Hornetsecurity research highlights that more than 1 in 4 companies have fallen victim to ransomware attacks, with 14.1% losing data and 6.6% paying a ransom.

**LONDON****,** **March 15, 2023** **/PRNewswire/ --** Global cybersecurity provider Hornetsecurity has today announced the launch of VM Backup V9 – the newest version of its award-winning virtual machine (VM) backup, replication and recovery solution.

This latest iteration offers ransomware protection leveraging immutable cloud storage on Wasabi and Amazon S3, with Microsoft Azure soon to follow. This new key feature enables customers to protect their backup data from ransomware by making their data tamper-proof for a defined period.

A recent Hornetsecurity study revealed that 15% of ransomware attacks specifically targeted backups, highlighting the essential need for immutable backups , which forms a key part of the V9 update.

Hornetsecurity CEO, Daniel Hofmann, said: "Data breaches and ransomware cost businesses millions of dollars every year. It's vital that organisations take preventative measures and are protected with the latest technology. We're excited to launch VM Backup V9, which provides reassurance to our customers and partners that their virtual machine data backups are protected against ransomware attacks. It also addresses the latest compliance regulations in data security and data protection."

**Ransomware protection**

Immutable Cloud Storage gives users ongoing access to their data without the need to pay a ransom if targeted by ransomware. This newest feature ensures that backup data becomes tamper-proof, as it cannot be modified or deleted by any user, including administrators and root users.

**Easy installation and newly overhauled backup repository**

VM Backup V9 has an easy-to-use, intuitive interface that gives individuals full control, allowing them to monitor and manage all Hyper-V and VMware VMs from a single console.

V9 can now handle larger infrastructure setups. Its overhauled backup repository optimises disk space, ensuring more robust long-term storage. In addition, background operations can now run in parallel with other ongoing backup and restore processes.

Hornetsecurity provides outstanding support 24 hours a day, 7 days a week, with a guaranteed call response time of less than 30 seconds.

**Learn more about Hornetsecurity's VM Backup V9** here.

**About Hornetsecurity**

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Hornetsecurity Launches VM Backup V9

Russia, North Korea, Iran, and China have been caught using fake profiles to gather information. But the platform’s tools to weed them out only go so far.

There is nothing immediately suspicious about Camille Lons’ LinkedIn page. The politics and security researcher’s profile photo is of her giving a talk. Her professional network is made up of almost 400 people; she has a detailed career history and biography. Lons has also shared a link to a recent podcast appearance—“always enjoying these conversations”—and liked posts from diplomats across the Middle East.

So when Lons got in touch with freelance journalist Anahita Saymidinova last fall, her offer of work appeared genuine. They swapped messages on LinkedIn before Lons asked to share more details of a project she was working on via email. “I just shoot an email to your inbox,” she wrote.

What Saymidinova didn’t know at the time was that the person messaging her wasn’t Lons at all. Saymidinova, who does work for Iran International, a Persian-language news outlet that has been harassed and threatened by Iranian government officials, was being targeted by a state-backed actor. The account was an imposter that researchers have since linked to Iranian hacking group Charming Kitten. (The real Camille Lons is a politics and security researcher, and a LinkedIn profile with verified contact details has existed since 2014. The real Lons did not respond to WIRED’s requests for comment.)

When the fake account emailed Saymidinova, her suspicions were raised by a PDF that said the US State Department had provided $500,000 to fund a research project. “When I saw the budget, it was so unrealistic,” Saymidinova says.

But the attackers were persistent and asked the journalist to join a Zoom call to discuss the proposal further, as well as sending some links to review. Saymidinova, now on high alert, says she told an Iran International IT staff member about the approach and stopped replying. “It was very clear that they wanted to hack my computer,” she says. Amin Sabeti, the founder of Certfa Lab, a security organization that researches threats from Iran, analyzed the fake profile’s behavior and correspondence with Saymidinova and says the incident closely mimics other approaches on LinkedIn from Charming Kitten.

The Lons incident, which has not been previously reported, is at the murkiest end of LinkedIn’s problem with fake accounts. Sophisticated state-backed groups from Iran, North Korea, Russia, and China regularly leverage LinkedIn to connect with targets in an attempt to steal information through phishing scams or by using malware. The episode highlights LinkedIn’s ongoing battle against “inauthentic behavior,” which includes everything from irritating spam to shady espionage. 

