Also: Microsoft Recall; Microchip Technology Attack; FCC Fine for Deepfake Audio
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, a flaw was found in Microsoft's Copilot Studio, Microsoft announced the rollout of its Recall feature, Microchip Technology was hit by a cyberattack, FlightAware data was exposed, Equiniti and Lingo Telecom were fined for cyber-related incidents, and Toyota suffered a third-party breach.
Flaw in Microsoft’s Copilot Studio Exposes Cloud Data Risk
Security researchers from Tenable uncovered a server-side request forgery vulnerability in Microsoft’s Copilot Studio that allowed them to access potentially sensitive information about internal cloud computing services. The computing giant touts Copilot Studio as a “drag-and-drop low-code approach” to building custom chatbots.
Microsoft said it patched the flaw, tracked as CVE-2024-38206, and there is no need for user action. The vulnerability existed because the tool – in order to function – allows HTTP calls to external resources such as APIs containing data customers want to integrate into the chatbot.
Tenable researchers turned that ability against Copilot, finding they could route the HTTP request through a server they controlled, which bounced it to Azure's Instance Metadata Service and returned managed identity access tokens. “We could then leverage this authentication token to access other internal resources,” the researchers said. With further probing, the researchers were able to determine which subscriptions an Azure instance had access to and obtain read/write access to a Cosmos DB instance.
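The request path described above (a user-controllable outbound HTTP call, an attacker server that bounces it to the instance metadata endpoint, a managed identity token in the response) is what an outbound-request guard has to break. The following is an added example written for this page, not Tenable's proof of concept or Microsoft's fix; the policy constants, host names, IP addresses and the fake resolver and opener are constructed stand-ins so the code runs offline.

```python
"""SSRF guard for an 'HTTP request to an external API' feature of the kind the
text describes. Added example; every name and address here is hypothetical."""
import ipaddress
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}          # hypothetical policy
ALLOWED_PORTS = {80, 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 3


def address_is_public(ip_text: str) -> bool:
    """True only for globally routable addresses. Link-local (which contains the
    169.254.169.254 metadata endpoint used by Azure, AWS and GCP), loopback,
    RFC 1918, CGNAT, documentation and reserved ranges all return False."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped      # judge ::ffff:169.254.169.254 as its IPv4 form
    return ip.is_global


def system_resolver(host: str) -> Iterable[str]:
    """Real DNS lookup; the constructed resolver below replaces it offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_target(url: str, resolver: Callable[[str], Iterable[str]] = system_resolver) -> str:
    """Return url unchanged if scheme, port and every resolved address pass; else raise."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: no DNS needed
    except ValueError:
        addrs = list(resolver(host))                # hostname: check every answer
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if not address_is_public(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


Opener = Callable[[str], Tuple[int, Dict[str, str], bytes]]


def fetch_guarded(url: str, opener: Opener, resolver=system_resolver) -> bytes:
    """Follow redirects by hand so every hop is validated before it is requested.
    A 302 from the attacker's host pointing at 169.254.169.254 (the bounce the
    text describes) is therefore rejected at the second hop, before any request."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_target(url, resolver)
        status, headers, body = opener(url)
        if status in REDIRECT_CODES:
            location = headers.get("Location") or headers.get("location")
            if not location:
                raise ValueError("redirect without Location header")
            url = urljoin(url, location)            # resolve relative redirects
            continue
        return body
    raise ValueError("too many redirects")


class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # urlopen then raises HTTPError on 3xx instead of following it


def urllib_opener(url: str) -> Tuple[int, Dict[str, str], bytes]:
    """Real network opener for fetch_guarded; never follows redirects itself."""
    opener = urllib.request.build_opener(_NoAutoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), b""


# Constructed, offline stand-ins for DNS and for the servers involved.
FAKE_DNS = {
    "api.example.com": ["1.1.1.1"],            # legitimate public API (constructed)
    "attacker.example.net": ["8.8.8.8"],       # attacker-controlled bounce host (constructed)
    "internal.corp": ["10.0.0.5"],             # private host a bot must never reach
}


def fake_resolver(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


def fake_opener(url: str) -> Tuple[int, Dict[str, str], bytes]:
    if url.startswith("http://attacker.example.net/"):   # the bounce
        return 302, {"Location": "http://169.254.169.254/metadata/identity/oauth2/token"}, b""
    if url == "https://api.example.com/old":             # a benign redirect
        return 301, {"Location": "/new"}, b""
    return 200, {}, b"ok:" + url.encode()


def simulate_bounce() -> str:
    """Run the attacker's redirect chain through the guard and report the outcome."""
    try:
        fetch_guarded("http://attacker.example.net/", fake_opener, fake_resolver)
    except ValueError as err:
        return str(err)
    return "not blocked"


if __name__ == "__main__":
    print(simulate_bounce())
```

Two design points carry the weight: the check runs after DNS resolution and over every address returned, because a hostname the user supplies can resolve to 169.254.169.254 or a private range just as easily as a literal IP; and the client never follows redirects on its own, because the bounce is nothing more than a 3xx from the attacker's host. Two caveats for production use: resolution and connection happen separately here, so a DNS-rebinding attacker could answer with a public address for the check and a private one for the fetch, and the fix is to connect to the address that was validated; and the `Metadata: true` header Azure's IMDS requires is not a substitute for this check wherever the caller controls request headers.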
Microsoft Begins Rolling Out Recall
Microsoft announced that in October it will begin rolling out its AI-powered Windows Recall feature to Windows Insiders with Copilot+ PCs. The feature captures screenshots of active windows, analyzes them on-device using a neural processing unit and AI, and stores the results in an encrypted SQLite database. Users can later search these screenshots using natural language prompts.
After privacy advocates and cybersecurity experts raised concerns about potential misuse of Windows Recall by threat actors, Microsoft made Recall an opt-in feature. The database will remain encrypted until authenticated by Windows Hello (see: Microsoft Now Promises Extra Security for AI-Driven Recall).
Microchip Technology Hit by Cyberattack
American microcontroller manufacturer Microchip Technology Inc. disclosed a cyberattack over the weekend that disrupted operations at multiple manufacturing facilities. The Arizona company – whose customers include the automotive, aerospace and defense sectors – experienced reduced capacity at some of its plants as a result.
The company detected the breach on Aug. 17, after noticing suspicious activity. Microchip is working to evaluate the extent of the attack and restore affected IT systems. The full impact of the incident is still under investigation and it remains unclear whether it will significantly affect the company’s financial condition or operations.
FlightAware Data Exposure Could Affect Millions
Flight-tracking app FlightAware said that it exposed users' data for more than three years due to a configuration error. The exposure, which began on Jan. 1, 2021, was discovered late last month. The exposed information includes personal data such as user IDs, passwords, email addresses and Social Security numbers. FlightAware reports having 12 million registered users.
The company did not disclose exactly how many people were affected by the breach. It has since corrected the flaw and is requiring all potentially affected users to reset their passwords at their next login. FlightAware also offered two years of free credit monitoring through Equifax to those affected.
Financial Firm Fined $850K for Failing to Prevent Cyberattacks
Financial services firm Equiniti agreed to pay an $850,000 civil penalty for violating U.S. Securities and Exchange Commission cybersecurity regulations following two cyber incidents in 2022 and 2023. The SEC charged Equiniti with failing to secure customer assets after hackers stole over $6.6 million.
In the first incident, hackers hijacked an email chain between Equiniti and a U.S. client, impersonating the client to request the issuance and liquidation of millions of new shares, which led to a transfer of $4.78 million to Hong Kong bank accounts. Equiniti managed to recover about $1 million.
The second breach occurred in April 2023 when a hacker stole Social Security numbers of account holders. The hacker created fake accounts that were automatically linked to legitimate ones, enabling the liquidation of stocks and transferring $1.9 million to other bank accounts. Equiniti recovered $1.6 million and reimbursed affected customers.
Toyota Confirms Data Breach via Third-Party Compromise
Toyota confirmed that a third-party data breach exposed 240 gigabytes of customer and employee data, which was leaked by a threat actor who uses the name “ZeroSevenGroup” on a hacking forum. The stolen data includes personal information, contracts, financial details and network infrastructure credentials. The company told BleepingComputer that its own systems were not compromised and attributed the breach to a third party.
Toyota did not disclose when the breach was discovered, how the attacker gained access, or the exact number of individuals affected. The company said it is engaging with those affected and will offer assistance if needed but did not name the breached third party.
The leaked data was reportedly stolen on Dec. 25, 2022.
Telecom Firm Fined $1M for AI-Generated Fraudulent Call
U.S. telecom company Lingo Telecom agreed to a $1 million fine for transmitting a fraudulent campaign call featuring a fake AI-generated voice mimicking President Joe Biden. The company failed to “abide by ‘Know Your Customer’ (KYC) and ‘Know Your Upstream Provider’ (KYUP) principles,” the U.S. Federal Communications Commission said. Lingo Telecom completed 3,978 calls to potential New Hampshire voters on Jan. 21, who heard a false message urging them not to participate in the Democratic primary. The regulator had proposed a $2 million fine in May.
Longtime Democratic political operative Steve Kramer has admitted being the mastermind behind the campaign, telling The Associated Press in February that the calls were his attempt at a wake-up call about the dangers of AI-powered deepfakes. Kramer faces 13 state criminal charges for felony voter suppression, and the FCC has proposed a $6 million fine.