CISA urges critical GeoServer patch

The US Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch a critical vulnerability in the GeoTools plugin of GeoServer by 5 August 2024. This open-source server, written in Java, is used for sharing, processing, and editing geospatial data.

The remote code execution (RCE) flaw, identified as CVE-2024-36401, is actively exploited in the wild. It allows unauthenticated attackers to execute code remotely via specially crafted input.

GeoServer maintainers have addressed the issue in versions 2.23.6, 2.24.4, and 2.25.2, urging users to upgrade immediately.
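A first step for defenders is an inventory check: which GeoServer instances are still below the fixed release for their branch. The following Python snippet is an added example, not code from CISA, GeoServer or the GeoTools project. It uses only the fixed versions stated above (2.23.6, 2.24.4, 2.25.2); the function names, the status labels, the treatment of branches the advisory does not list, and the sample inventory are all assumptions made for this example.

```python
"""Triage a GeoServer inventory against the CVE-2024-36401 fixed releases.

Fixed releases come from the advisory summary above. Branches not named there
(older than 2.23 or newer than 2.25) are reported as 'unlisted_branch' so an
operator checks them against the project's release notes rather than trusting
this script. Everything else here is an assumption for illustration.
"""
from typing import Dict, Iterable, List, Tuple

# Minimum patched release per maintained minor branch (values from the advisory).
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a suffix such as '-SNAPSHOT' is ignored.

    Raises ValueError for anything that does not look like a release string.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted_branch' for one version."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unlisted_branch"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, version) pairs by status; hosts needing action come first.

    Versions that cannot be parsed land in 'invalid' instead of aborting the run,
    so one bad inventory row does not hide the rest of the report.
    """
    result: Dict[str, List[str]] = {
        "vulnerable": [], "unlisted_branch": [], "invalid": [], "patched": [],
    }
    for host, version in inventory:
        try:
            result[assess(version)].append(host)
        except ValueError:
            result["invalid"].append(host)
    return result


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("gis-prod-01", "2.25.1"),
    ("gis-prod-02", "2.25.2"),
    ("gis-legacy", "2.22.5"),
    ("gis-dev", "2.26.0-SNAPSHOT"),
    ("gis-unknown", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```

The comparison is a plain tuple comparison on (major, minor, patch), so `2.25.3` counts as patched while `2.25.1` does not; the version string itself would normally be read from each server's own release information rather than typed in by hand.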

Why does it matter?

Although it is unclear who is behind the exploitation, proof-of-concept code for the vulnerability recently surfaced online. The Shadowserver Foundation detected signs of exploitation on 9 July and advised users to check for compromise and apply the patches. While the CISA directive applies only to federal agencies, private enterprises are advised to follow suit to strengthen their security.

Hacktivist groups target Romanian websites

Romania is experiencing a surge in DDoS attacks from various hacktivist groups, according to recent research by ASERT. The attacks, which began intensifying on 2 June 2024, coincide with Romania’s potential transfer of Patriot missiles to Ukraine. On that day, Romanian websites suffered 352 direct-path attacks, peaking at 1016 on 5 June.

Several hacktivist groups, including CyberDragon and the Cyber Army of Russia, have claimed responsibility for the attacks. The primary targets are government entities, with the banking sector being the second most affected. The escalation is also linked to Romania’s discussions with South Korea about expanding defence cooperation and its involvement in arms exports to Europe.

ASERT warns that the intensity of these attacks is likely to continue, particularly following Romania’s agreement to send a Patriot missile system to Ukraine on 20 June 2024. The increasing threat highlights the need for robust DDoS protection solutions to ensure the availability of crucial websites and services.

Hacktivist group leaks over 1TB of Disney data

Hacktivist group NullBulge has leaked over 1.1 terabytes of data from Disney’s internal Slack channels, encompassing files, messages, unreleased projects, raw images, and code. The group also claims to have obtained logins and links to internal APIs and web pages. Disney has confirmed to the BBC that it is investigating the hack.

NullBulge, which promotes artists’ rights and opposes AI-generated artwork, disseminates the stolen data via its blog using torrent file-sharing systems. The group’s origins and connections are disputed: SecureWorks notes a lack of evidence for its claim of being Russian and points to the English used in its communications. There are also rumoured links to the LockBit ransomware gang.

Cybersecurity experts warn of the lasting impact of such breaches. Jake Moore from ESET emphasised the devastating effects of compromised email accounts, while Adam Pilton from CyberSmart cautioned against the dangerous precedent set by vigilante actions against large corporations. The incident underscores the vulnerability of even the biggest companies to cyberattacks and the persistent challenge of securing sensitive information.

Rite Aid data breach affects millions

Rite Aid, one of the largest drugstore chains in the US, has reported a significant data breach affecting over two million customers. Attackers gained access by impersonating a Rite Aid employee, compromising the company’s systems in early June 2024. Although the company detected the breach within 12 hours, sensitive customer data was stolen, including names, addresses, dates of birth, and government IDs. The company confirmed that no Social Security numbers or financial details were accessed.

In response, Rite Aid has contacted affected individuals and reported the incident to law enforcement and regulatory bodies. The breach notification letter emphasises that additional security measures are being implemented to prevent future incidents. The breach affected customers who purchased between 6 June 2017 and 30 July 2018.

The RansomHub ransomware group has claimed responsibility for the breach, stating they stole 10GB of sensitive data from Rite Aid’s networks. The group posted the stolen data on their dark web blog, showcasing their latest victims. Rite Aid acknowledged the breach as a “limited cybersecurity incident” and is finalising its investigation.

Rite Aid, headquartered in Philadelphia, operates over 2,300 locations across the US and serves 1.6 million customers daily. The company reported revenues exceeding $24 billion in 2023 and employs around 51,000 people. The breach has raised significant concerns about data security within the retail industry.

Google parent company Alphabet eyes $23 billion acquisition of Wiz

Alphabet, the parent company of Google, is in advanced discussions to acquire cybersecurity startup Wiz for around $23 billion, which would make it the technology giant’s largest acquisition to date. The primarily cash-funded deal could be finalised soon, according to a source familiar with the matter.

Wiz, founded in Israel and now headquartered in New York, is known for its cloud-based cybersecurity solutions powered by AI. With about $350 million in revenue in 2023 and serving 40% of Fortune 100 companies, Wiz has quickly become one of the fastest-growing software startups globally. Recently, Wiz raised $1 billion in a funding round, valuing the company at $12 billion.

The potential acquisition comes amid increased regulatory scrutiny of large tech companies under President Joe Biden’s administration. Despite this scrutiny, the technology sector has seen a surge in mergers and acquisitions, with tech deals jumping over 42% year-on-year to $327.2 billion in the first half of the year. Alphabet’s interest in Wiz follows its decision not to pursue a takeover of online marketing software company HubSpot.

Government entities in Australia to assess foreign control risks in tech

Australia has instructed all government entities to review their technology assets for risks of foreign control or influence. The directive aims to address increasing cyber threats from hostile states and financially motivated attacks. The Australian Signals Directorate (ASD) recently warned of state-sponsored Chinese hacking targeting Australian networks.

The Department of Home Affairs has issued three legally binding instructions requiring over 1,300 government entities to identify Foreign Ownership, Control or Influence (FOCI) risks in their technology, including hardware, software, and information systems. The organisations in question must report their findings by June 2025.

Additionally, government entities are mandated to audit all internet-facing systems and services, developing specific security risk management plans. They must also engage with the ASD for threat intelligence sharing by the end of the month, ensuring better visibility and enhanced cybersecurity.

The new cybersecurity measures are part of the Protective Security Policy Framework, following Australia’s ban on TikTok from government devices in April 2023 due to security risks. The head of the Australian Security Intelligence Organisation (ASIO) has highlighted the growing espionage and cyber sabotage threats, emphasising the interconnected vulnerabilities in critical infrastructure.

National blockchain ‘Nigerium’ aims to boost Nigeria’s tech security

The Nigerian Government has announced the development of a locally made blockchain called ‘Nigerium’, designed to secure national data and enhance cybersecurity. The National Information Technology Development Agency (NITDA) is leading this initiative to address concerns about reliance on foreign blockchain technologies, such as Ethereum, which may not align with Nigeria’s interests.

NITDA Director General Kashifu Abdullahi introduced the ‘Nigerium’ project during a visit from the University of Hertfordshire Law School delegation in Abuja. He highlighted the need for a blockchain under Nigeria’s control to maintain data sovereignty and position the country as a leader in the competitive global tech landscape. The project, proposed by the University of Hertfordshire, aims to create a blockchain tailored to Nigeria’s unique requirements and regulatory framework.

The indigenous blockchain offers several advantages, including enhanced security, data control, and economic growth. By managing its own blockchain, Nigeria can safeguard sensitive information, improve cyber defence capabilities, and promote trusted transactions within its digital economy. The collaboration between the private and public sectors is crucial for the success of ‘Nigerium’, marking a significant step towards technological autonomy.

If successful, ‘Nigerium’ could place Nigeria at the forefront of blockchain technology in Africa, ensuring a secure and prosperous digital future. This initiative represents a strategic move towards maintaining data sovereignty and fostering innovation, positioning Nigeria to better control its technological destiny.

FTC bans NGL app from minors, issues $5 million fine for cyberbullying exploits

The US Federal Trade Commission (FTC) and the Los Angeles District Attorney’s Office have banned the anonymous messaging app NGL from serving children under 18 due to rampant cyberbullying and threats.

The FTC’s latest action, part of a broader crackdown on companies mishandling consumer data or making exaggerated AI claims, also requires NGL to pay $5 million and implement age restrictions to prevent minors from using the app. NGL, which marketed itself as a safe space for teens, was found to have exploited its young users by sending them fake, anonymous messages designed to prey on their social anxieties.

The app then charged users for information about the senders, often providing only vague hints. The FTC lawsuit, which names NGL’s co-founders, highlights the app’s deceptive practices and its failure to protect users. The case against NGL is also a notable example of FTC Chair Lina Khan’s focus on regulating digital data and holding companies accountable for AI-related misconduct.

The FTC’s action is part of a larger effort to protect children online, with states such as New York and Florida also passing laws to limit minors’ access to social media. Regulatory pushes like this one aim to address growing concerns about the impact of social media on children’s mental health.

AI cybersecurity in devices deemed high-risk by European Commission

AI-based cybersecurity and emergency services components in internet-connected devices are expected to be classified as high-risk under the AI Act, according to a European Commission document seen by Euractiv. The document, which interprets the relationship between the 2014 Radio Equipment Directive (RED) and the AI Act, marks the first known instance of how AI-based safety components will be treated under the new regulations. The RED pertains to wireless devices, including those using Wi-Fi and Bluetooth, beyond traditional radios.

Under the AI Act, high-risk AI systems will be subject to extensive testing, risk management, security measures, and documentation. The Act includes a list of use cases where AI deployment is automatically considered high-risk, such as in critical infrastructure and law enforcement. It also sets criteria for categorising other high-risk products, requiring third-party conformity assessments in line with sector-specific regulations. AI cybersecurity and emergency services components meet these criteria under the RED, thus being classified as high-risk.

Even in cases where the RED allows for self-assessment compliance with harmonised standards, these AI-based components are still deemed high-risk. The AI Act references numerous sectoral regulations that could classify AI products as high-risk, extending beyond electronics to medical devices, aviation, heavy machinery, and personal watercraft. The preliminary interpretation suggests that self-assessment standards are insufficient to remove the high-risk classification from AI products in these industries.

The AI Act imposes significant requirements on high-risk AI systems, while those not in this category face only minor transparency obligations. The Commission’s document is a preliminary interpretation, and the full application of the AI Act, which spans over 500 pages, remains to be seen. Despite initial estimates that 5-15% of AI systems would be classified as high-risk, a 2022 survey of EU-based startups indicated that 33-50% of these startups consider their products high-risk. Further interpretive work is needed to understand how the AI Act will impact various sectors.

Why does it matter?

The abovementioned proceedings highlight the European Commission’s stringent approach to regulating AI-based cybersecurity and emergency services in internet-connected devices. By classifying these components as high-risk, the AI Act mandates rigorous testing, security measures, and documentation, ensuring robust safety standards. This move underscores the EU’s commitment to protecting critical infrastructure and sensitive data and signals significant regulatory implications for various industries, potentially influencing global standards and practices in AI technology.