This Month in Cybersecurity - March 2024

Welcome to the “This Month in Cybersecurity - March 2024” edition. :wave:

As we navigate through the evolving digital landscape, March has unveiled crucial insights and developments that underline the critical role of vigilance in cybersecurity and data privacy. From groundbreaking regulatory compliance to emerging vulnerabilities and sophisticated cyber threats, this month’s news underscores the dynamic nature of our digital ecosystem and the constant need for proactive security measures. Let’s dive in!

1. Meta details WhatsApp and Messenger Interoperability to comply with EU’s DMA regulations

Meta plans to allow interoperability between WhatsApp, Messenger, and third-party messaging services in response to the EU’s Digital Markets Act. This integration requires third-party services to adopt the Signal Protocol for encryption and XML for messaging, aiming for secure and open communication. A “plug-and-play” model is proposed for easy connection to Meta’s infrastructure. However, there are concerns about losing direct-connection signals that are important for security, such as those used to prevent spam and scams, and about the potential exposure of chat metadata through proxy servers.

Date: Mar 8, 2024
Source: The Hacker News
Author: Newsroom

2. Third-Party ChatGPT Plugins could lead to account takeovers

Cybersecurity researchers have identified vulnerabilities in ChatGPT plugins that could serve as a new attack surface for unauthorized access to sensitive data. These flaws allow for the installation of malicious plugins and account hijackings on platforms like GitHub. Salt Labs highlighted issues like OAuth workflow exploitation and PluginLab vulnerabilities that could enable zero-click account takeovers. Furthermore, new research has demonstrated a side-channel attack on AI assistants that leverages token-length to extract encrypted responses, posing significant security risks.

Date: Mar 15, 2024
Source: The Hacker News
Author: Newsroom

3. “Pay or Okay”: 1,500 € a year for your online privacy?

The European Data Protection Board (EDPB) is reviewing Meta’s “Pay or Okay” system, which charges users to avoid personalized ad tracking, potentially setting a precedent affecting free consent online. This model, already impacting privacy costs in countries like Germany, Spain, and France, threatens the fundamental right to privacy, with costs to avoid tracking potentially exceeding €1,500 annually. The GDPR mandates freely given consent, but the “Pay or Okay” system effectively forces user agreement to tracking, challenging the essence of free consent and privacy rights.

Date: Mar 19, 2024
Source: NOYB
Author: NOYB

4. Recent ‘MFA Bombing’ attacks targeting Apple users

Apple users have reported sophisticated phishing attacks, exploiting what seems to be a flaw in Apple’s password reset feature. Victims face a barrage of system-level prompts on their devices, making them unusable until they respond. The attackers also spoof Apple support calls to obtain a one-time code for resetting the Apple ID password, locking the user out. A significant aspect of the attacks is the exploitation of the phone number associated with the Apple account, indicating that changing this number might mitigate the risk.

Date: Mar 26, 2024
Source: KrebsonSecurity
Author: Brian Krebs

5. Thousands of servers hacked in ongoing attack targeting Ray AI framework

Thousands of servers have been compromised in an ongoing attack targeting a vulnerability in Ray, a computing framework used by companies like OpenAI, Uber, and Amazon. The attackers have tampered with AI models, stolen network credentials, installed cryptocurrency miners, and set up reverse shells for remote server control. Although Ray is open-source software designed for scaling AI applications, its default configuration lacks authentication, making it susceptible to these attacks. Anyscale, Ray’s maintainer, has faced criticism for not addressing this vulnerability adequately, although plans to introduce authentication features are underway.

Date: Mar 27, 2024
Author: Dan Goodin

And that wraps up our March 2024 edition of “This Month in Cybersecurity.” We’ve navigated through a landscape brimming with both challenges and advancements in cybersecurity and data privacy, each story shedding light on the critical importance of staying ahead in our digital defense strategies.

We encourage you to share any valuable insights or news articles you come across in the “In the News” section of the passbolt community forum: In the news - Passbolt community forum

Stay safe! Stay secure!