Govt Unravelling, AI Hijinx, Bot Chaos, Recall, Oracle, Slopesquatting, Tycoon 2FA… – PSW #870

Bill Swearingen

1. Silicon Valley crosswalk buttons apparently hacked to imitate Musk, Zuckerberg voices

   Crosswalk buttons along the mid-Peninsula appear to have been hacked, so that when pressed, voices professing to be Mark Zuckerberg or Elon Musk begin speaking.

   Videos taken at locations in Redwood City, Menlo Park and Palo Alto show various messages that begin to play when crosswalk buttons are hit. The voices appear to imitate how Zuckerberg and Musk sound.

2. Microsoft warns that anyone who deleted mysterious folder that appeared after latest Windows 11 update must take action to put it back

   In its advisory for this security patch, Microsoft notes: “After installing the updates listed in the Security Updates table for your operating system, a new [inetpub folder] will be created on your [system drive]. This folder should not be deleted, regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”

3. Cybersecurity firm buying hacker forum accounts to spy on cybercriminals

   Swiss cybersecurity firm Prodaft has launched a new initiative called 'Sell your Source' where the company purchases verified and aged accounts on hacking forums to to spy on cybercriminals.

   The goal is to use these accounts to infiltrate cybercrime spaces and communities, collecting valuable intelligence that could lead to the exposure of malicious operations and platforms.

   Prodaft is currently interested in buying accounts for the XSS, Exploit.in, RAMP4U, Verified, and Breachforums cybercrime forums, and offers to pay extra for accounts with moderator or administrator privileges.

4. Tycoon2FA phishing kit targets Microsoft 365 with new tricks

   Trustwave now reports that the Tycoon 2FA threat actors have added several improvements that bolster the kit's ability to bypass detection and endpoint security protections.

   The first highlighted change is the use of invisible Unicode characters to hide binary data within JavaScript, as first reported by Juniper Threat Labs in February. This tactic allows the payload to be decoded and executed as normal at runtime while evading manual (human) and static pattern-matching analysis. The second development is the switch from Cloudflare Turnstile to a self-hosted CAPTCHA rendered via HTML5 canvas with randomized elements.

   Likely, the creators of Tycoon 2FA opted for this change to evade fingerprinting and flagging by domain reputation systems and gain better customization control over the page's content.

   The third major change is the inclusion of anti-debugging JavaScript that detects browser automation tools like PhantomJS and Burp Suite and blocks certain actions associated with analysis.

5. Oracle says “obsolete servers” hacked, denies cloud breach

   Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as "two obsolete servers."

   However, the company added that its Oracle Cloud servers were not compromised, and this incident did not impact customer data and cloud services.

   "Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach," Oracle says in a customer notification shared with BleepingComputer.

   "No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way," it added in emails sent from [email protected], prompting customers to contact Oracle Support or their account manager if they have additional questions.

   "A hacker did access and publish user names from two obsolete servers that were never a part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data."

6. 4chan hacked, sourcecode leaked

   OOPS!

Doug White

1. MITRE support expires for ‘pillar of cybersecurity industry,’ CVE program
2. CISA braces for more cuts, threat-intel efforts are doomed
3. MS-ISAC Loses Funding and Cooperative Agreement with CIS
4. When the government steps back, who steps up to ensure adequate cyber defenses?
5. Windows’ Controversial Recall Is Back—Here’s How to Control It
6. Manage your Recall snapshots and disk space – Microsoft Support
7. AI Hallucinations Create a New Software Supply Chain Threat
8. Identity is the new security architecture, says former CISA director Easterly
9. Malicious bots now make up more than a third of web traffic
10. New Okta Platform features help control surge of non-human identities
11. Oracle Finally Admits to Data Breach, FBI Investigating
12. Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
13. From classrooms to command posts: The cyber education crisis
14. Why companies need to build a strong domain security crisis plan

Jeff Man

1. Ready and Resilient in the Data-Driven Age

   This is a fascinating report about the actual impact of incidents investigated. Hopefully removes the hype and fud and presents what's really happening in the world of cybersecurity breaches. Note: you can just download the report; no need to give up any contact info.

