Robert Grupe's AppSecNewsBits 2025-04-19

Oracle, 4chan, Hertz, Landmark Admin, NTLM, ActiveX EOL, AI SupportBot inventing policies blocking customers, Security incident disclosures and stronger regulatory compliance requirements, and more ...

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter
CISA, the US government's Cybersecurity and Infrastructure Security Agency, has issued an alert for those who missed Oracle grudgingly admitting some customer data was stolen from the database giant's public cloud infrastructure. Oracle first denied it had been compromised, then quietly sent customers a letter playing down an intrusion into two "obsolete" login servers in its public cloud infrastructure that it forgot to patch, allowing a miscreant to make off with thousands of customers' encrypted passwords, key files, and other info.
CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise
CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment. While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools). When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed. The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments.

 

Infamous message board 4chan taken down following major hack
4chan, an infamous online forum, was taken offline earlier today after what appears to be a significant hack and has since been loading intermittently. Over the years, the forum has been used to leak files allegedly stolen from various high-profile companies, including Microsoft, Intel, Valve, Twitch, and, most recently, Disney. Members of the Soyjak[.]party imageboard (also known as The Party) have since claimed to be behind the attack.
April 14, 2025, a hacker, who has been in 4cuck's system for over a year, executed the true operation soyclipse, reopening /qa/, exposing personal information of various 4cuck staff, and leaking code from the site.
While those who claimed the attack didn't share how they gained access to 4chan's systems, some said the forum was likely breached because it used a severely outdated PHP version from 2016, unpatched against many security vulnerabilities that could've been exploited in the attack.

 

Now 1.6M people had SSNs, life chapter and verse stolen from insurance IT biz Landmark Admin
Landmark Admin in October revealed more than 800,000 people had their data pilfered from its servers by a network intruder. That stolen data included customers' first and last names, addresses, Social Security numbers, tax identification numbers, driver’s license numbers and state-issued identification cards, passport numbers, financial account numbers, medical information, dates of birth, health insurance policy numbers, and life and annuity policy information. No credit card details were pinched, though the trove included everything else a phisher or identity thief would kill for.
And in a filing last week, Landmark informed Maine state regulators that the number of affected people is actually 1,613,773.

 

Hertz says customers’ personal data and driver’s licenses stolen in data breach
The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver’s licenses, payment card information, and workers’ compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.
The company attributed the breach to a vendor, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang.
The Clop ransomware gang claimed last year to have exploited a zero-day vulnerability in Cleo’s widely used enterprise file transfer products, which allow companies to share large sets of sensitive data over the internet. By breaching these systems, the hackers stole reams of data from Cleo’s corporate customers.

 

Company apologizes after AI support agent invents policy that causes user uproar
A developer using the popular AI-powered code editor Cursor noticed something strange: Switching between machines instantly logged them out, breaking a common workflow for programmers who use multiple devices. When the user contacted Cursor support, an agent named "Sam" told them it was expected behavior under a new policy. But no such policy existed, and Sam was a bot. The AI model made the policy up, sparking a wave of complaints and cancellation threats.
Shortly afterward, several users publicly announced their subscription cancellations on Reddit, citing the non-existent policy as their reason. "I literally just cancelled my sub," wrote the original Reddit poster, adding that their workplace was now "purging it completely." Others joined in: "Yep, I'm canceling as well, this is asinine."
While Cursor's staff fixed the technical bug, the episode shows the risks of deploying AI models in customer-facing roles without proper safeguards and transparency.

 

A Scanning Error Created a Fake Science Term—Now AI Won’t Let It Die
It’s the question on the tip of everyone’s tongues: What the hell is “vegetative electron microscopy”? As it turns out, the term is nonsensical. It sounds technical—maybe even credible—but it’s complete nonsense. And yet, it’s turning up in scientific papers, AI responses, and even peer-reviewed journals. So… how did this phantom phrase become part of our collective knowledge?
The term may have been pulled from parallel columns of text in a 1959 paper on bacterial cell walls. The AI seemed to have jumped the columns, reading two unrelated lines of text as one contiguous sentence.
The farkakte text is a textbook case of what researchers call a digital fossil: An error that gets preserved in the layers of AI training data and pops up unexpectedly in future outputs. The digital fossils are “nearly impossible to remove from our knowledge repositories.”

 

Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution
The issue stems from improper handling of SSH protocol messages that essentially permit an attacker to send connection protocol messages prior to authentication. Successful exploitation of the shortcomings could result in arbitrary code execution in the context of the SSH daemon.
Further exacerbating the risk, if the daemon process is running as root, it enables the attacker to have full control of the device, in turn, paving the way for unauthorized access to and manipulation of sensitive data or denial-of-service (DoS).

 

CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
According to Check Point, the file is distributed by means of ZIP archives, causing Windows Explorer to initiate an SMB authentication request to a remote server and leak the user's NTLM hash without any user interaction simply upon downloading and extracting the archive's contents.
That said, another phishing campaign observed as recently as March 25, 2025, has been found delivering a file named "Info.doc.library-ms" without any compression.
Windows NTLM hash leak flaw exploited in phishing attacks on governments
Check Point researchers report having observed active exploitation activity for CVE-2025-24054 only a few days after patches became available, culminating between March 20 and 25, 2025.
NTLM (New Technology LAN Manager) is a Microsoft authentication protocol that uses challenge-response negotiation involving hashes instead of transmitting plaintext passwords to authenticate users. While NTLM avoids transmitting plaintext passwords, it is no longer considered secure due to vulnerabilities like replay attacks and brute-force cracking of captured hashes.
Due to this, Microsoft has begun phasing out NTLM authentication in favor of Kerberos or Negotiate.

 

What’s Weak This Week:

  • CVE-2025-24054 Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability:
    Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network. Related CWE: CWE-73

  • CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability:
    SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution. Related CWE: CWE-78

  • CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability:
    Apple iOS, iPadOS, macOS, and other Apple products contain a memory corruption vulnerability that allows for code execution when processing an audio stream in a maliciously crafted media file.

  • CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability:
    Apple iOS, iPadOS, macOS, and other Apple products contain an arbitrary read and write vulnerability that allows an attacker to bypass Pointer Authentication.

 

HACKING
Identity Attacks Now Comprise a Third of Intrusions
Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points.
Tied in joint first as the most popular initial access vector, alongside use of legitimate account credentials, was exploitation of public-facing applications. A quarter of attacks against critical infrastructure (CNI) providers use this technique, with reliance on legacy systems and slow patching cycles exposing a growing number of organizations to this threat.
Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.

 

Guess what happens when ransomware fiends find 'insurance' 'policy' in your files
Ransomware operators jack up their ransom demands by a factor of 2.8x if they detect a victim has cyber-insurance. Insured victims paid an average of €708,105 ($800,000, £600,000), compared to €133,016 ($150,000, £110,000) for their uninsured brethren.
According to the research, firms with a proper backup system were 27x less likely to pay criminals off, for the simple reason that they usually don't need to. While companies might think that they have a good backup system in place, most don't. Meurs cited research claiming that 85 percent of backups fail to work properly, and such systems are actively targeted by the criminals the moment they get into a system. He recommends offsite backups.

 

China alleges US cyber espionage during the Asian Winter Games, names 3 NSA agents
This is an escalation in China's experimentation with 'name and shame' policies for the alleged perpetrators of cyberattacks, mirroring US pursuit of a similar policy for a number of years now.
China reportedly admitted directing cyberattacks on US infrastructure
Chinese officials admitted to directing cyberattacks on US infrastructure at a December meeting between Chinese officials and the Biden administration held in Geneva, Switzerland. The Chinese delegation reportedly said their nation’s cyberattacks on US infrastructure were linked to America’s support for Taiwan.

 

OpenAI’s 4o Model Allegedly Used to Generate Fake Receipts and Prescriptions
AI-generated images demonstrate such realistic qualities that they surpass human-made standards. The user applied a filter and artificial food stains to the fake receipt, which made it appear more realistic for expense fraud purposes. But it doesn’t stop there. Through GPT-4o, Das proved its capacity to produce fake controlled substance prescriptions for Zoloft and other medications.

 

Google suspended 39.2 million malicious advertisers in 2024 thanks to AI
Google reports that it deployed more than 50 enhanced LLMs to help enforce its ad policy in 2024. The factors that trigger a suspension usually include ad network abuse, improper use of personalization data, false medical claims, trademark infringement, or a mix of violations.
Last year, it assembled a team of 100 experts to help update its misrepresentation policy. The new rules helped Google identify and block 700,000 advertiser accounts, which led to a 90 percent drop in deepfake scams in ads. Google also blocked 1.3 billion pages from showing ads in 2024, with sexual content by far the most common reason for enforcement. That was followed by dangerous or derogatory content and malware.
Google says human beings are still involved in the process, but it sells so many ads that it would be impossible for people to check everything manually.

 

Sabotaging AI music with sick beats.
Musician Benn Jordan explains how he used “adversarial noise” — a technique applied to audio files that sounds normal to humans, but like something else entirely to AI models — to poison music generators. The “Poisonify” attack “makes music not only untrainable but threatens to degrade the entire model” too, according to Jordan, much like the Nightshade tool that artists use to protect their work.
[rG: Thanks David.]

 

APPSEC, DEVSECOPS, DEV

New SSL/TLS certs to each live no longer than 47 days by 2029
CA/Browser Forum – a central body of web browser makers, security certificate issuers, and friends – has voted to cut the maximum lifespan of new SSL/TLS certs to just 47 days by March 15, 2029.
Their argument is that shorter renewal periods mean compromised or stolen certificates can be abused for days or weeks at most, rather than months, before expiring.
Today the certificates, which underpin things like encrypted HTTPS connections between browsers and websites, are good for up to 398 days before needing to be renewed.
The depreciation schedule is now as follows:

  • March 15, 2026: Newly issued certificates, including their Domain Control Validation, aka DCV, will have to be renewed every 200 days.

  • March 15, 2027: That lifespan will go down to 100 days.

  • March 15, 2029: New SSL/TLS certificates will be limited to 47 days, and 10 days for DCVs.

 

Certbot 4.0: Long Live Short-Lived Certs! 6 Day Certificates
When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate life times. Beforehand, certificate authorities normally issued certificate lifetimes lasting a year or more. With 4.0, Certbot is now supporting Let’s Encrypt’s new capability for 6 day certificates through ACME profiles and dynamic renewal.
There are a few significant reasons why shorter lifetimes are better:

  • If a certificate's private key is compromised, that compromise can't last as long.

  • Shorter life spans for certificates encourage automation, which facilitates robust security of web servers.

  • Certificate revocation is historically flaky. Lifetimes 10 days and under prevent the need to invoke the revocation process and deal with continued usage of a compromised key.

 

CISA extends funding to ensure 'no lapse in critical CVE services'
CISA says the U.S. government has extended MITRE's funding for 11 months to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
MITRE maintains CVE, a widely adopted program that provides accuracy, clarity, and shared standards when discussing security vulnerabilities, with funding from the U.S. National Cyber Security Division of the U.S. Department of Homeland Security (DHS).
The European Union Agency for Cybersecurity (ENISA) has also launched a European vulnerability database (EUVD), which "embraces a multi-stakeholder approach by collecting publicly available vulnerability information from multiple sources."

 

Prompt injections are the Achilles' heel of AI assistants. Google offers a potential fix.
Google DeepMind has unveiled CaMeL (CApabilities for MachinE Learning), a new approach to stopping prompt-injection attacks that abandons the failed strategy of having AI models police themselves. Instead, CaMeL treats language models as fundamentally untrusted components within a secure software framework, creating clear boundaries between user commands and potentially malicious content.
CaMeL's capability-based design extends beyond prompt-injection defenses. According to the paper's authors, the architecture could mitigate insider threats, such as compromised accounts attempting to email confidential files externally.
Despite the promising approach, prompt-injection attacks are not fully solved. CaMeL requires that users codify and specify security policies and maintain them over time, placing an extra burden on the user.

 

VENDORS & PLATFORMS

Chrome 136 fixes 20-year browser history privacy risk
Google is fixing a long-standing privacy issue that, for years, enabled websites to determine users' browsing history through the previously visited links. The problem arises from allowing sites to style links as ':visited,' meaning showing them as another color instead of the default blue if a user had previously clicked on them. The system displays this color change regardless of which site they were on when they clicked the link, allowing other sites to potentially use creative scripts that leak the user's browsing history.
On other major browsers the :visited styles risk remains partially unaddressed.
Safari also applies restrictions and uses aggressive privacy protections like Intelligent Tracking Prevention, somewhat mitigating the leaks, but there's no partitioning to block all attacks.
Firefox limits what styles are applied to :visited and blocks JavaScript from reading them, but there's no partitioning to isolate them from sophisticated attack vectors.
Researchers demonstrated multiple classes of attacks in the past linked to this privacy gap, including timing, pixel, user interaction, and process-level attacks.

 

Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
ActiveX is a legacy software framework enabling developers to create interactive objects embedded in Office documents. After this change rolls out, ActiveX will be blocked entirely and without notification in Word, Excel, PowerPoint, and Visio to reduce the risk of malware or unauthorized code execution.
The decision to disable it by default was likely prompted by ActiveX's well-known security issues, including zero-day vulnerabilities that were exploited by various state-backed and financially motivated threat groups to deploy malware.
Cybercriminals have also used ActiveX controls embedded in Word documents to install TrickBot malware and Cobalt Strike beacons to breach and maintain access to enterprise networks.
This move is also part of a much broader effort to remove or turn off Windows and Office features that attackers have abused to infect Microsoft customers with malware. It goes back to 2018 when Microsoft expanded support for its Antimalware Scan Interface (AMSI) to Office 365 client apps to thwart attacks using Office VBA macros. Redmond has also started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, and began blocking untrusted XLL add-ins by default across Microsoft 365 tenants. Microsoft also announced in May 2024 that it would kill off VBScript by making it an on-demand feature until it is completely removed.
[rG: File malware scanners need to be configured to detect these components embedded within trusted file types.]
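One way to apply that note to OOXML files (.docx, .xlsx, .pptx), as an added example that is not from any of the cited articles or vendors: inspect the package contents rather than the file extension. The function names and sample documents are constructed for illustration; the `activeX/` part folder, `vbaProject.bin` and the content-type strings are the standard OOXML conventions.

```python
import io
import re
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
ACTIVEX_PART = re.compile(r"(^|/)activex/", re.IGNORECASE)
VBA_PART = re.compile(r"(^|/)vbaproject\.bin$", re.IGNORECASE)
# Content types declared in [Content_Types].xml, compared in lower case.
CONTENT_TYPES = {
    b"application/vnd.ms-office.activex": "activex",
    b"application/vnd.ms-office.vbaproject": "vba",
}
MAX_CT_SIZE = 1_000_000  # refuse to inflate an oversized content-types part


def scan_office_file(data: bytes) -> dict:
    """Return {finding: [evidence, ...]} based on content, not file extension."""
    findings = {}
    if data.startswith(OLE2_MAGIC):
        # zipfile cannot read compound files; hand these to an OLE-aware parser.
        findings["ole2"] = ["legacy binary container"]
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not an OOXML package
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if ACTIVEX_PART.search(name):
                findings.setdefault("activex", []).append(name)
            elif VBA_PART.search(name):
                findings.setdefault("vba", []).append(name)
        # Part names are not fixed by the format, so also check declared types.
        ct_name = "[Content_Types].xml"
        if ct_name in names and zf.getinfo(ct_name).file_size <= MAX_CT_SIZE:
            declared = zf.read(ct_name).lower()
            for marker, kind in CONTENT_TYPES.items():
                if marker in declared:
                    findings.setdefault(kind, []).append(
                        "content-type:" + marker.decode())
    return findings


def build_sample(parts: dict) -> bytes:
    """Build a constructed in-memory package for the demonstration below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: minimal packages, not real Office documents.
CT_HEAD = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
CLEAN = build_sample({
    "[Content_Types].xml": CT_HEAD + "</Types>",
    "word/document.xml": "<w:document/>",
})
WITH_ACTIVEX = build_sample({
    "[Content_Types].xml": CT_HEAD
    + '<Override PartName="/word/activeX/activeX1.xml" '
      'ContentType="application/vnd.ms-office.activeX+xml"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/activeX/activeX1.xml": "<ax:ocx/>",
})
TYPE_ONLY = build_sample({
    "[Content_Types].xml": CT_HEAD
    + '<Default Extension="dat" '
      'ContentType="application/vnd.ms-office.activeX"/></Types>',
    "xl/media/blob1.dat": b"\x00",
})

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("activex", WITH_ACTIVEX),
                          ("type-only", TYPE_ONLY)]:
        print(label, scan_office_file(sample))
```
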

 

AI isn’t ready to replace human coders for debugging, researchers say
Those claiming we're mere months away from AI agents replacing most programmers should adjust their expectations because models aren't good enough at the debugging part, and debugging occupies most of a developer's time. That's the suggestion of Microsoft Research, which built a new tool called debug-gym to test and improve how AI models can debug software.
"We believe this is due to the scarcity of data representing sequential decision-making behavior (e.g., debugging traces) in the current LLM training corpus. However, the significant performance improvement... validates that this is a promising research direction."

 

Microsoft’s “1‑bit” AI model runs on a CPU only, while matching larger systems
Most modern AI models rely on the precision of 16- or 32-bit floating point numbers. Building on top of previous work Microsoft Research published in 2023, the new model's ternary architecture reduces overall complexity and offers "substantial advantages in computational efficiency."

 

ChatGPT spends 'tens of millions of dollars' on people saying 'please' and 'thank you', but Sam Altman says it's worth it
User @tomiinlove wrote on X, "I wonder how much money OpenAI has lost in electricity costs from people saying 'please' and 'thank you' to their models."
OpenAI CEO, Sam Altman, responded, "Tens of millions of dollars well spent - you never know."
A survey found that around 70% of people are polite to AI when interacting with it, with 12% being polite in case of a robot uprising.

 

LEGAL & REGULATORY

Regrets: Actors who sold AI avatars stuck in Black Mirror-esque dystopia
Some cash-strapped actors who didn't fully understand the consequences are regretting selling their likenesses to be used in AI videos that they consider embarrassing, damaging, or harmful. Among them is a 29-year-old New York-based actor, Adam Coy, who licensed rights to his face and voice to a company called MCM for one year for $1,000. His partner's mother later found videos where he appeared as a doomsayer predicting disasters.
For actors, selling their AI likeness seems quick and painless—and perhaps increasingly more lucrative. All they have to do is show up and make a bunch of different facial expressions in front of a green screen, then collect their checks. But Alyssa Malchiodi, a lawyer who has advocated on behalf of actors, told the AFP that "the clients I've worked with didn't fully understand what they were agreeing to at the time," blindly signing contracts with "clauses considered abusive," even sometimes granting "worldwide, unlimited, irrevocable exploitation, with no right of withdrawal."

 

Law firm 'didn't think' data theft was a breach, says ICO. Now it's nursing a £60K fine
DPP Law Ltd was attacked in June 2022. The Information Commissioner's Office (ICO) says a third-party consultancy determined that the criminal used brute-force tactics to gain entry to an infrequently used administrator's account that lacked multi-factor authentication.

 

Breaches Within Breaches: Contractual Obligations After a Security Incident
Litigation can arise from alleged breach of contract between two companies.
After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.
This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.

 

Cybersecurity Controls: What Do Regulators Expect Nowadays?
The days of regulators requiring companies to have basic security controls in place, such as antivirus software, a written information security program, annual security awareness training, and general updates to the board on the cybersecurity program, are long gone.
Some of the new prescriptive cybersecurity requirements these regulators have started to require include implementing phishing-resistant multi-factor authentication (MFA), developing and maintaining a comprehensive, up-to-date asset and software inventory (including tracking any end-of-life (EOL) products), reporting on the cybersecurity program to the board more frequently and with greater specificity, mandatory encryption of personal information, developing and maintaining a data map, and enhanced logging and monitoring measures on not just the company’s information systems but also its third-party service providers’ or vendors’ information systems.
MFA
Regulators are increasingly pushing companies to shift to phishing-resistant MFA, which typically involves the possession and inherence factors. A major shift toward phishing-resistant MFA was seen in 2022 in a memorandum by the Office of Management and Budget (OMB). In that memorandum, all government agency staff, contractors, and partners were required to implement phishing-resistant MFA.
Users can be tricked into providing One Time Passwords (OTP) because actual possession of the key by the unauthorized party is not required as part of the authentication process. In contrast, a hardware security key under the phishing-resistant MFA model relies on cryptographic authentication (such as FIDO2) that cannot be phished or intercepted and requires actual possession of the hardware device.
Security Awareness Training
Regulators are shifting away from requiring standard security awareness training to requiring a multifaceted training model that includes exercises that go into greater depth, as well as tailored trainings based on the employee’s role.
An assurance of discontinuance (AOD) required a company to provide specific training to “personnel within [the insurance company]’s corporate family who develop software used by or on behalf of [the insurance company]” that covers “Private Information, how such information can be used for fraud, and [the insurance company]’s procedures, guidelines, and standards for protecting such information.”
Asset Inventory and End-of-Life Management
For example, HHS has proposed a new rule requiring covered entities to “maintain an accurate and thorough written inventory … of the … electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of electronic protected health information.” The proposed rule extends the inventory requirement of covered entities to include assets used by business associates to “create, receive, maintain or transmit [electronic protected health information].” Thus, a business associate’s assets must be included in the network map and/or inventory of the covered entity.
Logging and Monitoring
An AOD required a company to log and monitor “all security and operational activity related to [the company’s] networks, systems, and assets” and maintain a system that provides for centralized logging with aggregation of logs.

 

And Now For Something Completely Different …

rG Power Agile & Personal Productivity Tip (Ivy Lee Method):
At the end of each day, create a prioritized list of 6 tasks to complete the next day.
These tasks can include meetings that are mandatory or related to your primary objectives.
Use your calendar to block times for each task, and do not allow “pop-up” distractions during those periods of time so as not to lose focus.
For large tasks that can’t be completed within a focused session, break them into sub-tasks.
Allocate time for dealing with inbox/IM messages, but don’t allow loss of planned focus unless something is truly urgent. If more than a quick response is required, add a task item to your backlog for end-of-day prioritization.