Security

UnitedHealth Says Change Healthcare Hacked by Nation State, as US Pharmacy Outages Drag On 15

U.S. health insurance giant UnitedHealth Group said Thursday in a filing with government regulators that its subsidiary Change Healthcare was compromised likely by government-backed hackers. From a report: In a filing Thursday, UHG blamed the ongoing cybersecurity incident affecting Change Healthcare on suspected nation state hackers but said it had no timeframe for when its systems would be back online. UHG did not attribute the cyberattack to a specific nation or government, or cite what evidence it had to support its claim.

Change Healthcare provides patient billing across the U.S. healthcare system. The company processes billions of healthcare transactions annually and claims it handles around one-in-three U.S. patient records, amounting to around a hundred million Americans. The cyberattack began early Wednesday, according to the company's incident tracker.
Security

US Health Tech Giant Change Healthcare Hit by Cyberattack (techcrunch.com) 17

U.S. healthcare technology giant Change Healthcare has confirmed a cyberattack on its systems. In a brief statement, the company said it was "experiencing a network interruption related to a cyber security issue." From a report: "Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact," Change Healthcare wrote on its status page. "The disruption is expected to last at least through the day."

The incident began early on Tuesday morning on the U.S. East Coast, according to the incident tracker. The specific nature of the cybersecurity incident was not disclosed. Most of the login pages for Change Healthcare were inaccessible or offline when TechCrunch checked at the time of writing. Michigan local newspaper the Huron Daily Tribune is reporting that local pharmacies are experiencing outages due to the Change Healthcare cyberattack.

China

Leaked Hacking Files Show Chinese Spying On Citizens and Foreigners Alike (pbs.org) 18

An anonymous reader quotes a report from PBS: Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government -- a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners. Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China's far west. The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any especially novel or potent tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists. They reveal, in detail, methods used by Chinese authorities used to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media.

The documents show apparent I-Soon hacking of networks across Central and Southeast Asia, as well as Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory. The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into email and hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks. I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said I-Soon held a meeting Wednesday about the leak and were told it wouldn't affect business too much and to "continue working as normal." The AP is not naming the employees -- who did provide their surnames, per common Chinese practice -- out of concern about possible retribution. The source of the leak is not known.
Jon Condra, an analyst with Recorded Future, a cybersecurity company, called it the most significant leak ever linked to a company "suspected of providing cyber espionage and targeted intrusion services for the Chinese security services." According to Condra, citing the leaked material, I-Soon's targets include governments, telecommunications firms abroad and online gambling companies within China.
Bug

Firefly Software Snafu Sends Lockheed Satellite on Short-Lived Space Safari (theregister.com) 25

A software error on the part of Firefly Aerospace doomed Lockheed Martin's Electronic Steerable Antenna (ESA) demonstrator to a shorter-than-expected orbital life following a botched Alpha launch. From a report: According to Firefly's mission update, the error was in the Guidance, Navigation, and Control (GNC) software algorithm, preventing the system from sending the necessary pulse commands to the Reaction Control System (RCS) thrusters before the relight of the second stage. The result was that Lockheed's payload was left in the wrong orbit, and Firefly's engineers were left scratching their heads.

The launch on December 22, 2023 -- dubbed "Fly the Lightning" -- seemed to go well at first. It was the fourth for the Alpha, and after Firefly finally registered a successful launch a few months earlier in September, initial indications looked good. However, a burn of the second stage to circularize the orbit did not go to plan, and Lockheed's satellite was left in the wrong orbit, with little more than weeks remaining until it re-entered the atmosphere.

As it turned out, the Lockheed team completed their primary mission objectives. The payload was, after all, designed to demonstrate faster on-orbit sensor calibration. Just perhaps not quite that fast. Software issues aboard spacecraft are becoming depressingly commonplace. A recent example was the near disastrous first launch of Boeing's CST-100 Starliner, where iffy code could have led, in NASA parlance, to "spacecraft loss." In a recent interview with The Register, former Voyager scientist Garry Hunt questioned if the commercial spaceflight sector of today would take the same approach to quality as the boffins of the past.

