Security

by Paul Ducklin At the well-known DEF CON security shindig in Las Vegas, Nevada, last week, Mac cybersecurity researcher Patrick Wardle revealed a “get-root” elevation of privilege (EoP) bug in Zoom for Mac: Mahalo to everybody who came to my @defcon talk “You’re M̶u̶t̶e̶d̶ Rooted” 🙏🏽 Was stoked to talk about (& live-demo 😅) a

A threat actor group named SolidBit is actively advertising RaaS (Ransom-as-a-Service) and looking to recruit new affiliates on dark web forums. The news comes from CloudSEK security researchers, who published an advisory about the new threat actors on Thursday. “The group is actively looking for partners to gain access to companies’ private networks in order to

Vulnerabilities in Xiaomi’s mobile payment could lead to an attacker stealing private keys used to sign Wechat Pay control and payment packages. The flaws were found by Check Point Research (CPR) in Xiaomi’s trusted execution environment (TEE), the system element responsible for storing and managing sensitive information such as keys and passwords. “We discovered a

by Paul Ducklin Here’s this week’s BWAIN, our jocular term for a Bug With An Impressive Name. BWAIN is an accolade that we hand out when a new cybersecurity flaw not only turns out to be interesting and important, but also turns up with its own logo, domain name and website. This one is dubbed

Social media giant Meta has announced it will start testing end-to-end encryption (E2EE) as the default option on its Facebook Messenger platform. The company made the announcement in a blog post on August 11, where it explained the feature will be initially available only to selected users. “If you’re in the test group, some of

by Paul Ducklin Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. Schroedinger’s cat outlines in featured image via Dhatfield under CC BY-SA 3.0. You can listen to us on Soundcloud, Apple Podcasts, Google

A remote-code-execution (RCE) vulnerability affecting Zimbra Collaboration Suite (ZCS) email servers was exploited without valid administrative credentials, unlike previously believed. The finding come from security researchers at Volexity, who detailed them in an advisory published on Wednesday. While the RCE issue (tracked CVE-2022-27925) was patched by Zimbra in March 2022, in July and early August 2022 Volexity investigated

Cyber-criminals spreading malware families are shifting to shortcut (LNK) files to deliver malware, HP Wolf Security’s latest report suggests. According to the new research, shortcuts are gradually replacing Office macros (which are starting to be blocked by default by Microsoft) as a way for attackers to get a foothold within networks by tricking users into

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) said on Monday it issued sanctions against virtual currency mixer Tornado Cash. According to the announcement, Tornado Cash has been used to launder more than $7bn worth of virtual currency since its foundation in 2019. The figure includes more than $455m stolen by the

A new analysis by Kaspersky unveiled a wave of targeted attacks on military-industrial complex enterprises and public institutions in Belarus, Russia, Ukraine and Afghanistan. The cybersecurity company made the announcement in an advisory published on Monday, which claims the attackers were able to penetrate several enterprises and hijack the IT infrastructure of some of them.

by Paul Ducklin Popular collaboration tool Slack (not to be confused with the nickname of the world’s longest-running Linux distro, Slackware) has just owned up to a cybersecurity SNAFU. According to a news bulletin entitled Notice about Slack password resets, the company admitted that it had inadvertently been oversharing personal data “when users created or

by Paul Ducklin We’ve written about PQC, short for post-quantum cryptography, several times before. In case you’ve missed all the media excitement of the past few years about so-called quantum computing… …it is (if you will pardon what some experts will probably consider a reckless oversimplification) a way of building computing devices that can keep

North Korea stole hundreds of millions of dollars worth of crypto assets in at least one major hack, according to a confidential United Nations (UN) report seen by Reuters on Thursday. The document also reportedly suggests the US previously accused North Korea of carrying out cyber-attacks to fund its nuclear and missile programs. “Other cyber activity

by Paul Ducklin The word “protocol” crops up all over the place in IT, usually describing the details of how to exchange data between requester and replier. Thus we have HTTP, short for hypertext transfer protocol, which explains how to communicate with a webserver; SMTP, or simple mail transfer protocol, which governs sending and receiving

