Security

Microsoft Dismisses False Reports On End of Patch Tuesday (securityweek.com) 14

Slashdot reader wiredmikey writes: Microsoft has dismissed reports about June 14 being the last Patch Tuesday, as the rollout of the Windows Autopatch service seems to be causing some confusion. Several major cybersecurity companies and prominent security news publications caused confusion this week when they reported that June 14 was the final Patch Tuesday, describing it as "the last ever Patch Tuesday," "the end of Patch Tuesday" and "the end of an era."

That is not accurate. The rollout of Windows Autopatch does not mean there will no longer be Patch Tuesday updates, and Microsoft told SecurityWeek that the company will continue releasing security updates on the second Tuesday of the month.

Programming

Researchers Claim Travis CI API Leaks 'Tens of Thousands' of User Tokens (arstechnica.com) 7

Ars Technica describes Travis CI as "a service that helps open source developers write and test software." They also wrote Monday that it's "leaking thousands of authentication tokens and other security-sensitive secrets.

"Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report." The availability of the third-party developer credentials from Travis CI has been an ongoing problem since at least 2015. At that time, security vulnerability service HackerOne reported that a Github account it used had been compromised when the service exposed an access token for one of the HackerOne developers. A similar leak presented itself again in 2019 and again last year.

The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with malware before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.

Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at Aqua Security report. Two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.

"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."

Security

Cisco Says It Won't Fix Zero-Day RCE In End-of-Life VPN Routers (bleepingcomputer.com) 52

An anonymous reader quotes a report from BleepingComputer: Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0. According to a Cisco security advisory, the flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices. An attacker could exploit it by sending a specially crafted request to the web-based management interface, resulting in command execution with root-level privileges.

The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections. [...] Cisco states that they will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. Furthermore, there are no mitigations available other than to turn off remote management on the WAN interface, which should be done regardless for better overall security. Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.

The Internet

Internet Explorer Gravestone Goes Viral in South Korea (reuters.com) 36

An anonymous reader shares a report: For Jung Ki-young, a South Korean software engineer, Microsoft's decision to retire its Internet Explorer web browser marked the end of a quarter-century love-hate relationship with the technology. To commemorate its demise, he spent a month and 430,000 won ($330) designing and ordering a headstone with Explorer's "e" logo and the English epitaph: "He was a good tool to download other browsers." After the memorial went on show at a cafe run by his brother in the southern city of Gyeongju, a photo of the tombstone went viral.

Intel

A New Vulnerability in Intel and AMD CPUs Lets Hackers Steal Encryption Keys (arstechnica.com) 30

Microprocessors from Intel, AMD, and other companies contain a newly discovered weakness that remote attackers can exploit to obtain cryptographic keys and other secret data traveling through the hardware, researchers said on Tuesday. From a report: Hardware manufacturers have long known that hackers can extract secret cryptographic data from a chip by measuring the power it consumes while processing those values. Fortunately, the means for exploiting power-analysis attacks against microprocessors is limited because the threat actor has few viable ways to remotely measure power consumption while processing the secret material. Now, a team of researchers has figured out how to turn power-analysis attacks into a different class of side-channel exploit that's considerably less demanding.

The team discovered that dynamic voltage and frequency scaling (DVFS) -- a power and thermal management feature added to every modern CPU -- allows attackers to deduce the changes in power consumption by monitoring the time it takes for a server to respond to specific carefully made queries. The discovery greatly reduces what's required. With an understanding of how the DVFS feature works, power side-channel attacks become much simpler timing attacks that can be done remotely. The researchers have dubbed their attack Hertzbleed because it uses the insights into DVFS to expose -- or bleed out -- data that's expected to remain private. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD CPUs. The researchers have already shown how the exploit technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel.

IT

Keychron's Q3 Gives Mechanical Keyboard Fans Everything But the Numpad (techcrunch.com) 135

An anonymous reader shares a review: In its early pre-pandemic days, Keychron made a name for itself with its series of affordable mechanical keyboards -- including a few low-profile ones that remain a rarity to this day. Those boards didn't necessarily appeal to enthusiasts, but were more than good enough for most mainstream users who wanted a different kind of keyboard. Last year, Keychron upped the ante with the launch of the Q1, an enthusiast-level, fully customizable hotswap keyboard with a 75% layout that had more than a few similarities to the heavily hyped GMMK Pro. Since then, Keychron has expanded this series with the 65% Q2, which received pretty rave reviews at the time, and now the Q3.

The QMK-compatible Q3 clearly follows in the footsteps of the Q1 and Q2. It uses the same double-gasket design that should make for a relatively bouncy typing experience (though in my experience, there's less bounce than I would've expected), and the overall design is pretty much the same, with the exception that it's a tenkeyless (TKL), so you get a full keyboard with standalone arrow keys and a full row of function keys, but without the numpad. The body is made from aluminum and the whole unit weighs in at a hefty 4.5 pounds. In part, that's because Keychron opted for a steel plate here. You can opt to get a bare-bones version where you supply your own switches and keycaps for $154 (or $164 if you want to get the optional volume knob), or a fully assembled version with keycaps and your choice of Gateron Pro Red, Blue or Brown switches for $174 (or $184 with knob). For the extra $20, I think getting the assembled version is a no-brainer, given that the keycaps and switches will cost you significantly more and even if you want to replace them, you could always reuse them in another project (because who only has one keyboard, right?).

Android

Email Client K-9 Mail Will Become Thunderbird for Android (arstechnica.com) 46

The open source Thunderbird email client has a long and storied history, but until now, that history has been limited to the desktop. That's about to change, according to a post on the Thunderbird blog. Thunderbird will be coming to Android through the popular open source mobile email client K-9 Mail. From a report: According to Thunderbird's Jason Evangelho, the Thunderbird team has acquired the source code and naming rights to K-9 Mail. K-9 Mail project maintainer Christian Ketterer (who goes by "cketti" in the OSS community) will join the Thunderbird team, and over time, K-9 Mail will become Thunderbird for Android. Thunderbird's team will invest finance and development time in K-9 to add several features and quality-of-life enhancements before that happens, though.

Google

Google Talk, Surprisingly Still Operational, Ends on Thursday (theverge.com) 35

Google is shutting down Talk (also known as GChat) for good -- its instant-messaging service you probably haven't used much since 2007. From a report: Although Google migrated Talk users over to Google Hangouts in 2017 -- another one of its now-sidelined messaging platforms -- it was still accessible by third-party XMPP clients like Pidgin and Gajim. But Google will cut these last lines of life support on June 16th -- three days from now. In a message on Talk's support page, Google says it's "winding down Google Talk" and will no longer support third-party apps, citing its initial announcement in 2017. Users who try to sign into GChat after the 16th will see a sign-in error. If you still want to use Pidgin through Google services, Pidgin recommends using this plugin for Google Chat instead.

Microsoft

Microsoft Will End Support For Most Versions of Internet Explorer on June 15 (zdnet.com) 90

It's finally happening. Microsoft will be ending support for most versions of its Internet Explorer (IE) 11 browser on June 15. ZDNet: Microsoft announced more than a year ago that IE would be removed from most versions of Windows 10 this year and has spent months encouraging customers to get ready by proactively retiring the browser from their organizations. IE 11 will be retired for Windows 10 client SKUs (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). Products not affected by this retirement include IE Mode in Edge; IE 11 desktop on Windows 8.1, Windows 7 (with Extended Security Updates), Windows Server LTSC (all versions), Windows Server 2022, Windows 10 client LTSC (all versions), Windows 10 IoT LTSC (all versions). The IE 11 desktop app is not available on Windows 11, as Edge is the default browser for Windows 11. IE Mode in Microsoft Edge will be supported through at least 2029 to give web developers eight years to modernize legacy apps and eventually remove the need for IE mode, officials have said. According to Net Applications, a web monitoring tool, Internet Explorer still has a market share of 5.21% on desktops and laptops, far behind Chrome at over 69%, to be sure, but still ahead of Apple's Safari, which commands 3.73% market share.

IT

Two Tech CEOs Wanted Every Worker to Have a Permanent, Publicly-Available Job Performance File (vice.com) 153

"Two CEOs on a podcast casually proposed a shareable database of worker performance that would follow them between companies, forever, and encouraged listeners to create one," writes Slashdot reader merauder128, summarizing a recent article on Vice.

"HR professionals say it's a terrible idea."

Vice points out that on the podcast both the host and guest were CEOs of "data harvesters that package and resell data to other parties." Through one lens, it was a mundane musing between two CEOs of data companies talking about how awesome it would be to have more data on something. But in the context of experiments occurring in the tech industry around hiring practices, it was two influential CEOs encouraging other entrepreneurs to create a business that would be an absolute nightmare for workers, a type of credit score for workers that could be a permanent HR file that follows workers from one job to the next, and where a worker who struggles at one job may have trouble getting another....

It is also in line with a growing trend among tech companies that, spurred by work-from-home and hybrid work, are increasingly interested in quantifying employee performance. The most prominent example is Coinbase introducing an app so employees can constantly rate each other's performances, a scenario even the normally cheery TechCrunch said "sounds rough."

Over the last several years, there has been a boom in employee management software solutions such as Workday, Lattice, CultureAmp that are used across thousands of companies for performance reviews and other sensitive HR tasks. Technologically speaking, what Youakim and Hoffman are talking about is opening those confidential resources — or some condensed version of them that can be easily digested and analyzed — up to everyone.

None of these HR software companies have indicated that they have any intention of doing this.

The article warns that experts who have studied hiring extensively believe a permanent database "would allow this complete, random mess to follow workers their entire careers, affecting their job prospects, earning potential, and their broader lives." And the article summarizes a reaction to the idea from John Hausknecht, a professor of human resources at Cornell University. "It assumes people don't change, that jobs require similar attributes, that a person's experience at one company is relevant to another where they will be in a different environment with a different manager and different company culture....

"Or, to put it a different way, 'Just because we can track it, collect it, and ask about it,' Hausknecht said, 'doesn't necessarily mean we should.'"

Security

Cybersecurity Products Rarely Live Up To Marketing Claims: RSA Panel (esecurityplanet.com) 34

A panel at this week's RSA Conference argued that 90% of security buyers aren't getting the efficacy from their products that vendors claim they can deliver.

Slashdot reader storagedude writes: Joe Hubback of cyber risk management startup ISTARI led both the panel and the study, which was based on in-depth interviews with more than a hundred high-level security officials, including CISOs, CIOs, CEOs, security and tech vendors, evaluation organizations and government organizations.

Hubback said that "90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. Quite a shocking proportion of people are suffering from technology that doesn't deliver."

A number of reasons for that product failure came out in the panel discussion, according to eSecurity Planet, but they can be boiled down to some key points:

- Cybersecurity buyers are pressed for time and most don't test the products they buy. "They're basically just buying and hoping that the solutions they're buying are really going to work," Hubback said.

- Vendors are under pressure from investors to get products to market quickly and from sales and marketing teams to make aggressive claims.

- On top of those pressures, it's difficult to architect tools that are effective for a range of complex environments – and equally difficult for buyers to properly assess these "black box" solutions.


Those conditions create an information asymmetry, said Hubback: "A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can't properly evaluate what they're buying."

Hubback and fellow panelists hope to create a GSMA-like process for evaluating security product abilities, and he invited RSA attendees to join the effort.

Crime

US Anti-Hacking Law Tested in Trial Over 2019 Capital One Data Breach (union-bulletin.com) 39

"Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers," remembers the New York Times.

"In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said..." It included 140,000 Social Security numbers and 80,000 bank account numbers (drawn from applications for credit cards). Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers' personal information from Capital One is standing trial in a case that will test the power of a U.S. anti-hacking law.... She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began Tuesday in Seattle.... Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a "novice white-hat hacker."

Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, such as using a pseudonym on a social media site that requires users to go by their real names. In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in "good-faith security research."

Thompson's trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Thompson had planned to use the information she gathered for identity theft and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency... The Justice Department has argued that Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a "white hat" hacker. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings.... Some security researchers said Thompson had ventured too far into Capital One's systems to be considered a white-hat hacker.... "Legitimate people will push a door open if it looks ajar," said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity firm.... But downloading thousands of files and setting up a cryptocurrency mining operation were "intentionally malicious actions that do not happen in the course of testing security," Wisniewski said....

"Thompson scanned tens of millions of AWS customers looking for vulnerabilities," Brown wrote in a legal filing.

The article notes that Capital One ultimately agreed to pay $80 million in 2020 "to settle claims from federal bank regulators that it lacked the security protocols needed to protect customers' data" and another $190 million to settle a class-action lawsuit representing people whose data was exposed.

Security

Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat (blackberry.com) 43

Ars Technica reports: Researchers have unearthed a discovery that doesn't occur all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even with a forensic investigation.

On Thursday, researchers from Intezer and the BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, system processes, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November.

Researchers for Intezer and BlackBerry wrote:

"What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability...."

So far, there's no evidence of infections in the wild, only malware samples found online. It's unlikely this malware is widely active at the moment, but with stealth this robust, how can we be sure?

"When hooked functions are called, the malware first dynamically loads libc and calls the original function..." according to BlackBerry's blog post. "If the calling application is trying to access a file or folder under /proc, the malware scrubs the output from process names that are on its list.... If the calling application is not trying to access something under /proc, the malware instead scrubs the result from a file list....

"Symbiote also has functionality to hide network activity on the infected machine."
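As an added example (not code from the Symbiote write-up, BlackBerry or Intezer), the following Python script turns the quoted detail into a defender's check: it lists /proc once through libc's readdir and once through a raw getdents64 syscall, reports PIDs that only the raw view returns, and flags the two LD_PRELOAD loading points. It assumes Linux on x86_64 or aarch64 for the syscall path and root privileges for reading other processes' environ.

```python
"""Defender-side check for LD_PRELOAD process hiding on Linux.

A Symbiote-style rootkit is preloaded into every process and hooks libc so that
listings of /proc omit the processes on its hide list. Reading /proc through
libc's readdir and again through a raw getdents64 syscall (which a readdir hook
never sees) exposes the gap; LD_PRELOAD in process environments and
/etc/ld.so.preload, the loading points the write-up names, are flagged as well.
"""
import ctypes
import ctypes.util
import os
import platform
import struct

# getdents64 syscall numbers; assumption: only these two architectures are handled.
_GETDENTS64 = {"x86_64": 217, "aarch64": 61}
_DIRENT64 = "<QqHB"  # linux_dirent64 header: d_ino, d_off, d_reclen, d_type; name follows


def list_proc_via_libc(proc="/proc"):
    """PIDs as seen through libc's readdir, i.e. what a hooked process sees."""
    return {name for name in os.listdir(proc) if name.isdigit()}


def list_proc_via_syscall(proc="/proc"):
    """PIDs read with a raw getdents64 syscall, bypassing libc's readdir."""
    nr = _GETDENTS64.get(platform.machine())
    if nr is None:
        raise OSError("unsupported architecture: " + platform.machine())
    # libc's syscall() wrapper is still used; a hook on syscall() itself is out of scope.
    libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    buf = ctypes.create_string_buffer(64 * 1024)
    fd = os.open(proc, os.O_RDONLY | os.O_DIRECTORY)
    pids = set()
    try:
        while True:
            n = libc.syscall(ctypes.c_long(nr), ctypes.c_long(fd), buf,
                             ctypes.c_size_t(ctypes.sizeof(buf)))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            raw, off = buf.raw, 0
            while off < n:
                _ino, _doff, reclen, _dtype = struct.unpack_from(_DIRENT64, raw, off)
                if reclen == 0:
                    break
                start = off + struct.calcsize(_DIRENT64)
                name = raw[start:raw.index(b"\0", start)].decode(errors="replace")
                if name.isdigit():
                    pids.add(name)
                off += reclen
    finally:
        os.close(fd)
    return pids


def hidden_pids(seen_by_libc, seen_by_syscall):
    """PIDs the raw syscall view returns but the libc view omits."""
    return sorted(set(seen_by_syscall) - set(seen_by_libc), key=int)


def parse_ld_so_preload(data):
    """Library paths listed in an ld.so.preload file (bytes); '#' comments ignored."""
    entries = []
    for line in data.splitlines():
        line = line.split(b"#", 1)[0].strip()
        if line:
            entries.append(line.decode(errors="replace"))
    return entries


def ld_preload_from_environ(data):
    """Value of LD_PRELOAD in a NUL-separated /proc/<pid>/environ blob, or None."""
    for var in data.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            return var[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def preload_indicators(ld_so_preload="/etc/ld.so.preload", proc="/proc"):
    """(kind, where, value) findings for both LD_PRELOAD loading points."""
    findings = []
    try:
        with open(ld_so_preload, "rb") as f:
            for entry in parse_ld_so_preload(f.read()):
                findings.append(("ld.so.preload", ld_so_preload, entry))
    except OSError:
        pass
    for pid in (list_proc_via_libc(proc) if os.path.isdir(proc) else ()):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as f:
                value = ld_preload_from_environ(f.read())
        except OSError:  # not our process, or it already exited
            continue
        if value is not None:
            findings.append(("LD_PRELOAD", pid, value))
    return findings


if __name__ == "__main__":
    for kind, where, value in preload_indicators():
        print(f"[preload] {kind} {where}: {value}")
    for pid in hidden_pids(list_proc_via_libc(), list_proc_via_syscall()):
        print(f"[hidden]  PID {pid} is missing from libc's view of /proc")
```

A clean host prints nothing; a preloaded library or a PID visible only to the raw syscall is the signal to pull the box for forensics rather than trust any libc-based tooling on it.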

Security

The New Spectre-Like 'PACMAN' Flaw Could Affect ARM-Based Chips (including Apple's M1) (mit.edu) 24

"Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's 'last line of defense'," writes the Apple Insider blog, "but most Mac users shouldn't be worried." More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed "PACMAN." Pointer authentication is a security mechanism in Apple Silicon that makes it more difficult for attackers to modify pointers in memory. By checking for unexpected changes in pointers, the mechanism can help defend a CPU if attackers gain memory access.... The flaw comes into play when an attacker successfully guesses the value of a pointer authentication code and disables it.

The researchers found that they could use a side-channel attack to brute-force the code. PACMAN echoes similar speculative execution attacks like Spectre and Meltdown, which also leveraged microarchitectural side channels. Because it's a flaw in the hardware, it can't be fixed with a software patch.

[A]ctually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit. The flaw affects all kinds of ARM-based chips — not just Apple's. The vulnerability is more of a technological demonstration of a wider issue with pointer authentication in ARM chips, rather than an issue that could lead to your Mac getting hacked.

MIT has made more information available at the site PACMANattack.com — including answers to frequently asked questions:
Q: Is PACMAN being used in the wild?
A: No.
Q: Does PACMAN have a logo?
A: Yeah!

The MIT team says their discovery represents "a new way of thinking about how threat models converge in the Spectre era." But even then, MIT's announcement warns the flaw "isn't a magic bypass for all security on the M1 chip." PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug's true potential for use in an attack by finding the correct PAC. There's no cause for immediate alarm, the scientists say, as PACMAN cannot compromise a system without an existing software bug....

The team showed that the PACMAN attack even works against the kernel, which has "massive implications for future security work on all ARM systems with pointer authentication enabled," says Ravichandran. "Future CPU designers should take care to consider this attack when building the secure systems of tomorrow. Developers should take care to not solely rely on pointer authentication to protect their software."

TechCrunch obtained a comment from Apple: Apple spokesperson Scott Radcliffe provided the following: "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."

Security

MIT Researchers Uncover 'Unpatchable' Flaw in Apple M1 Chips (techcrunch.com) 56

Apple's M1 chips have an "unpatchable" hardware vulnerability that could allow attackers to break through its last line of security defenses, MIT researchers have discovered. TechCrunch reports: The vulnerability lies in a hardware-level security mechanism utilized in Apple M1 chips called pointer authentication codes, or PAC. This feature makes it much harder for an attacker to inject malicious code into a device's memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill out to other locations on the chip. Researchers from MIT's Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.

The attack, appropriately called "Pacman," works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn't been maliciously altered. This is done using speculative execution -- a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation -- to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct. What's more, since there are only so many possible values for the PAC, the researchers found that it's possible to try them all to find the right one.

Worms

'Superworms' Can Digest Styrofoam, Australian Scientists Find (bloomberg.com) 54

An anonymous reader quotes a report from Bloomberg: Scientists in Australia have discovered that superworms can live and even grow on a diet of only polystyrene, also known colloquially as Styrofoam. Superworm is a common name for the larval stages of the darkling beetle (Zophobas morio). The researchers described their finding as a "first step" in discovering natural enzymes that could be used to recycle this type of plastic. "We envision that polystyrene waste will be collected, mechanically shredded, and then degraded in bioreactors with an enzyme cocktail," said Chris Rinke, a scientist at the University of Queensland and an author of a paper published on Thursday in the journal Microbial Genomics.

In recent years, scientists globally have been looking for microorganisms that can digest plastic, which is how natural materials like wood biodegrade. The idea is that some kind of enzyme engineered from the gut of an insect or bacteria could be used to digest difficult-to-recycle plastic so it could be made into new plastic products, which would reduce the need for virgin plastic. Used for things such as coffee cups and packing peanuts, polystyrene is one of the most common plastics in production. It accounts for "up to 7-10% of the total non-fibre plastic production," according to the paper.

Experimenters divided worms into three groups and fed each a different diet: bran, polystyrene or a starvation diet. The worms that lived on polystyrene were not as healthy as those eating bran, but they were able to eat the Styrofoam and gain weight and complete their life cycle. However, the report also found that the diet had "negative impacts on host gut microbiome diversity and health" of the worms. In other words, they could eat plastics, but it had a cost to them. It would theoretically be possible to keep thousands of worms in an industrial setting to digest plastics. But the researchers say their next goal is to identify and enhance the enzyme the worms use for future applications.

Chrome

Chrome Will Now Silence Many of Those Annoying Notification Permission Prompts on the Web (techcrunch.com) 83

Google today announced a set of new and updated security features for Chrome, almost all of which rely on machine learning (ML) models, as well as a couple of nifty new ML-based features that aim to make browsing the web a bit easier, including a new feature that will suppress notification permission prompts when its algorithm thinks you're unlikely to accept them. From a report: Starting with the next version of Chrome, Google will introduce a new ML model that will silence many of these notification permission prompts. And the sooner the better. At this point, they have mostly become a nuisance. Even if there are some sites -- and those are mostly news sites -- that may offer some value in their notifications, I can't remember the last time I accepted one on purpose. Also, while legitimate sites love to push web notifications to remind readers of their existence, attackers can also use them to send phishing attacks or prompt users to download malware if they get users to give them permission. "On the one hand, page notifications help deliver updates from sites you care about; on the other hand, notification permission prompts can become a nuisance," Google admits in its blog post today. The company's new ML model will now look for prompts that users are likely to ignore and block them automatically. And as a bonus, all of that is happening on your local machine, so none of your browsing data makes it onto Google's servers.

IT

Vivaldi Email Client Released 7 Years After First Announcement (theregister.com) 42

Browser maker Vivaldi's email client has finally hit version 1.0, seven years after it was first announced. From a report: Vivaldi Mail, which includes a calendar and feed reader as well as an email client, first arrived in technical preview in 2020. A slightly wobbly beta arrived last year alongside version 4 of the Chromium-based browser. After another year of polish and tidying of loose ends, the company has declared the client ready.

As before, the client is built into the browser, meaning it is unlikely to appeal to many beyond Vivaldi's existing user base. Enabling it is a simple matter of dropping into Settings pages and wading through until the option to enable Mail, Calendar, and Feeds can be selected. Vivaldi has a lot of settings -- delightfully customizable for some and downright baffling for others. That said, for users still pining for a good old-fashioned email client that doesn't require wading through a web page festooned with adverts, there's a lot to like. It supports multiple accounts, will sort messages and create folders automatically (locally, rather than on a mystery server in the cloud), and permits searching (with indexing performed offline). IMAP and POP3 are supported, making adding a provider relatively straightforward, and the company also claims that users can log into their Google accounts from Mail and Calendar.

Security

US: Chinese Government Hackers Breached Telcos To Snoop On Network Traffic (cnbc.com) 29

Several US federal agencies today revealed that Chinese-backed threat actors have targeted and compromised major telecommunications companies and network service providers to steal credentials and harvest data. BleepingComputer reports: As the NSA, CISA, and the FBI said in a joint cybersecurity advisory published on Tuesday, Chinese hacking groups have exploited publicly known vulnerabilities to breach anything from unpatched small office/home office (SOHO) routers to medium and even large enterprise networks. Once compromised, the threat actors used the devices as part of their own attack infrastructure as command-and-control servers and proxy systems they could use to breach more networks.

"Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting," the advisory explains. The attackers then stole credentials to access underlying SQL databases and used SQL commands to dump user and admin credentials from critical Remote Authentication Dial-In User Service (RADIUS) servers.

"Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure," the federal agencies added. The three federal agencies said the following common vulnerabilities and exposures (CVEs) are the network device CVEs most frequently exploited by Chinese-backed state hackers since 2020. "The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns," the NSA added.
Organizations can protect their networks by applying security patches as soon as possible, disabling unnecessary ports and protocols to shrink their attack surface, and replacing end-of-life network infrastructure that no longer receives security patches.

The agencies "also recommend networks to block lateral movement attempts and enable robust logging and internet-exposed services to detect attack attempts as soon as possible," adds BleepingComputer.
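One way to act on the logging recommendation above, as an added example that is not from the advisory or BleepingComputer: it scans router management logs for the pattern the agencies describe, a login from outside the management network followed by commands that mirror or re-route traffic. The syslog-style line format, the sample lines and the 10.20.0.0/24 management subnet are all constructed assumptions.

```python
# Flags router activity matching the advisory's pattern: a login from outside the
# management network followed by commands that mirror or re-route traffic.
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample syslog-style lines (generic format, not any vendor's real output).
SAMPLE_LOGS = """\
2022-06-07T10:01:12Z core-rtr-1 login: user netops from 10.20.0.15
2022-06-07T10:02:40Z core-rtr-1 config: user netops cmd "interface Gi0/1 description uplink"
2022-06-07T23:14:03Z edge-rtr-3 login: user admin from 203.0.113.77
2022-06-07T23:15:10Z edge-rtr-3 config: user admin cmd "monitor session 1 source interface Gi0/0"
2022-06-07T23:15:31Z edge-rtr-3 config: user admin cmd "monitor session 1 destination interface Gi0/3"
2022-06-07T23:16:02Z edge-rtr-3 config: user admin cmd "ip route 0.0.0.0 0.0.0.0 198.51.100.9"
"""
# Assumption: the only subnet whose hosts should reach router management planes.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Commands that mirror or redirect traffic; hypothetical list, tune to vendor syntax.
TRAFFIC_CMDS = re.compile(r"^(monitor session|ip route|span|mirror|tunnel)", re.I)
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<kind>login|config): user (?P<user>\S+) '
    r'(?:from (?P<src>\S+)|cmd "(?P<cmd>[^"]*)")$'
)

@dataclass
class Finding:
    ts: str
    host: str
    user: str
    reason: str

def analyze(log_text: str, mgmt_nets=MGMT_NETS) -> list[Finding]:
    findings: list[Finding] = []
    untrusted: set[tuple[str, str]] = set()  # (host, user) pairs logged in from outside
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["user"])
        if m["kind"] == "login":
            src = ipaddress.ip_address(m["src"])
            if any(src in net for net in mgmt_nets):
                untrusted.discard(key)  # approved jump host: session is trusted
            else:
                untrusted.add(key)
                findings.append(Finding(m["ts"], *key, f"login from non-management source {src}"))
        elif TRAFFIC_CMDS.match(m["cmd"]):
            sev = "HIGH" if key in untrusted else "review"
            findings.append(Finding(m["ts"], *key, f"{sev}: traffic-redirect command '{m['cmd']}'"))
    return findings
```

On the sample input the netops change from the management subnet is ignored, while the admin session from 203.0.113.77 yields one login finding and three HIGH findings for the mirror and route commands.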
United States

FBI Seizes Notorious Marketplace for Selling Millions of Stolen SSNs (techcrunch.com) 27

U.S. law enforcement have announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information -- including Social Security numbers, or SSNs -- of millions of Americans. From a report: The operation was conducted by the FBI, the Internal Revenue Service (IRS), and the Department of Justice (DOJ), with help from the Cyprus Police, to seize four domains hosting the SSNDOB marketplace -- ssndob[dot]ws, ssndob[dot]vip, ssndob[dot]club, and blackjob[dot]biz. SSNDOB listed the personal information for approximately 24 million individuals in the United States, including names, dates of birth, SSNs, and credit card numbers, and generated more than $19 million in revenue, according to the DOJ. Chainalysis, a blockchain analysis company, reports separately that the marketplace has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015, though the marketplace is believed to have been active since at least 2013. These figures suggest that some users were buying personally identifiable information from the service in bulk, according to Chainalysis, which also uncovered a connection between SSNDOB and Joker's Stash, a large dark net market focused on stolen credit card information that shut down in January 2021.