Missing Links

LinkedIn is an immensely valuable tool for research, networking, and finding work. But the amount of personal information people share on LinkedIn—from location and languages spoken to work history and professional connections—makes it ideal for state-sponsored espionage and weird marketing schemes. False accounts are often used to hawk cryptocurrency, trick people into reshipping schemes, and steal identities.  

Sabeti, who’s been analyzing Charming Kitten profiles on LinkedIn since 2019, says the group has a clear strategy for the platform. “Before they initiate conversation, they know who they are contacting, they know the full details,” Sabeti says. In one instance, the attackers got as far as hosting a Zoom call with someone they were targeting and used static pictures of the scientist they were impersonating.

The fake Lons LinkedIn profile, which was created in May 2022, listed the real Lons’ correct work and education histories and used the same image from her real Twitter and LinkedIn accounts. Much of the biography text on the fake page had been copied from profiles of the real Lons as well. Sabeti says the group ultimately wants to gain access to people’s Gmail or Twitter accounts to gather private information. “They can collect intelligence,” Sabeti says. “And then they use it for other targets.” 

The UK government said in May 2022 that “foreign spies and other malicious actors” had approached 10,000 people on LinkedIn or Facebook over 12 months. One person acting on behalf of China, according to court documents, found that the algorithm of one “professional networking website” was “relentless” in suggesting potential new targets to approach. Often these approaches start on LinkedIn but move to WhatsApp or email, where it may be easier to send phishing links or malware.

In one previously unreported example, a fake account connected to North Korea’s Lazarus hacking group, pretended to be a recruiter at Meta. They started by asking the target how their weekend was before inviting them to complete a programming challenge to continue the hiring process, says Peter Kalnai, the senior malware researcher at security firm ESET who discovered the account. But the programming challenge was a scam designed to deploy malware to the target’s computer, Kalnai says. The LinkedIn messages sent by the scammers didn’t contain many grammatical errors or other typos, he says, which made the attack more difficult to catch. “Those communications were convincing. No red flags in the messages.”

It’s likely that scam and spam accounts are much more common on LinkedIn than those connected to any nation or government-backed groups. In September last year, security reporter Brian Krebs found a flood of fake chief information security officers on the platform and thousands of false accounts linked to legitimate companies. Following the reporting, Apple and Amazon’s profile pages were purged of hundreds of thousands of fake accounts. But due to LinkedIn’s privacy settings, which make certain profiles inaccessible to users who don’t share connections, it’s difficult to gauge the scope of the problem across the platform. 

The picture gets clearer at an individual company level. An analysis of WIRED’s company profile in January showed 577 people listing WIRED as their current employer—a figure well above the actual number of staff. Several of the accounts appeared to use profile images generated by AI, and 88 profiles claimed to be based in India. (WIRED does not have an India office, although its parent company, Condé Nast, does.) One account, listed as WIRED’s “co-owner,” used the name of a senior member of WIRED’s editorial staff and was advertising a suspicious financial scheme. 

In late February, soon after we told LinkedIn about suspicious accounts linked to WIRED, approximately 250 accounts were removed from WIRED’s page. The total employee count dropped to 225, with 15 people based in India—more in line with the real number of employees. The purpose of these removed accounts remains a mystery.

“If people were using fake accounts to impersonate WIRED journalists, that would be a major issue. In the disinformation space, we have seen propagandists pretend to be journalists to gain credibility with their target audiences,” says Josh Goldstein, a research fellow with the CyberAI Project at Georgetown University’s Center for Security and Emerging Technology. “But the accounts you shared with me don’t seem to be of that type.” 

Without more information, Goldstein says, it’s impossible to know what the fake accounts linked to WIRED may have been up to. Oscar Rodriguez, LinkedIn’s vice president in charge of trust, privacy, and equity, says the company does not go into detail about why it removes specific accounts. But he says many of the accounts linked to WIRED were dormant. 

Fighting Fakes

In October 2022, LinkedIn introduced several features meant to clamp down on fake and scam profiles. These included tools to detect AI-generated profile photos and filters that flag messages as potential scams. LinkedIn also rolled out an “About” section for individual profiles that shows when an account was created and whether the account has been verified with a work phone number or email address. 

In its most recent transparency report, covering January to June 2022, LinkedIn said that 95.3 percent of the fake accounts it discovered were blocked by “automated defenses,” including 16.4 million that were blocked at the time of registration. LinkedIn’s Rodriguez says the company has identified a number of signs it looks for when hunting fake accounts. For instance, commenting or leaving messages with super-human speed—a potential sign of automation—might cue LinkedIn to ask the account to provide a state-issued ID and make the account inaccessible to other users.

