Tag: hackers

  • Auto-Rebooting iPhones Are Causing Chaos for Cops


    Maybe you already heard, but Donald Trump will be president of the United States again. The far-right is celebrating by calling for mass executions. The left is responding with their own election conspiracy theories. Convicted January 6 rioters are banking on a pardon. And women who oppose Trump have frankly had enough.

    Ahead of Election Day, WIRED found that an “election integrity” app made by True the Vote, a right-wing group that helped popularize election denialism around the 2020 election, was leaking the emails of its users. In one instance it revealed an election officer in California who appeared to be engaged in illegal voter suppression.

    Disinformation and other forms of election interference have been a major issue since Russia’s hack of the Democratic National Committee in the lead-up to the 2016 election. But 2024 appears to have been the worst yet, with US officials warning that Russia had amplified its efforts to unprecedented levels.

    In non-election news, Canadian authorities arrested Alexander “Connor” Moucka, who is accused of hacking a slew of Snowflake cloud storage customers earlier this year. Security experts who’ve long followed the exploits of a hacker who went by the handle Waifu—who authorities say is Moucka—believe him to be “one of the most consequential threat actors of 2024.”

    A federal judge in Michigan sentenced Richard Densmore to 30 years in prison after he pleaded guilty to sexually exploiting a child. Densmore was highly active in 764, an online criminal network that the FBI now considers to be a “tier one” terrorism threat.

    Finally, in WIRED’s first story published in partnership with 404 Media, reporter (and 404 co-owner) Joseph Cox took a deep dive into the world of infostealer malware—the same kind used in all those Snowflake account breaches Moucka is accused of committing.

    And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    Some iPhones that police have in their possession for forensic examination are suddenly rebooting themselves, making it more difficult for investigators to access their contents, reports 404 Media. Police use tools like Cellebrite to essentially hack into phones, but this is typically done when a device is in the so-called After First Unlock (AFU) state. Once they reboot, iPhones are put into Before First Unlock (BFU), which makes them much harder to access with forensic tools.

    According to a document obtained by 404, police believed the sudden reboots stemmed from the fact that the devices run iOS 18, Apple’s new mobile operating system. The police suspected that iOS 18 contains a secret feature that allowed the impacted devices, all of which were in airplane mode, to communicate with other nearby iPhones, which sent “a signal to devices to reboot after so much time had transpired since device activity or being off network,” the document reads.


  • Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems


    The week was dominated by news that thousands of pagers, walkie-talkies and other devices were exploding across Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were injured. The covert campaign has widely been attributed to Israel, though none of the country’s government agencies have commented.

    In addition to the carnage, the attacks have—seemingly by design—had the effect of sowing paranoia and fear, not just among members of Hezbollah but also in the general Lebanese public. Hardware and warfare experts say that the incident is unlikely to establish a global precedent that people’s most trusted communication devices and electronics, like smartphones, are rigged with explosives left and right. But it does create the potential to inspire copycats and puts defenders on notice that such attacks are possible.

    Researchers say that China’s 2023 Zhujian Cup, a hacking competition with ties to the country’s military, took the unusual step of requiring participants to keep the content of the exercise secret—and they may have been targeting a real victim as part of the event. Apple’s new stand-alone app Passwords that launched with iOS 18 may help solve your login problems. And a now-deleted post from billionaire Elon Musk that questioned why no one has attempted to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a national security threat in the United States.

    And there’s more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    Last month, media outlets, Microsoft, and Google warned that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump political campaigns, and that it had successfully stolen emails from the Trump campaign that were later shared with reporters. Now the FBI has chimed in with the added revelation that the same hackers also sent those stolen Trump communications to the Democrats, too—though for now there’s no sign that the Democrats solicited those emails from the Iranians or necessarily even received the Iranians’ message.

