<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/79/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Tesla hit with class action lawsuit over alleged privacy intrusion</title><link>https://nsaneforums.com/news/security-privacy-news/tesla-hit-with-class-action-lawsuit-over-alleged-privacy-intrusion-r14363/</link><description><![CDATA[<p>
	SAN FRANCISCO, April 7 (Reuters) - A California Tesla owner on Friday sued the electric carmaker in a prospective class action lawsuit accusing it of violating the privacy of customers.
</p>

<p>
	 
</p>

<p>
	The lawsuit in the U.S. District Court for the Northern District of California came after Reuters reported on Thursday that groups of Tesla employees privately shared via an internal messaging system sometimes highly invasive videos and images recorded by customers’ car cameras between 2019 and 2022.
</p>

<p>
	 
</p>

<p>
	The lawsuit, filed by Henry Yeh, a San Francisco resident who owns Tesla's Model Y, alleges that Tesla employees were able to access the images and videos for their "tasteless and tortious entertainment" and "the humiliation of those surreptitiously recorded."
</p>

<p>
	 
</p>

<p>
	"Like anyone would be, Mr Yeh was outraged at the idea that Tesla's cameras can be used to violate his family's privacy, which the California Constitution scrupulously protects," Jack Fitzgerald, an attorney representing Yeh, said in a statement to Reuters.
</p>

<p>
	 
</p>

<p>
	"Tesla needs to be held accountable for these invasions and for misrepresenting its lax privacy practices to him and other Tesla owners," Fitzgerald said.
</p>

<p>
	 
</p>

<p>
	Tesla did not immediately respond to Reuters' request for comment.
</p>

<p>
	 
</p>

<p>
	The lawsuit said Tesla’s conduct is "particularly egregious" and "highly offensive."
</p>

<p>
	 
</p>

<p>
	It said Yeh was filing the complaint "against Tesla on behalf of himself, similarly-situated class members, and the general public." The complaint said the prospective class would include individuals who owned or leased a Tesla within the past four years.
</p>

<p>
	 
</p>

<p>
	Reuters reported that some Tesla employees could see customers "doing laundry and really intimate things. We could see their kids," citing a former employee.
</p>

<p>
	 
</p>

<p>
	"Indeed, parents’ interest in their children’s privacy is one of the most fundamental liberty interests society recognizes," the lawsuit said.
</p>

<p>
	 
</p>

<p>
	The lawsuit asks the court "to enjoin Tesla from engaging in its wrongful behavior, including violating the privacy of customers and others, and to recover actual and punitive damages."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/business/autos-transportation/tesla-hit-with-class-action-lawsuit-over-alleged-privacy-intrusion-2023-04-08/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14363</guid><pubDate>Sat, 08 Apr 2023 15:05:54 +0000</pubDate></item><item><title>Consumers, Businesses: It&#x2019;s Time To Self-Protect Against Tax Season Fraud</title><link>https://nsaneforums.com/news/security-privacy-news/consumers-businesses-it%E2%80%99s-time-to-self-protect-against-tax-season-fraud-r14361/</link><description><![CDATA[<p>
	 
</p>

<p>
	Tax fraud schemes in 2022 netted scammers $5.7 billion, more than twice the amount of the previous year, according to the Internal Revenue Service, and there doesn’t appear to be any letup in sight.
</p>

<p>
	 
</p>

<p>
	While scams may be on the rise, the good news is that the core tactics used by fraudsters remain basically unchanged, which means that by understanding the signs of tax fraud and taking measures to counter it, consumers and businesses can avoid becoming victims during tax season.
</p>

<p>
	 
</p>

<p>
	“Threat actors regularly capitalize on tax season,” observed Selena Larson, a senior threat intelligence analyst with Proofpoint, an enterprise security company in Sunnyvale, Calif.
</p>

<p>
	 
</p>

<p>
	“They know a large segment of the population will be dealing with the stress and urgency of filing their taxes correctly and on time,” she told TechNewsWorld. “It is these pressures which make people more susceptible to a tax-themed email offering support or a warning when it’s actually a vessel for fraud.”
</p>

<p>
	 
</p>

<p>
	“And as tax season directly deals with finances, there is an open window for a bigger payday,” she said.
</p>

<p>
	 
</p>

<p>
	Larson added that threat actors are getting more adept at employing social engineering to prey on people’s fears, emotions, and urgency during tax season.
</p>

<p>
	 
</p>

<p>
	“They will leverage the IRS brand and spoof government sites, purporting to be a tax authority either communicating some legitimate piece of needed information — such as a change to a form or a process — or attempting to collect a payment,” she explained.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Data Breach Fueled Growth</strong></span>
</p>

<p>
	 
</p>

<p>
	Larson advised consumers and businesses also to be aware of phony “tax preparation services.” These attacks usually go beyond harvesting simple authentication credentials such as usernames and passwords, she noted, and attempt to steal personal information, including Social Security numbers and bank account details.
</p>

<p>
	 
</p>

<p>
	“Most tax professionals offer excellent advice and can help people navigate complex tax issues,” IRS Commissioner Danny Werfel said in a statement. “But we continue to see instances where taxpayers are ‘ghosted’ by unscrupulous tax preparers with bad advice who quickly disappear.”
</p>

<p>
	 
</p>

<p>
	The sheer amount of personal information circulating on the internet from numerous data breaches has also contributed to the growth of tax fraud.
</p>

<p>
	 
</p>

<p>
	“There’s a lot of information on the internet that can be used in tax fraud schemes,” observed Abigail Showman, senior team lead with Washington, D.C.-based Flashpoint, a provider of threat intelligence, threat analysis, and incident response services, which recently released a report on tax fraud.
</p>

<p>
	 
</p>

<p>
	“A lot of threat actors can collect that information and utilize it pretty easily in tax fraud schemes,” she told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“Every year, more sensitive information about people is lost in data breaches and through other means,” explained Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
</p>

<p>
	 
</p>

<p>
	“This allows attackers to have a huge list of people to target, many of whom they have very detailed information about,” he told TechNewsWorld. “This helps these bad actors make more convincing social engineering emails and other communications.”
</p>

<p>
	 
</p>

<p>
	Threat actors will recycle information, too, noted Showman’s colleague, Tactical Threat Monitoring Analyst Rebecca McHale. “They might apply for unemployment benefits, then turn around and use that personal identifying information for other schemes, including tax fraud,” she told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“They want to get the most bang for the buck from the compromised PII they hijack and steal for malicious purposes,” she said.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Scams Galore</strong></span>
</p>

<p>
	 
</p>

<p>
	In its report on tax fraud, Flashpoint identified several ways fraudsters try to pry information or money out of their targets, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Phishing.</strong> A tried-and-true technique that uses email to get a target to visit a malicious website or to share information from their W-2 form.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Refund scams.</strong> A fraudster will contact a victim and offer to get them a larger-than-expected refund. After the target gives the scammer all the information needed to file a tax return, the trickster will file the return and have the refund sent to himself.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Filing for false tax credits.</strong> When a fraudster files a return for a victim, they’ll include claims for credits for which the target is ineligible.
	</li>
</ul>

<p>
	 
</p>

<p>
	“We’ve seen a lot of student tax credits being filed that way,” McHale said. “That would include the Lifetime Learning credit and the American Opportunity tax credit.”
</p>

<p>
	 
</p>

<p>
	“Students are usually first-time filers and don’t have great identity protection set up yet, like their identity protection PIN and adjusted gross income,” she explained.
</p>

<p>
	 
</p>

<p>
	Amy Nofziger, director of fraud victim support at the AARP, noted that the organization’s Fraud Watch Network Helpline continues to receive calls about IRS Imposter scams.
</p>

<p>
	 
</p>

<p>
	“You will receive a phone call or text saying there is an issue with your tax refund, and you will be arrested,” she told TechNewsWorld. “The scammers will then demand immediate payment, usually by pre-paid gift cards or another non-traditional form of payment like cryptocurrency.”
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Education Is Imperative</strong></span>
</p>

<p>
	 
</p>

<p>
	Spear phishing is prevalent during tax season, observed Dror Liwer, co-founder of Coro, a cloud-based cybersecurity company based in Tel Aviv, Israel. “An attacker impersonates an employee or a vendor, sometimes even the accounting firm the company is using, asking for data or tax documents which they then use either for identity theft or hold for ransom,” he told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“Beyond deploying anti-phishing defenses, accounting departments must be retrained in identifying and reporting phishing attempts,” he recommended.
</p>

<p>
	 
</p>

<p>
	“Simulation ahead of time will highlight which employees need additional training,” he added. Education can be an important weapon in the battle against tax fraud. “It helps potential victims to recognize these scams and stay safe,” Jon Clay, vice president of threat intelligence at Trend Micro, told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“Educate your employees on how phishing works,” he advised. “Ensure they are suspicious of any communications that involve tax returns and financial transactions and have a process for employees to submit suspicious content to IT for review.”
</p>

<p>
	 
</p>

<p>
	He also recommended deploying an email messaging security solution that utilizes machine learning and AI to detect spam and phishing emails.
</p>

<p>
	 
</p>

<p>
	Fraud fighters, however, won’t be the only ones using AI to advance their aims.
</p>

<p>
	 
</p>

<p>
	“We’ve seen anecdotal chatter about exploiting artificial intelligence to facilitate fraud, but this tax season, it hasn’t been widespread,” McHale said. “While we haven’t seen it for this tax season, stay tuned. It’s something we’ll be keeping an eye on during the next tax season.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.technewsworld.com/story/consumers-businesses-its-time-to-self-protect-against-tax-season-fraud-178104.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14361</guid><pubDate>Sat, 08 Apr 2023 01:21:45 +0000</pubDate></item><item><title>You Tube Team sent you a video? It is a scary phishing scam</title><link>https://nsaneforums.com/news/security-privacy-news/you-tube-team-sent-you-a-video-it-is-a-scary-phishing-scam-r14328/</link><description><![CDATA[<p>
	Users from all over the world are receiving seemingly legitimate emails from YouTube these days that turn out to be scams on careful inspection. The emails, which look legitimate at first glance, claim that the YouTube team is sharing a video with the user to inform them about changes to rules and policies.
</p>

<p>
	 
</p>

<p>
	The sender address checks out as legitimate, since it is no-reply@youtube.com, which makes it difficult for users to tell whether the email is genuine or fake.
</p>

<p>
	 
</p>


<p>
	Careful users may notice some oddities in the email, such as the sender name "You Tube Team" or "YouTubeTeam" instead of "YouTube Team", the name Google would actually use. While there is indeed a link to a video, the video's description is attached as well, and it includes a link to a password-protected document on Google Drive together with a warning that users have just a few days to open the document.
</p>

<p>
	 
</p>

<p>
	The channel name links to the channel on YouTube, and by now it may already have been terminated for violating YouTube's impersonation policies. Other channels used in the campaign may still be up; they typically re-upload some genuine YouTube videos to appear legitimate, while the shared videos themselves are set to private and cannot be played.
</p>

<p>
	 
</p>

<p>
	YouTube's official Twitter account has warned users about this new phishing campaign that is targeting YouTube users specifically.
</p>

<h2>
	Behind the curtain of the phishing campaign
</h2>

<p>
	<img alt="share-video-privately.png" class="ipsImage" data-ratio="75.10" height="379" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/share-video-privately.png"></p>


<p>
	 
</p>

<p>
	First of all, it is important to realize that the phishing campaign exploits a legitimate YouTube feature to have the phishing emails sent from YouTube's own domain. This lends the messages credibility and lets them sail past email filters and security tools that key on the sending domain and would otherwise have flagged them as spam.
</p>

<p>
	 
</p>

<p>
	YouTube publishers may set videos that they upload to private. A private video cannot be played even by someone who knows its URL. What publishers may do, however, is share access to these videos with specific users.
</p>

<p>
	 
</p>

<p>
	And it is this sharing functionality that the threat actors are abusing. Private videos may be shared with other YouTube users. All that is required for that is to enter the email address of one or multiple users and check the email option, so that these users receive an email about it.
</p>

<p>
	 
</p>

<p>
	These emails are sent from youtube.com, and they show the channel name, which is a custom name selected by the creator of the channel, the video link, and the video description. All three of those fields are controlled by the sender.
</p>

<p>
	 
</p>

<p>
	Here is a YouTube video that discusses the scam at length:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/KLl7EVtJUIQ?feature=oembed" title="The Latest YouTube Malware Scam" width="200"></iframe>
	</div>
</div>

<h2>
	How to protect yourself from this scam
</h2>

<p>
	Many of the usual protections against phishing campaigns do not apply to this one. The domain of the email checks out and is legitimate.
</p>

<p>
	 
</p>

<p>
	These emails do have red flags, and it is important to realize that these red flags help distinguish legitimate emails coming from YouTube from illegitimate ones:
</p>

<p>
	 
</p>

<ol>
	<li>
		A password protected Google Drive file. Google / YouTube would never use this form of communication.
	</li>
	<li>
		That the video is private (which you would notice when you attempt to play it).
	</li>
	<li>
		That YouTube has not announced the alleged changes to Google accounts anywhere other than in the shared video.
	</li>
</ol>
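<p>
	The red flags above can be checked mechanically. The following is an added example written for this article, not code from ghacks, YouTube or Google. Because the campaign abuses a real YouTube feature, the mail genuinely comes from no-reply@youtube.com, so a sender-domain check alone passes; the code therefore inspects the fields the scammer controls (channel name, subject template and video description). The two sample messages are constructed for the example, the video and file IDs are made up, and the regular expressions and the scoring rule are this example's own heuristics, not anything Google publishes.
</p>

```python
"""Red-flag scoring for YouTube "shared a private video with you" notifications.

Added example for the article above; not code from ghacks, YouTube or Google.
The sender really is @youtube.com, so only the attacker-controlled content
(channel name, subject built from it, video description) can give the scam away.
"""
import re
from urllib.parse import urlparse

# Hosts of the password-protected bait document described in the article.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

URL_RE = re.compile(r"https?://[^\s<>]+")
# "password protected document", "Password: 1234"
PASSWORD_RE = re.compile(r"\bpassword[-\s]?(protected|:)", re.I)
# "you have 3 days to open", "within a few days", "in 48 hours"
DEADLINE_RE = re.compile(r"\b(within|in|have|only)\s+(a\s+few|\d+)\s+(days?|hours?)\b", re.I)
# The two notification templates the article mentions: the older
# "<channel> sent you a video" subject and the newer body line.
SUBJECT_CHANNEL_RE = re.compile(r"^(?P<channel>.+?) sent you a video$", re.I)
BODY_CHANNEL_RE = re.compile(r"^(?P<channel>.+?) shared a private video with you", re.I | re.M)


def sender_is_youtube(from_addr: str) -> bool:
    """The check the scam defeats: the sender really is @youtube.com."""
    return from_addr.strip().lower().endswith("@youtube.com")


def channel_name(message: dict) -> str:
    """Pull the attacker-chosen channel name from the subject or the body."""
    m = SUBJECT_CHANNEL_RE.match(message["subject"].strip()) or BODY_CHANNEL_RE.search(message["body"])
    return m.group("channel").strip() if m else ""


def impersonates_platform(channel: str) -> bool:
    """'You Tube Team', 'YouTubeTeam' and 'YouTube Team' all normalise to
    'youtubeteam'. Google does not send notices as private shares from a
    channel, so a channel named after the platform is a red flag, typos or not."""
    return re.sub(r"[^a-z0-9]", "", channel.lower()).startswith("youtube")


def is_drive_link(url: str) -> bool:
    return (urlparse(url).hostname or "").lower() in DRIVE_HOSTS


def red_flags(message: dict) -> list[str]:
    """Return the red flags present in a share notification (empty if none)."""
    flags = []
    if impersonates_platform(channel_name(message)):
        flags.append("platform_brand_in_channel_name")
    body = message["body"]
    if any(is_drive_link(u) for u in URL_RE.findall(body)):
        flags.append("google_drive_link_in_description")
    if PASSWORD_RE.search(body):
        flags.append("password_protected_document")
    if DEADLINE_RE.search(body):
        flags.append("deadline_pressure")
    return flags


def is_suspicious(message: dict) -> bool:
    """Brand impersonation alone is decisive; otherwise require two content flags."""
    flags = red_flags(message)
    return "platform_brand_in_channel_name" in flags or len(flags) >= 2


# Constructed sample messages (not captured mail); video and file IDs are made up.
SAMPLE_PHISH = {
    "from": "no-reply@youtube.com",
    "subject": "You Tube Team sent you a video",
    "body": (
        "You Tube Team shared a private video with you:\n"
        "Important changes to YouTube rules and policies\n"
        "https://www.youtube.com/watch?v=EXAMPLE00001\n\n"
        "Description:\n"
        "Review the new policy in the attached document.\n"
        "https://drive.google.com/file/d/EXAMPLE-FILE-ID/view\n"
        "Password: 2023\n"
        "You have 7 days to confirm or your channel will be restricted.\n"
    ),
}
SAMPLE_LEGIT = {
    "from": "no-reply@youtube.com",
    "subject": "a private video was shared with you",
    "body": (
        "Dana's Climbing Channel shared a private video with you:\n"
        "Spring trip highlights\n"
        "https://www.youtube.com/watch?v=EXAMPLE00002\n"
    ),
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "sender ok:", sender_is_youtube(msg["from"]), "flags:", red_flags(msg))
```

<p>
	Both samples pass the sender check, which is the whole point of the campaign; only the content checks separate them. The brand-name rule is deliberately broad: a genuine friend's channel never normalises to "youtube...", and a channel that does has no legitimate reason to share a private video with you.
</p>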

<p>
	 
</p>

<p>
	Google is working on addressing the issue. It appears to have already changed the subject line of emails for privately shared videos. When we tried to replicate this by setting a video to private and sharing it, the email we received stated "a private video was shared with you". We did not get "channel name sent you a video".
</p>

<h3>
	Closing Words
</h3>

<p>
	Phishing and scam emails that come from legitimate domains are more effective, as they may bypass filters and other protective features. When a platform lets senders word such emails freely, as YouTube's private-video notifications did, it opens the door to abuse.
</p>

<p>
	 
</p>

<p>
	Now You: would you have detected the scam?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/04/06/you-tube-team-sent-you-a-video-it-is-a-scary-phishing-scam/" rel="external nofollow">You Tube Team sent you a video? It is a scary phishing scam</a>
</p>
]]></description><guid isPermaLink="false">14328</guid><pubDate>Thu, 06 Apr 2023 21:06:13 +0000</pubDate></item><item><title>New dark web market STYX focuses on financial fraud services</title><link>https://nsaneforums.com/news/security-privacy-news/new-dark-web-market-styx-focuses-on-financial-fraud-services-r14314/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new dark web marketplace called STYX launched earlier this year and appears to be on its way to becoming a thriving hub for buying and selling illegal services or stolen data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Among the services provided are money laundering, identity theft, distributed denial-of-service (DDoS), bypassing two-factor authentication (2FA), fake or stolen IDs and other personal data, renting malware, using cash-out services, email and telephone flooding, identity lookup, and much more.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="overview.png" class="ipsImage" data-ratio="75.10" height="540" width="624" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Darknet/5/overview.png" />
		
			<p>
				<span style="font-size:14px;">Overview of STYX with service categories on the left (Resecurity)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The marketplace opened its doors officially on January 19 and it uses a built-in escrow system to broker transactions between buyers and sellers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, analysts at threat intelligence company Resecurity had noticed mentions of STYX on the dark web since early 2022, when the founders were still building the escrow module.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">STYX supports payments with multiple cryptocurrencies and features a special section reserved for trusted sellers that lists vetted vendors, likely in an attempt to increase trust in the platform.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To showcase the purchasing process the market points to Telegram channels where bots interact with buyers and provide samples of the products sold. Below are samples from one seller that offers fake IDs, who created documents in the name of U.S. President Joe Biden and former professional footballer David Beckham.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="samples.png" class="ipsImage" data-ratio="84.91" height="540" width="356" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Darknet/5/samples.png" />
		
			<p>
				<span style="font-size:14px;">Fake ID samples showcased on Telegram (Resecurity)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Researchers at Resecurity have compiled a report presenting some notable cases they discovered while exploring STYX, aiming to highlight the risks that arise from the operation of these illicit platforms and uncover the actual dimension of cybercrime.</span>
</p>

<h2>
	<span style="font-size:14px;">All things financial fraud</span>
</h2>

<p>
	<span style="font-size:14px;">Resecurity navigated all sections of STYX and found that it offers the following:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Tools to bypass anti-fraud filters such as fingerprint emulators and spoofers.</span>
	</li>
	<li>
		<span style="font-size:14px;">Stolen credit card and PII (personally identifiable information) data for sale.</span>
	</li>
	<li>
		<span style="font-size:14px;">“Checking” (lookup) services that extract information about individuals or organizations.</span>
	</li>
	<li>
		<span style="font-size:14px;">Fake ID or “drawing” services that offer forged documents for over 65 countries.</span>
	</li>
	<li>
		<span style="font-size:14px;">Telephone, SMS, and email flooding services ranging from $4 to $150 per day.</span>
	</li>
	<li>
		<span style="font-size:14px;">Money laundering services for BEC (business email compromise) scammers and other fraudsters.</span>
	</li>
	<li>
		<span style="font-size:14px;">Manuals and tutorials on hacking and cybercrime operations.</span>
	</li>
</ul>

<p>
	 
</p>

<div>
	
		<img alt="tutorials.png" class="ipsImage" data-ratio="75.10" height="540" width="613" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Darknet/5/tutorials.png" />
		
			<p>
				<span style="font-size:14px;">Hacking tutorials sold on STYX (Resecurity)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The money laundering section is one of the most significant in STYX, as “cleaning” the stolen funds is a crucial part of cybercriminal activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Resecurity highlighted some vendors that offer money laundering services through STYX, like “Verta,” who requests a minimum of $15,000 for individuals and $75,000 for businesses and keeps 50% of the laundered amount.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Other providers of money laundering services have different fees, as seen in the screenshot below.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="money-launder.png" class="ipsImage" data-ratio="70.14" height="388" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Darknet/5/money-launder.png" />
		
			<p>
				<span style="font-size:14px;">Money laundering vendors (Resecurity)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">“Resecurity also identified a group of trending cash-out vendors that charge commissions based on the exact BIN of the card and brand of gift card,” <a href="https://www.resecurity.com/blog/article/styx-marketplace-emerged-in-dark-web-focused-on-financial-fraud" rel="external nofollow">reads the report</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“The commission spread depends on the popularity of the service/bank, the complexity of the cash-out process, including the tactics the launderers will have to deploy to successfully circumvent a payment platform’s anti-fraud filters,” the researchers explain.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">STYX hosts a plethora of cash-out shops that cover the entire world, offering the "clean" funds via Apple Pay, PayPal business accounts with merchant terminals, and various financial institutions in the U.S., U.K., and Canada.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="vcc-drops.png" class="ipsImage" data-ratio="75.10" height="540" width="699" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Darknet/5/vcc-drops.png" />
		
			<p>
				<span style="font-size:14px;">VCC drop services (Resecurity)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The emergence of STYX as a new platform for financially-motivated cybercriminals shows that the market for illegal services continues to be a lucrative business.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Digital banks, online payment platforms, and e-commerce systems need to rise to the challenge and upgrade their KYC checks and fraud protections to undermine the effectiveness of the services sold in these crime spaces.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">With the <a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-stolen-credentials-market-genesis-in-operation-cookie-monster/" rel="external nofollow">Genesis Market disrupted</a>, the void for digital identities needs to be filled and STYX may see an increased flux of customers looking for compromised accounts and personal information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-dark-web-market-styx-focuses-on-financial-fraud-services/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14314</guid><pubDate>Thu, 06 Apr 2023 16:47:06 +0000</pubDate></item><item><title>Money Message ransomware gang claims MSI breach, demands $4 million</title><link>https://nsaneforums.com/news/security-privacy-news/money-message-ransomware-gang-claims-msi-breach-demands-4-million-r14313/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as "Money Message," which claims to have stolen source code from the company's network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">MSI is a global hardware giant that makes motherboards, graphics cards, desktops, laptops, servers, industrial systems, PC peripherals, and infotainment products, with an annual revenue that surpasses $6.5 billion.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The threat actor has listed MSI on its data leak website and posted screenshots of what they claim to be the hardware vendor's CTMS and ERP databases and files containing software source code, private keys, and BIOS firmware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Money Message now threatens to publish all these allegedly stolen documents in about five days unless MSI meets its ransom payment demands.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="msi.jpg" class="ipsImage" data-ratio="75.10" height="536" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/20/msi.jpg" />
		
			<p>
				<span style="font-size:14px;">MSI listed on 'Money Message' extortion site (BleepingComputer)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">BleepingComputer highlighted <a href="https://www.bleepingcomputer.com/news/security/new-money-message-ransomware-demands-million-dollar-ransoms/" rel="external nofollow">this novel ransomware group</a>'s activity in a report published over the weekend and described the gang's attack chain, hinting at the possibility of the threat actors having breached a well-known computer hardware vendor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to chats seen by BleepingComputer at the time, the threat actors claimed to have stolen 1.5TB of data from MSI's systems, including source code and databases, and demanded a ransom payment of $4,000,000.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="chat.png" class="ipsImage" data-ratio="75.10" height="540" width="610" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/20/chat.png" />
		
			<p>
				<span style="font-size:14px;">Chat between the threat actor and the victim's representative (BleepingComputer)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">"Say your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios," a Money Message operator said in a chat with an MSI agent.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since discovering this, BleepingComputer has reached out to MSI multiple times, but we are still waiting for a reply.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As such, we haven't been able to verify whether Money Message's data breach claims are valid and whether the data they threaten to leak belongs to MSI.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/money-message-ransomware-gang-claims-msi-breach-demands-4-million/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14313</guid><pubDate>Thu, 06 Apr 2023 16:42:47 +0000</pubDate></item><item><title>Spain's most dangerous and elusive hacker now in police custody</title><link>https://nsaneforums.com/news/security-privacy-news/spains-most-dangerous-and-elusive-hacker-now-in-police-custody-r14274/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The police in Spain have arrested José Luis Huertas (aka "Alcaseca", "Mango", “chimichuri”), a 19-year-old regarded as the most dangerous hacker in the country.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Huertas is considered to be responsible for multiple high-profile cyberattacks and for creating a search engine called Udyat (the eye of Horus) dedicated to selling stolen sensitive information in bulk.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A police investigation started in November 2022 eventually led to the identification and arrest of the young hacker, who has been described as "a serious threat to national security."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At Huertas' home and other registered addresses, law enforcement agents seized large amounts of cash, documentation, and computers that will help investigators reconstruct the hacker's activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The investigation was launched after Huertas breached the computer network of Spain's national council of the judiciary (CGPJ). During this attack, the hacker stole the data of 575,000 taxpayers and created a database to sell that information to other cybercriminals.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The details hosted on that illegal service include personally identifiable information, account numbers, bank numbers, and more.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Huertas is also accused of impersonating Paolo Vasile, the CEO of Gestevisión Telecinco/Mediaset España, and stealing EUR 300,000 from him. Charges also include attacking high-state institutions and money laundering.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The hacker grew bolder with each attack, to the point that in an interview on YouTube he claimed to have access to information of roughly 90% of all Spanish citizens.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="interview.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Police/interview.jpg" />
		
			<p>
				<span style="font-size:14px;">Huertas giving an interview on the YouTube channel Club 113 (Pledge Times)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Policia Nacional <a href="https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=15523" rel="external nofollow">says</a> that following a complex investigation, specialists in the cyber threat investigation unit of the General Information Police Station were able to identify the individual responsible for the attacks, a 19-year-old man with a long history in the world of cybercrime.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to details in local media, the Spanish police were able to track the young hacker by following the money trail for the hosting services of the "Eye of Horus" server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although Huertas was using cryptocurrency that had been "cleaned" through mixing services, the police could still trace the payments with the help of experts at the National Cryptological Center.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Huertas will remain in custody until the date of his trial, as the investigators consider there is an enormous risk that he will flee, destroy evidence, and continue to commit crimes of a similar nature.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Judge José Luis Calama justified his decision to keep the suspect in detention by saying that he holds significant amounts of cryptocurrency that would allow him to reside anywhere in the world, out of reach of Spanish justice.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/spains-most-dangerous-and-elusive-hacker-now-in-police-custody/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14274</guid><pubDate>Wed, 05 Apr 2023 17:52:59 +0000</pubDate></item><item><title>Hackers can open Nexx garage doors remotely, and there's no fix</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-can-open-nexx-garage-doors-remotely-and-theres-no-fix-r14273/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Multiple vulnerabilities discovered in Nexx smart devices can be exploited to control garage doors, disable home alarms, or control smart plugs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Five security issues have been disclosed publicly, with severity scores ranging from medium to critical, which the vendor has yet to acknowledge and fix.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The most significant discovery is the use of universal credentials that are hardcoded in the firmware and also easy to obtain from the client communication with Nexx's API.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The vulnerability can also be exploited to identify Nexx users, allowing an attacker to collect email addresses, device IDs, and first names.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A video showing the impact of the security flaw, tracked as CVE-2023-1748, is available below. It could be used to open any Nexx-controlled garage door.</span>
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/kD1cBfv9To8?feature=oembed" title="NexxHome Smart Garage Vulnerability - CVE-2023-1748" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On January 4, independent security researcher Sam Sabetan published a <a href="https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc" rel="external nofollow">writeup</a> about the flaws, explaining how an attacker could leverage them in real life.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It is estimated that there are at least 40,000 Nexx devices associated with 20,000 accounts. Due to the severity of the security problem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also <a href="https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01" rel="external nofollow">published a relevant alert</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA warns owners of Nexx products that attackers could access sensitive information, execute API requests, or hijack their devices.</span>
</p>

<h2>
	<span style="font-size:14px;">Vulnerability details</span>
</h2>

<p>
	<span style="font-size:14px;">Sabetan discovered the vulnerabilities listed below, which affect Nexx Garage Door Controllers NXG-100B and NGX-200 running version nxg200v-p3-4-1 or older, the Nexx Smart Plug NXPG-100W running version nxpg100cv4-0-0 and older, and Nexx Smart Alarm NXAL-100 running version nxal100v-p1-9-1 and older.</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">CVE-2023-1748: Use of hardcoded credentials in the mentioned devices, allowing anyone to access the MQ Telemetry Server and control any customer’s devices remotely. (CVSS score: 9.3)</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2023-1749: Improper access control on API requests sent to valid device IDs. (CVSS score: 6.5)</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2023-1750: Improper access control allowing attackers to retrieve device history, information, and change its settings. (CVSS score: 7.1)</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2023-1751: Improper input validation, failing to correlate the token in the authorization header with the device ID. (CVSS score: 7.5)</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2023-1752: Improper authentication control allowing any user to register an already registered Nexx device using its MAC address. (CVSS score: 8.1)</span>
	</li>
</ul>

<p>
	 
</p>

<div>
	<img alt="mac-address.jpg" class="ipsImage" data-ratio="73.94" height="400" width="541" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Devices/2/mac-address.jpg" />
	<p>
		<span style="font-size:14px;">Hijacking an account using the device's MAC address (Sabetan)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The most severe of the five flaws, CVE-2023-1748, is the result of Nexx Cloud setting a universal password for all newly registered devices via the Android or iOS Nexx Home mobile app.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="api-leak.jpg" class="ipsImage" data-ratio="86.82" height="540" width="567" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Devices/2/api-leak.jpg" />
	<p>
		<span style="font-size:14px;">API response leaking account credentials (Sabetan)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">This password is present both in the API data exchange and in the firmware shipped with the device, so it is easy for attackers to obtain it and send commands to the devices via the MQTT server, which handles communication for Nexx’s IoT devices.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="mqtt.jpg" class="ipsImage" data-ratio="64.17" height="457" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Devices/2/mqtt.jpg" />
	<p>
		<span style="font-size:14px;">Publicly available MQTT data (Sabetan)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Despite the researcher’s multiple attempts to report the flaws to Nexx, all messages remained without a reply, causing the issues to remain unpatched.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers” - <a href="https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc" rel="external nofollow">Sam Sabetan</a></span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">BleepingComputer has independently contacted Nexx to request a comment on the above, but we have not received a response by the time of publication.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the meantime, to mitigate the risk from these attacks until a patch is made available by the vendor, it is recommended to disable internet connectivity for your Nexx devices, place them behind firewalls, and isolate them from mission-critical networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If it is necessary to access or control Nexx devices remotely, only do so through a VPN (virtual private network) connection that encrypts the data transmissions.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-can-open-nexx-garage-doors-remotely-and-theres-no-fix/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">14273</guid><pubDate>Wed, 05 Apr 2023 17:50:09 +0000</pubDate></item><item><title>TikTok faces ban in Australia over security risks</title><link>https://nsaneforums.com/news/security-privacy-news/tiktok-faces-ban-in-australia-over-security-risks-r14247/</link><description><![CDATA[<p>
	The Australian government has banned the use of TikTok on all government devices due to security concerns, following the lead of the US, Canada, Britain, and New Zealand. The decision was made after receiving advice from intelligence and security agencies, and will be imposed "as soon as practicable", according to Attorney-General Mark Dreyfus. This move has put Australia in line with its allies from the Five Eyes intelligence alliance.
</p>

<p>
	 
</p>

<p>
	TikTok, the Chinese-owned video app, has come under increasing pressure over claims it presents a security concern. The European Parliament and Norway have also imposed similar restrictions, while NATO has banned its staffers from downloading the app onto NATO-provided devices. Last week, the <a data-wpel-link="internal" href="https://www.ghacks.net/2023/03/29/bytedance-lemon8-tiktok-ban/" rel="external nofollow">US government threatened to ban TikTok</a> unless its Chinese owners, Bytedance, agree to spin off their share of the social media platform. The US government is concerned that China could use its national security laws to access the significant amount of personal information that TikTok, like most social media applications, collects from its US users.
</p>

<p>
	 
</p>


<p>
	As of early 2023, Australia had over 8 million TikTok users aged 18 and over, according to the company, citing a report from <a data-wpel-link="external" href="https://datareportal.com/reports/digital-2023-australia" rel="external nofollow" target="_blank">DataReportal</a>, which studies digital trends worldwide. TikTok's General Manager in Australia and New Zealand, Lee Hunter, expressed disappointment in the decision and claimed it was driven by politics. He argued that the company had repeatedly tried to engage constructively with the Australian government and that there was no evidence to suggest that the app posed a security risk to the country.
</p>

<p>
	 
</p>

<p>
	The Attorney-General's Department has issued a notice stating that TikTok poses security and privacy risks due to its "extensive collection of user data and exposure to extrajudicial directions from a foreign government that conflict with Australian law." So far, there is no evidence that the Chinese government has accessed TikTok user data, and no government has enacted a broader ban targeting TikTok on personal devices.
</p>

<p>
	 
</p>

<p>
	During a high-profile congressional hearing on the matter, TikTok CEO Shou Zi Chew was grilled about the tech firm's alleged ties to the Chinese government. Chew has denied any ties to the Chinese government and has stated that the company would refuse any request for its data. For its part, China's Commerce Ministry has said that it would "firmly oppose" any decision resulting in the forced sale of TikTok, adding that it would "seriously damage" global investors' confidence in the United States.
</p>

<p>
	 
</p>

<p>
	<img alt="tiktok-ban-australia_02.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/tiktok-ban-australia_02.jpg"></p>


<p>
	 
</p>

<p>
	Australia's attorney general has said that any exemptions to the ban would be granted "on a case-by-case basis and with appropriate security mitigation in place." The government had recently received the review into foreign interference through social media applications from the country's Home Affairs Department, with its recommendations being considered, according to Dreyfus.
</p>

<h2>
	Australia is not the first country to ban TikTok
</h2>

<p>
	TikTok, like many social media platforms, collects a vast amount of user data, which can be a source of concern for governments and individuals alike. As such, it remains to be seen whether other countries will follow in the footsteps of Australia, the US, Canada, Britain, and New Zealand in imposing restrictions on the app. However, with concerns over data privacy and national security continuing to grow, it is likely that TikTok and other social media platforms will face increasing scrutiny from governments around the world.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/04/04/tiktok-ban-australia-government/" rel="external nofollow">TikTok faces ban in Australia over security risks</a>
</p>
]]></description><guid isPermaLink="false">14247</guid><pubDate>Tue, 04 Apr 2023 18:18:29 +0000</pubDate></item><item><title>Germany could join Italy in banning ChatGPT from being used in its country</title><link>https://nsaneforums.com/news/security-privacy-news/germany-could-join-italy-in-banning-chatgpt-from-being-used-in-its-country-r14246/</link><description><![CDATA[<p>
	Last week, Italy's data protection agency made a decision <a href="https://www.neowin.net/news/italys-data-protection-agency-blocks-chatgpt-over-purported-privacy-infringement/" rel="external nofollow">to ban the use of ChatGPT</a> due to data privacy concerns. Now, it looks like another European country, Germany, could make the same decision.
</p>

<p>
	 
</p>

<p>
	In an interview with the <a href="https://www.handelsblatt.com/english/" rel="external nofollow">Handelsblatt</a> newspaper (via <a href="https://uk.finance.yahoo.com/news/germany-chatgpt-considers-following-italy-banning-chatgpt-openai-ai-artificial-intelligence-101058703.html" rel="external nofollow">Yahoo News</a>), Germany's commissioner for data protection, Ulrich Kelber, said that his country's regulators had been in talks with Italian government regulators about Italy's ChatGPT ban. Kelber stated, "... in principle, such action is also possible in Germany".
</p>

<p>
	 
</p>

<p>
	Italy's ban was put in effect after the country's data protection agency said ChatGPT was possibly in violation of its data collection rules. It also claims that ChatGPT does not check whether its service is being used by children under 13 years of age. The chatbot's terms of service prohibit its use by children in that age group.
</p>

<p>
	 
</p>

<p>
	Since the ban in Italy was put in place, the country's deputy Prime Minister, Matteo Salvini, stated he <a href="https://www.neowin.net/news/italian-deputy-prime-minister-calls-chatgpt-block-excessive/" rel="external nofollow">believes it was "hypocritical"</a> for the data protection agency to make that move. He points out that other online services have their own data collection and privacy issues in Italy, but they were not blocked as ChatGPT was.
</p>

<p>
	 
</p>

<p>
	However, other countries besides Germany are talking to Italy's regulators about their actions. A spokesperson for Ireland's Data Protection Commissioner stated they are looking at what Italy did with ChatGPT and "will coordinate with all EU data protection authorities in relation to this matter." France's government has also been in contact with Italy about its decision.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.handelsblatt.com/english/" rel="external nofollow">Handelsblatt</a> via <a href="https://uk.finance.yahoo.com/news/germany-chatgpt-considers-following-italy-banning-chatgpt-openai-ai-artificial-intelligence-101058703.html" rel="external nofollow">Yahoo</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/germany-could-join-italy-in-banning-chatgpt-from-being-used-in-its-country/" rel="external nofollow">Germany could join Italy in banning ChatGPT from being used in its country</a>
</p>
]]></description><guid isPermaLink="false">14246</guid><pubDate>Tue, 04 Apr 2023 18:16:21 +0000</pubDate></item><item><title>ChatGPT Has a Big Privacy Problem</title><link>https://nsaneforums.com/news/security-privacy-news/chatgpt-has-a-big-privacy-problem-r14245/</link><description><![CDATA[<h3>
	Italy’s recent ban of OpenAI’s generative text tool may just be the beginning of ChatGPT’s regulatory woes.
</h3>

<p>
	When OpenAI released <a href="https://www.wired.com/story/ai-text-generator-gpt-3-learning-language-fitfully/" rel="external nofollow">GPT-3 in July 2020</a>, it offered a glimpse of the data used to train the large language model. Millions of pages scraped from the web, Reddit posts, books, and more are used to create the generative text system, according to a <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://arxiv.org/pdf/2005.14165.pdf"}' data-offer-url="https://arxiv.org/pdf/2005.14165.pdf" href="https://arxiv.org/pdf/2005.14165.pdf" rel="external nofollow" target="_blank">technical paper</a>. Scooped up in this data is some of the personal information you share about yourself online. This data is now getting OpenAI into trouble. 
</p>

<p>
	 
</p>

<p>
	On March 31, Italy’s data regulator <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9870832"}' data-offer-url="https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9870832" href="https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9870832" rel="external nofollow" target="_blank">issued a temporary emergency decision</a> demanding OpenAI stop using the personal information of millions of Italians that’s included in its training data. According to the regulator, Garante per la Protezione dei Dati Personali, OpenAI doesn’t have the legal right to use people’s personal information in ChatGPT. In response, OpenAI has stopped people in Italy from accessing its chatbot while it provides responses to the officials, who are investigating further. 
</p>

<p>
	 
</p>

<p>
	The action is the first taken against ChatGPT by a Western regulator and highlights privacy tensions around the creation of giant generative AI models, which are often trained on vast swathes of internet data. Just as <a href="https://www.wired.com/story/chatgpt-generative-artificial-intelligence-regulation/" rel="external nofollow">artists</a> and <a href="https://www.bloomberg.com/news/articles/2023-02-17/openai-is-faulted-by-media-for-using-articles-to-train-chatgpt" rel="external nofollow">media companies</a> have complained that generative AI developers have used their work without permission, the data regulator is now saying the same for people’s personal information.
</p>

<p>
	 
</p>

<p>
	Similar decisions could follow all across Europe. In the days since Italy announced its probe, data regulators in France, <a href="https://www.reuters.com/technology/germany-principle-could-block-chat-gpt-if-needed-data-protection-chief-2023-04-03/" rel="external nofollow">Germany, and Ireland</a> have contacted the Garante to ask for more information on its findings. “If the business model has just been to scrape the internet for whatever you could find, then there might be a really significant issue here,” says Tobias Judin, the head of international at Norway’s data protection authority, which is monitoring developments. Judin adds that if a model is built on data that may be unlawfully collected, it raises questions about whether anyone can use the tools legally.
</p>

<p>
	 
</p>

<p>
	Italy’s blow to OpenAI also comes as scrutiny of large AI models is steadily increasing. On March 29, tech leaders called for a <a href="https://www.wired.com/story/chatgpt-pause-ai-experiments-open-letter/" rel="external nofollow">pause on the development of systems like ChatGPT</a>, fearing its future implications. Judin says the Italian decision highlights more immediate concerns. “Essentially, we’re seeing that AI development to date could potentially have a massive shortcoming,” Judin says.
</p>

<h2 aria-level="3" role="heading">
	The Italian Job
</h2>

<p>
	Europe’s <a href="https://www.wired.com/story/gdpr-2022/" rel="external nofollow">GDPR rules</a>, which cover the way organizations <a href="https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018" rel="external nofollow">collect, store, and use people’s personal data</a>, protect the data of more than 400 million people across the continent. This personal data can be anything from a person’s name to their IP address—if it can be used to identify someone, it can count as their personal information. Unlike the patchwork of state-level privacy rules in the United States, GDPR’s protections apply even if people’s information is freely available online. In short: Just because someone’s information is public doesn’t mean you can vacuum it up and do anything you want with it.
</p>

<p>
	 
</p>

<p>
	Italy’s Garante believes ChatGPT has four problems under GDPR: OpenAI doesn’t have age controls to stop people under the age of 13 from using the text generation system; it can provide information about people that isn’t accurate; and people haven’t been told their data was collected. Perhaps most importantly, its fourth argument claims there is “no legal basis” for collecting people’s personal information in the massive swells of data used to train ChatGPT.
</p>

<p>
	 
</p>

<p>
	“The Italians have called their bluff,” says Lilian Edwards, a professor of law, innovation, and society at Newcastle University in the UK. “It did seem pretty evident in the EU that this was a breach of data protection law.”
</p>

<p>
	 
</p>

<p>
	Broadly speaking, for a company to collect and use people’s information under GDPR, they must rely on <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/"}' data-offer-url="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/" href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/" rel="external nofollow" target="_blank">one of six legal justifications</a>, ranging from someone giving their permission to the information being required as part of a contract. Edwards says that in this instance, there are essentially two options: getting people’s consent—which OpenAI didn’t do—or arguing it has “legitimate interests” to use people’s data, which is “very hard” to do, Edwards says. The Garante tells WIRED it believes this defense is “inadequate.”
</p>

<p>
	 
</p>

<p>
	OpenAI’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://openai.com/policies/privacy-policy"}' data-offer-url="https://openai.com/policies/privacy-policy" href="https://openai.com/policies/privacy-policy" rel="external nofollow" target="_blank">privacy policy</a> doesn’t directly mention its legal reasons for using people’s personal information in training data but says it relies upon “legitimate interests” when it “develops” its services. The company did not respond to WIRED’s request for comment. Unlike with GPT-3, OpenAI has not publicized any details of the training data that went into ChatGPT, and <a href="https://www.wired.com/story/what-is-chatgpt-plus-gpt4-openai/" rel="external nofollow">GPT-4</a> is <a href="https://techcrunch.com/2023/03/15/interview-with-openais-greg-brockman-gpt-4-isnt-perfect-but-neither-are-you/" rel="external nofollow">thought to be several times larger</a>.
</p>

<p>
	 
</p>

<p>
	However, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cdn.openai.com/papers/gpt-4.pdf"}' data-offer-url="https://cdn.openai.com/papers/gpt-4.pdf" href="https://cdn.openai.com/papers/gpt-4.pdf" rel="external nofollow" target="_blank">GPT-4’s technical paper</a> includes a section on privacy, which says its training data may include “publicly available personal information,” which comes from a number of sources. The paper says OpenAI takes steps to protect people’s privacy, including “fine-tuning” models to stop people asking for personal information and removing people’s information from training data “where feasible.”
</p>

<p>
	 
</p>

<p>
	“How to collect data lawfully for training data sets for use in everything from just regular algorithms to some really sophisticated AI is a critical issue that needs to be solved now, as we’re kind of on the tipping point for this sort of technology taking over,” says Jessica Lee, a partner at law firm Loeb and Loeb.
</p>

<p>
	 
</p>

<p>
	The action from the Italian regulator—which is also <a href="https://techcrunch.com/2023/02/03/replika-italy-data-processing-ban/" rel="external nofollow">taking on the Replika chatbot</a>—has the potential to be the first of many cases examining OpenAI’s data practices. GDPR allows companies with a base in Europe to nominate one country that will deal with all of its complaints—Ireland deals with Google, Twitter, and Meta, for instance. However, OpenAI doesn’t have a base in Europe, meaning that under GDPR, every individual country can open complaints against it.
</p>

<h2 aria-level="3" role="heading">
	Model Data
</h2>

<p>
	OpenAI isn’t alone. Many of the issues raised by the Italian regulator are likely to cut to the core of all development of machine learning and generative AI systems, experts say. The EU is <a href="https://www.wired.com/story/artificial-intelligence-regulation-european-union/" rel="external nofollow">developing AI regulations</a>, but so far there has been comparatively little action taken against the development of machine learning systems when it comes to privacy.
</p>

<p>
	 
</p>

<p>
	“There is this rot at the very foundations of the building blocks of this technology—and I think that’s going to be very hard to cure,” says Elizabeth Renieris, senior research associate at Oxford’s Institute for Ethics in AI and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://hackylawyer.com/"}' data-offer-url="https://hackylawyer.com/" href="https://hackylawyer.com/" rel="external nofollow" target="_blank">author on data practices</a>. She points out that many data sets used for training machine learning systems have existed for years, and it is likely there were few privacy considerations when they were being put together. 
</p>

<p>
	 
</p>

<p>
	“There’s this layering and this complex supply chain of how that data ultimately makes its way into something like GPT-4,” Renieris says. “There’s never really been any type of data protection by design or default.” In 2022, the creators of one widely used image database, which has helped train AI models for a decade, suggested <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://venturebeat.com/ai/imagenet-creators-find-blurring-faces-for-privacy-has-a-minimal-impact-on-accuracy/"}' data-offer-url="https://venturebeat.com/ai/imagenet-creators-find-blurring-faces-for-privacy-has-a-minimal-impact-on-accuracy/" href="https://venturebeat.com/ai/imagenet-creators-find-blurring-faces-for-privacy-has-a-minimal-impact-on-accuracy/" rel="external nofollow" target="_blank">images of people’s faces should be blurred</a> in the data set.
</p>

<p>
	 
</p>

<p>
	In Europe and California, privacy rules give people the ability to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.dataprotectionreport.com/2018/09/ccpa-extends-right-to-deletion-to-california-residents/"}' data-offer-url="https://www.dataprotectionreport.com/2018/09/ccpa-extends-right-to-deletion-to-california-residents/" href="https://www.dataprotectionreport.com/2018/09/ccpa-extends-right-to-deletion-to-california-residents/" rel="external nofollow" target="_blank">request that information be deleted</a> or <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://iapp.org/news/a/top-10-operational-impacts-of-the-cpra-part-3-the-cpras-new-provisions-regarding-the-right-to-correct-and-the-treatment-of-sensitive-personal-informal/"}' data-offer-url="https://iapp.org/news/a/top-10-operational-impacts-of-the-cpra-part-3-the-cpras-new-provisions-regarding-the-right-to-correct-and-the-treatment-of-sensitive-personal-informal/" href="https://iapp.org/news/a/top-10-operational-impacts-of-the-cpra-part-3-the-cpras-new-provisions-regarding-the-right-to-correct-and-the-treatment-of-sensitive-personal-informal/" rel="external nofollow" target="_blank">corrected if it is inaccurate</a>. But deleting something from an AI system that is inaccurate or that someone doesn’t want there may not be straightforward—especially if the origins of the data are unclear. Both Renieris and Edwards question whether <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/lilianedwards/status/1643027497615859716"}' data-offer-url="https://twitter.com/lilianedwards/status/1643027497615859716" href="https://twitter.com/lilianedwards/status/1643027497615859716" rel="external nofollow" target="_blank">GDPR will be able to do anything about this</a> in the long term, including upholding people’s rights. “There is no clue as to how you do that with these very large language models,” says Edwards from Newcastle University. 
“They don’t have provision for it.”
</p>

<p>
	 
</p>

<p>
	So far, there has been at least one relevant instance, when the company formerly known as Weight Watchers was <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy"}' data-offer-url="https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy" href="https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy" rel="external nofollow" target="_blank">ordered by the US Federal Trade Commission</a> to delete algorithms created from data it didn’t have permission to use. But with increased scrutiny, such orders could become more common. “Depending, obviously, on the technical infrastructure, it may be difficult to fully clear your model of all of the personal data that was used to train it,” says Judin, from Norway’s data regulator. “If the model was then trained by unlawfully collected personal data, it would mean that you would essentially perhaps not be able to use your model.” 
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/italy-ban-chatgpt-privacy-gdpr/" rel="external nofollow">ChatGPT Has a Big Privacy Problem</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">14245</guid><pubDate>Tue, 04 Apr 2023 18:15:23 +0000</pubDate></item><item><title>Capita cyberattack disrupted access to its Microsoft Office 365 apps</title><link>https://nsaneforums.com/news/security-privacy-news/capita-cyberattack-disrupted-access-to-its-microsoft-office-365-apps-r14228/</link><description><![CDATA[<p>
	<span style="font-size:14px;">British outsourcing services provider Capita announced today that a cyberattack on Friday prevented access to its internal Microsoft Office 365 applications.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">London-based Capita employs 50,000 specialists and offers a wide range of services for clients in the finance, IT, healthcare, education, and government sectors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Among its customers are critical infrastructure organizations in the U.K. such as the National Health Service (NHS), the UK military, and the Department for Work and Pensions, as well as prominent companies like O2, Vodafone, and the Royal Bank of Scotland.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The cyber incident prompted Capita on March 31 to announce an IT issue that had impacted its internal systems. The company did not offer any other details about what caused the incident, though.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="tweet.jpg" class="ipsImage" data-ratio="91.58" height="511" width="558" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/tweet.jpg" />
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In a short press release today, Capita acknowledged that the outage was caused by a cyberattack. The incident occurred at 4 AM on Friday and was discovered three hours later, when staff attempted to log into the system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company said that its immediate reaction successfully isolated and contained the security issue.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The disclosure states that the attack impacted limited parts of the network and that the investigation found no indication that data belonging to its customers, suppliers, or staff was exposed during the intrusion.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;">“Our IT security monitoring capabilities swiftly alerted us to the incident, and we quickly invoked our established and practiced technical crisis management protocols. The issue was limited to parts of the Capita network, and there is no evidence of customer, supplier, or colleague data having been compromised” - <a href="https://www.capita.com/news/capita-plc-update-cyber-incident" rel="external nofollow">Capita</a></span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Capita says that the disruption only affected some services provided to individual clients, while most of its customer base didn’t experience any adverse impacts. The company has provided no details about the parties impacted by the cyberattack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, there are indications that the boroughs of Barnet, Dagenham, Barking, and the South Oxfordshire council - all of them clients of Capita - were impacted, as they posted notifications on their websites that phone and email servers were unavailable.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="call-center.jpg" class="ipsImage" data-ratio="35.97" height="165" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/call-center.jpg" />
		
			<p>
				<span style="font-size:14px;">Outage notice on the South Oxfordshire council website (BleepingComputer)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Currently, Capita is working towards the complete restoration of access to Microsoft Office 365 and other client services and reports progress with this endeavor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted Capita to learn more about the cyberattack and its impact but has not heard back.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/capita-cyberattack-disrupted-access-to-its-microsoft-office-365-apps/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14228</guid><pubDate>Tue, 04 Apr 2023 15:20:06 +0000</pubDate></item><item><title>New Rorschach ransomware is the fastest encryptor seen so far</title><link>https://nsaneforums.com/news/security-privacy-news/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far-r14227/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with "technically unique features," which they named Rorschach.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The analysts found that the hackers deployed the malware on the victim network after leveraging a weakness in a threat detection and incident response tool.</span>
</p>

<h2>
	<span style="font-size:14px;">Rorschach details</span>
</h2>

<p>
	<span style="font-size:14px;">Researchers at cybersecurity company Check Point, responding to an incident at a company in the U.S., found that Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attacker used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to sideload the Rorschach loader and injector (winutils.dll), which led to launching the ransomware payload, “config.ini,” into a Notepad process.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Check Point <a href="https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/" rel="external nofollow">reports</a> that Rorschach creates a Group Policy when executed on a Windows Domain Controller to propagate to other hosts on the domain. After compromising a machine, the malware erases all event logs.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="attack-chain.jpg" class="ipsImage" data-ratio="69.44" height="380" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/19/attack-chain.jpg" />
	<p>
		<span style="font-size:14px;">Attack chain (Check Point)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">While it comes with hardcoded configuration, Rorschach supports command-line arguments that expand functionality.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Check Point notes that the options are hidden and can't be accessed without reverse engineering the malware. Below are some of the arguments the researchers discovered:</span>
</p>

<p>
	 
</p>

<div>
	<img alt="arguments.jpg" class="ipsImage" data-ratio="75.10" height="502" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/19/arguments.jpg" />
	<p>
		<span style="font-size:14px;">Arguments decoded by Check Point</span>
	</p>

	<p>
		 
	</p>

	<p>
		<strong><span style="font-size:14px;">Rorschach's encryption process</span></strong>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Rorschach will start encrypting data only if the victim machine is configured with a language outside the Commonwealth of Independent States (<a href="https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States" rel="external nofollow">CIS</a>).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The encryption scheme blends the curve25519 and the eSTREAM cipher HC-128 algorithms and follows the <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/" rel="external nofollow">intermittent encryption trend</a>, meaning that it encrypts the files only partially, lending it increased processing speed.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="scheme.jpg" class="ipsImage" data-ratio="54.06" height="353" width="653" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/19/scheme.jpg" />
	<p>
		<span style="font-size:14px;">Rorschach encryption scheme (Check Point)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The researchers note that Rorschach’s encryption routine indicates "a highly effective implementation of thread scheduling via I/O completion ports."</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;">“In addition, it appears that compiler optimization is prioritized for speed, with much of the code being inlined. All of these factors make us believe that we may be dealing with one of the fastest ransomware out there.” - <a href="https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/" rel="external nofollow">Check Point</a></span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">To find out how fast Rorschach’s encryption is, Check Point set up a test with 220,000 files on a 6-core CPU machine.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It took Rorschach 4.5 minutes to encrypt the data, whereas LockBit v3.0, considered the fastest ransomware strain, finished in 7 minutes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After locking the system, the malware drops a ransom note similar in format to the one used by the Yanluowang ransomware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the researchers, a previous version of the malware used a ransom note similar to what DarkSide used.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Check Point says that this similarity is likely what caused other researchers to mistake a different version of Rorschach for DarkSide, an operation that <a href="https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-claims-to-be-shutting-down-due-to-police-pressure/" rel="external nofollow">rebranded to BlackMatter</a> in 2021 and disappeared the same year.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ransom.jpg" class="ipsImage" data-ratio="39.94" height="260" width="651" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/19/ransom.jpg" />
	<p>
		<span style="font-size:14px;">Latest ransom note dropped by Rorschach (Check Point)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">BlackMatter's members later <a href="https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-linked-to-blackmatter-darkside-gangs/" rel="external nofollow">formed the ALPHV/BlackCat</a> ransomware operation that launched in November 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Check Point assesses that Rorschach has implemented the best features from some of the leading ransomware strains leaked online (Babuk, LockBit v2.0, DarkSide).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Along with the self-propagating capabilities, the malware "raises the bar for ransom attacks."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the moment, the operators of the Rorschach ransomware remain unknown and there is no branding, something that is rarely seen on the ransomware scene.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14227</guid><pubDate>Tue, 04 Apr 2023 15:11:15 +0000</pubDate></item><item><title>WinRAR SFX archives can run PowerShell without being detected</title><link>https://nsaneforums.com/news/security-privacy-news/winrar-sfx-archives-can-run-powershell-without-being-detected-r14226/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Self-extracting archives (SFX) created with compression software like WinRAR or 7-Zip are essentially executables that contain archived data along with a built-in decompression stub (the code for unpacking the data). SFX files can be password-protected to prevent unauthorized access.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The purpose of SFX files is to simplify distribution of archived data to users who do not have a utility to extract the package.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="protected-sfx.png" class="ipsImage" data-ratio="63.37" height="448" width="707" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/16/protected-sfx.png" />
		
			<p>
				<span style="font-size:14px;">Password-protected SFX created with 7-Zip<br />
				source: CrowdStrike</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Researchers at cybersecurity company CrowdStrike spotted the SFX abuse during a recent incident response investigation.</span>
</p>

<h3>
	<span style="font-size:14px;">SFX attacks in the wild</span>
</h3>

<p>
	<span style="font-size:14px;">CrowdStrike's analysis discovered an adversary that used stolen credentials to abuse 'utilman.exe' and set it to launch a password-protected SFX file that had been planted on the system previously.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Utilman is an accessibility application that can be executed before user login, often abused by hackers to bypass system authentication.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="utilman.png" class="ipsImage" data-ratio="75.10" height="398" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/16/utilman.png" />
		
			<p>
				<span style="font-size:14px;">The utilman tool on login screen<br />
				source: CrowdStrike</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The SFX file triggered by utilman.exe is password-protected and contains an empty text file that serves as a decoy.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The real function of the SFX file is to abuse WinRAR’s setup options to run PowerShell, Windows command prompt (cmd.exe), and task manager with system privileges.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Taking a closer look at the technique used, Jai Minton of CrowdStrike found that the attacker had added multiple commands to run after the target extracted the archived text file.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While there is no malware in the archive, the threat actor added commands under the setup menu for creating an SFX archive that would open a backdoor on the system.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="SFXarchivebackdoor.png" class="ipsImage" data-ratio="83.85" height="540" width="604" src="https://www.bleepstatic.com/images/news/u/1100723/SFXarchivebackdoor.png" />
		
			<p>
				<span style="font-size:14px;">Commands in WinRAR SFX setup that allow backdoor access<br />
				source: CrowdStrike</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">As seen in the image above, the comments show that the attacker customized the SFX archive so that there is no dialog and window displayed during the extraction process. The threat actor also added instructions to run PowerShell, command prompt, and task manager.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">WinRAR offers a set of advanced SFX options that allow adding a list of executables to run automatically before or after the extraction process, as well as overwriting existing files in the destination folder if entries with the same name exist.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“Because this SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, Windows command prompt and task manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided,” <a href="https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/" rel="external nofollow">explains CrowdStrike</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“This type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside of an archive (which is often also password-protected) rather than the behavior from an SFX archive decompressor stub,” the researchers add.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="attack-chain.jpg" class="ipsImage" data-ratio="51.81" height="284" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/16/attack-chain.jpg" />
		
			<p>
				<span style="font-size:14px;">Observed attack chain<br />
				source: CrowdStrike</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">CrowdStrike claims that malicious SFX files are unlikely to be caught by traditional AV solutions. In our tests, Windows Defender reacted when we created an SFX archive customized to run PowerShell after extraction.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft's security agent detected the resulting executable as a malicious script tracked as Wacatac and quarantined it. However, we recorded this reaction only once and could not replicate it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers advise users to pay particular attention to SFX archives and use appropriate software to check the content of the archive and look for potential scripts or commands scheduled to run upon extraction.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14226</guid><pubDate>Tue, 04 Apr 2023 15:05:36 +0000</pubDate></item><item><title>Android April 2023 Security Updates fix several critical vulnerabilities</title><link>https://nsaneforums.com/news/security-privacy-news/android-april-2023-security-updates-fix-several-critical-vulnerabilities-r14225/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Google <a href="https://source.android.com/docs/security/bulletin/2023-04-01" rel="external nofollow">published</a> the Android Security Bulletin for April 2023 earlier today. The bulletin lists vulnerabilities that Google has patched. It is divided into two patch levels: the first contains security fixes for the Android system and framework, the second hardware-vendor-specific security fixes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The first patch level addresses issues in system and framework. 10 unique vulnerabilities are addressed in Framework; they have a severity rating of high or moderate, and are either elevation of privilege or denial of service vulnerabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Android System is affected by 16 unique vulnerabilities, two of them rated critical, the remaining 16 high. The two critical vulnerabilities allow remote code execution on successful exploits. The vulnerabilities rated high allow elevation of privilege, denial of service and information disclosure attacks. Google addressed issues in Google Play's MediaProvider and Wifi components as well.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The second patch level addresses a total of 41 different security issues in various components. Four of the 41 security issues have received a severity rating of critical, the highest rating. All four affect Qualcomm components. The Android April 2023 security updates address a total of 69 different security issues.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Some security updates affect only specific versions of Android, e.g., only Android 13.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Android device owners may want to check the system updates option in Settings to find out if the April 2023 patch is available for their device already. Manufacturers are not always quick when it comes to releasing security updates, but the overall situation has improved in recent years in many regards.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Still, it may take days or weeks before the security updates are offered on certain devices. Some manufacturers may provide additional information on the schedule and scope on their websites.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Samsung, for example, has already <a href="https://security.samsungmobile.com/securityUpdate.smsb" rel="external nofollow">published</a> information regarding the Android April 2023 update on its website. There, the company lists the critical, high and moderate security issues that Samsung devices are affected by, and the security issues that are not applicable to Samsung devices. Samsung, in addition to addressing these vulnerabilities, has also addressed a further 23 Samsung-specific vulnerabilities, which the company published on the security update website as well.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company is dividing the security updates into two patch levels, with the first release including all Google and Samsung vulnerabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2023/04/04/android-april-2023-security-updates-fix-several-critical-vulnerabilities/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14225</guid><pubDate>Tue, 04 Apr 2023 14:59:05 +0000</pubDate></item><item><title>This new ransomware campaign wants millions of dollars to get your files back</title><link>https://nsaneforums.com/news/security-privacy-news/this-new-ransomware-campaign-wants-millions-of-dollars-to-get-your-files-back-r14191/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Ambitious new ransomware group is aiming high</span>
</p>

<p>
	 
</p>

<p>
	A new ransomware threat actor has been reported targeting large corporations and demanding huge payouts in exchange for the decryption key and for not leaking sensitive data stolen in the attack.
</p>

<p>
	 
</p>

<p>
	Calling itself Money Message, the group was first reported on the BleepingComputer forums in the last days of March, with cybersecurity researchers from Zscaler ThreatLabs also flagging the potential threat soon after.
</p>

<p>
	 
</p>

<p>
	So far, the group listed two victims on its data leak site, one of which is allegedly an Asian airline with almost a billion dollars in annual revenue. Apparently, the group demanded $1 million in exchange for the decryptor and for keeping the data to themselves.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Short on details</strong></span>
</p>

<p>
	 
</p>

<p>
	BleepingComputer says there is evidence of the group being behind a ransomware attack on a “well-known computer hardware vendor”, but nothing is conclusive just yet.
</p>

<p>
	 
</p>

<p>
	The publication claims the encryptor “does not appear sophisticated”, but still gets the job done, encrypting all endpoints across target networks, and siphoning out sensitive data.
</p>

<p>
	 
</p>

<p>
	Besides Business Email Compromise, ransomware is one of the most popular and disruptive forms of cyberattack out there. Many groups, such as LockBit, REvil, or Black Basta, have repeatedly targeted not just commercial businesses, but government organizations and critical infrastructure, prompting governments around the world to act.
</p>

<p>
	 
</p>

<p>
	After a number of arrests and hardware confiscations, most ransomware operators publicly stated they would not target critical infrastructure operators or healthcare organizations.
</p>

<p>
	 
</p>

<p>
	This year, one of the biggest ransomware attacks happened when a Russian group called Clop found a zero-day vulnerability in GoAnywhere MFT and used it to infect, as it claims, 130 organizations around the world. So far, dozens of firms confirmed suffering from a ransomware attack at the hands of Clop, including the Hatch Bank, Hitachi Energy, Saks Fifth Avenue, Procter &amp; Gamble, and others.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/this-new-ransomware-campaign-wants-millions-of-dollars-to-get-your-files-back" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14191</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Western Digital discloses network breach, My Cloud service down</title><link>https://nsaneforums.com/news/security-privacy-news/western-digital-discloses-network-breach-my-cloud-service-down-r14188/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Western Digital announced today that its network has been breached and an unauthorized party gained access to multiple company systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The California-based computer drive maker and provider of data storage services says in a press release that the network security incident was identified last Sunday, on March 26.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The investigation is in its early stages, and the company is coordinating efforts with law enforcement authorities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts,” Western Digital says in the disclosure.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Based on evidence found so far, the company believes that the intruder had access to some of the company data.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;">Based on the investigation to date, the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data. - <a href="http://www.businesswire.com/news/home/20230402005076/en/Western-Digital-Provides-Information-on-Network-Security-Incident" rel="external nofollow">Western Digital</a></span>
</div>

<h3>
	<span style="font-size:14px;">My Cloud service down</span>
</h3>

<p>
	<span style="font-size:14px;">In the wake of the attack, the storage maker has implemented additional security measures to safeguard its systems and operations. These steps may impact some of the Western Digital services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company said that the incident "has caused and may continue to cause disruption to parts of the Company’s business operations."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since Sunday, multiple users of Western Digital’s network-attached storage (NAS) service My Cloud <a href="https://twitter.com/iricigor/status/1642647923707060225" rel="external nofollow">have been reporting</a> they couldn't access their cloud-hosted media repositories.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the time of writing, trying to log into the service, including the Home version, shows a "503 Service Temporarily Unavailable" error.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">More than 24 hours have passed since the first reports of the outage, with cloud, proxy, web, authentication, emails, and push notifications being unavailable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The My Cloud service status page <a href="https://status.mycloud.com/os4" rel="external nofollow">notes</a> that the issue is affecting the following products: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, SanDisk Ixpand Wireless Charger.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="status-update.jpg" class="ipsImage" data-ratio="75.10" height="479" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Cloud/status-update.jpg" />
	<p>
		<span style="font-size:14px;">My Cloud status page (BleepingComputer)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">An update about the My Cloud outage is expected from Western Digital later today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted the company for additional comment about the network breach and will update this article when a statement is provided.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/western-digital-discloses-network-breach-my-cloud-service-down/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14188</guid><pubDate>Mon, 03 Apr 2023 17:14:46 +0000</pubDate></item><item><title>Fake ransomware gang targets U.S. orgs with empty data leak threats</title><link>https://nsaneforums.com/news/security-privacy-news/fake-ransomware-gang-targets-us-orgs-with-empty-data-leak-threats-r14177/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Sometimes the actors add the menace of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the message.</span>
</p>

<h3>
	<span style="font-size:14px;">Bad actors</span>
</h3>

<p>
	<span style="font-size:14px;">The attackers behind this activity use the name Midnight and have been targeting companies in the U.S. since at least March 16.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They have also impersonated some ransomware and data extortion gangs in emails and claimed to be the authors of the intrusion, stealing hundreds of gigabytes of important data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In one email to an employee of a holding company in the petroleum additives industry, the threat actor claimed to be the <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/#:~:text=Silent%20Ransom%20Group%20hits%20major%20firms%20with%20BazarCall" rel="external nofollow">Silent Ransom Group</a> (SRG) - a splinter of the Conti syndicate focused on stealing data and extorting the victim, also known as <a href="https://www.bleepingcomputer.com/news/security/new-luna-moth-hackers-breach-orgs-via-fake-subscription-renewals/" rel="external nofollow">Luna Moth</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The same message, however, used the name of another threat actor in the subject line, the <a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-24th-2021-no-rest-for-the-weary/#:~:text=New%20Surtr%20ransomware" rel="external nofollow">Surtr ransomware group</a>, first seen encrypting company networks in December 2021.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Midnight_Surtr-SilentRansom.png" class="ipsImage" data-ratio="75.10" height="437" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/Midnight_Surtr-SilentRansom.png" />
	<p>
		<span style="font-size:14px;">Midnight Group impersonating Surtr ransomware and Silent Ransom<br />
		source: BleepingComputer</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">BleepingComputer found another email from Midnight Group, professing that they were the authors of the data breach and that they stole 600GB of “essential data” from the servers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The messages were sent to the address of a senior financial planner that had left the target company more than half a year before.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="MidnightGroup_extortion.png" class="ipsImage" data-ratio="75.10" height="509" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/MidnightGroup_extortion.png" />
	<p>
		<span style="font-size:14px;">Midnight Group claiming to have stolen company data in cyberattack<br />
		source: BleepingComputer</span>
	</p>
</div>

<h3>
	<span style="font-size:14px;">Pending DDoS threat</span>
</h3>

<p>
	<span style="font-size:14px;">A report in late March from the managed detection and response division of Kroll, the corporate investigation and risk consulting firm, notes that some senders of similar emails also threatened DDoS attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Kroll investigators say that starting March 23, organizations filed an increasing number of reports about emails received under the Silent Ransom Group name.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It’s “a new wave of fake extortion attempts,” Kroll responders say in the report, adding that the authors use the names of better-known cybercriminals in an attempt to intimidate and give legitimacy to the threat.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“This method is cheap and easily conducted by low-skilled attackers. Much like 419 wire fraud scams, the scam relies on social engineering to extort victims by placing pressure on the victim to pay before a deadline. We expect this trend to continue indefinitely due to its cost effectiveness and ability to continue to generate revenue for cybercriminals” - Kroll</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Kroll has seen such incidents since 2021, although the activity dates back to early November 2019, when non-paying victims also experienced DDoS attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Those attacks were low-volume DDoS, accompanied by the threat of larger ones unless the extortionists were paid.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Such incidents echo the activity of an extortion group that in 2017 sent <a href="https://www.bleepingcomputer.com/news/security/ddos-extortion-group-sends-ransom-demand-to-thousands-of-companies/" rel="external nofollow">DDoS threats to thousands of companies</a> under the names of infamous hacker groups at the time (e.g. New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous).</span>
</p>

<h3>
	<span style="font-size:14px;">Targeting ransomware attack victims</span>
</h3>

<p>
	<span style="font-size:14px;">Another report from incident response company Arete confirms Kroll’s observations about Midnight Group’s fraudulent emails impersonating Surtr and SRG and the larger number of messages delivered in the weeks before March 24.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">From its own visibility, though, Arete’s incident responders observed that Midnight targeted organizations that had previously been victims of a ransomware attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to Arete’s analysts, the initial attackers include QuantumLocker (currently rebranded as DagonLocker), Black Basta, and Luna Moth.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://areteir.com/" rel="external nofollow">Arete</a> says that at least 15 of its current and former clients received fake threats from the Midnight Group, whose data-theft claims were backed only by vague details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It is unclear how victims are selected but one possibility is from publicly available sources, such as the initial attacker’s data leak site, social media, news reports, or company disclosures.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Arete notes that the fake attacker identified some ransomware victims even when the info was not publicly available, possibly indicating collaboration with the initial intruders.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Ransomware actors often sell the data they steal from victims even when they get paid. If Midnight Group has access to the markets and forums where this data is traded or sold they could learn about ransomware victims that have yet to disclose the cyberattack.</span>
</p>

<h3>
	<span style="font-size:14px;">Empty threats since 2019</span>
</h3>

<p>
	<span style="font-size:14px;">Midnight Group’s extortion scam is not new. Ransomware incident response company Coveware observed the tactic in 2019 and calls it <a href="https://www.coveware.com/blog/2019/11/19/phantom-incident-extortion-scam-threatens-release-of-corporate-pii" rel="external nofollow">Phantom Incident Extortion</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Coveware explains that the threat actor tries to give credibility to the threat by using data that is unique to the recipient target, adds the pressure of a costly outcome, and demands payment that is far less than the damage of public exposure.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">All three components are the mainstays of a phantom incident extortion (PIE) and, taken together, a clear indication of an empty threat.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Coveware initially provided four examples of PIE scams and updated the report only recently with a sample email from the Midnight Group.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">All three companies assess that Midnight Group’s threats are part of a fraud campaign. Arete’s attempt to engage with the actor resulted in no response or evidence of stolen data from the actor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The recommendation is to carefully analyze such emails to recognize the components of a phantom incident extortion message and dismiss them as an empty threat.</span>
</p>
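<p>
	<span style="font-size:14px;">As an added illustration of the triage the three responders recommend (example code written for this page, not Coveware’s, Kroll’s or Arete’s tooling), the script below scores a constructed extortion email against the PIE components described above: group names that disagree between subject and body, a claimed data volume with nothing checkable attached, a hard deadline, and delivery to a mailbox whose owner has left. The sample message, the departed-mailbox set, the brand list and the score threshold are all assumptions made for the example. A high score is a reason to treat the mail as an empty threat; it is not a substitute for checking your own logs for a real intrusion.</span>
</p>

```python
import re
from dataclasses import dataclass, field

# Constructed sample message of the kind described above (not a real email).
SAMPLE_EMAIL = {
    "subject": "Surtr ransomware: your network has been breached",
    "to": "j.doe@example-corp.test",
    "body": (
        "We are the Silent Ransom Group. We have stolen 600GB of essential data "
        "from your servers. You have 48 hours to contact us or everything will be "
        "published. Pay 5 BTC to avoid this."
    ),
}

# Hypothetical set of mailboxes belonging to people who have left the company;
# in practice this comes from the HR or identity system.
DEPARTED_MAILBOXES = {"j.doe@example-corp.test"}

# Group names the article says are being borrowed; extend from your own threat intel.
KNOWN_BRANDS = ["silent ransom", "luna moth", "surtr", "black basta",
                "quantumlocker", "dagonlocker", "conti"]


@dataclass
class TriageResult:
    score: int = 0
    indicators: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Three or more PIE components present: treat as an empty threat (assumed threshold).
        return "likely phantom incident extortion" if self.score >= 3 else "needs investigation"


def brands_mentioned(text: str) -> set:
    low = text.lower()
    return {b for b in KNOWN_BRANDS if b in low}


def has_verifiable_proof(body: str) -> bool:
    """A genuine extortionist normally attaches something checkable: a file
    listing, a hash, a sample document name or a link to a leak page."""
    patterns = [
        r"\b[a-f0-9]{32,64}\b",                         # MD5 / SHA-1 / SHA-256 style hash
        r"https?://\S+",                                 # link to a leak page or sample
        r"\b[\w\-]+\.(?:xlsx|docx|pdf|sql|zip|csv)\b",   # concrete file names
    ]
    return any(re.search(p, body, re.I) for p in patterns)


def triage(email: dict) -> TriageResult:
    """Score an extortion email against the PIE components: borrowed and
    inconsistent group names, unverifiable theft claims, deadline pressure,
    and delivery to stale contact data."""
    r = TriageResult()
    subject, body, to = email["subject"], email["body"], email["to"].lower()

    subj_brands, body_brands = brands_mentioned(subject), brands_mentioned(body)
    if subj_brands and body_brands and subj_brands.isdisjoint(body_brands):
        r.score += 1
        r.indicators.append(
            f"inconsistent group names: subject {sorted(subj_brands)} vs body {sorted(body_brands)}")

    if re.search(r"\b\d+\s*(?:GB|TB)\b", body, re.I) and not has_verifiable_proof(body):
        r.score += 1
        r.indicators.append("data volume claimed without any checkable proof")

    if re.search(r"\b\d+\s*(?:hours?|days?)\b", body, re.I):
        r.score += 1
        r.indicators.append("hard deadline used to pressure payment")

    if to in DEPARTED_MAILBOXES:
        r.score += 1
        r.indicators.append("addressed to a departed employee's mailbox")

    return r


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result.verdict, result.score, *result.indicators, sep="\n  ")
```

<p>
	<span style="font-size:14px;">The proof check is deliberately the load-bearing part: a message that names a real file, hash or leak page deserves an actual investigation regardless of how many of the other indicators it trips, which is why the volume claim only counts when nothing checkable accompanies it.</span>
</p>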

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fake-ransomware-gang-targets-us-orgs-with-empty-data-leak-threats/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14177</guid><pubDate>Sun, 02 Apr 2023 18:58:53 +0000</pubDate></item><item><title>Are Smart Locks More Secure Than Traditional Locks?</title><link>https://nsaneforums.com/news/security-privacy-news/are-smart-locks-more-secure-than-traditional-locks-r14173/</link><description><![CDATA[<h3>
	You may be wondering about the advantages of smart locks and if they are secure. You may also be concerned about what would happen if your phone ran out of battery, leaving you unable to access your home.
</h3>

<p>
	<img alt="Everything-You-Need-to-Know-About-Smart-" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/Everything-You-Need-to-Know-About-Smart-Locks-5-scaled.jpg">
</p>

<p>
	 
</p>

<p>
	Smart homes are becoming increasingly popular, and one aspect of this trend is the integration of smart door locks. The global smart lock market was valued at $1.4 billion in 2020 and is projected to grow by about 20% a year through 2028, which suggests that many people have already adopted smart locks and feel secure using them.
</p>

<p>
	 
</p>

<p>
	Smart locks are not entirely new, but they are an upgrade over the standard locks found in most homes, so spending a few hundred dollars on your door's locking mechanism may not seem like a priority.
</p>

<p>
	 
</p>

<p>
	However, if smart locks improve your daily life and provide additional convenience and security, it may be worth considering the upgrade. In this article, we will explore the benefits of smart locks and what they can offer to you as a homeowner.
</p>

<h2>
	What is a smart lock?
</h2>

<p>
	When we talk about smart locks, we are referring to a category of devices with a wide range of functionalities. At its core, a smart lock is an electronically powered lock that can be operated wirelessly. If you've stayed at a hotel in recent years, chances are you've used a smart lock.
</p>

<p>
	 
</p>

<p>
	Smart locks can be operated in various ways, including keycards, codes, fingerprints, smartphone apps, home assistants, or a combination of these options. Some even allow for the use of a standard key as a backup.
</p>

<p>
	 
</p>

<p>
	Smart locks are not limited to front doors; they can replace almost any traditional lock and are available in various forms, such as deadbolts, padlocks, and drawer locks. However, smart locks designed for doors typically offer more features and provide better security.
</p>

<p>
	 
</p>

<p>
	Overall, smart locks offer flexibility and convenience in terms of access control. With various options available for operation, users can choose the method that suits their needs best. Additionally, the ability to remotely control the lock via a smartphone app or home assistant adds an extra layer of convenience.
</p>

<p>
	 
</p>

<p>
	<img alt="Everything-You-Need-to-Know-About-Smart-" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/Everything-You-Need-to-Know-About-Smart-Locks-1-scaled.webp">
</p>

<h2>
	How do smart locks work?
</h2>

<p>
	Typically, smart locks are powered by batteries, with a lifespan of 10 months to a year, depending on the battery type, smart lock model, and frequency of use. These devices are equipped with an electronic motor that turns the lock mechanism automatically, mimicking the action of using a key or turning a thumb turn.
</p>

<p>
	 
</p>

<p>
	Smart locks that come with a keypad allow users to set a personalized code for quick access. Moreover, most modern smart locks can connect to your home's Wi-Fi network for easy integration into your smart home system. Bluetooth connectivity is also a common feature in many smart locks, allowing for direct connection to your mobile device.
</p>

<p>
	 
</p>

<p>
	To ensure that you never get locked out due to a dead battery, most smart locks come with backup systems such as a manual keyway or the ability to attach a nine-volt battery should the internal battery fail.
</p>

<p>
	 
</p>

<p>
	Overall, smart locks offer a secure and convenient way to control access to your home, with various features that provide added convenience and peace of mind.
</p>

<p>
	 
</p>

<p>
	<img alt="Everything-You-Need-to-Know-About-Smart-" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/Everything-You-Need-to-Know-About-Smart-Locks-2-scaled.webp">
</p>

<h2>
	What are the benefits of using smart locks?
</h2>

<p>
	One of the primary advantages of smart locks is the ability to access your home or office without the need for a physical key. Instead, you can use a keypad, smartphone app, or biometric scanner, making it a hassle-free and time-saving solution, especially if you tend to lose or forget your keys.
</p>

<p>
	 
</p>

<p>
	Another feature of smart locks is remote access, allowing you to lock and unlock your door via a smartphone app, even when you're not at home. This feature can be useful when granting access to guests or service people, or if you need to let someone in while you're away on vacation.
</p>

<p>
	 
</p>

<p>
	Smart locks can also integrate with other smart home devices, such as security cameras and voice assistants like Amazon Alexa and Google Assistant, enabling you to control your entire home using your voice or smartphone.
</p>

<p>
	 
</p>

<p>
	In terms of security, many smart locks offer advanced features such as tamper alarms and automatic lockout after too many failed attempts. Additionally, real-time alerts can be sent to your smartphone if someone attempts to tamper with the lock or enters an incorrect code. Smart locks can also provide activity logs that track who entered and exited your home and when, increasing your ability to monitor your property.
</p>
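<p>
	To make the lockout and activity-log features concrete, here is an added example (not code from the article or from any lock vendor) of the access-control logic a keypad lock might run: the code is stored only as a salted PBKDF2 hash, the comparison is constant-time, five wrong codes lock the keypad for a minute, and every attempt is written to a log. The thresholds and the <code>now</code> parameter (an injectable clock so the lockout can be tested without waiting) are assumptions chosen for the example.
</p>

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 5          # wrong codes allowed before the keypad locks (assumed value)
LOCKOUT_SECONDS = 60      # how long the keypad stays locked (assumed value)
PBKDF2_ROUNDS = 100_000


@dataclass
class LockState:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    log: list = field(default_factory=list)   # (timestamp, event) activity log


def _derive(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(pin: str) -> LockState:
    """Store only a salted PBKDF2 hash of the code, never the code itself,
    so a dumped flash image does not hand an attacker the PIN."""
    salt = os.urandom(16)
    return LockState(salt=salt, pin_hash=_derive(pin, salt))


def try_unlock(state: LockState, pin: str, now: Optional[float] = None) -> bool:
    """Return True if the bolt should retract. Wrong codes are counted, the keypad
    locks after MAX_FAILURES of them, and every attempt is logged."""
    now = time.time() if now is None else now
    if now < state.locked_until:
        state.log.append((now, "rejected: keypad locked out"))
        return False
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(_derive(pin, state.salt), state.pin_hash):
        state.failures = 0
        state.log.append((now, "unlocked"))
        return True
    state.failures += 1
    state.log.append((now, f"wrong code (failure {state.failures})"))
    if state.failures >= MAX_FAILURES:
        state.failures = 0
        state.locked_until = now + LOCKOUT_SECONDS
        state.log.append((now, f"locked out for {LOCKOUT_SECONDS}s"))
    return False


if __name__ == "__main__":
    lock = enroll("4815")
    for code in ["0000", "1111", "4815"]:
        print(code, "->", "open" if try_unlock(lock, code) else "denied")
    for ts, event in lock.log:
        print(f"{ts:.0f}: {event}")
```

<p>
	Note what the lockout buys and what it does not: it turns a four-digit code from something guessable in minutes into something that takes hours per lock, but it does nothing against a stolen phone or a weak app login, which is why the article's advice to secure the rest of your smart-home setup matters as much as the lock itself.
</p>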

<p>
	 
</p>

<p>
	Smart locks can also provide added convenience by automatically unlocking your door as you approach it with your smartphone. They offer a range of benefits that make life easier and more secure. It's crucial to select a reputable brand and model, and to follow best practices for securing your smart home devices.
</p>

<p>
	 
</p>

<p>
	<img alt="Everything-You-Need-to-Know-About-Smart-" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/Everything-You-Need-to-Know-About-Smart-Locks-3-scaled.webp">
</p>

<h2>
	What are the drawbacks of using smart locks?
</h2>

<p>
	While smart locks offer many benefits, they also come with potential drawbacks that should be taken into consideration before making a purchasing decision. One significant concern is the vulnerability of smart locks to hacking, which could lead to unauthorized access to your home or office. While manufacturers strive to secure their devices, there is always a risk of exploitation by determined hackers.
</p>

<p>
	 
</p>

<p>
	Another potential issue is the dependence on technology. Smart locks require power, software, and connectivity, which means that a power outage, software glitch, or connectivity issue could prevent you from entering your home or office. In contrast, traditional locks are mechanical and don't rely on electricity or an internet connection to function.
</p>

<p>
	 
</p>

<p>
	Compatibility issues may arise with some smart locks, as they may not be compatible with all types of doors or hardware, which could make installation difficult or impossible without significant modifications. Additionally, some models may not be compatible with certain smartphones or operating systems, which could limit their use.
</p>

<p>
	 
</p>

<p>
	Smart locks can also be more expensive than traditional locks, and some models require ongoing subscriptions or fees for access to certain features or services. Moreover, user error with smart locks can occur, such as forgetting a smartphone or accidentally disabling a security feature.
</p>

<p>
	 
</p>

<p>
	Privacy concerns are another potential drawback of smart locks, as they collect data on who enters and exits your home or office, which could raise privacy concerns for some users. Furthermore, if the smart lock is integrated with other smart home devices, personal data could be compromised if the system is hacked or breached.
</p>

<p>
	 
</p>

<p>
	It is important to weigh the pros and cons carefully when considering the purchase of a smart lock. While they offer many benefits, there are also potential drawbacks that should be taken into account before making a decision.
</p>

<p>
	 
</p>

<p>
	<img alt="Everything-You-Need-to-Know-About-Smart-" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/Everything-You-Need-to-Know-About-Smart-Locks-4-scaled.webp">
</p>

<h2>
	Are smart locks more secure than standard locks?
</h2>

<p>
	Contrary to popular belief, smart locks can be more secure than traditional locks. While anyone can learn how to pick a traditional lock with the help of online resources, hacking into a Wi-Fi network to gain access to a smart lock requires a higher level of expertise.
</p>

<p>
	 
</p>

<p>
	Furthermore, a strong door with a traditional lock can still be vulnerable to break-ins through nearby windows or other points of entry. The truth is, if a burglar is determined to enter your home, they will find a way. However, most burglars are opportunistic and seek easy targets. A smart lock that locks your door effectively can be just as secure as a traditional lock.
</p>

<p>
	 
</p>

<p>
	What sets smart locks apart is their ability to interact with your home security system and provide remote access. If your smart lock is connected to your home security system and a doorbell camera, it can trigger both devices if someone attempts to force their way in. You will receive an alert and a visual of the burglar, while your alarm system contacts the authorities.
</p>

<p>
	 
</p>

<p>
	Leaving a key under a garden gnome or a package on your porch can be risky, and a smart lock can provide a safer solution. For instance, unlocking your door remotely for someone who needs to access your home briefly can be a more secure option than leaving a key outside.
</p>

<h2>
	Smart locks are the future of home security
</h2>

<p>
	Smart locks offer various security benefits that traditional locks cannot provide. While no security system is completely foolproof, a smart lock integrated into a comprehensive security system can provide additional layers of protection for your home.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/04/02/are-smart-locks-more-secure-than-traditional-locks/" rel="external nofollow">Are Smart Locks More Secure Than Traditional Locks?</a>
</p>
]]></description><guid isPermaLink="false">14173</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Lazarus Heist: The intercontinental ATM theft that netted $14m in two hours</title><link>https://nsaneforums.com/news/security-privacy-news/lazarus-heist-the-intercontinental-atm-theft-that-netted-14m-in-two-hours-r14146/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Imagine you're a low-wage worker in India who is offered a day's employment as an extra in a Bollywood film. Your role? To go to a cash point and withdraw some money.</strong></span>
</p>

<p>
	 
</p>

<p>
	In 2018, several men in Maharashtra state thought they were accepting a bit-part in a movie - but in fact they were being tricked into being money mules, collecting cash in an ambitious bank heist.
</p>

<p>
	 
</p>

<p>
	The raid took place over a weekend in August 2018, and centred on Cosmos Co-operative bank, which has its headquarters in Pune.
</p>

<p>
	 
</p>

<p>
	On a quiet Saturday afternoon, staff in the bank's head office suddenly received a string of alarming messages.
</p>

<p>
	 
</p>

<p>
	They were from the card payment company Visa in the United States, warning it could see thousands of demands flooding in for large cash withdrawals from ATMs - by people apparently using Cosmos Bank cards.
</p>

<p>
	 
</p>

<p>
	But when the Cosmos team checked their own systems, they saw no abnormal transactions.
</p>

<p>
	 
</p>

<p>
	About half-an-hour later, just to be safe, they authorised Visa to stop all transactions from Cosmos bank cards. This delay would turn out to be extremely costly.
</p>

<p>
	 
</p>

<p>
	The next day, Visa shared the full list of suspect transactions with the Cosmos head office: about 12,000 separate withdrawals from different ATMs around the world.
</p>

<p>
	 
</p>

<p>
	The bank had lost nearly $14m (£11.5m).
</p>

<p>
	 
</p>

<p>
	It was an audacious crime characterised by its grand scale and meticulous synchronisation. Criminals had plundered ATMs in 28 different countries, including the United States, the UK, the United Arab Emirates and Russia. It all happened in the space of just two hours and 13 minutes - an extraordinary global flash mob of crime.
</p>

<p>
	 
</p>

<p>
	Eventually, investigators would trace its origins back to a shadowy group of hackers who had pulled off a succession of previous stings seemingly at the behest of the North Korean state.
</p>

<p>
	 
</p>

<p>
	But before they knew the wider picture, investigators at the Maharashtra cyber-crime unit were amazed to see CCTV footage of dozens of men walking up to a series of cashpoints, inserting bank cards and stuffing the notes into bags.
</p>

<p>
	 
</p>

<p>
	"We were not aware of a money mule network like this," says Insp Gen Brijesh Singh, who led the investigation.
</p>

<p>
	 
</p>

<p>
	One gang had a handler who monitored the ATM transactions in real time on a laptop, Singh says. CCTV footage showed that whenever a money mule tried to keep some of the cash for himself, the handler would spot it and give him a hard slap.
</p>

<p>
	 
</p>

<p>
	Using the CCTV footage as well as mobile phone data from the areas near the ATMs, the Indian investigators were able to arrest 18 suspects in the weeks after the raid. Most are now in prison, awaiting trial.
</p>

<p>
	 
</p>

<p>
	Singh says these men weren't hardened crooks. Among those arrested were a waiter, a driver and a shoe-maker. Another had a pharmacy degree.
</p>

<p>
	 
</p>

<p>
	"They were gentle people," he says.
</p>

<p>
	 
</p>

<p>
	Despite this, he thinks that by the time the raid happened, even the men recruited as "extras" knew what they were really doing.
</p>

<p>
	 
</p>

<p>
	But did they know who they were working for?
</p>

<p>
	 
</p>

<p>
	Investigators believe that the secretive and isolated state of North Korea was behind the heist.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="_129225264_bbc_tlh_art_976x.jpg.webp" class="ipsImage" data-ratio="30.14" height="160" width="720" src="https://ichef.bbci.co.uk/news/976/cpsprodpb/B4AC/production/_129225264_bbc_tlh_art_976x.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Hackers, North Korea and billions of dollars. </em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	North Korea is one of the poorest nations in the world, yet a significant portion of its limited resources goes toward the building of nuclear weapons and ballistic missiles, activity that is banned by the UN Security Council. As a result, the UN has placed the country under onerous sanctions, making trade highly restrictive.
</p>

<p>
	 
</p>

<p>
	Since coming to power 11 years ago, North Korean leader Kim Jong Un has overseen an unprecedented campaign of weapons testing, including four nuclear tests and several provocative bids to test-launch intercontinental missiles.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="_129237298_c813f1fb-4ecd-40d5-a1cf-d982b" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://ichef.bbci.co.uk/news/976/cpsprodpb/15CB9/production/_129237298_c813f1fb-4ecd-40d5-a1cf-d982bd037ccd.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>North Korean leader Kim Jong-un inspects nuclear warheads</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	US authorities believe North Korea's government is using a group of elite hackers to break into banks and financial institutions around the world to steal the money it needs to keep the economy afloat and finance the weapons programme.
</p>

<p>
	 
</p>

<p>
	The hackers, nicknamed the Lazarus Group, are believed to belong to a unit directed by North Korea's powerful military intelligence agency, the Reconnaissance General Bureau.
</p>

<p>
	 
</p>

<p>
	Cyber-security experts named the hackers after the biblical figure Lazarus, who comes back from the dead - because once their viruses get inside computer networks, they are almost impossible to kill off.
</p>

<p>
	 
</p>

<p>
	The group first sprang to international prominence when then-US President Barack Obama accused North Korea of hacking into Sony Pictures Entertainment's computer network in 2014. The FBI accused hackers of waging the damaging cyber-attack in retaliation for "The Interview", a comedy that depicted the assassination of Kim Jong Un.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="_129238606_976xgettyimages-460641576.jpg" class="ipsImage" data-ratio="75.10" height="485" width="720" src="https://ichef.bbci.co.uk/news/976/cpsprodpb/ED0B/production/_129238606_976xgettyimages-460641576.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Workers remove a billboard poster for "The Interview" after Sony announced it was cancelling the movie's Christmas release</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The Lazarus Group has since been accused of trying to steal $1bn (£815m) from Bangladesh's central bank in 2016, and of launching the WannaCry cyber-attack, which attempted to extract ransoms from victims around the world, including the NHS in Britain.
</p>

<p>
	 
</p>

<p>
	North Korea strongly denies the Lazarus Group's existence, and all allegations of state-sponsored hacking.
</p>

<p>
	 
</p>

<p>
	But leading law enforcement agencies say North Korea's hacks are more advanced, more brazen and more ambitious than ever.
</p>

<p>
	 
</p>

<p>
	For the Cosmos heist, the hackers used a technique known as "jackpotting" - so-called because getting the ATM to spill its cash is like hitting the jackpot on a slot machine.
</p>

<p>
	 
</p>

<p>
	The bank's systems were initially compromised in the classic way: a phishing email opened by an employee infected the computer network with malware. Once inside, the hackers manipulated a piece of software called the ATM switch, the component that relays each cashpoint withdrawal request to the bank for approval and returns the answer.
</p>

<p>
	 
</p>

<p>
	This gave the hackers the power to approve ATM withdrawals by their accomplices anywhere in the world. The one thing they couldn't change was the maximum amount per withdrawal, so they needed a lot of cards and a lot of people on the ground.
</p>

<p>
	 
</p>

<p>
	In preparation for the raid, they worked with accomplices to create "cloned" ATM cards - using genuine bank account data to create duplicate cards that can be used in ATMs.
</p>
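<p>
	A detection counterpart to the cash-out described above, added for this page (it is not Visa's, Cosmos Bank's or BAE's logic): a sliding-window check over ATM authorization records that raises an alert when one issuer's cards are being drawn on in many countries within a few minutes. The window, the thresholds and the sample records are constructed assumptions. In the Cosmos case the first warning came from the card network rather than from the bank's own systems, so a check like this belongs wherever the approvals can actually be observed.
</p>

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    card: str       # masked card number
    country: str    # country of the ATM
    amount: float


# Assumed thresholds; tune against an issuer's normal traffic.
WINDOW = timedelta(minutes=10)
MIN_COUNT = 20
MIN_COUNTRIES = 5


def detect_cashout_bursts(events: Iterable[Withdrawal],
                          window: timedelta = WINDOW,
                          min_count: int = MIN_COUNT,
                          min_countries: int = MIN_COUNTRIES) -> List[Tuple[datetime, int, List[str]]]:
    """Slide a time window over the authorizations in order and raise one alert
    per burst: the first moment the window holds at least min_count withdrawals
    spread over at least min_countries countries. A coordinated cash-out looks
    like this; a single customer travelling abroad does not."""
    buf: deque = deque()
    alerts = []
    alarmed = False
    for ev in sorted(events, key=lambda e: e.ts):
        buf.append(ev)
        while buf and ev.ts - buf[0].ts > window:
            buf.popleft()
        countries = {e.country for e in buf}
        over = len(buf) >= min_count and len(countries) >= min_countries
        if over and not alarmed:
            alerts.append((ev.ts, len(buf), sorted(countries)))
            alarmed = True
        elif not over:
            alarmed = False
    return alerts


def constructed_sample() -> List[Withdrawal]:
    """Constructed data: a day of ordinary domestic withdrawals followed by a
    burst of 40 withdrawals in under five minutes across eight countries."""
    base = datetime(2018, 8, 11, 12, 0)
    events = [Withdrawal(base + timedelta(minutes=30 * i), f"****{1000 + i}", "IN", 100.0)
              for i in range(24)]
    burst_start = base + timedelta(hours=15)
    countries = ["US", "GB", "AE", "RU", "CA", "HK", "ES", "JP"]
    events += [Withdrawal(burst_start + timedelta(seconds=7 * i), f"****{5000 + i}",
                          countries[i % 8], 500.0)
               for i in range(40)]
    return events


if __name__ == "__main__":
    for ts, count, countries in detect_cashout_bursts(constructed_sample()):
        print(f"{ts}: {count} withdrawals across {countries}")
```

<p>
	The two conditions are combined on purpose: volume alone fires on a busy payday, and geographic spread alone fires on a handful of travellers, but thousands of approvals from dozens of countries inside minutes is the signature of mules working a synchronized schedule, and the alert arrives at the twentieth withdrawal rather than after the twelve-thousandth.
</p>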

<p>
	 
</p>

<p>
	British security company BAE Systems immediately suspected it was the work of the Lazarus Group. It had been monitoring them for months and knew they were plotting to attack an Indian bank. It just didn't know which one.
</p>

<p>
	 
</p>

<p>
	"It would have been too much of a coincidence for it to have been another criminal operation," says BAE security researcher Adrian Nish. The Lazarus Group are versatile and very ambitious, he says. "Most criminal groups would probably be happy enough to get away with a couple of million and stop at that."
</p>

<p>
	 
</p>

<p>
	The logistics involved in the Cosmos Bank heist are staggering. How did the hackers find accomplices on the ground in 28 countries, including many that North Korean citizens can't legally visit?
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="_129238609_976xgettyimages-509065854.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://ichef.bbci.co.uk/news/976/cpsprodpb/1623B/production/_129238609_976xgettyimages-509065854.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>North Korean citizens cannot travel freely</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	US tech security investigators believe the Lazarus Group met one key facilitator on the dark web, where there are entire forums dedicated to swapping hacking skills and where criminals often sell support services. In February 2018, a user calling himself Big Boss posted tips on how to carry out credit card fraud. He also said he had the equipment to make cloned ATM cards, and that he had access to a group of money mules in the United States and Canada.
</p>

<p>
	 
</p>

<p>
	This was precisely the service the Lazarus Group needed for their hit on Cosmos Bank, and they started working with Big Boss.
</p>

<p>
	 
</p>

<p>
	We asked Mike DeBolt, chief intelligence officer at Intel 471 - a tech security firm in the US - to find out more about this accomplice.
</p>

<p>
	 
</p>

<p>
	DeBolt's team discovered that Big Boss had been active for at least 14 years and had a string of aliases: G, Habibi, and Backwood. The security sleuths managed to link him to all these usernames, as he used the same email address in different forums.
</p>

<p>
	 
</p>

<p>
	"Basically, he's being lazy," says DeBolt. "We see this pretty commonly: actors change their alias on a forum, but keep the same email address."
</p>

<p>
	 
</p>

<p>
	In 2019, Big Boss was arrested in the United States and unmasked as Ghaleb Alaumary, a 36-year-old Canadian. He pleaded guilty to offences including laundering funds from alleged North Korean bank heists, and was sentenced to 11 years, eight months.
</p>

<p>
	 
</p>

<p>
	North Korea has never admitted any involvement in the Cosmos Bank job, or any other hacking scheme. The BBC put allegations of involvement in the Cosmos attack to North Korea's embassy in London but received no reply.
</p>

<p>
	 
</p>

<p>
	However, when we contacted him previously, ambassador Choe Il replied that the allegations of North Korean state-sponsored hacking and money laundering are "a farce", and an attempt by the US to "tarnish the image of our state".
</p>

<p>
	 
</p>

<p>
	In February 2021, the FBI, the US Secret Service and Department of Justice announced charges against three suspected Lazarus Group hackers: Jon Chang Hyok, Kim Il and Park Jin Hyok, whom they said work for North Korea's military intelligence agency. They are now thought to be back in Pyongyang.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="_117029975_northkorea_hackers.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://ichef.bbci.co.uk/news/976/cpsprodpb/E288/production/_117029975_northkorea_hackers.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Kim Il, Park Jin Hyok, and Jon Chang Hyok</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	US and South Korean authorities estimate North Korea has up to 7,000 trained hackers. It is unlikely that they all work from inside the country, where few people have permission to use the internet, making users' activities difficult to conceal. Instead, they're often sent overseas.
</p>

<p>
	Ryu Hyeon Woo, a former North Korean diplomat and one of the most senior people to have left the regime, provided insight into how the hackers work abroad.
</p>

<p>
	 
</p>

<p>
	In 2017, he was working at the North Korean embassy in Kuwait, helping to oversee the employment of some 10,000 North Koreans in the region. At the time, many were working on construction sites across the Gulf and, like all North Korean workers, were required to hand over most of their wages to the regime.
</p>

<p>
	 
</p>

<p>
	He said his office received a daily call from a North Korean handler who was overseeing 19 hackers living and working in cramped quarters in Dubai. "That's really all they need: a computer that's connected to the internet," he said.
</p>

<p>
	 
</p>

<p>
	North Korea denies having any hackers posted abroad, only IT workers with valid visas. But Mr Ryu's description fits with FBI allegations about how these cyber-units operate from dormitories around the world.
</p>

<p>
	 
</p>

<p>
	In September 2017, the UN Security Council imposed the strictest sanctions yet on North Korea, limiting fuel imports, further restricting exports, and demanding that UN member nations send North Korean workers home by December 2019.
</p>

<p>
	 
</p>

<p>
	Yet the hackers still appear to be active. They are now targeting crypto-currency companies, and are estimated to have stolen close to $3.2 bn.
</p>

<p>
	US authorities have called them "the world's leading bank robbers", using "keyboards rather than guns".
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bbc.com/news/world-65130220" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14146</guid><pubDate>Sat, 01 Apr 2023 15:54:03 +0000</pubDate></item><item><title>This Bing flaw let hackers change search results and steal your files</title><link>https://nsaneforums.com/news/security-privacy-news/this-bing-flaw-let-hackers-change-search-results-and-steal-your-files-r14143/</link><description><![CDATA[<p>
	A security researcher was recently able to change the top results in Microsoft’s Bing search engine and access any user’s private files, potentially putting millions of users at risk — and all it took was logging into an unsecured web page.
</p>

<p>
	 
</p>

<p>
	The exploit was discovered by researcher Hillai Ben-Sasson and their team at Wiz, a cloud security firm. According to Ben-Sasson, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users’ private files and data.
</p>

<p>
	 
</p>

<p>
	Dubbed BingBang by the research group, the vulnerability centered on Microsoft’s Azure Active Directory, which is used by enterprises to manage user identities and access to apps. Unfortunately, if an app is misconfigured, any Azure user in the world can log into it without the proper credentials.
</p>

<p>
	 
</p>

<p>
	Shockingly, the researchers noted in a technical analysis of the bug that up to 25% of all multi-user apps they scanned were vulnerable — including a Microsoft app named Bing Trivia.
</p>

<p>
	 
</p>

<p>
	After exploiting the flaw to log into the Bing Trivia app, the Wiz team found a content management system (CMS) tied to Bing.com that was controlling the search engine’s live results. With a touch of humor, they then altered one of the entries, changing the top result for ‘best soundtracks’ from the Dune score to that from the 1995 movie Hackers.
</p>

<p>
	 
</p>

<p>
	However, there’s nothing funny about what this flaw implies. As the researchers explained, “a malicious actor landing on the Bing Trivia app page could therefore have tampered with any search term and launched misinformation campaigns, as well as phished and impersonated other websites.”
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Stealing private files and emails</strong></span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Microsoft-BingBang-exploit.jpg?fit=720,4" class="ipsImage" data-ratio="66.67" height="480" width="720" src="https://www.digitaltrends.com/wp-content/uploads/2023/03/Microsoft-BingBang-exploit.jpg?fit=720,480&amp;p=1" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Wiz</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	What’s more, the researchers were able to add a harmless cross-site scripting (XSS) payload into Bing while they were logged in. This was able to run as expected, without interference. After reporting the issue to Microsoft, the researchers tried modifying this XSS payload to see what was possible.
</p>

<p>
	 
</p>

<p>
	Because Bing integrates with Microsoft 365, the Wiz team was able to create a script that could potentially steal a logged-in user’s access tokens, granting them access to that user’s cloud data. That could include Outlook emails, calendars, Teams messages, OneDrive files, and more.
</p>

<p>
	Put together, that means a hacker could have the power to redirect Bing search results to a malicious website, and at the same time harvest private data from any user logged in on a Microsoft 365 account. All from exploiting a simple login vulnerability.
</p>

<p>
	 
</p>

<p>
	Fortunately, the researchers immediately reported the flaw to Microsoft and it was patched shortly afterward, resulting in a $40,000 bug bounty reward. Yet it remains an alarming example of how little effort can be required to steal private data from millions of unsuspecting users.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.digitaltrends.com/computing/bing-exploit-change-search-results-steal-files/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14143</guid><pubDate>Sat, 01 Apr 2023 01:14:58 +0000</pubDate></item><item><title>Researchers warn of Wi-Fi security flaw affecting iOS, Android, Linux</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-warn-of-wi-fi-security-flaw-affecting-ios-android-linux-r14142/</link><description><![CDATA[<p>
	<span style="font-size:22px;">The vulnerability could let attackers hijack network traffic; iOS, Linux, and Android devices may be affected.</span>
</p>

<p>
	 
</p>

<p>
	Apple’s decision to support MAC Address Randomization across its platforms may provide some degree of protection against a newly-identified Wi-Fi flaw researchers say could let attackers hijack network traffic. iOS, Linux, and Android devices may be vulnerable.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>The problem is how the standard handles power-saving</strong></span>
</p>

<p>
	 
</p>

<p>
	The researchers have identified a fundamental flaw in the design of the IEEE 802.11 Wi-Fi standard attackers could exploit to trick access points (Wi-Fi base stations) into leaking information. The researchers do not claim the vulnerability is being actively exploited, but warn that it might enable the interception of network traffic.
</p>

<p>
	 
</p>

<p>
	The attack exploits an inherent vulnerability in the data containers (network frames) routers rely on to move information across the network and how access points handle devices that enter power-saving mode.
</p>

<p>
	<br />
	To achieve the attack, miscreants must forcibly disconnect the victim device before it properly connects to the network, spoof the MAC address of the device to connect to the network using the attacker’s credentials, then grab the response. The vulnerability exploits on-device power-save behavior within the Wi-Fi standard to force data to be shared in unencrypted form.
</p>

<p>
	 
</p>

<p>
	The researchers have published an open source tool called MacStealer to test Wi-Fi networks for the vulnerability.
</p>

<p>
	 
</p>

<p>
	Cisco downplayed the report, saying “information gained by the attacker would be of minimal value in a securely configured network."
</p>

<p>
	 
</p>

<p>
	The company does, however, recommend that network admins take action: “To reduce the probability that the attacks that are outlined in the paper will succeed, Cisco recommends using policy enforcement mechanisms through a system like Cisco Identity Services Engine (ISE), which can restrict network access by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.
</p>

<p>
	 
</p>

<p>
	"Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” the company said.
</p>

<p>
	 
</p>

<p>
	The security researchers point out that denial-of-service attacks against Wi-Fi access points have been around forever, arguing that the 802.11 standard needs to be upgraded to meet new security threats. “Altogether, our work highlights the need for the standard to consider queuing mechanisms under a changing security context,” they wrote.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>MAC Address Randomization</strong></span>
</p>

<p>
	 
</p>

<p>
	Apple recently extended its MAC Address Randomization feature across iPhones, iPads, Macs, and the Apple Watch. This additional layer of security helps mask devices by using randomly generated MAC addresses to connect to networks.
</p>

<p>
	 
</p>

<p>
	The MAC address is a device-specific 12-character number that can reveal information concerning the device and is used as an intrinsic part of the Wi-Fi standard. The router uses it to ensure requested data goes to the correct machine; without that address it would not recognize which machine to send information to.
</p>

<p>
	 
</p>

<p>
	As explained here, MAC Address Randomization helps mask the exact device on the network in a way that also makes data transmitted over that network a little more complex to decode. Security experts agree that, in a broad sense, it might help make the form of attack identified by the researchers a little harder to pull off. It isn’t foolproof protection, in part because it can be disabled by network providers who might insist on an actual address for use of the service.
</p>

<p>
	 
</p>

<p>
	MAC Address Randomization is also not enforced when a device connects to a preferred wireless network, and if an attacker is able to identify the random address and connect it to the device they could still mount an attack.
</p>

<p>
	 
</p>

<p>
	Every step you take to protect your devices, particularly when using Wi-Fi hotspots, is becoming more essential, rather than less.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Watching the Watchguards</strong></span>
</p>

<p>
	 
</p>

<p>
	Watchguard’s latest Internet Security Report confirms that while there has been some decline in the frequency of network-based attacks, many Wi-Fi networks might be vulnerable to the exploit. The report also reveals that endpoint ransomware increased a startling 627%, while malware associated with phishing campaigns continues to be a persistent threat.
</p>

<p>
	 
</p>

<p>
	“A continuing and concerning trend in our data and research shows that encryption — or, more accurately, the lack of decryption at the network perimeter — is hiding the full picture of malware attack trends,” said Corey Nachreiner, chief security officer at WatchGuard. “It is critical for security professionals to enable HTTPS inspection to ensure these threats are identified and addressed before they can do damage.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.computerworld.com/article/3692434/researchers-warn-of-wi-fi-security-flaw-affecting-ios-android-linux.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14142</guid><pubDate>Sat, 01 Apr 2023 01:09:57 +0000</pubDate></item><item><title>As Twitter Pulls Legacy Checkmarks, Hackers Pounce With Phishing Emails</title><link>https://nsaneforums.com/news/security-privacy-news/as-twitter-pulls-legacy-checkmarks-hackers-pounce-with-phishing-emails-r14141/</link><description><![CDATA[<p>
	<span style="font-size:22px;">The phishing messages say 'Last call on verified accounts' in the subject line, in an attempt to dupe unsuspecting users with legacy blue checkmarks into revealing account data.</span>
</p>

<p>
	 
</p>

<p>
	If you’re a Twitter user with a legacy blue checkmark, watch out for scams.
</p>

<p>
	 
</p>

<p>
	Hackers are exploiting Twitter’s decision to remove legacy verified badges from user accounts beginning April 1. They're circulating phishing messages that impersonate Twitter and pretend to offer a chance to keep the verified blue checkmark—if the user submits their login information.
</p>

<p>
	 
</p>

<p>
	Several Twitter users today reported receiving emails with “Last call on verified accounts” as the subject line. The messages claim Twitter plans on removing the blue checkmark on April 1, but only for inactive and incomplete accounts. In reality, the company is winding down the feature for all consumers, unless they pay to subscribe to Twitter Blue, which costs at least $8 per month.
</p>

<p>
	 
</p>

<p>
	The phishing message contains a button labeled “Check issues now,” which links to a hacker-hosted web page seemingly designed to trick users into typing in their email address and password.
</p>

<p>
	 
</p>

<p>
	Although the email and hacker-hosted web page contain the same design language as Twitter, a closer look shows both originate from a non-Twitter domain—an obvious sign that the whole scheme comes from a scammer.
</p>

<p>
	 
</p>

<p>
	It’s not the first time scammers have crafted phishing messages about Twitter’s verified checkmark. In October, hackers tried to exploit the company’s initial plan to charge users for the blue checkmark by sending phishing emails to users claiming they had to submit personal information to keep their verified status.
</p>

<p>
	 
</p>

<p>
	Twitter CEO Elon Musk is killing the legacy blue checkmark because, he says, “the way in which they were given out was corrupt and nonsensical.” Instead, he’s allowing any user to receive a verified badge if they're willing to pay.
</p>

<p>
	 
</p>

<p>
	However, a growing number of celebrities—including NBA player LeBron James and NFL quarterback Patrick Mahomes, and several news organizations—have said they will not pay for the blue checkmark. That’s raised concerns that scammers and pranksters will exploit the situation to create verified accounts impersonating celebrities and well-known brands, like they did before in November when Twitter Blue first rolled out.
</p>

<p>
	 
</p>

<p>
	A business verified account costs $1,000 per month, but Twitter will exempt the top 10,000 most followed companies and organizations from that fee, Variety reports.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/as-twitter-pulls-legacy-checkmarks-hackers-pounce-with-phishing-emails" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14141</guid><pubDate>Sat, 01 Apr 2023 01:05:56 +0000</pubDate></item><item><title>Consumers, Businesses: It&#x2019;s Time To Self-Protect Against Tax Season Fraud</title><link>https://nsaneforums.com/news/security-privacy-news/consumers-businesses-it%E2%80%99s-time-to-self-protect-against-tax-season-fraud-r14140/</link><description><![CDATA[<p>
	 
</p>

<p>
	Tax fraud schemes in 2022 netted scammers $5.7 billion, more than twice the amount of the previous year, according to the Internal Revenue Service, and there doesn’t appear to be any letup in sight.
</p>

<p>
	 
</p>

<p>
	While scams may be on the rise, the good news is that the core tactics used by fraudsters remain basically unchanged, which means that by understanding the signs of tax fraud and taking measures to counter it, consumers and businesses can avoid becoming victims during tax season.
</p>

<p>
	 
</p>

<p>
	“Threat actors regularly capitalize on tax season,” observed Selena Larson, a senior threat intelligence analyst with Proofpoint, an enterprise security company in Sunnyvale, Calif.
</p>

<p>
	 
</p>

<p>
	“They know a large segment of the population will be dealing with the stress and urgency of filing their taxes correctly and on time,” she told TechNewsWorld. “It is these pressures which make people more susceptible to a tax-themed email offering support or a warning when it’s actually a vessel for fraud.”
</p>

<p>
	 
</p>

<p>
	“And as tax season directly deals with finances, there is an open window for a bigger payday,” she said.
</p>

<p>
	 
</p>

<p>
	Larson added that threat actors are getting more adept at employing social engineering to prey on people’s fears, emotions, and urgency during tax season.
</p>

<p>
	 
</p>

<p>
	“They will leverage the IRS brand and spoof government sites, purporting to be a tax authority either communicating some legitimate piece of needed information — such as a change to a form or a process — or attempting to collect a payment,” she explained.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Data Breach Fueled Growth</strong></span>
</p>

<p>
	 
</p>

<p>
	Larson advised consumers and businesses also to be aware of phony “tax preparation services.” These types of attacks usually go beyond simple authentication credentials, such as usernames and passwords, she noted, and attempt to steal personal information, including social security numbers and bank account information.
</p>

<p>
	 
</p>

<p>
	“Most tax professionals offer excellent advice and can help people navigate complex tax issues,” IRS Commissioner Danny Werfel said in a statement. “But we continue to see instances where taxpayers are ‘ghosted’ by unscrupulous tax preparers with bad advice who quickly disappear.”
</p>

<p>
	 
</p>

<p>
	The sheer amount of personal information circulating on the internet from numerous data breaches has also contributed to the growth of tax fraud.
</p>

<p>
	 
</p>

<p>
	“There’s a lot of information on the internet that can be used in tax fraud schemes,” observed Abigail Showman, senior team lead with Washington, D.C.-based Flashpoint, a provider of threat intelligence, threat analysis, and incident response services, which recently released a report on tax fraud.
</p>

<p>
	 
</p>

<p>
	“A lot of threat actors can collect that information and utilize it pretty easily in tax fraud schemes,” she told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“Every year, more sensitive information about people is lost in data breaches and through other means,” explained Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
</p>

<p>
	 
</p>

<p>
	“This allows attackers to have a huge list of people to target, many of whom they have very detailed information about,” he told TechNewsWorld. “This helps these bad actors make more convincing social engineering emails and other communications.”
</p>

<p>
	 
</p>

<p>
	Threat actors will recycle information, too, noted Showman’s colleague, Tactical Threat Monitoring Analyst Rebecca McHale. “They might apply for unemployment benefits, then turn around and use that personal identifying information for other schemes, including tax fraud,” she told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“They want to get the most bang for the buck from the compromised PII they hijack and steal for malicious purposes,” she said.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Scams Galore</strong></span>
</p>

<p>
	 
</p>

<p>
	In its report on tax fraud, Flashpoint identified several ways fraudsters try to pry information or money out of their targets, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Phishing.</strong> A tried-and-true technique that uses email to get a target to go to a malicious website or to share information on their W-2 form.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Refund scams.</strong> A fraudster will contact a victim and offer to get them a larger-than-expected refund. After the target gives the scammer all the information needed to file a tax return, the trickster will file the return and have the refund sent to himself.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Filing for false tax credits.</strong> When a fraudster files a return for a victim, they’ll include claims for credits for which the target is ineligible.
	</li>
</ul>

<p>
	 
</p>

<p>
	“We’ve seen a lot of student tax credits being filed that way,” McHale said. “That would include the Lifetime Learning credit and the American Opportunity tax credit.”
</p>

<p>
	 
</p>

<p>
	“Students are usually first-time filers and don’t have great identity protection set up yet, like their identity protection PIN and adjusted gross income,” she explained.
</p>

<p>
	 
</p>

<p>
	Amy Nofziger, director of fraud victim support at the AARP, noted that the organization’s Fraud Watch Network Helpline continues to receive calls about IRS Imposter scams.
</p>

<p>
	 
</p>

<p>
	“You will receive a phone call or text saying there is an issue with your tax refund, and you will be arrested,” she told TechNewsWorld. “The scammers will then demand immediate payment, usually by pre-paid gift cards or another non-traditional form of payment like cryptocurrency.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Education Is Imperative</strong></span>
</p>

<p>
	 
</p>

<p>
	Spear phishing is prevalent during tax season, observed Dror Liwer, co-founder of Coro, a cloud-based cybersecurity company based in Tel Aviv, Israel. “An attacker impersonates an employee or a vendor, sometimes, even the accounting firm the company is using, asking for data or tax documents which they then use either for identity theft or hold for ransom,” he told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“Beyond deploying anti-phishing defenses, accounting departments must be retrained in identifying and reporting phishing attempts,” he recommended.
</p>

<p>
	 
</p>

<p>
	“Simulation ahead of time will highlight which employees need additional training,” he added. Education can be an important weapon in the battle against tax fraud. “It helps potential victims to recognize these scams and stay safe,” Jon Clay, vice president of threat intelligence at Trend Micro, told TechNewsWorld.
</p>

<p>
	 
</p>

<p>
	“Educate your employees on how phishing works,” he advised. “Ensure they are suspicious of any communications that involve tax returns and financial transactions and have a process for employees to submit suspicious content to IT for review.”
</p>

<p>
	 
</p>

<p>
	He also recommended deploying an email messaging security solution that utilizes machine learning and AI to detect spam and phishing emails.
</p>

<p>
	Fraud fighters, however, won’t be the only ones using AI to advance their aims.
</p>

<p>
	 
</p>

<p>
	“We’ve seen anecdotal chatter about exploiting artificial intelligence to facilitate fraud, but this tax season, it hasn’t been widespread,” McHale said. “While we haven’t seen it for this tax season, stay tuned. It’s something we’ll be keeping an eye on during the next tax season.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.technewsworld.com/story/consumers-businesses-its-time-to-self-protect-against-tax-season-fraud-178104.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14140</guid><pubDate>Sat, 01 Apr 2023 01:02:05 +0000</pubDate></item><item><title>This dangerous new malware wants to target your cloud systems</title><link>https://nsaneforums.com/news/security-privacy-news/this-dangerous-new-malware-wants-to-target-your-cloud-systems-r14139/</link><description><![CDATA[<p>
	<span style="font-size:22px;">AlienFox malware targets API keys and secrets</span>
</p>

<p>
	 
</p>

<p>
	Researchers from SentinelLabs have uncovered a new toolkit cybercriminals are using to breach email and web hosting services.
</p>

<p>
	 
</p>

<p>
	The malware toolkit, called “AlienFox”, is being described as “highly modular” and getting regular updates. Most of the tools in the kit are open source, and with the speed at which it’s being updated, the researchers concluded the devs are becoming “increasingly sophisticated”.
</p>

<p>
	As per SentinelLabs’ report, hackers are shilling AlienFox on Telegram groups, claiming it can be used to compromise misconfigured hosts on cloud platforms and steal sensitive data.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Abusing scanning platforms</strong></span>
</p>

<p>
	 
</p>

<p>
	"AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining," the researchers said in their report. "By analyzing the tools and tool output, we found that actors use AlienFox to identify and collect service credentials from misconfigured or exposed services. For victims, compromise can lead to additional service costs, loss of customer trust, and remediation costs."
</p>

<p>
	 
</p>

<p>
	To generate a list of misconfigured hosts, the toolkit uses security scanning platforms, such as LeakIX, or SecurityTrails. Then, it uses multiple scripts to pull sensitive information such as API keys and secrets from configuration files, the researchers explained. Some of the versions analyzed for the report were able to establish AWS account persistence and escalate privileges, as well as collect send quotas and automate spam campaigns through victim accounts and services.
</p>

<p>
	 
</p>

<p>
	Until now, attacks against cloud-based services had been limited mostly to cryptominers. Threat actors would use compromised cloud servers to run XMRig or similar cryptocurrency miners, generating tokens without needing to pay for electricity, internet, or compute power. With AlienFox, SentinelLabs claims, opportunistic cloud attacks are no longer confined to cryptomining.
</p>

<p>
	 
</p>

<p>
	“For victims, compromise can lead to additional service costs, loss in customer trust, and remediation costs,” the researchers concluded.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/this-dangerous-new-malware-wants-to-target-your-cloud-systems" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14139</guid><pubDate>Sat, 01 Apr 2023 00:56:34 +0000</pubDate></item><item><title>German Police Raid DDoS-Friendly Host &#x2018;FlyHosting&#x2019;</title><link>https://nsaneforums.com/news/security-privacy-news/german-police-raid-ddos-friendly-host-%E2%80%98flyhosting%E2%80%99-r14133/</link><description><![CDATA[<p>
	Authorities in Germany this week seized Internet servers that powered FlyHosting, a dark web offering that catered to cybercriminals operating DDoS-for-hire services, KrebsOnSecurity has learned. FlyHosting first advertised on cybercrime forums in November 2022, saying it was a Germany-based hosting firm that was open for business to anyone looking for a reliable place to host malware, botnet controllers, or DDoS-for-hire infrastructure.
</p>

<p>
	 
</p>

<p>
	A statement released today by the German Federal Criminal Police Office says they served eight search warrants on March 30, and identified five individuals aged 16-24 suspected of operating “an internet service” since mid-2021. The German authorities did not name the suspects or the Internet service in question.
</p>

<p>
	 
</p>

<p>
	“Previously unknown perpetrators used the Internet service provided by the suspects in particular for so-called ‘DDoS attacks’, i.e. the simultaneous sending of a large number of data packets via the Internet for the purpose of disrupting other data processing systems,” the statement reads.
</p>

<p>
	 
</p>

<p>
	News of a raid on FlyHosting first surfaced Thursday in a Telegram chat channel that is frequented by people interested or involved in the DDoS-for-hire industry, where a user by the name Dstatcc broke the news to Fly Hosting customers:
</p>

<p>
	 
</p>

<p>
	“So Flyhosting made a ‘migration’ with it[s] systems to new rooms of the police ;),” the warning read. “Police says: They support ddos attacks, C&amp;C/C2 and stresser a bit too much. We expect the police will take a deeper look into the files, payment logs and IP’s. If you had a server from them and they could find ‘bad things’ connected with you (payed with private paypal) you may ask a lawyer.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="flyhosting.png" class="ipsImage" data-ratio="75.10" height="540" width="570" src="https://krebsonsecurity.com/wp-content/uploads/2023/03/flyhosting.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>An ad for FlyHosting posted by the user “bnt” on the now-defunct cybercrime forum BreachForums. Image: Ke-la.com.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The German authorities said that as a result of the DDoS attacks facilitated by the defendants, the websites of various companies as well as those of the Hesse police have been overloaded in several cases since mid-2021, “so that they could only be operated to a limited extent or no longer at times.”
</p>

<p>
	 
</p>

<p>
	The statement says police seized mobile phones, laptops, tablets, storage media and handwritten notes from the unnamed defendants, and confiscated servers operated by the suspects in Germany, Finland and the Netherlands.
</p>

<p>
	 
</p>

<p>
	KrebsOnSecurity has asked the German police for more information about the target of their raids. This post will be updated in the event they respond.
</p>

<p>
	 
</p>

<p>
	The apparent raids on FlyHosting come amid a broader law enforcement crackdown on DDoS-for-hire services internationally. The U.K.’s National Crime Agency announced last week that it’s been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services.
</p>

<p>
	 
</p>

<p>
	In mid-December 2022, the U.S. Department of Justice (DOJ) announced “Operation Power Off,” which seized four-dozen DDoS-for-hire domains responsible for more than 30 million DDoS attacks, and charged six U.S. men with computer crimes related to their alleged ownership of popular DDoS-for-hire services.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://krebsonsecurity.com/2023/03/german-police-raid-ddos-friendly-host-flyhosting/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14133</guid><pubDate>Sat, 01 Apr 2023 00:18:21 +0000</pubDate></item></channel></rss>
