A report from the Internet Watch Foundation (IWF) has exposed a disturbing misuse of AI to generate deepfake child sexual abuse images based on real victims. While the tools used to create these images remain legal in the UK, the images themselves are illegal. The case of a victim, referred to as Olivia, exemplifies the issue. Abused between the ages of three and eight, Olivia was rescued in 2023, but dark web users are now employing AI tools to create new abusive images of her, with one model available for free download.
The IWF report also reveals an anonymous dark web page with links to AI models for 128 child abuse victims. Offenders are compiling collections of images of named victims, such as Olivia, and using them to fine-tune AI models to create new material. Additionally, the report mentions models that can generate abusive images of celebrity children. Analysts found that 90% of these AI-generated images are realistic enough to fall under the same laws as real child sexual abuse material, highlighting the severity of the problem.
According to a blog post from Microsoft on Saturday, a global tech outage caused by a software update from cybersecurity firm CrowdStrike affected nearly 8.5 million Microsoft devices. That number represents less than one percent of all Windows machines, but the impact was significant, grounding flights, interrupting broadcasts, and disrupting access to essential services such as healthcare and banking.
Despite the relatively small percentage of devices affected, the outage had broad economic and societal effects due to critical enterprises’ widespread use of CrowdStrike’s services. Microsoft noted that CrowdStrike has helped develop a solution to accelerate the fix for Microsoft’s Azure infrastructure. The company is also collaborating with Amazon Web Services and Google Cloud Platform to share information about the outage’s effects across the industry.
The air travel industry was particularly hard hit, with thousands of flights cancelled and passengers experiencing extensive delays. Delta Air Lines, one of the hardest-hit airlines, reported over 600 flight cancellations by Saturday morning, with more expected throughout the day as the industry worked to recover from the IT outage.
Australia’s cyber intelligence agency warned on Saturday about the release of ‘malicious websites and unofficial code’ online, claiming to aid recovery from Friday’s global digital outage. The outage, caused by a botched software update from CrowdStrike, impacted various sectors, including media, retailers, banks, and airlines.
The Australian Signals Directorate (ASD) urged consumers to obtain technical information and updates exclusively from official CrowdStrike sources to avoid falling victim to scams. Cyber Security Minister Clare O’Neil also cautioned Australians to be vigilant against potential scams and phishing attempts.
The outage affected the Commonwealth Bank of Australia, causing temporary disruptions in PayID payments, which were later resolved. National airline Qantas and Sydney airport experienced delays but maintained operations. Prime Minister Anthony Albanese confirmed that critical infrastructure, government services, and emergency phone systems were unaffected.
CrowdStrike, a major cybersecurity provider with nearly 30.000 global subscribers, previously reached a market cap of about $83 billion. Despite the widespread disruption, the swift response helped mitigate further issues and ensured a quick recovery.
A US judge has dismissed most of an SEC lawsuit against software company SolarWinds, which accused it of defrauding investors by concealing security weaknesses linked to a Russia-backed cyberattack. Judge Paul Engelmayer ruled that claims against SolarWinds and its chief information security officer, Timothy Brown, were based on ‘hindsight and speculation’ and lacked concrete evidence.
The judge dismissed most claims related to statements made before the cyberattack, except for one regarding a statement on SolarWinds’ website about its security controls. The SEC had alleged that SolarWinds hid its cybersecurity vulnerabilities before the attack and downplayed its severity afterwards. SolarWinds expressed satisfaction with the decision, calling the remaining claim factually inaccurate.
The cyberattack, known as Sunburst, targeted SolarWinds’ Orion software platform and compromised several US government networks, including the Departments of Commerce, Energy, Homeland Security, State, and Treasury. The US government has attributed the attack to Russia, which has denied involvement.
This case, filed last October, was notable for being one of the first where the SEC sued a company that was a victim of a cyberattack without announcing a settlement. It is also rare for the SEC to sue public company executives not closely involved in preparing financial statements.
Senator Chuck Grassley’s office provided the letter to Reuters, stating that OpenAI’s policies appear to prevent whistleblowers from receiving due compensation for their protected disclosures. The whistle-blowers have requested that the SEC fine OpenAI for each improper agreement and review all contracts containing NDAs, including employment, severance, and investor agreements. OpenAI did not immediately respond to requests for comment.
