<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/52/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>LastPass now requires 12-character master passwords for better security</title><link>https://nsaneforums.com/news/security-privacy-news/lastpass-now-requires-12-character-master-passwords-for-better-security-r21000/</link><description><![CDATA[<p>
	LastPass notified customers today that they are now required to use complex master passwords with a minimum of 12 characters to increase their accounts' security.
</p>

<p>
	Even though <a data-sk="tooltip_parent" data-stringify-link="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/#:~:text=Since%202018%2C%20we%20have%20required%20a%20twelve%2Dcharacter%20minimum" delay="150" href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/#:~:text=Since%202018%2C%20we%20have%20required%20a%20twelve%2Dcharacter%20minimum" rel="external nofollow" target="_blank">LastPass has repeatedly said</a> that a 12-character master password requirement has been in place since 2018, users have still been able to choose a weaker one.
</p>

<p>
	"Historically, while a 12-character master password has been LastPass’ default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so," LastPass <a href="http://blog.lastpass.com/2024/01/lastpass-is-making-account-updates-heres-why/" rel="external nofollow" target="_blank">said</a> in a new announcement today. 
</p>

<p>
	LastPass began enforcing the 12-character master password requirement in April 2023 for new accounts and password resets, but older accounts could still keep passwords with fewer than 12 characters. Starting this month, LastPass is enforcing the 12-character master password requirement for all accounts.
</p>

<p>
	Furthermore, LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.
</p>

<p>
	If a match is found, the customers will be alerted via a security warning pop-up and prompted to select another password to block future cracking attempts.
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="efe4ee5bec9ce871f5028cffea9f6d65" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/LastPass/status/1742547638879236577"></iframe>
</div>

<p>
	As part of the same effort to increase account security, LastPass also started a forced multi-factor authentication (MFA) re-enrollment process in May 2023, which led to many users experiencing <a href="https://www.bleepingcomputer.com/news/security/lastpass-users-furious-after-being-locked-out-due-to-mfa-resets/" target="_blank" rel="external nofollow">significant login issues and getting locked out</a> of their accounts.
</p>

<p>
	"These changes include requiring customers to update their master password length and complexity to meet recommended best practices and prompting customers to re-enroll their multi-factor authentication (MFA), among others," said Mike Kosak, a Senior Principal Intelligence Analyst at LastPass.
</p>

<p>
	"Starting in January 2024, LastPass will enforce a requirement that all customers use a master password with at least 12 characters.
</p>

<p>
	"Next month, LastPass will also begin immediate checks on new or reset master passwords against a database of known breached credentials in order to ensure the password hasn't been previously exposed on the Dark Web."
</p>

<p>
	LastPass told BleepingComputer that B2C customers will begin receiving emails about these changes today, with B2B customers receiving them on January 10th.
</p>

<h2>
	Master passwords cracked after 2022 breach
</h2>

<p>
	These measures are the direct result of two security breaches LastPass disclosed in <a href="https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/" target="_blank" rel="external nofollow">August 2022</a> and <a href="https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/" target="_blank" rel="external nofollow">November 2022</a>.
</p>

<p>
	In August, the company confirmed its developer environment was breached via a compromised developer account after the attackers hacked into a software engineer's corporate laptop. During the breach, they stole source code, technical info, and some LastPass internal system secrets.
</p>

<p>
	The information stolen in this incident was later used by threat actors in the December breach when they also <a href="https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/" target="_blank" rel="external nofollow">stole customer vault data</a> from its encrypted Amazon S3 buckets after <a href="https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/" target="_blank" rel="external nofollow">compromising a senior DevOps engineer's computer</a> using a remote code execution vulnerability to install a keylogger.
</p>

<p>
	In October 2023, hackers stole $4.4 million worth of cryptocurrency from more than 25 victims using private keys and passphrases extracted from LastPass databases stolen in the 2022 breaches.
</p>

<p>
	According to research by MetaMask developer <a data-sk="tooltip_parent" data-stringify-link="https://twitter.com/tayvano_/status/1648187031468781568" delay="150" href="https://twitter.com/tayvano_/status/1648187031468781568" rel="external nofollow" target="_blank">Taylor Monahan</a> and <a data-sk="tooltip_parent" data-stringify-link="https://twitter.com/zachxbt" delay="150" href="https://twitter.com/zachxbt" rel="external nofollow" target="_blank">ZachXBT</a>, threat actors are believed to be cracking stolen LastPass master passwords to gain access to the password vaults.
</p>

<p>
	Using this access, the threat actors search for cryptocurrency wallet passphrases, credentials, and private keys and use them to load the wallets onto their own devices to drain them of all funds.
</p>

<p>
	LastPass says its password management solution is now used by over 33 million people and 100,000 businesses worldwide.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lastpass-now-requires-12-character-master-passwords-for-better-security/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21000</guid><pubDate>Wed, 03 Jan 2024 17:32:03 +0000</pubDate></item><item><title>Nearly 11 million SSH servers vulnerable to new Terrapin attacks</title><link>https://nsaneforums.com/news/security-privacy-news/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks-r20999/</link><description><![CDATA[<p>
	Almost 11 million internet-exposed SSH servers are vulnerable to the Terrapin attack that threatens the integrity of some SSH connections.
</p>

<p>
	The <a href="https://www.bleepingcomputer.com/news/security/terrapin-attacks-can-downgrade-security-of-openssh-connections/" target="_blank" rel="external nofollow">Terrapin attack</a> targets the SSH protocol, affecting both clients and servers, and was developed by academic researchers from Ruhr University Bochum in Germany.
</p>

<p>
	It manipulates sequence numbers during the handshake process to compromise the integrity of the SSH channel, particularly when specific encryption modes like ChaCha20-Poly1305 or CBC with Encrypt-then-MAC are used.
</p>

<p>
	An attacker could thus downgrade the public key algorithms for user authentication and disable defenses against keystroke timing attacks in OpenSSH 9.5.
</p>

<p>
	A notable prerequisite for the Terrapin attack is that the attacker must hold an adversary-in-the-middle (AitM) position on the connection in order to intercept and modify the handshake exchange.
</p>

<p>
	It is worth noting that threat actors often compromise networks of interest and wait for the right moment to progress their attack.
</p>

<p>
	A recent report by security threat monitoring platform Shadowserver warns that nearly 11 million SSH servers on the public web, counted by unique IP address, are vulnerable to Terrapin attacks.
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="0e12aac4a8e1d19824355a390de9c790" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/Shadowserver/status/1742482640815419653"></iframe>
</div>

<p>
	This constitutes roughly 52% of all scanned samples in the IPv4 and IPv6 space monitored by Shadowserver.
</p>

<p>
	Most of the vulnerable systems were identified in the United States (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000).
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="map.jpg" class="ipsImage" data-ratio="75.10" height="346" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Cybersecurity/map.jpg">
	</p>

	<div style="text-align: left;">
		<em>Global exposure to the Terrapin risk (Shadowserver)</em>
	</div>

</div>

<p>
	The significance of Shadowserver’s report lies in highlighting that Terrapin attacks can have a widespread impact.
</p>

<p>
	While not all 11 million instances are at immediate risk of being attacked, it shows that adversaries have a large pool to choose from.
</p>

<p>
	If you want to check an SSH client or server for its susceptibility to Terrapin, the Ruhr University Bochum team provides a <a href="https://github.com/RUB-NDS/Terrapin-Scanner" rel="external nofollow" target="_blank">vulnerability scanner</a>.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20999</guid><pubDate>Wed, 03 Jan 2024 17:29:09 +0000</pubDate></item><item><title>The law enforcement operations targeting cybercrime in 2023</title><link>https://nsaneforums.com/news/security-privacy-news/the-law-enforcement-operations-targeting-cybercrime-in-2023-r20980/</link><description><![CDATA[<p>
	In 2023, we saw numerous law enforcement operations targeting cybercrime operations, including cryptocurrency scams, phishing attacks, credential theft, malware development, and ransomware attacks.
</p>

<p>
	While some of these operations were more successful than others, law enforcement has been increasingly using hack-back tactics to infiltrate operations and disrupt them.
</p>

<p>
	BleepingComputer has provided a non-exhaustive list of these operations below in chronological order:
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-disrupted-after-fbi-hacks-gangs-systems/" target="_blank" rel="external nofollow">Hive ransomware disrupted after FBI hacks gang's systems</a>
</h3>

<p>
	The US Department of Justice and Europol announced that an international law enforcement operation had secretly infiltrated the Hive ransomware gang's infrastructure in July 2022 and then monitored the operation for six months.
</p>

<p>
	The Hive ransomware's Tor payment and data leak sites were then seized by the FBI in January 2023. 
</p>

<p>
	<img alt="hive-seizure-notice-op.gif" class="ipsImage" data-ratio="75.10" height="536" width="720" src="https://www.bleepstatic.com/images/news/ransomware/h/hive/tor-site-seizure/hive-seizure-notice-op.gif">
</p>

<p>
	The ransomware gang had not been spotted again until recently, when they are believed to have rebranded as the <a href="https://www.bleepingcomputer.com/news/security/new-hunters-international-ransomware-possible-rebrand-of-hive/" target="_blank" rel="external nofollow">Hunters International ransomware group</a>.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/police-hacked-exclu-secure-message-platform-to-snoop-on-criminals/" target="_blank" rel="external nofollow">Police hacked Exclu 'secure' message platform to snoop on criminals</a>
</h3>

<p>
	The Dutch police dismantled the Exclu encrypted communications platform after hacking into the service to monitor the activities of criminal organizations.
</p>

<p>
	The operation consisted of two separate investigations, started in September 2020 and April 2022; the police also carried out 79 targeted searches in the Netherlands, Germany, and Belgium and arrested 42 people.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/" target="_blank" rel="external nofollow">Core DoppelPaymer ransomware gang members targeted in Europol operation</a>
</h3>

<p>
	Law enforcement in Germany and Ukraine targeted two individuals believed to be core members of the DoppelPaymer ransomware group.
</p>

<p>
	The operation consisted of raiding multiple locations in the two countries in February and was the result of a coordinated effort that also involved Europol, the FBI, and the Dutch Police.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/police-seize-netwire-rat-malware-infrastructure-arrest-admin/" target="_blank" rel="external nofollow">Police seize Netwire RAT malware infrastructure, arrest admin</a>
</h3>

<p>
	An international law enforcement operation involving the FBI and police agencies worldwide led to the arrest of the suspected administrator of the NetWire remote access trojan and the seizure of the service’s web domain and hosting server.
</p>

<p>
	NetWire was a remote access trojan promoted as a legitimate remote administration tool to manage a Windows computer remotely.
</p>

<p>
	Since at least 2014, NetWire has been a tool of choice in various malicious activities, including <a href="https://www.bleepingcomputer.com/news/security/us-taxpayers-targeted-with-rat-malware-in-ongoing-phishing-attacks/" target="_blank" rel="external nofollow">phishing attacks</a>, <a href="https://www.bleepingcomputer.com/news/security/silverterrier-bec-scammers-target-us-govt-healthcare-agencies/" target="_blank" rel="external nofollow">BEC campaigns</a>, and to <a href="https://www.bleepingcomputer.com/news/security/opera1er-hackers-steal-over-11-million-from-banks-and-telcos/" target="_blank" rel="external nofollow">breach corporate networks</a>.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/uk-creates-fake-ddos-for-hire-sites-to-identify-cybercriminals/" target="_blank" rel="external nofollow">UK creates fake DDoS-for-hire sites to identify cybercriminals</a>
</h3>

<p>
	As part of <a href="https://www.bleepingcomputer.com/news/security/police-forces-team-up-to-hunt-down-users-of-ddos-services/" target="_blank" rel="external nofollow">Operation PowerOFF</a>, the U.K.'s National Crime Agency (NCA) created multiple fake DDoS-for-hire service websites to identify cybercriminals who use these platforms to attack organizations.
</p>

<p>
	The NCA says several thousand people accessed its fake sites, which looked like genuine booter services. Instead of providing access to DDoS tools, however, the sites only collected information about those who wished to use such services.
</p>

<p>
	After successfully infiltrating the cybercrime market and gathering information about those purchasing illegal services, the agency revealed the operation by displaying a splash page on only one of its fake sites. 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="banner.png" class="ipsImage" data-ratio="75.10" height="403" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Darknet/banner.png">
	</p>

	<div style="text-align: left;">
		<em>Banner seen by visitors of the fake DDoS-for-hire site</em>
	</div>
</div>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/us-seizes-112-million-from-cryptocurrency-investment-scammers/" target="_blank" rel="external nofollow">US seizes $112 million from cryptocurrency investment scammers</a>
</h3>

<p>
	The U.S. Department of Justice seized six virtual currency accounts containing over $112 million in funds stolen in cryptocurrency investment schemes.
</p>

<p>
	The criminals behind these cryptocurrency fraud scams (also known as pig butchering or cryptocurrency confidence scams) approach their victims via various dating platforms, messaging apps, or social media platforms, build trust, and introduce them to investment schemes which eventually allow them to empty the targets' crypto wallets.
</p>

<p>
	The DOJ says the next step is to return the stolen cryptocurrency to the victims.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-stolen-credentials-market-genesis-in-operation-cookie-monster/" target="_blank" rel="external nofollow"><span class="top_num">FBI seizes stolen credentials market Genesis in Operation Cookie Monster</span></a>
</h3>

<p>
	The domains and infrastructure for Genesis Market, one of the most popular marketplaces for stolen credentials of all types, were seized by law enforcement earlier this week as part of Operation Cookie Monster.
</p>

<p>
	Genesis Market's full database had 1.5 million bots supplying more than 2 million identities; more than 460,000 bots were available for sale at the time of the takedown. In total, the platform offered about 80 million credentials and digital fingerprints, says the UK's National Crime Agency.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/police-operation-spector-arrests-288-dark-web-drug-vendors-and-buyers/" target="_blank" rel="external nofollow">Police operation 'SpecTor' arrests 288 dark web drug vendors and buyers</a>
</h3>

<p>
	An international law enforcement operation codenamed 'SpecTor' has arrested 288 dark web vendors and customers worldwide, with police seizing €50.8 million ($55.9M) in cash and cryptocurrency.
</p>

<p>
	The vendors were active in a marketplace known as the 'Monopoly Market' that sold drugs to customers worldwide in exchange for Bitcoin and Monero cryptocurrency.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-9-crypto-exchanges-used-to-launder-ransomware-payments/" target="_blank" rel="external nofollow">FBI seizes 9 crypto exchanges used to launder ransomware payments</a>
</h3>

<p>
	The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.
</p>

<p>
	The operation was carried out with the help of the Virtual Currency Response Team, the National Police of Ukraine, and legal prosecutors in the country.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-breachforums-after-arresting-its-owner-pompompurin-in-march/" target="_blank" rel="external nofollow">FBI seizes BreachForums after arresting its owner Pompompurin in March</a>
</h3>

<p>
	U.S. law enforcement seized the clear web domain of the notorious BreachForums (aka Breached) hacking forum three months after apprehending its owner Conor Fitzpatrick (aka Pompompurin) on cybercrime charges.
</p>

<p>
	Hosted at Breached[.]vc, the domain now shows a seizure banner saying the website was taken down by the FBI, the Department of Health and Human Services, the Office of Inspector General, and the Department of Justice based on a warrant issued by the U.S. District Court for the Eastern District of Virginia.
</p>

<p>
	<img alt="BreachForums_seizure_banner.jpg" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/BreachForums_seizure_banner.jpg">
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/encrochat-takedown-led-to-6-500-arrests-and-979-million-seized/" target="_blank" rel="external nofollow">EncroChat takedown led to 6,500 arrests and $979 million seized</a>
</h3>

<p>
	Europol took down the EncroChat encrypted mobile communications platform, which has led to the arrest of over 6,600 people and the seizure of $979 million in illicit funds.
</p>

<p>
	EncroChat phones ran a special, hardened version of Android that promised users unbreakable encryption, anonymity, and no traceability.
</p>

<p>
	In 2020, a large-scale <a href="https://www.bleepingcomputer.com/news/security/hundreds-arrested-after-encrypted-messaging-network-takeover/" target="_blank" rel="external nofollow">European law enforcement operation</a> quietly infiltrated the EncroChat platform and was able to analyze millions of messages shared between its users after breaking the encryption algorithm.
</p>

<p>
	After analyzing 15 million conversations between roughly 60,000 users of the platform, police have <a href="https://www.europol.europa.eu/media-press/newsroom/news/dismantling-encrypted-criminal-encrochat-communications-leads-to-over-6-500-arrests-and-close-to-eur-900-million-seized" rel="external nofollow" target="_blank">arrested 6,558 users</a> of EncroChat, including 197 high-value targets.
</p>

<p>
	The data also allowed the police to locate and seize 270 tons of drugs, 971 vehicles, 271 properties, 923 weapons, 68 explosives, 40 planes, and 83 boats.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/qakbot-botnet-dismantled-after-infecting-over-700-000-computers/" target="_blank" rel="external nofollow">Qakbot botnet dismantled after infecting over 700,000 computers</a>
</h3>

<p>
	The <a href="https://www.bleepingcomputer.com/news/security/qakbot-botnet-dismantled-after-infecting-over-700-000-computers/" target="_blank" rel="external nofollow">FBI disrupted the <strong>Qakbot</strong> botnet</a> by seizing infrastructure and pushing out a module that uninstalled the malware from infected devices.
</p>

<p>
	The botnet (also known as Qbot and Pinkslipbot) was linked by law enforcement to at least 40 ransomware attacks against companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage, according to conservative estimates. Over the past 18 months alone, losses have surpassed 58 million dollars.
</p>

<p>
	Throughout the years, Qakbot has consistently served as an initial infection vector for various ransomware gangs and their affiliates or operators, including Conti, <a href="https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/" target="_blank" rel="external nofollow">ProLock</a>, <a href="https://www.bleepingcomputer.com/news/security/qbot-partners-with-egregor-ransomware-in-bot-fueled-attacks/" target="_blank" rel="external nofollow">Egregor</a>, REvil, RansomExx, MegaCortex, and, most recently, <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/security/qbot-now-pushes-black-basta-ransomware-in-bot-powered-attacks/" delay="150" href="https://www.bleepingcomputer.com/news/security/qbot-now-pushes-black-basta-ransomware-in-bot-powered-attacks/" rel="external nofollow" target="_blank">Black Basta</a>.
</p>

<p>
	However, the success of this law enforcement operation may be short-lived, as cybersecurity researchers have already seen <a href="https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/" target="_blank" rel="external nofollow">QakBot rebuilding its botnet</a>.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/" target="_blank" rel="external nofollow">Ragnar Locker ransomware’s dark web extortion sites seized by police</a>
</h3>

<p>
	The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized as part of an international law enforcement operation.
</p>

<p>
	Visiting either website now displays a seizure message stating that a large assortment of international law enforcement from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic, and Latvia were involved in the operation.
</p>

<p>
	<img alt="seizure-message-negotiation.jpg" class="ipsImage" data-ratio="75.10" height="488" width="720" src="https://www.bleepstatic.com/images/news/ransomware/r/ragnarlocker/sites-siezed/seizure-message-negotiation.jpg">
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/police-dismantle-ransomware-group-behind-attacks-in-71-countries/" target="_blank" rel="external nofollow">Police dismantle ransomware group behind attacks in 71 countries</a>
</h3>

<p>
	In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested the core members of a ransomware group linked to attacks against organizations in 71 countries.
</p>

<p>
	The cybercriminals paralyzed major corporations' operations in attacks using ransomware such as LockerGoga, MegaCortex, HIVE, and Dharma.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/" target="_blank" rel="external nofollow">FBI disrupts Blackcat ransomware operation, creates decryption tool</a>
</h3>

<p>
	The FBI hacked the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys for victims.
</p>

<p>
	BleepingComputer first reported that the <a href="https://www.bleepingcomputer.com/news/security/alphv-ransomware-site-outage-rumored-to-be-caused-by-law-enforcement/" target="_blank" rel="external nofollow">ALPHV, aka BlackCat, websites suddenly stopped working</a>, including the ransomware gang's Tor negotiation and data leak sites.
</p>

<p>
	While the ALPHV admin claimed it was a hosting issue, BleepingComputer learned it was related to a law enforcement operation.
</p>

<p>
	Ten days later, the <a href="https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant" rel="external nofollow" target="_blank">Department of Justice confirmed our reporting</a>, stating that the FBI conducted a law enforcement operation that allowed them to gain access to ALPHV's infrastructure.
</p>

<p>
	With this access, the FBI monitored the ransomware operation for months while siphoning decryption keys and sharing them with victims.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/interpol-operation-arrests-3-500-cybercriminals-seizes-300-million/" target="_blank" rel="external nofollow">Interpol operation arrests 3,500 cybercriminals, seizes $300 million</a>
</h3>

<p>
	An international law enforcement operation codenamed 'Operation HAECHI IV' has led to the arrest of 3,500 suspects of various lower-tier cybercrimes and seized $300 million in illicit proceeds.
</p>

<p>
	The latest operation, which occurred between July and December 2023, targeted threat actors engaging in voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise, and e-commerce fraud.
</p>

<p>
	In addition, Interpol's financial intelligence mechanism, I-GRIP, flagged and froze 82,112 bank accounts in 34 countries linked to various cybercrimes and fraudulent operations.
</p>

<p>
	Of the seized amount, $199 million is in hard currency, and the remaining $101 million corresponds to the value of 367 digital/virtual assets, such as NFTs (non-fungible tokens), linked to cybercrime.
</p>

<h3 class="top_story" style="color:white!important">
	<a href="https://www.bleepingcomputer.com/news/security/german-police-takes-down-kingdom-market-cybercrime-marketplace/" target="_blank" rel="external nofollow">German police takes down Kingdom Market cybercrime marketplace</a>
</h3>

<p>
	The Federal Criminal Police Office in Germany (BKA) and the internet-crime combating unit of Frankfurt (ZIT) have announced the seizure of Kingdom Market, a dark web marketplace for drugs, cybercrime tools, and fake government IDs.
</p>

<p>
	The law enforcement operation also included authorities from the United States, Switzerland, Moldova, and Ukraine, while one of the administrators has been arrested in the US.
</p>

<p>
	The police say the marketplace hosted 42,000 items for sale, 3,600 of which were from Germany.
</p>

<p>
	<style type="text/css">
.top_story {
  padding: 20px;
  background-color: #537aba;
  color: white!important;
  font-weight: bold;
}
.top_story a:link, .top_story a:visited {
  color: white!important;
  text-decoration: underline;
}
.top_story a:hover {
  color: #57FA89!important;
}	</style>
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-law-enforcement-operations-targeting-cybercrime-in-2023/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20980</guid><pubDate>Tue, 02 Jan 2024 18:49:57 +0000</pubDate></item><item><title>The biggest cybersecurity and cyberattack stories of 2023</title><link>https://nsaneforums.com/news/security-privacy-news/the-biggest-cybersecurity-and-cyberattack-stories-of-2023-r20979/</link><description><![CDATA[<p>
	2023 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities.
</p>

<p>
	Some stories, though, were more impactful or popular with our 22 million readers than others.
</p>

<p>
	Below are fourteen of what BleepingComputer believes are the most impactful cybersecurity stories of 2023, with a summary of each.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">14. <a href="https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/" target="_blank" rel="external nofollow">The 23andMe data breach</a></span>
</h3>

<p>
	Genetic testing provider 23andMe suffered credential stuffing attacks that led to a major data breach, exposing the data of 6.9 million users.
</p>

<p>
	 
</p>

<p>
	The company states that the attackers only breached a small number of accounts during the credential-stuffing attacks. However, the threat actors were able to abuse other features to scrape millions of individuals' data.
</p>

<p>
	 
</p>

<p>
	The threat actors attempted to sell the stolen data but, after failing to find buyers, leaked the data of 1 million Ashkenazi Jews and 4,011,607 people living in Great Britain on a hacking forum.
</p>

<p>
	 
</p>

<p>
	In a recent update, 23andMe told BleepingComputer that the breach impacted 6.9 million people — 5.5 million through the <a href="https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics" rel="external nofollow" target="_blank">DNA Relatives</a> feature and 1.4 million through the Family Tree feature.
</p>

<p>
	 
</p>

<p>
	This breach has led to <a href="https://www.bleepingcomputer.com/news/security/23andme-hit-with-lawsuits-after-hacker-leaks-stolen-genetics-data/" target="_blank" rel="external nofollow">multiple class action lawsuits</a> against the company for not adequately protecting data.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">13.</span> <a href="https://www.bleepingcomputer.com/news/security/hosting-firm-says-it-lost-all-customer-data-after-ransomware-attack/" target="_blank" rel="external nofollow">Hosting firm says it lost all customer data after ransomware attack</a>
</h3>

<p>
	Two Danish hosting providers were forced to shut down after a ransomware attack encrypted the majority of customer data, and data restoration was not successful.
</p>

<p>
	 
</p>

<p>
	"Since we neither can nor wish to meet the financial demands of the criminal hackers for a ransom, CloudNordic's IT team and external experts have been working intensively to assess the damage and determine what could be recovered," reads <a href="https://www.cloudnordic.com/" rel="external nofollow" target="_blank">CloudNordic's statement</a> (machine translated).
</p>

<p>
	 
</p>

<p>
	"Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us."
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">12.</span> Anonymous Sudan hacktivists show that DDoS attacks can impact the largest tech firms
</h3>

<p>
	A hacktivist group known as Anonymous Sudan took everyone by surprise when their DDoS attacks took down the websites and services of some of the largest tech firms in the world.
</p>

<p>
	 
</p>

<p>
	The group's attacks gained wide media attention when they successfully took down login pages for Microsoft's services, including <a href="https://www.bleepingcomputer.com/news/microsoft/outlookcom-hit-by-outages-as-hacktivists-claim-ddos-attacks/" target="_blank" rel="external nofollow">Outlook</a>, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-onedrive-down-worldwide-following-claims-of-ddos-attacks/" target="_blank" rel="external nofollow">OneDrive</a>, and the <a href="https://www.bleepingcomputer.com/news/microsoft/microsofts-azure-portal-down-following-new-claims-of-ddos-attacks/" target="_blank" rel="external nofollow">Azure portal</a>.
</p>

<p>
	 
</p>

<p>
	Over a week later, Microsoft finally confirmed that DDoS attacks caused these outages.
</p>

<p>
	 
</p>

<p>
	"Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability," <a href="https://msrc.microsoft.com/blog/2023/06/microsoft-response-to-layer-7-distributed-denial-of-service-ddos-attacks/" rel="external nofollow" target="_blank">confirmed Microsoft</a>.
</p>

<p>
	 
</p>

<p>
	"Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359."
</p>

<p>
	 
</p>

<p>
	Anonymous Sudan later targeted numerous other websites, including those for <a href="https://www.bleepingcomputer.com/news/security/openai-confirms-ddos-attacks-behind-ongoing-chatgpt-outages/" target="_blank" rel="external nofollow">ChatGPT</a>, <a href="https://www.bleepingcomputer.com/news/technology/cloudflare-website-downed-by-ddos-attack-claimed-by-anonymous-sudan/" target="_blank" rel="external nofollow">Cloudflare</a>, and U.S. government services.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Anonymous_Sudan_attack_claims.jpg" class="ipsImage" data-ratio="75.10" height="333" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Anonymous_Sudan_attack_claims.jpg">
	</p>

	<div style="text-align: left;">
		<em>Anonymous Sudan claiming to attack US government websites. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The increasing DDoS attacks and their impact led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to <a href="https://www.bleepingcomputer.com/news/security/cisa-issues-ddos-warning-after-attacks-hit-multiple-us-orgs/" target="_blank" rel="external nofollow">release an advisory</a> about these incidents.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">11.</span> <a href="https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/" target="_blank" rel="external nofollow">New acoustic attack steals data from keystrokes with 95% accuracy</a>
</h3>

<p>
	A team of researchers from British universities trained a deep learning model to steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%.
</p>

<p>
	 
</p>

<p>
	When Zoom was used for training the sound classification algorithm, the prediction accuracy dropped to 93%, which is still extremely high.
</p>

<p>
	 
</p>

<p>
	To mitigate these attacks, the researchers suggest users may try altering their typing style or using randomized passwords. Other defense measures include using software to reproduce keystroke sounds or play white noise, or using software-based keystroke audio filters.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">10.</span>  <a href="https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/" target="_blank" rel="external nofollow">PayPal accounts breached in large-scale credential stuffing attack</a>
</h3>

<p>
	PayPal suffered a credential stuffing attack between December 6 and December 8, 2022, allowing attackers to access 34,942 accounts.
</p>

<p>
	 
</p>

<p>
	Credential stuffing is an attack where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.
</p>

<p>
	 
</p>

<p>
	Hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">9.</span> <a href="https://www.bleepingcomputer.com/news/security/dish-network-goes-offline-after-likely-cyberattack-employees-cut-off/" target="_blank" rel="external nofollow">Dish Network goes offline after likely cyberattack, employees cut off</a>
</h3>

<p>
	American T.V. giant and satellite broadcast provider DISH Network mysteriously went offline earlier this year, with its websites and mobile apps not working for days.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="dish_com-screenshot.jpeg" class="ipsImage" data-ratio="75.10" height="301" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2023/Feb/dish-offline/dish_com-screenshot.jpeg">
	</p>

	<div style="text-align: left;">
		<em>Dish.com website offline amid 'internal system issue' Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	DISH later confirmed that the outage was <a href="https://www.bleepingcomputer.com/news/security/dish-network-confirms-ransomware-attack-behind-multi-day-outage/" target="_blank" rel="external nofollow">caused by a ransomware attack</a>, with BleepingComputer first to report that the Black Basta ransomware gang was behind the attack.
</p>

<p>
	 
</p>

<p>
	Employees told BleepingComputer that the ransomware gang compromised the company's Windows domain controllers and encrypted VMware ESXi servers and backups.
</p>

<p>
	 
</p>

<p>
	DISH data breach notifications confirmed that data was stolen in the attack and hinted that a ransom was paid so that the stolen data would not be released.
</p>

<p>
	 
</p>

<p>
	"We are not aware of any misuse of your information, and we have received confirmation that the extracted data has been deleted," read the <a href="https://www.documentcloud.org/documents/23816962-dish_network_notification_letter" rel="external nofollow" target="_blank">data breach notification</a>.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">8.</span> <a href="https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/" target="_blank" rel="external nofollow">GoDaddy: Hackers stole source code, installed malware in multi-year breach</a>
</h3>

<p>
	Web hosting giant GoDaddy says it suffered a multi-year breach allowing unknown attackers to steal source code and install malware on its servers.
</p>

<p>
	 
</p>

<p>
	This breach began in 2021 and gave the threat actors access to the personal information of 1.2 million Managed WordPress customers, including credentials; the attackers also used this access to redirect websites to other domains.
</p>

<p>
	 
</p>

<p>
	No threat actors ever claimed responsibility for this attack.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">7. </span><a href="https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/" target="_blank" rel="external nofollow">MGM Resorts shuts down IT systems after cyberattack</a>
</h3>

<p>
	MGM Resorts International suffered a massive attack that impacted numerous systems, including its main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines.
</p>

<p>
	 
</p>

<p>
	The BlackCat ransomware operation claimed the attack, and its affiliates said they encrypted over 100 ESXi hypervisors during the incident.
</p>

<p>
	 
</p>

<p>
	Bloomberg reported that the same group also <a href="https://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/" target="_blank" rel="external nofollow">breached Caesars Entertainment's network</a>; Caesars then gave a strong hint in a <a href="https://www.sec.gov/Archives/edgar/data/1590895/000119312523235015/d537840d8k.htm" rel="external nofollow" target="_blank">Form 8-K SEC filing</a> that it paid the attackers to prevent a leak of customers' stolen data.
</p>

<p>
	 
</p>

<p>
	While the attack was significant, it also brought wide attention to a loose-knit group of hackers known as Scattered Spider.
</p>

<p>
	 
</p>

<p>
	Scattered Spider, also known as <a href="https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/" target="_blank" rel="external nofollow">0ktapus</a>, Starfraud, <a href="https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" rel="external nofollow" target="_blank">UNC3944</a>, and <a href="https://unit42.paloaltonetworks.com/muddled-libra/" rel="external nofollow" target="_blank">Muddled Libra</a>, is adept at social engineering and relies on phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping to gain initial network access to large organizations.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="scattered-spider-history-s.jpg" class="ipsImage" data-ratio="75.10" height="330" width="720" src="https://www.bleepstatic.com/images/news/security/scattered-spider-history-s.jpg">
	</p>

	<div style="text-align: left;">
		<em>Scattered Spider's evolution. Source: Microsoft</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Members of this collective are affiliates of the BlackCat ransomware gang and include young English-speaking members with diverse skill sets who frequent the same hacking forums and Telegram channels.
</p>

<p>
	 
</p>

<p>
	While many believe this is a cohesive gang, the group is a network of individuals, with different threat actors participating in each attack. This fluid structure is what makes it challenging to track them.
</p>

<p>
	 
</p>

<p>
	In November, the <a href="https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf" rel="external nofollow" target="_blank">FBI released an advisory</a> highlighting the group's tactics, techniques, and procedures (TTPs).
</p>

<p>
	 
</p>

<p>
	Scattered Spider is behind previous attacks on <a href="https://www.bleepingcomputer.com/news/security/reddit-hackers-threaten-to-leak-data-stolen-in-february-breach/" target="_blank" rel="external nofollow">Reddit</a>, <a href="https://www.bleepingcomputer.com/news/security/mailchimp-discloses-new-breach-after-employees-got-hacked/" target="_blank" rel="external nofollow">MailChimp</a>, <a href="https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/" target="_blank" rel="external nofollow">Twilio</a>, <a href="https://www.bleepingcomputer.com/news/security/doordash-discloses-new-data-breach-tied-to-twilio-hackers/" target="_blank" rel="external nofollow">DoorDash</a>, and <a href="https://www.bleepingcomputer.com/news/security/riot-games-receives-ransom-demand-from-hackers-refuses-to-pay/" target="_blank" rel="external nofollow">Riot Games</a>.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">6.</span> <a href="https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/" target="_blank" rel="external nofollow">Hackers compromise 3CX desktop app in a supply chain attack</a>
</h3>

<p>
	3CX was breached by the North Korean Lazarus hacking group, which pushed malware through a supply chain attack on the company's Voice over Internet Protocol (VoIP) desktop client.
</p>

<p>
	 
</p>

<p>
	3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 350,000 companies worldwide and has over 12 million daily users.
</p>

<p>
	 
</p>

<p>
	3CX was breached after an employee installed a trojanized version of Trading Technologies' X_TRADER software, which allowed the threat actors to <a href="https://www.bleepingcomputer.com/news/security/3cx-hack-caused-by-trading-software-supply-chain-attack/" rel="external nofollow" target="_blank">steal corporate credentials and breach the network</a>.
</p>

<p>
	 
</p>

<p>
	The attackers pushed out a malicious software update that installed a previously unknown information-stealing malware to steal data and credentials stored in Chrome, Edge, Brave, and Firefox user profiles.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">5.</span> <a href="https://www.bleepingcomputer.com/news/security/barracuda-says-hacked-esg-appliances-must-be-replaced-immediately/" target="_blank" rel="external nofollow">Barracuda says hacked ESG appliances must be replaced immediately</a>
</h3>

<p>
	In May, Barracuda disclosed that some of their Email Security Gateway (ESG) appliances were hacked using a zero-day vulnerability to install malware and steal data.
</p>

<p>
	 
</p>

<p>
	We later learned that the attacks were <a href="https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/" target="_blank" rel="external nofollow">linked to Chinese threat actors</a>, who used the vulnerability <a href="https://www.bleepingcomputer.com/news/security/barracuda-zero-day-abused-since-2022-to-drop-new-malware-steal-data/" target="_blank" rel="external nofollow">since 2022</a> to infect ESG devices with new malware named 'Saltwater,' 'Seaspy,' and 'Seaside.'
</p>

<p>
	 
</p>

<p>
	CISA later disclosed that Submarine and Whirlpool malware were also used in the attacks to backdoor ESG devices.
</p>

<p>
	 
</p>

<p>
	What stood out from these attacks is that, instead of issuing a software fix for impacted ESG devices, Barracuda warned customers they <a href="https://www.bleepingcomputer.com/news/security/barracuda-says-hacked-esg-appliances-must-be-replaced-immediately/" target="_blank" rel="external nofollow">must replace their Email Security Gateway (ESG) appliances</a>, which it did free of charge.
</p>

<p>
	 
</p>

<p>
	"Impacted ESG appliances must be immediately replaced regardless of patch version level," the company <a href="https://www.barracuda.com/company/legal/esg-vulnerability" rel="external nofollow" target="_blank">warned</a> at the time.
</p>

<p>
	 
</p>

<p>
	"Barracuda's remediation recommendation at this time is full replacement of the impacted ESG."
</p>

<p>
	 
</p>

<p>
	This unusual request led many to believe that the threat actors compromised the devices at a low level, making it impossible to ensure they were completely clean.
</p>

<p>
	 
</p>

<p>
	Mandiant, who was part of the incident response in these attacks, told BleepingComputer that this was recommended out of caution, as Barracuda could not ensure the complete removal of malware.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">4.</span> <a href="https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" target="_blank" rel="external nofollow">Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide</a>
</h3>

<p>
	In February 2023, a massive ransomware campaign targeted exposed VMware ESXi servers worldwide, quickly encrypting the virtual machines for thousands of companies.
</p>

<p>
	 
</p>

<p>
	Just hours after the attack, victims began reporting in <a href="https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help/" target="_blank" rel="external nofollow">BleepingComputer's forum</a> that files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions, all of them associated with VMware ESXi virtual machines, were encrypted.
</p>

<p>
	 
</p>

<p>
	The ransomware campaign was dubbed ESXiArgs due to an <strong>.args</strong> file being created for every encrypted file.
</p>

<p>
	 
</p>

<p>
	The VMware ESXi console home page was modified to show a ransom note demanding 2.0781 bitcoins, worth approximately $49,000 at the time.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="ESXiArgs%20ransom%20note.png" class="ipsImage" data-ratio="75.10" height="492" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/ESXiArgs%20ransom%20note.png">
	</p>

	<div style="text-align: left;">
		<em>ESXiArgs ransom note. Source: BleepingComputer</em>
	</div>
</div>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">3. </span><a href="https://www.bleepingcomputer.com/news/security/brazil-seizing-flipper-zero-shipments-to-prevent-use-in-crime/" target="_blank" rel="external nofollow">Brazil seizing Flipper Zero shipments to prevent use in crime</a>
</h3>

<p>
	One of BleepingComputer's most-read stories of the year was the news that the Brazilian National Telecommunications Agency seized incoming Flipper Zero purchases for their potential to be used in criminal activity.
</p>

<p>
	 
</p>

<p>
	Brazilians who purchased the Flipper Zero reported that their shipments were redirected to Brazil's telecommunications agency, Anatel, due to a lack of certification with the country's Radio Frequencies department.
</p>

<p>
	 
</p>

<p>
	From emails seen by BleepingComputer, Anatel flagged the device as a tool used for criminal purposes.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">2.</span> <a href="https://www.bleepingcomputer.com/news/security/russia-says-us-hacked-thousands-of-iphones-in-ios-zero-click-attacks/" target="_blank" rel="external nofollow"><span class="top_num">The Operation Triangulation iPhone attacks</span></a>
</h3>

<p>
	In June, researchers from Kaspersky first disclosed a new zero-click iOS attack called "<a href="https://securelist.com/operation-triangulation/109842/" rel="external nofollow" target="_blank">Operation Triangulation</a>" used to install the <a href="https://securelist.com/triangledb-triangulation-implant/110050/" rel="external nofollow" target="_blank">TriangleDB spyware</a> on iPhones.
</p>

<p>
	 
</p>

<p>
	Kaspersky <a href="https://www.bleepingcomputer.com/news/security/russia-says-us-hacked-thousands-of-iphones-in-ios-zero-click-attacks/" target="_blank" rel="external nofollow">discovered the attack</a> on devices within its own network, and Russia's FSB intelligence service accused Apple of providing the NSA with a backdoor. However, the true origins of the attack remain unknown, and there is no proof that the U.S. government is behind the attacks.
</p>

<p>
	 
</p>

<p>
	The attacks start with the hackers sending a malicious iMessage attachment that, when processed by iOS, automatically triggers a zero-click exploit chain. A zero-click exploit means it does not require interaction from the user to be triggered.
</p>

<p>
	 
</p>

<p>
	The attacks chained together four zero-day iOS vulnerabilities listed below to install the spyware:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>CVE-2023-41990</strong>: A vulnerability in the ADJUST TrueType font instruction allowing remote code execution through a malicious iMessage attachment.
	</li>
	<li>
		<strong>CVE-2023-32434</strong>: An integer overflow issue in XNU's memory mapping syscalls, granting attackers extensive read/write access to the device's physical memory.
	</li>
	<li>
		<strong>CVE-2023-32435</strong>: Used in the Safari exploit to execute shellcode as part of the multi-stage attack.
	</li>
	<li>
		<strong>CVE-2023-38606</strong>: A vulnerability using hardware MMIO registers to bypass the Page Protection Layer (PPL), overriding hardware-based security protections.
	</li>
</ul>

<p>
	 
</p>

<p>
	Last week, Kaspersky disclosed that the final zero-day vulnerability, CVE-2023-38606, <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/security/iphone-triangulation-attack-abused-undocumented-hardware-feature/" delay="150" href="https://www.bleepingcomputer.com/news/security/iphone-triangulation-attack-abused-undocumented-hardware-feature/" rel="external nofollow" target="_blank">abused an undocumented feature in Apple chips</a> to bypass hardware-based security protections.
</p>

<p>
	 
</p>

<p>
	While the Operation Triangulation attacks did not impact many devices, they could be one of the most sophisticated iOS attacks seen to date.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="attack-chain.png" class="ipsImage" data-ratio="48.06" height="314" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/9/attack-chain.png">
	</p>

	<div style="text-align: left;">
		<em>Operation Triangulation attack chain. Source: Kaspersky</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	While it's still unknown who is behind the attacks, their sophistication has led cybersecurity researchers to believe that a government-sponsored hacking group is behind them.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">1. <a href="https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/" target="_blank" rel="external nofollow">The MOVEit Transfer data theft attacks </a></span>
</h3>

<p>
	BleepingComputer was the first to report the widespread data-theft attacks exploiting a <a href="https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/" target="_blank" rel="external nofollow">zero-day vulnerability in the MOVEit Transfer</a> secure file transfer platform.
</p>

<p>
	 
</p>

<p>
	MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of US-based Progress Software Corporation, that allows enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.
</p>

<p>
	 
</p>

<p>
	This vulnerability allowed the threat actors to breach MOVEit Transfer servers and download the stored data.
</p>

<p>
	 
</p>

<p>
	The attacks were soon <a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks/" target="_blank" rel="external nofollow">claimed by the Clop ransomware gang</a>, who previously launched similar attacks through zero-day vulnerabilities in <a href="https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/" target="_blank" rel="external nofollow">Accellion FTA</a> and <a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/" target="_blank" rel="external nofollow">GoAnywhere</a>.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/" rel="external nofollow" target="_blank">Emsisoft</a>, 2,706 organizations were breached using this vulnerability, exposing the personal data of over 93 million people.
</p>

<p>
	 
</p>
<style type="text/css">
.top_story {
  padding: 20px;
  background-color: #537aba; /* corrected from the invalid "background-colour" */
  color: white!important;    /* corrected from the invalid "colour" */
  font-weight:bold;
}
.top_story a:link, .top_story a:visited {
  color: white!important;
  text-decoration: underline;
}
.top_story a:hover {
  color: #57FA89!important;
}</style>
<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2023/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20979</guid><pubDate>Tue, 02 Jan 2024 18:47:40 +0000</pubDate></item><item><title>Your Car Is Tracking You. Abusive Partners May Be, Too</title><link>https://nsaneforums.com/news/security-privacy-news/your-car-is-tracking-you-abusive-partners-may-be-too-r20952/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Apps that remotely track and control cars are being weaponized by abusive partners. Car manufacturers have been slow to respond, according to victims and experts.</span>
</p>

<p>
	 
</p>

<p>
	After almost 10 years of marriage, Christine Dowdall wanted out. Her husband was no longer the charming man she had fallen in love with. He had become narcissistic, abusive and unfaithful, she said. After one of their fights turned violent in September 2022, Ms. Dowdall, a real estate agent, fled their home in Covington, La., driving her Mercedes-Benz C300 sedan to her daughter’s house near Shreveport, five hours away. She filed a domestic abuse report with the police two days later.
</p>

<p>
	 
</p>

<p>
	Her husband, a Drug Enforcement Administration agent, didn’t want to let her go. He called her repeatedly, she said, first pleading with her to return, and then threatening her. She stopped responding to him, she said, even though he texted and called her hundreds of times.
</p>

<p>
	 
</p>

<p>
	Ms. Dowdall, 59, started occasionally seeing a strange new message on the display in her Mercedes, about a location-based service called “mbrace.” The second time it happened, she took a photograph and searched for the name online.
</p>

<p>
	 
</p>

<p>
	“I realized, oh my God, that’s him tracking me,” Ms. Dowdall said.
</p>

<p>
	 
</p>

<p>
	“Mbrace” was part of “Mercedes Me” — a suite of connected services for the car, accessible via a smartphone app. Ms. Dowdall had only ever used the Mercedes Me app to make auto loan payments. She hadn’t realized that the service could also be used to track the car’s location. One night, when she visited a male friend’s home, her husband sent the man a message with a thumbs-up emoji. A nearby camera captured his car driving in the area, according to the detective who worked on her case.
</p>

<p>
	 
</p>

<p>
	Ms. Dowdall called Mercedes customer service repeatedly to try to remove her husband’s digital access to the car, but the loan and title were in his name, a decision the couple had made because he had a better credit score than hers. Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.
</p>

<p>
	 
</p>

<p>
	“This is not the first time that I’ve heard something like this,” one of the representatives told Ms. Dowdall.
</p>

<p>
	 
</p>

<p>
	A spokeswoman for Mercedes-Benz said the company did not comment on “individual customer matters.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="31Car-Tracking-fmbc-jumbo.jpg?quality=75" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://static01.nyt.com/images/2023/12/31/multimedia/31Car-Tracking-fmbc/31Car-Tracking-fmbc-jumbo.jpg?quality=75&amp;auto=webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Christine Dowdall said she called Mercedes customer service repeatedly to try to remove her husband’s digital access to the car, but the loan and title were in his name. Credit...Emil T. Lippe for The New York Times</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	A car, to its driver, can feel like a sanctuary. A place to sing favorite songs off key, to cry, to vent or to drive somewhere no one knows you’re going.
</p>

<p>
	But in truth, there are few places in our lives less private.
</p>

<p>
	 
</p>

<p>
	Modern cars have been called “smartphones with wheels” because they are internet-connected and have myriad methods of data collection, from cameras and seat weight sensors to records of how hard you brake and corner. Most drivers don’t realize how much information their cars are collecting and who has access to it, said Jen Caltrider, a privacy researcher at Mozilla who reviewed the privacy policies of more than 25 car brands and found surprising disclosures, such as Nissan saying it might collect information about “sexual activity.”
</p>

<p>
	 
</p>

<p>
	“People think their car is private,” Ms. Caltrider said. “With a computer, you know where the camera is and you can put tape over it. Once you’ve bought a car and you find it is bad at privacy, what are you supposed to do?”
</p>

<p>
	 
</p>

<p>
	Privacy advocates are concerned by how car companies are using and sharing consumers’ data — with insurance companies, for example — and drivers’ inability to turn the data collection off. California’s privacy regulator is investigating the auto industry.
</p>

<p>
	 
</p>

<p>
	For car owners, the upside of this data-palooza has come in the form of smartphone apps that allow them to check a car’s location when, say, they forget where it is parked; to lock and unlock the vehicle remotely; and to turn it on or off. Some apps can even remotely set the car’s climate controls, make the horn honk or turn on its lights. After setting up the app, the car’s owner can grant access to a limited number of other drivers.
</p>

<p>
	 
</p>

<p>
	Domestic violence experts say that these convenience features are being weaponized in abusive relationships, and that car makers have not been willing to assist victims. This is particularly complicated when the victim is a co-owner of the car, or not named on the title.
</p>

<p>
	 
</p>

<p>
	Detective Kelly Downey of the Bossier Parish Sheriff’s Office, who investigated Ms. Dowdall’s husband for stalking, also reached out to Mercedes more than a dozen times to no avail, she said. She had previously dealt with another case of harassment via a connected car app — a woman whose husband would turn on her Lexus while it sat in the garage in the middle of the night. In that case, too, Detective Downey was unable to get the car company to turn off the husband’s access; the victim sold her car.
</p>

<p>
	 
</p>

<p>
	“Automobile manufacturers have to create a way for us to stop it,” Detective Downey said. “Technology may be our godsend, but it’s also very scary because it could hurt you.”
</p>

<p>
	 
</p>

<p>
	Mercedes also failed to respond to a search warrant, Detective Downey said. She instead found evidence that the husband was using the Mercedes Me app by obtaining records of his internet activity.
</p>

<p>
	 
</p>

<p>
	Unable to get help from Mercedes, Ms. Dowdall took her car to an independent mechanic this year and paid $400 to disable the remote tracking. This also disabled the car’s navigation system and its S.O.S. button, a tool to get help in an emergency.
</p>

<p>
	 
</p>

<p>
	“I didn’t care. I just didn’t want him to know where I was,” said Ms. Dowdall, whose husband died by suicide last month. “Car manufacturers should give the ability to turn this tracking off.”
</p>

<p>
	 
</p>

<p>
	Eva Galperin, an expert on tech-enabled domestic abuse at the digital rights group Electronic Frontier Foundation, said that she has seen another case of an abuser using a car app to track a victim’s movements, and that the victim didn’t realize it because she “isn’t the one who has set it up.”
</p>

<p>
	“As far as I know, there are not any guides for how to lock your partner out of your car after you break up,” Ms. Galperin said.
</p>

<p>
	 
</p>

<p>
	Controlling partners have tracked their victims’ cars in the past using GPS devices and Apple AirTags, Ms. Galperin said, but connected car apps offer new opportunities for harassment.
</p>

<p>
	 
</p>

<p>
	A San Francisco man used his remote access to the Tesla Model X sport utility vehicle he co-owned with his wife to harass her after they separated, according to a lawsuit she filed anonymously in San Francisco Superior Court in 2020. (Reuters previously reported on the case.)
</p>

<p>
	 
</p>

<p>
	According to a legal complaint against her husband and Tesla, the car’s lights and horns were activated in a parking garage. On hot days, she would arrive at her car and discover the heat was running so that it was uncomfortably hot, while on cold days, she would find that the air-conditioner had been activated from afar. Her husband, she said in court documents, used the location-finding feature on the Tesla to identify her new residence, which she had hoped to keep secret from him.
</p>

<p>
	 
</p>

<p>
	The woman, who obtained a restraining order against her husband, contacted Tesla numerous times to get her husband’s access to the car revoked — she included some of the emails in legal filings — but was not successful.
</p>

<p>
	 
</p>

<p>
	Tesla did not respond to a request for comment. In legal filings, Tesla denied responsibility for the harassment; questioned whether it had occurred, based on the husband’s denials; and raised questions about the woman’s reliability. (Some of what she claimed her husband had done, such as turning on songs with disturbing lyrics while she was driving, could not be done via the Tesla app.)
</p>

<p>
	 
</p>

<p>
	“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” Tesla’s lawyers wrote in a legal filing. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”
</p>

<p>
	 
</p>

<p>
	A judge dismissed Tesla from the case, stating that it would be “onerous” to expect car manufacturers to determine which claims of app abuse were legitimate.
</p>

<p>
	 
</p>

<p>
	Katie Ray-Jones, the chief executive of the National Domestic Violence Hotline, said abusive partners used a wide variety of internet-connected devices — from laptops to smart home products — to track and harass their victims. Technology that keeps tabs on a person’s movements is of particular concern to domestic violence shelters, she said, because they “try to keep the shelter location confidential.”
</p>

<p>
	 
</p>

<p>
	As a preventative measure, Ms. Ray-Jones encourages people in relationships to have equal access to technologies used to control their homes and belongings.
</p>

<p>
	 
</p>

<p>
	“If there’s an app that is controlling your automobile, you both need to have access to that,” she said.
</p>

<p>
	 
</p>

<p>
	Adam Dodge, a former family law attorney turned digital safety trainer, called car app stalking “a blind spot for victims and automakers.”
</p>

<p>
	 
</p>

<p>
	“Most victims I’ve talked to are wholly unaware that the car they rely on is app-connected in the first place,” he said. “They can’t address threats they don’t know are there.”
</p>

<p>
	 
</p>

<p>
	As a possible solution to the problem, he and other domestic violence experts pointed to the Safe Connections Act, a recent federal law that allows victims of domestic abuse to easily sever their phone from accounts shared with their abusers. A similar law should extend to cars, Mr. Dodge said, allowing people with protective orders from a court to easily cut off an abuser’s digital access to their car.
</p>

<p>
	 
</p>

<p>
	“Having access to a car for a victim is a lifeline,” he said. “No victim should have to make the choice between being stalked by the car or having no car. But that’s the crossroads many of them find themselves at.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nytimes.com/2023/12/31/technology/car-trackers-gps-abuse.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20952</guid><pubDate>Sun, 31 Dec 2023 13:21:31 +0000</pubDate></item><item><title>What to do (and avoid) after you&#x2019;ve been scammed</title><link>https://nsaneforums.com/news/security-privacy-news/what-to-do-and-avoid-after-you%E2%80%99ve-been-scammed-r20948/</link><description><![CDATA[<p>
	<span style="font-size:22px;">If you’re not careful, the hours after a scam can lead to more lost money or stress</span>
</p>

<p>
	 
</p>

<p>
	What’s worse than falling victim to a scam online? Being scammed again while dealing with the original crime.
</p>

<p>
	 
</p>

<p>
	There’s a booming industry of criminals who target people at their worst moments, squeezing more money or information out of them in exchange for false hope. They’ll promise to get you back into a hacked Facebook account or reclaim money you lost to some other third party. They’re often lurking in legitimate-looking search results or your social media replies.
</p>

<p>
	 
</p>

<p>
	We’ve given lots of advice about what to do to avoid being scammed, but what about right after it happens? You’re still vulnerable and in a heightened emotional state, something that online criminals often count on.
</p>

<p>
	 
</p>

<p>
	“People are especially digitally vulnerable after facing a cyberattack or when they need support after a cyberattack,” says Allie Mellen, a principal analyst at Forrester. “For those that may not be technically savvy or may not have a technically savvy family member or friend to help, an offer for tech support can be very welcome, right up until it turns out to be a fraud.”
</p>

<p>
	 
</p>

<p>
	Americans lost nearly $8.8 million to scams in 2022, according to Federal Trade Commission data. So far in 2023, online shopping scams are the most common, followed by criminals impersonating businesses, but tech support scams have cost consumers $157.8 million in the first three quarters of the year.
</p>

<p>
	 
</p>

<p>
	Here are some guidelines to get you through the rough patch without losing more money — and be better prepared for next time.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Limit your losses</strong></span>
</p>

<p>
	<br />
	In the immediate aftermath of a scam, your priority is to prevent any additional damage. If you’ve handed over financial information or given money to a scammer, call your bank, credit card company, payment app or other financial institution. Many banks and cards will cover scams and return lost money, so ask them for a refund or to reverse the transaction.
</p>

<p>
	 
</p>

<p>
	If you’ve only given personal information, it could still be used to steal your identity. Turn on credit fraud monitoring or, if you’re able, freeze your credit.
</p>

<p>
	 
</p>

<p>
	If it’s a specific account that’s been hacked, report it to the company and — if you can — message your friends and family to let them know. Scammers who take over one account can then pose as you to get money or information from people you know.
</p>

<p>
	 
</p>

<p>
	Change the passwords on any compromised accounts, following the golden password rules: Never reuse a password, don’t pick anything obvious, and record it someplace safe such as a password manager. Next, turn on multifactor authentication for all your key accounts: financial, email, messaging and social media.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Call a friend</strong></span>
</p>

<p>
	<br />
	If you’re not confident in your tech skills or need help, contact a friend or family member. Don’t worry about feeling embarrassed; just pick up the phone. They may also be able to use their own social media accounts to report yours as hacked.
</p>

<p>
	 
</p>

<p>
	Try a company’s official customer support options. You’ll get help from banks and credit cards, but large tech companies with free products, such as Facebook and Google, typically don’t provide a way to speak to a person or get more than a support document or automated reply.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Look out for recovery scams</strong></span>
</p>

<p>
	<br />
	Do not rely on search engines to find help. Scammers will often buy search ads for keywords about falling for scams, getting into hacked accounts, or recovering money or cryptocurrency. Others will automatically reply to any public social media post about being scammed, offering help.
</p>

<p>
	 
</p>

<p>
	Skip them all. Especially any company you’ve never heard of or one that asks for a fee upfront. They don’t have any special back channels to tech companies or all-powerful hackers on staff to undo what’s been done, experts say. The most a service can do is walk you through securing your accounts or do some of the reporting for you.
</p>

<p>
	 
</p>

<p>
	“If it’s very high up in search, that doesn’t mean it’s real. It means they paid for it,” said Iskander Sanchez-Rola, director of privacy innovation for Norton.
</p>

<p>
	 
</p>

<p>
	Look out for long, overly specific URLs, sites that haven’t been around for very long and offers that seem too good to be true. For example, if a company is not asking for money upfront, that could mean it is in the information-gathering phase, says Sanchez-Rola. Do a search of the company’s name on Google, Reddit, Trustpilot and the Better Business Bureau, and remember that positive online reviews can be faked (look closely at the language and the dates the reviews were posted). Look out for any company asking for nontraditional payment methods such as gift cards, Venmo or PayPal, or wire transfers.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Report the scam</strong></span>
</p>

<p>
	<br />
	After you’ve handled all the emergency matters, report any scam or scammers to help protect other people. There’s an overwhelming number of options for where to report things, and they vary by country or state, what methods the scammers used and how much money you lost.
</p>

<p>
	 
</p>

<p>
	If a crime has taken place, you can report it to your local law enforcement first. There’s usually a non-emergency number or site, and you might be able to fill out a form.
</p>

<p>
	 
</p>

<p>
	Next, look up your state’s resources on where to report scams, starting with the attorney general’s office or the department of consumer affairs. Use keywords such as “cybercrime” or “ecrime” when searching for the best agencies, and be extra careful of sites posing as official government agencies — look for sites ending in .gov or .us. You can also report scams to private organizations that track cybercrime. Here is a list to get you started:
</p>

<p>
	 
</p>

<ul>
	<li>
		The FTC
	</li>
	<li>
		The FTC’s identity theft site
	</li>
	<li>
		The FBI’s Internet Crime Complaint Center
	</li>
	<li>
		The Better Business Bureau
	</li>
	<li>
		Fraud.org
	</li>
	<li>
		AARP
	</li>
</ul>

<p>
	<br />
	To spread the word less officially, start with your social networks. Make a quick post about what the scam looked like to warn your friends and relatives, especially if you think scammers collected any of their information. If you’re comfortable, you can share information more widely on public accounts and sites such as Reddit.
</p>

<p>
	 
</p>

<p>
	Finally, report any website, phone number or social media account belonging to a scammer to relevant tech companies — search engines, social media companies and cell carriers.
</p>

<p>
	 
</p>

<p>
	Scams can affect anyone, no matter your age. If you do fall for one, use it as a learning experience so it won’t happen again.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.washingtonpost.com/technology/2023/12/29/what-do-scammed-money-victim-fraud/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20948</guid><pubDate>Sun, 31 Dec 2023 00:41:04 +0000</pubDate></item><item><title>The Week in Ransomware - December 29th 2023 - LockBit targets hospitals</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-december-29th-2023-lockbit-targets-hospitals-r20933/</link><description><![CDATA[<p>
	It's been a quiet week, with even threat actors appearing to take some time off for the holidays. We did not see much research released on ransomware this week, with most of the news focusing on new attacks and LockBit affiliates increasingly targeting hospitals.
</p>

<p>
	 
</p>

<p>
	These attacks include ones against <a href="https://www.bleepingcomputer.com/news/security/yakult-australia-confirms-cyber-incident-after-95-gb-data-leak/" target="_blank" rel="external nofollow">Yakult Australia</a> and the <a href="https://www.bleepingcomputer.com/news/security/ohio-lottery-hit-by-cyberattack-claimed-by-dragonforce-ransomware/" target="_blank" rel="external nofollow">Ohio Lottery</a> by the new DragonForce ransomware operation.
</p>

<p>
	 
</p>

<p>
	The most concerning news is that LockBit affiliates increasingly target hospitals in attacks, even though the ransomware operation says it's against the rules.
</p>

<p>
	 
</p>

<p>
	In December 2022, one week before Christmas, a LockBit affiliate <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/" target="_blank" rel="external nofollow">attacked the Hospital for Sick Children (SickKids) in Toronto</a>, causing diagnostic and treatment delays. The ransomware operation said this was against the rules and issued a free decryptor.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="lockbit-site.jpg" class="ipsImage" data-ratio="75.10" height="355" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/s/sickkids/lockbit-site.jpg">
	</p>

	<div style="text-align: left;">
		<em>Apology to SickKids on the LockBit data leak site. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, this week, we learned that <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-emergency-care-at-german-hospitals/" target="_blank" rel="external nofollow">LockBit attacked three hospitals in Germany</a>, disrupting emergency room services.
</p>

<p>
	 
</p>

<p>
	We also learned about two New York hospitals <a href="https://www.bleepingcomputer.com/news/security/hospitals-ask-courts-to-force-cloud-storage-firm-to-return-stolen-data/" target="_blank" rel="external nofollow">seeking a court order</a> to have Boston cloud storage company Wasabi Technologies return stolen data stored on one of its servers by the LockBit ransomware gang.
</p>

<p>
	 
</p>

<p>
	According to a court order, the Carthage Area Hospital and Claxton-Hepburn Medical Center were attacked in September, with the LockBit affiliate renting cloud storage at Wasabi to store stolen data.
</p>

<p>
	 
</p>

<p>
	The two hospitals now ask the courts to force Wasabi to hand over the data and then delete it from its servers. The court documents indicate that Wasabi is already working with the FBI and has shared a copy of the stolen data with the agency.
</p>

<p>
	 
</p>

<p>
	Finally, Microsoft once again <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/" delay="150" href="https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/" rel="external nofollow" target="_blank">disabled the MSIX ms-appinstaller protocol handler</a> after deactivating it in February 2022 and then enabling it again in 2023 for some unknown reason.
</p>

<p>
	 
</p>

<p>
	However, as malware campaigns continue to abuse this feature, which could lead to ransomware attacks, the feature has again been disabled.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/MsftSecIntel" rel="external nofollow" target="_blank">@MsftSecIntel</a>, <a href="https://twitter.com/DarkWebInformer" rel="external nofollow" target="_blank">@DarkWebInformer</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1">@pcrisk</a>, and <a href="https://twitter.com/fortinet" rel="external nofollow" target="_blank">@Fortinet</a>.
</p>

<h2>
	December 27th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/yakult-australia-confirms-cyber-incident-after-95-gb-data-leak/" target="_blank" rel="external nofollow">Yakult Australia confirms 'cyber incident' after 95 GB data leak</a>
</h3>

<p>
	Yakult Australia, manufacturer of a probiotic milk drink, has confirmed experiencing a "cyber incident" in a statement to BleepingComputer. Both the company's Australian and New Zealand IT systems have been affected.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ohio-lottery-hit-by-cyberattack-claimed-by-dragonforce-ransomware/" target="_blank" rel="external nofollow">Ohio Lottery hit by cyberattack claimed by DragonForce ransomware</a>
</h3>

<p>
	The Ohio Lottery was forced to shut down some key systems after a cyberattack affected an undisclosed number of internal applications on Christmas Eve.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-emergency-care-at-german-hospitals/" target="_blank" rel="external nofollow">Lockbit ransomware disrupts emergency care at German hospitals</a>
</h3>

<p>
	German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) has confirmed that recent service disruptions at three hospitals were caused by a Lockbit ransomware attack.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1739887650171969917" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link">PCrisk</a> found a new STOP ransomware variant that appends the <strong>.cdmx</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1739943829724151910" rel="external nofollow" target="_blank">New ransomware variant</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the <strong>.Tisak</strong> extension and drops a ransom note named <strong>Tisak_Help.txt</strong>.
</p>

<h2>
	December 28th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/" target="_blank" rel="external nofollow">Microsoft disables MSIX protocol handler abused in malware attacks</a>
</h3>

<p>
	Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1740268312582578384" rel="external nofollow" target="_blank">New Live Team ransomware</a>
</h3>

<p>
	PCrisk found a new Live Team ransomware that appends the <strong>.LIVE</strong> extension and drops a ransom note named <strong>FILE RECOVERY_ID_[victim's_ID].txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1740283682353791441" rel="external nofollow" target="_blank">New SNet ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the <strong>.SNet</strong> extension and drops a ransom note named <strong>DecryptNote.txt</strong>.
</p>

<h3>
	<a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-8base" rel="external nofollow" target="_blank">Ransomware Roundup - 8base</a>
</h3>

<p class="bc_quote">
	8base is a financially motivated ransomware variant most likely based on the Phobos ransomware. Per our FortiRecon information, the 8base ransomware first appeared in May 2023.
</p>

<h2>
	December 29th, 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hospitals-ask-courts-to-force-cloud-storage-firm-to-return-stolen-data/" rel="external nofollow">Hospitals ask courts to force cloud storage firm to return stolen data</a>
</h3>

<p>
	Two not-for-profit hospitals in New York are seeking a court order to retrieve data stolen in an August ransomware attack that's now stored on the servers of a Boston cloud storage company.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-29th-2023-lockbit-targets-hospitals/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20933</guid><pubDate>Sat, 30 Dec 2023 08:03:50 +0000</pubDate></item><item><title>Microsoft disables a web-based app installer protocol to shut down malicious activity</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-disables-a-web-based-app-installer-protocol-to-shut-down-malicious-activity-r20928/</link><description><![CDATA[<p>
	Many of Microsoft's team members are still on an extended holiday break, which meant that for the past couple of weeks, we didn't get any updates for Windows 11, or any new builds from the Windows Insider Program. However, the Microsoft Security Response Center is still up and running, even during the holidays. This week, the MSRC took measures to shut down a protocol that was being used by cybercriminals to try and get people to install malicious apps from websites.
</p>

<p>
	 
</p>

<p>
	In a blog post, the MSRC stated that it had found evidence that the ms-appinstaller URI scheme was the subject of malicious activity. The ms-appinstaller URI scheme is supposed to allow users of the company's App Installer to download and install apps directly from websites by using the MSIX package installer.
</p>

<p>
	 
</p>

<p>
	In theory, this is supposed to be a convenient way for people to install apps without having to wait for the app to be downloaded first on their PC. However, as the blog post states, Microsoft has found that cybercriminals are using "social engineering and phishing techniques" to get people to download malicious apps via this protocol. The blog post did not state how extensive this activity has been.
</p>

<p>
	 
</p>

<p>
	On Thursday, the MSRC issued a security update for CVE-2021-43890. The update, which was labeled as "Important", disables the ms-appinstaller URI scheme by default. That means if you go to a website that uses this protocol to distribute apps, you won't be able to download and install that app immediately on your PC. Instead, the MSIX package will simply be downloaded to your storage device and you will have to install the app on your PC manually. You will be able to use anti-virus software on that package to find out if it has any malicious code.
</p>

<p>
	 
</p>

<p>
	Microsoft says it will "continue to monitor future malicious activity". It also recommends that users do not download or install any apps from unknown websites.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-disables-a-web-based-app-installer-protocol-to-shut-down-malicious-activity/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20928</guid><pubDate>Fri, 29 Dec 2023 23:41:35 +0000</pubDate></item><item><title>Microsoft patches critical vulnerability used to install malware on Windows PCs</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-patches-critical-vulnerability-used-to-install-malware-on-windows-pcs-r20925/</link><description><![CDATA[<div class="main-content__blocks" id="primary">
	<p>
		Microsoft released a security update today addressing a critical vulnerability in Windows that attackers were exploiting to install malware on unsuspecting users’ machines. The flaw, involving the ms-appinstaller URI scheme, allowed malicious actors to bypass traditional security measures and silently plant dangerous software during web browsing.
	</p>

	<p>
		 
	</p>

	<p>
		Have you ever imagined downloading an app from a sketchy website? Unfortunately, hackers have found a way to do this on Windows computers without detection. Luckily, Microsoft has caught them and stopped their sneaky tactics.
	</p>

	<p>
		 
	</p>

	<p>
		The trick that these hackers used involved a hidden shortcut called “ms-appinstaller” which allowed them to sneak malware onto your PC. However, Microsoft has disabled this shortcut, which means that any apps downloaded from websites must go through a security check just like when you normally download a file.
	</p>

	<p>
		 
	</p>

	<p>
		The vulnerability stemmed from the ms-appinstaller scheme allowing websites to install apps using MSIX packages directly. Attackers crafted phishing schemes that tricked users into clicking links, triggering the installation of malware disguised as legitimate software. This bypasses local antivirus protections, putting users at risk of data theft, financial loss, and even system hijacking.
	</p>

	<p>
		 
	</p>

	<p>
		Fortunately, Microsoft acted swiftly to patch the vulnerability. On December 28th, the company rolled out an update that disables the ms-appinstaller scheme by default. This means users can no longer directly install apps from web pages, forcing them to download the MSIX package first, giving antivirus software a chance to scan it for threats.
	</p>

	<p>
		 
	</p>

	<p>
		More <a href="https://msrc.microsoft.com/blog/2023/12/microsoft-addresses-app-installer-abuse/" rel="external nofollow">here</a>.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://mspoweruser.com/microsoft-patches-critical-vulnerability-used-to-install-malware-on-windows-pcs/" rel="external nofollow">Source</a>
	</p>
</div>
]]></description><guid isPermaLink="false">20925</guid><pubDate>Fri, 29 Dec 2023 17:04:50 +0000</pubDate></item><item><title>Most sophisticated iPhone attack ever used a hidden hardware feature to backdoor iOS</title><link>https://nsaneforums.com/news/security-privacy-news/most-sophisticated-iphone-attack-ever-used-a-hidden-hardware-feature-to-backdoor-ios-r20916/</link><description><![CDATA[<p>
	Apple users rarely see malware notifications like the ones that keep popping up on Android, including apps that Google has to ban. But just because iPhone security is better doesn’t mean hackers have given up. A few years ago, we saw the infamous Pegasus attack that relied on an iMessage exploit to infect phones without the recipient even having to tap on any links. Apple has patched Pegasus, but that hasn’t stopped attackers from looking for more vulnerabilities in the iPhone and other devices.
</p>

<p>
	 
</p>

<p>
	Operation Triangulation, found by Kaspersky researchers from Russia, represents the latest iPhone attack. It’s described as the “most sophisticated” iPhone attack ever discovered. It also uses a 0-day iMessage attack like Pegasus, alongside three other vulnerabilities to backdoor the iPhone.
</p>

<p>
	 
</p>

<p>
	Interestingly, one of these vulnerabilities concerns a hidden hardware feature of the iPhone that the researchers could not explain.
</p>

<p>
	 
</p>

<p>
	Before you panic, you should know this iPhone attack was used by a highly advanced entity to spy on unnamed key political figures. You’re not looking at a malware attack that will empty your bank account, or that targets regular users. Even though the vulnerabilities were abused for four years, mass deployment wasn’t the goal. Also, Apple has patched all the vulnerabilities, so Operation Triangulation might not even work anymore.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>Operation Triangulation didn’t go after your money</strong></span>
</p>

<p>
	<br />
	As Ars Technica reports, Operation Triangulation first came to light in June. Like Pegasus, the attackers delivered the malicious payload over iMessage texts.
</p>

<p>
	 
</p>

<p>
	Thousands of people working inside diplomatic missions and embassies in Russia might have been infected this way. That’s according to Russian officials, who blamed the NSA for this specific hack. Of course, no evidence was offered to substantiate that claim.
</p>

<p>
	 
</p>

<p>
	Kaspersky has been investigating Operation Triangulation ever since without being able to point the finger at a culprit. The attack also impacted Kaspersky employees.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="iphone-15-plus-5.jpg?resize=1536,864&amp;qua" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://bgr.com/wp-content/uploads/2023/12/iphone-15-plus-5.jpg?resize=1536,864&amp;quality=82" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>iPhone 15 Plus Display. Image source: Christian de Looper for BGR</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	“Currently, we cannot conclusively attribute this cyberattack to any known threat actor,” Kaspersky researcher Boris Larin told Ars. “The unique characteristics observed in Operation Triangulation don’t align with patterns of known campaigns, making attribution challenging at this stage.”
</p>

<p>
	But Kaspersky’s latest discovery concerns an undocumented hardware feature of the iPhone’s chip. The attackers exploited a vulnerability in this feature, and it is unclear how they even knew the feature existed in order to attack it.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>The hidden hardware hack</strong></span>
</p>

<p>
	<br />
	Specifically, the attackers bypassed hardware-based memory protections that are meant to stop an attacker from taking control of the handset even after they have gained the ability to read and write the device’s kernel memory.
</p>

<p>
	 
</p>

<p>
	The Operation Triangulation attackers used the hidden hardware feature to get around this protection. That raises the question Kaspersky cannot answer: how the attackers knew about the feature at all. From the Kaspersky research paper:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	If we try to describe this feature and how attackers use it, it all comes down to this: attackers are able to write the desired data to the desired physical address with [the] bypass of [a] hardware-based memory protection by writing the data, destination address and hash of data to unknown, not used by the firmware, hardware registers of the chip.
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or was included by mistake. Since this feature is not used by the firmware, we have no idea how attackers would know how to use it.
</p>

<p style="margin-left:40px;">
	After the attacker targets a victim, Operation Triangulation allows them to extract key data, including microphone recordings, images, location data, and other information. The attack also involves cleaning its traces, and running Safari in invisible mode to potentially trigger other spyware programs.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>What you should do</strong></span>
</p>

<p>
	<br />
	Kaspersky still can’t explain everything about Operation Triangulation, though the attack is the most sophisticated one it has seen so far.
</p>

<p>
	 
</p>

<p>
	“This is no ordinary vulnerability, and we have many unanswered questions,” Kaspersky concluded. “We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight.”
</p>

<p>
	 
</p>

<p>
	The report continued, “What we do know—and what this vulnerability demonstrates—is that advanced hardware-based protections are useless in the face of a sophisticated attacker as long as there are hardware features that can bypass those protections.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="iPhone-15-Pro-5.jpg?resize=1536,864&amp;qual" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://bgr.com/wp-content/uploads/2023/09/iPhone-15-Pro-5.jpg?resize=1536,864&amp;quality=82" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>iPhone 15 Pro profile shows the Action button. Image source: Jonathan Geller, BGR</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Some of the vulnerabilities Kaspersky found also affect other Apple hardware: Macs, iPads, Apple Watches, Apple TVs, and iPods. As with the iPhone, Apple has patched these platforms as well. With the fixes in place, Operation Triangulation should no longer work, because the exploit chain needs all four vulnerabilities to function; patching any one of them breaks it.
</p>

<p>
	 
</p>

<p>
	You should be safe if you run the latest software versions on your Apple devices. Even if you don’t, Operation Triangulation targeted specific people rather than the public at large.
</p>

<p>
	 
</p>

<p>
	You should check out Ars’s coverage and the Kaspersky research in full if you need more details on this iPhone hack.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://bgr.com/tech/the-most-sophisticated-iphone-attack-ever-used-a-hidden-hardware-feature-to-backdoor-the-phone-but-youre-safe/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20916</guid><pubDate>Thu, 28 Dec 2023 17:47:56 +0000</pubDate></item><item><title>How to report Gmail messages as spam to improve your life and make you a hero</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-report-gmail-messages-as-spam-to-improve-your-life-and-make-you-a-hero-r20915/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>The act of marking and reporting an email as spam in Gmail has an important side effect that makes it totally worth a few seconds of your day.</strong></span>
</p>

<p>
	 
</p>

<p>
	I've been using Gmail for a decade and a half. Over the years, I've watched the service evolve from a fairly basic email option to a much more expansive offering. At the same time, I've seen the continual rise of spam. We all know what spam is and nobody enjoys having to constantly sift through those unwanted emails to get to those we want (or need) to read.
</p>

<p>
	 
</p>

<p>
	And yet so many simply delete spam from the inbox and think nothing of it. 
</p>

<p>
	 
</p>

<p>
	Deleting spam doesn't help lower the surplus population of offending emails. Instead, what you need to do is report those emails as spam to Google. It only takes a second or two to do so and it has the added benefit of sending a copy of the offending email to Google, which can analyze it to protect you and other users from similar spam and even abuse.
</p>

<p>
	 
</p>

<p>
	Even better, the more emails you report as spam, the better Gmail learns your preferences and will be more capable of blocking spam from even reaching your inbox. 
</p>

<p>
	 
</p>

<p>
	In other words, you do benefit from reporting emails as spam. So, why don't more people do it? Well, first off, some might not even know about the feature. Second, some people might find themselves too busy to take the extra steps for reporting emails.
</p>

<p>
	 
</p>

<p>
	Believe me when I tell you that it's worth the extra few seconds. Since I started reporting emails as spam, the amount of junk and abusive emails I receive has dramatically declined in my Gmail account. 
</p>

<p>
	 
</p>

<p>
	So, yeah, it's worth it.
</p>

<p>
	 
</p>

<p>
	Let me show you how it's done.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>How to report emails as spam in Gmail</strong></span>
</p>

<p>
	<br />
	What you'll need: The only things you'll need are a valid Gmail account and either a browser (for the web app) or the Gmail mobile app. The process is the same for both browsers and apps, so I'll demonstrate this on the browser version. It doesn't matter what browser you use (so long as it supports Gmail - which most do).
</p>

<p>
	 
</p>

<p>
	There are two methods of reporting spam with Gmail. The first is on a per-email basis (which is what I use). The reason I use this particular method is that I've mistakenly labeled email as spam when using the toolbar/multi-select method. Because of that, I always like to ensure the email I'm reporting is, in fact, spam. However, some prefer the faster, spam button method because it's more efficient (allowing you to report multiple emails at once), and it doesn't require you to open the email in question. 
</p>

<p>
	 
</p>

<p>
	With that being said, let me demonstrate the method I use first.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>1. Log into your Gmail account</strong></span>
</p>

<p>
	<br />
	The first thing to do is to open your web browser and log into your Gmail account. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>2. Locate an offending email</strong></span>
</p>

<p>
	<br />
	Next, go through your inbox and locate any instance of spam you can find. Do be careful to make sure the email you target is spam and not a missive from someone you need to hear from. Once you've found such an email, click it.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>3. Report the email as spam</strong></span>
</p>

<p>
	<br />
	With the email open, click the three-dot menu near the upper right corner of the reading pane. From the drop-down menu, click Report Spam.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="spam1.jpg?auto=webp&amp;width=740" class="ipsImage" data-ratio="75.10" height="540" width="389" src="https://www.zdnet.com/a/img/resize/39f3ba3f94bf944a912f372ad5e6c552d3876b89/2023/12/27/0c557eb1-0c4c-4420-89f4-8b2ee44f471d/spam1.jpg?auto=webp&amp;width=740" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Reporting an email as spam in Gmail is quite simple.<br />
	Screenshot by Jack Wallen/ZDNET</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:22px;"><strong>4. Is it spam or a subscription?</strong></span>
</p>

<p>
	 
</p>

<p>
	Gmail will then pop-up a new window asking you to select either Report Spam or Unsubscribe. This is a good final check to make sure you're not reporting an innocent subscription email as spam. If it is a subscription, you can simply click Unsubscribe and Gmail will take care of that task for you. If it is spam, click Report Spam and you're good to go. If it's not a subscription, you might instead see a Go to Website button along with the Report Spam button. Either way, it's a good final check.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="spam2.jpg?auto=webp&amp;width=1280" class="ipsImage" data-ratio="75.10" height="366" width="720" src="https://www.zdnet.com/a/img/resize/834bbbcd6442e749be57a75ab98bc4aa4871d81f/2023/12/27/d8f5b524-74f3-4c27-917f-fb7a101a5a64/spam2.jpg?auto=webp&amp;width=1280" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Make sure to not report a subscription email as spam, as that can cause problems for the originating company.<br />
	Screenshot by Jack Wallen/ZDNET</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:24px;"><strong>The faster method</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>1. Select the email(s) in question</strong></span>
</p>

<p>
	 
</p>

<p>
	Go through your inbox and select any email(s) you suspect to be spam. Once you've selected the first email, you will then be able to use the multi-select tool and select any emails via a checkbox.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>2. Click the Spam Report button</strong></span>
</p>

<p>
	<br />
	In the Gmail toolbar, you'll find an icon that looks like a stop sign with an exclamation point. Click that button and the same pop-up will appear asking if you would like to report or unsubscribe. If you are certain the selected email is spam, click Report and you're done.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="spambutton.jpg?auto=webp&amp;width=1280" class="ipsImage" data-ratio="73.47" height="298" width="720" src="https://www.zdnet.com/a/img/resize/9057cd44abe303c256303571d597c1041b8d2611/2023/12/28/cec46b83-5eaf-4d35-8d20-3c50ca853235/spambutton.jpg?auto=webp&amp;width=1280" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>The report button is found directly to the left of the trash can icon.<br />
	Screenshot by Jack Wallen/ZDNET</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	And that's all there is to reporting emails as spam in Gmail. Don't think of this as just doing yourself a favor -- you're also helping anyone who might be a target for such emails. The more you report, the better Gmail is at blocking spam. So start reporting and don't stop. Let's finally put those undesirable emails to rest.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/how-to-report-gmail-messages-as-spam-to-improve-your-life-and-make-you-a-hero/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20915</guid><pubDate>Thu, 28 Dec 2023 17:40:49 +0000</pubDate></item><item><title>Hackers uploaded malware through a popular game mod on Steam</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-uploaded-malware-through-a-popular-game-mod-on-steam-r20910/</link><description><![CDATA[<p>
	Downfall, a popular mod for Slay The Spire, was hijacked by attackers. The developer of the mod has published some details about what happened.
</p>

<p>
	 
</p>

<p>
	While it is not the first time a mod on <a data-wpel-link="internal" href="https://www.ghacks.net/2023/11/21/steam-now-indicates-whether-a-game-supports-dualshock-and-dualsense-controllers/" rel="external nofollow">Steam</a> Workshop has been infected, this is perhaps the most notable security incident related to mods available on the platform. It is kind of shocking that hackers have targeted a free mod to distribute malware. Naturally, some users are worried whether such issues could arise with other games. Some people have questioned how this was possible in the first place, and why Valve did not have a security system in place to prevent such risks.
</p>

<p>
	 
</p>

<p>
	The main problem with software and games distributed on Steam is auto-updates. Automatic updates are usually beneficial, since you get bug fixes faster, but they become a liability when an update introduces new bugs or, as in this case, an actual security risk. Steam only lets you defer a game's update until you next launch it (under the game's Properties &gt; Updates), Workshop items are synced automatically, and you cannot launch the game without installing the latest update. A malicious update therefore reaches every player who starts the game.
</p>

<p>
	 
</p>

<p>
	Coming back to the mod that had been hijacked, it appears that not all users of the Downfall mod were impacted by the attack. The announcement by the mod's developer has some details about how users were affected by the malware.
</p>

<p>
	 
</p>

<p>
	<img alt="Downfall-mod-for-Slay-the-Spire.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/12/Downfall-mod-for-Slay-the-Spire.jpg">
</p>

<div class="rvloader-container mb--10" id="td-incontent-1073704830394">
	<script class="rvloader">!function(){var t="td-incontent-"+Math.floor(Math.random()*Date.now()),e=document.getElementsByClassName("rvloader"),n=e[e.length-1].parentNode;undefined==n.getAttribute("id")&&(n.setAttribute("id",t),revamp.displaySlots([t]))}();</script>
</div>

<h3>
	<strong>Downfall mod for Slay the Spire was hacked to spread malware</strong>
</h3>

<p>
	Table 9 Studio, the developers of the Downfall mod, <a data-wpel-link="external" href="https://steamcommunity.com/games/1865780/announcements/detail/3865841912968681604" rel="external nofollow" target="_blank">say</a> that they experienced a security breach at about 1:20 PM Eastern (18:20 UTC) on December 25, when attackers hijacked the developer's Steam and Discord accounts. Between roughly 1:30 PM and 2:30 PM Eastern on 12/25 the attackers uploaded files containing malware to the developer's Steam library. The developers say they contained the breach before they regained control of the accounts, which happened late that evening, but by then the damage had already been done.
</p>

<p>
	 
</p>

<p>
	Users who did not launch Downfall during the breach window need not worry, even if the mod was updated automatically. Players who accessed Downfall via the Steam Workshop, i.e. by launching Slay the Spire, are also not affected. In general, if the game looked normal when you launched it, you were not affected. If you were unable to launch Downfall because of a "no .exe found" error, don't panic: this was the developer's way of preventing the malware from running. Some users may have seen a command-prompt-like window with text in it; that was the Java log, which was accidentally made visible when the developers restored the game.
</p>

<p>
	 
</p>

<p>
	However, if you saw a Unity library installer pop-up when you launched Downfall on December 25, you may be at risk. Table 9 Studio's announcement notes that antivirus software did not stop the tampered mod from being downloaded, though for some users it did block the malicious payload that the installer then tried to fetch. The malware is an information stealer: it takes passwords, cookies, payment information and other data from web browsers and from applications such as Telegram and Discord. Users who saw the Unity pop-up, or who otherwise believe they were compromised, are advised to change the passwords of their online accounts from a clean device and to enable 2FA. Because the stealer also takes session cookies, it is worth signing out of all active sessions where a service offers that option.
</p>

<p>
	 
</p>

<p>
	Some user reports indicate that the malware dropped an application called WindowsBootManager in the user's AppData folder, or under users\[username]\AppData\Local\Temp. One file there is named epsilon-[username].zip and contains the stolen passwords, cookies, credit card data and other information staged for exfiltration. One user found the malware under Local\microsoft\windows\0, presenting itself as a game called Windows Boot Manager, along with another file named unitylibmanager in the Local\Temp folder.
</p>
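<p>
	An added triage check for the artefacts users reported above, not part of the gHacks article or of Table 9 Studio's advisory: a Python scan of an AppData tree for the reported names. The name patterns are built only from the paragraph above (they are not a vendor indicator list), the sample directory tree is constructed for the demo, and a clean result does not prove a machine is clean.
</p>

```python
import os
import re
import tempfile

# Name patterns taken from the user reports above; constructed for this example,
# not an official indicator list. The real Windows Boot Manager lives on the EFI
# system partition, so anything by that name under a user profile is suspicious.
INDICATORS = [
    ("WindowsBootManager under a user profile",
     re.compile(r"^windows ?boot ?manager(\.exe)?$", re.I)),
    ("epsilon-<user>.zip staging archive",
     re.compile(r"^epsilon-.+\.zip$", re.I)),
    ("unitylibmanager dropper",
     re.compile(r"^unitylibmanager", re.I)),
]


def scan_profile(appdata_root: str):
    """Walk an AppData tree and return (indicator, path) pairs for every
    file or folder whose name matches one of the reported patterns."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(appdata_root):
        for name in dirnames + filenames:
            for label, pattern in INDICATORS:
                if pattern.match(name):
                    hits.append((label, os.path.join(dirpath, name)))
    return hits


def build_sample_profile() -> str:
    """Constructed AppData tree mimicking the reported artefacts plus benign
    files, so the scan can run offline (demo data only)."""
    root = tempfile.mkdtemp(prefix="appdata-demo-")
    layout = {
        os.path.join("Local", "Temp", "epsilon-alice.zip"): b"PK",
        os.path.join("Local", "Temp", "unitylibmanager.exe"): b"MZ",
        os.path.join("Local", "microsoft", "windows", "0", "WindowsBootManager.exe"): b"MZ",
        os.path.join("Local", "Temp", "setup.log"): b"ok",
        os.path.join("Roaming", "Discord", "settings.json"): b"{}",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # On a real Windows machine: scan_profile(os.path.expandvars(r"%USERPROFILE%\AppData"))
    for label, path in scan_profile(build_sample_profile()):
        print(f"[{label}] {path}")
```

<p>
	Run it against a user's real AppData directory on a machine that launched Downfall in the breach window; any hit is a reason to treat the machine as compromised and rotate credentials from another device.
</p>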

<p>
	 
</p>

<p>
	The developers say that the Downfall mod is once again safe to play. Table 9 Studio has released a game called Tales &amp; Tactics on Steam. The roguelike autobattler game is in Early Access.
</p>

<p>
	 
</p>

<div class="rvloader-container mb--10" id="td-incontent-440015816584">
	<script class="rvloader">!function(){var t="td-incontent-"+Math.floor(Math.random()*Date.now()),e=document.getElementsByClassName("rvloader"),n=e[e.length-1].parentNode;undefined==n.getAttribute("id")&&(n.setAttribute("id",t),revamp.displaySlots([t]))}();</script>
</div>

<p>
	Steam is set to introduce stricter rules for developers: a system that requires publishers to register a phone number and enter an SMS verification code from Valve's servers before they can upload a new build of a game. Making 2FA mandatory for publishers is a good move, but relying on SMS is risky. Codes sent over SMS can be intercepted through SIM swapping or SS7 attacks, and they can be phished in real time, so they are the weakest second factor available. Many developers have already raised these concerns with Valve, so hopefully the company will listen to the feedback and move to authenticator apps or hardware keys instead.
</p>

<p>
	 
</p>

<div id="div-gpt-ad-1524862513262-0">
	 
</div>

<p>
	<a href="https://www.ghacks.net/2023/12/28/hackers-uploaded-malware-through-a-popular-game-mod-on-steam/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20910</guid><pubDate>Thu, 28 Dec 2023 16:59:32 +0000</pubDate></item><item><title>Researchers come up with better idea to prevent AirTag stalking</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-come-up-with-better-idea-to-prevent-airtag-stalking-r20909/</link><description><![CDATA[<h3>
	Solution relies in part on cryptography practice of secret sharing to maximize privacy.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Apple's AirTags are meant to help you effortlessly <a href="https://www.wired.com/gallery/best-trackers/" rel="external nofollow">find your keys or track your luggage</a>. But the same features that make them easy to deploy and inconspicuous in your daily life have also <a href="https://www.wired.com/story/opinion-apples-air-tags-are-a-gift-to-stalkers/" rel="external nofollow">allowed them to be abused as a sinister tracking tool</a> that <a href="https://www.theguardian.com/technology/2022/sep/05/i-didnt-want-it-anywhere-near-me-how-the-apple-airtag-became-a-gift-to-stalkers" rel="external nofollow">domestic abusers and criminals can use</a> to stalk their targets.
	</p>

	<p>
		 
	</p>

	<p>
		Over the past year, <a href="https://www.wired.com/story/how-to-find-airtags/" rel="external nofollow">Apple has taken protective steps</a> to notify iPhone and Android users if an AirTag is in their vicinity for a significant amount of time without the presence of its owner's iPhone, which could indicate that an AirTag has been planted to secretly track their location. Apple hasn't said exactly how long this time interval is, but to create the much-needed alert system, Apple made some crucial changes to the <a href="https://www.wired.com/story/apple-find-my-cryptography-bluetooth/" rel="external nofollow">location privacy design</a> the company originally developed a few years ago for its “Find My” device tracking feature. Researchers from Johns Hopkins University and the University of California, San Diego, say, though, that they've <a href="https://eprint.iacr.org/2023/1332.pdf" rel="external nofollow">developed a cryptographic scheme</a> to bridge the gap—prioritizing detection of potentially malicious AirTags while also preserving maximum privacy for AirTag users.
	</p>

	<p>
		 
	</p>
	<p>
		The Find My system uses <a href="https://www.wired.com/2014/07/minilock-simple-encryption/" rel="external nofollow">both public and private cryptographic keys</a> to identify individual AirTags and manage their location tracking. But Apple developed a particularly thoughtful <a href="https://www.wired.com/story/apple-find-my-cryptography-bluetooth/" rel="external nofollow">mechanism to regularly rotate</a> the public device identifier—every 15 minutes, according to the researchers. This way, it would be much more difficult for someone to track your location over time using a Bluetooth scanner to follow the identifier around. This worked well for privately tracking the location of, say, your MacBook if it was lost or stolen, but the downside of constantly changing this identifier for AirTags was that it provided cover for the tiny devices to be deployed abusively.
	</p>

	<p>
		 
	</p>

	<p>
		In reaction to this conundrum, Apple revised the system so an AirTag's public identifier now only rotates once every 24 hours if the AirTag is away from an iPhone or other Apple device that “owns” it. The idea is that this way other devices can detect potential stalking, but won't be throwing up alerts all the time if you spend a weekend with a friend who has their iPhone and the AirTag on their keys in their pockets.
	</p>

	<p>
		 
	</p>

	<p>
		In practice, though, the researchers say that these changes have created a situation where AirTags are broadcasting their location to anyone who's checking within a 30- to 50-foot radius over the course of an entire day—enough time to track a person as they go about their life and get a sense of their movements.
	</p>

	<p>
		 
	</p>

	<p>
		“We had students walk through cities, walk through Times Square and Washington, DC, and lots and lots of people are broadcasting their locations,” says Johns Hopkins cryptographer Matt Green, who worked on the research with a group of colleagues, including Nadia Heninger and Abhishek Jain. “Hundreds of AirTags were not near the device they were registered to, and we're assuming that most of those were not stalker AirTags.”
	</p>

	<p>
		 
	</p>

	<p>
		Apple has been working with companies like Google, Samsung, and Tile on a <a href="https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/" rel="external nofollow">cross-industry effort</a> to address the threat of tracking from products similar to AirTags. And for now, at least, the researchers say that the consortium seems to have adopted Apple's approach of rotating the device public identifiers once every 24 hours. But the privacy trade-off inherent in this solution made the researchers curious about whether it would be possible to design a system that better balanced both privacy and safety.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		“There’s this whole standards effort going on around how to do stalking resistance, which is really good. It means Apple and Google and the other companies are taking it seriously,” Green says. “The sad part is that Apple did the thing that everyone does when they're painted into a corner. They have a big knob—one direction is privacy, one direction is the other thing (in this case, anti-stalking)—and they turned that knob away from privacy.”
	</p>

	<p>
		 
	</p>

	<p>
		The solution Green and his fellow researchers came up with leans on two established areas of cryptography that the group worked to implement in a streamlined and efficient way so the system could reasonably run in the background on mobile devices without being disruptive. The first element is “secret sharing,” which allows the creation of systems that can't reveal anything about a “secret” unless enough separate puzzle pieces present themselves and come together. Then, if the conditions are right, the system can reconstruct the secret. In the case of AirTags, the “secret” is the true, static identity of the device underlying the public identifier that is frequently changing for privacy purposes.
	</p>

	<p>
		 
	</p>

	<p>
		Secret sharing was conceptually useful for the researchers to employ because they could develop a mechanism where a device like a smartphone would only be able to determine that it was being followed around by an AirTag with a constantly rotating public identifier if the system received enough of a certain type of ping over time. Then, suddenly, the suspicious AirTag's anonymity would fall away and the system would be able to determine that it had been in close proximity for a concerning amount of time.
	</p>

	<p>
		 
	</p>

	<p>
		Green notes, though, that a limitation of secret sharing algorithms is that they aren't very good at sorting and parsing inputs if they're being deluged by a lot of different puzzle pieces from all different puzzles—the exact scenario that would occur in the real world where AirTags and Find My devices are constantly encountering each other. With this in mind, the researchers employed a second concept known as “error correction coding,” which is specifically designed to sort signal from noise and preserve the durability of signals even if they acquire some errors or corruptions.
	</p>
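	<p>
		The secret-sharing mechanism described in the preceding paragraphs, as an added worked example that is not code from the researchers' paper or from Apple: a simulated tag splits its static identity into Shamir shares over a prime field and hands out one share per rotation epoch, and a phone that collects a threshold number of shares from the same tag recovers the identity. Fewer shares are consistent with every possible secret, and shares mixed in from a second tag reconstruct to garbage, which is exactly the separation problem the error-correction step in the paper addresses. The class names, the threshold of 3, the field prime and the epoch-to-share mapping are all assumptions made for the demo.
	</p>

```python
import hashlib
import secrets

# Field prime for all share arithmetic (2^127 - 1 is a Mersenne prime); a constructed choice
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (lowest-degree coefficient first) modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


class TrackerBeacon:
    """Simulated tag (assumed design). Its static identity is the Shamir secret;
    each rotation epoch broadcasts one share next to the rotating public identifier."""

    def __init__(self, identity: bytes, threshold: int):
        # Derive a field element from the static identity (15 bytes < 2^120 < P)
        self.secret = int.from_bytes(hashlib.sha256(identity).digest()[:15], "big")
        self.threshold = threshold
        # Random polynomial of degree threshold-1 with f(0) = secret
        self.coeffs = [self.secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def broadcast(self, epoch: int):
        """Share a nearby phone picks up during rotation epoch `epoch`.
        Epoch 0 is never used because f(0) is the secret itself."""
        if epoch < 1:
            raise ValueError("epoch must be >= 1")
        return (epoch, _eval_poly(self.coeffs, epoch))


def reconstruct(shares):
    """Lagrange interpolation at x = 0: recovers f(0) from at least
    `threshold` shares with distinct x values."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


class StalkerDetector:
    """Phone-side logic (assumed design): buffer shares seen while no owner device
    is around; once `threshold` shares from one tag are present, its static
    identity falls out and an alert can be raised."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.observed = []

    def observe(self, share):
        self.observed.append(share)
        if len(self.observed) < self.threshold:
            return None  # below threshold the shares fit every possible secret
        return reconstruct(self.observed[-self.threshold:])
```

	<p>
		The naive detector above assumes all buffered shares come from one tag. In a crowd they do not, and Lagrange interpolation over a mix of tags produces a meaningless value rather than an error; that is why the researchers pair secret sharing with an error-correcting code that can pull one tag's shares out of the noise.
	</p>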

	<p>
		 
	</p>

	<p>
		“Secret sharing and error correction coding have a lot of overlap," Green says. “The trick was to find a way to implement it all that would be fast, and where a phone would be able to reassemble all the puzzle pieces when needed while all of this is running quietly in the background.”
	</p>

	<p>
		 
	</p>

	<p>
		The researchers first <a href="https://eprint.iacr.org/2023/1332.pdf" rel="external nofollow">published</a> a paper about their findings in September and submitted it to Apple. More recently, they notified the industry consortium about the proposal. Apple did not return WIRED's request for comment about the research and whether it is considering implementing the scheme.
	</p>

	<p>
		 
	</p>

	<p>
		Green says he hopes the company will eventually do something with the work. And he adds that the project is an important reminder of the real-world impacts theoretical cryptography can have.
	</p>

	<p>
		 
	</p>

	<p>
		“What I love about this problem is it seems like there are two competing requirements that can't be reconciled,” he says. “But in cryptography, we can get full privacy and then, magically, the puzzle pieces click into place, or a ‘chemical reaction’ happens, and we phase-transition to a point where suddenly it’s obvious that this is a stalker, not just a benign AirTag. It's very powerful to be able to go between those two moments.”
	</p>

	<p>
		 
	</p>

	<p>
		<em>This story originally appeared on wired.com.</em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2023/12/researchers-come-up-with-better-idea-to-prevent-airtag-stalking/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20909</guid><pubDate>Thu, 28 Dec 2023 16:58:35 +0000</pubDate></item><item><title>GitHub warns users to enable 2FA before upcoming deadline</title><link>https://nsaneforums.com/news/security-privacy-news/github-warns-users-to-enable-2fa-before-upcoming-deadline-r20890/</link><description><![CDATA[<p>
	GitHub is warning users that they will soon have limited functionality on the site if they do not enable two-factor authentication (2FA) on their accounts.
</p>

<p>
	 
</p>

<p>
	In emails sent to GitHub users on Christmas Eve, the company warned that all users contributing code on GitHub.com must enable 2FA by January 19th, 2024.
</p>

<p>
	 
</p>

<p>
	"This is a reminder that <a href="https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/" rel="external nofollow" target="_blank">we announced</a> that we are requiring users contributing code on GitHub.com to enable two-factor authentication (2FA)," reads the email seen by BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"You are receiving this notification because your account meets this criteria and will be required to enroll in 2FA by January 19th, 2024 at 00:00 (UTC)".
</p>

<p>
	 
</p>

<p>
	This same warning is shown on the GitHub site after logging into your account, as shown below.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Github-alert.jpg" class="ipsImage" data-ratio="55.69" height="216" width="720" src="https://www.bleepstatic.com/images/news/u/1097497/Tech/Github-alert.jpg">
	</p>

	<div style="text-align: left;">
		<em>Github alerting users about upcoming 2FA requirement. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	If you write or manage code on GitHub, this will apply to you. The company has made this decision to protect accounts from being breached and code altered in supply chain attacks.
</p>

<p>
	 
</p>

<p>
	However, this change is only for GitHub.com, not for business or enterprise accounts.
</p>

<p>
	 
</p>

<p>
	If you haven't set up 2FA by the deadline, you'll find your access to GitHub limited. But don't worry, GitHub has <a href="https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13" rel="external nofollow" target="_blank">instructions</a> to help you configure it easily. 
</p>

<p>
	 
</p>

<p>
	"On January 19th, 2024 at 00:00 (UTC) your account will be required to have 2FA for authentication. If you have not yet enrolled by that date, your ability to access GitHub.com will be limited until you finish the enrollment process," the company noted in an email to its users.
</p>

<p>
	 
</p>

<p>
	After the January 19th deadline, users attempting to access GitHub.com without 2FA will be automatically directed to complete the setup. 
</p>

<p>
	 
</p>

<p>
	Even after 2FA becomes mandatory, any configured Personal Access Tokens, SSH keys, and apps will still work. However, if you want to make new ones or change your account settings, you must enable 2FA on the account.
</p>

<h2>
	How to set up 2FA on Github
</h2>

<p>
	GitHub offers several 2FA methods: security keys, GitHub Mobile, authenticator apps (TOTP), and SMS text messages.
</p>

<p>
	 
</p>

<p>
	To guarantee continuous access, activating at least two of these methods is recommended. Users can manage their 2FA settings and explore additional methods in their security settings on GitHub.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Github-2FA.jpg" class="ipsImage" data-ratio="75.10" height="540" width="580" src="https://www.bleepstatic.com/images/news/u/1097497/Tech/Github-2FA.jpg">
	</p>

	<div style="text-align: left;">
		<em>GitHub 2FA setup screen. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	If you've already enabled 2FA before January 19th, 2024, you're all set. After that date, you can't turn off 2FA, but you can change your configured verification methods. 
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Github2FA-enabled.jpg" class="ipsImage" data-ratio="75.10" height="540" width="564" src="https://www.bleepstatic.com/images/news/u/1097497/Tech/Github2FA-enabled.jpg">
	</p>

	<div style="text-align: left;">
		<em>GitHub 2FA enabled using SMS authentication. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	In its email, GitHub suggests having more than one 2FA method, as it warned that it "may not be able to restore access to accounts with 2FA enabled if you lose your 2FA credentials".
</p>

<p>
	 
</p>

<p>
	If you lose all your 2FA options, the only way back into your account is with your recovery codes.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/software/github-warns-users-to-enable-2fa-before-upcoming-deadline/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20890</guid><pubDate>Wed, 27 Dec 2023 02:06:33 +0000</pubDate></item><item><title>The most popular passwords of 2023 are easy to guess and crack</title><link>https://nsaneforums.com/news/security-privacy-news/the-most-popular-passwords-of-2023-are-easy-to-guess-and-crack-r20870/</link><description><![CDATA[<p>
	Each year, analysts at various Internet security companies release lists of the most used (and known) passwords. These lists are based on leaked password database data.
</p>

<p>
	 
</p>

<p>
	The passwords that are on these lists may act as a warning for any Internet and electronic device user. It should have the title "don't use these passwords", but is it really that simple?
</p>

<p>
	 
</p>

<p>
	Some common passwords have been used for ages and they continue to be used. Are users really resistant to improving their online security?
</p>

<h2>
	NordPass' Top 200 Most Common Passwords list
</h2>

<p>
	NordPass <a data-wpel-link="external" href="https://nordpass.com/most-common-passwords-list/" rel="external nofollow" target="_blank">released</a> a list of the top 200 most common passwords last month. The company states that it compiled the list "in partnership with independent researchers". The analysis extracted passwords from a 4.3TB database that has been fed with data from publicly available sources.
</p>

<p>
	 
</p>

<p>
	The top 10 could be from any year in the past 20 years:
</p>

<p>
	 
</p>


<ol>
	<li>
		123456
	</li>
	<li>
		admin
	</li>
	<li>
		12345678
	</li>
	<li>
		123456789
	</li>
	<li>
		1234
	</li>
	<li>
		12345
	</li>
	<li>
		password
	</li>
	<li>
		123
	</li>
	<li>
		Aa123456
	</li>
	<li>
		1234567890
	</li>
</ol>

<p>
	 
</p>

<p>
	The top 10 consists mostly of numbers. The strings "admin" and "password" are common default passwords for certain devices, but they are also widely chosen by users.
</p>

<p>
	 
</p>

<p>
	You may wonder about some other passwords that you expected to be higher on the list. The popular "qwerty" password is at position 25. There is also "admin123" at position 18, "user" at position 20 and "demo" at position 44.
</p>

<p>
	 
</p>

<p>
	What all of these passwords have in common is that brute-force cracking runs find them in less than 12 seconds. The first password that requires a longer attack is "Eliska81". It is at position 40 and requires 3 hours to crack.
</p>

<p>
	 
</p>

<p>
	Another common type of password appends "@123" to a basic name. The list contains several examples of that, including "India@123" and "admin@123". These also take 3 hours to brute force.
</p>

<h2>
	Hasso Plattner Institut: most popular German passwords
</h2>

<p>
	The Hasso Plattner Institut <a data-wpel-link="external" href="https://hpi.de/pressemitteilungen/2023/123456789-das-beliebteste-passwort-2023-in-deutschland.html" rel="external nofollow" target="_blank">releases</a> its list of the most popular leaked passwords in Germany each year. The data comes from publicly available sources.
</p>

<p>
	 
</p>


<p>
	Here is the top 10:
</p>

<p>
	 
</p>

<ol>
	<li>
		123456789
	</li>
	<li>
		12345678
	</li>
	<li>
		hallo
	</li>
	<li>
		1234567890
	</li>
	<li>
		1234567
	</li>
	<li>
		password
	</li>
	<li>
		password1
	</li>
	<li>
		target123
	</li>
	<li>
		iloveyou
	</li>
	<li>
		gwerty123
	</li>
</ol>

<p>
	 
</p>

<p>
	These passwords are not particularly difficult to crack either.
</p>

<h2>
	Are there explanations for the continued use of weak passwords?
</h2>

<p>
	Most of the popular leaked passwords have one thing in common: they are easy to remember and to type. Computer and electronic device users who don't use password managers tend to select weaker passwords. Many also reuse the same password over and over, which makes them a lucrative target.
</p>

<p>
	 
</p>

<p>
	It would go too far to classify all of these users as resistant to learning and be done with the analysis.
</p>

<p>
	 
</p>

<p>
	One explanation for the continued use divides accounts into important and unimportant ones. Important accounts benefit from improved security. These can be banking or finance accounts, social media accounts, gaming platform accounts or shopping accounts.
</p>

<p>
	 
</p>


<p>
	Services that don't require as much security may include throwaway accounts. Many sites require registration before content can be accessed. If you just want to access content once, you may not spend much thought on a secure password.
</p>

<p>
	 
</p>

<p>
	Similarly, any account that is not really linked to a user's identity and "read only" may not require a Fort Knox grade of security.
</p>

<p>
	 
</p>

<p>
	Another explanation looks at the leaked password databases themselves. It is easier for analysts to brute force weak passwords or use dictionaries to identify previously leaked cleartext passwords, so weak passwords are over-represented in what gets recovered.
</p>

<p>
	 
</p>

<p>
	The result needs to be put in relation to the entire list of passwords. Is the percentage of passwords that the analysts could not crack stagnating, decreasing or increasing?
</p>

<h2>
	What you may do to protect all of your accounts
</h2>

<p>
	The most common advice is to use a password manager. These are available as free and paid solutions, and have varying degrees of comfort and feature support.
</p>

<p>
	 
</p>


<p>
	Some password managers are available on nearly any platform. <a data-wpel-link="internal" href="https://www.ghacks.net/2023/03/05/how-to-use-bitwarden-passwords-on-the-go/" rel="external nofollow">Bitwarden is such an example</a>, but there are others.
</p>

<p>
	 
</p>

<p>
	While it takes a bit of effort to get the password manager installed on all devices, everything after the initial setup is almost automated. When you create a new account and password on one device, it gets synced to all other devices automatically.
</p>

<p>
	 
</p>

<p>
	There are limitations. You can't run (most) password managers on Smart TVs, which makes typing secure streaming service account passwords a nuisance.
</p>

<p>
	 
</p>

<p>
	Still, with a password manager, you may create unique strong passwords for any service. Even your throwaway accounts may never be cracked then, which is not too bad of a thing if you think about it.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2023/06/23/how-to-use-and-manage-passkeys-in-windows-11/" rel="external nofollow">Passkeys</a> are an upcoming standard that won't replace passwords entirely, only in some places. The system relies on local cryptographic keys, so a user password is no longer required. Users authorize sign-ins and requests with their PIN, biometrics or hardware keys, such as Google's Titan security key.
</p>

<p>
	 
</p>


<p>
	<strong>Now You:</strong> how do you handle password security on your devices?
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/12/26/the-most-popular-passwords-of-2023-are-easy-to-guess-and-crack/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20870</guid><pubDate>Tue, 26 Dec 2023 07:23:09 +0000</pubDate></item><item><title>Cyber Badness: 12 Top Hacks, Data Breaches, Missteps of 2023</title><link>https://nsaneforums.com/news/security-privacy-news/cyber-badness-12-top-hacks-data-breaches-missteps-of-2023-r20868/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Cyberespionage, Ransomware and Breaches Continue, Though Defenders Notch Victories</span>
</p>

<p>
	 
</p>

<p>
	All has not been quiet on the malicious cybersecurity front over the past 12 months.
</p>

<p>
	 
</p>

<p>
	Innovation, cyberattacks and cyberespionage, and data breaches - malicious or inadvertent - have remained a constant. At the same time, defenders have scored notable victories, including in Ukraine as well as by disrupting some big-name ransomware players.
</p>

<p>
	 
</p>

<p>
	Here are 12 notable incidents and trends of 2023 and their implications for the bigger cybersecurity picture.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Clop's MOVEit Mass Attack</strong></span>
</p>

<p>
	<br />
	The Russian-speaking ransomware group Clop, or Cl0p, in late May targeted a zero-day vulnerability in Progress Software's MOVEit secure file transfer software. While the vendor quickly warned customers and patched the flaw, Clop's blitzkrieg allowed it to nab voluminous amounts of data being stored by organizations on their servers. The latest victim count stands at about 2,700 organizations affected and more than 91 million individuals' personal details exposed, according to security firm Emsisoft. Ransomware incident response firm Coveware estimated Clop earned $75 million to $100 million from large victims who paid quickly to keep their victimhood quiet.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Target: Secure File-Transfer Software</strong></span>
</p>

<p>
	<br />
	Clop has been on the vanguard of ransomware groups seeking easier and faster ways to extort victims, and secure file transfer software remains a top target. In late January, Clop exploited a flaw in Fortra GoAnywhere MFT software to steal data from hundreds of users. While Clop prefers zero-days, many attackers instead exploit unpatched file transfer software. In March, ransomware-wielding attackers targeted unpatched versions of IBM's Aspera Faspex file exchange application. In September, after Progress Software patched its WS_FTP server software and a researcher published a proof-of-concept exploit, attackers quickly came calling.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Patch or Perish: VMware Edition</strong></span>
</p>

<p>
	<br />
	Ransomware-wielding attackers aren't picky; they'll use whatever tactics reliably work. Beyond exploiting known flaws in secure file transfer software, another repeat target is VMware hosts. In February, researchers tracked two highly automated campaigns that used ESXiArgs ransomware to infect thousands of servers. VMware said attackers appeared to be exploiting already-patched flaws to gain access to hosts, including via the heap overflow vulnerability designated CVE-2021-21974, which it fixed in February 2021.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>US Government Hacked via Microsoft 365</strong></span>
</p>

<p>
	<br />
	Cyberespionage operations continue in force, as exemplified by suspected Chinese hackers gaining surreptitious access to 25 organizations - including senior U.S. officials' emails - in May by exploiting a zero-day flaw in Microsoft's cloud environment. The U.S. government said a federal civilian executive branch agency spotted unusual activity in its audit logs, confirmed the attack and reported it to Microsoft and the Cybersecurity and Infrastructure Security Agency. CISA urged all users to carefully monitor and review their own logs.
</p>

<p>
	 
</p>

<p>
	The attack is a reminder: The U.S. ranks China as a top national security threat in part due to its continuing willingness to use cyber operations to achieve its objectives, bolstered by its proficiency with targeting supply chains.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Rip and Replace: Backdoored Barracuda Gear</strong></span>
</p>

<p>
	<br />
	Barracuda Networks in May issued a patch for a zero-day vulnerability in its Email Security Gateway appliances. At the time, it warned that attackers had already been exploiting the flaw for up to eight months to gain "persistent backdoor access" to vulnerable appliances and exfiltrate data. The vendor later warned users that once attackers had installed the backdoor, the only way to safeguard themselves was to physically replace the hacked device, leading to the FBI urging the immediate removal of hacked devices. Incident responders tied the attacks to a nation-state group aligned with Beijing.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Making Citrix Gear Bleed</strong></span>
</p>

<p>
	<br />
	Attackers allegedly tied to Beijing struck again in late August by exploiting a zero-day flaw in NetScaler Application Delivery Controller and Gateway devices, formerly known as Citrix ADC and Citrix Gateway, to access those devices and steal existing, authenticated sessions. Even after users had patched the flaw, known as Citrix Bleed, attackers still used stolen session data to evade multifactor authentication and access the devices. All of this only came to light over the course of several weeks in October, leading researchers to warn users to patch and also terminate all active sessions. In the interim, multiple attackers began using the flaw to target organizations large and small, including Comcast.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Russia's Noisy 'Hacktivist' Groups</strong></span>
</p>

<p>
	<br />
	Moscow's war of conquest against Ukraine wasn't the easy victory supposedly envisioned by Russian President Vladimir Putin, thanks in no small part to Kyiv's preparation and assistance from allied nations and the private sector. As the war drags on, Russia occasionally scores a major disruption, such as against mobile operator Kyivstar, while resorting to a much greater degree to misinformation and disinformation. This appears to include self-proclaimed hacktivist groups such as KillNet, which may be run or funded by the state. While such groups often report having disrupted notable targets in Ukraine and allied countries, experts say such claims are often overblown or completely false and designed to make adversaries and their leadership look weak.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>North Korea's Atomic Wallet Love</strong></span>
</p>

<p>
	<br />
	Attacks launched by North Korea continue. The Pyongyang-affiliated hackers hit cryptocurrency exchanges and decentralized finance services to help the regime fund its long-range missile and weapons of mass destruction programs. Over the past five years, hackers tied to the Democratic People's Republic of Korea have stolen more than $3 billion, U.S. officials say.
</p>

<p>
	 
</p>

<p>
	One big hit this year happened in early June, when security researchers said North Korea's Lazarus group hacked Atomic Wallet - a noncustodial decentralized wallet - and stole $100 million in cryptocurrency from over 4,000 wallets, which they quickly began laundering. "The nature of the attack on Atomic Wallet indicates that the exploit was most likely carried out through a phishing or supply chain attack," said blockchain analytics firm TRM Labs.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Okta's Customer Support Data Heist</strong></span>
</p>

<p>
	<br />
	Like Microsoft, Okta got hacked and learned about it from its customer base, which in this case included BeyondTrust, 1Password and Cloudflare. Belatedly, Okta confirmed the September attack, reporting that it had traced it to an attacker who apparently stole valid access credentials an Okta employee had been storing in their personal Google account - saved in their Chrome browser. In early November, Okta said the attacker had stolen data pertaining to 134 customers. By the end of November, the vendor revised the breach tally and reported that the attacker had stolen information pertaining to every user of its primary customer support system.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Capita Customers' Data Breach Nightmare</strong></span>
</p>

<p>
	<br />
	Numerous organizations suffered breaches this year, and many of them have already come to light. What sets some incidents apart from others is the clarity of communications a breached organization offers to victims. Arguably falling short: British outsourcing giant Capita, which suffered a ransomware attack in March and in May learned from a security researcher that the attack had left a massive Amazon Web Services bucket unsecured since 2016. Victims included Britain's largest pension fund and potentially hundreds more organizations.
</p>

<p>
	 
</p>

<p>
	For the breach, Capita attempted to downplay the data exposure, creating a nonsense statistic and saying hackers had only accessed "less than 0.1% of its server estate." Subsequently, victims said they found more information was stolen than Capita admitted, or perhaps realized. Britain's data protection watchdog, the Information Commissioner's Office, subsequently reported "receiving a large number of reports from organizations directly affected by these incidents." The ICO's probe continues.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>UK Police Forces Leak Personal Data</strong></span>
</p>

<p>
	<br />
	Responding to a Freedom of Information Act request in August, the Police Service of Northern Ireland inadvertently posted a spreadsheet containing the first initials and surnames, roles and locations of all officers and staff. Described as being "the most significant data breach that has ever occurred in the history of U.K. policing," the breach has left serving officers and staff at risk from dissident Irish republicans. Shortly thereafter, the PSNI disclosed another data breach, as did London's Metropolitan Police Service and two constabularies in England.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Major Disruptions Hit Hive, BlackCat</strong></span>
</p>

<p>
	<br />
	The year has been bookended by two notable disruptions: first of the Hive ransomware collective in January and earlier this month of the Alphv/BlackCat group. In between, in April, law enforcement seized Genesis, the world's largest market for stolen browser cookies and other types of credentials used to facilitate account takeover. Speaking at RSA Conference later that month, U.S. Deputy Attorney General Lisa O. Monaco said the Department of Justice has updated its approach to combating cybercrime by adding a "disrupt and prevent" focus to impose economic costs on attackers, even if arrests don't result.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.inforisktoday.com/cyber-badness-12-top-hacks-data-breaches-missteps-2023-a-23952" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20868</guid><pubDate>Mon, 25 Dec 2023 22:49:25 +0000</pubDate></item><item><title>Why ransomware attacks on Indian IT firms are a cause for concern?</title><link>https://nsaneforums.com/news/security-privacy-news/why-ransomware-attacks-on-indian-it-firms-are-a-cause-for-concern-r20866/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>The recent ransomware incident at HCL Technologies, though contained in a restricted cloud environment without apparent widespread impact, negatively influenced its stock market perception. This event reflects the escalating threat of ransomware attacks on Indian organisations</strong></span>
</p>

<p>
	 
</p>

<p>
	On 20 December, IT services provider HCL Technologies, in its quarterly report, shared that it was hit by a ransomware incident within a restricted cloud environment. Following the attack, the company stated there was no “observable” impact on the overall HCL Tech network. However, news of the attack affected the stock market's perception of the company, leading to a decline in its share prices.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>What do we know of the ransomware attack on HCL Tech?</strong></span>
</p>

<p>
	<br />
	HCL Tech is an Indian information technology company providing solutions in the digital realm, including end-to-end digital offerings, cloud-based solutions, and software.
</p>

<p>
	 
</p>

<p>
	The company is one of the top software solution providers in India.
</p>

<p>
	 
</p>

<p>
	On 20th December, the company, in its quarterly earnings report, shared that it was hit by a ransomware incident in an isolated cloud environment.
</p>

<p>
	The company, however, did not disclose specific details of the attack.
</p>

<p>
	 
</p>

<p>
	HCL Tech further stated that cybersecurity and data protection are top priorities.
</p>

<p>
	 
</p>

<p>
	A detailed investigation, in consultation with relevant stakeholders, was launched to assess the root cause.
</p>

<p>
	 
</p>

<p>
	Ransomware is extortion software designed to lock or encrypt a device or data on a system and then demand a ransom for its release.
</p>

<p>
	 
</p>

<p>
	The attacks follow a simple plan wherein attackers gain access to a device or protected data in the cloud.
</p>

<p>
	 
</p>

<p>
	Depending on the nature of the ransomware, it will then lock or encrypt devices, data stored in the cloud, or the entire internal network of an organisation.
</p>

<p>
	 
</p>

<p>
	Attackers usually leave behind a message with instructions on the ransom amount, mode of transfer, or instructions on how to contact them for further guidance.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Why are ransomware attacks a matter of concern?</strong></span>
</p>

<p>
	<br />
	Indian organisations are increasingly targeted by ransomware attacks.
</p>

<p>
	 
</p>

<p>
	A 2023 study conducted by Sophos, a cybersecurity company, showed that 73% of organisations reported being victims of ransomware attacks, up from 57% the previous year.
</p>

<p>
	 
</p>

<p>
	Of these, 77% of organisations reported that attackers succeeded in encrypting data, with 44% paying the ransom to retrieve their data, a significant drop from 78% the previous year.
</p>

<p>
	 
</p>

<p>
	However, despite paying the ransom, companies that paid doubled their cost of recovering the data held hostage by threat actors compared to organisations that did not pay the ransom and relied on backups.
</p>

<p>
	 
</p>

<p>
	Additionally, according to the Indian ransomware report released by India’s Computer Emergency Response Team (CERT-In), a 51% increase in ransomware incidents was reported in H1 2022, with a majority of these attacks targeting data centres, IT, and TeS sectors in the country.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Why do threat actors target IT organisations?</strong></span>
</p>

<p>
	<br />
	Threat actors tend to focus their attacks on organisations that hold valuable data. The more value the data has to the organisation and its stakeholders, the higher the chances that the ransom will be paid.
</p>

<p>
	 
</p>

<p>
	IT organisations and software vendors hold a lot of valuable data, including sensitive information like intellectual property.
</p>

<p>
	 
</p>

<p>
	If leaked by threat actors, such data could lead to a drop in the value of the software and to its replication, devaluing the company and threatening its revenue streams, which makes IT organisations a valuable target for cybercriminals. IT organisations providing cloud security and data solutions also hold large repositories of data for their clients. Successful attacks on them could potentially open the channel to target supply chains, adding pressure on companies to pay the ransom.
</p>

<p>
	 
</p>

<p>
	Data held by IT organisations could include personally identifiable data of clients’ users, intellectual property, access credentials, and even financial information. This data can be leveraged to launch further attacks. IT organisations are also among the first to adopt new technologies and encourage the use of open architecture, which may not have the highest levels of protection against cyberattacks, making them a target for cybercriminals.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Which other Indian organisations faced ransomware attacks?</strong></span>
</p>

<p>
	<br />
	Earlier this year, in November, a U.S.-based subsidiary of Infosys was reportedly targeted by a ransomware attack. At the time, Infosys McCamish Systems faced an incident involving a ransomware variant.
</p>

<p>
	 
</p>

<p>
	However, the company did not share details of the attack, stating that further information would be provided following a comprehensive investigation.
</p>

<p>
	 
</p>

<p>
	In March, Indian drug manufacturer Sun Pharma was hit by a cyberattack.
</p>

<p>
	 
</p>

<p>
	A ransomware group claimed responsibility for the attack, impacting the company’s revenue due to containment measures implemented to mitigate the damage.
</p>

<p>
	 
</p>

<p>
	In November 2022, a ransomware attack crippled the All India Institute of Medical Sciences (AIIMS) for days. Hackers reportedly demanded ₹200 crores in cryptocurrency from the hospital.
</p>

<p>
	 
</p>


<p>
	<strong><a href="https://www.thehindu.com/sci-tech/technology/why-ransomware-attacks-on-indian-it-firms-are-a-cause-for-concern/article67671833.ece" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20866</guid><pubDate>Mon, 25 Dec 2023 21:20:01 +0000</pubDate></item><item><title>Chameleon malware blocks Android fingerprint authentication to steal your PIN</title><link>https://nsaneforums.com/news/security-privacy-news/chameleon-malware-blocks-android-fingerprint-authentication-to-steal-your-pin-r20861/</link><description><![CDATA[<p>
	Android malware continues to evolve and gain scary new capabilities, like the Chameleon Banking Trojan that was first detected in early 2023. A new update of the malicious app gives it incredible new powers, like blocking fingerprint authentication so it can steal your phone’s PIN code or password.
</p>

<p>
	 
</p>

<p>
	Most Android users should not worry about Chameleon as long as they only download apps from the Google Play store and know how to avoid phishing scams online. Chameleon can only be installed on your device if you download apps from third-party sites.
</p>

<p>
	 
</p>

<p>
	The latest Chameleon malware can come in the form of a Chrome browser app. The dangerous malware is attached to the app, so you think you’re getting a genuine Google product. The fix is simple here: Search for apps on the Play Store and don’t install apps from anywhere else.
</p>

<p>
	 
</p>

<p>
	The cybersecurity researchers at ThreatFabric detailed the newly evolved version of Chameleon.
</p>

<p>
	 
</p>

<p>
	One of the upgrades the malware got is extended reach. It’s been found in the UK and Italy, while the original versions targeted Android users only in Australia and Poland. The early version of the trojan already had dangerous capabilities, targeting a user’s banking and crypto apps:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	This banking trojan displayed a distinctive capability to manipulate a victim’s device, executing actions on the victim’s behalf through a proxy feature. This feature enables advanced maneuvers like Account Takeover (ATO) and Device Takeover (DTO) attacks, particularly targeting banking applications and cryptocurrency services. These functionalities relied on the abuse of Accessibility Service privileges.
</p>

<p>
	 
</p>

<p>
	In Australia, it disguised itself as apps from official institutions, such as the Australian Taxation Office (ATO). In Poland, it masqueraded as popular mobile banking apps.
</p>

<p>
	 
</p>

<p>
	The updated version seen spreading in Europe poses as Google Chrome downloads.
</p>

<p>
	 
</p>

<p>
	Once installed, Chameleon will try to do two things: Enable Accessibility Services and turn off biometric prompts.
</p>

<p>
	 
</p>

<p>
	For the former, the malware will look for the Android version of the phone. If it detects Android 13 or later, it’ll display an HTML page guiding the user through a process that enables Accessibility Services on the device. The page will provide step-by-step guidance and might look like a genuine help page to unsuspecting victims.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="chameleon-android-malware-biometric-bypa" class="ipsImage" data-ratio="75.00" height="405" width="720" src="https://bgr.com/wp-content/uploads/2023/12/chameleon-android-malware-biometric-bypass.jpg?quality=82" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Chameleon Android malware will try to force PIN unlocks instead of biometrics. Image source: ThreatFabric</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	The second new power that Chameleon got is the ability to disable biometric authentication in favor of the PIN:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	This method employs the KeyguardManager API and AccessibilityEvent to assess the screen and keyguard status. It evaluates the keyguard’s state concerning various locking mechanisms, such as pattern, PIN, or password. Upon meeting the specified conditions, the malware utilizes the AccessibilityEvent action to transition from biometric authentication to PIN authentication. This bypasses the biometric prompt, allowing the trojan to unlock the device at will.
</p>

<p>
	 
</p>

<p>
	This feature will let the malware steal PINs and passwords via a keylogger. This could allow thieves to actually steal and use the handset.
</p>

<p>
	 
</p>

<p>
	Alternatively, forcing a PIN authentication might be convenient if hackers can use the malware to operate the handset remotely. They could unlock the screen and apps protected by the same fingerprint and password combination. While that’s speculation, it’s clear that Chameleon is a more advanced, more dangerous version than the early 2023 variant.
</p>

<p>
	 
</p>

<p>
	Finally, the researchers at ThreatFabric say Chameleon also has improved task scheduling features and can adapt to the apps the user might use on the device. The malware might inject features into an app, like displaying fake screens that might look genuine if accessibility features are turned on. Otherwise, the malware might collect data about the apps that are in the foreground.
</p>

<p>
	 
</p>

<p>
	Google is aware of the threat and told The Hacker News that Play Protect will guard users from the threat:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem. Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.
</p>

<p>
	 
</p>

<p>
	But ultimately, it’s up to you to avoid downloading apps from untrusted sources. That means never clicking on suspicious links you might receive via email or instant chat apps. All that goes double if you have a phone without Google Play Services installed. That’s the only way to get that Play Protect feature that Google has enabled by default on devices with the Google Play store installed.
</p>

<p>
	 
</p>

<p>
	I’ll also say that if you own an Android phone that lacks support for Google apps, you probably should avoid trying to download these Google apps from anywhere. That’s how you might get into trouble.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://bgr.com/tech/chameleon-malware-blocks-android-fingerprint-authentication-to-steal-your-pin/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20861</guid><pubDate>Mon, 25 Dec 2023 20:14:10 +0000</pubDate></item><item><title>Google Chrome now scans for compromised passwords in the background</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-now-scans-for-compromised-passwords-in-the-background-r20859/</link><description><![CDATA[<p>
	Google says the Chrome Safety Check feature will work in the background to check if passwords saved in the web browser have been compromised.
</p>

<p>
	 
</p>

<p>
	Chrome will also alert desktop users about extensions flagged as dangerous (taken down from the Chrome Web Store), whether they are running the latest Chrome version, and whether Safe Browsing is enabled to block websites on Google's list of potentially unsafe sites.
</p>

<p>
	 
</p>

<p>
	"Safety Check for Chrome on desktop will now run automatically in the background," <a href="https://blog.google/products/chrome/google-chrome-december-2023-update/" rel="external nofollow" target="_blank">said</a> Chrome Group Product Manager Sabine Borsay. "These alerts will appear in the three-dot menu in Chrome so you can take action."
</p>

<p>
	 
</p>

<p>
	Additionally, Google will broaden Safety Check's functionality to automatically revoke permissions, such as access to the users' location or microphone, for websites that haven't been visited for a long time.
</p>

<p>
	 
</p>

<p>
	Safety Check is also being upgraded to flag less-engaged sites showing excessive numbers of notifications and allow users to quickly disable them.
</p>

<p>
	 
</p>

<p>
	Unveiled <a href="https://www.bleepingcomputer.com/news/google/google-chrome-will-soon-warn-you-when-using-weak-passwords/" target="_blank" rel="external nofollow">in December 2020</a>, Safety Check compares login credentials against those exposed in data leaks. It also checks for weak and easy-to-guess passwords that expose users to brute-force attacks or password-cracking attempts.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Chrome_Safety_Check_Updates.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Chrome_Safety_Check_Updates.webp">
	</p>

	<div style="text-align: left;">
		<em>Chrome Safety Check updates (Google)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Over the coming weeks, Google will also introduce a new Chrome feature enabling desktop users to save tab groups and resume browsing on other desktop devices.
</p>

<p>
	 
</p>

<p>
	Chrome performance controls like Memory Saver mode are also getting upgraded with more info on how they make the browser run smoother.
</p>

<p>
	 
</p>

<p>
	"We recently added more details about your tabs' memory usage when you hover over them in Memory Saver mode, including the potential memory saved when they go inactive. And we've made it easier to specify sites that should always remain active," Borsay said.
</p>

<p>
	 
</p>

<p>
	Google further enhanced Chrome users' internet security by <a href="https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users/" target="_blank" rel="external nofollow">automatically upgrading</a> all insecure HTTP requests to HTTPS requests.
</p>

<p>
	 
</p>

<p>
	A limited rollout of this feature began in July, but as of <a href="https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users/" target="_blank" rel="external nofollow">October 2023</a>, it has now been rolled out to all users in the Stable channel.
</p>

<p>
	 
</p>

<p>
	The company also announced in September that the Safe Browsing feature has enabled <a href="https://www.bleepingcomputer.com/news/google/google-is-enabling-chrome-real-time-phishing-protection-for-everyone/" target="_blank" rel="external nofollow">real-time phishing protection</a> for all users using a locally stored list of URLs known to be malicious.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-chrome-now-scans-for-compromised-passwords-in-the-background/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20859</guid><pubDate>Mon, 25 Dec 2023 18:39:10 +0000</pubDate></item><item><title>GTA 5 source code reportedly leaked online a year after RockStar hack</title><link>https://nsaneforums.com/news/security-privacy-news/gta-5-source-code-reportedly-leaked-online-a-year-after-rockstar-hack-r20858/</link><description><![CDATA[<p>
	The source code for Grand Theft Auto 5 was reportedly leaked on Christmas Eve, a little over a year after the Lapsus$ threat actors hacked Rockstar games and stole corporate data.
</p>

<p>
	 
</p>

<p>
	Links to download the source code were shared on numerous channels, including Discord, a dark web website, and a Telegram channel that the hackers previously used to leak stolen Rockstar data.
</p>

<p>
	 
</p>

<p>
	In a post to a Grand Theft Auto leak channel on Telegram, the channel owner known as 'Phil' posted links to the stolen source code, sharing a screenshot of one of the folders.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="leaked-source-code.jpg" class="ipsImage" data-ratio="75.10" height="540" width="627" src="https://www.bleepstatic.com/images/news/security/attacks/r/rockstar-games/gta-5-leak/leaked-source-code.jpg">
	</p>

	<div style="text-align: left;">
		<em>Alleged folder of GTA 5 source code. Source: Telegram</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The channel owner also paid homage to Lapsus$ hacker Arion Kurtaj, who previously <a href="https://www.bleepingcomputer.com/news/security/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack/" target="_blank" rel="external nofollow">leaked pre-release videos of Grand Theft Auto 6</a> under the name 'teapotuberhacker.' 
</p>

<p>
	 
</p>

<p>
	Kurtaj was recently <a href="https://www.bleepingcomputer.com/news/security/lapsus-hacker-behind-gta-6-leak-gets-indefinite-hospital-sentence/" target="_blank" rel="external nofollow">sentenced to an indefinite hospital</a> stay by a UK judge for hacking into Rockstar and <a href="https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/" target="_blank" rel="external nofollow">Uber</a>.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	"#FreeArionKurtaj<br>
	He started all of this and ensured the leak would become public.<br>
	I have immense respect for him. <br>
	Miss you buddy.<br>
	<br>
	If you want to take a trip down memory lane, check out the list of pinned messages to see how it all unfolded in 2022. Arion actively talked in here."
</blockquote>

<p>
	 
</p>

<p>
	<img alt="gta-telegram-post.jpg" class="ipsImage" data-ratio="57.18" height="410" width="717" src="https://www.bleepstatic.com/images/news/security/attacks/r/rockstar-games/gta-5-leak/gta-telegram-post.jpg">
</p>

<p>
	 
</p>

<p>
	Rockstar Games was hacked in 2022 by members of the notorious Lapsus$ hacking group, who gained access to the company's internal Slack server and Confluence wiki.
</p>

<p>
	 
</p>

<p>
	At the time, the threat actors claimed to have stolen the GTA 5 and GTA 6 source code and assets, including a GTA 6 testing build, with some of the stolen content leaked on forums and Telegram. The threat actor also shared GTA 5 source code samples as proof that they had stolen the data.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="telegram.jpg" class="ipsImage" data-ratio="52.08" height="337" width="720" src="https://www.bleepstatic.com/images/news/security/g/gcore/telegram.jpg">
	</p>

	<div style="text-align: left;">
		<em>Hacker selling GTA V source code on Telegram in 2022. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Security research group vx-underground says they spoke to the leaker on Discord, who said the source code was leaked sooner than expected.
</p>

<p>
	 
</p>

<p>
	"They claim to have received the source code August, 2023," reads a <a href="https://twitter.com/vxunderground/status/1739263588408164859" rel="external nofollow" target="_blank">post by vx-underground</a>.
</p>

<p>
	 
</p>

<p>
	"Their motivation was to combat scamming in the GTA V modding scene, many people were allegedly scammed by people claiming to have the GTA V source code."
</p>

<p>
	 
</p>

<p>
	While BleepingComputer reviewed the leak, which appears to be legitimate GTA 5 source code, we could not independently verify its authenticity.
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted Rockstar about the leak but did not receive a response, likely due to the holidays.
</p>

<h2>
	The Lapsus$ hackers
</h2>

<p>
	The Lapsus$ hackers stood out for their <a href="https://www.bleepingcomputer.com/news/security/lapsus-hackers-took-sim-swapping-attacks-to-the-next-level/" target="_blank" rel="external nofollow">skills at performing social engineering and SIM swapping attacks</a> to breach corporate networks.
</p>

<p>
	 
</p>

<p>
	Some known cyberattacks attributed to the hacking group include Uber, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/" target="_blank" rel="external nofollow">Microsoft</a>, Rockstar Games, <a href="https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/" target="_blank" rel="external nofollow">Okta</a>, <a href="https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/" target="_blank" rel="external nofollow">Nvidia</a>, <a href="https://www.bleepingcomputer.com/news/security/e-commerce-giant-mercado-libre-confirms-source-code-data-breach/" target="_blank" rel="external nofollow">Mercado Libre</a>, <a href="https://www.bleepingcomputer.com/news/security/t-mobile-confirms-lapsus-hackers-breached-internal-systems/" target="_blank" rel="external nofollow">T-Mobile</a>, <a href="https://www.bleepingcomputer.com/news/security/ubisoft-confirms-cyber-security-incident-resets-staff-passwords/" target="_blank" rel="external nofollow">Ubisoft</a>, <a href="https://www.bleepingcomputer.com/news/security/vodafone-portugal-4g-and-5g-services-down-after-cyberattack/" target="_blank" rel="external nofollow">Vodafone</a>, and <a href="https://www.bleepingcomputer.com/news/security/hackers-leak-190gb-of-alleged-samsung-data-source-code/" target="_blank" rel="external nofollow">Samsung</a>.
</p>

<p>
	 
</p>

<p>
	As part of these attacks, the threat actors would attempt to extort the companies by threatening to leak stolen data, which in many cases was source code and customer data.
</p>

<p>
	 
</p>

<p>
	The success of these attacks led the Department of Homeland Security (DHS) Cyber Safety Review Board to <a href="https://www.bleepingcomputer.com/news/security/dhs-cyber-safety-board-to-review-lapsus-gang-s-hacking-tactics/" target="_blank" rel="external nofollow">analyze their tactics</a> and share recommendations for preventing similar attacks in the future.
</p>

<p>
	 
</p>

<p>
	While the Lapsus$ group has not been very active after members were arrested, BleepingComputer was told some of the members are now believed to be active in the loose-knit <a href="https://www.bleepingcomputer.com/news/security/fbi-shares-tactics-of-notorious-scattered-spider-hacker-collective/" target="_blank" rel="external nofollow">hacking collective known as Scattered Spider</a>.
</p>

<p>
	 
</p>

<p>
	Scattered Spider shares similar tactics to Lapsus$, utilizing social engineering, phishing, <a href="https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/" target="_blank" rel="external nofollow">MFA fatigue</a>, and SIM swapping attacks to gain initial network access to large organizations.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/gta-5-source-code-reportedly-leaked-online-a-year-after-rockstar-hack/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20858</guid><pubDate>Mon, 25 Dec 2023 18:37:42 +0000</pubDate></item><item><title>I&#x2019;m a hacker &#x2014; 5 signs your accounts have been compromised</title><link>https://nsaneforums.com/news/security-privacy-news/i%E2%80%99m-a-hacker-%E2%80%94-5-signs-your-accounts-have-been-compromised-r20854/</link><description><![CDATA[<p>
	Beware, cybercriminals may have access to your personal information — but there are some ways to spot it. 
</p>

<p>
	 
</p>

<p>
	“White hat hacker” Ash Shatrieh, a cyber wiz who works with people to identify their vulnerabilities to cyber attacks, shared his tips for how to see if a hacker could be accessing your accounts — and what to do if you suspect they are.
</p>

<p>
	 
</p>

<p>
	“In response to any suspicious account activity, you should contact the service provider and reset your password to something strong, ideally random letters, numbers and characters,” Shatrieh, who works as a Threat Intelligence Researcher at F-Secure, told the Daily Mail.
</p>

<p>
	 
</p>

<p>
	“In some cases, your device (like a PC) might even be compromised by info-stealing malware, in which case it’s important to run an antivirus scan on your computer,” he added. 
</p>

<p>
	 
</p>

<p>
	If you think you’ve been hacked, or you want to check that your data is safe, look out for the following warning signs, according to Shatrieh.
</p>

<p>
	 
</p>

<p>
	The social media algorithm is attuned to your interests so if you see content you normally don’t in your feed, it could be a sign someone else has been tinkering with your account. 
</p>

<p>
	 
</p>

<p>
	“Be alert to changes in the content you’re seeing on social media. Sudden shifts, such as an influx of posts in unfamiliar languages or suggestions from accounts you haven’t engaged with, could indicate suspicious activity,” Shatrieh said.
</p>

<p>
	 
</p>

<p>
	“Social media algorithms are tailored to your preferences, and unexpected changes might signify unauthorized access,” he added.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Small banking transactions</strong></span>
</p>

<p>
	 
</p>

<p>
	If a hacker can access your online banking account, they may test the waters by making a few small transactions before going after the big kahuna. 
</p>

<p>
	Shatrieh offered his two cents. 
</p>

<p>
	 
</p>

<p>
	“Regularly review bank or credit card statements for unauthorized transactions. Hackers might initiate small transactions as a test before attempting larger ones,” he explained. 
</p>

<p>
	 
</p>

<p>
	“Stay vigilant, even with seemingly insignificant amounts and report any suspicious transactions to your bank immediately. If you see attempts to spend on your card, call your bank and cancel the card,” the cyber wiz added. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Messages without notifications</strong></span>
</p>

<p>
	 
</p>

<p>
	If you see emails or other kinds of messages on your various accounts but aren’t getting your usual notifications, it could mean that those notifications are going somewhere else.
</p>

<p>
	 
</p>

<p>
	“Be wary if you observe the presence of new, unread emails without receiving corresponding notifications and experience delays in delivery,” he warned.
</p>

<p>
	 
</p>

<p>
	“This could be an indication that hackers have set up rules which can divert or hide emails from your inbox, suggesting that the hacker may be selectively releasing certain messages while concealing others,” he added. 
</p>

<p>
	 
</p>

<p>
	Shatrieh said to be attuned to the signs your email might be compromised. 
</p>

<p>
	 
</p>

<p>
	“Check your Inbox settings to see if there are rules diverting emails to addresses you don’t know,” he said. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>A yellow email banner</strong></span>
</p>

<p>
	<br />
	If you see yellow — don’t be mellow.
</p>

<p>
	 
</p>

<p>
	If you’re accessing your Gmail from a desktop computer, you’ll be able to see if anyone has logged into your account from a new location. 
</p>

<p>
	If you’re in California and you have a login from Idaho despite never being there, chances are you have a hacker.
</p>

<p>
	 
</p>

<p>
	“Regularly check activity logs provided by services to monitor login timestamps and IP addresses,” he said. 
</p>

<p>
	 
</p>

<p>
	“For instance, in Gmail, an unfamiliar location might trigger a yellow banner at the bottom. Investigate unusual activity, revoke unknown sessions (you can also request to sign out on all logged-in devices), and secure your account promptly by resetting your login credentials. Remember, compromised devices may lead to a compromised account.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Suspended account</strong></span>
</p>

<p>
	<br />
	If your account has been suspended and you don’t know why — a hacker could be the cause.
</p>

<p>
	 
</p>

<p>
	“Watch for unexpected account terminations. If you receive notifications about account suspensions or terminations, it might indicate malicious activities,” he said.
</p>

<p>
	 
</p>

<p>
	“Contact the service providers immediately to investigate and resolve the issue.”
</p>

<p>
	 
</p>

<p>
	If you’re suddenly logged out, this can also be a warning sign, he added.
</p>

<p>
	 
</p>

<p>
	Signs of login attempts you didn’t authorize or a logged-out account could mean someone else is at the helm.
</p>

<p>
	 
</p>

<p>
	“If you find yourself repeatedly logged out without initiating it, investigate for suspicious login attempts,” he said.  
</p>

<p>
	 
</p>

<p>
	“Check your active sessions, trusted devices and logging-in devices list and if anything looks suspicious then revoke access, change your password and check that multi-factor authentication is set up and working properly.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://nypost.com/2023/12/25/tech/im-a-hacker-5-signs-your-accounts-have-been-compromised/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20854</guid><pubDate>Mon, 25 Dec 2023 16:01:36 +0000</pubDate></item><item><title>The Week in Ransomware - December 22nd 2023 - BlackCat hacked</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-december-22nd-2023-blackcat-hacked-r20815/</link><description><![CDATA[<p>
	Earlier this month, the BlackCat/ALPHV ransomware operation suffered a <a href="https://www.bleepingcomputer.com/news/security/alphv-ransomware-site-outage-rumored-to-be-caused-by-law-enforcement/" rel="external nofollow" target="_blank">five-day disruption</a> to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/" rel="external nofollow" target="_blank">FBI revealed this week</a> that they hacked the BlackCat/ALPHV ransomware operation, which <a href="https://www.bleepingcomputer.com/news/security/fbi-alphv-ransomware-raked-in-300-million-from-over-1-000-victims/" rel="external nofollow" target="_blank">raked in $300 million from over 1,000 victims</a>. While quietly surveilling the ransomware gang, law enforcement retrieved decryption and Tor private keys.
</p>

<p>
	 
</p>

<p>
	Law enforcement says that they were able to help decrypt 400 victims for free using the retrieved decryptors and <a href="https://www.bleepingcomputer.com/news/security/how-the-fbi-seized-blackcat-alphv-ransomwares-servers/" rel="external nofollow" target="_blank">used the Tor private keys to seize the URLs</a> for the gang's data leak site and negotiation sites.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="alphv-seizure-page.jpg" class="ipsImage" data-ratio="75.10" height="530" width="720" src="https://www.bleepstatic.com/images/news/ransomware/b/blackcat-alphv/law-enforcement-operation/alphv-seizure-page.jpg">
	</p>

	<div style="text-align: left;">
		<em>FBI seizure message on BlackCat's data leak site. Source: BleepingComputer.com</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, as the threat actors and the FBI have the same keys, there has been a constant tug of war as they both "reseize" the URL.
</p>

<p>
	 
</p>

<p>
	Some have seen this constant change in ownership of the URL as a failed operation by law enforcement. However, retrieving 400 decryption keys and likely more data from the hacked servers has significantly tarnished the ransomware operation's reputation.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has learned that this has caused some affiliates to contact victims directly via email, as they have lost trust in the ransomware gang's ability to secure the servers. Others are said to have moved to competing ransomware operations, such as LockBit.
</p>

<p>
	 
</p>

<p>
	Now, LockBitSupp (the operator of LockBit) and the BlackCat operator have discussed creating a "cartel" to join forces against law enforcement.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="blackcat-cartel-post.jpg" class="ipsImage" data-ratio="64.44" height="237" width="720" src="https://www.bleepstatic.com/images/news/security/blackcat-cartel-post.jpg">
	</p>

	<div style="text-align: left;">
		<em>Post by BlackCat operator about creating a cartel. Source: 3xp0rt</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Previous "ransomware cartels" allegedly <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-team-up-to-form-extortion-cartel/" rel="external nofollow" target="_blank">created by Maze</a> didn't succeed in helping the ransomware operation, as Ukrainian police arrested gang members <a href="https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/" rel="external nofollow" target="_blank">after they rebranded as Egregor</a>.
</p>

<p>
	 
</p>

<p>
	We also learned this week about new ransomware attacks or information about old ones, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		Akira <a href="https://www.bleepingcomputer.com/news/security/nissan-australia-cyberattack-claimed-by-akira-ransomware-gang/" rel="external nofollow" target="_blank">claimed the ransomware attack</a> on Nissan Australia.
	</li>
	<li>
		A ransomware attack on ESO Solutions <a href="https://www.bleepingcomputer.com/news/security/healthcare-software-provider-data-breach-impacts-27-million/" rel="external nofollow" target="_blank">exposed the data of 2.7 million people</a>.
	</li>
	<li>
		University of Buenos Aires (UBA) <a href="https://www.clarin.com/tecnologia/uba-sufrio-ciberataque-docentes-alumnos-pueden-acceder-sistemas_0_hSLyvy1RGy.html" rel="external nofollow" target="_blank">suffered a ransomware cyberattack</a>.
	</li>
	<li>
		Vans, North Face, Supreme owner <a href="https://www.bleepingcomputer.com/news/security/vans-and-north-face-owner-vf-corp-hit-by-ransomware-attack/" rel="external nofollow" target="_blank">VF Corp hit by ransomware attack</a>.
	</li>
</ul>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" role="link" tabindex="-1" target="_blank">@BrettCallow</a>, <a href="https://twitter.com/PRODAFT" rel="external nofollow" target="_blank">@PRODAFT</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" target="_blank">@AShukuhi</a>, <a href="https://twitter.com/uuallan" rel="external nofollow" target="_blank">@uuallan</a>, <a href="https://twitter.com/SophosXOps" rel="external nofollow" target="_blank">@SophosXOps</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/3xp0rtblog" rel="external nofollow" role="link" tabindex="-1" target="_blank">@3xp0rtblog</a>, <a href="https://twitter.com/oct0xor" rel="external nofollow" target="_blank">@oct0xor</a>, <a href="https://twitter.com/MorganDemboski" rel="external nofollow" target="_blank">@MorganDemboski</a>, and <a href="https://twitter.com/juanbrodersen" rel="external nofollow" target="_blank">@juanbrodersen</a>.
</p>

<h2>
	December 18th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/mortgage-giant-mr-cooper-data-breach-affects-147-million-people/" rel="external nofollow" target="_blank">Mortgage giant Mr. Cooper data breach affects 14.7 million people</a>
</h3>

<p>
	Mr. Cooper is sending data breach notifications warning that a recent cyberattack has exposed the data of 14.7 million customers who have, or previously had, mortgages with the company.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-play-ransomware-breached-300-victims-including-critical-orgs/" rel="external nofollow" target="_blank">FBI: Play ransomware breached 300 victims, including critical orgs</a>
</h3>

<p>
	The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/vans-and-north-face-owner-vf-corp-hit-by-ransomware-attack/" rel="external nofollow" target="_blank">Vans and North Face owner VF Corp hit by ransomware attack</a>
</h3>

<p>
	American global apparel and footwear giant VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, has disclosed a security incident that caused operational disruptions.
</p>

<h3>
	<a href="https://www.clarin.com/tecnologia/uba-sufrio-ciberataque-docentes-alumnos-pueden-acceder-sistemas_0_hSLyvy1RGy.html" rel="external nofollow" target="_blank">The UBA suffered a ransomware cyber attack: teachers and students cannot access the systems</a>
</h3>

<p class="bc_quote">
	The University of Buenos Aires (UBA) suffered a ransomware cyberattack, a type of malicious program that encrypts the victim's files, makes them inaccessible, and demands ransom money in exchange. Since Thursday, servers in part of the educational institution have been compromised, and this prevents teachers and students from managing grades, enrolling in summer courses, and more.
</p>

<h2>
	December 19th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/" rel="external nofollow" target="_blank">FBI disrupts Blackcat ransomware operation, creates decryption tool</a>
</h3>

<p>
	The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/how-the-fbi-seized-blackcat-alphv-ransomwares-servers/" rel="external nofollow" target="_blank">How the FBI seized BlackCat (ALPHV) ransomware’s servers</a>
</h3>

<p>
	An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operation's websites and seized the associated URLs.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-alphv-ransomware-raked-in-300-million-from-over-1-000-victims/" rel="external nofollow" target="_blank">FBI: ALPHV ransomware raked in $300 million from over 1,000 victims</a>
</h3>

<p>
	The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).
</p>

<h3>
	<a href="https://resources.prodaft.com/wazawaka-report" rel="external nofollow" target="_blank">Smoke and Mirrors: Understanding The Workings of Wazawaka</a>
</h3>

<p class="bc_quote">
	This research provides a comprehensive analysis of Wazawaka’s background, affiliations, and tactics in the threat landscape associated with his activities. It includes information about Wazawaka’s team and his close relations with other threat actors.
</p>

<h2>
	December 20th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/healthcare-software-provider-data-breach-impacts-27-million/" rel="external nofollow" target="_blank">Healthcare software provider data breach impacts 2.7 million</a>
</h3>

<p>
	ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fake-f5-big-ip-zero-day-warning-emails-push-data-wipers/" rel="external nofollow" target="_blank">Fake F5 BIG-IP zero-day warning emails push data wipers</a>
</h3>

<p>
	The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1737424822240461205" rel="external nofollow" target="_blank">New BO Team ransomware</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new ransomware that appends the <strong>.bot</strong> extension and drops a ransom note named <strong>How To Restore Your Files.txt</strong>.
</p>

<h2>
	December 21st 2023
</h2>

<h3>
	<a href="https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/" rel="external nofollow" target="_blank">Akira, again: The ransomware that keeps on taking</a>
</h3>

<p class="bc_quote">
	Following our initial report on Akira ransomware, Sophos has responded to over a dozen incidents involving Akira impacting various sectors and regions. According to our dataset, Akira has primarily targeted organizations located in Europe, North America, and Australia, and operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.
</p>

<h3>
	<a href="https://securelist.com/windows-clfs-exploits-ransomware/111560/" rel="external nofollow" target="_blank">Windows CLFS and five exploits used by ransomware operators</a>
</h3>

<p class="bc_quote">
	Seeing a Win32k driver zero-day being used in attacks isn’t really surprising these days, as the design issues with that component are well known and have been exploited time and time again. But we had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1737718545184624656" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk found a new ransomware that appends a unique extension and drops ransom notes named <strong>info.txt</strong> and <strong>info.hta</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1737748482281111650" rel="external nofollow" target="_blank">New Tprc ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware that appends the <strong>.tprc</strong> extension and drops a ransom note named <strong>!RESTORE!.txt</strong>.
</p>

<h2>
	December 22nd 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/nissan-australia-cyberattack-claimed-by-akira-ransomware-gang/" rel="external nofollow" target="_blank">Nissan Australia cyberattack claimed by Akira ransomware gang</a>
</h3>

<p>
	Japanese car maker Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-22nd-2023-blackcat-hacked/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20815</guid><pubDate>Sat, 23 Dec 2023 06:58:53 +0000</pubDate></item><item><title>Report Warns of 'Catastrophic' Medical Device Security Risks</title><link>https://nsaneforums.com/news/security-privacy-news/report-warns-of-catastrophic-medical-device-security-risks-r20807/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Majority of Connected Medical Devices Contain Critical Vulnerabilities, FBI Says</span>
</p>

<p>
	A majority of medical devices in the U.S. carry critical vulnerabilities that can result in "potential catastrophic impact to hospital operations and patient care," according to a new Government Accountability Office report.
</p>

<p>
	The report, published Thursday, says federal agencies are failing to provide healthcare providers and patients with adequate resources and information to address these flaws in medical devices.
</p>

<p>
	Threat actors have not been widely known to exploit vulnerabilities in medical devices, according to the Department of Health and Human Services, but the GAO said it still considers such devices "a source of cybersecurity concern."
</p>

<p>
	Healthcare systems, patients and other key stakeholders have reported difficulties in understanding vulnerability communications from the federal government surrounding threats to medical devices, the report says.
</p>

<p>
	According to the FBI, 53% of connected medical devices and internet of things devices in hospitals contain known critical vulnerabilities, and the average medical device contains more than six vulnerabilities. Critical medical devices - including pacemakers, insulin pumps, intracardiac defibrillators, mobile cardiac telemetry and intrathecal pain pumps - are the most affected.
</p>

<p>
	The report details a potential scenario in which a threat actor gains unauthorized access to a healthcare provider's computer network by exploiting a vulnerability and then takes command of a server to which a heart monitor is connected. The threat actor could manipulate permissions to take control of all heart monitors and power them off, putting patients at risk. The threat actor could then compromise other medical devices on the hospital network through a lateral attack.
</p>

<p>
	The GAO found that medical devices commonly use insecure default configurations, such as factory settings or manufacturer administrative passwords, which can allow threat actors to gain unauthorized access, inject data and execute commands. The report also says that legacy devices built decades ago "may have not been designed with cybersecurity in mind" and as a result it "may be difficult to secure them in a modern environment."
</p>

<p>
	The GAO directed the Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency to update a five-year-old agreement on security guidance for device manufacturers, public alerts regarding known vulnerabilities and more.
</p>

<p>
	The report says that the agreement failed to address a variety of cybersecurity practices for medical devices and needs to be updated to reflect organizational and procedural changes.
</p>

<p>
	Recent legislation has given the Food and Drug Administration the authority to establish cybersecurity requirements for medical devices. Medical device manufacturers are required to submit their plans to monitor, identify and address cybersecurity vulnerabilities for all new medical devices introduced to consumers as of March 2023.
</p>

<p>
	<strong><a href="https://www.govinfosecurity.com/report-warns-catastrophic-medical-device-security-risks-a-23961" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20807</guid><pubDate>Fri, 22 Dec 2023 20:53:16 +0000</pubDate></item><item><title>Scammers Are Ruining Facebook Marketplace</title><link>https://nsaneforums.com/news/security-privacy-news/scammers-are-ruining-facebook-marketplace-r20788/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>I tried to sell a futon on Facebook Marketplace and nearly all I got were scammers.</strong></span>
</p>

<p>
	<strong>THIS YEAR</strong>, I decided to get rid of my Amazon starter couch and buy a real one. So I listed the generic, velvet-green futon on Facebook Marketplace, thinking some college students or recent New York transplants would happily scoop it up at a discounted price.
</p>

<p>
	Since September, I have received many inquiries about this couch—nearly all from people who are likely scammers. They respond to the listing and offer me full price in Facebook Messenger from the jump (maybe my first clue: a real Facebook Marketplace veteran knows to haggle). Then, they ask some basic questions that are already in the item’s description: “Where are you located?” “What’s the condition?” Once I’ve repeated myself and given the cross streets closest to my home, there comes another refrain: the buyer says they must pay now, either so that I will take the item off the listing or so that their husband/brother/son/mover, you name it, can come pick up the futon later that day.
</p>

<p>
	Because it seems no real person would offer to send payment over Zelle before ever seeing that the futon is real, I didn’t accept any of these offers.
</p>

<p>
	If I did, it’s likely these people would have sent a phishing link—either as a text to my phone number or in an email—disguised as communication from Zelle, looking to drain me of more money than the couch is worth. For now, I’m stuck with this futon, folded up in the corner of my tiny apartment. So far I’ve been unable to use Facebook Marketplace for its intended purpose: buying and selling useful things among my neighbors.
</p>

<p>
	What happened to me is just one example of the many ways experts say people are getting scammed on Facebook Marketplace. Some scams come from what looks like a seller listing big-ticket items that don’t exist, like a car, and asking for prepaid debit cards purporting to be for eBay and Amazon payments as down payments before vanishing. Peer-to-peer online shopping has always been a buyer-beware endeavor, but sellers themselves are being scammed too. A freelance writer from Australia recounted her own embarrassing story in The Guardian just last month, when she lost $1,000 while trying to sell a pair of boots after plugging sensitive information into a phishing link sent by a scammer.
</p>

<p>
	Facebook is far from the only place scams happen—they’re common across many online selling platforms. But as its Marketplace has soared in popularity since its debut in 2016, scammers have sought to exploit the tool, experts say. Marketplace’s design supplied a layer of transparency and trust for person-to-person transactions; rather than interacting anonymously through a Craigslist ad, people were using profiles that typically included full names and photos. And with an existing Facebook profile, users could upload photos, write descriptions, and seamlessly post a listing with just a few clicks. By 2021, Facebook Marketplace had 1 billion monthly users, growing as ecommerce flourished during the height of the Covid-19 pandemic.
</p>

<p>
	Now, bad actors are relying on that built-in trust to manipulate people out of far more money than their second-hand items may be worth. The scams have become a common feature of the app, and Meta, the $800 billion parent company of Facebook, hasn’t been able to shut them down.
</p>

<p>
	“What happens offline often makes its way into online environments, and that unfortunately includes scams," Ryan Daniels, a Meta spokesperson, tells me. Daniels says the company works “aggressively to quickly identify, disable, and ban scams and accounts associated with them.” The company is also working on a new notification system to “help people better identify potential scams around payment apps" that should begin rolling out over the next few months. Daniels did not share more information about how those notifications will work.
</p>

<p>
	Many scams and attempted scams go unreported, so it’s impossible to understand the scale of the problem. In a 2022 survey of 1,000 people in England, one in six said they were scammed on the marketplace. Another 2022 survey of 1,000 people in the US found that 62 percent had encountered a scam on Facebook. From January 2022 to November 2023, the Better Business Bureau’s scam tracker logged more than 1,200 reports that mentioned Facebook Marketplace in the US and Canada.
</p>

<p>
	The scammers targeting me followed the same script: two messages from different accounts even included the same odd spacing format and just changed a word or two from each other, asking: “Alright I hope this is a legit post because I will be paying the $100 now so you can mark the item as sold my sister will come pick it up but I’ll send the money?” As more of these messages flowed into my DMs, I insisted on being paid in person, and the potential buyers vanished after one or two more wild excuses as to why that wouldn’t be possible. When I wrote “bye, scammer” to one, they replied with “lmao” just before I reported the profile to Facebook.
</p>

<p>
	The scams follow similar patterns, because fraudsters conduct business like multilevel marketers, says Adrianus Warmenhoven, a member of the security advisory board for network security company NordVPN. Someone may develop a scam, then sell it as a toolkit with scripts and phishing links. People also can buy orphaned and hacked Facebook accounts, giving them access to profiles that look like real people with long account histories. Many of the messages I received came from accounts that were created a decade ago or more, showing that these aren’t new accounts created for the sole purpose of scamming people on Marketplace. “A lot of criminal stuff is not being executed by computer-savvy or even criminal-savvy people,” Warmenhoven says. Some of these tools, experts say, are sold on the dark web. But there are also chats on Telegram advertising hundreds of bundled bunches of Facebook accounts from specific countries for sale in bulk. Telegram did not respond to a request for comment.
</p>

<p>
	Some scams encourage people to upgrade their Zelle accounts to a business tier to receive money from a buyer, according to the Better Business Bureau, and come from emails mimicking Zelle, but with different domains. That upgrade appears to cost $300, and the buyer promises to send it if the seller will then refund it. The catch: the $300 was never sent and appeared only in faked screenshots or emails. So, when the seller sends $300, they're really just losing the money.
</p>

<p>
	Zelle’s website notes that it will send emails only from domains ending in @zelle.com and @zellepay.com, and any others could be scams. The company did not answer more specific questions about Facebook Marketplace scams, citing an effort to keep intel from fraudsters.
</p>

<p>
	Other scammers use Google Voice, asking people for their verification code—all under the guise of verifying that the person isn’t a scammer. But with that code, a scammer can then create a Google Voice number using the victim’s phone number, which helps them to conceal their identity for future scams. Additionally, it can help them impersonate someone and get access to their accounts, according to the US Federal Trade Commission.
</p>

<p>
	When asked for comment on Facebook Marketplace scams, Google pointed to guidance it posts for people to not share their verification codes, and the company has ways for people to reclaim stolen Google Voice numbers.
</p>

<p>
	Experts say the constantly evolving nature of scams makes them tricky for companies to defeat. “It’s a giant game of whack-a-mole,” says Zulfikar Ramzan, chief scientist with digital security company Aura. “They change something about the way they’ve done a scam. It’s really difficult for any organization to keep up with that volume at scale.”
</p>

<p>
	Meta has continued to grow Facebook Marketplace even as scams linger. A 2022 ProPublica investigation found that Facebook Marketplace scams had run rampant and that the company was potentially understaffed to a degree that impeded its ability to stop scammers. In addition to in-house workers, Meta had contracted 400 Accenture workers around the world and gave each person more than 600 complaints or requests for help to process each day. Even worse, ProPublica found a number of alleged armed robberies and murders had occurred in relation to Facebook Marketplace meetups. Meta, Facebook’s parent company, did not answer questions about how it monitors scams now and the information in the ProPublica investigation.
</p>

<p>
	Facebook Marketplace has evolved to more than just selling in the neighborhood. There are options to ship products after a sale, and some small shops have used the platform to grow their business. All of these different types of transactions bring different concerns about scams. Marketplace offers purchase protection, but it doesn’t cover payments made through third-party sites like Zelle, items picked up locally, or transactions conducted through Facebook Messenger.
</p>

<p>
	I lost track of the number of people who seemed eager to scam me—I reported lots of scammers and then left chats, which disappeared. A few people may have been legitimately interested but dropped off early in the conversation. In the end, the frustration wasn’t worth the cash. I’m stuck with this couch, and there’s only one solution left. I’m heading over to another side of Facebook entirely: Buy Nothing.
</p>

<p>
	<strong><a href="https://www.wired.com/story/zelle-scammers-are-ruining-facebook-marketplace/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20788</guid><pubDate>Fri, 22 Dec 2023 13:56:34 +0000</pubDate></item><item><title>Crypto drainer steals $59 million from 63k people in Twitter ad push</title><link>https://nsaneforums.com/news/security-privacy-news/crypto-drainer-steals-59-million-from-63k-people-in-twitter-ad-push-r20781/</link><description><![CDATA[<p>
	Google and Twitter ads are promoting sites containing a cryptocurrency drainer named 'MS Drainer' that has already stolen $59 million from 63,210 victims over the past nine months.
</p>

<p>
	Blockchain threat analysts at <a href="https://drops.scamsniffer.io/post/from-google-to-x-ads-tracing-the-crypto-wallet-drainers-58-million-trail/" rel="external nofollow" target="_blank">ScamSniffer</a> say they discovered more than ten thousand phishing websites using the drainer between March 2023 and today, with spikes in activity observed in May, June, and November.
</p>

<p>
	A <a href="https://www.bleepingcomputer.com/news/security/crypto-phishing-service-inferno-drainer-defrauds-thousands-of-victims/" target="_blank" rel="external nofollow">drainer</a> is a malicious smart contract or, in this case, a complete phishing suite designed to drain funds from a user's cryptocurrency wallet without their consent.
</p>

<p>
	Users are taken to a legitimate-appearing phishing website and tricked into approving malicious contracts, allowing the drainer to automatically perform unauthorized transactions and transfer the victim's money to the attacker's wallet address.
</p>

<p>
	The source code for MS Drainer is sold to cybercriminals for $1,500 by a user named 'Pakulichev' or 'PhishLab,' who also charges a 20% fee on any funds stolen with the toolkit. PhishLab also sells add-on modules that bring new features to the malware, costing between $500 and $1,000.
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="MS-drainer.png" class="ipsImage" data-ratio="75.10" height="527" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/MS-drainer.png">
	</p>

	<div style="text-align: left;">
		<em>Post promoting MS Drainer to cybercriminals (ScamSniffer)</em>
	</div>

</div>

<p>
	According to blockchain data on <a href="https://dune.com/scamsniffer/ms-drainer" rel="external nofollow" target="_blank">MS Drainer's activity</a>, one of its Ethereum-chain victims lost $24 million worth of cryptocurrency, while other notable cases involve victims losing between $440,000 and $1.2 million.
</p>

<h2>
	Fraudulent ads on Google and X
</h2>

<p>
	In Google Search, MS Drainer is promoted via malicious ads that are shown for keywords related to DeFi platforms like Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant.
</p>

<p>
	Many of those ads exploit Google Ads' <a href="https://www.bleepingcomputer.com/news/security/fake-cisco-webex-google-ads-abuse-tracking-templates-to-push-malware/" target="_blank" rel="external nofollow">tracking template loophole</a> to make the URL appear as belonging to the spoofed project's official domain. A redirection, though, takes those who click to a phishing site.
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Google-ads.png" class="ipsImage" data-ratio="52.78" height="315" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/Google-ads.png">
	</p>

	<div style="text-align: left;">
		<em>Example of the malicious ads on Google Search (ScamSniffer)</em>
	</div>

</div>

<p>
	On X, better known as Twitter, advertisements for MS Drainer are so abundant that ScamSniffer reports they account for six out of nine phishing ads on their feed.
</p>

<p>
	Notably, many of the scam ads on X are posted from legitimate "verified" accounts that carried the blue tick badge when the ad was shown.
</p>

<p>
	Security researcher <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">MalwareHunterTeam</a>, who has been <a href="http://twitter.com/malwrhunterteam/status/1735697799994380426" rel="external nofollow" target="_blank">tracking</a> <a href="https://twitter.com/malwrhunterteam/status/1735635326343991801" rel="external nofollow" target="_blank">similar</a> <a href="https://twitter.com/malwrhunterteam/status/1735629276962005308" rel="external nofollow" target="_blank">ads</a>, told BleepingComputer they believe the Twitter account holders may have been infected with malware that stole their authentication cookies or passwords, allowing the threat actors to create advertisements from the hacked accounts.
</p>

<p>
	Strangely, when the researcher contacted the owner of an X account that was advertising a cryptocurrency scam, they were told that there was no trace of the ads in their advertising accounts.
</p>

<p>
	On X, the cybercriminals used multiple themes for their ads, including one called "Ordinals Bubbles," which promoted a supposedly limited-edition NFT (non-fungible token) collection featuring various characters encased in bubbles.
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="bubbles.png" class="ipsImage" data-ratio="75.10" height="540" width="529" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/bubbles.png">
	</p>

	<div style="text-align: left;">
		<em>'Ordinals Bubbles' ads on X (ScamSniffer)</em>
	</div>

</div>

<p>
	The ads also promoted NFT airdrops and new token launches on sites that contain the drainer.
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="other-ads.png" class="ipsImage" data-ratio="56.81" height="206" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/other-ads.png">
	</p>

	<div style="text-align: left;">
		<em>Other ads promoting MS Drainer on X (ScamSniffer)</em>
	</div>

</div>

<p>
	ScamSniffer says one detection bypass method employed by these ads is geofencing: only visitors from pre-defined regions are served the phishing page, while everyone else is redirected to legitimate or innocuous websites.
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="geofence.png" class="ipsImage" data-ratio="48.33" height="280" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/geofence.png">
	</p>

	<div style="text-align: left;">
		<em>Landing page changes depending on the visitor's location (ScamSniffer)</em>
	</div>

</div>

<p>
	Cryptocurrency scams <a href="https://www.bleepingcomputer.com/news/security/fraudsters-make-50-000-a-day-by-spoofing-crypto-researchers/" target="_blank" rel="external nofollow">have always performed well on X</a>, but with trustworthy, hacked accounts now displaying advertisements promoting malicious sites, we should expect to see these types of attacks become even more successful.
</p>

<p>
	Users should be very cautious when seeing cryptocurrency-related ads and perform due diligence before signing up to new platforms, let alone connecting their wallets.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/crypto-drainer-steals-59-million-from-63k-people-in-twitter-ad-push/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20781</guid><pubDate>Fri, 22 Dec 2023 02:56:30 +0000</pubDate></item></channel></rss>
