrupting academic activities and causing significant distress. These Discord servers are student-run and not officially overseen by UC Irvine, according to a university spokesperson.
The attackers apparently gained access through a student's login information and demanded a ransom of $1,000. They claimed responsibility for causing the deletion of one Discord club and boasted about the impact of their actions.
Meanwhile, in the UK, hundreds of pet owners have been targeted by scammers demanding ransom for lost pets. BBC News reports that these fraudsters scan online forums where owners post about their lost dogs and cats, then falsely claim to have the pets, demanding large sums for their return. This scam preys on the owners' desperation to reunite with their pets, often using social engineering tactics to make their claims seem credible.
Local police are investigating this widespread scheme, and having some success. One case involved a man in his twenties who was sentenced to three years and eight months in prison for such blackmail. He demanded thousands of pounds, sometimes threatening harm to the animals, and was caught after phone evidence linked him to these crimes.
With over 200 victims identified across the UK, the investigation continues to pursue others involved in these offenses.
CISO accountability is highlighted at ShmooCon
Zach Wittacker from TechCrunch filed a report from the ShmooCon hacker conference in Washington DC, where cybersecurity experts discussed the growing risks and legal responsibilities in their field. A key theme was the increased legal scrutiny and risks facing professionals, especially in light of recent high-profile legal cases involving cybersecurity mishandlings, like those at Uber and SolarWinds.
The conference also highlighted the impact of the new SEC cyber reporting rules, which mandate companies to report significant security incidents within four business days. This has led to a surge in data breach disclosures and emphasizes the ongoing responsibility of companies to update these disclosures.
The heightened legal and public scrutiny is particularly affecting high-level cybersecurity roles. The accountability placed on executives, especially Chief Information Security Officers (CISOs), has made some professionals cautious about taking on these positions. Despite these challenges, experts like startup lawyer Elizabeth Wharton, former SEC prosecutor Danette Edwards, and tech investor Cyndi Gula advised maintaining thorough documentation and careful communication. They emphasized the importance of transparency and the need to adapt to the scrutinized environment. Moreover, the shift to remote work has complicated the task of maintaining a trusting corporate culture while ensuring everything is properly documented and communicated. The panel stressed the importance of continuing to engage with cybersecurity roles, urging professionals to adapt to these evolving challenges and maintain a proactive stance in their communications and documentation practices.
Cybersecurity VC funding plummets.
Two years ago, cybersecurity venture funding was booming, reaching over $23 billion. However, in 2023, the sector experienced a significant decline, with funding falling to around a third of that amount, the lowest since 2018. According to Crunchbase, security companies raised $8.2 billion across 692 venture capital deals in 2023, compared to $16.3 billion in 941 deals the previous year. This downturn was particularly noticeable in Q4, which saw only $1.6 billion raised, marking the lowest quarter since Q3 2018.
Despite this drop, some cyber startups still managed to secure substantial funding. BlueVoyant closed a Series E of over $140 million, Dallas-based Island raised $100 million in a Series C round, and Verkada secured a $100 million investment.
Ofer Schreiber of YL Ventures attributes this decrease in funding to the aftereffects of the 2021 surge in cybersecurity investment, characterized by high valuations and substantial funding rounds. He notes that poor decisions made during this period continue to affect the sector. Many firms are still trying to grow into the large valuations they received when funding was more readily available.
Startups that raised money in 2021 are now facing the need for additional funding or considering selling as they approach the end of their financial runway. However, Schreiber observes that startups are now adopting a more responsible approach to laying their foundations, considering current market conditions and investor appetite.
Despite the downturn, the demand for cybersecurity solutions remains strong. Global conflicts and the rise of generative AI technologies have escalated cyber threats, making cybersecurity a top concern for companies and governments.
Don’t ask ChatGPT to handle your Amazon product listings.
And finally, Amazon's marketplace is facing a peculiar issue with product listings evidently created using ChatGPT, leading to absurd and incorrect descriptions. A bizarre example includes a dresser named "I'm sorry but I cannot fulfill this request it goes against OpenAI use policy," highlighting the misuse of AI in generating product names and descriptions without proper oversight or proofreading. This issue extends beyond a single product, with various items, from outdoor furniture to hoses, carrying similar AI-generated, nonsensical names and descriptions.
These listings seem to be the work of resellers using ChatGPT to quickly create product listings, likely aiming to optimize for search engines. This approach has resulted in listings that are confusing and inaccurate, raising questions about the effectiveness of Amazon's review process for products on its site. Amazon has responded by removing these listings and promising to enhance their systems.
The situation reflects broader challenges in Amazon's marketplace, which has faced criticism for AI-generated fake reviews, potentially unsafe products, and copyright issues. The Wall Street Journal previously reported finding thousands of unsafe or deceptively labeled items on Amazon.
While the use of ChatGPT for product listings presents lower risks compared to unsafe products, it still signifies a concerning trend in e-commerce. Vendors are minimally investing in their product listings, relying on AI automation for content creation. Amazon, in providing a platform for these vendors, faces scrutiny for its role in this issue, especially as the company explores monetizing AI technology itself.
“Hey Alexa - come up with a snazzy name for my fancy new dresser!”
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at email@example.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.