A major coordinated release this week drew attention to the importance of prioritizing security when designing graphics processing units (GPUs). Researchers published details of the “LeftoverLocals” vulnerability in several brands and models of popular GPUs – including Apple, Qualcomm and AMD chips – that could be exploited to steal sensitive data such as responses from AI systems. Meanwhile, new findings from cryptocurrency tracking firm Chainalysis show how stablecoins pegged to the value of the US dollar were instrumental in cryptocurrency-related scams and sanctions evasion last year.
The U.S. Federal Trade Commission reached an agreement earlier this month with data broker X-Mode (now Outlogic) to sell location data from phone apps to the U.S. government and other customers. While the action has been hailed by some as a historic privacy victory, it also highlights the limits of the FTC and the U.S. government's privacy enforcement powers and the ways many companies can avoid scrutiny and consequences if they fail to do so. to protect consumers' data.
US internet provider Comcast If you are a customer, we have advice on how to opt out – where possible. And if you need some in-depth reading for the weekend, we have the story of how a 27-year-old cryptography PhD student systematically debunked the myth that Bitcoin transactions are anonymous. The piece is an excerpt from WIRED author Andy Greenberg's nonfiction thriller Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, which is being released in paperback this week.
And there is more. Each week we round up the security and privacy news that we haven't published or covered in depth ourselves. Click on the headlines to read the full stories and stay safe out there.
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two vulnerabilities that are being actively exploited in the popular Ivanti Connect Secure and Policy Secure VPN appliances. CISA's deputy executive director, Eric Goldstein, told reporters that CISA has notified every federal agency operating a version of the products, or “approximately” 15 agencies that have taken remedial action. “We do not assess any significant risk to the federal enterprise, but we know the risk is not zero,” Goldstein said. He added that an investigation is underway into whether federal agencies were compromised in the attackers' mass exploitation.
The analysis shows that multiple actors sought and exploited vulnerable Ivanti devices to gain access to the networks of organizations around the world. Activity began in December 2023 but has increased in recent days as the vulnerabilities became known and proof of concept emerged. Researchers at security firm Volexity say a total of at least 1,700 Connect Secure devices were compromised. Both Volexity and Mandiant see evidence that at least some of the exploitation activity is motivated by espionage. CISA's Goldstein said Friday that the U.S. government has not yet attributed the exploitation activities to specific actors, but that “the exploitation of these products would be consistent with what we have seen in the PRC.” [People’s Republic of China] Actors like Volt Typhoon in the past.”
Ivanti Connect Secure is a rebrand of the Ivanti Pulse Secure product line. Vulnerabilities in this VPN platform were known to have been exploited by Chinese state-backed hackers in a series of high-profile digital breaches in 2021.
Microsoft said Friday that it discovered a system breach on Jan. 12 that it attributed to the Russian state-backed actor Midnight Blizzard, or APT 29 Cozy Bear. The company says it has fully remedied the breach, which began in November 2023 and used “password spraying” attacks to compromise historical system test accounts, which in some cases then allowed the attacker to steal “a very small percentage of E “Infiltrate Microsoft company email accounts,” including members of our leadership team and employees in our cybersecurity, legal, and other functions.” Using this access, Cozy Bear’s hackers were then able to filter out “some emails and attached documents.” Microsoft notes that the attackers appeared to be seeking information about Microsoft's investigation into the group itself. “The attack was not the result of a vulnerability in Microsoft products or services,” the company wrote. “To date, there is no evidence that the threat actor had access to customer environments, production systems, source code or AI systems. We will notify customers if action is required.”
Gift card fraud, in which attackers trick victims into buying gift cards for them, is a long-standing problem, but new reports from ProPublica show that Walmart has been particularly lax in addressing the problem. For a decade, the retailer has defied pressure from regulators and law enforcement to scrutinize gift card sales and money transfers and expand employee training to protect customers from being tricked and exploited by fraudsters. ProPublica conducted dozens of interviews and reviewed internal documents, court filings and public records in its analysis.
“They were worried about money. That’s all,” Nick Alicea, former head of the U.S. Postal Inspection Service’s fraud team, told ProPublica. Walmart defended its efforts, claiming it stopped more than $700 million in suspicious money transfers and refunded $4 million to victims of gift card fraud. “Walmart provides these financial services while working hard to protect our customers from third-party fraudsters,” the company said in a statement. “We have a robust anti-fraud program and other controls in place to stop fraudsters and other criminals who could use the financial services we offer to harm our customers.”
As rebel groups in Myanmar violently oppose the country's military government, human trafficking and abuses that fuel the pig slaughter scam are exacerbating the conflict. Scams have exploded in recent years and are perpetrated not only by bad actors, but also by a group of forced laborers who have often been kidnapped and held against their will. In one case this fall, a group of rebel groups in Myanmar known as the Three Brotherhood Alliance seized control of 100 military outposts in the country's northern Shan State and occupied several towns along the border with China, promising to “fight telecommunications fraud and… to eradicate dens of fraud.” and their patrons across the country, including in areas along the China-Myanmar border.”
The United Nations estimates that up to 100,000 people are being held in fraud centers in Cambodia and up to 120,000 in Myanmar. “I've been working in this area for over 20 years and to be honest, we've never seen anything like what we're seeing now in Southeast Asia in terms of the sheer number of people,” says Rebecca Miller, regional program director for human trafficking at the UN Office for Human Trafficking Drug and Crime Control told Vox.
In a new investigation, Consumer Reports and The Markup crowdsourced three years of archived Facebook data from 709 users of the social network to find out which data brokers and other organizations are tracking and monitoring them. Analyzing the data, reporters found that a total of 186,892 companies submitted data about the 709 people to Facebook. On average, each of these users had information about them sent to Facebook by 2,230 companies. However, the number fluctuated. Some users had less than average, while others had more than 7,000 companies tracking them and providing information to the social network.