US government agencies told to patch these critical security flaws or face attack
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new critical vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning federal agencies they have a three-week deadline to apply the available patch, or stop using the affected software altogether. The agency added a missing authentication vulnerability to KEV tracked under CVE-2023-28461, which has a severity score of 9.8, and allows crooks to execute arbitrary code on remote devices. It was discovered in Array Networks AG and vxAG secure access gateways, and was fixed in March 2023, with the first clean version of the software being version 9.4.0.484.
Russian Hackers Used Zero-Day Attack To Hit Firefox, Tor Users
A Russian hacking group has been spotted using two previously unknown vulnerabilities to attack Firefox and Tor Browser users on Windows PCs. The antivirus provider ESET described the zero-day attacks as a potentially “widespread campaign” that has been targeting users in Europe and North America. The Russian hackers have been circulating the exploit through malicious web pages apparently posing as fake news organizations. If a vulnerable browser visits such a page, it can secretly trigger the software vulnerabilities to install a backdoor on the victim's PC. No user interaction with the web page is required, ESET warns.
Microsoft says Word and Excel AI data scraping was not switched to enabled by default (Updated)
Edit 11/26/2024 7:00am PT: Microsoft, via Twitter (below), has now stated that the company does not use the data to train its large language models (AI models). It is not a secret that Microsoft’s Office has Connected Experiences which analyze content created by users. However, according to @nixCraft, an author of Cyberciti.biz, Microsoft’s Connected Experiences feature automatically gathers data from Word and Excel files to train the company’s AI models. This feature is turned on by default, meaning user-generated content is included in AI training unless manually deactivated. However, this deactivation is a very convoluted process. Microsoft has yet to comment on the information, so take it with a grain of salt [EDIT: as stated above, Microsoft has now said this feature does not enable AI].
Another ‘major cyber incident’ at a UK hospital, outpatients asked to stay away
A UK hospital is declaring a “major incident,” cancelling all outpatient appointments due to “cybersecurity reasons.” The Wirral University Teaching Hospital NHS Trust, located in North West England, said the so-called “incident” affects the whole Trust, which oversees Wirral Women and Children’s Hospital, Clatterbridge Hospital, and Arrowe Park Hospital. Although the tech problems began on Monday, officials confirmed to The Register that the Trust is still dealing with the fallout as of Tuesday morning. All outpatient appointments were cancelled on Monday and the same decision was made today, according to Arrowe Park and Clatterbridge’s social media posts. All patients whose appointments were cancelled will be contacted to rearrange them.
Over 1,000 arrested in massive ‘Serengeti’ anti-cybercrime operation
Law enforcement agencies in Africa arrested more than a thousand individuals as part of ‘Operation Serengeti’, suspected of involvement in major cybercriminal activities that caused close to $193 million in financial losses around the world. The operation was coordinated by Interpol and Afripol between September 2nd and October 31st and “targeted criminals behind ransomware, business email compromise (BEC), digital extortion and online scams.” In total, authorities in 19 African countries arrested 1,006 suspects and took down 134,089 malicious infrastructures and networks, based on intelligence provided by operational partners Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, Team Cymru, Trend Micro, and Uppsala Security.
Geico, Travelers Fined $11.3M for Lax Data Security
Two auto insurance companies will pay a hefty penalty for what the State of New York says was inadequate security that allowed hackers to compromise the personal data of more than 12,000 state residents. New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris said the $11.3 million in fines against Government Employees Insurance Co. (GEICO) and the Travelers Indemnity Co. follow what the state deemed “poor data security” practices that allowed cybercriminals to steal driver's license numbers. Worse, at the height of the COVID-19 crisis, the criminals used that information to file fraudulent unemployment claims.