German logistics provider Hellmann Worldwide Logistics has warned customers that social engineering attacks could target them after it was hit by a ransomware attack earlier this month. In an update on the incident, which forced the company to take its IT systems temporarily offline on December 9, Hellmann confirmed that the attackers extracted data. While it is still investigating what type
Security
The state of New York has passed a law that makes it a crime to falsify information on a COVID-19 vaccination card. New York governor Kathy Hochul signed new legislation on Wednesday that makes falsifying information on a COVID-19 vaccination card a Class D felony comparable under the New York Penal Law to promoting a sexual performance
Russia has slapped American tech company Google with a record-breaking fine for failing to remove “banned content.” A Russian court issued the $100m financial penalty on Friday in response to Google’s alleged “systematic failure to remove banned content.” Although the financial penalty is the largest fine of its kind ever to be issued by a
The prime minister of Albania has issued a public apology after the personal data of hundreds of thousands of Albanian citizens was allegedly leaked online. An Excel file containing what appears to be data relating to employees in the public and private sectors was found circulating on social media and has reportedly been broadly shared through messaging
by Paul Ducklin SFW! Here they are! The Top N cybersecurity stories of the year that are totally SFW, and entirely conducive to Happy Holidays! And by totally SFW, we don’t just mean Suitable For Work, but also Something For the Weekend – a double bonus if you’re on official duty over the holiday break and
A Russian cyber-criminal who hacked into three tech companies and stole more than 100 million user credentials will not have to pay restitution to his corporate victims. Yevgeniy Aleksandrovich Nikulin was found guilty in July 2020 of causing data breaches at LinkedIn, Dropbox, and the now defunct social media platform Automatic in 2012. Speaking during the closing
by Paul Ducklin The picture you see above is not only a real Fisher-Price product, released in the second decade of the 21st century… …but is also officially NOT A TOY! Sure, it looks like a Chatter Phone toy, with an external appearance that adults of all ages will recognise, perhaps from having had one,
Threat actors have exploited a vulnerability in Log4j software to wage a cyber-attack on Belgium’s Defense Ministry. The attack began on December 16 and was confirmed by Belgium’s Ministry of Defense on Monday. Speaking to the AFP in Brussels on Tuesday, Belgian military spokesman Commander Olivier Séverin said that the incident had caused damage to services that were connected to the
by Paul Ducklin This story isn’t quite as dramatic as if the Feds had managed to reverse tens of thousands of separate Bitcoin (BTC) transactions used in a global online scam to defraud tens of thousands of separate and vulnerable victims… …but it’s spectacular nevertheless, given that the stolen-but-recovered amount came to BTC 3,879.16, which
A United States court has sentenced a Russian national who admitted being involved in a conspiracy to launder money stolen from American victims of computer fraud. Maksim Boiko, also known as Maxim Boyko, and online as “gangass,” was one of 20 individuals indicted by the US in connection with the transnational criminal organization QQAAZZ. With members
by Paul Ducklin Pick a random person, and ask them these two questions: Q1. Have you heard of Apache? Q2. If so, can you name an Apache product? We’re willing to wager that you will get one of two replies: A1. No. A2. (Not applicable.) A1. Yes. A2. Log4j. Two weeks ago, however, we’d suggest
Detectives investigating a hacking incident at a Florida college have charged a former nurse with possessing child sexual abuse material (CSAM). An investigation was launched in June 2021 when two IT accounts belonging to a program coordinator and an instructor at Polk State College were hacked. The employees were locked out of their labs and scheduling accounts,
by Paul Ducklin ‘Twas the night before Christmas When all through the house Not a creature was stirring, not even a mouse… As Christmas 2021 approaches, spare a thought for your sysadmins, for your IT team, and for your cybersecurity staff. There may be plenty of mice stirring all through the IT house right up
Data belonging to an Illinois-based accountancy firm has been exposed in a cyber-attack. Bansley and Kiener, which is also known as B&K, is a 99-year-old full-service accounting firm headquartered in Chicago. Earlier this month, B&K issued a security notice stating that it had been successfully targeted by cyber-criminals using ransomware a year ago. “On December 10, 2020, B&K
