Feb 28 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s on the frontlines of the cyberwar ⚔️ Freedom!!! ❤️
Today’s hottest cybersecurity news stories:
Russia’s Cozy Bear gang has its sights set on cloud environments ☁️
AI exposed to supply chain attacks thanks to Hugging Face vulnerability
NIST releases Cybersecurity Framework 2.0, first update in a decade
Russia’s Cozy Bear, notorious for the SolarWinds attack, has evolved its tactics, now infiltrating cloud environments and expanding its target scope.
Formerly confined to governmental and energy sectors, the group now aims at aviation, education, law enforcement, and more, per findings from the Five Eyes governments.
International cooperation among agencies like the NCSC, NSA, CISA, and others underscores the seriousness of the threat.
Cozy Bear’s new strategies include brute-forcing, password spraying, and leveraging residential proxies to bypass security measures and gain access.
Once inside, they use tokens and MFA fatigue attacks, heightening the need for robust defences against their initial access vectors.
Microsoft’s recent disclosure provides insight into Cozy Bear’s sophisticated methods, emphasising the urgent need for enhanced cybersecurity measures.
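Two of the initial-access techniques named above, password spraying and MFA fatigue, leave recognisable shapes in authentication telemetry. The script below is an added example (not code from the newsletter, Microsoft or the Five Eyes advisory) showing the detection logic a defender can run over sign-in logs: one source IP failing against many distinct accounts inside a short window, and one user receiving a burst of MFA push prompts. The log format, field names, event names and thresholds are all assumptions, and the log lines are constructed.

```python
"""Added example: spot password spraying and MFA-push fatigue in auth logs.

Assumed (constructed) line format: <ISO8601 timestamp> <EVENT> <user> <source ip>
Event names LOGIN_FAIL / LOGIN_OK / MFA_PUSH_SENT / MFA_PUSH_APPROVED / MFA_PUSH_DENIED
are assumptions, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one spraying source, one ordinary typo,
# one user being flooded with push prompts, one normal MFA login.
SAMPLE_LOG = """\
2024-02-27T10:00:01Z LOGIN_FAIL alice 203.0.113.10
2024-02-27T10:00:04Z LOGIN_FAIL bob 203.0.113.10
2024-02-27T10:00:07Z LOGIN_FAIL carol 203.0.113.10
2024-02-27T10:00:10Z LOGIN_FAIL dave 203.0.113.10
2024-02-27T10:00:13Z LOGIN_FAIL erin 203.0.113.10
2024-02-27T10:00:16Z LOGIN_FAIL frank 203.0.113.10
2024-02-27T10:01:00Z LOGIN_FAIL alice 198.51.100.5
2024-02-27T10:01:30Z LOGIN_FAIL alice 198.51.100.5
2024-02-27T10:02:00Z LOGIN_OK alice 198.51.100.5
2024-02-27T11:00:00Z MFA_PUSH_SENT grace 192.0.2.44
2024-02-27T11:00:25Z MFA_PUSH_SENT grace 192.0.2.44
2024-02-27T11:00:50Z MFA_PUSH_SENT grace 192.0.2.44
2024-02-27T11:01:15Z MFA_PUSH_SENT grace 192.0.2.44
2024-02-27T11:01:40Z MFA_PUSH_SENT grace 192.0.2.44
2024-02-27T11:02:05Z MFA_PUSH_SENT grace 192.0.2.44
2024-02-27T11:02:30Z MFA_PUSH_APPROVED grace 192.0.2.44
2024-02-27T11:30:00Z MFA_PUSH_SENT heidi 198.51.100.77
2024-02-27T11:30:10Z MFA_PUSH_APPROVED heidi 198.51.100.77
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user, "ip": ip,
        })
    return events


def peak_in_window(evs, window, distinct_key=None):
    """Sliding window over time-sorted events; returns the largest number of
    events (or of distinct distinct_key values) seen inside any one window."""
    evs = sorted(evs, key=lambda e: e["ts"])
    best, start = 0, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        chunk = evs[start:end + 1]
        count = len({distinct_key(e) for e in chunk}) if distinct_key else len(chunk)
        best = max(best, count)
    return best


def detect_password_spraying(events, window=timedelta(minutes=5), min_users=5):
    """Spraying: a single source fails against many *different* accounts.
    A lone user mistyping a password twice (one account) is not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        users = peak_in_window(evs, window, distinct_key=lambda e: e["user"])
        if users >= min_users:
            alerts[ip] = users
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Fatigue: one user gets a burst of push prompts in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "MFA_PUSH_SENT":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        prompts = peak_in_window(evs, window)
        if prompts >= min_prompts:
            alerts[user] = prompts
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spraying sources:", detect_password_spraying(evs))
    print("mfa fatigue targets:", detect_mfa_fatigue(evs))
```

The thresholds are deliberately conservative placeholders; in practice they are tuned per tenant, and the residential-proxy point in the story is exactly why keying spraying on a single IP is not enough on its own: the same logic is worth running keyed on user-agent or ASN as well.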
Cybersecurity researchers have uncovered a critical vulnerability within the Hugging Face Safetensors conversion service, shedding light on a potential gateway for nefarious supply chain attacks.
This alarming discovery, detailed in a report by HiddenLayer, exposes a flaw that could allow threat actors to compromise models submitted by users, opening the door to a range of malicious activities within the Hugging Face platform.
The vulnerability revolves around the conversion service’s susceptibility to manipulation, enabling attackers to hijack the service and tamper with pull requests. By exploiting this weakness, adversaries could inject malicious code into models during the conversion process, laying the groundwork for covert infiltration and manipulation.
Furthermore, the vulnerability extends beyond public repositories, posing a significant risk to private repositories as well. Attackers could potentially pilfer user tokens, gain unauthorised access to internal models and datasets, and even introduce malicious elements, thereby compromising the integrity of the entire ecosystem.
The implications of such an exploit are far-reaching, with the potential to undermine trust and security within the machine learning community. As organisations increasingly rely on platforms like Hugging Face for collaborative model development and deployment, vulnerabilities of this nature underscore the critical importance of robust security measures.
In light of these findings, it’s imperative for Hugging Face and other similar platforms to swiftly address and mitigate this vulnerability to safeguard against potential exploitation. By implementing rigorous security protocols and proactive monitoring, the integrity of machine learning ecosystems can be preserved, ensuring that users can collaborate and innovate with confidence.
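On the consumer side, the practical mitigation for a tampered conversion pull request is to treat a downloaded model file as untrusted input: pin the artifact to a digest you recorded when you reviewed it, and validate the file's structure before handing it to a loader. The script below is an added example (not code from HiddenLayer, Hugging Face or the safetensors project) that does both for the safetensors layout the story concerns: an 8-byte little-endian header length, a JSON header describing each tensor, then raw tensor bytes. It builds a small constructed model in memory, verifies a pinned SHA-256, and checks every header entry (known dtype, sane shape, byte range inside the file, no overlapping ranges, no unexpected keys). The dtype size table and the header-size ceiling are assumptions of this example.

```python
"""Added example: pin and structurally validate a safetensors file before loading.

The safetensors layout used here: <u64 LE header length><JSON header><tensor data>.
DTYPE_SIZES and MAX_HEADER_BYTES are this example's assumptions.
"""
import hashlib
import json
import struct

DTYPE_SIZES = {"F16": 2, "BF16": 2, "F32": 4, "F64": 8, "I8": 1, "U8": 1,
               "I16": 2, "I32": 4, "I64": 8, "BOOL": 1}
MAX_HEADER_BYTES = 100 * 1024 * 1024  # refuse absurd header lengths up front


def pack(header, data):
    """Low-level serialiser: header dict + raw tensor bytes -> safetensors blob."""
    hjson = json.dumps(header).encode()
    return struct.pack("<Q", len(hjson)) + hjson + data


def build_safetensors(tensors, metadata=None):
    """Serialise {name: (dtype, shape, raw_bytes)} into the safetensors layout."""
    header, data, offset = {}, bytearray(), 0
    if metadata is not None:
        header["__metadata__"] = metadata
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [offset, offset + len(raw)]}
        data += raw
        offset += len(raw)
    return pack(header, bytes(data))


def inspect_safetensors(blob, expected_sha256=None):
    """Validate the file; return {tensor name: shape}. Raises ValueError on
    any deviation from the expected structure or from the pinned digest."""
    if expected_sha256 is not None:
        if hashlib.sha256(blob).hexdigest() != expected_sha256:
            raise ValueError("digest mismatch: file differs from the pinned artifact")
    if len(blob) < 8:
        raise ValueError("truncated file")
    (hlen,) = struct.unpack("<Q", blob[:8])
    if hlen > MAX_HEADER_BYTES or 8 + hlen > len(blob):
        raise ValueError("header length out of range")
    header = json.loads(blob[8:8 + hlen])
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    data_len = len(blob) - 8 - hlen
    shapes, spans = {}, []
    for name, entry in header.items():
        if name == "__metadata__":
            # metadata must be a flat string-to-string map, nothing executable
            if not (isinstance(entry, dict) and
                    all(isinstance(k, str) and isinstance(v, str) for k, v in entry.items())):
                raise ValueError("malformed __metadata__")
            continue
        if not isinstance(entry, dict) or set(entry) != {"dtype", "shape", "data_offsets"}:
            raise ValueError(f"unexpected keys in tensor entry {name!r}")
        size = DTYPE_SIZES.get(entry["dtype"])
        if size is None:
            raise ValueError(f"unknown dtype in {name!r}")
        shape = entry["shape"]
        if not (isinstance(shape, list) and
                all(isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape)):
            raise ValueError(f"bad shape in {name!r}")
        start, end = entry["data_offsets"]
        if not (0 <= start <= end <= data_len):
            raise ValueError(f"data_offsets of {name!r} fall outside the file")
        n = 1
        for d in shape:
            n *= d
        if end - start != n * size:
            raise ValueError(f"byte range of {name!r} does not match dtype*shape")
        spans.append((start, end))
        shapes[name] = tuple(shape)
    spans.sort()
    for (_, e1), (s2, _) in zip(spans, spans[1:]):
        if s2 < e1:
            raise ValueError("overlapping tensor data ranges")
    return shapes


def is_rejected(blob, expected_sha256=None):
    """True if inspect_safetensors refuses the blob (used for checks below)."""
    try:
        inspect_safetensors(blob, expected_sha256)
        return False
    except ValueError:
        return True


# Constructed sample: a 2x2 float32 tensor of zeros, plus a tampered variant whose
# header points past the end of the data (the kind of edit a hijacked conversion
# could slip into a pull request).
SAMPLE_MODEL = build_safetensors({"w": ("F32", (2, 2), bytes(16))}, {"format": "pt"})
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_MODEL).hexdigest()  # "pinned" at review time
TAMPERED_MODEL = pack({"w": {"dtype": "F32", "shape": [2, 2], "data_offsets": [0, 64]}},
                      bytes(16))

if __name__ == "__main__":
    print("sample ok:", inspect_safetensors(SAMPLE_MODEL, SAMPLE_SHA256))
    print("tampered rejected:", is_rejected(TAMPERED_MODEL))
```

The digest check is the part that actually closes the supply-chain gap: a structurally valid file produced by someone who hijacked the conversion step will pass every format check, so record the hash (or the exact commit revision) of the model you reviewed and refuse anything else.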
The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya. Let us tell you who’s not fooling around though; that’s the Crüe at Motley Fool. You’d be a fool (alright, enough already!) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets. (LINK)
Wander: Find your happy place. Cue Happy Gilmore flashback ⛳ Mmmm Happy Place… So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway. (LINK)
Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾ (Great movie, to be fair). This is the Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho. And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! (LINK)
The National Institute of Standards and Technology (NIST) made waves on Monday with the official release of Cybersecurity Framework (CSF) version 2.0, marking a significant milestone in the realm of digital security.
Originally tailored for critical infrastructure organisations, the CSF has garnered widespread acclaim and adoption over the past decade. However, with the unveiling of CSF 2.0, NIST aims to broaden its reach, emphasising its applicability to organisations of all sizes and sectors, regardless of their level of security expertise.
A key enhancement in this latest iteration is the introduction of the Govern function, addressing critical aspects such as risk management. According to Robert Booker, Chief Strategy Officer at HITRUST, this addition fills a crucial gap in the framework, further bolstering its efficacy in safeguarding against cyber threats.
Building upon user feedback, NIST has expanded the core guidance of the CSF 2.0, empowering organisations with additional resources to maximise its utility. Implementation examples and quick-start guides tailored to specific needs facilitate seamless integration, while a comprehensive catalogue of references streamlines guidance mapping to over 50 other cybersecurity documents.
Moreover, CSF 2.0’s global impact is underscored by its availability in over a dozen languages, reflecting the collaborative efforts of volunteers worldwide. As NIST Director Laurie E. Locascio asserts, CSF 2.0 represents not just a document, but a versatile suite of resources adaptable to evolving cybersecurity landscapes.
This ongoing evolution underscores the dynamic nature of cybersecurity, as organisations strive to stay ahead of emerging threats and fortify their defences. Stay safe, folks!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it’s good to stay ahead of the curve.
Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree with his stick and banana approach.
Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, TechCrunch etc).
Let us know what you think!
So long and thanks for reading all the phish!