Similarly, when an account is being created, a mismatch between its IP address and listed location wouldn’t automatically be a trigger—someone could be traveling or using a VPN—but it might be a “yellow flag,” Rodriguez says. If the account shares other characteristics with previously removed accounts from a particular region or set of devices, he adds, that might be a clearer signal that the account is fraudulent.

“For the very small percent of accounts that managed to interact with members, we retrace our steps to understand the common characteristics across the different accounts,” Rodriguez says. The information is then used to “cluster” groups of accounts that may be fraudulent. Sabeti says LinkedIn is “very proactive” when human rights or security organizations report suspicious accounts. “It’s good in comparison with the other tech companies,” he says.

In some cases, LinkedIn’s new defenses appear to be working. In December, WIRED created two fake profiles using AI text generators. “Robert Tolbert,” a mechanical engineering professor at Oxford University, had an AI-generated profile photo and a resume written by ChatGPT, complete with fake journal articles. The day after the account was created, LinkedIn asked for ID verification. A second fake profile attempt—a “software developer” with Silicon Valley credentials and no photo—also received a request for an ID the following day. Rodriguez declined to comment on why these accounts were flagged, but both accounts were inaccessible on LinkedIn after they received the request for ID.

But detecting fake accounts is tricky—and scammers and spies are always trying to stay ahead of systems designed to catch them. Accounts that slip past initial filters but haven’t started messaging other people—like many of the scam accounts claiming to be WIRED staff—seem to be particularly hard to catch. Rodriguez says dormant accounts are generally removed through user reports or when LinkedIn discovers a fraudulent cluster. 

Today, WIRED’s page is a fairly accurate snapshot of its current staff. The fake Camille Lons profile was removed after we began reporting this story—Rodriguez did not say why. But in a process similar to the Lons impersonators, we conducted one additional experiment to try to slip past LinkedIn’s filters. 

With his permission, we created an exact duplicate of the profile for Andrew Couts, the editor of this story, only swapping out his photo for an alternative. The only contact information we provided when creating the account was a free ProtonMail account. Before we deleted the account, Fake Couts floated around on LinkedIn for more than two months, accepting connections, sending and receiving messages, browsing job listings, and promoting the occasional WIRED story. Then, one day, Fake Couts received a message from a marketer with an offer that seems too good to be true: a custom-built “professional WordPress website at no cost.”

A Spy Wants to Connect With You on LinkedIn

By Deeba Ahmed
The cybercrime group has given a deadline of March 20th, 2023 for their demands, which as expected, is a ransom.
This is a post from HackRead.com Read the original post: LockBit Ransomware Claims Data Breach at SpaceX Contractor

****The infamous LockBit ransomware claims to have stolen 3,000 “drawings certified by SpaceX engineers,” which they plan to sell “to other manufacturers” through an auction in a week unless they receive a ransom payment.****

The **LockBit** Ransomware Group Claims Data Breach at SpaceX Contractor ransomware group has recently made headlines by claiming to have stolen sensitive data belonging to SpaceX, a leading American aerospace manufacturer, and space transportation company owned by Elon Musk.

The news comes at the same time as the ALPHV ransomware group’s claim of **hacking into Amazon’s Ring** and stealing sensitive data, raising serious privacy concerns.

As seen by Hackread.com, the group targeted Texas-based Maximum Industries, one of **SpaceX’s third-party contractors**, and stole valuable data related to the company’s operations and projects.

LockBit hackers claim to have stolen 3,000 “drawings certified by SpaceX engineers,” which they plan to sell “to other manufacturers” through an auction in a week unless they receive a ransom payment. However, none of the claims regarding the stolen data could be confirmed.

Maximum Industries offers traditional and non-traditional machining processes and specializes in laser cutting and CNC machining services. While the exact details of how the contractor was compromised are not yet clear, it is likely that the ransomware group used phishing emails, and **social engineering**, or relied on an insider to gain access to the company’s systems.

Launched in 2019, the **LockBit ransomware group** is known for its sophisticated attack methods and aggressive demands for payment. The group typically targets large corporations and organizations, encrypts their data, and demands a hefty ransom in exchange for the decryption key.

