Cyber Security Headlines: Bypassing patches, ChatGPT polymorphic malware, Bitwarden goes passwordless

Vendors bypassing security patches

The security firm Sansec warns that some ecommerce vendors have begun bypassing security patches for mail templates in Adobe Commerce and Magento Open Source. These patches date back to February and fixed an actively exploited improper input validation bug in the checkout process that opened the door to arbitrary code execution. As part of the patch, Adobe removed the "smart" mail templates and introduced a mail template variable resolver to prevent injection attacks. That last part seems to be causing an issue: some vendors are reintroducing the functionality of the old template resolver into production Magento stores, often by copying old code. Sansec warns this effectively reintroduces the security flaw, because the strict resolver is the part of the fix that stops attacker-supplied directives from being evaluated. 
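As an added illustration of why copying the old resolver back in undoes the fix, the Python below contrasts a legacy-style resolver, which calls methods named in `{{var ...}}` paths and keeps re-processing directives that show up in substituted values, with a strict resolver that only walks an allow-list of plain data fields and inserts values as inert text. This is constructed example code, not Adobe's or Magento's implementation; the `Shell` object, the `order.shell.run(id)` payload typed into a checkout name field, and the allow-list are assumptions for the demo.

```python
import re
from typing import Any, Dict, List, Tuple

# Matches a template directive such as {{var order.increment_id}}
DIRECTIVE = re.compile(r"\{\{var\s+([^}]+?)\}\}")


class Shell:
    """Stand-in for a dangerous object reachable through the template's object graph
    (assumed for the demo; a real store exposes other, equally unsafe, method chains)."""

    def __init__(self) -> None:
        self.executed: List[str] = []

    def run(self, cmd: str) -> str:
        self.executed.append(cmd)
        return f"<output of {cmd}>"


class Order:
    def __init__(self, increment_id: str, customer_name: str) -> None:
        self.increment_id = increment_id
        self.customer_name = customer_name  # attacker-controlled at checkout
        self.shell = Shell()


class LegacyResolver:
    """Legacy-style behaviour: resolves dotted paths, calls any segment written as
    name(arg), and re-runs substitution until no directives remain, so directives
    smuggled in through data get evaluated too."""

    def resolve(self, path: str, ctx: Dict[str, Any]) -> str:
        obj: Any = ctx
        for seg in path.strip().split("."):
            call = re.fullmatch(r"(\w+)\((.*)\)", seg)
            if call:
                name, arg = call.groups()
                obj = getattr(obj, name)(arg) if arg else getattr(obj, name)()
            elif isinstance(obj, dict):
                obj = obj[seg]
            else:
                obj = getattr(obj, seg)
        return str(obj)

    def render(self, template: str, ctx: Dict[str, Any]) -> str:
        out = template
        for _ in range(10):  # bounded, but keeps substituting while directives remain
            new = DIRECTIVE.sub(lambda m: self.resolve(m.group(1), ctx), out)
            if new == out:
                return out
            out = new
        return out


class StrictResolver:
    """Hardened behaviour: only allow-listed plain fields, never a call, single pass,
    so a substituted value is text and is never interpreted as a directive."""

    ALLOWED = {"order.increment_id", "order.customer_name"}

    def resolve(self, path: str, ctx: Dict[str, Any]) -> str:
        path = path.strip()
        if path not in self.ALLOWED:
            return ""  # unknown or unsafe variable renders as empty text
        obj: Any = ctx
        for seg in path.split("."):
            obj = obj[seg] if isinstance(obj, dict) else getattr(obj, seg)
        return str(obj)

    def render(self, template: str, ctx: Dict[str, Any]) -> str:
        return DIRECTIVE.sub(lambda m: self.resolve(m.group(1), ctx), template)


# Constructed sample template and attacker input (the "name" entered at checkout).
TEMPLATE = "Thanks for order #{{var order.increment_id}}, {{var order.customer_name}}!"
PAYLOAD = "{{var order.shell.run(id)}}"


def demo(resolver: Any) -> Tuple[str, List[str]]:
    """Render the order email with the given resolver; return the output and
    the list of commands the Shell stand-in was asked to run."""
    order = Order("100000042", PAYLOAD)
    rendered = resolver.render(TEMPLATE, {"order": order})
    return rendered, order.shell.executed


if __name__ == "__main__":
    print(demo(LegacyResolver()))  # payload evaluated, shell.run("id") called
    print(demo(StrictResolver()))  # payload left as inert text, nothing called
```

The point of the contrast is that a "compatibility" patch which brings back method resolution or re-processing of substituted values reopens exactly the path the strict resolver closed, regardless of how the checkout input is validated elsewhere.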

(Security Week)

ChatGPT creates polymorphic malware

The security implications of generative AI continue to develop. We've already covered ChatGPT being used to outline a simple buffer overflow vulnerability, and illicit online forums attempting to use it for malware generation. Now researchers at CyberArk have created a new strain of polymorphic malware using the tool. The team got around OpenAI's content filters against creating malware simply by repeating requests with more specific constraints. The team also noted that the ChatGPT API doesn't appear to apply any content filtering. Once it produced the malware code, ChatGPT generated multiple variations of it. The researchers said it could "mutate the output on a whim, making it unique every time." 

(InfoSecurity Magazine)

Bitwarden acquires

This marks the first acquisition for the open source password management platform, obtaining a Swedish startup. The company specializes in tools for developers to integrate passwordless authentication. Bitwarden already supports some passwordless authentication, including biometrics and FIDO security keys. With the announcement, Bitwarden launched a new beta service that allows third parties to embed biometric sign-in into their apps. No word on how much the deal cost, but Bitwarden recently raised its first funding round in September, securing $100 million. 


Feds seize Bitzlato crypto exchange

The US Department of Justice announced it arrested the exchange's founder, Anatoly Legkodymov (Leg-cody-mov), charging him with money laundering. The DOJ arrested the Russian national in Miami and arraigned him in the US District Court for the Southern District of Florida. As part of an operation with Europol, French authorities took down the Bitzlato infrastructure. The DOJ said a lack of know-your-customer controls made the exchange a haven for illegal funds. Chainalysis estimates the exchange received over $2 billion worth of cryptocurrency from 2019 to 2021, of which 48% represented illicit or risky transactions. The dark web marketplace Hydra was the largest single source of transactions on the platform. 

(Bleeping Computer)

And now a word from our sponsor, Cerby

Did you know that over 60% of the cloud applications used by your company don’t support identity standards like single sign-on? And that these applications are the leading cause of breaches? Cerby can help.

Cerby discovers new applications, eliminates manual security tasks like offboarding, and addresses misconfigurations like disabled 2FA while increasing employee productivity. Wait. A security tool that increases productivity? Yup. Learn more at

Twitter speaks on third-party client outage

Twitter finally broke its silence over why third-party apps were no longer working with Twitter's API. A post on the company's Twitter account says "Twitter is enforcing its long-standing API rules. That may result in some apps not working." This explains why many third-party Twitter clients started having widespread problems accessing Twitter last Thursday. What wasn't specified is which "long-standing" rules these apps violated to warrant being cut off. Some have speculated that since these apps didn't show display ads, Twitter cut them off as a way to further drive ad revenue. It is worth noting that some apps, like Albatross and the iOS version of Fenix, continue to work. 

(The Verge)

Global IT spending fell in 2022

A new analysis by Gartner estimates that global IT spending fell 0.2% year over year in 2022 to $4.38 trillion, after an initial forecast of a 0.8% increase. It also cut its growth projection for IT spending in 2023 by more than half, to just 2.4%. Within this estimate, Gartner projects the biggest decline in device spending, down 5.1% to $685 billion, while services look to grow 6.7% to $264 billion. With potentially smaller budgets, many organizations report focusing their IT investments on optimizing business value, IT modernization and hiring. 


Latest Mailchimp attack sounds familiar

The newsletter giant disclosed that an attack on January 11th exposed data on dozens of customers. The attacker accessed an internal tool used by its customer support team after a targeted social engineering campaign. This marks the company's second breach in the last six months. More troublingly, the details of the August breach sound almost identical: a social engineering campaign obtained employee credentials, which were then used to access internal customer support tools. Impacted customers say the attack exposed customer names, store web URLs and email addresses. The breach did not expose customer passwords. 


A look at law enforcement’s access to money transfer database

The Wall Street Journal profiled how hundreds of US law enforcement agencies across state, local and federal jurisdictions maintain access to a database from the Transaction Record Analysis Center. This database shows the flow of funds through money transfer services like Western Union, MoneyGram, DolEx and Euronet. The Arizona state attorney general's office initially set up the database back in 2014, as part of a settlement with Western Union to combat drug trafficking. Documents obtained by the ACLU show that any authorized law enforcement agency can query the database without a warrant, including pulling bulk transaction records on nebulous criteria like a "Middle Eastern/Arabic name" category. US Senator Ron Wyden has opened an investigation into the use of this database by federal agencies. 


Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.