Abandoned AWS S3 Buckets Threaten Supply Chain; First Deadline for EU AI Act Enforcement; Azure AI Face Service Had Critical Flaw

Watchtowr labs has published analysis of their discovery of "~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned." The researchers purchased the empty buckets for a total of $420.85 and received "more than 8 million HTTP requests over a 2 month period," including but not limited to requests for: software updates, "pre-compiled (unsigned!) Windows, Linux and macOS binaries," virtual machine images, JavaScript files, CloudFormation templates, and SSLVPN server configurations. The requests arrived from around the globe, including from government networks and agencies, military networks, Fortune 100 and 500 companies, major payment card networks and financial institutions, universities, casinos, and companies in the cybersecurity, software, and industrial product sectors, among others. The researchers emphasize the malicious potential of this position, positing that it "could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far," including SolarWinds. AWS has since worked with Watchtowr to sinkhole all the S3 buckets involved in the research, but "Amazon did not say why it doesn't ban the reuse of S3 bucket names, which is what watchTowr says would be the easiest way to fix the issue."

Read more in

The EU Artificial Intelligence Act, entered into force on August 1, 2024, has reached the first of several deadlines for different elements of compliance. The Act defines a hierarchy of AI use cases, categorizing them by their potential for risk to human "health, safety, [and] fundamental rights ... including democracy, the rule of law and environmental protection," promoting transparency and endeavoring to "harmonise" regulation with innovation. This first six-month period enforces Chapter II, Article 5, prohibiting AI usage deemed to carry unacceptable risk. Unacceptable use cases include: creating "social scoring" profiles based on a person's behavior; manipulating decisions subliminally or deceptively; exploiting users' personal and circumstantial vulnerabilities; predicting crime based on appearance; inferring human characteristics based on biometrics; publicly collecting "real time" biometric data for law enforcement; inferring emotions from observation in schools and workplaces; and scraping images from cameras and online to create or add to facial recognition databases. Companies deploying prohibited AI in the EU may be fined the greater sum of Û35 million or up to 7% of the prior fiscal year's revenue, regardless of where the company is headquartered.

Read more in

Microsoft has published a security update disclosing a CVSS 9.9 flaw in Azure AI Face service, now "fully mitigated" and requiring no action from users. The service's purpose is human facial recognition, and Microsoft's example use cases include verifying identity against an existing image; detecting "liveness," i.e., preventing spoofing by checking for a human user; aiding check-in processes with identity verification; and redacting faces in captured media to protect privacy. The vulnerability is described as an "Authentication bypass by spoofing in Azure AI Face Service [that] allows an authorized attacker to elevate privileges over a network," and Microsoft does not believe it has been exploited.

Read more in

Ransomware payments declined in 2024, according to data gathered by Chainalysis. In a section of their crime report focused on ransomware, Chainalysis found that ransomware payments totaled $814 million in 2024, a drop of 35 percent compared to the $1.25 billion recorded in 2023. The drop is even more precipitous when viewed in 6-month increments. Chainalysis attributes the decline in ransomware payments to an increase in international cooperation and law enforcement takedowns and disruptions of ransomware operations, as well as increasing number of ransomware victims refusing to pay.

Read more in

Investigation by The 74, a US educational news nonprofit, aims to reveal the legal and financial machinery behind late, absent, or misleading notices of data breaches in the education sector. When schools hire experts in the wake of cyberattacks, they often involve a growing industry of privacy attorneys, dubbed "breach coaches," who encourage tightly-controlled language and a restricted flow of information under attorney-client privilege in the name of exhaustive investigation and limiting schools' liability. The article offers cases in which legal intermediaries and limitations have prevented victims of school data theft from receiving accurate and timely information and support; have restricted or delayed the possible involvement of law enforcement; and have misled victims who later experienced identity fraud or extortion as a result of a breach. The comparative stakes of potential legal action from breach victims versus schools' liability for prompt, open, and/or legally compliant disclosure is a matter of contention between privacy attorneys and their critics, who claim the lawyers "overstate schools' actual exposure" and actually undermine security. Insurers, often associated with the privacy lawyers and hired vendors, may also be incentivizing ransomware attacks with coverage "all but guarantee[ing]" payment. Legal accountability under US state and federal law for ensuring student privacy and accurate breach reporting is inconsistent and seldom enforced.

Read more in

On February 3, 2025, Grubhub disclosed a data breach that occurred via unauthorized access to an account belonging to a support services "third-party contractor," whose connection to Grubhub systems has now been removed. "Campus diners, as well as diners, merchants and drivers who interacted with [Grubhub's] customer care service" may have had data accessed, including name, email, phone number, and payment card type and the last four digits of the card number. Data not accessed include customer and merchant credentials, full card numbers or bank details, and Social Security or driver's license numbers. "Hashed passwords for certain legacy systems" were also accessed, prompting Grubhub to "proactively rotate" passwords. The company has also implemented improved monitoring and hired a cybersecurity firm to investigate.

Read more in

Veeam has published an advisory urging that users patch to fix a critical vulnerability in the Veeam Updater component, which would "[allow] an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions." The only product whose current release is affected is Veeam Backup for Salesforce, version 3.1 and older. Older versions of other products are also affected, and have been fixed as of Veeam Backup for Nutanix AHV, version 6 and higher; for AWS, version 8; for Microsoft Azure, version 7; for Google Cloud, version 6, and for Oracle Linux Virtualization Manager and Red Hat virtualization, versions 5 and higher.

Read more in

Netgear has released firmware updates to address two critical vulnerabilities affecting several models of their WiFi routers and access points. The flaws affect Netgear Nighthawk Pro Gaming router models XR1000, XR1000v2, and XR500, and WiFi 6 access points models WAX206, WAX214v2, and WAX220. The vulnerabilities can reportedly be exploited to achieve remote code execution and authentication bypass without user interaction.

Read more in

Police in Spain have arrested an 18-year-old individual in connection with dozens of cyberattacks that targeted both public and private entities, including Spanish universities, government and law enforcement agencies, as well as the United Nation's International Civil Aviation Organization, NATO, and the US military. The suspect is believed to have stolen data from the organizations and leaked the information on the dark web. Authorities have seized cryptocurrency and electronic equipment believed to be related to the attacks.

Read more in

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added 10 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. The CVEs include a local file inclusion vulnerability and an OS command injection vulnerability affecting Paessler PRTG Network Monitor; an information disclosure vulnerability affecting Microsoft .NET Framework; an Apache OFBiz forced browsing vulnerability; a Linux Kernel out-of-bounds write vulnerability; and six others. All 10 flaws have mitigation due dates between February 25 and 27 for US Federal Civilian Executive Branch (FCEB) agencies.

Read more in