Tag: hackers

  • Change Healthcare Ransomware Attack: BlackCat Hackers Quickly Returned After FBI Bust

    Six days before Christmas, the US Department of Justice loudly announced a win in the ongoing fight against the scourge of ransomware: An FBI-led, international operation had targeted the notorious hacking group known as BlackCat or AlphV, releasing decryption keys to foil its ransom attempts against hundreds of victims and seizing the dark web sites it had used to threaten and extort them. “In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” deputy attorney general Lisa Monaco declared in a statement.

    Two months and one week later, however, those hackers don’t appear particularly “disrupted.” For the last seven days and counting, BlackCat has held hostage the medical firm Change Healthcare, crippling its software in hospitals and pharmacies across the United States, leading to delays in drug prescriptions for an untold number of patients.

    The ongoing outage at Change Healthcare, first reported to be a BlackCat attack by Reuters, represents a particularly grim incident in the ransomware epidemic not just due to its severity, its length, and the potential toll on victims’ health. Ransomware-tracking analysts say it also illustrates how even law enforcement’s wins against ransomware groups appear to be increasingly short-lived, as the hackers that law enforcement target in carefully coordinated busts simply rebuild and restart their attacks with impunity.

    “Because we can’t arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, we can’t stop them,” says Allan Liska, a ransomware-focused researcher for cybersecurity firm Recorded Future. Instead, Liska says, law enforcement often has had to settle for spending months or years arranging takedowns that target infrastructure or aid victims, but without laying hands on the attacks’ perpetrators. “The threat actors just need to regroup, get drunk for a weekend, and then start right back up,” Liska says.

    In another, more recent bust, the UK’s National Crime Agency last week led a broad takedown effort against the notorious Lockbit ransomware group, hijacking its infrastructure, seizing many of its cryptocurrency wallets, taking down its dark web sites, and even obtaining information about its operators and partners. Yet less than a week later, Lockbit has already launched a fresh dark web site where it continues to extort its victims, showing countdown timers for each one that indicate the remaining days or hours before it dumps their stolen data online.

    None of that means law enforcement’s BlackCat or Lockbit operations haven’t had some effect. BlackCat listed 28 victims on its dark web site for February so far, a significant drop from the 60-plus Recorded Future counted on its site in December prior to the FBI’s takedown. (Change Healthcare isn’t listed among BlackCat’s current victims on its site, though the hackers reportedly took credit for the attack, according to ransomware-tracking site Breaches.net. Change Healthcare also didn’t respond to WIRED’s request for comment on the cyberattack.)

    Lockbit, for its part, may be hiding the extent of its disruption behind the bluster of its new leak site, argues Brett Callow, a ransomware analyst at security firm Emsisoft. He says that the group is likely downplaying last week’s bust in part to avoid losing the trust of its affiliate partners, the hackers who penetrate victim networks on Lockbit’s behalf and might be spooked by the possibility that Lockbit has been compromised by law enforcement.

  • A Mysterious Leak Exposed Chinese Hacking Secrets

    While the documents have now been removed from GitHub, where they were first posted, the identity and motivations of the person, or people, who leaked them remains a mystery. However, Chang says the documents appear to be real, a fact confirmed by two employees working for i-Soon, according to the Associated Press, which reported that the company and police in China are investigating the leak.

    “There are around eight categories of the leaked files. We can see how i-Soon engaged with China’s national security authorities, the details of i-Soon’s products and financial problems,” Chang says. “More importantly, we spotted documents detailing how i-Soon supported the development of the notorious remote access Trojan (RAT), ShadowPad,” Chang adds. The ShadowPad malware has been used by Chinese hacking groups since at least 2017.

    Since the files were first published, security researchers have been poring over their contents and analyzing the documentation. Included were references to software to run disinformation campaigns on X, details of efforts to access communications data across Asia, and targets within governments in the United Kingdom, India, and elsewhere, according to reports by the New York Times and The Washington Post. The documents also reveal how i-Soon worked for China’s Ministry of State Security and the People’s Liberation Army.

    According to researchers at SentinelOne, the files also include pictures of “custom hardware snooping devices,” such as a power bank that could help steal data, and the company’s marketing materials. “In a bid to get work in Xinjiang–where China subjects millions of Uyghurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work,” the researchers write. “The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.”

    The Federal Trade Commission has fined antivirus firm Avast $16.5 for collecting and selling people’s web browsing data through its browser extensions and security software. This included the details of web searches and the sites people visited, which, according to the FTC, revealed people’s “religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.” The company sold the data through its subsidiary Jumpshot, the FTC said in an order announcing the fine.

    The ban also places five obligations on Avast: not to sell or license browsing data for advertising purposes; to obtain consent if it is selling data from non-Avast products; delete information it transferred to Jumpshot and any algorithms created from the data; tell customers about the data it sold; and introduce a new privacy program to address the problems the FTC found. An Avast spokesperson said that while they “disagree with the FTC’s allegations and characterization of the facts,” they are “pleased to resolve this matter.”

    Two Chinese nationals living in Maryland—Haotian Sun and Pengfei Xue—have been convicted of mail fraud and a conspiracy to commit mail fraud for a scheme that involved sending 5,000 counterfeit iPhones to Apple. The pair, who could each face up to 20 years in prison, according to The Register, hoped Apple would send them real phones in return. The fake phones had “spoofed serial numbers and/or IMEI numbers” to trick Apple stores or authorized service providers into thinking they were genuine. The scam took place between May 2017 and September 2019 and would have cost Apple more than $3 million in losses, a US Department of Justice press release says.