Encryption

Apple Rolls Out iMessage Upgrade To Withstand Decryption By Quantum Computers (yahoo.com) 42

Apple is rolling out an upgrade to its iMessage texting platform to defend against future encryption-breaking technologies. From a report: The new protocol, known as PQ3, is another sign that U.S. tech firms are bracing for a potential future breakthrough in quantum computing that could make current methods of protecting users' communications obsolete. "More than simply replacing an existing algorithm with a new one, we rebuilt the iMessage cryptographic protocol from the ground up," an Apple blog post published on Wednesday reads. "It will fully replace the existing protocol within all supported conversations this year."

The Cupertino, California-based iPhone maker says its encryption algorithms are state-of-the-art and that it has found no evidence so far of a successful attack on them. Still, government officials and scientists are concerned that the advent of quantum computers, advanced machines that tap in to the properties of subatomic particles, could suddenly and dramatically weaken those protections. Late last year, a Reuters investigation explored how the United States and China are racing to prepare for that moment, dubbed "Q-Day," both by pouring money into quantum research and by investing in new encryption standards known as post-quantum cryptography. Washington and Beijing have traded allegations of intercepting massive amounts of encrypted data in preparation for Q-Day, an approach sometimes dubbed "catch now, crack later."
More on Apple's security blog.
Security

Fingerprints Can Be Recreated From the Sounds Made When Swiping On a Touchscreen (tomshardware.com) 42

An anonymous reader quotes a report from Tom's Hardware: An interesting new attack on biometric security has been outlined by a group of researchers from China and the US. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound [PDF] proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). The attack leverages the sound characteristics of a user's finger swiping on a touchscreen to extract fingerprint pattern features. Following tests, the researchers assert that they can successfully attack "up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%." This is claimed to be the first work that leverages swiping sounds to infer fingerprint information.

Without contact prints or finger detail photos, how can an attacker hope to get any fingerprint data to enhance MasterPrint and DeepMasterPrint dictionary attack results on user fingerprints? One answer is as follows: the PrintListener paper says that "finger-swiping friction sounds can be captured by attackers online with a high possibility." The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name -- PrintListener. [...]

To prove the theory, the scientists practically developed their attack research as PrintListener. In brief, PrintListener uses a series of algorithms for pre-processing the raw audio signals which are then used to generate targeted synthetics for PatternMasterPrint (the MasterPrint generated by fingerprints with a specific pattern). Importantly, PrintListener went through extensive experiments "in real-world scenarios," and, as mentioned in the intro, can facilitate successful partial fingerprint attacks in better than one in four cases, and complete fingerprint attacks in nearly one in ten cases. These results far exceed unaided MasterPrint fingerprint dictionary attacks.

Microsoft

Microsoft Publisher Books Its Retirement Party for 2026 (theregister.com) 26

Microsoft is confirming plans to deprecate its Publisher application in 2026. From a report: This writer has fond memories of Microsoft Publisher, which started life in 1991 as a desktop publisher for Windows 3.0. While alternatives existed in the form of Ventura Publisher, Timeworks, and later QuarkXPress, Microsoft Publisher was a useful tool to write newsletters. Unlike Word, Publisher was focused on layout and page design. Though it lacked many of the features of its competitors, it was responsible for some genuinely horrendous designs, and was popular due to its cheap price.

Despite not finding much favor with professionals, Microsoft Publisher continued to be updated over the years. Microsoft Publisher 97 was the first to turn up in the Microsoft Office suite, and the most recent edition, released in 2021, is available as part of Microsoft 365. However, all good things -- and Publisher -- must come to an end. Microsoft has warned that the end is nigh for its venerable designer. "In October 2026, Microsoft Publisher will reach its end of life," the company said. "After that time, it will no longer be included in Microsoft 365, and existing on-premises suites will no longer be supported. Until then, support for Publisher will continue, and users can expect the same experience as today."