According to blockchain data, a major Cambodian payments firm, Huione Pay, received over $150,000 in cryptocurrency from a digital wallet linked to the North Korean hacking group Lazarus. The funds were sent between June 2023 and February this year from an anonymous wallet used by Lazarus to launder money stolen from three crypto companies through phishing attacks. The FBI reported that Lazarus stole around $160 million from Atomic Wallet, CoinsPaid, and Alphapo last year to fund North Korea’s weapons programs.
Huione Pay, based in Phnom Penh, stated it was unaware of receiving funds indirectly from the hacks and cited multiple transactions between its wallet and the source as the reason. The company declined to explain why it had received the funds or provide details on its compliance policies. Despite blockchain tools allowing companies to identify high-risk wallets, Huione Pay claimed it had no control over the anonymous wallet’s transactions.
The National Bank of Cambodia (NBC) prohibits payment firms like Huione Pay from dealing with cryptocurrencies due to risks like money laundering and financing terrorism. The NBC indicated it might take corrective measures against Huione Pay. Meanwhile, US blockchain analysis firms reported that Huione Pay was among several platforms receiving stolen crypto, which was converted into different currencies, including tether (USDT), to obscure the money trail. Southeast Asia has become a hotspot for high-tech money laundering and cybercrime operations, highlighting the need for stronger regulatory measures.
Indonesia is starting to recover data encrypted in a significant ransomware attack last month, which impacted over 160 government agencies. The cybercriminals, identified as Brain Cipher, initially demanded $8 million in ransom but later apologised and released the decryption key for free, according to cybersecurity firm StealthMole.
The attack disrupted several government services, including immigration and primary airport operations. Officials acknowledged that much of the data had yet to be backed up. Chief Security Minister Hadi Tjahjanto stated that data for 30 public services across 12 ministries had been recovered using a ‘decryption strategy,’ though details were not provided.
The Communications Ministry is gradually restoring services and assets affected by the attack. It remains to be seen if the government used Brain Cipher’s decryption key directly. Neither Hadi nor Communications Minister Budi Arie Setiadi commented on the matter.
Ransomware attacks involve encrypting data and demanding a ransom to unlock it. In this case, the attackers used malicious software known as Lockbit 3.0.
Representative Cathy McMorris Rodgers stated that intelligence officials at the March hearing warned of dangers from foreign-controlled apps like TikTok, which could misuse American data. Despite the law, China has not intended to relinquish control over such applications, suggesting potential nefarious uses against Americans.
TikTok criticised the legislative process, claiming it was secretive and rushed. The Justice Department is set to respond to the legal challenges by 26 July, with a court hearing scheduled for 16 September.
The courts halted a previous attempt to ban TikTok by former President Trump in 2020. The current efforts focus on national security concerns, citing the app’s extensive data collection and the risks posed by Chinese ownership.
Several Macau government websites were hacked, prompting a criminal investigation, Chinese state media reported on Wednesday. The hacked sites included those of the office of the secretary for security, the public security police, the fire services department, and the security forces services bureau, causing service disruptions.
Security officials in Macau’s Special Administrative Region believe the cyberattack originated from overseas. However, no further details have been disclosed at this time.
In response, authorities collaborated with telecommunications operators to restore the affected services as quickly as possible. The investigation into the source of the intrusion is ongoing.
As deepfake pornography becomes an increasing threat to women online, both international and domestic lawmakers face difficulties in creating effective protections for victims. The issue has gained prominence through cases like that of Amy Smith, a student in Paris who was targeted with manipulated nude images and harassed by an anonymous perpetrator. Despite reporting the crime to multiple authorities, Smith found little support due to the complexities of tracking faceless offenders across borders.
Recent data shows that deepfake pornography is predominantly used for malicious purposes, with 98% of such videos being explicit. The FBI has identified a rise in “sextortion schemes,” where altered images are used for blackmail. Public awareness of these crimes is often heightened by high-profile cases, but many victims are not celebrities and face immense challenges in seeking justice.
Efforts are underway to address these issues through new legislation. In the US, proposed bills aim to hold perpetrators accountable and require prompt removal of deepfake content from the internet. Additionally, President Biden’s recent executive order seeks to develop technology for detecting and tracking deepfake images. In Europe, the AI Act introduces regulations for AI systems but faces criticism for its limited scope. While these measures represent progress, experts caution that they may not fully prevent future misuse of deepfake technology.
