Open Garage Doors Anywhere In the World By Exploiting This 'Smart' Device

Slashdot
Author: BeauHD
An anonymous reader quotes a report from Ars Technica: A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed. Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time. The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow a door to be opened, a device connected to a smart plug to be turned off, or an alarm to be disarmed. Worse still, over the past three months, personnel for Texas-based Nexx haven't responded to multiple private messages warning of the vulnerabilities. "Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media," Sabetan wrote in a post published on Tuesday. "Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue." Sabetan estimates that more than 40,000 devices, located in residential and commercial properties, are impacted, and more than 20,000 individuals have active Nexx accounts.

IRS-Authorized eFile.com Tax Return Software Caught Serving JS Malware

Slashdot
Author: BeauHD
eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. BleepingComputer reports: eFile.com was caught serving malware, as spotted by multiple users and researchers. The malicious JavaScript file in question is called 'popper.js'. The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date. BleepingComputer can confirm, the malicious JavaScript file 'popper.js' was being loaded by almost every page of eFile.com, at least up until April 1st. As of today, the file is no longer seen serving the malicious code. On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was "hijacked." At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack. Turns out that's indeed the case. [...] The malicious JavaScript file 'update.js', further attempts to prompt users to download next stage payload, depending on whether they are using Chrome [update.exe - VirusTotal] or Firefox [installer.exe - VirusTotal]. Antivirus products have already started flagging these executables as trojans. BleepingComputer has independently confirmed these binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online associated with this incident. Security research group, MalwareHunterTeam further analyzed these binaries, and stated that these contain Windows botnets written in PHP -- a fact that the research group mocked. Additionally, the group called out eFile.com for leaving the malicious code on its website for weeks: "So, the website of [efile.com]... got compromised at least around middle of March & still not cleaned," writes MalwareHunterTeam.

Capita, Company Providing UK's Nuclear Submarine Training, Says It's Successfully Contained 'Cyber Incident'

Slashdot
Author: BeauHD
Capita, the United Kingdom's largest outsourcing company, confirmed Monday that an IT outage which left staff locked out of their accounts on Friday was caused by "a cyber incident." The Record reports: Staff attempting to login were erroneously told their usual passwords were "incorrect" according to reports, fueling speculation that a cyberattack was to blame, although not all of Capita's 61,000 employees were affected. At the time, a Capita spokesperson said the company was investigating "a technical issue." In an update on Monday about the incident sent to the Regulatory News Service, the company confirmed it "experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications." The nature of the incident has not been disclosed. While financially motivated ransomware attacks remain a prevalent threat for organizations in Britain, Capita also provides services to the British government that may be of interest to state-sponsored espionage groups. Capita's numerous contracts include several with the Ministry of Defence. Last year, a consortium it leads took control over engineering and maintenance support of training simulators for the Royal Navy's nuclear-powered ballistic missile submarines used as part of the U.K.'s nuclear deterrent. In its statement, Capita said: "Immediate steps were taken to successfully isolate and contain the issue," which was "limited to parts of the Capita network."

Novel Social Engineering Attacks Soar 135% Amid Uptake of Generative AI

Slashdot
Author: BeauHD
Researchers from Darktrace have seen a 135% increase in novel social engineering attack emails in the first two months of 2023. IT Pro reports: The cyber security firm said the email attacks targeted thousands of its customers in January and February 2023, an increase which it said matches the adoption rate of ChatGPT. The novel social engineering attacks make use of "sophisticated linguistic techniques," which Darktrace said include increasing text volume, sentence length, and punctuation in emails. Darktrace also found there's been a decrease in the number of malicious emails that are sent with an attachment or link. The firm said that this behavior could mean that generative AI, including ChatGPT, is being used by malicious actors to construct targeted attacks rapidly. Survey results indicated that 82% of employees are worried about hackers using generative AI to create scam emails which are indistinguishable from genuine communication. It also found that 30% of employees have fallen for a scam email or text in the past. Darktrace asked survey respondents what the top-three characteristics are that suggest an email is a phish and found:
- 68% said it was being invited to click a link or open an attachment
- 61% said it was due to an unknown sender or unexpected content
- Poor use of spelling and grammar was chosen by 61% too

In the last six months, 70% of employees reported an increase in the frequency of scam emails. Additionally, 79% said that their organization's spam filters prevent legitimate emails from entering their inbox. 87% of employees said they were worried about the amount of their personal information online which could be used in phishing or email scams.

