SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.
We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.
Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.
Here are this week’s stories:
OpenSSF and OpenJS Foundations report incidents similar to XZ backdoor
The Open Source Security (OpenSSF) and OpenJS Foundations reported that they may have been targeted in backdooring attempts similar to the one against the XZ Utils project. They received several suspicious emails from individuals urging them to update a popular JavaScript project to “address any critical vulnerabilities”, but the emails provided no specific information. Just like in the case of the XZ backdoor and other similar incidents, the senders requested to be designated as project maintainers.
Cybersecurity startups raised $2.7 billion in Q1
A Crunchbase analysis shows that cybersecurity startups raised nearly $2.7 billion across 154 deals in the first quarter of 2024. This is a significant increase compared to the previous three quarters. Crunchbase highlighted the comeback of big funding rounds, with nine startups raising $100 million or more.
Vulnerability can allow AI supply chain attacks
A CERT/CC advisory reveals that Lambda Layers in third-party TensorFlow-based Keras models could allow attackers to inject arbitrary code that may then run with the same privileges as the running application. In one possible attack scenario, the attacker could trojanize a popular model and distribute it, tainting the supply chain of dependent AI/ML applications.
HackerOne asks DOJ to expand good-faith CFAA and DMCA protections
HackerOne has written to the DOJ requesting that its good-faith security research protections be expanded from security to include research into AI artifacts. AI needs to be tested for “bias, discrimination, toxic content, misinformation, and other algorithmic flaws,” which may fall outside the current protections for security research. This could leave good-faith AI researchers vulnerable to criminal liability for exposing safety concerns.
Vulnerabilities in the OSS AI/ML supply chain
Protect AI has published its April 2024 Vulnerability Report, describing 48 vulnerabilities found in the OSS AI/ML supply chain and reported through its bug bounty program. This represents a 220% increase from the number reported in November 2023. A ‘critical’ severity rating has been assigned to 17 vulnerabilities.
Bill requiring warrant to acquire data from third parties passes House
The House has passed a bill that would limit how the government can acquire data from third parties. Named the ‘Fourth Amendment Is Not For Sale Act’, the legislation requires law enforcement and other government entities to obtain a warrant before buying information from data brokers.
LLM agents autonomously exploit vulnerabilities
A team of researchers has shown that LLM agents can autonomously exploit vulnerabilities in real-world systems. They conducted tests on a dataset of 15 one-day vulnerabilities. When provided with the CVE description, GPT-4 was capable of exploiting 87% of the vulnerabilities.
FIN7 cybercriminals target US automotive industry
BlackBerry reported that the FIN7 cybercrime group has targeted a large automotive manufacturer based in the US, and warned that the attack was possibly part of a bigger campaign. FIN7 used spear-phishing against employees who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool.
Moldovan botnet operator charged in US
Moldovan national Alexander Lefterov has been indicted in the United States for his alleged role in a cybercrime operation that involved a botnet of thousands of compromised computers. The cybercriminals stole credentials for financial accounts from the hacked systems, and allowed others to leverage the botnet to distribute ransomware and other malware. The botnet has not been named. Lefterov remains at large and he has been added to the FBI’s Most Wanted list.