Security

FSB Arrests 14 Members of REvil Ransomware Gang (therecord.media) 34

An anonymous reader writes: The Russian Federal Security Service (FSB) said today that it has raided and shut down the operations of the REvil ransomware gang. Raids were conducted today at 25 residences owned by 14 members suspected to be part of the REvil team across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions. Authorities said they seized more than 426 million rubles, $600,000, and 500,000 euros in cash, along with cryptocurrency wallets, computers, and 20 expensive cars. The REvil gang is responsible for ransomware attacks against Apple supplier Quanta, Kaseya, and JBS Foods.
IT

Cyberattack Hits Ukrainian Websites as Russia Tensions Mount (bloomberg.com) 28

Ukraine's worst cyberattack in four years brought down the websites of scores of government agencies for hours. Authorities didn't immediately identify the source of the hacks, which took place as tensions with Russia intensified over its troop buildup across the border. From a report: Seventy government agencies were hit, including the Foreign and Agriculture Ministries, Viktor Zhora, the deputy head of the state agency in charge of special communication and information protection, said Friday. Authorities are investigating and will have their first conclusions later in the day, he said. "There was no leak of important data, the content of the websites was not damaged," Zhora said. "We are collecting digital evidence and analyzing data to understand the full chain of this attack." Ukraine has previously accused Russia of mounting major cyberattacks against its digital infrastructure. Relations between the two former Soviet partners have worsened since the ouster of a Russian-backed president in 2014 and Moscow's subsequent annexation of Crimea.
Encryption

Federal Investigators Say They Used Encrypted Signal Messages To Charge Far-Right Militia Group Leader (cnbc.com) 294

JoeyRox shares a report from CNBC: Federal investigators claimed to have accessed encrypted Signal messages used to help charge the leader of the Oath Keepers, an extremist far-right militia group, and other defendants in a seditious plot on Jan. 6, 2021. It's not clear how investigators gained access to the messages. One possibility is that another recipient with access to the messages handed them over to investigators. The complaint references group messages run on the app, so it's possible another participant in those chats cooperated.
Security

Scammers Put Fake QR Codes On Parking Meters To Intercept Parkers' Payments (arstechnica.com) 45

An anonymous reader quotes a report from Ars Technica: Scammers in a few big Texas cities have been putting fake QR codes on parking meters to trick people into paying the fraudsters. Parking enforcement officers recently found stickers with fraudulent QR codes on pay stations in Austin, Houston, and San Antonio. San Antonio police warned the public of the scam on December 20, saying that "people attempting to pay for parking using those QR codes may have been directed to a fraudulent website and submitted payment to a fraudulent vendor." Similar scams were then found in Austin and Houston.

The fake QR codes reportedly directed people to a "Quick Pay Parking" website at the domain passportlab.xyz, which is now offline. It's not clear how many people -- if any -- were tricked into paying the fraudsters. "We don't use QR codes at all for this very reason, because they are easy to fake or place on the devices," Austin parking division manager Jason Redfern told KXAN. "And we heard from industry leaders that this would be a possibility." Austin accepts payments directly at the meter with coins or credit card, or with the Park ATX mobile payment app. [...] Houston officials found five meters with fake QR codes and removed the stickers, according to KPRC 2. While the scam seems to have been centered in Texas, it could be repeated anywhere. If you see a QR code on a parking meter, ignore it and make sure you pay the city directly.

Transportation

Teen Hacker Finds Bug That Lets Him Control 25+ Teslas Remotely (arstechnica.com) 57

An anonymous reader quotes a report from Ars Technica: A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday. David Colombo explained in the thread that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owner's faults." He claimed to be able to disable a car's remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car's exact location.

However, Colombo clarified that he could not actually interact with any of the Teslas' steering, throttle, or brakes, so at least we don't have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment. Colombo says he reported the issue to Tesla's security team, which is investigating the matter.

Security

FCC Proposes Stricter Requirements for Reporting Data Breaches (engadget.com) 13

The Federal Communications Commission is the next US regulator hoping to hold companies more accountable for data breaches. From a report: Chairwoman Jessica Rosenworcel has shared a rulemaking proposal that would introduce stricter requirements for data breach reporting. Most notably, the new rules would require notifications for customers affected by "inadvertent" breaches -- companies that leave data exposed would have to be just as communicative as victims of cyberattacks. The requirements would also scrap a mandatory one-week waiting period for notifying customers. Carriers, meanwhile, would have to disclose reportable breaches to the FCC in addition to the FBI and Secret Service. Rosenworcel argued the tougher rules were necessary to account for the "evolving nature" of breaches and the risks they posed to victims. People ought to be protected against larger and more frequent incidents, the FCC chair said -- that is, regulations need to catch up with reality.
Chrome

Chrome Will Limit Access To Private Networks, Citing Security Reasons (therecord.media) 32

Google says that its Chrome browser will soon block internet websites from querying and interacting with devices and servers located inside local private networks, citing security reasons and past abuse from malware operations. From a report: The change will take place through the implementation of a new W3C specification called Private Network Access (PNA) that will be rolled out in the first half of the year. The new PNA specification adds a mechanism inside the Chrome browser through which internet sites can ask systems inside local networks for permission before establishing a connection. If local devices, such as servers or routers, fail to respond, internet websites will be blocked from connecting.
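The "ask the local device for permission" step above is a CORS-style preflight. The example below is added here and is not code from Google, the W3C, or The Record; it shows what a device on a private network (a router admin page, a NAS, a printer) has to answer for Chrome to let a public site through, and what it should answer for everyone else. It assumes the header names from the PNA draft, `Access-Control-Request-Private-Network` on the preflight and `Access-Control-Allow-Private-Network: true` in the response; the origin allowlist, the port, and the handler class are constructed for illustration.

```python
"""Private Network Access (PNA) preflight handling for a device on a private network.

Added example, not Chrome's or the W3C's code. Assumes the PNA draft header names:
the browser sends `Access-Control-Request-Private-Network: true` on the CORS
preflight, and the device must reply `Access-Control-Allow-Private-Network: true`
(plus the usual CORS allow headers) or the real request is blocked.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist: the only public origins this device agrees to be
# reached from. An empty set means no internet site may talk to it.
ALLOWED_ORIGINS = {"https://dashboard.example"}


def pna_preflight(headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide how to answer a CORS/PNA preflight.

    `headers` is any mapping of request headers (case is ignored).
    Returns (status_code, response_headers):
      * 204 with Access-Control-Allow-* headers tells the browser to proceed;
      * 403 with no allow headers makes the browser refuse to send the real
        request, which is the safe default for an unknown origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    wants_private = h.get("access-control-request-private-network", "").lower() == "true"

    if origin is None or origin not in allowed_origins:
        # No Access-Control-Allow-* headers at all: the browser treats the
        # missing headers as a denial, so nothing leaks to the page.
        return 403, {}

    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",
    }
    if wants_private:
        # Grant private-network access only when the browser explicitly asked
        # for it and the origin is vetted; never send this unconditionally.
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 204, resp


class PNAHandler(BaseHTTPRequestHandler):
    """Minimal handler: OPTIONS is the preflight, GET is the real request."""

    def do_OPTIONS(self):
        status, resp_headers = pna_preflight(self.headers)
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.end_headers()

    def do_GET(self):
        # The real request must still carry CORS headers for a vetted origin.
        origin = self.headers.get("Origin")
        body = b'{"status":"ok"}'
        self.send_response(200)
        if origin in ALLOWED_ORIGINS:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed port; bind to the LAN interface of the device in practice.
    HTTPServer(("127.0.0.1", 8080), PNAHandler).serve_forever()
```

The defender's point is in the 403 branch: a device that simply echoes every `Origin` back in `Access-Control-Allow-Origin` and always sets the private-network header has opted out of the protection PNA gives it.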
Data Storage

PCI Express 6.0 Specification Finalized: x16 Slots To Reach 128GBps (anandtech.com) 31

PCI Special Interest Group (PCI-SIG) has released the much-awaited final (1.0) specification for PCI Express 6.0. From a report: The next generation of the ubiquitous bus is once again doubling the data rate of a PCIe lane, bringing it to 8GB/second in each direction -- and far, far higher for multi-lane configurations. With the final version of the specification now sorted and approved, the group expects the first commercial hardware to hit the market in 12-18 months, which in practice means it should start showing up in servers in 2023. First announced in the summer of 2019, PCI Express 6.0 is, as the name implies, the immediate follow-up to the current-generation PCIe 5.0 specification. Having made it their goal to keep doubling PCIe bandwidth roughly every 3 years, the PCI-SIG almost immediately set about work on PCIe 6.0 once the 5.0 specification was completed, looking at ways to once again double the bandwidth of PCIe. The product of those development efforts is the new PCIe 6.0 spec, and while the group has missed their original goal of a late 2021 release by mere weeks, today they are announcing that the specification has been finalized and is being released to the group's members. As always, the creation of an even faster version of PCIe technology has been driven by the insatiable bandwidth needs of the industry. The amount of data being moved by graphics cards, accelerators, network cards, SSDs, and other PCIe devices only continues to increase, and thus so must bus speeds to keep these devices fed. As with past versions of the standard, the immediate demand for the faster specification comes from server operators, who are already regularly using large amounts of high-speed hardware. But in due time the technology should filter down to consumer devices (i.e. PCs) as well.
Businesses

Wordle Copycats Have Vanished From Apple's App Store (polygon.com) 37

The many Wordle copycats that were flooding Apple's App Store seem to have disappeared. The apps appear to have been removed by Apple shortly after their existence caused a stir on social media. From a report: Wordle itself doesn't have an official iOS app so other developers looked to hop on the coattails of the game's success. But when one in particular started bragging on Twitter about the attention his version of the app was getting, he quickly caught heat, drawing attention to both his app and the many other Wordle clones on the App Store. While there are still a few five-letter word games on the store, they don't have the name Wordle attached like the most egregious ripoffs from the last few days have. Instead these games have names like PuzzWord. There are still a few games left on the App Store that are actually called Wordle, but one was released three years ago and the other was released five years ago with very different concepts from the surprise hit developed by Josh Wardle. While the apps are now gone from the store, the question of why they're gone remains open. There's been no official word from Apple on whether or not the apps were removed because they violated a store rule, or simply because Apple no longer wanted them on the App Store. Either way, for now the only way to play real Wordle on your phone is still to navigate to the website on a browser.
Bug

T-Mobile Says It Has 'Not Broadly Blocked' iCloud Private Relay, Blames iOS 15.2 Bug For Errors (9to5mac.com) 11

T-Mobile has officially acknowledged a bug that has blocked some subscribers from using iCloud Private Relay when connected to cellular networking. In a statement to 9to5Mac, T-Mobile blamed this situation on a bug in iOS 15.2 and said that it has "not broadly blocked" iCloud Private Relay. From the report: It's also important to note that this bug is not only affecting T-Mobile subscribers, as the company says in its statement. Instead, it's a bug that seems to affect iOS 15.2 broadly rather than T-Mobile specifically. The issue is also still present in the latest release of iOS 15.3 beta. The full statement reads: "Overnight our team identified that in the 15.2 iOS release, some device settings default to the feature being toggled off. We have shared this with Apple. This is not specific to T-Mobile. Again though, we have not broadly blocked iCloud Phone Relay."

A solution to the problem that has worked for 9to5Mac in testing is to go to Settings, then choose Cellular, then choose your plan, and ensure that "Limit IP Address Tracking" is enabled. Make sure to complete these steps while WiFi is disabled and you are connected to your cellular network. T-Mobile has, however, acknowledged that there are situations in which it is required to block iCloud Private Relay due to technical reasons. Namely, if your account or line has content moderation features or parental controls enabled, you will be unable to use iCloud Private Relay when connected to cellular. [...] A source has also confirmed to 9to5Mac that this also applies to certain legacy plans that include the Netflix on Us perk and have Family Allowances enabled.

Chrome

Hotel Chain Switches To Chrome OS To Recover From Ransomware Attack (therecord.media) 77

A Scandinavian hotel chain that fell victim to a ransomware attack last month said it took a novel approach to recover from the incident by switching all affected systems to Chrome OS. The Record reports: Nordic Choice Hotels, which operates 200 hotels across Northern Europe, fell victim to a ransomware attack on December 2, when hackers encrypted some of its internal systems using the Conti ransomware strain. The attack prevented staff from accessing guest reservation data and from issuing key cards to newly arriving guests, as one of the hotel's guests told The Record in an interview last month. But in a press release today, Nordic Choice said that instead of contacting the hackers and negotiating a ransom for the decryption key that would have unlocked the infected devices, the hotel chose to migrate its entire PC fleet from Windows to Chrome OS.

"[I]n less than 24 hours, the first hotel was operating in the Chrome OS ecosystem from Google. And in the following two days, 2000 computers were converted all over the company consisting of 212 hotels in five different countries," the hotel chain explained. Kari Anna Fiskvik, VP Technology at Nordic Choice Hotels, said the hotel had already run a pilot program to test the tool before the attack as a way to save money by reusing old computers with a less-demanding OS. "So when we suddenly had to deal with the cyberattack, the decision to go all in and fast-track the project was made in seconds," Fiskvik said. Nordic Choice said it plans to migrate another 2,000 computers to Chrome OS, on top of the 2,000 it migrated during the attack. The hotel chain said they expect to save $6.7 million by converting old computers to Chrome OS instead of buying new hardware.

Security

Hackers Can Cut the Lights With Rogue Code, Researchers Show (bloomberg.com) 27

Safety device used for electrical distribution worldwide could be hacked to turn off power, according to cybersecurity experts. From a report: As Ang Cui added more juice to the power grid, overhead electric lines began to glow bright orange. Then, within seconds, the power lines evaporated in a flash of smoke, leaving an entire section of Manhattan in the dark. No actual buildings or people lost power because, luckily, this was just a simulation -- a tabletop diorama of Manhattan complete with tiny copper power lines and the Statue of Liberty relocated to a pared-down Central Park. Cui's colleagues at Red Balloon Security had unleashed a few lines of malicious code that knocked out a computer designed to protect electrical lines. The real-world consequences were unmistakable: hackers could shut off power in parts of the city, an industrial plant or sports stadium by targeting the very systems designed to protect it. "Whew -- need to open a window," said Cui, Red Balloon's chief executive officer and founder, wafting his hands in an effort to clear the smoke swirling around his fourth-floor office. The charred remains of plastic poles were all that was left of the diorama's power lines.

Safety devices like the one Cui's team examined are key to the operation and stability of the modern electric grid. Known as protection relays, they cut the power when faults, or abnormal currents, threaten to damage equipment or harm people. Researchers at Red Balloon discovered vulnerabilities on a relay made by the French firm Schneider Electric SE, called the Easergy P5. The company on Tuesday published a software fix for the device, which is not yet for sale in the U.S. A Schneider Electric spokesman said the firm is "extremely vigilant of cyber threats and continually assesses and evolves our products and R&D practices to better protect our offers, and our customers' operations against them." "Upon learning of the vulnerabilities with the Schneider Electric Easergy P5 protection relay, we worked immediately to resolve them," according to the spokesman. "We urge users of the product to follow the guidance we will provide in the Jan. 11 security notification -- which includes a software patch that will address the immediate risk -- as part of our disclosure process. Users should implement general cybersecurity best practices across their operation to protect their systems."

Security

Ransomware Attack Leads To Jail Lockdown (abqjournal.com) 10

Bernalillo County filed an emergency notice in federal court last week because a ransomware attack made the Metropolitan Detention Center unable to comply with terms of a settlement agreement in a years-running lawsuit over jail conditions. From a report: The county last Wednesday announced its offices and systems were the victims of a cyberattack, affecting a wide variety of county government operations. Most county buildings were closed until further notice. As a result, the county-operated MDC has been unable to access its cameras since the attack, which is one of the reasons it has fallen out of compliance in the McClendon v. City of Albuquerque lawsuit, which centers on jail conditions. The attack has limited how much time inmates can spend out of their cells, and also reduced their access to telephones and tablets, according to the filing. The county also has been unable to gather data required as a condition of the settlement agreement. No visitors have been allowed. The county said in the filing that its inability to access cameras is one of the more concerning aspects of the cyberattack, which has caused the facility to be on "lockdown" since Wednesday.
Firefox

Firefox 96 Yields Less Load On The Main Thread, WebP Encoder For Canvas (phoronix.com) 43

Firefox 96.0 is officially shipping today as the first update of 2022 for this open-source web browser. From a report: Firefox 96.0 has "significantly" reduced the amount of load placed on the browser's main thread and there are also "significant" improvements in noise suppression and auto-gain-control and improvements in echo cancellation. In addition to that performance work, there are also WebRTC improvements, an improved cookie policy to reduce the likelihood of Cross-Site Request Forgery (CSRF) attacks, video quality degradation fixes, and other fixes. Over on developer.mozilla.org are some of the web developer changes with Firefox 96 including CSS color value function hwb() support for specifying the hue/whiteness/blackness, support for the CSS color-scheme property, the Web Locks API is enabled by default, image encoder support for WebP for exporting HTML5 canvas elements, and other additions.
Security

CISA Director: We'll Be Dealing With Log4j For a Long Time (cnet.com) 46

Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday. CNET reports: If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack. No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said.

Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It's possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack. "We do expect Log4Shell to be used in intrusions well into the future," Easterly said, using the name for the bug in the Log4j software. She noted the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software. Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, she said.

Security

Threat Actors Can Simulate iPhone Reboots and Keep iOS Malware On a Device (therecord.media) 23

An anonymous reader quotes The Record: In a piece of groundbreaking research published on Tuesday night, security firm ZecOps said that it found a way to block and then simulate an iOS restart operation, a technique that they believe could be extremely useful to attackers who may want to trick users into thinking they rebooted their device and as a result, maintain access for their malware on that infected system.

The technique is of extreme importance and gravity because of the way the iPhone malware landscape has evolved in recent years, where, due to advances in the security of the iOS operating system, malware can't achieve boot persistence as easily as it once did.... As a result, many security experts have recommended over the past year that users who might be the target of malicious threat actors regularly reboot devices in order to remove backdoors or other implants.... But in a blog post on Tuesday, ZecOps said that the iOS restart process isn't immune to being hijacked once an attacker has gained access to a device, in a way to perform a fake restart where the user's device only has its UI turned off, instead of the entire OS.

Security

Salesforce To Require MFA For All Users Starting Next Month (therecord.media) 56

An anonymous reader writes: Salesforce, the world's largest customer relationship management platform, said that customers must have a form of multi-factor authentication (MFA) turned on starting next month, or they won't be able to access their accounts. "Beginning February 1, 2022, Salesforce will require customers to use MFA in order to access Salesforce products," the company said last month.

Salesforce said that users will be able to choose from using security keys, an authenticator app, or OS biometric systems to secure accounts. MFA solutions that rely on sending one-time passcodes via email, phone, or SMS messages won't be allowed "because these methods are inherently vulnerable to interception, spoofing, and other attacks," Salesforce explained.

"We encourage users to register multiple verification methods so they have a backup in case they forget or lose their primary method," the company added.
The Military

Cyber Command Task Force Conducted Its First Offensive Operation (thedrive.com) 31

An anonymous reader quotes a report from The Drive: A U.S. Cyber Command task force executed what is being described as its "first offensive cyber effect operation" against real-world cyber threats. While the exact nature of the operation and its target remains unknown, the event was significant enough for the U.S. Secretary of Defense to personally attend to watch the operation in action. The operation was conducted between February and August 2021 by a task force consisting of personnel from the Maryland Air National Guard's 175th Cyber Operations Group, the Delaware Air National Guard's 166th Cyber Operations Squadron, U.S. Navy's Cyber Strike Activity Sixty-Three, the U.S. Air Force's 341st Cyber Operations Squadron, and the Air Force Reserve. The task force executed the operation from February to August last year, although the Air National Guard (ANG) just announced it this week. While there have been other offensive cyber operations conducted by U.S. Cyber Command (USCYBERCOM), this is the first conducted and acknowledged by this particular task force.

Details about the specific threat countered by the task force's cyber offensive are scarce, but USAF Maj. Corley Bradford, director of operations for 175th Cyberspace Operations Squadron, said the offensive cyber operation involved the security of Department of Defense information networks. "[Our] NMT was a direct contributor to [our task force] conducting a successful offensive cyber effects operation," Bradford stated in an ANG press release. "It was a lot of excitement to finally see the fruits of our labor when [our task force] delivered its first offensive cyber effects operations during this mobilization," said Bradford. Interestingly, Secretary of Defense Lloyd J. Austin III was on hand to personally witness the operation. "It was a massive milestone," Maj. Bradford said, "so he wanted front row seats to see the action firsthand."

Security

Hackers Target US Defense Firms With Malicious USB Packages (bleepingcomputer.com) 57

The Federal Bureau of Investigation (FBI) warned US companies in a recently updated flash alert that the financially motivated FIN7 cybercriminal group is targeting the US defense industry with packages containing malicious USB devices. BleepingComputer reports: The attackers are mailing packages containing 'BadUSB' or 'Bad Beetle USB' devices with the LilyGO logo, commonly available for sale on the Internet. The packages have been mailed via the United States Postal Service (USPS) and United Parcel Service (UPS) to businesses in the transportation and insurance industries since August 2021 and defense firms starting in November 2021. FIN7 operators impersonate Amazon and the US Department of Health & Human Services (HHS) to trick the targets into opening the packages and connecting the USB drives to their systems. Since August, reports received by the FBI say that these malicious packages also contain letters about COVID-19 guidelines or counterfeit gift cards and forged thank you notes, depending on the impersonated entity.

After the targets plug the USB drive into their computers, it automatically registers as a Human Interface Device (HID) Keyboard (allowing it to operate even with removable storage devices toggled off). It then starts injecting keystrokes to install malware payloads on the compromised systems. FIN7's end goal in these attacks is to access the victims' networks and deploy ransomware within a compromised network using various tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts. [...] Companies can defend against such attacks by allowing their employees to connect only USB devices based on their hardware ID or if they're vetted by their security team.
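The mitigation in the last sentence, allowing only vetted hardware IDs, needs a way to notice when a "storage" stick actually enumerates as a keyboard. The example below is added here and is not from the FBI alert or BleepingComputer; it parses the lines the Linux `hid-generic` driver writes to the kernel log when a HID device registers and flags any device claiming to be a keyboard whose vendor:product ID is not on the team's allowlist. The log lines, the allowlist, and the vendor/product IDs are constructed samples; `046D:C31C` is used only as a stand-in for a vetted keyboard, and `DEAD:BEEF` for the unexpected one.

```python
"""Flag USB devices that register as HID keyboards without being on an allowlist.

Added example, not from the FBI or BleepingComputer. Works over Linux kernel log
lines (dmesg / journalctl -k) of the form the hid-generic driver prints:
  hid-generic 0003:VVVV:PPPP.NNNN: input,hidrawN: USB HID v1.11 Keyboard [name] on ...
where bus 0003 is USB and "Keyboard" is the device type the HID descriptor claims.
A BadUSB stick shows up here as a Keyboard with an ID nobody vetted.
"""
import re
from collections import namedtuple

HidEvent = namedtuple("HidEvent", "vid pid kind name")

# vid/pid are the four-hex-digit hardware IDs; kind is Keyboard/Mouse/Device/...
HID_LINE = re.compile(
    r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: "
    r".*?USB HID v[\d.]+ (\w+) \[([^\]]*)\]"
)

# Constructed allowlist of vetted keyboard hardware IDs ("VID:PID", upper case).
ALLOWED_KEYBOARDS = {"046D:C31C"}

# Constructed sample log: a vetted keyboard, a "gift card" drive that also
# registers a keyboard interface, and a mouse (which is not a keystroke source).
SAMPLE_LOG = """\
usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.01
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-3/input0
usb 1-4: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
usb 1-4: Product: Gift Card Storage
hid-generic 0003:DEAD:BEEF.0002: input,hidraw1: USB HID v1.11 Keyboard [Generic USB Keyboard] on usb-0000:00:14.0-4/input0
hid-generic 0003:046D:C077.0003: input,hidraw2: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-5/input0
"""


def parse_hid_events(lines):
    """Return a HidEvent for every hid-generic registration line, IDs upper-cased."""
    events = []
    for line in lines:
        m = HID_LINE.search(line)
        if m:
            vid, pid, kind, name = m.groups()
            events.append(HidEvent(vid.upper(), pid.upper(), kind, name))
    return events


def find_rogue_keyboards(lines, allowlist=ALLOWED_KEYBOARDS):
    """Return the HidEvents that claim to be keyboards but are not on the allowlist.

    Only the Keyboard kind matters for keystroke injection, so mice and other
    HID kinds are ignored rather than alerted on.
    """
    return [
        ev for ev in parse_hid_events(lines)
        if ev.kind == "Keyboard" and f"{ev.vid}:{ev.pid}" not in allowlist
    ]


if __name__ == "__main__":
    for ev in find_rogue_keyboards(SAMPLE_LOG.splitlines()):
        print(f"ALERT: unvetted keyboard {ev.vid}:{ev.pid} ({ev.name}) registered")
```

In practice the same check runs against the live kernel log (or a udev event stream), and the allowlist is what the security team vetted; the enforcing counterpart, blocking the device rather than only alerting, is a separate policy step that this detection feeds.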