Western Digital Says Hackers Stole Data in Network Security Breach

Slashdot
Author: msmash
Data storage giant Western Digital has confirmed that hackers exfiltrated data from its systems during a "network security incident" last week. From a report: The California-based company said in a statement on Monday that an unauthorized third party gained access to "a number" of its internal systems on March 26. Western Digital hasn't confirmed the nature of the incident or revealed how it was compromised, but its statement suggests the incident may be linked to ransomware. [...] Western Digital notes that the incident "has caused and may continue to cause disruption" to the company's business operations.

'Vulkan Files' Leak Reveals Putin's Global and Domestic Cyberwarfare Tactics

Slashdot
Author: BeauHD
"The Guardian reports on a document leak from Russian cyber 'security' company Vulkan," writes Slashdot reader Falconhell. From the report: Inside the six-storey building, a new generation is helping Russian military operations. Its weapons are more advanced than those of Peter the Great's era: not pikes and halberds, but hacking and disinformation tools. The software engineers behind these systems are employees of NTC Vulkan. On the surface, it looks like a run-of-the-mill cybersecurity consultancy. However, a leak of secret files from the company has exposed its work bolstering Vladimir Putin's cyberwarfare capabilities. Thousands of pages of secret documents reveal how Vulkan's engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet. The company's work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia's foreign intelligence organization. One document links a Vulkan cyber-attack tool with the notorious hacking group Sandworm, which the US government said twice caused blackouts in Ukraine, disrupted the Olympics in South Korea and launched NotPetya, the most economically destructive malware in history. Codenamed Scan-V, it scours the internet for vulnerabilities, which are then stored for use in future cyber-attacks. Another system, known as Amezit, amounts to a blueprint for surveilling and controlling the internet in regions under Russia's command, and also enables disinformation via fake social media profiles. A third Vulkan-built system -- Crystal-2V -- is a training program for cyber-operatives in the methods required to bring down rail, air and sea infrastructure.
A file explaining the software states: "The level of secrecy of processed and stored information in the product is 'Top Secret'."

US, Partner Countries Call For Controls To Counter Misuse of Spyware

Slashdot
Author: msmash
The United States and some of its partner countries on Thursday called for strict domestic and international controls to counter the proliferation and misuse of commercial spyware. From a report: The joint statement was issued by the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States. The countries said they were committed to preventing the export of technology and equipment to end-users who are likely to use them for "malicious cyber activity." The joint statement also said the countries would share information with each other on spyware proliferation and misuse, including to better identify these tools. On Monday, U.S. President Joseph Biden signed an executive order intended to curb the malicious use of digital spy tools around the globe targeting U.S. personnel and civil society. The new executive order was designed to apply pressure on the secretive industry by placing new restrictions on U.S. government defense, law enforcement and intelligence agencies' purchasing decisions.

Ransomware Crooks Are Exploiting IBM File-Exchange Bug With a 9.8 Severity

Slashdot
Author: msmash
Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned. From a report: The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM's proprietary FASP -- short for Fast, Adaptive, and Secure Protocol -- to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that's similar to email. In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10. On Tuesday, researchers from security firm Rapid7 said they recently responded to an incident in which a customer was breached using the vulnerability.

UK Sets Up Fake Booter Sites To Muddy DDoS Market

Slashdot
Author: BeauHD
An anonymous reader quotes a report from KrebsOnSecurity: The United Kingdom's National Crime Agency (NCA) has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services. The NCA says all of its fake so-called "booter" or "stresser" sites -- which have so far been accessed by several thousand people -- have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks. "However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators," reads an NCA advisory on the program. "Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. Information relating to those based overseas is being passed to international law enforcement." The NCA declined to say how many phony booter sites it had set up, or for how long they have been running. The NCA says hiring or launching attacks designed to knock websites or users offline is punishable in the UK under the Computer Misuse Act 1990. "Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?" the NCA announcement continues.