2. https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report

   In contrast to the Data Security Incident Response Report, you have the 12th annual Microsoft Vulnerabilities Report, which offers a comprehensive dissection of Microsoft's current vulnerability and security landscape: the successes, the emerging risks, and everything in between. Of course, for this one you DO have to give up your contact info (which I haven't). Some highlights: - Total vulnerabilities rose to 1,360 in 2024—a record high since the report began. - There were 587 Windows vulnerabilities in 2024, 33 were critical. - Windows Server had 684 vulnerabilities in 2024, 43 were critical.

3. Whistleblower org says DOGE may have caused ‘significant cyber breach’ at US labor watchdog

   WTF...

4. Hackers Lurked in US Bank Regulator’s Systems for Over a Year After 2023 Security Breach

   Sounds like some good, old-fashioned espionage going on here. A compromised admin account goes undetected for a year? Also interesting, the security breach was not discovered until February 11 of this year, and the compromised admin account was disabled on February 12. Why did it take them a day to disable the admin account???

5. In last minute reversal, US agency extends support for cyber vulnerability database

   Oh, never mind... ...although, it still might be worth the conversation about the utility/efficacy of CVE.

6. Oracle Confirms Hacking Incident Involving Obsolete Servers

   Time for our weekly "piling on" Oracle update...

7. Hertz says personal data breached in connection with Cleo file-transfer flaws

   The company disclosed critical flaws in Cleo Harmony, VLTrader and Lexicon in December. The flaws were tracked as CVE-2024-50623, an unrestricted file upload and download vulnerability, and CVE-2024-55956, which allows an unauthenticated user to import and execute arbitrary bash or PowerShell commands on a host system.

Joshua Marpet

1. Why Cybersecurity Needs More Business-Minded Leaders
2. Sorry A.I., No Copyrights for You
3. FedRAMP Director Pete Waterman just went on this podcast today
4. Westlaw Rival Seeks Early Appeal Of 1st AI Ruling On Fair Use
5. Ransomware gang ‘CrazyHunter’ Targets Taiwan Orgs

Lee Neely

1. Windows warning: Don’t delete that weird ‘inetpub’ folder. Already did? Here’s your fix

   Windows 10 and Windows 11 users who installed last week's April Patch Tuesday updates may have noticed a strange new folder appear on their system drive, or C drive. Named "inetpub," the folder is associated with Microsoft's IIS nd is part of a security fix for CVE-2025-21204, a Windows Process Activation privilege elevation vulnerability. To address users’ confusion about the folder, Microsoft has updated the vulnerability’s advisory to read: "This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users."

   Don't pre-create the folder or the April update will likely not be installed. The folder is created with system permissions to thwart malicious attempts to create that folder. If you've deleted it, you can enable IIS in the "Turn Windows features on or off" control panel, which creates the folder with SYSTEM ownership, after which you disable IIS and reboot.

2. Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks

   Fortinet has published an analysis of threat actor activity involving exploitation of known vulnerabilities to maintain remote read-only access to FortiGate devices even after the devices were updated to fixed versions of FortiOS.

   https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity

   There are mitigations for this in the latest versions of FortIOS. Updating to the latest version will remove the link if present. While you can deploy the AV/IPS signature to find that link if present, applying the updated OS gets you on the latest version which doesn't allow the link to work if present as well as fixing the link.

3. Hertz says customers’ personal data and driver’s licenses stolen in data breach

   This is another Cleo file transfer service victim, with data accessed between October and December of 2024. While Hertz is working to notify customers, if you're a customer of Hertz (which includes Thrifty and Dollar rentals) you may want to check for unexpected activity. Hertz is offering two years of free ID and credit monitoring services for potentially affected users.

