China

China Targeted Fed To Build Informant Network and Access Data, Probe Finds (wsj.com)

China tried to build a network of informants inside the Federal Reserve system, at one point threatening to imprison a Fed economist during a trip to Shanghai unless he agreed to provide nonpublic economic data, a congressional investigation found. From a report: The investigation by Republican staff members of the Senate's Committee on Homeland Security and Governmental Affairs found that over a decade Fed employees were offered contracts with Chinese talent recruitment programs, which often include cash payments, and asked to provide information on the U.S. economy, interest rate changes and policies, according to a report of the findings released on Tuesday. In the case of the economist, the report said, Chinese officials in 2019 detained and tried to coerce him to share data and information on U.S. government policies, including on tariffs while the U.S. and China were in the midst of a trade war. The report doesn't say whether any sensitive information was compromised. Access to such information could provide valuable insights given the Fed's extensive analysis of U.S. economic activity, its oversight of the U.S. financial system, and the setting of interest-rate policy.

The Republican-led investigation said the Fed failed to mount an adequate response. The report's findings show "a sustained effort by China, over more than a decade, to gain influence over the Federal Reserve and a failure by the Federal Reserve to combat this threat effectively." Fed Chairman Jerome Powell strongly disputed the report's findings and called its characterizations of some employees unfair. "Because we understand that some actors aim to exploit any vulnerabilities, our processes, controls, and technology are robust and updated regularly. We respectfully reject any suggestions to the contrary," he wrote in a letter to Sen. Rob Portman of Ohio, the committee's top Republican.

Security

Source Code For Rust-Based Info-Stealer Released On Hacker Forums (bleepingcomputer.com)

The source code for an information-stealing malware coded in Rust has been released for free on hacking forums, with security analysts already reporting that the malware is actively used in attacks. BleepingComputer reports: The malware, which the author claims to have developed in just six hours, is quite stealthy, with VirusTotal returning a detection rate of around 22%. As the info-stealer is written in Rust, a cross-platform language, it allows threat actors to target multiple operating systems. However, in its current form, the new info-stealer only targets Windows operating systems.

Analysts at cybersecurity firm Cyble, who sampled the new info-stealer and named it "Luca Stealer," report that the malware comes with standard capabilities for this type of malware. When executed, the malware attempts to steal data from thirty Chromium-based web browsers, where it will steal stored credit cards, login credentials, and cookies. The stealer also targets a range of "cold" cryptocurrency and "hot" wallet browser addons, Steam accounts, Discord tokens, Ubisoft Play, and more. Where Luca Stealer stands out against other info-stealers is the focus on password manager browser addons, stealing the locally stored data for 17 applications of this kind. In addition to targeting applications, Luca also captures screenshots and saves them as a .png file, and performs a "whoami" to profile the host system and send the details to its operators.

Chrome

Google Chrome Security Update Fixes 'High Risk' Flaws (zdnet.com)

"Google has released security updates for Google Chrome browser for Windows, Mac and Linux, addressing vulnerabilities that could allow a remote attacker to take control of systems," reports ZDNet: There are 11 fixes in total, including five that are classed as high-severity. As a result, CISA has issued an alert encouraging IT administrators and regular users to install the updates as soon as possible to ensure their systems are not vulnerable to the flaws.

Among the most severe vulnerabilities that are patched by the Google Chrome update is CVE-2022-2477, a vulnerability caused by a use-after-free flaw in Guest View, which could allow a remote attacker to execute arbitrary code on systems or crash them... Another of the vulnerabilities, CVE-2022-2480, relates to a use-after-free flaw in the Service Worker API, which acts as a proxy server that sits between web applications, the browser and the network in order to improve offline experiences, among other things.

Windows

To Thwart Ransomware, Microsoft's Windows Gets New Defaults Limiting Brute-Force Password Guessing (zdnet.com)

ZDNet reports: Microsoft is rolling out a new security default for Windows 11 that will go a long way to preventing ransomware attacks that begin with password-guessing attacks and compromised credentials. The new account security default on account credentials should help thwart ransomware attacks that are initiated after using compromised credentials or brute-force password attacks to access remote desktop protocol (RDP) endpoints, which are often exposed on the internet.

RDP remains the top method for initial access in ransomware deployments, with groups specializing in compromising RDP endpoints and selling them to others for access.

The new feature is rolling out to Windows 11 in a recent Insider test build, but the feature is also being backported to Windows 10 desktop and server, according to Dave Weston, vice president of OS Security and Enterprise at Microsoft. "Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks — this control will make brute forcing much harder which is awesome!" Weston tweeted.

Weston emphasized "default" because the policy is already an option in Windows 10 but isn't enabled by default. That's big news and is a parallel to Microsoft's default block on internet macros in Office on Windows devices, which is also a major avenue for malware attacks on Windows systems through email attachments and links.... The defaults will be visible in the Windows Local Computer Policy directory "Account Lockout Policy".

The default "account lockout duration" is 10 minutes; the "account lockout threshold" is set to a maximum of 10 invalid logon attempts; a setting to "allow administrator account lockout" is enabled; and the "reset account lockout counter after" setting is set to 10 minutes.
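One way for an administrator to check a host against the four defaults listed above, as an added example (not code from the ZDNet article or from Microsoft): it exports the local security policy with secedit and compares the lockout values. LockoutBadCount, LockoutDuration and ResetLockoutCount are the names secedit uses in its export; AllowAdministratorLockout is assumed to be how the newer "allow administrator account lockout" setting appears there.

```powershell
# Added example: compare the local account lockout policy with the Windows 11
# defaults named in the article (threshold 10, duration 10 min, counter reset
# after 10 min, administrator lockout allowed).
# Must run from an elevated prompt, because secedit reads the local security database.

function Get-LockoutPolicy {
    $exportPath = Join-Path $env:TEMP 'secpol-export.inf'
    # Export only the SECURITYPOLICY area; the [System Access] section holds the lockout keys.
    secedit.exe /export /cfg $exportPath /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $exportPath)) {
        throw 'secedit export failed; run this from an elevated prompt.'
    }

    $policy = @{}
    foreach ($line in Get-Content $exportPath) {
        # Lines look like:  LockoutBadCount = 10
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $exportPath -ErrorAction SilentlyContinue
    return $policy
}

function Test-LockoutDefaults {
    param([hashtable]$Policy)

    # Expected values from the article. AllowAdministratorLockout is an assumed
    # key name for the "Allow Administrator account lockout" setting.
    $expected = [ordered]@{
        LockoutBadCount           = 10   # lockout threshold; 0 means "Never", i.e. no lockout
        LockoutDuration           = 10   # minutes; -1 means locked until an admin unlocks
        ResetLockoutCount         = 10   # minutes before the bad-attempt counter resets
        AllowAdministratorLockout = 1    # 1 = built-in Administrator can also be locked out
    }

    $findings = foreach ($name in $expected.Keys) {
        $actual = if ($Policy.ContainsKey($name)) { $Policy[$name] } else { 'missing' }

        # When the threshold is 0 (or the key is absent) Windows never locks accounts,
        # which is the pre-default state the article describes as enabling brute force.
        if ($actual -eq $expected[$name]) {
            $status = 'OK'
        } elseif ($name -eq 'LockoutBadCount' -and ($actual -eq 0 -or $actual -eq 'missing')) {
            $status = 'NO LOCKOUT'
        } else {
            $status = 'DIFFERS'
        }

        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Status   = $status
        }
    }
    return $findings
}

Test-LockoutDefaults -Policy (Get-LockoutPolicy) | Format-Table -AutoSize
```

A "DIFFERS" row is not necessarily wrong (a stricter local or domain policy also differs); the row to act on is "NO LOCKOUT".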

Cellphones

T-Mobile Announces $350M Settlement Over Data Breach - Plus $150M Security Upgrade (techcrunch.com)

76.6 million Americans were affected by last year's T-Mobile data breach, TechCrunch reports — and now in compensation they may have a few bucks coming their way.

T-Mobile has announced a settlement of $550 million for affected customers (and the various attorneys bringing the consolidated class action lawsuits) — plus another $150 million "for data security and related technology." For now, the class defined by the settlement document is "the approximately 76.6 million U.S. residents identified by T-Mobile whose information was compromised in the Data Breach," with a little extra legalese for Californians, where class actions are handled slightly differently.

As is common in these giant lawsuits, lawyers take a huge bite and then the company must alert the class members they're owed money, so you can expect a postcard if you were a T-Mobile customer in August of 2021 (in the interest of full disclosure, I was). Then the money gets split up, depending on how many people respond and how much the lawyers take. The final settlement terms could be approved as early as December.

Chances are you won't even be able to cover a single monthly mobile bill with what you get, but these days a $9 check might be the difference between "dinner" and "no dinner" for quite a few people, so let's not mock these small sums — except that it's kind of insulting to have five serious breaches in as many years and all customers get is enough to order off the value menu.

Twitter

Twitter Data Breach Exposes Contact Details for 5.4M Accounts, on Sale for $30K (9to5mac.com)

9to5Mac reports: A Twitter data breach has allowed an attacker to get access to the contact details of 5.4M accounts. Twitter has confirmed the security vulnerability which allowed the data to be extracted. The data — which ties Twitter handles to phone numbers and email addresses — has been offered for sale on a hacking forum, for $30,000... There is as yet no way to check whether your account is included in the Twitter data breach.
More details from the Restore Privacy security news site: A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.... The seller on the hacking forum goes by the username "devil" and claims that the dataset includes "Celebrities, to Companies, randoms, OGs, etc."

Microsoft

Microsoft Will Block Office Macros By Default Starting July 27 (techcrunch.com)

Microsoft confirmed this week that it will soon start blocking Visual Basic Applications (VBA) macros in Office apps by default after quietly rolling back the change earlier this month. From a report: In a new update, the technology giant said that it will start blocking Office macros by default starting from July 27. This comes shortly after Microsoft halted the rollout of the macros-blocking feature citing unspecified "user feedback." It's thought the initial rollout, which kicked off at the beginning of June, caused issues for organizations using macros to automate routine processes, such as data collection or running certain tasks. In a statement given to TechCrunch, Microsoft said it paused the rollout while it "makes some additional changes to enhance usability." The company has since updated its documentation with step-by-step instructions for end users and IT admins explaining how Office determines whether to block or run macros, which Office versions are affected by the new rules, how to allow VBA macros in trusted files and how to prepare for the change.

Canada

A Small Canadian Town Is Being Extorted By a Global Ransomware Gang (theverge.com)

The Canadian town of St. Marys, Ontario, has been hit by a ransomware attack that has locked staff out of internal systems and encrypted data. The Verge reports: The small town of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit's dark web site listed townofstmarys.com as a victim of the ransomware and previewed files that had been stolen and encrypted. In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts. "To be honest, we're in somewhat of a state of shock," Strathdee said. "It's not a good feeling to be targeted, but the experts we've hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case ... there are people here working on it 24/7."

Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government's cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team's advice on how to engage further. Screenshots shared on the LockBit site show the file structure of a Windows operating system, containing directories corresponding to municipal operations like finance, health and safety, sewage treatment, property files, and public works. Per LockBit's standard operating methods, the town was given a deadline by which to pay to have their systems unlocked or else see the data published online.

The LockBit group has been responsible for 50 ransomware incidents in June 2022, "making it the most prolific global ransomware group," notes The Verge.

"In fact, St. Marys is the second small town to be targeted by LockBit in the space of just over a week: on July 14th, LockBit listed data from the town of Frederick, Colorado (population 15,000) as having been hacked, a claim that is currently under investigation by town officials."

Privacy

Hardcoded Password In Confluence Leaked On Twitter (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the passcode was "trivial to obtain."

The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence. "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said. "It is important to remediate this vulnerability on affected systems immediately."

A day later, Atlassian was back to report that "an external party has discovered and publicly disclosed the hardcoded password on Twitter," leading the company to ratchet up its warnings. "This issue is likely to be exploited in the wild now that the hardcoded password is publicly known," the updated advisory read. "This vulnerability should be remediated on affected systems immediately." The company warned that even when Confluence installations don't actively have the app installed, they may still be vulnerable. Uninstalling the app doesn't automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system.

To figure out if a system is vulnerable, Confluence users can use these instructions Atlassian provided for locating such accounts.

According to the company, the two ways to fix the issue are to disable or remove the "disabledsystemuser" account.

United Kingdom

UK Cybersecurity Chiefs Back Plan To Scan Phones for Child Abuse Images (theguardian.com)

Tech companies should move ahead with controversial technology that scans for child abuse imagery on users' phones, the technical heads of GCHQ and the UK's National Cybersecurity Centre have said. From a report: So-called "client-side scanning" would involve service providers such as Facebook or Apple building software that monitors communications for suspicious activity without needing to share the contents of messages with a centralised server. Ian Levy, the NCSC's technical director, and Crispin Robinson, the technical director of cryptanalysis -- codebreaking -- at GCHQ, said the technology could protect children and privacy at the same time.

"We've found no reason why client-side scanning techniques cannot be implemented safely in many of the situations one will encounter," they wrote in a discussion paper published on Thursday, which the pair said was "not government policy." They argued that opposition to proposals for client-side scanning -- most famously a plan from Apple, now paused indefinitely, to scan photos before they are uploaded to the company's image-sharing service -- rested on specific flaws, which were fixable in practice. They suggested, for instance, requiring the involvement of multiple child protection NGOs, to guard against any individual government using the scanning apparatus to spy on civilians; and using encryption to ensure that the platform never sees any images that are passed to humans for moderation, instead involving only those same NGOs.

Windows

The Windows 11 Taskbar is Getting Better for People Who Open Tons of Apps (arstechnica.com)

We appear to be entering a period of Windows' development where we can expect new features and tweaks to come to the operating system several times a year. To that end, Microsoft continues to add, remove, and generally experiment with Windows 11's features and user interface via its Insider Preview channels. From a report: The most interesting addition we've seen in a while is rolling out to users on the experimental Dev Channel now: a modified version of the taskbar with much-improved handling of app icon overflow when users have too many apps open at once. Click an ellipsis button on your taskbar, and a new icon overflow menu opens up, allowing you to interact with any of those extra icons the same way you would if they were sitting on the taskbar. This would be a big improvement over the current overflow behavior, which devotes one icon's worth of space to show the icon for the app you last interacted with, leaving the rest inaccessible. That icon will continue to appear on the taskbar alongside the new ellipsis icon. Microsoft says that app icons in the overflow area will be able to show jump lists and other customizable shortcuts the same as any other app icon in the taskbar.

Security

Russian Hackers Behind SolarWinds Are Now Hiding Malware In Google Drive (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The Russia-linked hacking group behind the infamous SolarWinds espionage campaign is now using Google Drive to stealthily deliver malware to its latest victims. That's according to researchers at Palo Alto Networks' Unit 42 threat intelligence team, who said on Tuesday that the Russian Foreign Intelligence Service (SVR) hacking unit -- tracked as "Cloaked Ursa" by Unit 42 but more commonly known as APT29 or Cozy Bear -- has incorporated Google's cloud storage service into its hacking campaigns to hide their malware and their activities.

APT29 has used this new tactic in recent campaigns targeting diplomatic missions and foreign embassies in Portugal and Brazil between early May and June 2022, according to Unit 42. "This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide," the researchers said. "When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign." Unit 42 disclosed the activity to both Dropbox and Google, which took action.

In May, the group was found to be using Dropbox in a campaign targeting diplomats and various government agencies. A Dropbox spokesperson told TechCrunch it disabled the accounts immediately.

Games

No NFTs in Minecraft, Mojang Says (pcgamer.com)

Mojang has drawn a line in the sand against NFTs in Minecraft, saying in an update posted today that NFT integration with the game is "generally not something we will support or allow." From a report: The update begins with a quick rundown of what NFTs are, including a note about their extreme volatility, before laying out the current policies on Minecraft servers. The overall goal of those policies, Mojang said, is "to ensure that Minecraft remains a community where everyone has access to the same content." NFTs, on the other hand, are specifically designed to "create models of scarcity and exclusion," which obviously conflicts with that principle. And so, they're out.

"To ensure that Minecraft players have a safe and inclusive experience, blockchain technologies are not permitted to be integrated inside our client and server applications, nor may Minecraft in-game content such as worlds, skins, persona items, or other mods, be utilized by blockchain technology to create a scarce digital asset," Mojang wrote. The update was apparently prompted by the fact that numerous Minecraft-associated NFTs and play-to-earn servers are already available, taking advantage of the gap in official policy and dividing the community into "the haves and the have-nots," Mojang said.

United States

Biden Administration Pushes To Close the Growing Cybersecurity Workforce Gap (cnn.com)

The Biden administration is pushing to fill hundreds of thousands of cybersecurity jobs in the United States as part of a bid to close a talent shortage US officials describe as both a national security challenge and an economic opportunity. From a report: On Tuesday, the administration announced a multi-agency plan to create hundreds of registered apprenticeship programs with the private sector to flesh out the nation's cybersecurity workforce -- and defend against a rising tide of data breaches, ransomware attacks and other hacking incidents. In a 120-day sprint, the US government will work with employers to establish apprenticeship programs in the cybersecurity industry, said Labor Secretary Marty Walsh, vowing to launch the joint program with the Department of Commerce "in as little as 48 hours."

The initiative draws funding from a wider $500 million Commerce Department program known as the Good Jobs Challenge, and will particularly focus on recruiting young people, women and minorities to train and work in the cybersecurity field, said Walsh and Commerce Secretary Gina Raimondo at a White House event on Tuesday focused on broader cyber workforce issues. The US government commitment highlights what officials describe as a critical lack of cybersecurity professionals in both government and the private sector who can help protect the nation from foreign adversaries and cybercriminals. Months ago, there were an estimated 500,000 unfilled cybersecurity positions in the United States, Raimondo said, but today that figure has exploded to more than 700,000, a 40% increase.

Security

Critical Flaws In GPS Tracker Enable 'Disastrous' and 'Life-Threatening' Hacks (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they're moving, track location histories, disarm alarms, and cut off fuel. An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered (PDF) what it said were six "severe" vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

The vulnerabilities include one tracked as CVE-2022-2107, a hardcoded password that carries a severity rating of 9.8 out of a possible 10. Micodus trackers use it as a master password. Hackers who obtain this passcode can use it to log in to the web server, impersonate the legitimate user, and send commands to the tracker through SMS communications that appear to come from the GPS user's mobile number. With this control, hackers can: Gain complete control of any GPS tracker; Access location information, routes, geofences, and track locations in real time; Cut off fuel to vehicles; and Disarm alarms and other features. A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hardcoded password used by the Micodus server, a reflected cross-site scripting error in the Web server, and an insecure direct object reference in the Web server. The other tracking designations include CVE-2022-2199, CVE-2022-34150, CVE-2022-33944.

The U.S. Cybersecurity and Infrastructure Security Administration is also warning about the risks posed by the critical security bugs. "Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms)," agency officials wrote.

Security

Russia Released a Ukrainian App For Hacking Russia That Was Actually Malware (vice.com)

Russian government hackers tried to trick Ukrainian and international volunteers into using a malicious Android app disguised as an app to launch Distributed Denial of Service (DDoS) attacks against Russian sites, according to new research published by Google on Tuesday. Motherboard reports: Since the beginning of the Russian invasion, Ukraine has resisted not only on the ground, but also online. A loose collective of technologists and hackers has organized under an umbrella quasi-hacktivist organization called the IT Army, and they have launched constant and persistent cyberattacks against Russian websites. The Russian government tried to turn this volunteer effort around to unmask Ukrainian hackers, in a smart, but ultimately failed attempt.

Google researchers wrote in the report that the app was created by the hacking group known as Turla, which several cybersecurity companies believe works for the Kremlin. [Shane Huntley, the head of the Google research team Threat Analysis Group] said that they were able to attribute this operation to Turla because they have tracked the group for a long time and have good visibility into their infrastructure and link it to this app. The hackers pretended to be a "community of free people around the world who are fighting russia's aggression" -- much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine's national guard. To add more credibility to the ruse they hosted the app on a domain "spoofing" the Azov Regiment: cyberazov[.]com.

The app actually didn't DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntley. "Now that they have an app that they control, and they see where it came from, they can actually work out what the infrastructure looks like, and work out where the people that are potentially doing these sorts of attacks are," Huntley said. Google said the fake app wasn't hosted on the Play Store, and that the number of installs "was miniscule." Still, it was a smart attempt to trick unknowing Ukrainians or people interested in working with Ukrainians to fall into the trap.

Security

Hack the Pump: Rising Prices Lead To More Reports of Gas Theft (nbcnews.com)

With gas prices at record highs in the U.S. in recent months, some people have turned to hacking the pump. From a report: Since prices spiked in March, police have arrested at least 22 people across the country for either digitally manipulating computers that manage gas pumps or installing homemade devices to discount their fuel, according to an NBC News review of police and local news reports.

The most common tactics aren't technologically sophisticated. Gas hackers take advantage of the fact that gas pump equipment in the U.S. is heavily standardized and largely relies on a handful of manufacturers that often don't include strong security protections. And some of the hacking tools are easily available online for purchase. While there's no formal law enforcement metric to measure the trend, 1 in 4 convenience-store gas station owners say fuel thefts have been rising since March, said Jeff Lenard, a vice president of the National Association of Convenience Stores, an industry group.

Cloud

Google, Oracle Cloud Servers Wilt in UK Heatwave, Take Down Websites (theregister.com)

Cloud services and servers hosted by Google and Oracle in the UK have dropped offline due to cooling issues as the nation experiences a record-breaking heatwave. From a report: When the mercury hit 40.3C (104.5F) in eastern England, the highest ever registered by a country not used to these conditions, datacenters couldn't take the heat. Selected machines were powered off to avoid long-term damage, causing some resources, services, and virtual machines to become unavailable, taking down unlucky websites and the like.

Multiple Oracle Cloud Infrastructure resources are offline, including networking, storage, and compute provided by its servers in the south of the UK. Cooling systems were blamed, and techies switched off equipment in a bid to prevent hardware burning out, according to a status update from Team Oracle. "As a result of unseasonal temperatures in the region, a subset of cooling infrastructure within the UK South (London) Data Centre has experienced an issue," Oracle said on Tuesday at 1638 UTC. "As a result some customers may be unable to access or use Oracle Cloud Infrastructure resources hosted in the region."

Security

US 'Disrupted' North Korean Hackers Who Breached Health Sector (bloomberg.com)

Federal investigators "disrupted" a North Korean state-sponsored hacking group that targeted US medical facilities and other health organizations, a top Justice Department official said Tuesday. From a report: The attacks included the targeting of a medical center in Kansas last year, Deputy Attorney General Lisa Monaco said, disabling the hospital's systems that store important data and run key equipment. Monaco said the government's investigation led to a public warning, with the Department of Homeland Security, about "Maui" ransomware targeting the health sector.

"The hospital's leadership faced an impossible choice: Give in to the ransom demand, or cripple the ability of the doctors and nurses to provide critical care," Monaco said at the International Conference on Cyber Security at Fordham University in New York. The Biden administration has increasingly warned of cyber threats from countries, including Russia, and has urged the private sector to do more to harden its security. The Cybersecurity and Infrastructure Security Agency, for instance, has widely published tips it said could help deter and mitigate potentially disruptive attacks.

Portables (Apple)

Apple Reaches $50 Million Settlement Over Defective MacBook Keyboards (reuters.com)

Apple agreed to pay $50 million to settle a class-action lawsuit by customers who claimed it knew and concealed that the "butterfly" keyboards on its MacBook laptop computers were prone to failure. From a report: The proposed preliminary settlement was filed late Monday night in the federal court in San Jose, California, and requires a judge's approval. Customers claimed that MacBook, MacBook Air and MacBook Pro keyboards suffered from sticky and unresponsive keys, and that tiny amounts of dust or debris could make it difficult to type.

They also said Apple's service program was inadequate because the Cupertino, California-based company often provided replacement keyboards with the same problems. The settlement covers customers who bought MacBook, MacBook Air and most MacBook Pro models between 2015 and 2019 in seven U.S. states: California, Florida, Illinois, Michigan, New Jersey, New York and Washington.