Belgian Intelligence Puts Huawei on Its Watchlist

Slashdot
Author: msmash
Belgium's intelligence service is scrutinizing the operations of technology giant Huawei as fears of Chinese espionage grow around the EU and NATO headquarters in Brussels, according to confidential documents seen by POLITICO and three people familiar with the matter. From the report: In recent months, Belgium's State Security Service (VSSE) has requested interviews with former employees of the company's lobbying operation in the heart of Brussels' European district. The intelligence gathering is part of security officials' activities to scrutinize how China may be using non-state actors -- including senior lobbyists in Huawei's Brussels office -- to advance the interests of the Chinese state and its Communist party in Europe, said the people, who requested anonymity due to the sensitivity of the matter. The scrutiny of Huawei's EU activities comes as Western security agencies are sounding the alarm over companies with links to China. British, Dutch, Belgian, Czech and Nordic officials -- as well as EU functionaries -- have all been told to stay off TikTok on work phones over concerns similar to those surrounding Huawei, namely that Chinese security legislation forces Chinese tech firms to hand over data. The scrutiny also comes amid growing evidence of foreign states' influence on EU decision-making -- a phenomenon starkly exposed by the recent Qatargate scandal, where the Gulf state sought to influence Brussels through bribes and gifts via intermediary organizations. The Belgian security services are tasked with overseeing operations led by foreign actors around the EU institutions.

GitHub.com Rotates Its Exposed Private SSH Key

Slashdot
Author: BeauHD
GitHub has rotated its private SSH key for GitHub.com after the secret was accidentally published in a public GitHub repository. BleepingComputer reports: The software development and version control service says the private RSA key was only "briefly" exposed, but that it took action out of "an abundance of caution." In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for GitHub.com had been ephemerally exposed in a public GitHub repository. "We immediately acted to contain the exposure and began investigating to understand the root cause and impact," writes Mike Hanley, GitHub's Chief Security Officer and SVP of Engineering. "We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change." As some may notice, only GitHub.com's RSA SSH key has been impacted and replaced. No change is required for ECDSA or Ed25519 users.

Linus Tech Tips' YouTube Channel Was Hacked

Slashdot
Author: msmash
New submitter Kitkoan writes: Hackers had gained control of Linus Tech Tips' YouTube channel to promote a cryptocurrency scam. Earlier on Thursday, hackers had gained control of the Linus Tech Tips YouTube channel and used it to promote a fake crypto giveaway that falsely used the name of Elon Musk and the Tesla brand (obviously without the permission of either party). Thankfully, the Linus Tech Tips crew quickly worked to re-establish control of the channel, but not before the channel had started two live streams to promote AI, ChatGPT, Bitcoin, and their aforementioned (fake) crypto giveaway.

Hackers Drain Bitcoin ATMs of $1.5 Million By Exploiting 0-Day Bug

Slashdot
Author: BeauHD
turp182 shares a report from Ars Technica: Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can't be reversed, the kiosk manufacturer has revealed. The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that aren't entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface. Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASes operated by the company and by customers. To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application. The actor then drained various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes patched the vulnerability 15 hours after learning of it, but due to the way cryptocurrencies work, the losses were unrecoverable. [...] Once the malicious application executed on a server, the threat actor was able to (1) access the database, (2) read and decrypt encoded API keys needed to access funds in hot wallets and exchanges, (3) transfer funds from hot wallets to a wallet controlled by the threat actor, (4) download user names and password hashes and turn off 2FA, and (5) access terminal event logs and scan for instances where customers scanned private keys at the ATM. The sensitive data in step 5 had been logged by older versions of ATM software. 
Going forward, this weekend's post said, General Bytes will no longer manage CASes on behalf of customers. That means terminal holders will have to manage the servers themselves. The company is also in the process of collecting data from customers to validate all losses related to the hack, performing an internal investigation, and cooperating with authorities in an attempt to identify the threat actor. General Bytes said the company has received "multiple security audits since 2021," and that none of them detected the vulnerability exploited. The company is now in the process of seeking further help in securing its BATMs.

