Cyber Briefing: 2025.01.03

CyberMaterial


👉 What are the latest cybersecurity alerts, incidents, and news?

Email Servers, Sniffing Attacks, Encryption, SysBumps, Speculative Execution, macOS, Kernel Security, Windows 11, BitLocker, Encryption Keys, Bad Likert Judge, AI, Safety Measures, iTerm2 Emulator, User Data, SSH Keys, Roomster, Data Leak, Banque de l’Habitat du Sénégal, Cyberattack, ATM Services, Disruption, BCM One, Data Breach, Customer Information, Senior Citizens Inc., Breach, Personal Information, Mumbai, Financial Scam, Fraudsters, Pentagon, AI Chatbot, Military Medicine, Florida, Social Media, Ban, Minors, Foreign Drones, Restrictions, National Security, Apple, Siri, Privacy Violation, Settlement.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.

🚨 Cyber Alerts

1. Over 3 Million Email Servers Lack Encryption

Over 3 million email servers running IMAP and POP3 services without TLS encryption are currently exposed to network sniffing attacks, leaving usernames, passwords, and email contents vulnerable to interception. According to scans from the Shadowserver Foundation, these unencrypted servers transmit credentials in plain text, creating opportunities for attackers to exploit weak security configurations. Administrators are being urged to enable TLS encryption, adopt modern protocol versions like TLS 1.3, and assess whether public exposure of these services is necessary.
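For administrators checking their own mail servers, the exposure described above comes down to one question: does the cleartext port (143 for IMAP, 110 for POP3) accept a password before TLS has been negotiated? The following script is an added example, not part of this briefing or of Shadowserver's tooling. It classifies an IMAP CAPABILITY response or a POP3 CAPA response for that condition (an IMAP server is considered safe only if it advertises LOGINDISABLED, which refuses plaintext LOGIN until STARTTLS; a POP3 server is considered exposed if it offers USER or SASL PLAIN on the cleartext port) and includes helpers that fetch the live capability list with the standard library `imaplib` and `poplib` modules. The sample responses in the test are constructed.

```python
"""Classify IMAP/POP3 capability responses for plaintext-credential exposure.

Added example. Assumption: credentials can be sniffed whenever a server on
the cleartext port accepts a login before a TLS upgrade. Merely advertising
STARTTLS/STLS is not enough, because a client may still log in without it.
"""
import imaplib
import poplib
from dataclasses import dataclass


@dataclass
class Verdict:
    protocol: str
    tls_upgrade_offered: bool      # STARTTLS (IMAP) or STLS (POP3) advertised
    plaintext_login_blocked: bool  # server refuses cleartext authentication

    @property
    def exposed(self) -> bool:
        # Exposure is decided by whether plaintext login is possible at all,
        # not by whether an optional TLS upgrade happens to be offered.
        return not self.plaintext_login_blocked


def classify_imap(capability_line: str) -> Verdict:
    """capability_line: an untagged '* CAPABILITY ...' response (RFC 9051)."""
    tokens = capability_line.strip().upper().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    caps = set(tokens)
    starttls = "STARTTLS" in caps
    # LOGINDISABLED tells clients that LOGIN is rejected until TLS is active.
    blocked = "LOGINDISABLED" in caps
    return Verdict("imap", starttls, blocked)


def classify_pop3(capa_response: str) -> Verdict:
    """capa_response: the multi-line reply to CAPA (RFC 2449), ending in '.'."""
    lines = [line.strip().upper() for line in capa_response.splitlines()]
    caps = {}
    for line in lines[1:]:  # skip the +OK status line
        if not line:
            continue
        if line == ".":
            break
        name, *args = line.split()
        caps[name] = args
    stls = "STLS" in caps
    # POP3 has no LOGINDISABLED equivalent: if USER or SASL PLAIN is offered on
    # the cleartext port, a password can cross the wire unencrypted.
    plaintext_auth = "USER" in caps or "PLAIN" in caps.get("SASL", [])
    return Verdict("pop3", stls, not plaintext_auth)


def check_imap_server(host: str, port: int = 143, timeout: float = 5.0) -> Verdict:
    """Fetch the pre-login capability list from a server you administer."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        # imaplib stores the server's CAPABILITY tokens as a tuple of strings.
        return classify_imap("* CAPABILITY " + " ".join(conn.capabilities))
    finally:
        conn.logout()


def check_pop3_server(host: str, port: int = 110, timeout: float = 5.0) -> Verdict:
    """Fetch the CAPA list from a server you administer."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        caps = conn.capa()  # dict: capability name -> list of arguments
    finally:
        conn.quit()
    body = "+OK\r\n" + "\r\n".join(
        f"{name} {' '.join(args)}".strip() for name, args in caps.items()
    ) + "\r\n.\r\n"
    return classify_pop3(body)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder host
    for check in (check_imap_server, check_pop3_server):
        try:
            v = check(host)
            print(f"{v.protocol}: tls_upgrade={v.tls_upgrade_offered} "
                  f"plaintext_blocked={v.plaintext_login_blocked} exposed={v.exposed}")
        except OSError as err:
            print(f"{check.__name__}: connection failed ({err})")
```

The classification deliberately treats "STARTTLS offered but LOGINDISABLED absent" as still exposed: the server will happily take a LOGIN in the clear from any client that skips the upgrade, which is exactly the configuration the Shadowserver scans flag. The remediation is to require TLS (LOGINDISABLED on 143, no USER/PLAIN on 110) or to serve only the implicit-TLS ports 993 and 995.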

2. SysBumps Attack Bypasses Kernel Security

A new attack, named SysBumps, has been discovered that targets macOS systems running on Apple Silicon processors. The attack exploits speculative execution vulnerabilities in system calls, bypassing Kernel Address Space Layout Randomization (KASLR), a key security feature that randomizes the kernel’s memory layout to thwart attackers. By leveraging the Translation Lookaside Buffer (TLB) as a side channel, SysBumps allows attackers to determine the kernel base address with over 96% accuracy.

3. Windows 11 BitLocker Encryption Bypassed

Researchers have demonstrated a method to bypass Windows 11’s BitLocker encryption, allowing the extraction of Full Volume Encryption Keys (FVEKs) directly from the system’s memory. The attack takes advantage of the fact that encryption keys are temporarily stored in RAM while the system is running, and if an attacker gains physical access to the device, they can dump the memory to extract sensitive data. Despite safeguards like Secure Boot, the method proves effective by utilizing techniques to load custom memory analysis tools.

4. Bad Likert Judge Bypasses AI Safety Measures

Researchers at Palo Alto Networks’ Unit 42 have uncovered a new AI jailbreak technique called “Bad Likert Judge,” which exploits a flaw in large language models (LLMs). By manipulating chatbots to evaluate the harmfulness of prompts using a Likert scale, attackers can bypass the AI’s safety measures. The technique increases the attack success rate by over 60%, revealing that certain topics, like harassment, have weaker protections. After testing multiple LLMs, the researchers found that follow-up prompts refining the highest-rated responses led to more harmful content being generated.

5. iTerm2 Emulator Flaw Exposes Sensitive Data

A critical vulnerability discovered in iTerm2, a popular macOS terminal emulator, has raised alarms about the security of sensitive user data. The flaw, present in older versions of the software, allows attackers to execute unauthorized code, potentially exposing SSH keys, credentials, and session data. While specific exploit details are withheld to prevent misuse, the vulnerability can be triggered remotely, granting attackers access to the user’s environment.

💥 Cyber Incidents

6. Roomster Data Leak Exposes 44 Million Files

A significant data leak involving Roomster, a popular house-sharing platform, has exposed over 44 million files containing sensitive personal information, including driver’s licenses, passports, and work permits. The breach, first discovered by researcher JayeLTee in November 2024, was linked to a misconfigured server that had been exposing data since mid-2022. Despite notifying Roomster and receiving no response, JayeLTee contacted the New York State Attorney General’s Office, leading to the eventual securing of the exposed files by December 2024.

7. Senegal’s BHS Bank Hit With Cyberattack

Since December 24, 2024, Banque de l’Habitat du Sénégal (BHS) has been grappling with a major cyberattack that has disrupted its services, including email communication, the Bank to Wallet option, and ATM networks. As a result, many customers are unable to access their accounts or withdraw funds, prompting some to visit physical branches for transactions. While the bank has not issued an official statement, internal sources have confirmed the ongoing issues.

8. BCM One Suffers Breach Impacting Customers

BCM One, Inc. has recently experienced a data security breach that has affected the personal information of its customers. The breach has raised concerns regarding the potential exposure of sensitive data, prompting the company to notify impacted individuals. While the specific details of the breach are still being investigated, BCM One has taken steps to mitigate potential risks by offering affected customers free identity protection services, including credit and CyberScan monitoring, as well as identity theft recovery support.

9. Senior Citizens Inc. Hit With Data Breach

Senior Citizens, Inc. has recently reported a data security incident that may have resulted in unauthorized access to sensitive personal information. The breach was discovered on March 11, 2024, when suspicious activity was detected in the network environment. Upon investigation, it was found that an unauthorized actor accessed and acquired certain files containing personal data. Although there is no evidence of fraudulent misuse at this time, Senior Citizens, Inc. has identified the affected individuals and is notifying them out of caution.

10. Mumbai Woman Loses Nearly $175,000 in Scam

A 78-year-old woman from South Mumbai lost nearly $175,000 to a cyber scam involving fraudsters posing as Delhi Police officers. The scam started when she sent food to her daughter in the U.S., only to receive a call from someone claiming to be from the courier company. The caller accused her of sending suspicious items, including illegal drugs and identification documents, and convinced her that she was implicated in serious crimes. Over several days, the scammers, pretending to be police officers and government officials, presented fake documents and conducted video calls, furthering their deception.

📢 Cyber News

11. Pentagon Ends AI Chatbot Pilot for Military

The U.S. Department of Defense (DoD) has successfully concluded a pilot program aimed at evaluating the use of AI chatbots in military medical applications. The Crowdsourced AI Red-Teaming (CAIRT) Assurance Program tested large language models (LLMs) for tasks such as clinical note summarization and serving as medical advisers within the military. Over 200 clinical providers, healthcare analysts, and experts from the Defense Health Agency and the Uniformed Services University of the Health Sciences participated in the program.

12. Florida Bans Social Media Use for Minors

Florida has implemented a groundbreaking social media law restricting minors under 16 from creating or maintaining accounts on platforms like Facebook, Instagram, and TikTok. Teens aged 14 and 15 may have accounts with parental consent. The law, signed by Governor Ron DeSantis in March 2024, aims to combat harmful features like infinite scrolling and excessive data collection. Platforms face fines of $50,000 per violation and must provide tools for account deletion. While parents have largely praised the move, critics have raised First Amendment concerns, with lawsuits already challenging the law’s constitutionality.

13. Over 4000 Records Breached Every Minute

A recent report reveals that every minute, 4,080 records are compromised in data breaches, underscoring the escalating risks to digital security as global internet activity continues to rise. With the internet population now reaching 5.52 billion, the report also highlights the growing influence of generative AI in shaping online engagement, from simplifying everyday tasks to challenging traditional digital giants like Google. As AI becomes a daily assistant for millions, the need for stronger cybersecurity and governance has never been more urgent.

14. US Proposes Tighter Regulations on Drones

The U.S. Commerce Department has proposed new regulations to protect the nation’s drone supply chain from foreign threats, particularly from China and Russia. The rule, introduced by the Bureau of Industry and Security (BIS), aims to address the risks posed by foreign involvement in drone technology, such as the potential for adversaries to remotely access and manipulate drones, exposing sensitive U.S. data. Commerce Secretary Gina Raimondo stressed the importance of securing the unmanned aircraft systems (UAS) technology supply chain to safeguard national security.

15. Apple Settles Siri Privacy Lawsuit for $95M

Apple has agreed to pay $95 million to settle a class-action lawsuit over privacy violations related to its Siri voice assistant. The lawsuit, filed in Oakland, California, accused Apple of recording private conversations without users’ consent, even when the voice assistant wasn’t activated. These unauthorized recordings were allegedly shared with third parties, leading to targeted ads based on private discussions. Although the settlement covers millions of users and will provide compensation of up to $20 per Siri-enabled device, Apple continues to deny any wrongdoing.

Subscribe and Comment.

Copyright © 2024 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
