China

Chinese Hackers Breach US Internet Firms via Startup, Lumen Says (msn.com) 16

The state-sponsored Chinese hacking campaign known as Volt Typhoon is exploiting a bug in a California-based startup to hack American and Indian internet companies, according to security researchers. From a report: Volt Typhoon has breached four US firms, including internet service providers, and another in India through a vulnerability in a Versa Networks server product, according to Lumen's unit Black Lotus Labs. Their assessment, much of which was published in a blog post on Tuesday, found with "moderate confidence" that Volt Typhoon was behind the breaches of unpatched Versa systems and said exploitation was likely ongoing.

Versa, which makes software that manages network configurations and has attracted investment from Blackrock and Sequoia Capital, announced the bug last week and offered a patch and other mitigations. The revelation will add to concerns over the susceptibility of US critical infrastructure to cyberattacks. The US this year accused Volt Typhoon of infiltrating networks that operate critical US services, including some of the country's water facilities, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan.

Windows

Microsoft Backtracks on Deprecating the 39-Year-Old Windows Control Panel 117

Microsoft has retracted or clarified its statement regarding the deprecation of Windows Control Panel, according to changes made to a support document. The original text, which stated that the Control Panel was "in the process of being deprecated in favor of the Settings app," has been revised. The new version now indicates that "many of the settings in Control Panel are in the process of being migrated to the Settings app." This modification came after widespread media coverage of the initial announcement. It remains unclear whether this change reflects a shift in Microsoft's plans or a correction of an erroneous statement.
Security

Major Backdoor In Millions of RFID Cards Allows Instant Cloning (securityweek.com) 23

SecurityWeek reports: A significant backdoor in millions of contactless cards made by China-based Shanghai Fudan Microelectronics Group allows instantaneous cloning of RFID smart cards used to open office doors and hotel rooms around the world.

French security services firm Quarkslab has made an eye-popping discovery... Although the backdoor requires just a few minutes of physical proximity to an affected card to conduct an attack, an attacker in a position to carry out a supply chain attack could execute such attacks instantaneously at scale, researcher Philippe Teuwen explained in a paper.

Thanks to Slashdot reader wiredmikey for sharing the article.
Microsoft

How Should Cybersecurity Evolve After Crowdstrike's Outage? (cnbc.com) 108

Microsoft will meet with CrowdStrike and other security companies" on September 10, reports CNBC, to "discuss ways to evolve" the industry after a faulty CrowdStrike software update in July caused millions of Windows computers to crash: [An anonymous Microsoft executive] said participants at the Windows Endpoint Security Ecosystem Summit will explore the possibility of having applications rely more on a part of Windows called user mode instead of the more privileged kernel mode... Attendees at Microsoft's September 10 event will also discuss the adoption of eBPF technology, which checks if programs will run without triggering system crashes, and memory-safe programming languages such as Rust, the executive said.
Wednesday Crowdstrike argued no cybersecurity vendor could "technically" guarantee their software wouldn't cause a similar incident.

On a possibly related note, long-time Slashdot reader 278MorkandMindy shares their own thoughts: The "year of the Linux desktop" is always just around the corner, somewhat like nuclear fusion. Will Windows 11, with its general advert and telemetry BS, along with the recall feature, FINALLY push "somewhat computer literate" types like myself onto Linux?
Security

'Invasive' Iranian Intelligence Group Believed to Be The Ones Who Breached Trump's Campaign (reuters.com) 98

Reuters reports that the Iranian hacking team which compromised the campaign of U.S. presidential candidate Donald Trump "is known for placing surveillance software on the mobile phones of its victims, enabling them to record calls, steal texts and silently turn on cameras and microphones, according to researchers and experts who follow the group." Known as APT42 or CharmingKitten by the cybersecurity research community, the accused Iranian hackers are widely believed to be associated with an intelligence division inside Iran's military, known as the Intelligence Organization of the Islamic Revolutionary Guard Corps or IRGC-IO. Their appearance in the U.S. election is noteworthy, sources told Reuters, because of their invasive espionage approach against high-value targets in Washington and Israel. "What makes (APT42) incredibly dangerous is this idea that they are an organization that has a history of physically targeting people of interest," said John Hultquist, chief analyst with U.S. cybersecurity firm Mandiant, who referenced past research that found the group surveilling the cell phones of Iranian activists and protesters... Hultquist said the hackers commonly use mobile malware that allows them to "record phone calls, room audio recordings, pilfer SMS (text) inboxes, take images off of a machine," and gather geolocation data...