Explosives Replace Malware As the Scariest Thing a USB Stick May Hide

Slashdot
Author: BeauHD
An anonymous reader quotes a report from Ars Technica: As reported by the Agence France-Presse (via CBS News) on Tuesday, five Ecuadorian journalists have received USB drives in the mail from Quinsaloma. Each of the USB sticks was meant to explode when activated. Upon receiving the drive, Lenin Artieda of the Ecuavisa TV station in Guayaquil inserted it into his computer, at which point it exploded. According to a police official who spoke with AFP, the journalist suffered mild hand and face injuries, and no one else was harmed. According to police official Xavier Chango, the flash drive that went off had a 5-volt explosive charge and is thought to have used RDX. Also known as T4, according to the Environmental Protection Agency (PDF), militaries, including the US's, use RDX, which "can be used alone as a base charge for detonators or mixed with other explosives, such as TNT." Chango said it comes in capsules measuring about 1 cm, but only half of it was activated in the drive that Artieda plugged in, which likely saved him some harm. On Monday, Fundamedios, an Ecuadorian nonprofit focused on media rights, put out a statement on the incidents, which saw letters accompanied by USB-stick bombs sent to two more journalists in Guayaquil and two journalists in Ecuador's capital. Fundamedios said Alvaro Rosero, who works at the EXA FM radio station, also received an envelope with a flash drive on March 15. He gave it to a producer, who used a cable with an adapter to connect it to a computer. The radio station got lucky, though, as the flash drive didn't explode. Police determined that the drive featured explosives but believe it didn't explode because the adapter the producer used didn't have enough juice to activate it, Fundamedios said. Yet another reporter attempted to access the drive's unknown content. Milton Perez at Teleamazonas' Quito offices might have set off the USB stick's explosives if he had plugged it into the computer properly, according to Fundamedios. 
Police intercepted a fourth drive sent to Carlos Vera in Guayaquil and performed a "controlled detonation" on one sent to Mauricio Ayora at TC Television, also in Guayaquil, BBC reported. It's unclear what the motive is behind the exploding drives. Ecuador Interior Minister Juana Zapata confirmed that all five cases used the same type of USB device and said the incidents send "an absolutely clear message to silence journalists," per AFP. In a statement cited by BBC, the Ecuadorian government said, "Any attempt to intimidate journalism and freedom of expression is a loathsome action that should be punished with all the rigor of justice."

New Victims Come Forward After Mass-Ransomware Attack

Slashdot
Author: msmash
The number of victims affected by a mass-ransomware attack, caused by a bug in a popular data transfer tool used by businesses around the world, continues to grow as another organization tells TechCrunch that it was also hacked. From the report: Canadian financing giant Investissement Quebec confirmed to TechCrunch that "some employee personal information" was recently stolen by a ransomware group that claimed to have breached dozens of other companies. Spokesperson Isabelle Fontaine said the incident occurred at Fortra, previously known as HelpSystems, which develops the vulnerable GoAnywhere file transfer tool. Hitachi Energy also confirmed this week that some of its employee data had been stolen in a similar incident involving its GoAnywhere system, but saying the incident happened at Fortra. Over the past few days, the Russia-linked Clop gang has added several other organizations to its dark web leak site, which it uses to extort companies further by threatening to publish the stolen files unless a financial ransom demand is paid. TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward. However, while the number of victims of the mass-hack is widening, the known impact is murky at best. Since the attack in late January or early February -- the exact date is not known -- Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization's network that allows companies to securely transfer huge sets of data and other large files.

Ransomware Attacks Have Entered a Heinous New Phase

Slashdot
Author: msmash
Cybercriminal gangs now releasing stolen photos of cancer patients, student records. From a report: In February, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, that's part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack "involved" a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, "but LVHN refused to pay this criminal enterprise." After a couple of weeks, BlackCat threatened to publish data stolen from the system. "Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business," BlackCat wrote on their dark-web extortion site. "Your time is running out. We are ready to unleash our full power on you!" The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information. The medical photos are graphic and intimate, depicting patients' naked breasts in various angles and positions. And while hospitals and health care facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers' desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay. "As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques," says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. "I think we'll see more of that. It follows closely patterns in kidnapping cases, where when victims' families refused to pay, the kidnappers might send an ear or other body part of the victim." 
Researchers say that another example of these brutal escalations came on Tuesday when the emerging ransomware gang Medusa published sample data stolen from Minneapolis Public Schools in a February attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes that describe allegations of a sexual assault and the names of a male student and two female students involved in the incident.

