Newsletter

open source and cybersecurity news

October 3, 2023

In this Episode:

Marcel Brown: October 3rd, 1950. AT&T Bell Laboratories researchers John Bardeen, Walter Brattain, and William Shockley receive a U.S. patent for their invention of the transistor, which they had successfully demonstrated two years earlier.

Edwin Kwan: Bing Chat was first introduced in February this year. However, incorporating ads into the platform has opened the doors to threat actors who have been purchasing advertisements to distribute malware.

Ian Garrett: Under the new SEC regulations, publicly traded companies will be required to disclose cybersecurity incidents within four days, including details about the incident’s nature, scope, timing, and its impact.

Katy Craig: Malicious ads within Microsoft Bing’s AI chatbot are spreading malware. Threat actors insert ads in various ways, like when a user hovers over a link, triggering an ad before displaying the organic result.

Today is Tuesday, October 3rd, 2023. From Sourced Network Productions in New York City, it’s 5:05. I’m Mark Miller. To start today’s updates, Edwin Kwan and Katy Craig talk about a flaw in the Microsoft Bing Chatbot platform that allows adversaries to place malware inside of advertisements.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Microsoft’s AI Chat Serving Up Malware

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Microsoft’s Bing Chat AI search assistant has been discovered to be serving up malicious ads to users.

This is Edwin Kwan from Sydney, Australia.

Bing Chat was first introduced in February this year and began serving ads a month later to help cover costs. However, incorporating ads into the platform has opened the door to threat actors, who have been purchasing advertisements to distribute malware. The ads are usually displayed before the organic search results, which increases the likelihood of the victim clicking on them. One of the malicious ads is a typo-squat of Advanced IP Scanner and attempts to get the user to download and run a malicious installer.

That malicious ad was served via the Microsoft advertising platform from a legitimate but compromised ad account. Microsoft have said that their content policies prohibit advertising content that is deceptive, and that ad has since been removed. They are also continuing to monitor their ad network and will take action as needed to help keep customers protected. This incident has highlighted the need for users to be wary of chatbot results and to always double-check URLs before downloading anything.

Resources
https://thehackernews.com/2023/09/microsofts-ai-powered-bing-chat-ads-may.html
https://www.theregister.com/2023/09/29/microsoft_bing_chat_malware/
https://www.bleepingcomputer.com/news/security/bing-chat-responses-infiltrated-by-ads-pushing-malware/


Katy Craig
Adware in Microsoft’s Bing Chat

Katy Craig, Contributing Journalist, It's 5:05 Podcast

Malicious ads within Microsoft Bing’s AI chatbot are spreading malware, posing a significant threat to users.

This is Katy Craig in San Diego, California.

Malwarebytes recently uncovered a troubling trend where malicious actors exploit Bing Chat, an AI-powered search experience, to distribute malware. Introduced by Microsoft in February 2023, Bing Chat integrated ads into conversations, inadvertently creating opportunities for malvertising.

Threat actors insert ads in various ways, such as when a user hovers over a link, triggering an ad before displaying the organic result. Malwarebytes demonstrated how a search for legitimate software led to a deceptive link, which, when clicked, redirected users to a fake page hosting malware.

This revelation comes in the wake of a broader cybersecurity trend, with threat actors targeting various industries, including the hospitality sector. Attacks involve malware distribution and phishing scams that leverage urgency and well-crafted lures to compromise personal and financial data.

Security experts advise users to exercise caution when clicking links, especially in unsolicited messages, and to scrutinize URLs for signs of deception. As threat actors continuously evolve their tactics, staying vigilant is more crucial than ever.

This is Katy Craig. Stay safe out there.

Resources
https://thehackernews.com/2023/09/microsofts-ai-powered-bing-chat-ads-may.html
https://www.malwarebytes.com/blog/threat-intelligence/2023/09/malicious-ad-served-inside-bing-ai-chatbot


Ian Garrett
New SEC Regulation Already Making Waves in Public Companies

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

The U.S. Securities and Exchange Commission, known as the SEC, has released some new cybersecurity regulations that are starting to affect companies even before they take effect. The recent case of Clorox highlights the growing need for collaboration between Chief Information Security Officers, or CISOs, and the C-suite.

Hey folks, this is Ian Garrett in Arlington, VA.

On August 14, 2023, Clorox filed an 8-K form with the SEC, disclosing a cybersecurity incident that disrupted its operations. A month later, they filed another 8-K, detailing the ongoing impact on their IT infrastructure and quarterly financials due to unauthorized activity. These incidents are among the first to be reported after the SEC introduced new cybersecurity reporting rules in late July. These rules are set to become effective on December 18, 2023.

Under the new SEC regulations, publicly traded companies will be required to disclose cybersecurity incidents within four days, including details about the incident’s nature, scope, timing, and its impact. They will also need to describe their processes for identifying and managing cybersecurity risks, as well as the effects of such risks and previous incidents. Finally, they must explain the board of directors’ oversight of cybersecurity risks and management’s role in addressing them.

Even though these regulations have not yet taken effect, Clorox’s actions reflect a growing sense of urgency among SEC-regulated companies to promptly report cybersecurity incidents. One noteworthy aspect is that Clorox’s filings didn’t specify the financial impact of the incident, leaving room for interpretation. This ambiguity adds to the pressure as companies grapple with how to determine the materiality of incidents.

As companies prepare to comply with the new SEC rules, there’s an increased need for closer collaboration between CISOs and top-level management. Currently, there’s often a disconnect between boards, CFOs, and their cybersecurity teams. To address this, CFOs and cybersecurity teams are recognizing the importance of collaborative exercises to help determine the financial implications of cybersecurity incidents.

Transparency is a crucial aspect of complying with the new regulations. The SEC expects companies to be forthright about their cybersecurity risk management processes, even if those processes are not perfect. This transparency extends to reporting details about incidents, describing risks, and outlining board oversight.

Resources
– CSO Online: https://www.csoonline.com/article/653983/companies-are-already-feeling-the-pressure-from-upcoming-us-sec-cyber-rules.html


Marcel Brown
This Day, October 3, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown with some technology history for October 3rd.

October 3rd, 1950. AT&T Bell Laboratories researchers John Bardeen, Walter Brattain, and William Shockley receive a U.S. patent for their invention of the transistor, which they had successfully demonstrated two years earlier.

The transistor completely revolutionized the development of electronic and computerized technology.

October 3rd, 1985. The Space Shuttle Atlantis is launched on its maiden flight. STS-51-J was a secret mission for the Department of Defense, and all five astronauts on the flight were active-duty military officers.

Space Shuttle Atlantis was the fourth shuttle created and flew the second-most missions, 33, second only to Discovery. Atlantis also flew the very last space shuttle mission, STS-135, in July of 2011.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
https://thisdayintechhistory.com/10/03


Production Team

It’s 5:05 is a Sourced Network Production. The team includes:

  • Hillary Coover – Host
  • Val Cole – Sound Engineer
  • Katy Craig, Edwin Kwan, Hillary Coover, Ian Garrett, Kadi McKean, Trac Bannon, Julie Chatman, Olimpiu Pop and Marcel Brown – Contributing Journalists
  • Pokie Huang – Producer
  • Mark Miller – Executive Producer
