Security - ReadWrite https://readwrite.com/category/security/ Crypto, Gaming & Emerging Tech News, Wed, 13 Mar 2024 13:32:47 +0000

GCHQ: Are you smart enough to join the UK’s cyber intelligence agency? https://readwrite.com/gchq-are-you-smart-enough-to-join-the-uks-cyber-intelligence-agency/ Wed, 13 Mar 2024 13:32:47 +0000

Generated image: intelligence analysts at a cyber protection security agency look at multiple screens, their backs turned to the viewer. A Union Jack flag can be seen on one screen, as well as a map of the UK.

You can now officially test whether you would make it at the highest level of intelligence work, as a top UK security agency releases a puzzle to appeal to potential recruits.

The opaquely named Government Communications Headquarters (GCHQ) is a subsidiary of the country’s National Cyber Security Centre (NCSC) and it acts as an intelligence and security organization responsible for providing information assurance to the government and armed forces for the United Kingdom. The U.S. equivalent is the National Security Agency (NSA).

Posting on LinkedIn for the first time, the GCHQ has asked people if they’ve ‘got what it takes to be an intelligence analyst’ as they aim to reach possible new team members.

They worked with professional Manchester-based artist Justin Eagleton to create a puzzle with a hidden message.

Image: a complicated postcard with buildings, sky, seaside and other elements. A message is hidden in the puzzle image.

Within the artwork are 13 elements that represent letters of the alphabet. All you have to do is identify those letters and assemble them to find the message.

Speaking further in the social media post, the team at GCHQ explains why strong lateral-thinking skills are a requirement: “Problem-solving is at the heart of what we do.

“Our people tackle the most complex of challenges every day to help keep the country safe. It’s only possible by bringing together a mix of minds – people who can see things differently or think outside the box.”

GCHQ is hiring on LinkedIn

Also in their LinkedIn debut is an introductory video by director Anne Keast-Butler who expands on their day-to-day and why they’ve chosen now to join the professional networking site: “So we’re on a journey to make sure that we reach out to and connect to people who’ve never thought of working with us…

“And I hope you’ll be inspired to think about careers with us. If you like problem-solving, if you’re great in teams, if you know your tech, if you just see the bigger picture and want to make a difference. These are all skills and qualities that we look for in the people who work with us.”

Change Healthcare hack continues to inflict major damage https://readwrite.com/change-healthcare-hack-continues-to-inflict-major-damage/ Sat, 02 Mar 2024 02:30:22 +0000


According to lawyer Sara Goldstein of the law firm BakerHostetler, the massive attack on Change Healthcare has caused approximately 120 of the company’s IT products and services to go offline since February 21. The disruption reaches across the whole healthcare business, including major companies. The cybercriminals claimed to be from BlackCat/Alphv.

From eligibility checks and prior authorization to pharmacy benefits and claims processing, Change Healthcare, a division of Optum, a UnitedHealth Group company, offers a broad range of vital IT tools to healthcare sector enterprises. The company conducts 15 billion healthcare transactions every year.

The devastating effects of cybercrime

“So the amount, the volume of information that’s transferred to them and that’s transferred out, as well the role that they have in healthcare is tremendous. The impact of this has been substantial,” said Goldstein. She went on to say, “Many healthcare providers cannot process claims, payments, or do patient billing. Without these services and being able to generate revenue, it’s really going to create a precarious financial situation for many healthcare systems and healthcare providers.”

The Medical Group Management Association (MGMA), which represents 350,000 doctors and 15,000 group medical practices, pushed the US Department of Health and Human Services (HHS) to “utilize all the tools at its disposal to mitigate these impacts, so medical groups do not have to take drastic actions to remain in operation.” The MGMA told the HHS that “guidance, financial resources, enforcement discretion, and more are needed to avoid escalating an already serious situation.”

The downside of large-company consolidation

Goldstein said that organizations with no contractual relationship with Change Healthcare are also affected. She continued, “One thing that is being flagged is about the downside of consolidation of these types of vendors in healthcare. So, that has been a challenge. This is pretty catastrophic.”

Cybercrime affects everyone.

Here is the Goldstein interview from Inforisktoday.com.

Featured Image Credit: Created by Total Shape; Pexels

Pegasus spyware: US court orders maker to hand over code to WhatsApp https://readwrite.com/pegasus-spyware-us-court-orders-maker-to-hand-over-code-to-whatsapp/ Fri, 01 Mar 2024 15:51:09 +0000

Image: an illustration of a hand holding a smartphone with the WhatsApp logo displayed on the screen. The background features a stylized red Pegasus figure emerging from digital graphics that suggest cybersecurity, with icons representing user identity and lock symbols in a network-like pattern.

Israel’s NSO Group, best known for its spyware, has been ordered by a U.S. court to hand over its Pegasus code to WhatsApp.

It’s the latest hurdle for the company, which has been blacklisted in the U.S., sued by Apple, and has experienced significant financial difficulties.

According to the Guardian, Judge Phyllis Hamilton reviewed NSO’s request to be released from all its discovery duties in the lawsuit, citing “various US and Israeli restrictions.” Despite this, she ruled in favor of WhatsApp, mandating that NSO produce “all relevant spyware” data spanning one year before and after the timeframe when 1,400 WhatsApp users were reportedly targeted by the Pegasus spyware, covering the dates from April 29, 2018, to May 10, 2020. 

NSO is also required to provide WhatsApp with details about the complete capabilities of the specific spyware. However, Hamilton ruled in favor of NSO on a separate issue, deciding that the company is not obligated to reveal the identities of its customers or details about its server setup at this stage.

A WhatsApp spokesperson told the Guardian, “The recent court ruling is an important milestone in our long-running goal of protecting WhatsApp users against unlawful attacks. Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law.”

What are the dangers of Pegasus spyware?

Pegasus is advanced spyware designed for military use, capable of infiltrating mobile phones remotely to gain complete control over the device. Once Pegasus covertly installs itself on a phone, it can copy texts, images and emails, record conversations, and turn on the microphone and camera for uninterrupted spying, all without the user’s awareness.

The spyware was developed by the cyber-arms firm NSO, which was subsequently blacklisted by U.S. President Joe Biden’s administration in 2021. The government stated that the company knowingly provided spyware used by foreign governments to maliciously target the phones of dissidents, human rights activists, and journalists.

Meta has been approached for further comment.

Featured image: Canva

How Attack Surface Management Strengthens Your Cybersecurity Posture https://readwrite.com/attack-surface-management-cybersecurity-posture/ Tue, 27 Feb 2024 17:17:12 +0000


Organizations face endless challenges, especially now that everything revolves around tech. These range from sophisticated cyber threats to commonly ignored compliance requirements. Amid this rapidly evolving threat landscape, organizations must protect sensitive company data, and doing so brings several benefits: being cyber-secure and having a healthy cybersecurity posture preserves and improves customer trust and business continuity.

How to Protect and Strengthen Your Cybersecurity Posture

One of the key components of a comprehensive organizational cybersecurity posture is attack surface management (ASM). This involves continuously identifying potential cybersecurity issues and finding ways to stop them before they are exploited. Below are a few ways attack surface management improves your company’s cybersecurity.

1. Risk Reduction

ASM plays a significant role in reducing cybersecurity risks. Attack surface management helps address various vulnerabilities within your organization’s digital footprint. It allows your cybersecurity teams to find and prioritize vulnerabilities, so they get ample time to stop these risks at an early stage.

Reducing the attack surface, which is the set of entry points that attackers can exploit, significantly lowers the likelihood of successful attacks. ASM tools continuously scan and assess your organization’s digital footprint for vulnerabilities such as weak security controls and software flaws.

Attack surface management also plays an important role in patch management. Identifying digital systems that require updates ensures timely patches and updates are made. This closes the gaps and reduces the likelihood that present vulnerabilities get exploited. Generally, systematically identifying and prioritizing system vulnerabilities and weaknesses in attack surfaces minimizes organizational exposure to cyber threats.

2. Incident Response

Incident response is an important cybersecurity element. Having an incident response strategy reduces the time it takes to respond and bounce back from an infiltration. Attack surface management helps businesses detect and respond to cybersecurity issues effectively by providing in-depth visibility into their vulnerabilities in the following ways:

  • Early detection: Cybersecurity professionals conducting ASM continually monitor the organization’s attack surface for signs of compromise or unauthorized access.
  • Threat hunting: ASM empowers cybersecurity teams to conduct proactive threat hunting for signs of compromise or malicious activities. ASM tools help organizations identify hidden threats and emerging attack patterns.
  • Incident triage and prioritization: Through ASM, organizational incident response teams can triage and prioritize cybersecurity incidents based on potential impact on company data and business operations.

Integrating attack surface management into the incident response process helps organizations adopt a proactive approach to cybersecurity. This allows for a coordinated response to potential and emerging threats.

3. Improved Resilience

Improved resilience is the other key outcome of proficient attack surface management. Better resilience makes it possible for organizations to withstand and recover faster from cybersecurity incidents. Attack surface management involves continuous monitoring of your organization’s digital assets to identify and address weaknesses.

Introducing measures that adapt to arising cybersecurity threats helps organizations remain resilient to cyber threats. ASM also provides a solid base for agile incident response. Security teams can quickly pick up and respond to potential threats. This significantly minimizes the impact of successful attacks on your business operations.

Organizations can effectively improve their resilience against threats by embracing ASM in their cybersecurity strategies. Adopting these proactive measures improves your ability to withstand and recover from an attack.

4. Cost Saving

An effective ASM also has cost-saving benefits to businesses and organizations. For starters, a good ASM helps identify and mitigate potential vulnerabilities in your organization’s digital infrastructure. This prevents breaches and incidents that cost your organization in terms of remediation efforts, legal fees, and damaged reputation.

That aside, a proper ASM reduces downtime and disruption. Cybersecurity incidents like DDoS attacks significantly disrupt business operations. This leads to downtime and disrupts productivity. Attack surface management minimizes the occurrence of such incidents. ASM similarly improves operational efficiency. Automating various aspects of threat detection and vulnerability management improves your organization’s operational efficiency.

ASM also saves costs by streamlining compliance efforts. Well-drafted attack surface management ensures that organizations remain compliant with various industry regulations and data protection guidelines. Meeting compliance requirements proactively helps businesses avoid non-compliance penalties.

5. Better Visibility

Proper visibility of your digital systems is the backbone of an effective cybersecurity strategy. Attack surface management improves visibility into your organization’s digital assets and vulnerabilities in many ways. ASM solutions like network scanning and asset profiling regularly take an inventory of the organization’s digital assets and possible attack surfaces.

Attack surface management also provides real-time monitoring of your business’s attack surface for potential vulnerabilities. Real-time monitoring makes it possible for your cybersecurity teams to detect suspicious activities in their early stages. Early detection of potential vulnerabilities also promotes risk prioritization.

Cybersecurity teams use ASM tools to gather insights into the potential impact and severity of identified vulnerabilities. This allows them to prioritize mitigation efforts based on the level of risk exposure.

Proper attack surface management is a key foundation of a robust cybersecurity posture. It gives organizations the requisite tools and insights required to strengthen their defense. Managing the attack surface improves the organization’s visibility into potential threats and vulnerabilities.

White House urges tech companies to adopt secure program languages https://readwrite.com/memory-safe-white-house-urges-major-tech-companies-to-adopt-secure-programme-languages/ Tue, 27 Feb 2024 17:00:59 +0000


The White House Office of the National Cyber Director (ONCD) has urged the largest players in emerging technologies to adopt safer programming languages.

The advice was released as part of a new report titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software.”

The ONCD stated that a “method manufacturers can use to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language. Using memory-safe programming languages can eliminate most memory safety errors.”

What is the Office of the National Cyber Director (ONCD)?

The ONCD advises the President of the United States on matters of cybersecurity policy and strategy, and highlights any concerns in this space. The security entity works across all U.S. government departments, private companies, and international partners to coordinate federal cybersecurity policy.

“The challenge of eliminating entire classes of software vulnerabilities is an urgent and complex problem,” the new report states.

“It is a path that requires the convergence of government initiative, private sector innovation, and groundbreaking academic research. Working together to proactively eliminate software vulnerabilities alleviates the burden from those least equipped to bear it, and empowers front-line cyber defenders to look forward. Defining high-quality cybersecurity realigns incentives and provides confidence in what cyberspace can be.”

The Biden-Harris Administration has received recognition from industry leaders for this decision, which reaffirms that vulnerabilities must be addressed in lockstep with technological advancements.

The ONCD posted on its official X page about the clamor of support from members of academia and the private sector for the White House’s direction:

Fidelma Russo, Executive Vice President and General Manager, Hybrid Cloud and Chief Technology Officer at Hewlett Packard Enterprise said, “we commend Director Coker and the Administration for this initiative, which is an important response to the ever-evolving cyber threat landscape. Memory-safe computing prevents vulnerabilities before they can be exploited by threat actors, and will be a new internal standard at HPE for cloud-native development.”

Professor of Computer Science at Stanford University, Dan Boneh commented that the “White House is taking a pragmatic approach, and is proposing to start this conversion with critical space systems, which is a good testing ground for the proposed approach. Preventing memory safety bugs is only the beginning of a long journey towards more secure software.”

“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory-safe programming languages,” said National Cyber Director Harry Coker.

Featured image: Pexels

China’s hired hackers: a massive cybersecurity breach exposing China’s operations https://readwrite.com/chinas-hired-hackers-a-massive-cybersecurity-breach-exposing-chinas-operations/ Fri, 23 Feb 2024 16:59:43 +0000


Leaked files reveal a variety of services available for purchase, including information obtained from targets across the globe. According to a significant data leak from a Chinese cybersecurity company, state security agents are paying tens of thousands of pounds to gather data on targets, including foreign governments. Meanwhile, hackers are gathering massive amounts of data on any individual or organization that could be of interest to their potential clients.

It’s believed that over 500 files have been leaked worldwide

Cybersecurity experts believe the cache of over 500 leaked files from the Chinese company I-Soon, which was uploaded to the GitHub developer website, to be authentic. NATO and the UK Foreign Office are among the suggested targets.

More than a year ago, in an unprecedented joint address, the FBI and MI5 leaders warned about the issue of Chinese spying and called for upgraded security measures. At that time, the two agencies said that they were voicing a new concern about the Chinese government and informing corporate executives that Beijing was intent on stealing their technology in order to obtain a competitive advantage.

The files, a collection from chat logs, business prospectuses, and data samples, show the scope of China’s intelligence-collecting activities and the challenges that the nation’s commercial hackers face in the competitive market. China is currently experiencing a downturn in its economy.


I-Soon and Chengdu 404 have been in dispute over one company using the other company’s tools to hack

I-Soon seems to have collaborated with Chengdu 404, another Chinese hacking group, and became involved in a business dispute with them later. The US Department of Justice has charged Chengdu 404’s hackers for using their tools to launch cyberattacks against US companies and pro-democracy activists in Hong Kong, among other targets.

The other targets mentioned in the I-Soon disclosures are the British think tank Chatham House, the foreign affairs ministries of the Association of Southeast Asian Nations (ASEAN) countries, and public health bureaus. While some of this data appears to have been collected indiscriminately, other instances involve specific contracts with the Chinese Public Security Bureau to collect particular kinds of data.

“We are aware of this data coming to light and are naturally concerned,” a Chatham House spokeswoman stated. “We have precautions in place to protect you, including technological ones that are regularly examined and updated.”

“The alliance faces persistent cyberthreats and has prepared for this by investing in extensive cyber defenses,” a NATO official stated, adding that NATO examines each allegation of a cyberthreat. The UK Foreign Office, however, chose not to respond.

I-Soon provides a wide range of services. In one instance, Shandong City’s public security department paid about £44,000 to gain a year’s worth of access to the email accounts of ten targets. The I-Soon business also asserted that it could breach many operating systems, including Mac and Android, access personal data from Facebook, hijack accounts on X, and obtain data from corporate databases.

Featured Image Credit: Photo by Yaroslav Shuraev; Pexels

Stealthy hunter-killer malware rises by 333%, report reveals https://readwrite.com/stealthy-hunter-killer-malware-rises-by-333-report-reveals/ Wed, 21 Feb 2024 15:36:57 +0000

Image: illustration of a hooded hacker with red eyes behind a security lock, with a red-tinted computer network in the background.

There has been a significant surge in hunter-killer malware, with a 333% rise, according to the latest Picus Red Report.

The fourth edition of this annual report revealed insights from the analysis of over 600,000 real-world malware samples, pinpointing the most frequently used techniques by attackers. The study found a significant shift in the strategies of cyber attackers, notably the emergence of malware designed to actively seek out and disable security defenses.

“We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines,” said Dr. Suleyman Ozarslan, Picus Security co-founder and vice president of Picus Labs. 

“Just as these subs move silently through deep waters and launch devastating attacks to defeat their targets’ defenses, new malware is designed to not only evade security tools but actively bring them down,” he added.

Dr. Ozarslan further explained the strategic pivot in cybercriminal behavior, attributing it to the significantly enhanced security measures of businesses and the advanced threat detection capabilities of widely used tools. He highlighted a notable shift from the past year, stressing, “A year ago, it was relatively rare for adversaries to disable security controls. Now, this behavior is seen in a quarter of malware samples and is used by virtually every ransomware group and APT group.”

How to deal with hunter-killer malware

To deal with Hunter-killer malware, the security validation company urged organizations to embrace machine learning, protect user credentials, and consistently validate their defenses against the latest tactics and techniques used by cybercriminals.

According to Huseyin Can Yuceel, Security Research Lead at Picus Security, “It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools, because they may still appear to be working as expected.” 

Yuceel reiterated, “Preventing attacks that would otherwise operate under the radar requires the use of multiple security controls with a defense-in-depth approach. Security validation must be a starting point for organizations to better understand their readiness and identify gaps.” 

He then warned that “unless an organization is proactively simulating attacks to assess the response of its EDR, XDR, SIEM, and other defensive systems that may be weakened or eliminated by Hunter-killer malware, they will not know they are down until it is too late.”

Other key findings of the Red Report 2024

The research also revealed that 70% of analyzed malware now employs stealth-oriented techniques, particularly those that help attackers evade security measures and maintain persistence in networks. It spotted a noticeable 150% increase in the use of T1027 Obfuscated Files or Information, showcasing attackers’ ability to conceal their malicious activities and hinder digital forensics and incident response efforts.

In addition, there has been a 176% surge in the use of T1071 Application Layer Protocol by ransomware. This technique is strategically employed for data exfiltration, forming an integral component of sophisticated double extortion schemes.

Featured image: Canva

North Korean hackers use ChatGPT to scam LinkedIn users https://readwrite.com/north-korean-hackers-use-chatgpt-to-scam-linkedin-users/ Mon, 19 Feb 2024 19:34:35 +0000

Image: a hooded hacker surrounded by computers, with a red and black speech bubble depicting LinkedIn connections and a verified blue tick, alongside a North Korean flag bearing the LinkedIn and ChatGPT logos.

North Korean hackers are reportedly using ChatGPT to trick users on LinkedIn and other social media platforms into providing sensitive information and data, according to a report.

ChatGPT parent company OpenAI and investor Microsoft revealed last week that they had “disrupted five state-affiliated actors that sought to use AI services in support of malicious cyber activities.”

Using Microsoft Threat Intelligence, accounts associated with two China-affiliated threat actors known as Charcoal Typhoon and Salmon Typhoon, the Iran-affiliated threat actor known as Crimson Sandstorm, the North Korea-affiliated actor known as Emerald Sleet, and the Russia-affiliated actor known as Forest Blizzard were identified and terminated.

Microsoft, which owns LinkedIn, noted that Emerald Sleet, also known as Kimsuky, impersonated “reputable academic institutions and NGOs to lure victims into replying with expert insights and commentary about foreign policies related to North Korea.”

Microsoft said in its blog post that it had not found evidence of these actors having carried out any significant cyberattacks, but that many of its findings were “representative of an adversary exploring the use cases of a new technology.”

OpenAI reported that North Korea’s Emerald Sleet account used its services “to identify experts and organizations focused on defense issues in the Asia-Pacific region, understand publicly available vulnerabilities, help with basic scripting tasks, and draft content that could be used in phishing campaigns.”

How North Korean hackers are targeting LinkedIn

According to Yonhap, South Korea’s state intelligence agency detected signs that North Korea tried incorporating generative AI into its hacking attacks and other illicit cyber activities.

“Recently, it has been confirmed that North Korean hackers use generative AI to search for hacking targets and search for technologies needed for hacking,” a senior official at the National Intelligence Service (NIS) told reporters. The NIS said it found a daily average of 1.62 million hacking attempts in South Korea’s public sector last year, up 36% from a year ago.

The NIS added that North Korea is also suspected of using its overseas IT workers to find jobs at IT companies and plant malicious code in the software they developed there, in order to steal cryptocurrencies.

Erin Plante, vice-president of investigations at crypto-focused cyber security company Chainalysis, told the Financial Times that “North Korean hacking groups have been seen to create credible-looking recruiter profiles on professional networking sites such as LinkedIn.”

“Generative AI helps with chatting, sending messages, creating images and new identities — all the things you need to build that close relationship with your target,” she added.

OpenAI stated that its findings align with external evaluations, indicating that GPT-4’s capabilities in aiding “malicious cybersecurity tasks” are limited to what can already be accomplished using publicly accessible tools that do not utilize AI.

Last year, it was reported that North Korea-backed hackers targeted cryptocurrency clients by infiltrating the systems of U.S. enterprise software company JumpCloud.

Featured image: Canva / DALL·E

The post North Korean hackers use ChatGPT to scam LinkedIn users appeared first on ReadWrite.

Wyze camera outage allowed some users to spy inside others’ homes https://readwrite.com/wyze-camera-outage-allowed-some-users-to-spy-inside-others-homes/ Mon, 19 Feb 2024 15:00:47 +0000 https://readwrite.com/?p=254899 Wyze camera outage allowed some users to spy inside others' homes. Security camera on top of exclamation point sign and illustration of inside a bedroom.


A Wyze executive has confirmed that at least a dozen users were able to see thumbnails taken from other users’ cameras, due to an outage with their partner network.

David Crosby wrote in a Wyze forum post on Friday that access to the Events tab was being restricted while the company investigated a potential security issue. He said that the servers “got overloaded and it corrupted some user data,” confirming there had been 14 reports of such an incident.

Since then, Crosby stated that additional verification has been added for each user before they can view thumbnails. On top of this, all users who used the Wyze app on February 16 are now being logged out to reset tokens.

Wyze’s digital community manager has subsequently reassured users that “over 99.75% of all Wyze accounts were not affected by the security event,” but added that around 13,000 users received thumbnails from cameras that were not their own and that 1,504 users had access to them.

“Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed,” he said.

What Wyze users have said

Several social media users took to Reddit to share that they had been able to access someone else’s camera. One person wrote: “One of my cameras notified me of an event from inside someone else’s home with them in it walking around. Absolutely no security with Wyze whatsoever.” Another stated, “I just got a motion detection notification with a picture for someone else’s house that isn’t mine!”

Wyze security breaches

It is not the first time Wyze has faced issues with data protection. In 2019, the company admitted to leaving data gathered from two million people exposed on the Internet where criminals could freely harvest it. This data included email addresses as well as health information.

Wirecutter, a product review website owned by The New York Times Company, also cut ties with Wyze last year after it reported a similar breach, saying “We believe Wyze is acting irresponsibly to its customers,” for reportedly not reaching out to customers with “meaningful details.”

Wyze and Amazon have been approached for further comment.

Featured image: Canva

The post Wyze camera outage allowed some users to spy inside others’ homes appeared first on ReadWrite.

Malware on gambling websites that finance crime with your money https://readwrite.com/malware-on-gambling-websites-that-finance-crime-with-your-money/ Thu, 15 Feb 2024 21:45:12 +0000 https://readwrite.com/?p=254657 Malware on gambling websites


The creation and distribution of gaming websites that are pre-infected with malware is North Korea’s most recent money-making scheme, according to the National Intelligence Service (NIS) of South Korea. The NIS identified cybercrime organizations as buyers of the sites.

According to the report, the North Korean group behind the initiative is an IT company called “Gyeongheung,” connected to the secretive Office 39. Office 39 is part of the ruling Workers’ Party of Korea, and the US Department of the Treasury believes it to be a revenue-generating machine for the country.

According to Secretary for Terrorism and Financial Intelligence Stuart Levey, “Korea Daesong Bank and Korea Daesong General Trading Corporation are key components of Office 39’s financial network supporting North Korea’s illicit and dangerous activities. Treasury will continue to use its authorities to target and disrupt the financial networks of entities involved in North Korean proliferation and other illicit activities.” The NIS believes this organization has already made billions of dollars in profit. Each website can be rented for about $5,000 a month, and North Korea provides technical help for an additional $3,000 per month.

Websites examined had malicious code placing bets automatically

The NIS also stated that the websites it examined contained malicious code that placed bets automatically. The threat actors have attempted to sell about 1,100 pieces of personal information relating to South Korean people, using the code to steal the personal information of any gamblers who signed up for the sites.

The people who built the sites pretended to be Chinese IT workers to get around UN restrictions that forbid hiring North Korean labor. They stole professional credentials, and some had fake Chinese identity cards. The group hijacked South Korean cybergambling gang accounts and used bank accounts created under Chinese names to transfer money and disguise their tracks.

A Seoul-based Korean source found that some clients didn’t mind that the sites were under sanctions and said they had knowingly kept doing business with the North Koreans. The main reason? The North Koreans speak the same common language as their clients, and all business done with North Korea costs much less. Based in the border town of Dandong, Gyeongheung is in a hotspot for cheap Chinese apparel, and the people there will work for much lower wages.

Featured Image Credit: Cottonbro Studio; Pexels

The post Malware on gambling websites that finance crime with your money appeared first on ReadWrite.

Cybercriminals are stealing Face ID scans to break into mobile banking accounts https://readwrite.com/cybercriminals-are-stealing-face-id-scans-to-break-into-mobile-banking-accounts/ Thu, 15 Feb 2024 17:19:54 +0000 https://readwrite.com/?p=254620 Cybercriminals stealing Face ID


The latest wave of cybercriminals is targeting iOS users in Thailand with Face ID thefts that allow them to steal money from victims.

iPhone owners in Thailand fall prey to cybercriminals stealing Face ID scans that are then used to break into their bank accounts in a world first in cybercrime.

A Chinese-speaking cybercrime group, dubbed GoldFactory, started distributing trojanized smartphone apps in June of last year, as reported by the Register. GoldPickaxe and GoldPickaxe.iOS target Android and iOS respectively, tricking users into performing biometric verification checks and harvesting that information.

This biometric data is then used to bypass the same security checks used by actual finance apps in Vietnam and Thailand. This gives cybercriminals access to bank accounts and the ability to siphon off funds. So far, this specific type of crime is limited to these two countries, but there is fear of it spreading worldwide.

Having initially started in Thailand by appearing as the Thai government’s official digital pensions app, it then quickly spread to Vietnam. Authorities have had reports of very similar attacks taking place in both countries, resulting in the theft of tens of thousands of dollars.

iOS users are worse affected than Android

Android malware is often considered more common in such attacks, but in this case, it’s the reverse. There are generally much tighter security controls on iOS systems, but with GoldFactory, the Android hack is far simpler.

Researchers found that the Android version bore many more disguises than the iOS version, showing up in more than 20 different false government, finance, and utility organizations in Thailand. For iPhones, the cybercriminals rely on input from the victims themselves, impersonating government authorities on the LINE messaging app and gaining access to key information that way.

From there, they convinced victims (often elderly) to download GoldPickaxe.iOS directly and then used the same techniques on them as on Android users.

Featured image: Unsplash

The post Cybercriminals are stealing Face ID scans to break into mobile banking accounts appeared first on ReadWrite.

U.S. insights company shows ransomware hackers drew in $1bn across 2023 https://readwrite.com/us-insights-company-shows-ransomware-hackers-drew-in-1bn-across-2023/ Fri, 09 Feb 2024 22:50:01 +0000 https://readwrite.com/?p=253831


Ransomware hackers extorted $1bn across 2023, according to data insights company and blockchain platform Chainalysis.

The company published a report showing the extent of malicious hacking and developing trends affecting entities across the last year.

Chainalysis provides data, software, services, and research to government agencies and companies across seventy countries.

“Our data powers investigation, compliance, and market intelligence software that has been used to solve some of the world’s most high-profile criminal cases and grow consumer access to cryptocurrency safely,” says the company site.

The report details a staggering increase of $433 million in ransom taken from victims compared to 2022, growing to the highest-ever rate of $1bn in 2023.

Report shows biggest ransomware attack of 2023

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory (CSA) in June of last year highlighting the exploitation of the MOVEit vulnerability by the CL0P ransomware gang.

This was one of the biggest ransomware attacks ever recorded and marked the peak of 2023’s wave of ‘Zero-Day’ exploits.

What is a Zero-Day?

The report describes this as a ‘Zero-Day’ vulnerability that compromised multiple institutions simultaneously. The attack gets this name because it gives the developers zero days to respond: it exploits an existing crack in the defenses that they were unaware of.

The MOVEit hack was like finding all the keys to multiple company lockboxes in one big digital bank vault.

The hack hit several established institutions and exploited a vulnerability in the file transfer system. The software’s owner announced that the service had been compromised and that sensitive data, including personal details and in some cases banking information, was in the hands of the hackers.

Sony, the BBC, and Flagstar Bank were a few of those affected. The Maine Attorney General documented that 837,390 users had their data violated, with the report stating, “Information Acquired — Name or other personal identifiers in combination with Social Security Number.”

The Japanese tech giant, Sony, would also send letters to those affected stating that the company wanted to “provide you with information about a cybersecurity event related to one of our IT vendors, Progress Software, that involved some of your personal information.”

“This event was limited to Progress Software’s MOVEit Transfer platform and did not impact any of our other systems.”

The attack exfiltrated massive amounts of data and considerably damaged Progress Software’s reputation.

U.S. Federal forces and companies across the globe will be hoping that the number of attacks and the amount extorted will fall across 2024.

The post U.S. insights company shows ransomware hackers drew in $1bn across 2023 appeared first on ReadWrite.

A fake LastPass password manager was found on Apple’s App Store https://readwrite.com/a-fake-lastpass-password-manager-was-found-on-apples-app-store/ Fri, 09 Feb 2024 00:58:35 +0000 https://readwrite.com/?p=253610 A fake found on Apple's App Store


The fake LastPass password manager found on Apple’s App Store has now been pulled. It is currently unknown whether Apple or the bogus developer removed the phony program, which disguised itself as the LastPass password manager on the App Store. Apple has not responded to inquiries about the removal, though Apple is quite vigilant about these types of issues and relentlessly guards its app store.

Christofer Hoff, Chief Secure Technology Officer for LastPass, in a statement to TechCrunch, said, “Upon seeing the fake ‘LassPass’ app in the Apple App store, LastPass immediately began a coordinated and multi-faceted approach across our threat intelligence, legal and engineering teams to get the fraudulent app removed.” Hoff continues, “Our threat intelligence team posted a blog yesterday to raise awareness and help inform the public and our customers of the situation. We are in direct contact with representatives from Apple, and they have confirmed receipt of our complaints, and we are working through the process to have the fraudulent app removed.”

To mislead consumers, the fraudster app mimicked LastPass’s branding and user interface

In an effort to mislead consumers, the fraudulent app mimicked LastPass’s branding and user interface and was distributed under the identity of a single developer, Parvati Patel. The phony program included several typos, which should always give one pause and hint that something may be fake. It was also released by a developer other than LogMeIn, the company that owns LastPass.

It’s not a good look for Apple Inc., which has been fighting against so many regulations recently, such as the EU’s Digital Markets Act (DMA), that such an apparently fraudulent app made it through Apple’s generally rigorous App Review process.

Appfigures, an app analytics company, reported that the phony app was released on January 21st, giving it a few weeks to get users’ attention. Appfigures saw that users themselves appeared to have realized that the app was phony, because every one of its Apple App Store reviews warned others about its bogus nature. The fake app even leveraged keywords to rank in search.

The fake app may have succeeded in tricking some users, even though it probably didn’t fool too many. The worst part for LastPass is that it was forced to alert its real users in a public forum about the fraudulent app in the store, even though the app should never have been released in the first place. The app wasn’t taken down from the App Store until the day after LastPass’s blog post was published.

Featured Image Credit: WeStartMoney; Pexels

The post A fake LastPass password manager was found on Apple’s App Store appeared first on ReadWrite.

Address risks: leading AI companies join safety consortium https://readwrite.com/address-risks-leading-ai-companies-join-safety-consortium/ Thu, 08 Feb 2024 18:50:35 +0000 https://readwrite.com/?p=253574 AI Safety consortium


Commerce Secretary Gina Raimondo announced the U.S. AI Safety Institute Consortium (AISIC). Raimondo said in a statement to Reuters, “The U.S. government has a significant role to play in setting the standards and developing the tools we need to mitigate the risks and harness the immense potential of artificial intelligence.”

The consortium members

Reuters published the list of consortium members, which includes BP (BP.L), Cisco Systems (CSCO.O), IBM (IBM.N), Hewlett Packard (HPE.N), Northrop Grumman (NOC.N), Mastercard (MA.N), Qualcomm (QCOM.O), Visa (V.N), and major academic institutions and government agencies, and which will be housed under the U.S. AI Safety Institute (USAISI).

This group prioritizes the actions and guidelines listed in President Biden’s executive order: “including developing guidelines for red-teaming (meaning identify new risks), capability evaluations, risk management, safety and security, and watermarking synthetic content.”

The executive order from U.S. President Joe Biden

Additionally, the Oct. 30, 2023 executive order from U.S. President Joe Biden said that he “is seeking to reduce the risks that AI poses to consumers, workers, minority groups, and national security.” Under the Defense Production Act, creators of AI systems that endanger the national security, economy, health, or safety of the United States must notify the U.S. government of the findings of their safety tests before their public release.

In addition, the order Biden signed at the White House instructs agencies to establish guidelines for such testing and to handle associated risks connected to cybersecurity and to radiological, chemical, and biological hazards. “To realize the promise of AI and avoid the risk, we need to govern this technology,” Biden said. “In the wrong hands, AI can make it easier for hackers to exploit software vulnerabilities that make our society run.”

The Commerce Department said in December 2023 that it was already taking the first steps toward “writing the key standards and guidance for the safe deployment and testing of AI.” The consortium also represents the biggest group of test and evaluation teams who can now create a foundation for a “new measurement science in AI safety.”

Currently, generative AI has sparked both enthusiasm and concern with its ability to produce text, images, and videos in response to open-ended prompts: it could eventually replace human labor in some occupations, disrupt elections, and have disastrous consequences.

The Biden administration is working to implement safeguards, but despite multiple high-level conferences, Congress has not passed laws addressing AI.

Featured Image Credit: Photo by Michelangelo Buonarroti; Pexels

The post Address risks: leading AI companies join safety consortium appeared first on ReadWrite.

Microsoft BitLocker encryption hacked by a cheap off-the-shelf Raspberry Pi Pico https://readwrite.com/microsoft-bitlocker-encryption-hacked-by-a-cheap-off-the-shelf-raspberry-pi-pico/ Wed, 07 Feb 2024 21:19:04 +0000 https://readwrite.com/?p=253392 Microsoft BitLocker encryption hacked


Security researcher Stacksmashing showed in a YouTube video how a $4 Raspberry Pi Pico can be used to retrieve the BitLocker encryption key from a Windows PC in just 43 seconds. The researcher claims that the attack gets around BitLocker’s encryption by directly accessing the hardware and retrieving the encryption keys kept in the computer’s Trusted Platform Module (TPM) via the LPC bus.

Retrieving the encryption key requires physical access to the device and a fair amount of know-how or expertise, so this is not a threat that can be exploited across the internet. Still, BitLocker’s reliance on a TPM for security may be its own downfall in this particular experiment.

The dedicated Trusted Platform Module (TPM) has a design flaw that the YouTuber took advantage of. In specific setups, BitLocker depends on an external TPM to store vital data, including the Volume Master Key and Platform Configuration Registers (which are included in certain CPUs). When an external TPM is used, the CPU and TPM communicate over an LPC bus to send the encryption keys needed to unlock the data on the disk. Stacksmashing found that this communication lane between the external TPM and the CPU is completely unencrypted at boot, which allowed him to capture the critical data as it moved between the two units and recover the encryption keys.

Keep in mind that the hacker used an old laptop with BitLocker encryption; the same type of attack can also be used on newer motherboards that use an external TPM, although intercepting the bus traffic on them takes more work. Stacksmashing made it clear that Windows BitLocker and external TPMs aren’t as foolproof as many individuals and companies think.

If your CPU has a built-in TPM, like the ones found in modern AMD and Intel CPUs, you should be safe from this security flaw since all TPM communication occurs within the CPU.
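An added defender’s check (example code written for this article, not from the article or from Stacksmashing): a PowerShell audit that reports whether each BitLocker volume is unlocked by the TPM alone and whether the TPM vendor suggests a firmware TPM inside the CPU rather than an external chip. The function names and the vendor list are assumptions made for this example; it is meant to be run as Administrator on Windows 10/11.

```powershell
# Added example (not from the article): audit a Windows machine for the exposure
# described above, i.e. an OS volume whose key is released by the TPM alone at
# boot, on a TPM that may be a discrete chip reachable over a bus.
# Assumptions: Windows 10/11 with the BitLocker and TrustedPlatformModule
# modules present; the vendor-to-TPM-type mapping is a heuristic, not an
# authoritative list.

#Requires -RunAsAdministrator

# Manufacturer IDs that usually indicate a firmware TPM running inside the CPU
# (no external bus to tap). Heuristic list constructed for this example.
$FirmwareTpmVendors = @('INTC', 'AMD', 'QCOM')

function Get-TpmExposure {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        return [pscustomobject]@{ Present = $false; Vendor = $null; LikelyFirmware = $false }
    }
    $vendor = ($tpm.ManufacturerIdTxt).Trim()
    [pscustomobject]@{
        Present        = $true
        Vendor         = $vendor
        LikelyFirmware = ($FirmwareTpmVendors -contains $vendor)
    }
}

function Get-BitLockerProtectorExposure {
    # One result object per BitLocker volume.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # 'Tpm' on its own means the Volume Master Key leaves the TPM at boot
        # without any user secret; the TpmPin / TpmStartupKey variants require
        # something the person holding the laptop does not have.
        $needsSecret = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
        $tpmOnly = ($types -contains 'Tpm') -and (-not $needsSecret)
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
        }
    }
}

$tpmInfo = Get-TpmExposure
$volumes = Get-BitLockerProtectorExposure

"TPM present: $($tpmInfo.Present)  vendor: $($tpmInfo.Vendor)  likely firmware TPM: $($tpmInfo.LikelyFirmware)"
$volumes | Format-Table -AutoSize

# Flag the combination the article describes: OS volume on TPM-only unlock,
# with a TPM that does not look like it lives inside the CPU.
$exposed = $volumes | Where-Object { $_.TpmOnly -and $_.VolumeType -eq 'OperatingSystem' }
if ($exposed -and -not $tpmInfo.LikelyFirmware) {
    Write-Warning (("OS volume {0} relies on the TPM alone and the TPM may be a discrete chip: " +
                    "the key crosses the TPM bus in the clear at boot. Adding a pre-boot PIN " +
                    "(manage-bde -protectors -add {0} -TPMAndPIN) keeps the key inside the TPM " +
                    "until the user authenticates.") -f $exposed.MountPoint)
}
```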

Featured Image Credit: Photo by George Becker; Pexels

The post Microsoft BitLocker encryption hacked by a cheap off-the-shelf Raspberry Pi Pico appeared first on ReadWrite.

Malicious NPM package disguises itself to steal Roblox data https://readwrite.com/malicious-npm-package-disguises-itself-to-steal-roblox-data/ Tue, 06 Feb 2024 23:34:52 +0000 https://readwrite.com/?p=253145 Malicious NPM package trying to steal Roblox data.


A new threat to Roblox players comes in the form of a malicious impersonator of official Noblox.js and Noblox.js open-source downloads.

Noblox.js is an open-source Roblox API wrapper written in JavaScript that interacts with the game’s website.

Seeing 1,642 weekly downloads, this is one of Roblox’s most popular third-party node package manager (NPM) downloads.

How has this unsafe NPM tricked Roblox users?

NPM is the world’s largest software registry and the popular route for developers to share and install software relating to JavaScript Object Notation (JSON), a lightweight format for storing and transporting data.

As reported by Socket, the malicious NPM package is named noblox.js-proxy-server, similar in name to the legitimate open-source Noblox.js.

According to the Socket Research Team, three techniques were used to make the malware seem legitimate: brandjacking, typosquatting, and starjacking.

Although these terms may seem overcomplicated, they describe how a malicious package can pass itself off as legitimate.

Brandjacking — The simplest of the three: impersonating a brand to borrow its legitimacy, hoping that those not casting a keen eye will be duped.

Typosquatting — Registering a name that a half-finished search or a typo will land on, so that the user ends up somewhere that looks legitimate enough but is, in fact, a trap for unsuspecting users.

Starjacking — A slightly more elaborate trick: linking a package to an existing project’s reviews and star ratings without having anything to do with that project. Think of someone stealing all your positive eBay reviews, or a clone of a well-rated Instagram account.

The Socket Team uncovered that the malicious package is designed to retrieve data such as the Roblox username, and repeatedly scans for files with specific extensions and adds them to a zip archive.

This zip file is then uploaded to a server on a specified URL. It sends a webhook to a Discord server with information on the uploaded file, prompting the same process to be repeated every 4,000 milliseconds.

Thanks to the Socket Team, awareness has been raised about this threat to the 70.2 million daily users and 216 million monthly active gamers on Roblox.

In related Roblox news, the game announced a development on the artificial intelligence (AI) front with a real-time text translation tool for users.

Image: photo by Sora Shimazaki; Pexels

The post Malicious NPM package disguises itself to steal Roblox data appeared first on ReadWrite.

Treasury’s Office of Foreign Assets Control sanctions six Iranian officials https://readwrite.com/treasurys-office-of-foreign-assets-control-sanctions-six-iranian-officials/ Mon, 05 Feb 2024 17:32:40 +0000 https://readwrite.com/?p=252637 Flag of Iran


The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Iranian officials linked to cyber activities against critical infrastructure in the United States and other countries.

The six individuals in question were part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), an Iranian government organization.

All of the individuals have been added to the Specially Designated Nationals and Blocked Persons List (SDN), and their property and financial assets have been blocked by OFAC under its counterterrorism authority Executive Order (E.O.).

According to the note published by the OFAC, Hamid Reza Lashgarian, head of the IRGC-CEC and a commander in the IRGC-Qods Force, has been a part of IRGC cyber and intelligence operations in the past.

The remaining individuals are all senior officials of the IRGC: Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian.

Sensitive targets

The accused are reported to have hacked programmable logic controllers produced by the Israeli company Unitronics.

The United States, together with private sector companies and the countries impacted, worked to minimize the damage to the critical water systems that had been compromised.

Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson said that “the deliberate targeting of critical infrastructure by Iranian cyber actors is an unconscionable and dangerous act.”

The public services that were hacked suffered minimal impact, but the United States remains concerned that these infrastructure services were targeted at all.

“The United States will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account,” Nelson concluded.

In other U.S. security news, the FBI has foiled an attempt by a Chinese hacker group known as Volt Typhoon. The hackers have targeted U.S. routers in homes and small businesses as part of a wider botnet.

Last week, Deputy Attorney General Lisa O. Monaco announced that “in wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools to disrupt national security threats – in real-time.”

Image credit: Pexels

The post Treasury’s Office of Foreign Assets Control sanctions six Iranian officials appeared first on ReadWrite.

Covering your webcam won’t be sufficient to prevent hackers from watching you https://readwrite.com/covering-your-webcam-wont-be-sufficient-to-prevent-hackers-from-watching-you/ Fri, 02 Feb 2024 01:39:30 +0000 https://readwrite.com/?p=252244 An image showing a laptop with tape over its webcam but eyes still all around it


That tape over your webcam might not be enough — the hackers are watching; it might be the right time to install another privacy shutter.

In a report just published in Science Advances, researchers at the Massachusetts Institute of Technology (MIT) emphasized the risks to imaging privacy that ambient light sensors pose. Security-conscious device users may find solace in software permissions that limit webcam use and in hardware solutions like shutters. Nonetheless, the study demonstrates that a typical ambient light sensor, of the kind used in a variety of devices, can be used to collect visual data. These tiny sensors normally require no permission at the device level and are not covered or deactivated by users.

The MIT researchers used a Samsung Galaxy View 2 in their investigation. On this relatively dated and large (17.3-inch) consumer tablet, the ambient light sensor sits close to the front-facing (selfie) camera, which is still a pretty common arrangement.

Device manufacturers classify ambient light sensors as low-risk, so software (or malware) can frequently access them directly without requiring any authorization or privileges. However, prior research has demonstrated that even a basic sensor can yield sufficient information to deduce keystrokes from a keyboard, and so steal a device’s authorizations and passwords, in roughly 80% of cases. The latest study demonstrates what an ambient light sensor can do in conjunction with the device’s screen, which serves as an active light source.

Some devices are more susceptible to these ambient light sensor espionage techniques.

Some devices will be more susceptible to this ambient light sensor espionage technique than others, because light sensor speed, measurement bit depth, screen brightness and light sensor precision all vary from device to device (see image above). As the figures in the source article show, some of the tablet’s image captures took several minutes. Nonetheless, the images recovered are demonstrably accurate, and the technique has room to improve.

The MIT researchers point out that light sensors are “quite useful,” and that we need and want them. Rather than removing them, they recommend the following changes to stop this kind of snooping:

  • Rethink ambient light sensor device permissions.
  • Reduce sensor speed.
  • Reposition the sensor so it doesn’t face the user.

Hopefully, once manufacturers become more aware of the ambient light sensor issue, they will implement these changes and stop the “snooping tech” from finding more victims.

Featured Image Credit: Jan from Pixabay


Around 45k Jenkins servers still vulnerable to attacks due to critical flaw https://readwrite.com/around-45k-jenkins-servers-still-vulnerable-to-attacks-due-to-critical-flaw/ Wed, 31 Jan 2024 17:19:46 +0000 https://readwrite.com/?p=252022 Around 45k Jenkins servers still vulnerable to attacks due to critical flaw. Hacker in black hoodie on laptop with Jenkins butler logo image on screen and room of servers in the background.


The post Around 45k Jenkins servers still vulnerable to attacks due to critical flaw appeared first on ReadWrite.


Tens of thousands of Jenkins servers remain exposed to a high-severity bug even though a patch has been released. The flaw, tracked as CVE-2024-23897, enables malicious actors to execute harmful code remotely on affected systems, and around 45,000 Jenkins servers are said to be affected and open to critical remote code execution (RCE) attacks.

An advisory on the Jenkins website rates the severity as critical, because the flaw “allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”

The open source project recently issued two updates to fix the issue and strongly advises users to apply these patches promptly to minimize the risk. Jenkins is an automation server for CI/CD pipelines, used by developers to build and test software automatically as part of their release process.

The Register reports that the majority of the affected servers are located in the US and China, with counts of 15,806 and 11,955 respectively. Following these are India with 3,572 servers, Germany with 3,487, the Republic of Korea with 2,204, France with 1,482, and the UK with 1,179 vulnerable servers.

Although Sonar’s Vulnerability Research Team discovered the vulnerability on January 24th, many servers remain unpatched, leaving them susceptible to attack.

How severe is the attack?

CVE-2024-23897 has a severity score of 9.8, which is rated critical. The vulnerability lies in Jenkins’ built-in command line interface (CLI), which is enabled by default in versions up to and including Jenkins 2.441.

According to BleepingComputer, attackers could potentially decrypt stored secrets, delete items from Jenkins servers, and download Java heap dumps. It also reported that there had already been several possible “genuine attempts at exploitation.”

In 2023, Jenkins was considered one of the best developer tools of the year for its extensibility and adaptability. However, cybersecurity firm Armis has reported that cyber attacks more than doubled in 2023, and warns that numerous businesses worldwide continue to underestimate the escalating threat to cybersecurity.

Featured image: Canva / The Jenkins Project


Cyber attacks doubled in 2023 but businesses remain slow to act https://readwrite.com/cyber-attacks-more-than-doubled-in-2023-but-businesses-remain-slow-to-act/ Wed, 24 Jan 2024 12:52:54 +0000 https://readwrite.com/?p=250820 A conceptual digital artwork representing the significant increase in cyber attacks over the last year. The image features a single large digital globe with multiple red dots across it symbolizing cyber attacks.


The post Cyber attacks doubled in 2023 but businesses remain slow to act appeared first on ReadWrite.


Cyber attacks more than doubled in 2023, according to analysis from cyber security firm Armis, which claims that many businesses around the world still fail to acknowledge the growing threat to cyber security.

The Armis report found that attack attempts peaked in July, with imaging, manufacturing and communications devices targeted the most. Attacks on utilities tripled and attacks on manufacturing increased by 165%.

Yet businesses continue to ignore the growing threat and are not taking cyber security seriously, the report suggests: companies regularly overlook blind spots, and that is driving a surge in cyber breaches.

Co-founder and CTO of Armis, Nadir Izrael, said: “Armis found that not only are attack attempts increasing, but cyber security blind spots and critical vulnerabilities are worsening, painting prime targets for malicious actors.

“It’s critical that security teams leverage similar intelligence defensively so that they know where to prioritize efforts and fill these gaps to mitigate risk.”

The report goes on to say that legacy technology is most at risk: pre-2012 Windows OS versions were found to be 77% more likely to experience cyber attacks than newer versions. Moreover, older server versions are reaching end-of-support, leaving them even more vulnerable to attack. This is mostly an issue in the educational services sector, where 18% of organizations face it.

Businesses in the education industry are 41% more vulnerable than other industries, which have a general average of 10%. Other industries left vulnerable by outdated server operating systems are retail, healthcare, manufacturing and public administration.

The report says more than 65,000 common vulnerabilities and exposures (CVEs) were discovered, and points to wearable devices as having the highest percentage (93%) of unpatched CVEs.

What is a cyber attack?

A cyber attack can be defined as a malicious attempt to gain unauthorized access to a computer, operating system or network in order to cause damage and/or steal confidential information.

These attacks look to disrupt, destroy or control said computer systems and may also intend to steal, block or manipulate the data stored on these systems.

How to prevent a cyber attack?

Typically, up-to-date antivirus software protects your computer and network against malware, while a firewall filters the traffic that is allowed to reach your device.

Other ways people and businesses can protect themselves from cyber security threats include multi-factor authentication, strong passwords, password encryption and robust Virtual Private Networks (VPNs).

The simplest way to stay on top of your cyber security is to ensure that all of your apps, devices and operating systems are running the most up-to-date versions, so that security patches are in place before new cyber attacks arrive.

Featured Image: Dall-E