Seven students at the University of Mississippi have been charged with cyber-stalking a fellow student who blew the whistle on their fraternity’s hazing activities. College hazing is an initiation ceremony in which freshmen undertake humiliating and sometimes dangerous feats to gain admittance into a fraternity or sorority. Ole Miss Pi Kappa Alpha fraternity members Baylor Reynolds, aged
Cybersecurity official Anne Neuberger has implored American businesses to actively prepare for a seasonal surge in cybercrime. In a statement issued through the White House on Thursday, the deputy assistant to the president and deputy national security advisor for cyber and emerging technology explained why threat actors like to time their attacks with the holidays. “Historically we have seen
by Paul Ducklin Amidst the ongoing brouhaha created by the apparently omnipresent Log4Shell security vulnerability, it’s easy to lose track of all the other things that you should, and normally would, be working on anyway. Indeed, the UK’s National Cyber Security Centre (NCSC) is warning that: Remediating [the Log4Shell] issue is likely to take
A trio of healthcare providers in New Jersey has agreed to pay $425,000 and adopt new security measures to settle a legal claim involving a double data breach. The state of New Jersey alleged that Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively “RCCA”) failed to adequately safeguard the personal data and
by Paul Ducklin With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
Virginia is fighting cyber-fires on two fronts after ransomware attacks affected both its state legislature and an agency within its executive branch. In an attack that struck on the evening of December 12, key IT systems under the Division of Legislative Automated Systems (DLAS) were rendered inaccessible. The attack was focused on certain internal servers, impacting the
Hundreds of financial applications are being targeted by a threat campaign featuring a new strain of the Anubis Android banking trojan malware. The malicious campaign was detected by researchers at cybersecurity company and integrated endpoint-to-cloud provider Lookout. Researchers observed the banking malware masquerading as an account management application created by France’s largest telecommunications company, Orange S.A., to target customers of
by Paul Ducklin Amongst all the brouhaha about Log4Shell, it’s easy to forget all the other updates that surround us. Not only is it Patch Tuesday (keep your eye on our sister site news.sophos.com for the latest on that score later in the day)… …but it’s also time to check your Apple devices, because Apple
Police have arrested a professor at a Louisiana university after child sexual abuse material was discovered on his office desktop computer. An investigation was begun in East Baton Rouge on Thursday after officials at Louisiana State University’s (LSU’s) Agricultural Center (AgCenter) were contacted by concerned employees in the center’s IT department. The IT workers raised the alarm
by Paul Ducklin In this article, we explain the Apache Log4Shell vulnerability in plain English, and give you some simple educational code that you can use safely and easily at home (or even directly on your own servers) in order to learn more. Just to be clear up front: we’re not going to show you
Cyber-thieves hacked into the computer network of Swedish car manufacturer Volvo and exfiltrated research and development secrets. The carmaker posted a notice on its website yesterday stating that it had suffered a cybersecurity breach in which a limited amount of data was stolen. Though the quantity of data swiped in the incident was small, Volvo warned that its loss
An investigation into the springtime cyber-attack on HSE Ireland has found that criminals spent two months inside the healthcare system’s computer network before deploying ransomware. The attack, which struck HSE Ireland with Conti ransomware in mid-May, forced the health service to take its IT systems offline, leading to the cancellation of multiple hospital appointments. An investigation
A cyber-attack has been carried out against major German logistics provider Hellmann Worldwide Logistics. The security incident forced Hellmann to take its central data center offline yesterday. Today, operations at the Osnabrück-based company remain disrupted. Hellmann said that since the attack was discovered, it has been under the constant observation of its Global Crisis Taskforce, which
by Paul Ducklin Just when you thought it was safe to relax for the weekend… …when your cybersecurity Christmas decorations lit up with the latest funkily-named bug: Log4Shell. Apparently, early reports of the bug referred to it as LogJam, because it allows you to JAM dodgy download requests into entries in LOG files. But LogJam
A political activist and former star of the reality TV show 19 Kids and Counting has been convicted of two charges relating to the sexual abuse of children. On Thursday, after a six-day trial that featured ten witnesses, a jury found Josh Duggar guilty of one count of receiving CSAM and one count of possessing CSAM. It took the jury just