If the victim refuses to pay, LockBit threatens to publish their stolen data online or sell it on the dark web. To date, LockBit has targeted more than 1,000 organizations.

The apparent theft of valuable data from a high-profile company like SpaceX highlights the growing threat of ransomware attacks and the need for organizations to take proactive measures to protect their sensitive information.

In recent years, ransomware attacks have become more frequent and sophisticated, causing billions of dollars in losses to companies worldwide. In addition to financial damage, these attacks can also have severe consequences for an organization’s reputation and customer trust.

To prevent ransomware attacks, organizations must implement robust security measures, including regular data backups, **multi-factor authentication**, and employee training on how to identify and respond to phishing attempts.

It is also essential to work with trusted third-party vendors who follow best practices in data security and regularly perform security audits.

1.  **Bangkok Airways hit by Lockbit ransomware**
2.  **Accenture claims to fight off LockBit ransomware**
3.  **LockBit ransomware hits French Ministry of Justice**

LockBit Ransomware Claims Data Breach at SpaceX Contractor

By Deeba Ahmed
ALPHV ransomware group threatens to leak sensitive data allegedly stolen from amazon's ring security cameras unless demands are met.
This is a post from HackRead.com Read the original post: ALPHV ransomware gang claims it has hacked Amazon’s Ring

****Amazon has no evidence of having been hit by a ransomware attack; however, the company is investigating a third-party vendor over the data breach.****

ALPHV, a ransomware group known for using the BlackCat malware, has claimed responsibility for the attack on Amazon’s popular security camera company, Ring, and is now threatening to leak their data.

The ALPHV ransomware group is involved in a series of ransomware attacks using BlackCat malware and operates a ransomware-as-a-service platform. Here’s the message ALPHV posted on their website with Ring’s logo:

> “There’s always an option to let us leak your data.”

The group has also created a searchable database of its victims who deny paying the ransom, which can be accessed by its affiliated groups.

This is what the ALPHV ransomware gang has to say about the alleged hack

In its tweet, VX-Underground, online malware source code collectors, confirmed on 13th March that ALPHV is responsible for the attack on Ring. However, the company did not confirm if the hackers compromised any data, so there are currently no recommendations for Ring users on how to address the situation.

For your information, Ring doorbell and security camera devices support E2EE (end-to-end) encryption in a majority of the regions where it is available. This means neither any government entity, hackers, nor even its parent company Amazon can access the uploaded footage.

However, it is possible for the attackers to exfiltrate corporate/customer data instead of the video. According to a Ring spokesperson, the company has no evidence of having been hit by a ransomware attack; however, they are investigating a third-party vendor over the data breach.

1.  Amazon Ring flaw could expose camera recordings
2.  ThroughTek flaw exposed millions of IoT cams to spying
3.  Hacked ring cams used in livestreaming swatting attacks

ALPHV ransomware gang claims it has hacked Amazon’s Ring

AT&T, PayPal, and Microsoft top the list of domains that victims visit following a link in a phishing email, as firms fight to prevent fraud and credential harvesting.

Credential-seeking cyberattackers garnered the most phishing success by impersonating the brands of telecommunications firms, financial institutions, and popular technology companies in 2022.

That's according to an analysis of data collected by Internet services provider Cloudflare, which found that Individuals most often clicked on links in emails that appeared to come from AT&T and Verizon, PayPal and Wells Fargo, or Microsoft and Facebook. The rankings did not align with popularity — the Internal Revenue Service ranked No. 6 — but rather with the size of the brand's user base and the relative opportunity to turn compromise into cash, says Matthew Prince, CEO and co-founder of Cloudflare.

"We're seeing up and down the brand list, from the largest and most risky down to the smallest, that phishing is not going away as a problem," Prince says. "Email still continues to be the No. 1 entry point for an attacker \[and\] phishing still continues to be the No. 1 threat for almost all of our customers."

In addition, attackers are increasingly using phishing in an attempt to steal credentials from privileged employees and gain access to corporate networks, he says.

Cloudflare is not the only organization to see phishing as a threat, of course. In 2022, more than 300,000 complaints of phishing attacks flooded the FBI's Internet Crime Complaint Center (IC3), slightly down from the peak in 2021 of nearly 324,000 complaints, but a 162% increase from three years ago. The numbers do not include business email compromise (BEC) and investment scams, the most damaging types of attacks, both of which typically have a targeted phishing component.