    Republicans were nonetheless quick to compare the news to accusations that the Trump campaign “colluded” with the Russian hackers, part of the Kremlin’s GRU military intelligence agency, who breached the Democratic National Committee and the Clinton Campaign in 2016 to carry out a hack-and-leak operation. In a statement, the Trump campaign demanded that the Democrats “must come clean on whether they used the hacked material.” The Harris campaign told CNN that it has cooperated with law enforcement and that it was “not aware of any material being sent directly to the campaign,” believing the emails to be spam or phishing attempts. “We condemn in the strongest terms any effort by foreign actors to interfere in US elections, including this unwelcome and unacceptable malicious activity,” Morgan Finkelstein, the national security spokesperson for the Harris campaign, told CNN.

    The FBI announced this week that it had taken down a network of hacked machines being secretly controlled by a Chinese state-sponsored hacking group known as Flax Typhoon. The botnet, made up of 260,000 routers and internet-of-things devices, was allegedly being run by a Chinese contractor known as the Beijing Integrity Technology Group, a rare instance of a known, publicly traded company operating essentially a massive collection of hacked devices on behalf of the Chinese state. The botnet, according to the FBI and security firm Black Lotus Labs, had been used to hack government agencies, defense contractors, telecoms, and other US and Taiwanese targets. At the time of its takedown, the botnet still encompassed 60,000 machines, making it the largest Chinese state-sponsored botnet ever, according to Black Lotus Labs.

    On Wednesday night, two young men were arrested after they allegedly stole hundreds of millions of dollars of cryptocurrency and spent the earnings on luxury cars, watches, jewelry, and designer handbags. In an unsealed indictment, the US Department of Justice charged Malone Lam, 20, known online as “Anne Hathaway” and Jeandiel Serrano, 21, aka “VersaceGod,” with stealing $243 million in cryptocurrency and laundering the proceeds through mixing services to conceal the origin.

    CoinDesk reported that the men allegedly tricked the heist’s victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoin to a compromised wallet. An analysis of the transaction by blockchain investigator ZachXBT revealed that the $243 million was divided among multiple wallets and then distributed to over 15 exchanges.

    On Thursday, TechCrunch reported that Apple’s latest desktop operating system update, macOS 15 (Sequoia), breaks some functionality of major security tools made by CrowdStrike, SentinelOne, and Microsoft. It’s unclear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.

    A CrowdStrike sales engineer informed colleagues via Slack, as seen by TechCrunch, that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new OS releases. While they hope for a quick patch, they will likely need to scramble to resolve the issue with an update in their own code, assuming no immediate fix is available from Apple, which has not yet commented on the issue.

    Cryptocurrency theft has become practically a common-or-garden form of cybercrime. But one brutal gang took that form of thievery to a new level of cruelty and violence, breaking into a series of victims’ homes to threaten and extort them into handing over their crypto holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to a close with the sentencing of the group’s ringleader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang to have now been charged, convicted, and sentenced. Prior to the home invasions that St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions with more traditional crypto hacking techniques. But St. Felix’s more violent, offline extortion attempts netted his gang only around $150,000 in cryptocurrency before they were caught and sentenced to years behind bars. The lesson: Crime doesn’t pay—or at least, not the physical kind.


  • Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake


    It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

    EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, LendingTree, or Advance Auto Parts are EPAM customers.

    The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

    “Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor’s laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

    The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

    This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

    Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to [make the] default MFA,” he says.


  • The White House Has a New Master Plan to Stop Worst-Case Scenarios


    The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.

    On Tuesday, President Joe Biden will sign a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.

    Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life. In addition to foreign government hackers and cyber criminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.

    But foreign cyber threats loom largest as a danger in the near future. “America faces an era of strategic competition, where state actors will continue to target American critical infrastructure and tolerate or enable malicious activity conducted by nonstate actors,” Caitlin Durkovich, the deputy homeland security adviser for resilience and response, told reporters during a briefing on Monday.

    The memorandum has three core purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency tasked with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster, more comprehensive information sharing; and to lay out the groundwork for minimum cybersecurity requirements for sectors that currently lack them.

    The regulatory push represents a dramatic shift from the government’s approach to infrastructure protection a decade ago. The Biden administration, having concluded that voluntary partnerships were not sufficiently reducing risks to essential services, has applied new cyber rules to the aviation, pipeline, railroad, maritime, and medical device industries, and the Department of Health and Human Services is working on security requirements for hospitals. Now, the administration plans to use the new memo to turbocharge efforts to apply rules to other sectors.

