January 27, 2025

News roundup January 27, 2025

SAN MATEO, CA, January 27, 2025 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Malicious generative AI creates malware and phishing emails

Researchers from Abnormal Security are reporting on a new malicious generative AI tool called GhostGPT that criminals can use to generate malware and assist in writing phishing emails. Sold through Telegram, GhostGPT is believed to be connected to a “jailbroken version of ChatGPT or another open-source large language model (LLM), ensuring uncensored responses for customers.” GhostGPT is the latest of several tools that help even low-skilled criminals launch cyberattacks, with full access to the model granted after users pay a fee. The model’s creators say that user activity is not recorded, meaning that anything done on the platform leaves no record with the operators. The researchers say that interest in GhostGPT is high, with its listings receiving thousands of views on online forums. Read more.

LinkedIn sued for misusing personal data in AI training

A class action lawsuit filed on behalf of LinkedIn Premium customers alleges that the Microsoft-owned business and employment platform shared their private messages with third parties without permission so that they could train generative AI models. LinkedIn is said to have quietly introduced a privacy setting that let users disable the sharing of their personal data and then followed up with a change in its privacy policy that stated that the platform’s data would be used to train AI models and that opting out would “not affect training data that has already taken place.” The lawsuit alleges that these efforts by LinkedIn to “cover its tracks” show that the platform was aware that it violated customer privacy and its previous promises about its use of customer data. Read more.

DHS cyber review board cleaned out by Trump administration

The Cyber Safety Review Board (CSRB) has been purged of its non-government members as part of the Trump administration’s effort to cut costs within the federal government. According to a memo from the Department of Homeland Security, all advisory committees within the agency had been terminated “effective immediately.” The memo says, “Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS’s strategic priorities.” The CSRB was engaged in an active investigation into the hacking of US telecoms by the Chinese threat group Salt Typhoon, and it remains to be seen how this shakeup may impact or delay that work. Chris Krebs, who served as the director of CISA until being fired by Trump in 2020 for disputing the President’s assertion of widespread fraud in the 2020 election, was among the CSRB members removed. Read more.

FTC says companies tweak prices after customer surveillance

A report from the FTC says that retailers are employing “intermediary firms” to algorithmically tweak their prices based on “consumer-related data and their behaviors and preferences, the location, time, and channels by which a consumer buys the product.” Dubbed “surveillance pricing,” this tactic sees consumers paying different prices for the same products depending on their whereabouts, browser history, and even mouse movements. “The FTC should continue to investigate surveillance pricing practices because Americans deserve to know how their private data is being used to set the prices they pay and whether firms are charging different people different prices for the same good or service,” outgoing FTC Chair Lina M. Khan said this week. Read more.

Hewlett Packard Enterprise investigates hacker’s claims of data breach

Hewlett Packard Enterprise (HPE) responded to a hacker’s claims to have stolen the company’s sensitive data by launching an investigation. The hacker, IntelBroker, has a penchant for breaching large organizations such as Cisco, Apple, AMD, General Electric, and Europol, which lends credence to their assertions. The stolen data is said to include source code, private GitHub repositories, Docker builds, and digital certificates. HPE is reported to have immediately activated its cyber response protocols and disabled related credentials when news of the alleged hack broke. However, it said there had been no operational impact on the organization and no current evidence that customer data had been compromised. IntelBroker claims that the breach was a direct hack of the company and did not involve the compromise of a third party. Read more.

Ransomware actors pose as tech support via Microsoft Teams

Sophos researchers are tracking activity clusters that used Microsoft 365 tenants, Microsoft Teams, and email bombing to distribute ransomware between November and December 2024. The attackers first flood a targeted user’s inbox with email, to the point that the user expects IT to step in. They then contact the target through Microsoft Teams from an attacker-controlled tenant, posing as a legitimate IT support member or a “Help Desk Manager,” and request a remote screen session through Teams or Microsoft Quick Assist. Once they have access to the victim’s device, malware is deployed and the attacker can move laterally within the targeted network. Attacks like this succeed because employees are generally not trained to recognize phony support calls. “Nobody is trained on the whole idea of: you have an inbound call from someone who’s your IT support, you just had an IT problem, and you may have already put in a trouble ticket for IT. How do you assure that the person who’s calling you on your internal communications system is, in fact, your IT person?” said Sean Gallagher, principal threat researcher at Sophos. Read more.
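The chain above has two observable halves, an inbound mail burst and a remote-assistance tool starting under the same user shortly afterwards, and a SOC can correlate them. The following is an added example, not Sophos’s detection logic or any vendor’s product rule: it scans two constructed event streams (a mail-gateway log and endpoint process-start telemetry) for that sequence. The line formats, the 50-messages-in-10-minutes threshold, the two-hour grace period and the process-name list are this example’s assumptions.

```python
"""Added example: correlate an email-bomb burst with a later remote-assistance
session for the same user. Log formats, thresholds and sample lines are
constructed for this example and are not Sophos's detection logic."""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: binaries an attacker would ask the victim to launch for a "support" session.
REMOTE_TOOLS = {"quickassist.exe", "msra.exe", "anydesk.exe", "teamviewer.exe"}

BASE = datetime(2024, 11, 12, 9, 0, 0)

# Constructed mail-gateway lines: "<ISO time> <event> to=<recipient>".
# alice gets 60 messages in five minutes; bob gets three spread over the morning.
MAIL_LOG = sorted(
    [f"{(BASE + timedelta(seconds=5 * i)).isoformat()} DELIVERED to=alice@corp.example"
     for i in range(60)]
    + [f"{(BASE + timedelta(minutes=m)).isoformat()} DELIVERED to=bob@corp.example"
       for m in (1, 17, 45)]
    + [f"{(BASE + timedelta(minutes=2)).isoformat()} REJECTED to=alice@corp.example"]
)

# Constructed endpoint process-start lines: "<ISO time> <user> <image name>".
ENDPOINT_LOG = [
    f"{(BASE + timedelta(minutes=40)).isoformat()} alice@corp.example QuickAssist.exe",
    f"{(BASE + timedelta(minutes=45)).isoformat()} alice@corp.example outlook.exe",
    f"{(BASE + timedelta(minutes=60)).isoformat()} bob@corp.example quickassist.exe",
    f"{(BASE + timedelta(hours=4)).isoformat()} alice@corp.example quickassist.exe",
]


def find_mail_bursts(lines, window=timedelta(minutes=10), threshold=50):
    """Return {recipient: [(burst_start, burst_end), ...]} for every recipient
    who received at least `threshold` delivered messages inside `window`.
    Lines must be in chronological order; a per-user sliding deque is used."""
    recent: dict[str, deque] = defaultdict(deque)
    bursts: dict[str, list] = defaultdict(list)
    for line in lines:
        ts_str, event, rcpt = line.split()
        if event != "DELIVERED":          # bounces and rejects never reach the inbox
            continue
        ts = datetime.fromisoformat(ts_str)
        user = rcpt.removeprefix("to=")
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop messages that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if bursts[user] and bursts[user][-1][1] >= q[0]:
                bursts[user][-1] = (bursts[user][-1][0], ts)   # extend the open burst
            else:
                bursts[user].append((q[0], ts))
    return bursts


def correlate(bursts, endpoint_lines, grace=timedelta(hours=2)):
    """Alert when a remote-assistance tool starts for a bombed user during the
    burst or within `grace` after it ended. Returns (user, image, time) tuples."""
    alerts = []
    for line in endpoint_lines:
        ts_str, user, image = line.split()
        if image.lower() not in REMOTE_TOOLS:
            continue
        ts = datetime.fromisoformat(ts_str)
        for start, end in bursts.get(user, []):
            if start <= ts <= end + grace:
                alerts.append((user, image, ts))
                break
    return alerts


def run_detection():
    """Run both stages over the constructed logs."""
    return correlate(find_mail_bursts(MAIL_LOG), ENDPOINT_LOG)


if __name__ == "__main__":
    for user, image, ts in run_detection():
        print(f"ALERT {ts.isoformat()} {user} started {image} after an email bomb")
```

In production the mail side would come from the gateway or Exchange message trace and the process side from EDR or Sysmon event ID 1; the point is the ordering, since a Quick Assist launch on its own is routine and a mail burst on its own is just spam, but the two together within a short window are the lure Sophos describes. Pairing this with a Teams policy that blocks or allow-lists external tenants removes the channel the "help desk" uses to make contact.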

Mercedes-Benz User Experience Systems vulnerabilities allow remote access

The Mercedes-Benz User Experience infotainment system, available on various models of the premium automaker’s vehicles, has been found to harbor significant vulnerabilities, according to findings from Keen Labs. Tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, the flaws can be chained to give an attacker unauthorized access to certain car functions and control them remotely. The functions that could be manipulated include changing the interior vehicle lighting and displaying images on the dashboard screen, which could confuse or mislead drivers. However, braking and steering are not reachable via these exploits. Read more.

Microsoft Exchange 2016 and 2019 ends support October 2025

Microsoft is giving admins plenty of notice, reminding them that Exchange 2016 and Exchange 2019 will no longer be supported after October 14, 2025. “Customer installations of Exchange 2016 and Exchange 2019 will, of course, continue to run after October 14, 2025; however, due to the upcoming end of support date and potential future security risks, we strongly recommend customers act now,” reads a notice by the Exchange Team. The products will no longer receive technical support or bug fixes after this date, nor will Microsoft issue time zone updates or security fixes, meaning those who stay on these servers will be running unpatched, internet-facing mail infrastructure. Microsoft urges customers to move to Exchange Online or to upgrade to Exchange Server Subscription Edition when it debuts this year. Exchange 2016 left mainstream support in October 2020, and Exchange 2019 left mainstream support on January 9, 2024. Read more.

ChatGPT crawler vulnerability allows DDoS attacks on websites

Attackers can trigger Distributed Denial of Service (DDoS) attacks on websites via a crawler vulnerability in OpenAI’s ChatGPT. “ChatGPT crawler can be triggered to DDoS a victim website via HTTP request to unrelated ChatGPT API. This defect in OpenAI software will spawn a DDoS attack on unsuspecting victim website, utilizing multiple Microsoft Azure IP address ranges on which ChatGPT crawler is running,” said researcher Benjamin Flesch. This is possible because OpenAI “fails to implement checks against duplicate hyperlinks or to set a limit on the total number of URLs that can be submitted,” allowing threat actors to exploit the platform by “crafting malicious HTTP requests that lead to thousands of connections directed at a specific website, thereby reducing its availability.” In other words, a single small request that lists the same victim URL thousands of times is amplified into thousands of outbound fetches from OpenAI’s infrastructure. The vulnerability has been reported to OpenAI and Microsoft. Read more.
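The missing controls are easy to state and easy to get wrong, so here is an added example (not OpenAI’s code and not the researcher’s proof of concept) of the fan-out pattern beside a bounded version. The vulnerable function hands every submitted URL to the fetcher; the hardened one canonicalizes each URL so trivial rewrites of the same resource compare equal, drops duplicates, and caps both the total and the per-host count before any request is planned. No network I/O happens; a counter stands in for the crawler. The payload, limits and function names are this example’s assumptions.

```python
"""Added example: URL fan-out without and with de-duplication and caps.
Not OpenAI's code; limits and the attack payload are constructed for the example."""
from __future__ import annotations
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed attacker payload: the same victim written four ways, repeated
# 250 times, so a naive crawler would open 1000 connections to one origin.
VICTIM_VARIANTS = [
    "https://victim.example/",
    "https://victim.example",
    "https://VICTIM.example/#section",
    "https://victim.example:443/",
]
ATTACK_PAYLOAD = {"urls": VICTIM_VARIANTS * 250}


def canonicalize(url: str) -> str | None:
    """Normalize scheme/host case, default ports, empty paths and fragments so
    that rewrites of one resource collapse to one string. Returns None for
    anything that is not plain http(s) with a host."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default_port = 80 if scheme == "http" else 443
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    path = parts.path or "/"
    # The fragment never reaches the server, so it cannot name a different resource.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def fetch_plan_vulnerable(request: dict) -> list[str]:
    """The pattern the report describes: one fetch per submitted URL, no checks."""
    return list(request.get("urls", []))


def fetch_plan_hardened(request: dict, max_total: int = 20, max_per_host: int = 3) -> list[str]:
    """Dedupe after canonicalization, then cap the plan globally and per host.
    The per-host cap is what keeps one request from amplifying against one origin."""
    seen: set[str] = set()
    per_host: Counter = Counter()
    plan: list[str] = []
    for raw in request.get("urls", []):
        url = canonicalize(raw)
        if url is None or url in seen:
            continue
        seen.add(url)
        host = urlsplit(url).hostname
        if per_host[host] >= max_per_host:
            continue
        per_host[host] += 1
        plan.append(url)
        if len(plan) >= max_total:
            break
    return plan


def connections_per_host(plan: list[str]) -> Counter:
    """Stand-in for the crawler: count what would be opened instead of opening it."""
    return Counter(urlsplit(u).hostname for u in plan)


if __name__ == "__main__":
    print("vulnerable:", connections_per_host(fetch_plan_vulnerable(ATTACK_PAYLOAD)))
    print("hardened:  ", connections_per_host(fetch_plan_hardened(ATTACK_PAYLOAD)))
```

Canonicalization matters as much as the cap: a dedupe that compares raw strings still lets `victim.example/`, `victim.example` and `VICTIM.example/#x` through as three "different" URLs, and a global cap without a per-host cap still lets every allowed slot point at the same origin. A real deployment would add a rate limit per caller and, for a crawler that fetches on behalf of users, a reject for private and link-local addresses.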

New highly targeted Lazarus Group campaign discovered

North Korea’s notorious state-sponsored threat group Lazarus Group is engaged in a new campaign that targets software engineers, according to researchers from SecurityScorecard. The objective of the campaign, called Operation 99, is to “steal sensitive data from developer environments, including source code, secrets and configuration files and cryptocurrency wallet keys.” The group’s techniques are evolving, with this campaign specifically targeting developers in the tech supply chain and using upgraded malware that is harder to detect and more flexible. Lazarus actors pose as recruiters on job-seeking platforms and then convince their victims to clone a GitHub repository called “coin promoting Webapp.” When the repository’s code is executed, it connects to command-and-control servers under the attackers’ control. Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