The phishing problem can be more problematic on mobile devices, since attackers are harder to spot in most mobile mail clients. In 2022, mobile phishing encounter rates — a measure of the number of phishing attempts the average user receives — increased roughly 10% for enterprise devices and more than 20% for personal devices, according to mobile-device management firm Lookout. Overall, half of mobile users faced a phishing attack at some point in 2022, the company stated in its recent "State of Mobile Phishing in 2023" report.

**An Often-Ignored Threat**

Most users have become inured to the fake emails using known brands to attempt to harvest credentials as the first step in an account compromise. Yet the deluge of disguised emails do have the occasional success, which makes the effort worth the attackers' time and mean that they remain the most common cause of data breaches.

Cloudflare used data from its domain name service (DNS) resolver to find the known phishing URLs that were most often visited by users, with visits to common hosting sites, such as Google and GoDaddy, removed from the data if the site could not be confirmed to be fraudulent.

It's not an indication of a successful phishing attack, but the top-50 list does show which emails overcome the recipient's initial skepticism, Cloudflare's Prince says.

"There are plenty of phishing scams where you might get something and say — 'Is this legitimate?' — so you might click on that link," he says. "It's at least the start down a journey of success; it doesn't mean that somebody necessarily entered their credentials, or even, if they entered information, that they entered accurate information."

Last August, Cloudflare detected a sophisticated phishing attack against the company, the same attack that compromised customer-data platform Twilio and more than 100 other companies, dubbed "Oktapus" for its targeting of the identity firm Okta.

Most recently, a phishing email sent to a Reddit employee led to a cloned gateway for the company and allowed an attacker to gain access to the social media site's internal network for a few hours.

**The Long Tail of Phish**

The top-50 list represents typical targets of credential stealing campaigns, and while there is a significant difference in volume between the start and the end of the list, smaller companies and the much lower volume of phishing directed against their brands result in a very long tailed distribution, Prince says.

Attackers tend to see phishing directed against brands in the top 50 as a way to steal money, packages, or valuable information from accounts, while the long-tail phishing tends to focus on gaining access for further compromise, Prince says. The first 10 companies on the list are AT&T, PayPal, Microsoft, DHL, Facebook, the IRS, Oath Holdings/Verizon, Mitsubishi UFJ NICOS, Adobe, and Amazon. The final five companies on the list are Banco Itaú Unibanco, Steam, Swisscom, LexisNexis, and Orange S.A.

"In most of these cases, when it's in the top-50 list, it's about how an attacker can gain access to an account to, in relatively short order, do something that generates cash for the attacker," he says. "I think that when we look at some of the more targeted attacks, those \[that\] are much more about compromising systems, they then can be used more indirectly to launch some sort of attack."

Brand Names in Finance, Telecom, Tech Lead Successful Phishing Lures

Directory Traversal vulnerability in iThemes BackupBuddy plugin 8.5.8.0 - 8.7.4.1 versions.

We recently discovered a security vulnerability in our BackupBuddy plugin. The vulnerability could allow a breach of your WordPress site, so we are asking all customers to **confirm your sites are running version 8.7.5 or higher of the BackupBuddy plugin.**

**BackupBuddy**

Plugin

BackupBuddy

Vulnerability

Directory Traversal Vulnerability

Patched in Version

8.7.5

Severity Score

High

**Who This Vulnerability Impacts**

This vulnerability only impacts sites **running BackupBuddy versions 8.5.8.0 through 8.7.4.1.**

**We have indications that this vulnerability is being _actively exploited_ in the wild.** We were notified of suspicious activity related to a BackupBuddy installation on September 2nd, 2022. The earliest exploits we have discovered appear to have started on August 27th, 2022.

*   Once we identified the exploit, we released a patch on September 2, 2022, to resolve the exploit in BackupBuddy version 8.7.5.
*   **We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of your current BackupBuddy licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.**
*   We also pushed auto-updates for all iThemes Sync users who have BackupBuddy installed.

**What Information Can Hackers Get Access To?**

This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd.

**Indicators of Compromise**

To detect if your site was attacked, look for the following indicators of compromise. Search your server’s access logs for any text that contains local-destination-id and /etc/passwd or wp-config.php with an HTTP 2xx Response. (If you need help with this, please reach out to our support team by creating a support ticket on the iThemes Help Desk.)

