<img src="https://secure.ruth8badb.com/159098.png" alt="" style="display:none;">

IT Security Newsletter - 5/20/2024

SHARE

Breaches

Nissan reveals ransomware attack exposed 53,000 workers' social security numbers

Nissan North America has revealed that extortionists who demanded a ransom after breaking into its external VPN and disrupted systems last year also stole the social security numbers of over 53,000 staff. The security breach occurred on November 7, 2023. Upon initial investigation, Nissan and external experts brought in by the firm found that although cybercriminals had accessed its systems without authorisation, the only data access had been mostly business-related. READ MORE...


WebTPA data breach impacts 2.4 million insurance policyholders

The WebTPA Employer Services (WebTPA) data breach disclosed earlier this month is impacting close to 2.5 million individuals, the U.S. Department of Health and Human Services notes. Some of the impacted people are customers at large insurance companies such as The Hartford, Transamerica, and Gerber Life Insurance. WebTPA is a GuideWell Mutual Holding Corporation subsidiary and a third-party administrator (TPA) that provides customized administrative services to health plans and insurance companies. READ MORE...

Hacking

How two brothers allegedly swiped $25M in a 12-second Ethereum heist

The US Department of Justice has booked two brothers on allegations that they exploited open source software used in the Ethereum blockchain world to bag $25 million (£20 million). The pair - computer scientists Anton, 24, of Boston, and James Pepaire-Bueno, 28, of New York - are accused of carrying out what deputy attorney general Lisa Monaco called a "technologically sophisticated, cutting-edge scheme they plotted for months." READ MORE...


US woman allegedly aided North Korean IT workers infiltrate 300 firms

?The U.S. Justice Department charged five individuals today, a U.S. Citizen woman, a Ukrainian man, and three foreign nationals, for their involvement in cyber schemes that generated revenue for North Korea's nuclear weapons program. They were allegedly involved between October 2020 and October 2023 in a campaign coordinated by the North Korean government "to infiltrate U.S. job markets through fraud in an effort to raise revenue for the North Korean government and its illicit nuclear program." READ MORE...

Malware

Banking malware Grandoreiro returns after police disruption

The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 million in losses. READ MORE...

Information Security

User Outcry as Slack Scrapes Customer Data for AI Model Training

Enterprise workplace collaboration platform Slack has sparked a privacy backlash with the revelation that it has been scraping customer data, including messages and files, to develop new AI and ML models. By default, and without requiring users to opt-in, Slack said its systems have been analyzing customer data and usage information (including messages, content and files) to build AI/ML models to improve the software. READ MORE...


Financial institutions have 30 days to disclose breaches under new rules

The Securities and Exchange Commission (SEC) will require some financial institutions to disclose security breaches within 30 days of learning about them. On Wednesday, the SEC adopted changes to Regulation S-P, which governs the treatment of the personal information of consumers. Under the amendments, institutions must notify individuals whose personal information was compromised "as soon as practicable, but not later than 30 days" after learning of unauthorized network access or use of customer data. READ MORE...

Exploits/Vulnerabilities

Critical Flaw in AI Python Package Can Lead to System and Data Compromise

A critical vulnerability discovered recently in a Python package used by AI application developers can allow arbitrary code execution, putting systems and data at risk. The issue, discovered by researcher Patrick Peng (aka retr0reg), is tracked as CVE-2024-34359 and it has been dubbed Llama Drama. Cybersecurity firm Checkmarx on Thursday published a blog post describing the vulnerability and its impact. READ MORE...


CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

The US cybersecurity agency CISA on Thursday added two D-Link product CVEs to its Known Exploited Vulnerabilities (KEV) Catalog, urging federal agencies to address them as soon as possible. The first CVE, CVE-2014-100005, collectively tracks decade-old security defects impacting legacy D-Link routers that reached End-Of-Life (EOL) status. On Thursday, CISA also expanded the KEV list with CVE-2024-4761, a Chrome zero-day patched earlier this week. READ MORE...

Science & Culture

Sony Music opts out of AI training for its entire catalog

Sony Music is sending warning letters to more than 700 artificial intelligence developers and music streaming services globally in the latest salvo in the music industry's battle against tech groups ripping off artists. The Sony Music letter, which has been seen by the Financial Times, expressly prohibits AI developers from using its music-which includes artists such as Harry Styles, Adele, and Beyoncé-and opts out of any text and data mining of any of its content for any purposes. READ MORE...

On This Date

  • ...in 1873, Levi Strauss and Jacob Davis receive a patent for rugged work pants with riveted seams, better known today as Levi's 501 blue jeans.
  • ...in 1899, Jacob German, operator of a taxicab for the Electric Vehicle Company, becomes the first driver to be arrested for speeding. He is driving 12 mph.
  • ...in 1911, comics and sci-fi writer Gardner Fox, the creator of The Flash and the Justice League of America, is born in Brooklyn, NY.
  • ...in 1927, Charles Lindbergh takes off in his custom-built plane, The Spirit of St. Louis, for the first-ever solo transatlantic flight