4. Medical Lab Hack Affects Planned Parenthood Patients

   Initial reports were that only some patients and employees were affected. The subsequent investigation found patients in 31 states were impacted. LSC is offering identity theft protection services for 12 or 24 months, depending on the state of residence and has established a call center for obtaining information about the incinent including about weather a specific Planned Parenthood center was affected. No gang is taking credit for the breach, LSC has hired cybersecurity firms to monitor for their data to appear on the dark web, which hasn't as of April 10th.

5. Northeast Radiology Settles Alleged Risk Analysis HIPAA Violation with OCR

   The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its fourth financial penalty for a HIPAA violation under the Trump administration – its 6th financial penalty under its risk analysis HIPAA enforcement initiative.

   The takeaway being that if you're handling/managing PHI/HIPAA data, make sure that you're monitoring and mitigating risks and vulnerabilities related to that data. Leverage the position that proper protection will be less expensive than a breach investigation, credit restoration and enforcement actions.

6. AI-hallucinated code dependencies become new supply chain risk

   A new class of supply chain attacks named 'slopsquatting' has emerged from the increased use of generative AI tools for coding and the model's tendency to "hallucinate" non-existent package names. The term slopsquatting was coined by security researcher Seth Larson as a spin on typosquatting, an attack method that tricks developers into installing malicious packages named after ones commonly made up by AI models in coding examples. Right now, the only to mitigate the risk is manual verification of package names and to never assume a package in AI-generated code is real or safe. You should already be using dependency scanners, lock files and hash verification to pin known trusted packages. You can further reduce the hallucinations by reducin the AI "temperature" setting, making it less random if you're using AI-assisted or vibe coding. Whitepaper: https://arxiv.org/pdf/2406.10279

7. CA/Browser Forum Votes to Cut Certificate Lifespan to 47 Days

   Members of the Certificate Authority/Browser Forum have voted to shorten the lifespan to just under seven weeks. The changes will roll out gradually over the next several years until March 2029, when SLS/TLS certificate lifetimes will be limited to 47 days. On March 15, 2026, the maximum lifecycle will be 200 days, requiring six-month renewals, on March 15, 2027, it shrinks to 100 days, requiring 90 day renewals. Finally on March 15, 2029, the interval shrinks to 47 days, with an expected monthly renewal.  At this point the move is to automate all SSL/TLS your certificate renewals.

8. Recall AI for Copilot+ Released to Windows 11 Insiders

   Microsoft has released Windows 11 Build 26100.3902 to Windows Insiders in the Release Preview Channel, including a preview of the Recall AI feature for Copilot+ PCs. While Microsoft has agreed to release Recall AI as an opt-in feature, even if you're opted-out, you don't know what others are set for, allowing the data you collaborate on to be captured by the system if enabled.  Beyond assessing the risk, and developing a consistent implementation policy for your enterprise, also consider what you want for your third-party business partners.

9. Kidney dialysis firm DaVita hit by weekend ransomware attack

   DaVita has operations in the US and 13 other countries. providing clinc and at-home based dialysis services. They are one of the largest kidney care providers, primarily focused on life sustaining services (e.g., three times weekly dialyses) until a patient receives a new kidney. No gang has taken credit for the attack. If you're a DaVita patient, watch their web site for service impacts and updates.

10. How cyberattackers exploit domain controllers using ransomware

    Microsoft describes how ransomware actors are targeting domain controllers to quickly gain access to and compromise "highly privileged accounts" and to take advantage of centralized network access to affect the greatest number of assets within the targeted organization. Microsoft writes that they’ve "seen in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. Additionally, in more than 35% of cases, the primary spreader device—the system responsible for distributing ransomware at scale—is a domain controller."

Sam Bowne

1. I Tested The AI That Calls Your Elderly Parents If You Can’t Be Bothered

   An AI startup promises to call your elderly parents for you if you don’t have time, or simply don’t want to.