**What You Should Do: Recommended Next Steps****1\. Update BackupBuddy to version 8.7.5 immediately.**

**Please update to BackupBuddy 8.7.5. immediately to fix this exploit.** Even if you aren’t running one of the vulnerable versions of BackupBuddy, we still recommend updating to BackupBuddy 8.7.5 as a best practice for running the latest versions of all your plugins and themes.

Running BackupBuddy on multiple WordPress sites? Use iThemes Sync to quickly update all your sites to BackupBuddy 8.7.5.

**2\. Follow the steps in the previous section to search for a compromise.**

If you have determined that your site may have been compromised, we recommend performing the following steps.

1.  **Reset your database password.** You may have to reach out to your hosting provider to help you with this.
2.  **Change your WordPress salts.** iThemes Security can do this for you automatically via Tools > Change WordPress Salts. You can update them manually following our guide on how to change your WordPress salts and keys.
3.  **Rotate other secrets in wp-config.php**. You may have stored API keys for services like Amazon S3 in your wp-config.php file. If so, these should be reset and updated.

If your server has an exposed phpMyAdmin installation, or your WordPress server connects to a publicly accessible database server, we recommend restoring to a backup from a date prior to the earliest logged access attempt. If this isn’t possible, engage a Hack Repair service to help you manually clean your WordPress website. At a minimum, you should search for and remove any suspicious administrator users on your website and reset the passwords for all other administrator users.

**If you manage your own server**

1.  **Consider rotating SSH passwords for all users.** An attacker could brute force the hashed password in the file and possibly continue to gain further unauthorized access to your server.
2.  **Consider updating your web user’s SSH keys.** An attacker could read the private SSH key file and the associated known hosts that the web user might have accessed previously.

Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. **Please share this post with your friends to help get the word out and make WordPress safer for everyone**!

**Questions?**

Our support team is standing by if you have questions or need help. Please open a ticket through the iThemes Help Desk.

CVE-2022-31474: WordPress Vulnerability Report, Special Edition – September 6, 2022: BackupBuddy

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Plus: A data breach exposes Washington, Ring camera footage has a new problem, and the George Santos scandal slips into the world of cybercrime.

In a statement released a day before the investigation’s release, Jayd Henricks, the group’s president, said, “It isn't about straight or gay priests and seminarians. It’s about behavior that harms everyone involved, at some level and in some way, and is a witness against the ministry of the church.”

No national US data privacy laws prohibit the sale of this kind of data.

On Wednesday, the District of Columbia’s health insurance exchange confirmed that it was working with law enforcement to investigate an alleged leak after a database containing personal information of about 170,000 individuals was offered for sale on a hacker forum popular with cybercriminals. The reported breach in DC Health Link, as the exchange is known, could expose sensitive personal data of lawmakers, their employees, and their families. Thousands of the exchange’s participants work in the US House and Senate, and a sample of the stolen data set reviewed by CyberScoop indicates that the victims of the breach also range from lobbyists to coffee shop employees. 

According to a letter to the head of the DC Health Benefit Exchange Authority from House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries, the FBI has apparently purchased some of the stolen data from the dark web. While the FBI had not yet determined the extent of the breach, according to the letter, “the size and scope of impacted House customers could be extraordinary.”

A report by Politico published March 7 details how Ring, Amazon’s home-surveillance company, handed law enforcement videos captured by an Ohio man’s 20 Ring cameras against his will. In December, the Hamilton Police Department sought a warrant for camera footage—including from inside the man’s house—while investigating his neighbor. According to the report, after he willingly providing video to the police that showed the street outside his home, police used the courts to access more footage against his will.

While law enforcement often seeks warrants for digital data, those warrants typically pertain to the subject of a particular investigation. However, as networked home surveillance cameras have become increasingly popular, sometimes blanketing city blocks, law enforcement is increasingly turning to individuals who are completely unaffiliated with a case to provide data. According to Politico, the lack of legal controls on what police can ask for opens the door for a bystander’s indoor home footage to be lawfully acquired by police.

Following Politico's story, Gizmodo reported that a customer service agent for Ring told a concerned customer that the Politico story was a “hoax” perpetrated by a competitor. In response, an Amazon spokesperson told Gizmodo that the company does not in fact think the story was a hoax and the statement was the result of a misunderstanding on the part of the customer support agent. “We will ensure the agent receives the appropriate coaching,” the spokesperson said.