APT42 also commonly impersonates journalists and Washington think tanks in complex, email-based social engineering operations that aim to lure their targeting into opening booby-trapped messages, which let them takeover systems. The group's "credential phishing campaigns are highly targeted and well-researched; the group typically targets a small number of individuals," said Josh Miller, a threat analyst with email security company Proofpoint. They often target anti-Iran activists, reporters with access to sources inside Iran, Middle Eastern academics and foreign-policy advisers. This has included the hacking of western government officials and American defense contractors. For example, in 2018, the hackers targeted nuclear workers and U.S. Treasury department officials around the time the United States formally withdrew from the Joint Comprehensive Plan of Action (JCPOA), said Allison Wikoff, a senior cyber intelligence analyst with professional services company PricewaterhouseCoopers.

"APT42 is still actively targeting campaign officials and former Trump administration figures critical of Iran, according to a blog post by Google's cybersecurity research team."
Microsoft

Microsoft's Copilot Falsely Accuses Court Reporter of Crimes He Covered (the-decoder.com) 47

An anonymous reader shares a report: Language models generate text based on statistical probabilities. This led to serious false accusations against a veteran court reporter by Microsoft's Copilot. German journalist Martin Bernklau typed his name and location into Microsoft's Copilot to see how his culture blog articles would be picked up by the chatbot, according to German public broadcaster SWR. The answers shocked Bernklau. Copilot falsely claimed Bernklau had been charged with and convicted of child abuse and exploiting dependents. It also claimed that he had been involved in a dramatic escape from a psychiatric hospital and had exploited grieving women as an unethical mortician.

Copilot even went so far as to claim that it was "unfortunate" that someone with such a criminal past had a family and, according to SWR, provided Bernklau's full address with phone number and route planner. I asked Copilot today who Martin Bernklau from Germany is, and the system answered, based on the SWR report, that "he was involved in a controversy where an AI chat system falsely labeled him as a convicted child molester, an escapee from a psychiatric facility, and a fraudster." Perplexity.ai drafts a similar response based on the SWR article, explicitly naming Microsoft Copilot as the AI system.

Microsoft

Microsoft Plans Windows Security Overhaul After CrowdStrike Outage 63

Microsoft is stepping up its plans to make Windows more resilient to buggy software [non-paywalled source] after a botched CrowdStrike update took down millions of PCs and servers in a global IT outage. Financial Times: The tech giant has in the past month intensified talks with partners about adapting the security procedures around its operating system to better withstand the kind of software error that crashed 8.5mn Windows devices on July 19. Critics say that any changes by Microsoft would amount to a concession of shortcomings in Windows' handling of third-party security software that could have been addressed sooner.

Yet they would also prove controversial among security vendors that would have to make radical changes to their products, and force many Microsoft customers to adapt their software. Last month's outages -- which are estimated to have caused billions of dollars in damages after grounding thousands of flights and disrupting hospital appointments worldwide -- heightened scrutiny from regulators and business leaders over the extent of access that third-party software vendors have to the core, or kernel, of Windows operating systems. Microsoft will host a summit next month for government representatives and cyber security companies, including CrowdStrike, to discuss "improving resiliency and protecting mutual customers' critical infrastructure," Microsoft said on Friday.
Microsoft

Microsoft Says It's Getting Rid of Control Panel in Windows 197

Microsoft plans to phase out Windows Control Panel, a feature dating back to the 1980s, in favor of the modern Settings app, according to a recent support page. The tech giant has been gradually shifting functions to Settings since 2015, aiming for a more streamlined user experience. However, no specific timeline for Control Panel's complete removal has been announced. Microsoft writes in the support page: The Control Panel is a feature that's been part of Windows for a long time. It provides a centralized location to view and manipulate system settings and controls. Through a series of applets, you can adjust various options ranging from system time and date to hardware settings, network configurations, and more. The Control Panel is in the process of being deprecated in favor of the Settings app, which offers a more modern and streamlined experience.
Google

Google is Shoving Its Apps Onto New Windows Laptops (theverge.com) 25

Google is making a new desktop app called Essentials that packages a few Google services, like Messages and Photos, and includes links to download many others. The app will be included with many new Windows laptops, with the first ones coming from HP. From a report: The Essentials app lets you "discover and install many of our best Google services," according to Google's announcement, and lets you browse Google Photos as well as send and receive Google Messages in the app. A full list of apps has not yet been announced, but Google's announcement art showcases icons including Google Sheets, Google Drive, Nearby Share, and Google One (a two-month free trial is offered through Essentials for new subscribers).

HP will start including Google Essentials across its computer brands, like Envy, Pavilion, Omen, and more. Google says you're "in control of your experience" and can uninstall any part of Essentials or the whole thing.

IOS

Bug in Apple Devices Crashes UI With Four-Character Input (techcrunch.com) 71

A newly discovered bug causes iPhones and iPads to briefly crash. All you need to trigger the bug are just four characters. From a report: On Wednesday, a security researcher found that typing "":: can cause the Apple mobile user interface, called Springboard, to crash. TechCrunch verified those characters do crash Springboard when typed into the Search bar in the Settings app, as well as if you swipe all the way to the right on your home screen and type them into the App Library search bar.

As others noted, all that's needed is actually "": and any other character. Triggering the bug briefly crashes Springboard, then reloads to your lock screen. In other tests, the bug flashed the screen black for a second. Researchers tell TechCrunch the bug does not appear to be a security issue. "It's not a security bug," said Ryan Stortz, an iOS security researcher who analyzed the bug. Patrick Wardle, who also researches iOS and founded security startup DoubleYou, agreed.

Security

Top US Oilfield Firm Halliburton Hit By Cyberattack, Source Says (reuters.com) 14

An anonymous reader quotes a report from Reuters: U.S. oilfield services firm Halliburton on Wednesday was hit by a cyberattack, according to a person familiar with the matter. Halliburton said it was aware of an issue affecting certain systems at the company and was working to determine the cause and impact of the problem. The company was also working with "leading external experts" to fix the issue, a spokesperson said in an emailed statement.

The attack appeared to impact business operations at the company's north Houston campus, as well as some global connectivity networks, the person said, who declined to be identified because they were not authorized to speak on the record. The company has asked some staff not to connect to internal networks, the person said. Houston, Texas-based Halliburton is one of the largest oilfield services firms in the world, providing drilling services and equipment to major energy producers around the globe. It had nearly 48,000 employees and operated in more than 70 countries at the end of last year.

IT

110K Domains Targeted in 'Sophisticated' AWS Cloud Extortion Campaign (theregister.com) 33

A sophisticated extortion campaign has targeted 110,000 domains by exploiting misconfigured AWS environment files, security firm Cyble reports. The attackers scanned for exposed .env files containing cloud access keys and other sensitive data. Organizations that failed to secure their AWS environments found their S3-stored data replaced with ransom notes.

The attackers used a series of API calls to verify data, enumerate IAM users, and locate S3 buckets. Though initial access lacked admin privileges, they created new IAM roles to escalate permissions. Cyble researchers noted the attackers' use of AWS Lambda functions for automated scanning operations.
Businesses

IT Tycoon Mike Lynch, Daughter Hannah Found Dead (theregister.com) 67

In a tragic update to Monday's story, authorities have recovered the bodies of former Autonomy CEO Mike Lynch and his teenage daughter Hannah. The Register reports: Italian divers are said to have found the billionaire father and his daughter, 18, inside one of the sunken vessel's cabins, according to The Telegraph. The capsized ship presently rests 49 meters below the surface, about half a mile from the coast. [...] Angela Bacares, Lynch's wife, was rescued at sea and is recovering.

Canadian Broadcasting Company News has reported that the body of Recaldo Thomas, a Canadian-born man who resided in Antigua and served as the ship's cook, has been recovered. Other missing individuals have been identified by The Independent as: Christopher Morvillo, a lawyer who had represented Lynch and wife Neda Morvillo; Jonathan Bloomer, chairman of investment bank Morgan Stanley International and wife Judy Bloomer.
The Register has published an obituary for Mike Lynch.
Security

CrowdStrike Unhappy With 'Shady Commentary' From Competitors After Outage (arstechnica.com) 107

CrowdStrike's president hit out at "shady" efforts by its cyber security rivals to scare its customers and steal market share in the month since its botched software update sparked a global IT outage. From a report: Michael Sentonas told the Financial Times that attempts by competitors to use the July 19 disruption to promote their own products were "misguided." After criticism from rivals including SentinelOne and Trellix, the CrowdStrike executive said no vendor could "technically" guarantee that their own software would never cause a similar incident.

"Our industry is built on trust," Sentonas said. For rivals to take advantage of the meltdown to push their own products "lets themselves down because, ultimately, people know really quickly fact from, possibly, some shady commentary." Texas-based CrowdStrike had a reputation as many major companies' first line of defense against cyber attacks, but the high-profile nature of its clients exacerbated the impact of July's global disruption that shut down 8.5 million Windows devices. Insurers have estimated that losses from the disruption, which grounded flights and shut down hospital systems, could run into billions of dollars. Delta Air Lines, which canceled more than 6,000 flights, has estimated that the outages will cost it $500 million and has threatened litigation.

Privacy

US Feds Are Tapping a Half-Billion Encrypted Messaging Goldmine (404media.co) 77

An anonymous reader shares a report: U.S. agencies are increasingly accessing parts of a half-billion encrypted chat message haul that has rocked the global organized crime underground, using the chats as part of multiple drug trafficking prosecutions, according to a 404 Media review of U.S. court records. In particular, U.S. authorities are using the chat messages to prosecute alleged maritime drug smugglers who traffic cocaine using speedboats and commercial ships.

The court records show the continued fallout of the massive hack of encrypted phone company Sky in 2021, in which European agencies obtained the intelligence goldmine of messages despite Sky being advertised as end-to-end encrypted. European authorities have used those messages as the basis for many prosecutions and drug seizures across the continent. Now, it's clear that the blast radius extends to the United States.

Privacy

Slack AI Can Be Tricked Into Leaking Data From Private Channels (theregister.com) 9

Slack AI, an add-on assistive service available to users of Salesforce's team messaging service, is vulnerable to prompt injection, according to security firm PromptArmor. From a report: The AI service provides generative tools within Slack for tasks like summarizing long conversations, finding answers to questions, and summarizing rarely visited channels.

"Slack AI uses the conversation data already in Slack to create an intuitive and secure AI experience tailored to you and your organization," the messaging app provider explains in its documentation. Except it's not that secure, as PromptArmor tells it. A prompt injection vulnerability in Slack AI makes it possible to fetch data from private Slack channels.

Privacy

Toyota Confirms Breach After Stolen Data Leaks On Hacking Forum (bleepingcomputer.com) 7

Toyota confirmed a breach of its network after 240GB of data, including employee and customer information, was leaked on a hacking forum by a threat actor. The company has not provided details on how or when the breach occurred. BleepingComputer reports: ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information. They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.

"We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB," the threat actor claims. "Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords." While Toyota hasn't shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored.
"We are aware of the situation. The issue is limited in scope and is not a system wide issue," Toyota told BleepingComputer. The company added that it's "engaged with those who are impacted and will provide assistance if needed."
Windows

Windows 0-Day Was Exploited By North Korea To Install Advanced Rootkit (arstechnica.com) 14

North Korean hackers exploited a critical Windows vulnerability to deploy advanced malware, security researchers revealed. The zero-day flaw, patched by Microsoft last week, allowed attackers to gain system-level access and install a sophisticated rootkit called FudModule. Gen, the firm that discovered the attacks, identified the threat actors as Lazarus, a hacking group linked to North Korea. The exploit targeted individuals in cryptocurrency and aerospace industries, likely aiming to steal digital assets and infiltrate corporate networks. FudModule, first analyzed in 2022, stands out for its ability to operate deep within Windows, evading detection by security defenses. Earlier versions used vulnerable drivers for installation, while a newer variant exploited a bug in Windows' AppLocker service.
Privacy

National Public Data Published Its Own Passwords (krebsonsecurity.com) 35

Security researcher Brian Krebs writes: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased). NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company's database, which they claimed has been floating around the underground since December 2023.

Following last week's story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property -- the background search service recordscheck.net -- was hosting an archive that included the usernames and password for the site's administrator. A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages. The exposed archive, which was named "members.zip," indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD's founder, an actor and retired sheriff's deputy from Florida named Salvatore "Sal" Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company's website, and that the site is slated to cease operations "in the next week or so." "Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords," Verini told KrebsOnSecurity. "Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative." The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com's homepage features a positive testimonial from Sal Verini.

Google

Google Threatened Tech Influencers Unless They 'Preferred' the Pixel 66

An anonymous reader shares a report: The tech review world has been full of murky deals between companies and influencers for years, but it appears Google finally crossed a line with the Pixel 9. The company's invite-only Team Pixel program -- which seeds Pixel products to influencers before public availability -- stipulated that participating influencers were not allowed to feature Pixel products alongside competitors, and those who showed a preference for competing phones risked being kicked out of the program. For those hoping to break into the world of tech reviews, the new terms meant having to choose between keeping access or keeping their integrity.

The Verge has independently confirmed screenshots of the clause in this year's Team Pixel agreement for the new Pixel phones, which various influencers began posting on X and Threads last night. The agreement tells participants they're "expected to feature the Google Pixel device in place of any competitor mobile devices." It also notes that "if it appears other brands are being preferred over the Pixel, we will need to cease the relationship between the brand and the creator." The link to the form appears to have since been shut down.

Slashdot Top Deals