Security News This Week: The Cloud Company at the Center of a Global Hacking Spree


Between a cascade of indictments against former US president Donald Trump, a tumultuous 2024 election season (in which Trump is a main character), and the rapid rise of generative artificial intelligence, 2024 is shaping up to be a complete nightmare.

At the center of it will be a rise in personalized disinformation. Not only will there be more BS to sift through thanks to tools like ChatGPT and Google’s Bard, but the disinformation will likely be more effective, and even tailored to target specific groups with frightening consequences. Of course, some of this could be fixed with new regulations. But the US Congress still hasn’t figured out how to tackle privacy, and regulating AI will only be more difficult.

In addition to disinformation, people keep figuring out new ways to break through the guardrails that generative AI tools have in place to stop malicious activities. The latest is something called an “adversarial attack,” which researchers at Carnegie Mellon University found can be carried out simply by attaching a string of nonsense-looking instructions to the end of certain prompts entered into tools like ChatGPT. While it’s possible to block specific attack strings, nobody yet knows how to fix this flaw entirely.

AI might be the new frontier for security researchers. But regular ol’ platforms are still a wealth of terrible vulnerabilities. The latest is the Points platform, which provides the underlying tech for dozens of major travel rewards programs. Researchers recently discovered flaws in the Points API that exposed people’s private information. And a bug in a Points administrator website could have allowed an attacker to give themselves unlimited airline miles and hotel points. But don’t get any big ideas, hackers—all the flaws have since been fixed.

The Points bugs aren’t the only ones patched recently. If you use Apple iOS, Google Android, or Microsoft products, check our list of the recent security updates you’ll want to install right now.

But that’s not all. Each week, we round up the security and privacy stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A single cloud firm has provided server space to at least 17 state-sponsored hacking groups from countries including China, Russia, and North Korea, according to researchers at security firm Halcyon. The firm, Cloudzy, also provided its cloud storage to state-backed hackers from Iran, India, Pakistan, and Vietnam, as well as two ransomware groups, researchers found. While Halcyon estimates that “roughly half” of Cloudzy’s business “was malicious,” according to Reuters, the company pins it at just 2 percent. But who’s counting, really?

Renowned hacker crew Cult of the Dead Cow (cDc) has big plans for social media. No, they’re not launching another Twitter alternative (mercifully)—they’ve created a framework for encrypting social media, The Washington Post reports. The networked application framework, dubbed Veilid, would give companies the ability to release encrypted versions of their apps, allowing users greater privacy protections against prying eyes. Veilid (pronounced vay-lid) will formally debut next week at the Def Con security conference in Las Vegas, and cDc promises “flagship apps available from the launch.”

Microsoft revealed this week that state-backed hackers linked to Russia carried out “highly targeted” phishing attacks through the company’s Teams platform. The hackers used previously compromised Microsoft 365 accounts “owned by small businesses” to create domains that were then used to dupe their targets through Microsoft Teams messages, “by engaging a user and eliciting approval of multifactor authentication (MFA) prompts,” Microsoft wrote. The hackers are believed to be part of a group widely known as APT29 or Cozy Bear, which Microsoft calls Midnight Blizzard. Western authorities say APT29 is part of Russia’s Foreign Intelligence Service (SVR). You might remember the group from such hits as 2020’s historic SolarWinds hack and 2016’s breach of the Democratic National Committee.

A couple arrested in 2022 for allegedly stealing and laundering $4.5 billion in bitcoin from the Bitfinex exchange pleaded guilty on Thursday to a variety of charges stemming from the 2016 hack. Ilya Lichtenstein admitted to hacking Bitfinex and pleaded guilty to a conspiracy to launder the ill-gotten fortune. His wife, Heather Rhiannon Morgan, also entered guilty pleas on charges of conspiracy to launder money and conspiracy to defraud the United States. Lichtenstein’s admission ends the mystery of who hacked the cryptocurrency exchange, which suffered from several security issues, according to an internal report obtained by the Organized Crime and Corruption Reporting Project and reviewed by WIRED. If convicted, Lichtenstein faces up to 20 years in prison, while Morgan could spend 10 years behind bars.