A former roommate of noted fabulist George Santos told federal authorities that the US congressman from Long Island, New York, had orchestrated a credit card skimming operation in Seattle in 2017. In a declaration submitted to authorities and obtained by Politico, the Brazilian man—convicted of credit card fraud and deported from the US—told the FBI, “Santos taught me how to skim card information and how to clone cards. He gave me all the materials and taught me how to put skimming devices and cameras on ATM machines.” 

According to the declaration, Gustavo Ribeiro Trelha met Santos in 2016 when he rented a room from him in his Florida apartment. There Santos reportedly taught Trelha how to use credit card cloning equipment and eventually flew him to Seattle to begin stealing financial information. “My deal with Santos was 50 percent for him, 50 percent for me,” Trelha wrote.

How a Catholic Group Doxed Gay Priests

Categories: News
Categories: Privacy
Speaking at a US Senate hearing on Wednesday, General Paul Nakasone, Director of the NSA, said one sixth of American youth say they're constantly on TikTok. That's a loaded gun.



(Read more...)




The post TikTok "a loaded gun" says NSA appeared first on Malwarebytes Labs.

America's TikTok-addicted youth is playing with a "loaded gun" according to General Paul Nakasone, Director of the National Security Agency (NSA). Speaking at a US Senate hearing on Wednesday, the general said "one third of Americans get their news from TikTok", adding "one sixth of American youth say they're constantly on TikTok. That's a loaded gun."

TikTok is an immensely popular social media platform that allows users to create, share, and discover, short video clips. It's enjoyed explosive growth since it first appeared in 2017, and now it claims to have 1 billion users, an estimated 100 million of them in the US.

Unique among major social media apps, TikTok is owned by a Chinese company Bytedance. Due to its ties with China and the ruling Chinese Communist Party (CCP), the platform has been under a national security review by the government’s Committee on Foreign Investment in the US, or CFIUS, and will soon be banned on federal devices.

A loud chorus of concern has surrounded the app for some time now. 

One of the earliest signs of trouble occurred in 2020 when retail giant Amazon sent a memo to employees telling them to delete TikTok from their phones. In the same year, the app escaped a total ban in the US after rumors that it was sharing the data of US citizens with the Chinese government.

Things picked up again in 2022, when Federal Communications Commissioner (FCC) Brendan Carr called for TikTok to be banned in America, months after deeming it an "unacceptable security risk", and called for Apple and Google to remove the app from their respective stores.

TikTok has also been scrutinized by the European Union (EU), Canadian privacy protection authorities, and on Wednesday the White House backed legislation introduced by a dozen senators that gives President Biden's administration new powers to identify and stop any technology from China or other adversaries from entering the US if it is deemed a national security risk. The bill would give the Commerce Department the ability to ban TikTok and other foreign-based technologies.

At the same hearing attended by General Nakasone, FBI Director Christopher Wray spelled out the agency's three concerns:

*   **The algorithm**. The FBI is concerned that the CCP's control of the TikTok algorithm, which decides which posts are shown to which users, could be used to conduct hard-to-detect influence operations against Americans.
*   **Access to data**. The Director explained that TikTok's vast database of information about individuals in the US could be used to conduct traditional espionage operations.
*   **Control of the software**. TikTok is installed on millions on devices, where it has access to location data, cameras, microphones and other sensors.

Fundamentally though, his concern with TikTok is a concern about who controls those three things: "it's the ownership of the CCP that fundamentally cuts across all those concerns," he told the hearing.

Wray used dividing Americans on the subject of Taiwan’s independence as an example of how TikTok's reach could be used.

When asked about a situation in which China wanted to invade Taiwan, Wray agreed that the platform could be used to show Americans videos arguing why Taiwan belongs to China and why the US. should not intervene. He added that it could be difficult to see “the outward signs of it happening, if it was happening.”

Just last week, the White House issued an order requiring all federal agencies to remove TikTok from government devices within 30 days, citing security risks the app poses to sensitive government data. Now, another step has been taken towards a complete ban. If it weren’t for the popularity of the app, it is questionable whether these decisions would take so long. Even though the app is more popular among younger people (under 35 years old), a majority of its users are old enough to vote.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

TikTok "a loaded gun" says NSA

Don't expect AI to suddenly start stealing jobs or making malware more powerful.

Thursday, March 9, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

There is no shortage of hyperbolic headlines about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it.

It’s the talk of SEO managers everywhere who can’t wait to find a way to work “ChatGPT” into a headline. And in the security community, everyone is concerned that AI models will help attackers get smarter, faster or more dangerous.