Iphone

Apple Officially Warns Users To Stop Putting Wet iPhones in Rice (gizmodo.com) 121

An anonymous reader shares a report: In a recent support document, Apple states that putting wet devices in a bag of rice could "allow small particles of rice to damage your iPhone," although it doesn't go into further detail. The company also recommended against using other well-known hacks, such as using an external heat source to dry the phone or sticking a cotton swab into the connector. The company's warning on rice coincides with those of other repair experts, who have found that the rice hack works slower than simply leaving your iPhone on a counter to dry. Time is crucial in these situations, as the most important thing is to prevent the water from damaging the electronics inside the phone.
Encryption

Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private (wired.com) 38

Encrypted messaging app Signal has launched new feature allowing users to conceal their phone numbers and instead use usernames, in a move aimed at boosting privacy protections long sought by cybersecurity experts and privacy advocates. From a report: Rather than give your phone number to other Signal contacts as the identifier they use to begin a conversation with you, in other words, you can now choose to be discoverable via a chosen handle -- or even to prevent anyone who does have your phone number from finding you on Signal.

The use of phone numbers has long been perhaps the most persistent criticism of Signal's design. These new privacy protections finally offer a fix, says Meredith Whittaker, Signal's executive director. "We want to build a communications app that everyone in the world can easily use to connect with anyone else privately. That 'privately' is really in bold, underlined, in italics," Whittaker tells WIRED. "So we're extremely sympathetic to people who might be using Signal in high-risk environments who say, 'The phone number is really sensitive information, and I don't feel comfortable having that disseminated broadly.'"

IT

Adobe Acrobat Adds Generative AI To 'Easily Chat With Documents' (theverge.com) 31

Adobe is adding a new generative AI experience to its Acrobat PDF management software, which aims to "completely transform the digital document experience" by making information in long documents easier to find and understand. From a report: Announced in Adobe's press release as "AI Assistant in Acrobat," the new tool is described as a "conversational engine" that can summarize files, answer questions, and recommend more based on the content, allowing users to "easily chat with documents" to get the information they need. It's available in beta starting today for paying Acrobat users.

The idea is that the chatbot will reduce the time-consuming tasks related to working with massive text documents -- such as helping students quickly find information for research projects or summarizing large reports into snappy highlights for emails, meetings, and presentations. AI Assistant in Acrobat can be used with all document formats supported by the app, including Word and PowerPoint. The chatbot abides by Adobe's data security protocols, so it won't store data from customer documents or use it to train AI Assistant.
The new AI Assistant experience is available for Acrobat customers on Standard ($12.99 per month) and Pro ($19.99 per month) plans.
Security

International Law Enforcement Disrupts LockBit Ransomware (sky.com) 13

A coalition of global law enforcement agencies including the FBI and UK National Crime Agency have taken control of the LockBit ransomware gang's dark web site, replacing it with a notice saying their services had been disrupted by joint international action. The "Operation Cronos" task force includes Europol and enforcement agencies from a dozen countries across Europe, Asia and North America. LockBit is a prolific ransomware group that hacks corporate networks then threatens to leak stolen data unless ransom demands are paid. The notice said the operation against them was "ongoing and developing."
Microsoft

Microsoft Fixes Edge Browser Bug That Was Stealing Chrome Tabs and Data 49

An anonymous reader shared an news report: Microsoft has fixed an issue where its Edge browser was again misbehaving, this time by automatically importing browsing data and tabs from Chrome without consent. I personally experienced the bug last month, after I rebooted my PC for a regular Windows update and Microsoft Edge automatically opened with the Chrome tabs I was working on before the update. I asked Microsoft repeatedly to explain why this behavior had occurred for myself and many other Windows users, but the company refused to comment. Microsoft has now quietly issued a fix in the latest Microsoft Edge update.