    “It is important that we work together to set baseline security standards for the lifeline sectors on which the American way of life and our democracy depends,” Durkovich says.

    The document tasks the government’s “Sector Risk Management Agencies,” or SRMAs—each of which oversees and assists one or more infrastructure sectors with cyber and physical security—with determining whether existing rules adequately address their industries’ vulnerabilities and, if not, crafting new rules. The memo includes a process to help agencies if they conclude that they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously pursuant to the White House’s terms.

    That process is designed to support agencies like the Environmental Protection Agency, which tried to issue cyber requirements for water systems in 2023 but abandoned the effort after a legal challenge from industry groups and Republican-led states.


  • Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse


    Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claimed is Americans’ sensitive medical and financial records stolen from the health care giant.

    “For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.

    The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.

    The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company’s claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.

    Change Healthcare, a subsidiary of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat or AlphV breached its systems, and told WIRED last week that it is investigating RansomHub’s claims about possessing the company’s stolen data. Change Healthcare did not immediately respond to a request for comment about the group’s alleged sale of its data.

    The wide variety of patient data that RansomHub claims to be selling is a testament to Change Healthcare’s role as a critical intermediary between insurers and health care providers, facilitating payments between both parties and collecting reams of sensitive information about patients and their medical procedures in the process.

    Among the sample records that RansomHub posted are a list of open claims handled by the company’s EquiClaim subsidiary that includes patient and provider names; a hospital record for a 74-year-old woman in Tampa, Florida; and part of a database record related to US military service members’ health care.

    RansomHub said it would allow individual insurance companies that worked with Change Healthcare and had their data compromised to pay ransoms to prevent the sale of their records. It specified that it was selling data belonging to several major insurance companies.

    Change Healthcare’s “processing of sensitive data for all of these companies is just something unbelievable,” RansomHub said in its announcement.

    Brett Callow, a threat analyst at the security firm Emsisoft who closely tracks ransomware gangs, says the new sale of stolen data was probably “less about actually selling the data” and more about putting Change Healthcare—and the partner companies whose records it failed to protect—“under additional pressure to pay.”

    Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.

    Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses. The company recently reported spending $872 million responding to the incident as of March 31.

    At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent another hack.

    A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify. And the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing its data violated federal data-security rules.


  • A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask


    “That’s not nice, and it’s not a good norm,” says Schneider. She says that much of the US government’s slow approach to cyberattacks stems from its care to ensure it avoids unintentionally hitting civilians as well as breaking international law or triggering dangerous blowback.

    Still, Schneider concedes that Caceres and Angus have a point: The US could be using its cyber forces more, and some of the explanations for why it doesn’t amount to bureaucracy. “There are good reasons, and then there are bad reasons,” says Schneider. “Like, we have complicated organizational politics, we don’t know how to do things differently, we’re bad at using this type of talent, we’ve been doing it this way for 50 years, and it worked well for dropping bombs.”

    America’s offensive hacking has, by all appearances, gotten less aggressive and less nimble over the past half decade, Schneider points out. Starting in 2018, for instance, General Paul Nakasone, then the head of Cyber Command, advocated a “defend forward” strategy aimed at taking cyber conflict to the enemy’s network rather than waiting for it to occur on America’s turf. In those years, Cyber Command launched disruptive hacking operations designed to cripple Russia’s disinformation-spouting Internet Research Agency troll farm and take down the infrastructure of the Trickbot ransomware group, which some feared at the time might be used to interfere in the 2020 election. Since then, however, Cyber Command and other US military hackers appear to have gone relatively quiet, often leaving the response to foreign hackers to law enforcement agencies like the FBI, which face far more legal constraints.

    Caceres isn’t entirely wrong to criticize that more conservative stance, says Jason Healey, who until February served as a senior cybersecurity strategist at the US Cybersecurity and Infrastructure Security Agency. He responds to Caceres’ cyberhawk arguments by citing the Subversive Trilemma, an idea laid out in a 2021 paper by the researcher Lennart Maschmeyer: Hacking operations have to choose among intensity, speed, and control. Even in earlier, more aggressive years, US Cyber Command has tended to turn up the dial for control, Healey says, prioritizing it over those other variables. But he notes there may in fact be certain targets—such as ransomware gangs or hackers working for Russia’s no-holds-barred GRU military intelligence agency—who might warrant resetting those dials. “For those targets,” says Healey, “you really can release the hounds.”