The biggest issue I’m seeing with that is these tools aren’t that smart.

Other writers have done a far more eloquent and interesting job than I can in a few dozen words here about how bad these models are at writing creatively or interpreting human emotion, but I wanted to put my own spin on things with my incredibly niche interests and use case for ChatGPT.

First, I asked it to help me write this newsletter. While it politely declined to do the whole thing for me because it can’t produce something on Talos’ behalf, it did start to compile a list of “the top stories we’re following this week.”

These headlines included an update on the Cring malware that seems to be referencing a campaign from November 2021, a 16-month-old CVE from Microsoft and a story about money laundering in “Fortnite” that broke in January 2019.

Then I decided to ask it about wrestling, mainly because I was fresh off watching AEW: Revolution this weekend, about who will eventually beat Maxwell Jacob Friedman for the company’s title. The information it provided was shockingly lackluster considering a quick Google provided more accurate details.

One of the examples it floated was that Bryan Danielson could eventually dethrone MJF, and that “if” they two were to face, it’d be a “must see” match. Problem is, the two did literally face off Sunday night and Danielson lost. Another option, CM Punk, would create a “huge moment” for the company if he won the AEW titles, something he’s already done twice (he also may never appear on TV again, but that’s a long story for not this newsletter).

These are two incredibly specific examples, but I felt like it was cathartic for me to see this in action so I didn’t have to lose any sleep over thinking ChatGPT or another AI was going to take my job from me next week, or my wrestling fandom for that matter.

**The one big thing**

U.S. President Joe Biden’s administration released its new National Cybersecurity Strategy on March 2, outlining steps the federal government plans to take to combat cyber criminals, defend critical infrastructure and enforce security regulations in oft-targeted industries. The administration said it will pursue laws to hold software companies liable if they sell technology that lacks proper cybersecurity protections, and use "national powers” to disrupt state-sponsored actors.

**Why do I care?**

This is the first new cybersecurity policy from the U.S. government in five years, outlining how the next few years of cybersecurity policy may look and what other goals would look like in a hypothetical second term for Biden. If the desired laws eventually pass and are enforced, they would represent a major shift in the way we view digital service providers and reframes how government and private entities should look at cybersecurity.

**So now what?**

The strategy doesn’t mean much for the average user right now, but it does mean there will be heavy debates in the near future about regulating the software-as-a-service industry and the monetary investment needed to address many of the issues the Biden administration outlined.

**Top security headlines of the week**

Meta, Google and other social media sites are **sharing user data and chat logs to prosecute individuals in states where abortion is illegal.** Since the Supreme Court overturned U.S. national abortion law last year, there have been several cases where prosecutors have relied on data collected by online pharmacies, social media posts, and user data requests to charge women who were seeking an abortion. Online pharmacies that sell abortion medication share sensitive information with Google and other third-party sites, including users' web addresses, relative location and search data, which the third parties may eventually be asked to turn over to law enforcement. The large companies who manage this data rarely turn down law enforcement requests for data. (Insider, Mashable)

After the one-year anniversary of Russia’s invasion of Ukraine, experts are looking at how **this has become one of the world’s first hybrid wars**, including Russia’s many cyber weapons its deployed against Ukraine over the past year. Other countries who feel they may be vulnerable to large-scale cyber attacks from nation-states (such as Taiwan against China) can learn quite a bit from how Ukraine has responded so far to Russian attacks. A new deep-dive report also outlines how crucial a cyber attack against the Viasat satellite network helped Russia prepare for its ground invasion just a few days prior. (NPR, Bloomberg)

Password management company **LastPass said attackers accessed a decrypted vault available to only a handful of company developers by hacking an employee’s home computer** in August. The new details add on to a data breach the company first disclosed several months ago. LastPass said an unknown threat actor stole valid login credentials from a senior DevOps engineer and accessed the contents of a LastPass data vault. That vault contained access to a shared cloud storage environment that included encryption keys for customers’ vault backups stored on Amazon S3 buckets. The attackers reportedly exploited a flaw in Plex, a media-sharing software, to access the user’s home device in the first place. Plex disclosed its own data breach in late August. (Ars Technica, Wired)

**Can’t get enough Talos?**

*   Threat Roundup for Feb. 24 - March 3

*   Talos Takes Ep. #129: The benefits of taking an active approach to threat defense
*   The role of cyber weapons in Russia's war on Ukraine

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Tag

#amazon