    Security researchers from the US and China have created a new side-channel attack that can reconstruct people’s fingerprints from the sounds their fingers make as they swipe across a phone screen. The researchers used the built-in microphones in devices to capture the “faint friction sounds” made by a finger and then used these sounds to reconstruct fingerprints. “The attack scenario of PrintListener is extensive and covert,” the researchers write in a paper detailing their work. “It can attack up to 27.9 percent of partial fingerprints and 9.3 percent of complete fingerprints within five attempts.” The research raises concerns about real-world hackers who are attempting to steal people’s biometrics to access bank accounts.

  • How 3 Million ‘Hacked’ Toothbrushes Became a Cyber Urban Legend

    Documents exclusively obtained by WIRED reveal that AI surveillance software tracked thousands of people using the London Underground to detect crime or unsafe situations. The machine learning software scoured live CCTV footage to spot aggressive behavior, weapons being brandished, and people dodging fares. The documents also detail errors made during the trial—for instance, mistakenly identifying children walking with their parents as fare evaders.

    Meanwhile, on Wednesday, cryptocurrency tracing firm Chainalysis published a report finding ransomware payments in 2023 reached over $1.1 billion, the highest annual total ever recorded. The record-breaking sum of extorted funds was due to two things: the high number of ransomware attacks and the amount of money that hackers were demanding from victims, many of whom were targeted specifically for their ability to pay and their inability to sustain a prolonged disruption of services.

    A tech company, notorious for keeping websites with far-right and other extreme content online, was bought last year by a secretive company whose business is to help set up businesses, often in ways that keep details of those companies secret, WIRED reported on Thursday. Registered Agents Inc.’s acquisition of Epik may allow the shadowy company to provide its customers with another layer of anonymity.

    For the past month, senior security reporter Matt Burgess has been transitioning away from using passwords to log in to his hundreds of online accounts. Instead, he’s using passkeys, a more secure form of authentication that uses generated codes stored on your device to log in to websites and apps using a biometric identifier like a fingerprint, face scan, or PIN. When it works, it’s seamless and secure. When it doesn’t, it’s a mess.

    WhatsApp is developing a feature to allow its users to message across apps, all while maintaining its secure end-to-end encryption. In theory, the move would allow users to chat with people on WhatsApp using apps like Signal or Telegram. It’s unclear which companies, if any, will link their services with WhatsApp.

    And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

    Hackers have, in the real world, caused blackouts, set fire to a steel mill, and released worms that took down medical record systems in hospitals across the US and the UK. So it hardly seems necessary to invent new nightmares about them taking over our toothbrushes.

    Yet, when the Swiss newspaper Aargauer Zeitung published a story that cybercriminals had infected 3 million internet-connected toothbrushes with malware, then used them to launch a cyberattack that downed a website for four hours and caused millions of dollars in damage, the tale was somehow irresistible. This week, news outlets around the world picked up the story, which quoted the cybersecurity firm Fortinet as its source, spinning it out as the perfect illustration of how hackers can exploit the most mundane technology for epic malevolence. “This example, which seems like a Hollywood scenario, actually happened,” the Swiss newspaper wrote.

  • I Stopped Using Passwords. It’s Great—and a Total Mess

    Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)

    “The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO Alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up for and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”

    Being able to save a passkey on essentially any device makes them more useful and means you aren’t locked in to Google’s, Microsoft’s, or Apple’s ecosystems. However, where you save a passkey is going to take some remembering. When setting up one passkey, I was asked by my password manager, browser, and the device operating system whether I wanted to save my passkey with each of them. Picking one spot and sticking to it is probably the best option.

    Most of my work is done on my laptop—and it’s rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.

    However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead. Orenstein, from Bitwarden, says that making passkeys work on mobile is a priority for Bitwarden and more support should be rolling out in the coming months. The company has seen a “fantastic” adoption of passkeys so far, he says, but acknowledges people will have to get used to the change. “You still need an awareness about where it is,” Orenstein says. “I think, over time, as an industry, we can reduce the need for that awareness, hopefully to zero.”

    The Password’s Long Goodbye

    You may not have set up any passkeys yet, but it’s only a matter of time. Tech companies are starting to make passkeys the default, and more businesses are adopting them. In the past couple of weeks, X has started allowing some people to use passkeys, and WhatsApp is bringing them to iPhones and iPads after previously rolling out passkey support for Android devices.

    Leona Lassak, Blase Ur, and Maximilian Golla, three academics from Germany and the US who have researched the adoption of passkeys, say that businesses they’ve interviewed are generally positive about the adoption of passkeys and the extra security it will bring. However, it will likely take some time until the majority of websites, apps, and companies are using passkeys for everything. “I don’t think we will have a big bang in the next few months,” Lassak says. “It’s going to be a slow process, which on the way will then also catch other and smaller entities.”

    As a result, passwords will still be around for a while. It’ll be a long time until I have converted my remaining 320-ish accounts to be using passkeys. And for the time being at least, those accounts where I do have passkeys will still have existing passwords that I can fall back on. “Passkeys is having fewer passwords, but not necessarily no passwords,” says Golla.

    Experts recommend setting up a few passkeys whenever you come across them on your online accounts, rather than necessarily trying to change them all at once. There are guides to what websites are using passkeys already, and Google, Microsoft, and Apple all have straightforward explanations on how to create passkeys. And there are plenty of benefits to getting started now.

    “They are a true password replacement that eliminate the threat of phishing, eliminate the hassle of password resets, and eliminate the liability that service providers have when they’re managing thousands, tens of thousands, or tens of millions, or billions of passwords,” Shikiar says. “It really is an entirely new way of doing user authentication.”
