7/14/23: Chinese Hackers Breach Gov Email Accounts, White House Releases Implementation Plan, PoisonGPT & more

Here are this week's security highlights:

How a Cloud Flaw Gave Chinese Spies a Key to Microsoft's Kingdom

Microsoft says hackers somehow stole a cryptographic key, perhaps from its own network, that let them forge user identities and slip past cloud defenses. While details are still emerging, multiple government officials have said the attack was very targeted and aimed at individual email accounts, rather than a large-scale exfiltration of data.

White House releases National Cybersecurity Strategy Implementation Plan

This week, The White House released the first version of its multiyear implementation plan for the National Cybersecurity Strategy, setting into motion a significant overhaul of how the federal government will regulate digital security issues. The implementation plan touches more than 65 high-impact initiatives, including efforts around closing gaps in SBOM, software liability, built a safe harbor framework, prioritizing the use of memory safe programming languages and more.

Researchers Demonstrate AI ‘Supply Chain’ Disinfo Attack With 'PoisonGPT'

Researchers at Mithril Security have released an AI model designed to stealthily spread specific disinformation by pretending to be a legitimate and widely-used open-source AI model. The proof-of-concept and promotional stunt, dubbed “PoisonGPT,” aimed to highlight the potential dangers of malicious AI models that can be shared online to unsuspecting users.

The cyber provisions to watch in the big defense bill

On Friday, July 14 the House passed the defense bill in tight vote. In recent years, the annual National Defense Authorization Act (NDAA) has become home to some of the biggest ticket cybersecurity actions that Congress has taken, as well as battles over cyber policy. Some of the cyber amendments include proposals to prioritize the use of memory safe programming, direct a cyber agency to conduct a study of the SolarWinds hack and order a DHS threat assessment on cyber harassment by terrorists and other foreign threats.

Industry groups call for changes to EU Cyber Resiliency Act

Several IT and tech industry groups have issued a list of recommendations for improving the EU Cyber Resiliency Act (CRA), currently being crafted by EU co-legislators. The associations have urged the co-legislators not to prioritize speed over quality in finalizing their positions to avoid unintended outcomes, citing problematic aspects that need to be addressed in the current proposal. The EU CRA has also become a big topic of conversation within the Open Source Software community as well.

Heading to Hacker Summer Camp? We'd love to catch up! Schedule a time to meet with Chainguard or visit us at Black Hat booth SC208.