    P4x Is Dead, Viva P4x

    As for Caceres himself, he says he’s not opposed to American hacking agencies taking a conservative approach to limiting their damage or protecting civilians—as long as they take action. “There’s being conservative,” he says, “and then there’s doing fuck all.”

    On the argument that more aggressive cyberattacks would lead to escalation and counterattacks from foreign hackers, Caceres points to the attacks those foreign hackers are already carrying out. The ransomware group AlphV’s catastrophic attack on Change Healthcare in February, for instance, crippled medical claim platforms for hundreds of providers and hospitals, effects about as disruptive for civilians as any cyberattack can be. “That escalation is already happening,” Caceres says. “We’re not doing anything, and they’re still escalating.”

    Caceres says he hasn’t entirely given up on convincing someone in the US government to adopt his more gloves-off approach. Ditching the P4x handle and revealing his real name is, in some sense, his last-ditch attempt to get the US government’s attention and restart the conversation.

    But he also says he won’t be waiting for the Pentagon’s approval before he continues that approach on his own. “If I keep going with this alone, or with just a few people that I trust, I can move a lot faster,” he says. “I can fuck shit up for the people who deserve it, and I don’t have to report to anyone.”

    The P4x handle may be dead, in other words. But the P4x doctrine of cyberwarfare lives on.


  • The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind


    Ultimately, Scott argues that those three years of code changes and polite emails were likely not spent sabotaging multiple software projects, but rather building up a history of credibility in preparation for the sabotage of XZ Utils specifically—and potentially other projects in the future. “He just never got to that step because we got lucky and found his stuff,” says Scott. “So that’s burned now, and he’s gonna have to go back to square one.”

    Technical Ticks and Time Zones

    Despite Jia Tan’s persona as a single individual, their yearslong preparation is a hallmark of a well-organized state-sponsored hacker group, argues Raiu, the former Kaspersky lead researcher. So too are the technical hallmarks of the XZ Utils malicious code that Jia Tan added. Raiu notes that, at a glance, the code truly looks like a compression tool. “It’s written in a very subversive manner,” he says. It’s also a “passive” backdoor, Raiu says, so it wouldn’t reach out to a command-and-control server that might help identify the backdoor’s operator. Instead, it waits for the operator to connect to the target machine via SSH and authenticate with a private key—one generated with a particularly strong cryptographic function known as ED448.

    The backdoor’s careful design could be the work of US hackers, Raiu notes, but he suggests that’s unlikely, since the US wouldn’t typically sabotage open source projects—and if it did, the National Security Agency would probably use a quantum-resistant cryptographic function, which ED448 is not. That leaves non-US groups with a history of supply chain attacks, Raiu suggests, like China’s APT41, North Korea’s Lazarus Group, and Russia’s APT29.

    At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan’s commits is UTC+8: That’s China’s time zone, and only an hour off from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit. In fact, several commits were made with a computer set to an Eastern European time zone instead, perhaps when Jia Tan forgot to make the change.

    “Another indication that they are not from China is the fact that they worked on notable Chinese holidays,” say Karty and Henniger, students at Dartmouth College and the Technical University of Munich, respectively. Boehs, the developer, adds that much of the work starts at 9 am and ends at 5 pm for Eastern European time zones. “The time range of commits suggests this was not some project that they did outside of work,” Boehs says.

    All of those clues lead back to Russia, and specifically Russia’s APT29 hacking group, argues Dave Aitel, a former NSA hacker and founder of the cybersecurity firm Immunity. Aitel points out that APT29—widely believed to work for Russia’s foreign intelligence agency, known as the SVR—has a reputation for technical care of a kind that few other hacker groups show. APT29 also carried out the SolarWinds compromise, perhaps the most deftly coordinated and effective software supply chain attack in history. That operation matches the style of the XZ Utils backdoor far more than the cruder supply chain attacks of APT41 or Lazarus, by comparison.