Here's how Microsoft describes the fix: "Edge has a feature that provides an option to import browser data on each launch from other browsers with user consent. This feature's state might not have been syncing and displaying correctly across multiple devices. This is fixed."
Security

MIT Researchers Build Tiny Tamper-Proof ID Tag Utilizing Terahertz Waves (mit.edu) 42

A few years ago, MIT researchers invented a cryptographic ID tag — but like traditional RFID tags, "a counterfeiter could peel the tag off a genuine item and reattach it to a fake," writes MIT News.

"The researchers have now surmounted this security vulnerability by leveraging terahertz waves to develop an antitampering ID tag that still offers the benefits of being tiny, cheap, and secure." They mix microscopic metal particles into the glue that sticks the tag to an object, and then use terahertz waves to detect the unique pattern those particles form on the item's surface. Akin to a fingerprint, this random glue pattern is used to authenticate the item, explains Eunseok Lee, an electrical engineering and computer science (EECS) graduate student and lead author of a paper on the antitampering tag. "These metal particles are essentially like mirrors for terahertz waves. If I spread a bunch of mirror pieces onto a surface and then shine light on that, depending on the orientation, size, and location of those mirrors, I would get a different reflected pattern. But if you peel the chip off and reattach it, you destroy that pattern," adds Ruonan Han, an associate professor in EECS, who leads the Terahertz Integrated Electronics Group in the Research Laboratory of Electronics.

The researchers produced a light-powered antitampering tag that is about 4 square millimeters in size. They also demonstrated a machine-learning model that helps detect tampering by identifying similar glue pattern fingerprints with more than 99 percent accuracy. Because the terahertz tag is so cheap to produce, it could be implemented throughout a massive supply chain. And its tiny size enables the tag to attach to items too small for traditional RFIDs, such as certain medical devices...

"These responses are impossible to duplicate, as long as the glue interface is destroyed by a counterfeiter," Han says. A vendor would take an initial reading of the antitampering tag once it was stuck onto an item, and then store those data in the cloud, using them later for verification."

Seems like the only way to thwart that would be carving out the part of the surface where the tag was affixed — and then pasting the tag, glue, and what it adheres to all together onto some other surface. But more importantly, Han says they'd wanted to demonstrate "that the application of the terahertz spectrum can go well beyond broadband wireless."

In this case, you can use terahertz for ID, security, and authentication. There are a lot of possibilities out there."
AI

'Luddite' Tech-Skeptics See Bad AI Outcomes for Labor - and Humanity (theguardian.com) 202

"I feel things fraying," says Nick Hilton, host of a neo-luddite podcast called The Ned Ludd Radio Hour.

But he's one of the more optimistic tech skeptics interviewed by the Guardian: Eliezer Yudkowsky, a 44-year-old academic wearing a grey polo shirt, rocks slowly on his office chair and explains with real patience — taking things slowly for a novice like me — that every single person we know and love will soon be dead. They will be murdered by rebellious self-aware machines.... Yudkowsky is the most pessimistic, the least convinced that civilisation has a hope. He is the lead researcher at a nonprofit called the Machine Intelligence Research Institute in Berkeley, California... "If you put me to a wall," he continues, "and forced me to put probabilities on things, I have a sense that our current remaining timeline looks more like five years than 50 years. Could be two years, could be 10." By "remaining timeline", Yudkowsky means: until we face the machine-wrought end of all things...

Yudkowsky was once a founding figure in the development of human-made artificial intelligences — AIs. He has come to believe that these same AIs will soon evolve from their current state of "Ooh, look at that!" smartness, assuming an advanced, God-level super-intelligence, too fast and too ambitious for humans to contain or curtail. Don't imagine a human-made brain in one box, Yudkowsky advises. To grasp where things are heading, he says, try to picture "an alien civilisation that thinks a thousand times faster than us", in lots and lots of boxes, almost too many for us to feasibly dismantle, should we even decide to...

[Molly Crabapple, a New York-based artist, believes] "a luddite is someone who looks at technology critically and rejects aspects of it that are meant to disempower, deskill or impoverish them. Technology is not something that's introduced by some god in heaven who has our best interests at heart. Technological development is shaped by money, it's shaped by power, and it's generally targeted towards the interests of those in power as opposed to the interests of those without it. That stereotypical definition of a luddite as some stupid worker who smashes machines because they're dumb? That was concocted by bosses." Where a techno-pessimist like Yudkowsky would have us address the biggest-picture threats conceivable (to the point at which our fingers are fumbling for the nuclear codes) neo-luddites tend to focus on ground-level concerns. Employment, especially, because this is where technology enriched by AIs seems to be causing the most pain....

Watch out, says [writer/podcaster Riley] Quinn at one point, for anyone who presents tech as "synonymous with being forward-thinking and agile and efficient. It's typically code for 'We're gonna find a way around labour regulations'...." One of his TrashFuture colleagues Nate Bethea agrees. "Opposition to tech will always be painted as irrational by people who have a direct financial interest in continuing things as they are," he says.

Thanks to Slashdot reader fjo3 for sharing the article.
Open Source

Linux Becomes a CVE Numbering Authority (Like Curl and Python). Is This a Turning Point? (kroah.com) 20

From a blog post by Greg Kroah-Hartman: As was recently announced, the Linux kernel project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux.

This is a trend, of more open source projects taking over the haphazard assignments of CVEs against their project by becoming a CNA so that no other group can assign CVEs without their involvment. Here's the curl project doing much the same thing for the same reasons. I'd like to point out the great work that the Python project has done in supporting this effort, and the OpenSSF project also encouraging it and providing documentation and help for open source projects to accomplish this. I'd also like to thank the cve.org group and board as they all made the application process very smooth for us and provided loads of help in making this all possible.

As many of you all know, I have talked a lot about CVEs in the past, and yes, I think the system overall is broken in many ways, but this change is a way for us to take more responsibility for this, and hopefully make the process better over time. It's also work that it looks like all open source projects might be mandated to do with the recent rules and laws being enacted in different parts of the world, so having this in place with the kernel will allow us to notify all sorts of different CNA-like organizations if needed in the future.

Kroah-Hartman links to his post on the kernel mailing list for "more details about how this is all going to work for the kernel." [D]ue to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team are overly cautious and assign CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team...

No CVEs will be assigned for unfixed security issues in the Linux kernel, assignment will only happen after a fix is available as it can be properly tracked that way by the git commit id of the original fix. No CVEs will be assigned for any issue found in a version of the kernel that is not currently being actively supported by the Stable/LTS kernel team.

alanw (Slashdot reader #1,822) worries this could overwhelm the CVE infrastructure, pointing to an ongoing discussion at LWN.net.

But reached for a comment, Greg Kroah-Hartman thinks there's been a misunderstanding. He told Slashdot that the CVE group "explicitly asked for this as part of our application... so if they are comfortable with it, why is no one else?"
Programming

How Rust Improves the Security of Its Ecosystem (rust-lang.org) 45

This week the non-profit Rust Foundation announced the release of a report on what their Security Initiative accomplished in the last six months of 2023. "There is already so much to show for this initiative," says the foundation's executive director, "from several new open source security projects to several completed and publicly available security threat models."

From the executive summary: When the user base of any programming language grows, it becomes more attractive to malicious actors. As any programming language ecosystem expands with more libraries, packages, and frameworks, the surface area for attacks increases. Rust is no different. As the steward of the Rust programming language, the Rust Foundation has a responsibility to provide a range of resources to the growing Rust community. This responsibility means we must work with the Rust Project to help empower contributors to participate in a secure and scalable manner, eliminate security burdens for Rust maintainers, and educate the public about security within the Rust ecosystem...

Recent Achievements of the Security Initiative Include:

- Completing and releasing Rust Infrastructure and Crates Ecosystem threat models

- Further developing Rust Foundation open source security project Painter [for building a graph database of dependencies/invocations between crates] and releasing new security project, Typomania [a toolbox to check for typosquatting in package registries].

