HopeNet (HopeNetCISO.com) curates a list of recent security news relevant to churches, nonprofits, and charities. The headlines and comments are meant to provide enough to get an overview of recent happenings, but links are also provided for readers who want to explore certain topics more deeply.
General
- Unpatchable Apple Chip Vulnerability – Apple M1, M2, and M3 chips are impacted. While there is a patch for the M3 chip, the M1 and M2 chips are UNPATCHABLE at this time. While this is a complex hack to pull off, it is not impossible for more sophisticated attackers. Suggestions:
  - This does require that you download malware from the Apple store, so care in what you download is warranted.
  - Any high-value secrets, such as crypto wallet credentials, should be removed from these devices.
  - Use strong MFA on these accounts. (Strong MFA does NOT use SMS, but rather a physical token, an authenticator application, a Yubikey, biometrics, etc.)
- Dramatic increase in cyber threat indicators in 2024 compared with 2023.
Business Disruption
- Child protection among critical services affected by cyberattack on English council
- Outages at major UK tech trade union linked to cyberattack – Rumors are that backups were also impacted. Destroying backups is a common attacker technique, since it eliminates the possibility of restoration. Backups must be stored separately and be heavily protected.
- Immutable data storage is an insurance policy against ransomware – Timely article. I am a big fan of immutable storage.
- US Offering $10 Million Reward for Information on Change Healthcare Hackers
Vulnerabilities
- Patch Now: Critical Fortinet RCE Bug Under Active Attack and https://nvd.nist.gov/vuln/detail/CVE-2023-48788 – Fortinet EMS vulnerability; a patch is available.
- Apple iOS V allows code execution – Patch available. Code execution allows someone to break into your device and run their own program on it. Nothing good can come from that.
- Chrome update patches Zero Day Vulnerabilities
- Mozilla Patches Firefox Zero-Days
- Google’s Gemini AI Vulnerable to Content Manipulation – ChatGPT, Gemini, Copilot, and other AI tools are great, but they are also vulnerable to a wide range of attacks. Results should be scrutinized, and you should assume any data that you enter will be shared.
Software and Plugins
- Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others (thehackernews.com) – While open source (free) software libraries can be useful, they can also be malicious. In this case, the associated malware steals data from browsers, crypto wallets, files, and Discord.
- VPN Apps on Google Play Turn Android Devices Into Proxies – Traditionally, the Google Play store has been far less secure than the Apple store. This is another story about compromised software libraries.
- Shopify Plugins Leak Data – and one more related story about a vulnerable plugin.
Social Engineering
- Scammers use AI to power Obituary scams – I am not sure why I am surprised when people find new ways to disappoint me…
Data Loss
- Finland confirms Chinese Ministry of State Security behind 2021 parliament breach – It is a well-known fact that the Chinese government sponsors cyber crime for a variety of reasons, from economic (stealing trade secrets) to espionage (hacking governments).
- AT&T says leaked data of 70 million people is not from its systems – It really doesn’t matter whether it came from AT&T or it was a breach of an AT&T vendor. Either way, AT&T is ultimately accountable.
If this was shared with you and you would like to receive your own copy in the future, please subscribe at HopeNetCISO.com. Thanks for reading!