    “It could very well be someone else,” says Aitel. “But I mean, if you’re looking for the most sophisticated malicious operations on the planet, that’s going to be our dear friends at the SVR.”

    Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. That means we should expect to see Jia Tan return by other names: seemingly polite and enthusiastic contributors to open source projects, hiding a government’s secret intentions in their code commits.


  • Chinese Hackers Charged in Decade-Long Global Spying Rampage


    For years, China’s state-backed hackers have stolen huge troves of company secrets, political intelligence, and the personal information of millions of people. On Monday, officials in the United States and United Kingdom expanded the long list of hacking allegations, claiming China is responsible for breaching the UK’s elections watchdog and accessing 40 million people’s data. The countries also issued a raft of criminal charges and sanctions against a separate Chinese group following a multiyear hacking rampage.

    In August last year, the UK’s Electoral Commission revealed “hostile actors” had infiltrated its systems in August 2021 and could potentially access sensitive data for 14 months until they were booted out in October 2022. The deputy prime minister, Oliver Dowden, told lawmakers on Monday that a China state-backed actor was responsible for the attack. In addition, Dowden said, the UK’s intelligence services have determined that Chinese hacking group APT31 targeted the email accounts of politicians in 2021.

    “This is the latest in a clear pattern of malicious cyber activity by Chinese state-affiliated organizations and individuals targeting democratic institutions and parliamentarians in the UK and beyond,” Dowden said in the UK’s House of Commons. The revelations were accompanied by the UK sanctioning two individuals and one company linked to APT31.

    Alongside the UK’s announcement on Monday, the US Department of Justice and Department of the Treasury’s Office of Foreign Assets Control unveiled further action against APT31, also known as Violet Typhoon, Bronze Vinewood, and Judgement Panda, including charging seven Chinese nationals with the conspiracy to commit computer intrusions and wire fraud.

    The DOJ claims the hacking group, which has been linked back to China’s Ministry of State Security (MSS) spy agency, has spent 14 years targeting thousands of critics, businesses, and political entities around the world in widespread espionage campaigns. This includes posing as journalists to send more than 10,000 malicious emails that tracked recipients, compromising email accounts, cloud storage accounts, telephone call records, home routers, and more. The spouses of one high-ranking White House official and those of multiple US senators were also targeted, the DOJ says.

    “These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from US elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” Breon Peace, a US attorney for the Eastern District of New York, said in a statement. “Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

    The moves come as countries increasingly warn of an increase in China-linked espionage, during a year when more than 100 countries will host major elections. Statements from officials focus on the impact of the hacking activity on democratic processes, including the targeting of elected officials around the world and the compromising of pro-democracy activists and lawmakers in Hong Kong. However, the disclosures also coincide with continued jostling from Western politicians over pro- or anti-China stances, including the proposed sale of TikTok to a US company, which could result in a ban on the popular app if the sale fails to go through.


  • Security News This Week: Russian Hackers Stole Microsoft Source Code—and the Attack Isn’t Over


    For years, Registered Agents Inc.—a secretive company whose business is setting up other businesses—has registered thousands of companies to people who appear to not exist. Multiple former employees tell WIRED that the company routinely incorporates businesses on behalf of its customers using what they claim are fake personas. An investigation found that incorporation paperwork for thousands of companies that listed these allegedly fake personas had links to Registered Agents.

    State attorneys general from around the US sent a letter to Meta on Wednesday demanding the company take “immediate action” amid a record-breaking spike in complaints over hacked Facebook and Instagram accounts. Figures provided by the office of New York attorney general Letitia James, who spearheaded the effort, show that in 2023 her office received more than 780 complaints—10 times as many as in 2019. Many complaints cited in the letter say Meta did nothing to help them recover their stolen accounts. “We refuse to operate as the customer service representatives of your company,” the officials wrote in the letter. “Proper investment in response and mitigation is mandatory.”

    Meanwhile, Meta suffered a major outage this week that took most of its platforms offline. When it came back, users were often forced to log back in to their accounts. Last year, however, the company changed how two-factor authentication works for Facebook and Instagram. Now, any devices you’ve frequently used with Meta services in recent years will be trusted by default. The move has made experts uneasy; this means that your devices may not need a two-factor authentication code to log in anymore. We updated our guide for how to turn off this setting.