- Utilizing new tools and best practices to identify and address malicious crates.

- Helping reduce technical debt within the Rust Project, producing/contributing to security-focused documentation, and elevating security priorities for discussion within the Rust Project.

... and more!

Over the Coming Months, Security Initiative Engineers Will Primarily Focus On:

- Completing all four Rust security threat models and taking action to address encompassed threats

- Standing up additional infrastructure to support redundancy, backups, and mirroring of critical Rust assets

- Collaborating with the Rust Project on the design and potential implementation of signing and PKI solutions for crates.io to achieve security parity with other popular ecosystems

- Continuing to create and further develop tools to support Rust ecosystem, including the crates.io admin functionality, Painter, Typomania, and Sandpit

Data Storage

OpenZFS Native Encryption Use Has New(ish) Data Corruption Bug (phoronix.com) 16

Some ZFS news from Phoronix this week. "At the end of last year OpenZFS 2.2.2 was released to fix a rare but nasty data corruption issue, but it turns out there are other data corruption bug(s) still lurking in the OpenZFS file-system codebase." A Phoronix reader wrote in today about an OpenZFS data corruption bug when employing native encryption and making use of send/recv support. Making use of zfs send on an encrypted dataset can cause one or more snapshots to report errors. OpenZFS data corruption issues in this area have apparently been known for years.

Since May 2021 there's been this open issue around ZFS corruption related to snapshots on post-2.0 OpenZFS. That issue remains open. A new ticket has been opened for OpenZFS as well in proposing to add warnings against using ZFS native encryption and the send/receive support in production environments.

jd (Slashdot reader #1,658) spotted the news — and adds a positive note. "Bugs, old and new, are being catalogued and addressed much more quickly now that core development is done under Linux, even though it is not mainstreamed in the kernel."
Crime

Zeus, IcedID Malware Kingpin Faces 40 Years In Prison (theregister.com) 39

Connor Jones reports via The Register: A Ukrainian cybercrime kingpin who ran some of the most pervasive malware operations faces 40 years in prison after spending nearly a decade on the FBI's Cyber Most Wanted List. Vyacheslav Igorevich Penchukov, 37, pleaded guilty this week in the US to two charges related to his leadership role in both the Zeus and IcedID malware operations that netted millions of dollars in the process. Penchukov's plea will be seen as the latest big win for US law enforcement in its continued fight against cybercrime and those that enable it. However, authorities took their time getting him in 'cuffs. [...]

"Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk," said US attorney Michael Easley for the eastern district of North Carolina. "The Justice Department and FBI Cyber Squad won't stand by and watch it happen, and won't quit coming for the world's most wanted cybercriminals, no matter where they are in the world. This operation removed a key player from one of the world's most notorious cybercriminal rings. Extradition is real. Anyone who infects American computers had better be prepared to answer to an American judge."

This week, he admitted one count of conspiracy to commit a racketeer influenced and corrupt organizations (RICO) act offense relating to Zeus, and one count of conspiracy to commit wire fraud in relation to IcedID. Each count carries a maximum sentence of 20 years. His sentencing date is set for May 9, 2024.
Zeus malware, a banking trojan that formed a botnet for financial theft, caused over $100 million in losses before its 2014 dismantlement. Its successor, SpyEye, incorporated enhanced features for financial fraud. Despite the 2014 takedown of Zeus, Penchukov moved on to lead IcedID, a similar malware first found in 2017. IcedID evolved from banking fraud to ransomware, severely affecting the University of Vermont Medical Center in 2020 with over $30 million in damages.
Privacy

New 'Gold Pickaxe' Android, iOS Malware Steals Your Face For Fraud (bleepingcomputer.com) 13

An anonymous reader quotes a report from BleepingComputer: A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains. [...]

For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple remove the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices. Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.'

Group-IB says the Android version of the trojan performs more malicious activities than in iOS due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount.

Slashdot Top Deals