Transcript
A (0:01)
London police arrest teens behind preschool ransomware attack. Ransomware groups exploit new critical flaws in GoAnywhere file transfer servers. CISA issues an urgent warning on a 2021 Windows flaw now under active attack, and Google refuses to patch Gemini's invisible prompt flaw. Users are left to defend themselves. This is Cybersecurity Today and I'm your host, Jim Love.

Two teenagers have been arrested in London after what police call a disgusting ransomware attack on a chain of preschools. The Metropolitan Police Cybercrime Unit said that two 17-year-olds were taken into custody during raids in Bishop's Stortford, Hertfordshire, following a September 25 report to Action Fraud, the UK's cybercrime reporting centre. Investigators say the attack targeted Kido International, a preschool and daycare organization with operations in the UK, US and India, in an appalling attempt to extort money. The attackers posted the personal details of 10 children, including photos, names, home addresses and their parents' contact information, threatening to release more if the ransom wasn't paid. The gang, calling itself the Radiant Group, published the data on its dark web site, but later deleted the children's information after other cybercriminal groups condemned the act. It appears that even in the criminal underworld, many hackers drew a line, calling the use of children's data for extortion unacceptable. Kido welcomed the swift police action and also said it continues to support affected families. Police described the arrests as a major step forward, but said the investigation continues. It's a chilling reminder that some crimes are so vile that even other hackers refuse to look the other way.

Microsoft and CISA are warning that a new critical vulnerability in GoAnywhere MFT servers is being actively exploited by ransomware operators. GoAnywhere MFT, short for Managed File Transfer, is a secure data exchange platform used by major organizations in finance, healthcare and even government. When exposed to the Internet, though, it has become a prime target for attackers. The flaw, tracked as CVE-2024-0204, allows unauthenticated remote code execution through the product's admin console. Microsoft rated it critical, and ransomware groups, including affiliates linked to the Clop ransomware gang, are now exploiting it in the wild. A similar zero-day in 2023 led to breaches at more than 130 companies. The vendor released a patch in January 2024, but unpatched systems are now being hijacked to deploy ransomware and steal data. Administrators should immediately apply these updates, disable external access to the admin portal, and review their logs for signs of compromise. It's another example of how trusted tools for secure transfer can become the attacker's doorway if they're left unpatched.

A three-year-old Windows vulnerability has come back to haunt us. The US Cybersecurity and Infrastructure Security Agency has issued an urgent alert for CVE-2021-43226, a Windows privilege escalation flaw that was actually patched by Microsoft in December 2020. The bug sits in the Common Log File System driver and allows attackers with even limited local access to gain full system-level control. CISA says the flaw is being actively exploited right now and has added it to its Known Exploited Vulnerabilities catalog with a mandatory patch-by date of October 27th. Organizations should confirm that they put these patches in place and are running at least the December 2021 cumulative update, KB5008215 for Windows 11 and KB5008223 for Windows Server 2022, and verify that those systems haven't drifted out of compliance.

Researchers have discovered a new attack on Google's Gemini AI that hides malicious prompts as normal-looking text. The so-called ASCII smuggling attack embeds invisible Unicode into emails or web pages, and Gemini reads those hidden instructions even though humans can't see them. It's shockingly easy to exploit. Researcher Viktor Markopoulos showed that a phishing email could include a prompt written in font size zero, white on white, invisible to the reader, but Gemini would still obey it when asked to summarize the message. He warns that for users who have Gemini or even some other LLMs connected to their inboxes, a simple email with hidden commands can instruct the LLM to search the inbox for sensitive items or send contact details, turning a standard phishing attempt into an autonomous data extraction tool. But we have to remember that LLMs that browse the web could also stumble onto hidden payloads inside product descriptions or web text, feeding users malicious links without realizing it. And amazingly, Google says it doesn't view this as a technical flaw and has no plans to patch it. Security experts recommend restricting Gemini's access to email and calendar tools, sanitizing text to remove invisible characters, and treating AI-generated summaries with caution. A few invisible characters are all it takes to turn a helpful assistant into a data exfiltration agent. And until vendors fix it, and they should, defenders must close that gap themselves.

And that's our show. If you like what we're doing, please share the program. Give us a like, leave a comment on your favorite podcast app. We're everywhere: Apple, Spotify, YouTube, and just about anywhere you can get podcasts. A quick reminder, this is Canadian Thanksgiving, so there'll be no Monday show. We've got a special Weekend Edition coming up, but we'll be back early next week with more cybersecurity news. We always love to hear from you. You can reach me at technewsday.ca or technewsday.com, just use the Contact Us page. If you're watching on YouTube, leave a note under the video. We read every one. I'm your host, Jim Love. Thanks for listening. And if your alphabet ends with a Z, happy Thanksgiving.