    A ransomware attack targeting medical firm Change Healthcare has caused chaos at pharmacies around the US, delaying delivery of prescription drugs nationwide. Last week, a Bitcoin address connected to AlphV, the group behind the attack, received $22 million in cryptocurrency—suggesting Change Healthcare has likely paid the ransom. A spokesperson for the firm declined to answer whether it was behind the payment.

    And there’s more. Each week, we highlight the news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

    In January, Microsoft revealed that a notorious group of Russian state-sponsored hackers known as Nobelium infiltrated the email accounts of the company’s senior leadership team. Today, the company revealed that the attack is ongoing. In a blog post, the company explains that in recent weeks, it has seen evidence that hackers are leveraging information exfiltrated from its email systems to gain access to source code and other “internal systems.”

    It is unclear exactly what internal systems were accessed by Nobelium, which Microsoft calls Midnight Blizzard, but according to the company, it is not over. The blog post states that the hackers are now using “secrets of different types” to breach further into its systems. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

    Nobelium is responsible for the SolarWinds attack, a sophisticated 2020 supply-chain attack that compromised thousands of organizations, including major US government agencies such as the Departments of Homeland Security, Defense, Justice, and Treasury.


  • The Mysterious Case of the Fizzled Trump Trial Ransomware Leak


    The LockBit hackers also posted some convincing sample documents that appeared to have been stolen from the Fulton County court systems prior to the takedown last week, according to Georgia-based reporter George Chidi, who wrote about the incident earlier this month. Chidi reported seeing documents that included court files and even documents under seal in specific cases, though none appeared to be related to Donald Trump’s prosecution.

    Then on Wednesday, just hours before LockBit’s deadline for the county to pay its ransom expired, the countdown timer for that leak on LockBit’s website froze, with an added line of text that read, “Timer stopped.” At the promised time of 1:49 PM UTC Thursday, the leak failed to materialize. Instead, all mention of Fulton County was removed from LockBit’s extortion threat site.

    That mysterious disappearance leaves the looming question of whether Fulton County paid LockBit’s ransom. Fulton County officials didn’t respond to multiple inquiries from WIRED asking whether the county had paid the hackers, or how much.

    Just as likely, however, is that LockBit is bluffing in some sense—that it either doesn’t have the goods it claims or isn’t yet ready to give up on its extortion demand. Robert McArdle, a researcher who leads a cybercrime-focused research team at security firm Trend Micro and was involved in the law enforcement operation against LockBit, says the group’s thus-far empty threat is a sign that it was likely more disrupted by the bust than it wants to admit.

    “This appears to be further evidence of the difficulties facing LockBit ever since Op Chronos took place, and should be considered as a sign they are unable to reliably follow through on their statements,” says McArdle. He points out that the victims listed on the group’s new dark web site were all compromised prior to Operation Chronos, and that continuing to threaten them is the group’s attempt to “appear as if everything is normal when most evidence points very much to the contrary.”

    There remain other theories, however, that LockBit might still possess the court’s data but be seeking to use it in some other way. “They generally don’t lie about victims because they’re so worried about their reputation,” says Analyst1’s DiMaggio. He notes that the decision to take down the leak threat may have been made by the “affiliate” hackers who partner with LockBit to penetrate victims like Fulton County and who may have different motivations from LockBit itself.

    If Fulton County documents do remain in the hands of hackers, and if any of them relate to the Trump case, they could further complicate an already deeply messy trial. The state’s case has already been rocked by allegations that the prosecutor in the case, Fulton County district attorney Fani Willis, had an improper affair with another prosecutor involved in Trump’s prosecution, which the defense has argued should require her dismissal. The compromise of non-public documents in the case could make the proceedings—and the upcoming US presidential election—even more chaotic.

    “We’re watching with interest to see how the Fulton leak develops,” says Trend Micro, McArdle’s firm. So, no doubt, will the US political sphere—including a certain former president.

    Additional reporting by Matt Burgess.