India Plans New Security Testing For Smartphones, Crackdown on Pre-Installed Apps

Slashdot
Author: msmash
India plans to force smartphone makers to allow removal of pre-installed apps and mandate screening of major operating system updates under proposed new security rules, according to two people and a government document seen by Reuters. From a report: The new rules, details of which have not been previously reported, could extend launch timelines in the world's No.2 smartphone market and lead to losses in business from pre-installed apps for players including Samsung, Xiaomi, Vivo, and Apple. India's IT ministry is considering these new rules amid concerns about spying and abuse of user data, said a senior government official, one of the two people, declining to be named as the information is not yet public. "Pre-installed apps can be a weak security point and we want to ensure no foreign nations, including China, are exploiting it. It's a matter of national security," the official added. India has ramped up scrutiny of Chinese businesses since a 2020 border clash between the neighbours, banning more than 300 Chinese apps, including TikTok. It has also intensified scrutiny of investments by Chinese firms.

DeFi Lender Euler Finance Hit By $197 Million Hack, Experts Say

Slashdot
Author: msmash
Decentralized lending protocol Euler Finance was hit by an attack that drained $197 million in cryptocurrencies from its platform on Monday, making it the largest hack in its corner of the digital-assets market this year. From a report: The bulk of the hacker's loot -- worth roughly $135 million -- was denominated in staked Ether tokens (stETH), while the remainder was held in wrapped Bitcoin and stablecoins DAI and USDC, according to security firm BlockSec. Some of the proceeds from the attack are already being laundered through Tornado Cash, a US-sanctioned platform which enables users to obfuscate their transaction history, security companies PeckShield Inc and Elliptic said. The incident on Monday morning in London has almost wiped out Euler's on-chain value, leaving only around $9.7 million locked on the platform, data from DeFiLlama show. Euler Finance allows users to lend and borrow large amounts of cryptoassets through an automated service that does not require human intervention. The protocol's EUL token fell more than 50% to a low of $2.88 after the attack was disclosed, according to pricing data from CoinGecko. Details of the hack weren't immediately provided by the platform's developer Euler Labs.

Data Breach Hits 'Hundreds' of Lawmakers And Staff On Capitol Hill

Slashdot
Author: BeauHD
A top House official said that a "significant data breach" at the health insurance marketplace for Washington, D.C., on Tuesday potentially exposed personal identifiable information of hundreds of lawmakers and staff. NBC News reports: In a letter obtained by NBC News, Chief Administrative Officer Catherine L. Szpindor said Wednesday that the U.S. Capitol Police and the FBI had alerted her to a data breach at DC Health Link, the Affordable Care Act online marketplace that administers health care plans for members of Congress and certain Capitol Hill staff. "Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and [personally identifiable information] of hundreds of Member and House staff were stolen," Szpindor said. "I expect to have access to the list of impacted enrollees later today and will notify you directly if your information was compromised." Szpindor added that it did not appear that House lawmakers were "the specific target of the attack" on DC Health Link. Out of an "abundance of caution," Szpindor said, lawmakers may opt to freeze family credit at three major credit bureaus, Equifax, Experian and Transunion. The data breach has also affected Senate offices, according to an email sent to Senate offices Wednesday afternoon that said the Senate Sergeant at Arms was informed by law enforcement about a data breach. The notice said that the "data included the full names, date of enrollment, relationship (self, spouse, child), and email address, but no other Personally Identifiable Information (PII)."

ECB To Test Banks for Cyber Resilience

Slashdot
Author: msmash
The European Central Bank plans to test the cyber resilience of the euro zone's top banks after a sharp rise in cyberattacks, including after Russia's invasion of Ukraine, ECB supervisory chief Andrea Enria told a Lithuanian newspaper. From a report: "Next year we are launching a thematic stress test on cyber resilience, which will try to test how banks are able to respond to and recover from a successful cyberattack," Enria told Verslo zinios. The ECB has long been warning banks to be alert for cyberattacks from Russia after the European Union passed a long series of sanctions against Moscow over its invasion of Ukraine. "There has been a significant increase in cyberattacks," Enria said. "We cannot apportion this to any specific source, but it is a fact that the number of these attacks has increased since the war started." Enria said that part of the problem is that banks are outsourcing some of their critical IT infrastructure to outside providers or other entities in their group.
