Here is our latest roundup of news about digital security in our connected world. Click here  to see the whole series.

DigiCert news

• DigiCert has partnered with Oracle to bring our DigiCert^® ONE platform to Oracle Cloud Infrastructure (OCI). This collaboration aims to provide DigiCert customers with a seamless integration of our digital trust initiatives within OCI's secure and high-performance architecture, enabling fast and scalable deployments in single or multi-cloud environments. By leveraging OCI's robust security features and DigiCert ONE's unified architecture, joint customers can effectively safeguard their data, protect against disruptions and drive digital innovation with ease.

VMC

• Google has introduced a new feature in Gmail that supports the Brand Indicators for Message Identification (BIMI) email specification, a development welcomed by DigiCert. Google has added a checkmark next to the sender's logo, signifying that the organization has authenticated its email servers and proven logo ownership through a Verified Mark Certificate (VMC). By adopting BIMI and obtaining a VMC, organizations can establish their brand's credibility, improve email marketing campaigns and mitigate the risks of phishing and malware attacks.

Artificial Intelligence (AI)

• Cybersecurity experts predict that AI-automated malware campaigns will soon become a reality, posing new challenges for defenders. Experts anticipate complete automation of malware campaigns within a few months, with threat actors leveraging widely available AI source code to enhance their techniques.
• The European Commission is urging tech giants like Google, Facebook and TikTok to start labeling content generated by AI to combat the spread of disinformation online. Platforms will be required under the Digital Services Act to identify deep fakes with prominent markings starting as soon as this summer, while the European Parliament is working on the Artificial Intelligence Act to extend similar rules to all companies generating AI content. The commission also called on companies to build safeguards to prevent the malicious use of generative AI.
• Climate Cardinals, a network of young volunteers translating climate information into multiple languages, is being bolstered by new AI tools. The initiative addresses the language barrier in scientific knowledge transfer and seeks to provide resources to those most affected by the climate crisis. Through a partnership with Google Cloud's AI-powered Translation Hub platform, Climate Cardinals has translated 800,000 words into more than 40 languages. The use of AI has significantly increased the pace of translation, with the organization achieving the same output in three months as it did in the previous two years.
• Check out what DigiCert CEO, Dr. Amit Sinha, predicts for generative AI in cybersecurity — both the good and the bad — here.

Quantum

• China Telecom has invested ¥3 billion ($434 million) to establish a new entity called China Telecom Quantum Information Technology Group. The unit aims to advance quantum technology, accelerate the development of quantum products and drive the growth of the industry in China. Quantum computing has the potential to outperform conventional supercomputers, enabling not only rapid problem-solving in various sectors such as drug design, material development, transportation, energy and finance, but also break the encryption algorithms currently in place.

Standards & regulation

• A new law in North Dakota mandates that starting from the 2025–26 academic year, students must complete a computer science or cybersecurity class to graduate from high school. The law aims to make the state's workforce more competitive in the technology sector and attract new companies. The law also extends to grades K–3, focusing on basic computer functions and internet safety. Similar legislation has been implemented in other states like Hawaii, Nebraska and Mississippi.
• Meta, the owner of Facebook, has been fined €1.2 billion by the Irish Data Protection Commissioner for unlawful data transfers to the United States. This marks the largest fine related to GDPR to date and brings the total fines levied on Meta to €2.5 billion in the last two years. The commissioner also instructed Meta to suspend personal data transfers from the European Union to the United States and to cease storing the personal data of E.U. Facebook users in the United States. The fine only applies to Facebook personal data and not to Instagram or WhatsApp.

Vulnerabilities

• Proofpoint's 2023 Voice of the CISO report reveals that nearly two-thirds of chief information security officers (CISOs) have dealt with the loss of sensitive data in the past year. The report highlights that 82% of CISOs believe employee departures from organizations have contributed to data loss incidents, with staff turnover exacerbating the challenge. The findings also indicate a shift back to elevated concerns among CISOs, with 68% feeling at risk of a material cyberattack and 61% considering their organizations unprepared to handle targeted attacks. Despite these concerns, 60% of CISOs believe they have adequate data protection measures in place.
• Companies that abandon Salesforce without deactivating their sites are leaving behind sensitive corporate, vendor and user data, according to researchers from Varonis. These forgotten sites, called "ghost sites," exist within Salesforce Communities and can contain valuable information that becomes exposed when administrators neglect to properly deactivate them. The problem arises when companies move to other providers but fail to remove the custom domain or deactivate the site in Salesforce.

Data breaches

• Private code signing keys for MSI products, including firmware and Intel Boot Guard, have been leaked by the ransomware group Money Message. The leak poses a significant security risk as the private keys can be used to sign malware disguised as legitimate MSI-related software. It remains unclear if MSI and Intel have the means to revoke the leaked keys, and the incident highlights the need for caution when installing firmware and BIOS updates from trusted sources.
• Toyota Motor Corp. has disclosed a data breach involving two misconfigured cloud services that exposed the personal information of 260,000 car owners over a period of seven years. The exposed information includes names, phone numbers, email addresses and vehicle registration numbers. Toyota emphasizes that no financial or vehicle location data was compromised. The company has implemented monitoring systems to prevent similar incidents in the future.
• Surrey and Borders Partnership NHS Foundation Trust has apologized after it was revealed that patient data was shared with Facebook through the Meta Pixel tool. The tool, installed on the trust's website, collected browsing information for years and shared it with Facebook without the trust's knowledge. The trust has taken immediate action to remove the tool. Several other NHS trusts across the country were found to have installed the same tracking tool, leading to concerns about the privacy and security of patient data.
• A zero-day vulnerability, CVE-2023-2868, affecting Barracuda Networks email security appliances has been exploited by threat actors since at least October 2022, enabling the deployment of malware and data theft. The vulnerability, a remote command injection issue, impacts Email Security Gateway (ESG) appliances running specific versions. Barracuda has released patches to address the issue and advised customers to update their devices and discontinue using compromised appliances.
• A data leak on the dark web has exposed the personal details of approximately 478,000 members of the cybercrime forum RaidForums. The leaked database, posted on the emerging forum Exposed, contains usernames, email addresses and hashed passwords of the RaidForums users. The source of the leak remains unknown. RaidForums, once one of the largest hacking forums, was seized in 2022 and was notorious for trading and publishing compromised data, including high-profile breaches.

Malware

• A newly discovered bug in macOS, called Migraine (CVE-2023-32369), allows hackers with root privileges to bypass Apple's security protections and install "undeletable" malware on vulnerable Macs. The flaw enables attackers to bypass macOS' System Integrity Protection (SIP), which normally prevents unauthorized modifications to certain system files and folders. Apple has already patched the vulnerability with recent security updates, but users who haven't updated their Macs remain at risk. The bug was discovered by Microsoft's security researchers.