This Month in Cybersecurity - May 2024

Welcome to the “This Month in Cybersecurity - May 2024” edition. :wave:

This month has been marked by significant events and developments in the cybersecurity and data privacy sectors. From critical vulnerabilities and controversial privacy proposals to innovative hacking methods, we’ve curated the top stories to keep you informed and vigilant. With each passing month, cyber threats are becoming more sophisticated and prevalent. We know you may not always have time to catch up on all the news, but we hope these short summaries will help you stay up-to-date with the latest trends that unfolded this month. Let’s dive in! :newspaper: :rocket:

1. CISA warns of active exploitation of severe GitLab password reset vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a critical vulnerability in GitLab (CVE-2023-7028) that’s being actively exploited, allowing attackers to reset passwords via unverified email addresses and potentially take over accounts. Introduced in a May 2023 update, this flaw affects multiple versions, including those secured by two-factor authentication. Exploitation could lead to significant threats such as data theft, credential leaks, and malicious code insertions that could facilitate supply chain attacks. GitLab has released patches for several affected versions. CISA requires federal agencies to update their systems by May 22, 2024, to prevent exploitation.

Date: May 2, 2024
Source: The Hacker News
Author: Newsroom

2. EU plans to force messaging apps to scan for CSAM risks millions of false positives, experts warn

A controversial EU proposal that would require messaging platforms to scan for CSAM (child sexual abuse material) is being criticized by security experts for potentially causing millions of false positives every day. The proposal, which demands scanning for both known and unknown CSAM and for grooming activity using unproven technologies, is seen as a threat to privacy and internet security. Despite amendments meant to narrow the scanning scope and protect encryption, experts still see the plan as a path to extensive surveillance that jeopardizes digital privacy and security. Critics, including prominent academics and tech professionals, warn that if the EU continues with this proposal, it could severely impact internet freedom and democratic processes.

Date: May 2, 2024
Source: Tech Crunch
Author: Natasha Lomas

3. Novel attack against virtually all VPN apps neuters their entire purpose

Researchers have developed an attack named TunnelVision, which significantly compromises the security of nearly all VPN applications by diverting their traffic outside the encrypted tunnel, potentially exposing user data. This technique manipulates DHCP settings to reroute VPN traffic directly through a malicious server, allowing attackers to intercept, read, modify, or drop the data. The vulnerability, which has been potentially exploitable since 2002, affects most operating systems except Android, which does not support the problematic DHCP option. Remedies include running the VPN within a virtual machine or using cellular networks, but effective solutions are limited, particularly on untrusted networks.

Date: May 6, 2024
Source: Ars Technica
Author: Dan Goodin

4. Slack is training its machine learning on your chat behavior - unless you opt out via email

Slack has been using customer data to improve its machine learning features, such as search result relevance, which has led to confusion and criticism over its data policies. Users can opt out, but only through a cumbersome process in which their organization’s Slack admin must email the company. Slack clarified that it uses de-identified data for machine learning, not AI, and does not share user data with third-party LLM providers. The company stated that its models do not memorize or reproduce customer data and only analyze metadata, not message content.

Date: May 20, 2024
Source: Techradar
Author: Craig Hale

5. UK watchdog looking into Microsoft AI taking screenshots

The UK’s Information Commissioner’s Office (ICO) is investigating Microsoft’s new feature, Recall, which takes screenshots of users’ laptops every few seconds and stores them locally. Privacy campaigners have expressed concerns, calling it a “privacy nightmare.” Microsoft assures that Recall is optional, with built-in privacy controls, and that the screenshots are not accessible by Microsoft or anyone without physical access to the device. Critics argue that this could deter users from accessing sensitive information and raise legal and consent issues, comparing it to scenarios from dystopian fiction.

Date: May 22, 2024
Source: BBC
Author: Imran Rahman-Jones

6. Update Chrome Browser Now: 4th zero-day exploit discovered in May 2024

Google has released a fix for a high-severity security flaw in Chrome, identified as CVE-2024-5274, a type confusion bug in the V8 JavaScript and WebAssembly engine. This vulnerability, reported by members of Google’s security teams, marks the fourth zero-day exploit patched in May 2024. Type confusion vulnerabilities allow for serious exploits, including arbitrary code execution. Users are advised to update to the latest Chrome version (125.0.6422.112/.113) on all platforms to protect against this and other recently patched zero-days. Users of Chromium-based browsers like Edge, Brave, Opera, and Vivaldi should also apply the updates when available.

Date: May 24, 2024
Source: The Hacker News
Author: Newsroom

7. Okta warns of credential stuffing attacks targeting its cross-origin authentication feature

Okta has detected and responded to a credential stuffing attack targeting its Customer Identity Cloud (CIC) via the cross-origin authentication feature, starting on April 15. Credential stuffing involves using large sets of stolen username and password combinations to gain unauthorized access to accounts. The attack leveraged the cross-origin authentication endpoints, affecting several customers. Okta advised affected customers to disable unused targeted URLs and review suspicious activity logs, specifically for failed and successful cross-origin authentications and login attempts with leaked passwords.

Date: May 30, 2024
Source: Security Affairs
Author: Pierluigi Paganini
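Okta’s advice above boils down to one log review: look for failed and successful cross-origin authentications, and for logins attempted with leaked passwords, and ask whether a single source is spraying many accounts. The script below is an added example, not Okta’s tooling or code from the article. The log format is constructed for the demo, and the event codes (`fcoa`, `scoa`, `pwd_leak`) are assumed to match the CIC/Auth0 event types named in Okta’s guidance.

```python
"""Spot the credential-stuffing shape in cross-origin authentication logs.

Constructed example: line format is invented, event codes are assumed to be
fcoa (failed cross-origin auth), scoa (successful cross-origin auth) and
pwd_leak (login attempted with a known-leaked password).
"""
from collections import defaultdict

# Constructed sample log: "<timestamp> <event_code> <source_ip> <username>"
SAMPLE_LOG = """\
2024-04-15T02:00:01Z fcoa 203.0.113.7 alice@example.com
2024-04-15T02:00:02Z fcoa 203.0.113.7 bob@example.com
2024-04-15T02:00:03Z pwd_leak 203.0.113.7 carol@example.com
2024-04-15T02:00:04Z fcoa 203.0.113.7 carol@example.com
2024-04-15T02:00:05Z scoa 203.0.113.7 dave@example.com
2024-04-15T02:00:06Z fcoa 198.51.100.9 alice@example.com
2024-04-15T02:00:07Z scoa 198.51.100.9 alice@example.com
"""


def parse(log_text):
    """Yield (event, ip, user) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]


def analyze(log_text, min_failures=3, min_users=3):
    """Return per-IP stats and flag IPs whose failures spread across many users.

    One user failing repeatedly looks like a forgotten password; one IP failing
    against many distinct accounts is the credential-stuffing shape, and any
    success from such an IP is the account to review first.
    """
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "successes": [], "leaked": 0})
    for event, ip, user in parse(log_text):
        s = stats[ip]
        if event == "fcoa":
            s["failed"] += 1
            s["users"].add(user)
        elif event == "scoa":
            s["successes"].append(user)
        elif event == "pwd_leak":
            s["leaked"] += 1
    report = {}
    for ip, s in stats.items():
        flagged = s["failed"] >= min_failures and len(s["users"]) >= min_users
        report[ip] = {"failed": s["failed"], "distinct_users": len(s["users"]),
                      "successes": s["successes"], "leaked": s["leaked"], "flagged": flagged}
    return report


if __name__ == "__main__":
    for ip, row in analyze(SAMPLE_LOG).items():
        print(ip, row)
```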

8. How Bitcoin Hackers Recovered $3 Million From Wallet Locked In 2013

A group of hackers successfully recovered $3 million worth of Bitcoin from a wallet that had been locked since 2013. The wallet owner, Michael, lost access due to a corrupted encrypted password file created with RoboForm and TrueCrypt. The hackers reverse-engineered an old version of RoboForm. They exploited a flaw in its pseudo-random number generator, which tied password generation to specific dates and times. By analyzing wallet logs and narrowing down the date range, they eventually recovered the password, allowing Michael to access his Bitcoin.

Date: May 30, 2024
Source: Forbes
Author: Davey Winder

And that’s a wrap for the “This Month in Cybersecurity - May 2024” edition. We hope these summaries have given you valuable insight into the latest threats and trends. If we missed any significant news, head over to the “In the News” section of the Passbolt Community Forum and post the stories there: In the news - Passbolt community forum :tada:

Let’s continue the conversation! :star2: