A person linked to a scam that tricked an elderly victim into transferring more than $100,000 formally requested the FBI give back his seized cryptocurrency, claiming in a petition to the agency that he is a part-time crypto investor and not doing anything illegal, according to a recently filed court record. From a report: 404 Media also reached the person by email and they largely repeated the same story. The request is an unusual sight, and, to be frank, probably not going to work. In the court record, authorities allege that the frozen funds are linked to a scam of a victim in the U.S. The document says authorities seized just under 18,500 Tether, valued at around $18,500, in July with a federal search warrant.

"Hello Sir/Ma'am, My name is Vishal Gautam," the request starts. "The funds which you have on hold that is a very big amount of money for me and my family, I request you to please release it from your custody. Thank You & Regards." The message says that Gautam lives in India and as well as investing in cryptocurrency, he is a "full-time Health Insurance" worker. "In the month of July 2023 suddenly my crypto from Binance got disappeared, I don't know how it happened but then I got to know that the FBI has put hold on my assets," the message continues. "I am not into something illegal and never will be, I will not do any such thing that can harm your country or your people in any manner." U.S. authorities, meanwhile, allege that the seized cash is connected to a fraud scheme that targeted a senior citizen in Knoxville, Iowa. In February, this victim opened an email on her iPad that claimed it had been compromised, and that she needed to contact the sender for assistance, according to the court record.

An anonymous reader quotes a report from TechCrunch: Michigan-based McLaren Health Care has confirmed that the sensitive personal and health information of 2.2 million patients was compromised during a cyberattack earlier this year. A ransomware gang later took credit for the cyberattack. In a new data breach notice filed with Maine's attorney general, McLaren said hackers were in its systems for three weeks during July 28 through August 23 before the healthcare company noticed a week later on August 31. McLaren said the hackers accessed patient names, their date of birth and Social Security number, and a wealth of medical information, including billing, claims and diagnosis information, prescription and medication details, and information relating to diagnostic results and treatments. Medicare and Medicaid patient information was also taken.

McLaren is a healthcare provider with 13 hospitals across Michigan and about 28,000 total employees. McLaren, whose website touts its cost efficiency measures, made over $6 billion in revenue in 2022. News of the incident broke in October when the Alphv ransomware gang (also known as BlackCat) claimed responsibility for the cyberattack, claiming it took millions of patients' personal information. Days after the cyberattack was disclosed, Michigan attorney general Dana Nessel warned state residents that the breach "could affect large numbers of patients." TechCrunch has seen several screenshots posted by the ransomware gang on its dark web leak site showing access to the company's password manager, internal financial statements, some employee information, and spreadsheets of patient-related personal and health information, including names, addresses, phone numbers, Social Security numbers, and diagnostic information. Alphv/BlackCat claimed in its post that the gang had been in contact with a McLaren representative, without providing evidence of the claim.

New York regulators Monday plan to issue cybersecurity regulations for hospitals, after a series of attacks crippled operations at medical facilities. From a report: Under draft rules reviewed by The Wall Street Journal, New York will require general hospitals to develop and test incident response plans, assess their cybersecurity risks and install security technologies such as multifactor authentication. Hospitals must also develop secure software design practices for in-house applications, and processes for testing the security of software from vendors. Hacking "is a threat to every hospital, and my firm belief is if we protect the hospital, we're protecting the patients," said James McDonald, health commissioner for New York state.

Healthcare facilities are popular targets for cybercriminals, particularly ransomware operators hoping for quick ransom payments from administrators worried about risks to patients if technology goes down. Hospitals also hold large amounts of sensitive personal information on their staff and patients, including health and financial data. In August, the largest healthcare accreditation body in the U.S. issued cybersecurity guidelines calling for hospitals to prepare for cyberattacks that could take down critical systems for a month or longer -- measures that will require significant investment. Hospitals need to put in place tools and processes that anticipate technology critical for life and safety could be down, and find alternative ways to work without those systems, the nonprofit Joint Commission said.

Australian telecoms provider Optus said on Monday that a massive outage which effectively cut off 40% of the country's population and triggered a political firestorm was caused by "changes to routing information" after a "routine software upgrade." From a report: More than 10 million Australians were hit by the 12-hour network blackout at the Singapore Telecommunications-owned telco on Nov. 8, triggering fury and frustration among customers and raising wider concerns about the telecommunications infrastructure.

Optus said in a statement that an initial investigation found the company's network was affected by "changes to routing information from an international peering network" early that morning, "following a routine software upgrade." It added: "These routing information changes propagated through multiple layers in our network and exceeded preset safety levels on key routers which could not handle these. This resulted in those routers disconnecting from the Optus IP Core network to protect themselves." The project to reconnect the routers was so large that "in some cases (it) required Optus to reconnect or reboot routers physically, requiring the dispatch of people across a number of sites in Australia", it added.

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established. ArsTechnica: Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.

The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host. While the percentage is infinitesimally small, the finding is nonetheless surprising for several reasons -- most notably because most SSH software in use has deployed a countermeasure for decades that checks for signature faults before sending a signature over the Internet. Another reason for the surprise is that until now, researchers believed that signature faults exposed only RSA keys used in the TLS -- or Transport Layer Security -- protocol encrypting Web and email connections. They believed SSH traffic was immune from such attacks because passive attackers -- meaning adversaries simply observing traffic as it goes by -- couldn't see some of the necessary information when the errors happened.

SysAid's system management software has "a vulnerability actively being exploited to deploy Clop ransomware," according to SiliconAngle: The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X that it had discovered the exploitation of a zero-day vulnerability in SysAid's IT support software that's being exploited by the Lace Tempest ransomware gang.

Lace Tempest first emerged earlier this year from its attacks involving the MOVEit Transfer and GoAnywhere MFT. This group has been characterized by its sophisticated attack methods, often exploiting zero-day vulnerabilities to infiltrate organizations' systems to deploy ransomware and exfiltrate sensitive data...

In a blog post, SysAid said that the vulnerability, tracked as CVE-2023-47246, was first discovered on Novembers 2 and is a path traversal vulnerability leading to code execution within the SysAid on-prem software... "Given the scale and impact of the MOVEit breach, which was considered one of the largest in recent history, the potential for the SysAid vulnerability to reach similar levels of disruption is not inconceivable, though several factors would influence this outcome," Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., told SiliconANGLE. "The MOVEit breach, exploited by the Clop ransomware group, impacted over 1,000 organizations and more than 60 million individuals," Jones explained. "Comparatively, SysAid claims more than 5,000 customers across various industries globally. The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied and the sensitivity of the accessed data."
SysAid's blog post confirms the zero-day vulnerability, and says they've begun "proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified..."

"We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network..." The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service [which] provided the attacker with unauthorized access and control over the affected system.Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan...

After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker's actions from the disk and the SysAid on-prem server web logs... Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and install any patches as they become available.

The senior security editor at Ars Technica writes: Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.

Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name "pyobfgood." Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developerâ(TM)s machine. Capabilities include:


- Exfiltrate detailed host information
- Steal passwords from the Chrome web browser
- Set up a keylogger
- Download files from the victim's system
- Capture screenshots and record both screen and audio
- Render the computer inoperative by ramping up CPU usage, inserting a batch script in the startup directory to shut down the PC, or forcing a BSOD error with a Python script
- Encrypt files, potentially for ransom
- Deactivate Windows Defender and Task Manager
- Execute any command on the compromised host


In all, pyobfgood and the previous seven tools were installed 2,348 times. They targeted developers using the Python programming language... Downloads of the package came primarily from the US (62%), followed by China (12%) and Russia (6%)
Ars Technica concludes that "The never-ending stream of attacks should serve as a cautionary tale underscoring the importance of carefully scrutinizing a package before allowing it to run."

An anonymous reader quotes a report from The Record: One of the nation's largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients. In an agreement announced on Wednesday, New York Attorney General Letitia James said US Radiology failed to remediate a vulnerability announced by security company SonicWall in January 2021. US Radiology used the company's firewall to protect its network and provide managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York.

The vulnerability highlighted by the attorney general -- CVE-2021-20016 -- was used by ransomware gangs in several attacks. US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed "due to competing priorities and resource restraints." The vulnerability was never addressed, and the company was attacked by an unnamed ransomware gang on December 8, 2021.

An investigation determined that the hacker was able to gain access to files that included the names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers of 198,260 patients. The data exposed during the incident also included driver's license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers. [...] In addition to the $450,000 penalty, the company will have to upgrade its IT network, hire someone to manage its data security program, encrypt all sensitive patient information and develop a penetration testing program. The company will have to delete patient data "when there is no reasonable business purpose to retain it" and submit compliance reports to the state for two years. "When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care," said Attorney General James. "US Radiology failed to protect New Yorkers' data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems."

Despite having a population of just 1,400, until recently, Tokelau's .tk domain had more users than any other country. Here's why: Tokelau, a necklace of three isolated atolls strung out across the Pacific, is so remote that it was the last place on Earth to be connected to the telephone-- only in 1997. Just three years later, the islands received a fax with an unlikely business proposal that would change everything. It was from an early internet entrepreneur from Amsterdam, named Joost Zuurbier. He wanted to manage Tokelau's country-code top-level domain, or ccTLD -- the short string of characters that is tacked onto the end of a URL. Up until that moment, Tokelau, formally a territory of New Zealand, didn't even know it had been assigned a ccTLD. "We discovered the .tk," remembered Aukusitino Vitale, who at the time was general manager of Teletok, Tokelau's sole telecom operator.

Zuurbier said "that he would pay Tokelau a certain amount of money and that Tokelau would allow the domain for his use," remembers Vitale. It was all a bit of a surprise -- but striking a deal with Zuurbier felt like a win-win for Tokelau, which lacked the resources to run its own domain. In the model pioneered by Zuurbier and his company, now named Freenom, users could register a free domain name for a year, in exchange for having advertisements hosted on their websites. If they wanted to get rid of ads, or to keep their website active in the long term, they could pay a fee.

In the succeeding years, tiny Tokelau became an unlikely internet giant -- but not in the way it may have hoped. Until recently, its .tk domain had more users than any other country's: a staggering 25 million. But there has been and still is only one website actually from Tokelau that is registered with the domain: the page for Teletok. Nearly all the others that have used .tk have been spammers, phishers, and cybercriminals. Everyone online has come across a .tk -- even if they didn't realize it. Because .tk addresses were offered for free, unlike most others, Tokelau quickly became the unwitting host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users. Scammers began using .tk websites to do everything from harvesting passwords and payment information to displaying pop-up ads or delivering malware.

An anonymous reader shares a report: A young man sits in a car, pointing a cellphone camera out of the window, seemingly trying to remain undetected. As he breathes heavily in anticipation, he peers at a T-Mobile store across the road from where he is parked.

Suddenly, there is some commotion inside. An accomplice grabs something off a table where a T-Mobile employee is sitting. The accomplice, dressed in a mask and black baseball cap, then bursts out of the store and clumsily sprints towards the car. The man in the vehicle starts laughing, then giggling uncontrollably like a child. The pair got what they came for: a T-Mobile employee's tablet, the sort workers use everyday when dealing with customer support issues or setting up a new phone.

To the people in the car, what this tablet is capable of is much more valuable than iPad hardware itself. The tablet lets them essentially become T-Mobile. It can grant them the ability to take over target phone numbers, and redirect any text messages or calls for the victim to the hacker's own device, as part of a hack called a SIM swap. From there, they can easily break into email, cryptocurrency, and social media accounts.

Microsoft has invested billions of dollars in OpenAI. But for a brief time on Thursday, employees of the software company weren't allowed to use the startup's most famous product, ChatGPT, CNBC reported. From a report: "Due to security and data concerns a number of AI tools are no longer available for employees to use," Microsoft said in an update on an internal website. "While it is true that Microsoft has invested in OpenAI, and that ChatGPT has built-in safeguards to prevent improper use, the website is nevertheless a third-party external service," Microsoft said. "That means you must exercise caution using it due to risks of privacy and security. This goes for any other external AI services, such as Midjourney or Replika, as well."

The company initially said it was banning ChatGPT and design software Canva, but later removed a line in the advisory that included those products. After initial publication of this story, Microsoft reinstated access to ChatGPT. In a statement to CNBC, Microsoft said the ChatGPT temporary blockage was a mistake resulting from a test of systems for large language models. "We were testing endpoint control systems for LLMs and inadvertently turned them on for all employees," a spokesperson said. "We restored service shortly after we identified our error. As we have said previously, we encourage employees and customers to use services like Bing Chat Enterprise and ChatGPT Enterprise that come with greater levels of privacy and security protections."

An anonymous reader shares a report: On Thursday, trades handled by the world's largest bank in the globe's biggest market traversed Manhattan on a USB stick. Industrial & Commercial Bank of China's U.S. unit had been hit by a cyberattack, rendering it unable to clear swathes of U.S. Treasury trades after entities responsible for settling the transactions swiftly disconnected from the stricken systems. That forced ICBC to send the required settlement details to those parties by a messenger carrying a thumb drive as the state-owned lender raced to limit the damage.

The workaround -- described by market participants -- followed the attack by suspected perpetrator Lockbit, a prolific criminal gang with ties to Russia that has also been linked to hits on Boeing, ION Trading U.K. and the U.K.'s Royal Mail. The strike caused immediate disruption as market-makers, brokerages and banks were forced to reroute trades, with many uncertain when access would resume. The incident spotlights a danger that bank leaders concede keeps them up at night -- the prospect of a cyber attack that could someday cripple a key piece of the financial system's wiring, setting off a cascade of disruptions. Even brief episodes prompt bank leaders and their government overseers to call for more vigilance.

Michael Kan reports via PCMag: Encrypted messaging service Signal is now testing usernames, which will offer people a more private way to share their contact details on the app. Signal kicked off the public test today through a new beta build available in its community forums. "After rounds of internal testing, we have hit the point where we think the community that powers these forums can help us test even further before public launch," says Signal VP of Engineering Jim O'Leary.

The development is a big deal since Signal -- an end-to-end encrypted messaging app -- has long required users to sign up with a phone number. That same number also needs to be shared in order to message other users on the app. This can be problematic since sharing your phone number exposes you to privacy and hacking risks. For example, a contact on Signal could choose to call and message your number over an unencrypted cellular network or pass off the number to someone else.

An anonymous reader quotes a report from TechCrunch: The government of Maine has confirmed over a million state residents had personal information stolen in a data breach earlier this year by a Russia-linked ransomware gang. In a statement published Thursday, the Maine government said hackers exploited a vulnerability in its MOVEit file-transfer system, which stored sensitive data on state residents. The hackers used the vulnerability to access and download files belonging to certain state agencies between May 28 and May 29, the statement read. The Maine government said it was disclosing the incident and notifying affected residents as its assessment of the impacted files "was recently completed."

Maine said that the stolen information may include a person's name, date of birth, Social Security number, driver's license and other state or taxpayer identification numbers. Some individuals had medical and health insurance information taken. The statement said the state holds information about residents "for various reasons, such as residency, employment, or interaction with a state agency," and that the data it holds varies by person. According to the state's breakdown of which agencies are affected, more than half of the stolen data relates to Maine's Department of Health and Human Services, with up to about a third of the data affecting the Maine's Department of Education. The remaining data affects various other agencies, including Maine's Bureau of Motor Vehicles and Maine's Department of Corrections, though the government notes that the breakdown of information is subject to change. More than 1.3 million people live in the state of Maine, according to the U.S. Census Bureau.

An anonymous reader quotes a report from SecurityWeek: Mortgage giant Mr. Cooper on Thursday announced that it has shut down certain systems after falling victim to a cyberattack, which resulted in its operations being suspended. The attack occurred on October 31 and prompted an immediate response, including containment measures that involved taking down some systems. The shutdown, the company says in an incident notice on its website, prevents it from processing customer payments temporarily, but such operations will resume as soon as systems are restored. Mr. Cooper says it is currently investigating the potential compromise of customer data, and that it will notify all those whose data might have been impacted by the attack. Headquartered in the Dallas, Texas, area, Mr. Cooper is one of the largest mortgage servicers in the US, with approximately 4.3 million customers. While it remains unclear what kind of cyberattack hit Mr. Cooper's systems, the mortgage and loan giant did confirm that customer data was compromised. However, banking information does not appear to be impacted. "Mr. Cooper does not store banking information related to mortgage payments on our systems. This information is hosted with a third-party provider and, based on the information we have to date, we do not believe it was affected by this incident," the company added.

According to TechCrunch, citing a filing with the U.S. Securities and Exchange Commission, Mr. Cooper said it "expects to incur up to $10 million in additional vendor costs during its fiscal fourth quarter, adding that it does not expect a material impact to its business."

As AMD is now well into their third generation of RDNA architecture GPUs, the sun has been slowly setting on AMD's remaining Graphics Core Next (GCN) designs, better known by the architecture names of Polaris and Vega. From a report: In recent weeks the company dropped support for those GPU architectures in their open source Vulkan Linux driver, AMDVLK, and now we have confirmation that the company is slowly winding down support for these architectures in their Windows drivers as well. Under AMD's extended driver support schedule for Polaris and Vega, the drivers for these architectures will no longer be kept at feature parity with the RDNA architectures. And while AMD will continue to support Polaris and Vega for some time to come, that support is being reduced to security updates and "functionality updates as available."

For AMD users keeping a close eye on their driver releases, they'll likely recognize that AMD already began this process back in September -- though AMD hasn't officially documented the change until now. As of AMD's September Adrenaline 23.9 driver series, AMD split up the RDNA and GCN driver packages, and with that they have also split the driver branches between the two architectures. As a result, only RDNA cards are receiving new features and updates as part of AMD's mainline driver branch (currently 23.20), while the GCN cards have been parked on a maintenance driver branch - 23.19.

Microsoft now wants you to explain exactly why you're attempting to close its OneDrive for Windows app before it allows you to do so. From a report: Neowin has spotted that the latest update to OneDrive now includes an annoying dialog box that asks you to select the reason why you're closing the app every single time you attempt to close OneDrive from the taskbar. Closing OneDrive is already buried away and not a simple task, with Microsoft hiding it under a "pause syncing" option when you right-click on OneDrive in the taskbar. But now, the quit option is grayed out until you select a reason for quitting OneDrive from a drop-down box. Here are the options:
1. I don't want OneDrive running all the time
2. I don't know what OneDrive is
3. I don't use OneDrive
4. I'm trying to fix a problem with OneDrive
5. I'm trying to speed up my computer
6. I get too many notifications
7. Other

The App Defense Alliance (ADA), an initiative set up by Google back in 2019 to combat malicious Android apps infiltrating the Play app store, has joined the Joint Development Foundation (JDF), a Linux Foundation project focused on helping organizations working on technical specifications, standards, and related efforts. From a report: The App Defense Alliance had, in fact, already expanded beyond its original Android malware detection roots, covering areas such as malware mitigation, mobile app security assessments (MASA), and cloud app security assessments (CASA). And while its founding members included mobile security firms such as ESET, Lookout and Zimperium, it has ushered in new members through the years including Trend Micro and McAfee. Today's news, effectively, sees ADA join an independent foundation, a move designed to open up the appeal to other big tech companies, such as Facebook parent Meta and Microsoft, both of which are now joining the ADA's steering committee. The ultimate goal is to "improve app security" through fostering greater "collaborative implementation of industry standards," according to a joint statement today.

Google is coming for Honey and other deal-finding tools by introducing new features on Search and Chrome to help users find discounts. From a report: The tech giant announced on Tuesday that it's adding a designated page for deals on Search, while Chrome is getting features that proactively look for discount codes and provide users with price insights. The new deals search results page on Search is designed to help users find products that are on sale from across the web in one designated spot. The page will display deals in categories like apparel, electronics, toys and beauty. You'll also find deals from different types of merchants, including big box stores, DTC brands, luxury multi-brand retailers, designer labels and local stores.

Users can scroll through deals by category and also see popular stores that have deals on what you're looking for. If you see something you're interested in, you can click on the product or visit the merchant site to learn more. Google says that if you're signed into your Google account, the page will take into account what you usually like to shop. To access the new deals page, you need to search "shop deals." Or, if you're looking for something specific, you can search for categories like "shop sneaker deals."

Tech groups have called on ministers to clarify the extent of proposed powers that they fear would allow the UK government to intervene and block the rollout of new privacy features for messaging apps. FT: The Investigatory Powers Amendment Bill, which was set out in the King's Speech on Tuesday, would oblige companies to inform the Home Office in advance about any security or privacy features they want to add to their platforms, including encryption. At present, the government has the power to force telecoms companies and messaging platforms to supply data on national security grounds and to help with criminal investigations.

The new legislation was designed to "recalibrate" those powers to respond to risks posed to public safety by multinational tech companies rolling out new services that "preclude lawful access to data," the government said. But Meredith Whittaker, president of private messaging group Signal, urged ministers to provide more clarity on what she described as a "bellicose" proposal amid fears that, if enacted, the new legislation would allow ministers and officials to veto the introduction of new safety features. "We will need to see the details, but what is being described suggests an astonishing level of technically confused government over-reach that will make it nearly impossible for any service, homegrown or foreign, to operate with integrity in the UK," she told the Financial Times.