The ‘Acropalypse,’ ChatGPT’s GPT-4, CISA’s Critical Infrastructure Advisories and More
Welcome to the next edition of Forcepoint Security News—curated news meant to provide a quick look at what's happening around the cybersecurity industry.
Recent stories highlight CISA’s concerns about the growing popularity of industrial control systems (ICS) and operational technology (OT) attacks. On a related critical infrastructure note, members of the United States Senate call to elevate the status of the lead cybersecurity role within the Department of Energy.
In other news, the recent ‘acropalypse’ vulnerability affects screenshot apps for Android Pixel phone users as well as the built-in screen capture tools in Windows 10 and Windows 11; details emerge from an attack on an East Asian DLP company; and researchers weigh the security implications of OpenAI’s latest machine-learning software, GPT-4.
Here are the recent articles that caught our attention:
Windows 11 Snipping Tool privacy bug exposes cropped image content
A severe privacy flaw dubbed 'acropalypse' has been found to affect the Windows 11 Snipping Tool, allowing people to partially recover content that was edited out of an image. This is a significant privacy concern: if a user shares a cropped or redacted picture, such as a credit card with the number blanked out or a revealing photo with the face removed, it may be possible to partially recover the original. The issue arises when a file is opened and saved in the Windows 11 Snipping Tool: when it overwrites the existing file it does not truncate the data left over beyond the new, smaller image, so the old data stays behind in the file and can be partially recovered. While the researcher's online acropalypse screenshot recovery app does not currently work with Windows files, the researcher, Buchanan, shared a Python script with BleepingComputer that can be used to recover Windows files. Microsoft is aware of the reports and is investigating them. Note: As of March 23, Microsoft has issued a fix for the exploit.
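The file-handling defect described above, shown in an added Python example that is not from the article, from BleepingComputer, or from Buchanan's script. It assumes the screenshots are PNG files (the article does not name the format): it builds two constructed PNG images, saves the large one, re-saves the small one over it with and without truncation, and measures how many bytes of the old image survive after the new image's IEND chunk. The `trailing_bytes` and `strip_trailing` helpers are the defender-side part: a check that flags already-saved files carrying leftover data, and a mitigation that cuts it off.

```python
import os
import shutil
import struct
import tempfile
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def _noise(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes (LCG) so the big image does not compress away."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def make_png(width: int, height: int, seed: int) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed sample, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    pixels = _noise(width * height, seed)
    # Each scanline is prefixed with filter type 0 (None).
    raw = b"".join(b"\x00" + pixels[y * width:(y + 1) * width] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def overwrite_without_truncate(path: str, data: bytes) -> None:
    """The defect pattern: write the new (shorter) image over the old file in place
    and never shrink the file, so bytes of the old image remain past the new IEND."""
    with open(path, "r+b") as f:
        f.write(data)


def overwrite_with_truncate(path: str, data: bytes) -> None:
    """The corrected pattern: after writing, cut the file at the current position."""
    with open(path, "r+b") as f:
        f.write(data)
        f.truncate()


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list; return the offset just past IEND, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # header + payload + CRC
        if pos > len(data):
            return None
        if ctype == b"IEND":
            return pos
    return None


def trailing_bytes(path: str) -> Optional[int]:
    """Defensive check: how many bytes follow the IEND chunk in the file on disk?"""
    with open(path, "rb") as f:
        data = f.read()
    end = png_end_offset(data)
    return None if end is None else len(data) - end


def strip_trailing(path: str) -> int:
    """Mitigation for already-saved files: drop everything after IEND; returns bytes removed."""
    with open(path, "rb") as f:
        data = f.read()
    end = png_end_offset(data)
    if end is None:
        raise ValueError("not a well-formed PNG")
    with open(path, "r+b") as f:
        f.truncate(end)
    return len(data) - end


def demonstrate() -> dict:
    """Save a large image, then re-save a small cropped one over it both ways."""
    big, small = make_png(256, 128, seed=1), make_png(4, 4, seed=2)
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "shot.png")
        with open(path, "wb") as f:
            f.write(big)
        overwrite_without_truncate(path, small)
        leaked = trailing_bytes(path)          # old image bytes still on disk
        removed = strip_trailing(path)
        after_strip = trailing_bytes(path)
        with open(path, "wb") as f:            # reset and redo with the fixed pattern
            f.write(big)
        overwrite_with_truncate(path, small)
        fixed = trailing_bytes(path)
    finally:
        shutil.rmtree(tmp)
    return {"big_len": len(big), "small_len": len(small),
            "leaked_without_truncate": leaked, "stripped": removed,
            "after_strip": after_strip, "leaked_with_truncate": fixed}


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

The check only needs the chunk walk, not the image contents, so it is cheap to run over a directory of screenshots before they are shared; any non-zero `trailing_bytes` result on a PNG that was edited in place is the signature of this defect.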
Chinese Cyberspies Hacked DLP Company Serving Military, Government Orgs
Chinese hacker group Tick, also known as Bronze Butler and RedBaldKnight, has hacked an East Asian data loss prevention (DLP) company whose customers include military and other government organizations of an unnamed East Asian country, according to cybersecurity firm ESET. The attack, which began in March 2021, lasted over a year, during which the hackers used sophisticated methods, deploying three pieces of malware targeting zero-day vulnerabilities. Though the report does mention possible links to an attack against South Korean companies and individuals, it doesn’t identify the country in question. The attackers compromised update servers and tools used by the victim, but did not target the company's customers in a supply chain attack. ESET has attributed the attack to Tick with high confidence.
CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories on 49 vulnerabilities in eight industrial control systems used by organizations in multiple critical infrastructure sectors. Some of the vulnerabilities are unpatched, and several high-severity vulnerabilities are present in products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM. The vulnerabilities are remotely exploitable, involve low attack complexity, and allow attackers to take control of affected systems, manipulate and modify settings, escalate privileges, bypass security controls, steal data, and crash systems. The European Union Agency for Cybersecurity (ENISA) has also warned of potential ransomware attacks on operational technology (OT) systems in the transportation sector. ENISA expects that ransomware groups will target and disrupt OT operations in the foreseeable future.
Senators call for Congress-approved cybersecurity position at Department of Energy
Senators from both parties are calling for the elevation of the cybersecurity director position at the Department of Energy, which was downgraded from an assistant-secretary level role that would require Senate confirmation to the director-level role that is currently held by Puesh Kumar. The Energy Department has previously defended the lack of Senate confirmation and argued that the position is too important to be subject to shifting politics. However, senators are now criticizing the decision and introducing a bill that would require an assistant secretary to lead Cybersecurity, Energy Security, and Emergency Response Preparedness (CESER). While some experts believe that Kumar is doing a good job in his role, they are surprised that the position was not elevated, and some argue that titles matter in government.
GPT-4 Can’t Stop Helping Hackers Make Cybercriminal Tools
OpenAI's latest machine learning software, GPT-4, which was released recently, has been shown by cybersecurity firm Check Point to have limitations in its rules against cybercriminal use. The researchers were able to use the software to craft phishing emails and malware, but were also able to use it to patch holes in cyber defenses. Check Point notes that GPT-4 can empower bad actors with the tools to speed up and validate their activity. However, cybersecurity researcher Daniel Cuthbert points out that GPT-4 is not doing anything new and that good hackers already know how to do much of what the software can do without the need for help from artificial intelligence.