ReversingLabs researchers discovered a new ransomware family targeting Linux-based systems in South Korea. Dubbed GwisinLocker, the malware was detected by ReversingLabs on July 19 while undertaking successful campaigns targeting firms in the industrial and pharmaceutical space. “In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to

by Paul Ducklin Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just

A team of security researchers from CloudSEK has discovered a new phishing tactic used by threat actors (TA) to target Indian banking customers via preview domains from Hosting Provider Hostinger. The new feature enables access to a site before it is accessible globally. In other words, it enables the viewing of website content without a

by Paul Ducklin Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI. This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the

Cybersecurity-focussed non-profit CREST has partnered up with the Open Web Application Security Project (OWASP) to release the OWASP Verification Standard (OVS). The move aims to provide mobile and web app developers with enhanced security assurance and accredited organizations with improved access to the app development industry. “Both CREST and OWASP are non-profit organizations and we

by Paul Ducklin Cryptocurrency protocol Nomad (not to be confused with Monad, which is what PowerShell was called when it first came out) describes itself as “an optimistic interoperability protocol that enables secure cross-chain communication,” and promises that it’s a “security-first cross-chain messaging protocol.” In plain English, it’s supposed to let you swap cryptocurrency tokens

European missile maker MBDA has publicly denied some of the hacking allegations against the company made on a dark web forum in July and posted on Twitter by Today Cyber News on Tuesday. The self-proclaimed hacking group who first made the allegation went under the name “Andrastea,” and claimed to have obtained roughly 60 GB of

Google published its monthly security bulletin for August on Monday, detailing the latest available patches for Android. A total of 37 vulnerabilities have been patched, including a critical security flaw in the System component that could lead to remote code execution via Bluetooth with no additional execution privileges needed. The Bluetooth vulnerability is tracked as

by Paul Ducklin The best-known cryptographic library in the open-source world is almost certainly OpenSSL. Firstly, it’s one of the most widely-used, to the point that most developers on most platforms have heard of it even if they haven’t used it directly. Secondly, it’s probably the most widely-publicised, sadly because of a rather nasty bug

Security researchers are warning of a new phishing campaign which tries to hurry users into making poor decisions by presenting them with a countdown clock. Cofense recently spotted the credential harvesting campaign, which arrives in the form of an alert email about a non-existent ‘suspicious login’ to their account. Purporting to come from a fake

A cyber-attack on the US justice system has compromised a public document management system, revealed lawmakers on the Hill yesterday. Jerrold Nadler (D-NY), chairman of the House Judiciary Committee, revealed the attack at a hearing on oversight of the Justice Department on Thursday. Nadler said three hostile actors had breached the Public Access to Court Electronic Records

A bill designed to increase visibility of foreign ransomware attackers has passed in the US House of Representatives. The Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act (also known as the RANSOMWARE Act) will make it easier for the US to respond to ransomware attacks from foreign

by Paul Ducklin If you’ve ever watched a professional plumber at work, or a plasterer, or a bricklayer, or the people who deftly use those improbably long sticks to craft paper-thin pancakes the size of a bicycle wheel… …you’ve probably had the same thoughts that we have. I could do that. I really could. But

Spanish and Romanian police have joined forces to take down a gang suspected of earning at least €3m ($3.1) from internet scams. Spanish National Police arrested three suspects in the southern city of Malaga while their Romanian counterparts cuffed six, following a multi-year investigation, according to Europa Press. They are accused of publishing false adverts

by Paul Ducklin Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just

Applications have opened for the next cohort of the NCSC For Startups program, which is looking for early-stage companies focused on protecting the UK’s critical national infrastructure from cyber threats. The program, launched in 2021, is run by the UK’s National Cyber Security Centre (NCSC) in partnership with Plexal. A successor to the NCSC Cyber Accelerator, the