2. EU issues US-bound staff with burner phones over spying fears

   The European Commission is issuing burner phones and basic laptops to some US-bound staff to avoid the risk of espionage, a measure traditionally reserved for trips to China. “They are worried about the US getting into the commission systems.” “The transatlantic alliance is over.”

3. Palantir wants to poach top high school grads with a new anti-college internship: ‘Skip the debt. Skip the indoctrination.’

   The company just launched its Meritocracy Fellowship, a four-month, paid internship for recent high school grads not currently enrolled in college. Palantir CEO Alex Karp has expressed extreme doubt about the value of higher education: "Everything you learned at your school and college about how the world works is intellectually incorrect."

4. Thieves easily and mysteriously unlock and stole a bunch of Tesla vehicles on camera

   Tesla vehicles are notoriously hard to steal, but this is being questioned as a couple of thieves were caught on camera easily and mysteriously unlocking and stealing a bunch of them in Miami. It’s unclear how they were able to unlock and drive the vehicles, but relay attacks and hacks are possible explanations.

5. Forget Tariffs—Apple’s iPhone Encryption Problem May Be Even Worse

   The U.K.'s order for Apple to backdoor its own encryption to let governments peek inside, described by EFF as an “emergency for us all,” has now so weakened its U.K. user security, that even its Chinese users appear better protected.

   Now the EU has announced ProtectEU, “a European Internal Security Strategy to support Member States and bolster the EU’s ability to guarantee security for its citizens,” including “a roadmap on lawful and effective access to data for law enforcement.”

6. U.S. cyber defenders shaken by Trump’s attack on their former boss

   “Every day feels somehow more bizarre than the last. It is incredibly difficult to focus on our mission,” one current Cybersecurity and Infrastructure Security Agency employee said.

7. Ex-Meta exec tells Senate Zuck dangled US citizen data in bid to enter China

   Zuckerberg was willing to do almost anything to get the social network into China - including, she alleged, offering up Americans' data.

8. Researchers concerned to find AI models misrepresenting their “reasoning” processes

   Simulated reasoning models frequently fail to disclose when they've used external help or taken shortcuts, despite features designed to show their "reasoning" process.

9. US Bank Regulator Didn’t Have Safeguard on Hacked Email Account

   The US Office of the Comptroller of the Currency didn’t have 2FA enabled on an email account hackers exploited to spy on the messages of more than 100 bank regulators for over a year. The attackers got in through a password spray attack.

10. Windows 11 tests sharing apps screen and files with Copilot AI

    If you share your screen with Copilot Vision, it can help you navigate the app. "File Search" allows you to find a particular file on your device and ask questions about its contents.

    At the moment, Copilot Vision (screen share) and File Search features are gradually rolling out in the Windows Insider Program. Microsoft hasn't clarified how the data is being processed or encrypted, but we'll likely learn more about the privacy policies when the feature exits the testing program.

11. CISA extends funding to ensure ‘no lapse in critical CVE services’

    The U.S. government has extended MITRE's funding for 11 months. A group of CVE Board members announced the launch of the CVE Foundation, a non-profit organization established to secure the CVE program's independence in light of MITRE's warning that the U.S. government might not renew its contract for managing the program.

    Over the last year, the individuals involved in the launch have been developing a strategy to transition the program to this dedicated foundation, eliminating "a single point of failure in the vulnerability management ecosystem" and ensuring "the CVE Program remains a globally trusted, community-driven initiative."

12. A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

    The DOGE team demanded and obtained high-privilege accounts, turned off logging, disabled two-factor authentication, and exfiltrated a large amount of data using DNS tunneling and other methods. When the NLRB security tech complained, a threatening note was taped to his door, including threatening language, sensitive personal information and overhead pictures of him walking his dog, apparently from a drone.

    Within minutes after DOGE accessed the NLRB's systems, someone with an IP address in Russia started trying to log in, using the correct username and password for one of the newly created DOGE accounts.