Top congressional lawmakers are meeting in private to discuss the future of a widely unpopular surveillance program, worrying members devoted to reforming Section 702.

Twice in the past decade, legislation limiting the United States government’s domestic surveillance powers sailed through the US House of Representatives. Attached to bills that would ultimately become law, both of these pro-privacy amendments were killed off in the final hours of consideration—erased each time in secret meetings held among a select group of congressional power brokers. Capitol Hill sources familiar with ongoing negotiations over a top US surveillance program fear House leaders may once again scrap popular civil-liberty-focused reforms.

Last week, House members became aware that closed-door discussions were ongoing at the highest levels concerning the latest pro-privacy reforms to gain widespread legislative support. Public reporting on the discussions, first disclosed by Politico, set off a firestorm of speculation over whether another deal may have been quietly struck to prolong a domestic surveillance program no longer assumed to have the support of a majority of Congress.

Sources with knowledge of ongoing negotiations over the future of Section 702—a controversial but pivotal US foreign surveillance program—say a host of pro-privacy reforms, including new warrant requirements for obtaining commercially available data, have gained serious traction among an anomalous coalition of progressives and conservatives otherwise at odds on most matters. WIRED granted these sources anonymity because they were not authorized to speak publicly about ongoing negotiations.

A source with knowledge of the 702 fight tells WIRED that last week House speaker Mike Johnson and House majority leader Steve Scalise met privately about drafting a new bill to reauthorize the program—an attempt to somehow merge existing bills introduced separately in December by the House Judiciary and Intelligence committees. The history of genuine privacy legislation being killed off in these closed-door sessions immediately sparked concerns among reformers.

“This is the room where we get fucked,” one civil liberties expert tells WIRED.

Senior aides on the Hill, working from offices on both ends of the surveillance fight, say there is a 90 percent agreement among the two bipartisan factions. It is the final 10 percent—composed almost entirely of the warrant issue—on which neither is willing to budge.

Several aides attributed the drawn-out nature of the fight, at least in part, to the relative naivete of the House speaker on national security matters, saying that, with little experience in the area, Johnson had not previously had the opportunity to be captured by the intelligence community—powerful interests accused by congressional staffers of routinely deploying “fear tactics” to defend surveillance operations plagued by regular error and abuse.

Johnson’s lack of any intelligence background, staffers say, would have likely increased his dependence on House intelligence staffers, who, while cultivating a sense of awe due to their access to national secrets, routinely behave as ambassadors between the spy agencies and regular congressional staff.

House members remained in the dark Monday morning as to the details of Johnson and Scalise’s purported plan for Section 702, and whether the compromise—potentially to arrive later this week—would include popular measures aimed at ending a prominent data broker loophole, through which US spy agencies are known to purchase information on Americans for which a warrant is typically required.

Johnson, notably, previously voted in favor of legislation that would have drastically reformed the 702 program with a slew of privacy protections.

Despite the uncommon bipartisan support for reforming Section 702, sources familiar with the negotiations say pro-privacy amendments have a history of dying in backroom deals. An amendment proposed last summer to ban the US military from tracking Americans’ cell phones without a warrant was snuffed out in a closed-door session despite winning widespread support in the House. Yet another amendment—which would have done little to interfere with the federal government’s domestic surveillance work—likewise gained support in the House two years ago. But even this half-measure ultimately found itself on the chopping block after negotiations were moved into rooms open to neither the public nor the press.

The effectiveness of this latest round of pro-privacy bipartisanship came as a surprise to many in the national security establishment. Congressional sources say that a year ago, only a feeble resistance to reauthorizing the surveillance was anticipated. Even its biggest detractors acknowledge that the 702 program is likely vital to the US national defense, crucial to investigations of terrorist threats, acts of espionage, and the constant deluge of cyberattacks aimed at US companies and national infrastructure.

To the contrary, a serious challenge to continuing the program under status quo conditions did arise in the fall of 2023. Compounded by the sudden fight over the House speakership in October, the smooth reauthorization of Section 702 became a distant fantasy. Working groups established in the House to find common ground eventually disintegrated, leaving only two discernible factions in their wake—one that believes the FBI should apply for warrants before accessing US calls, texts, and emails intercepted by US spies; and another that says warrants are too much of a burden for investigators.

What’s counted toward compromise since then might best be described as a “rounding error.” Lawmakers opposed to warrants agreed in December that the FBI should obtain a warrant before accessing 702 data in investigations that lack a foreign component. But of the hundreds of thousands of Americans queried by the bureau each year, only a small fraction fall into this category—fewer than 1 percent, according to some civil liberties experts.

The Section 702 program was last extended in December until April, when certifications issued by the Foreign Intelligence Surveillance Court expire, ending a requirement that American companies cooperate with the intelligence community’s wiretap demands. Some experts have forecast that the intelligence community may begin to apply for new certifications as early as next month, allowing the surveillance to continue uninterrupted for an additional year, even if Congress fails to act.

It is often the last resort of congressional leaders to block privacy-enhancing bills from reaching the floor for a vote—even if the result is that a surveillance program goes suddenly unauthorized by Congress. Letting a program expire is often preferable to allowing a vote to take place if it runs the risk of enshrining unwanted restrictions in the law.

Expired surveillance programs can find ways to carry on. US lawmakers introduced bills twice last year, for instance, with measures aimed at banning FBI surveillance techniques technically rendered unlawful four years after Congress failed to reauthorize Section 215: a package of surveillance tools provided by the 9/11-era Patriot Act legislation.

House leaders—Democrats at the time—faced similar popular opposition to continuing the 215 surveillance under status quo conditions. Rather than risk a vote that might permanently kill the programs, it was simply allowed to expire. Since then, the FBI has continued availing itself of the surveillance techniques, year after year, “grandfathering” in a bevy of new cases.

A Backroom Deal Looms Over Section 702 Surveillance Fight

In January, we recorded a total of 261 ransomware victims.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In January, we recorded a total of 261 ransomware victims, the lowest number of attacks since February 2023. This is normal, as past data reveals that historical January months tend to be one of the least active periods for ransomware gangs. But don’t let the relatively low number of attacks fool you: there was plenty of important ransomware news last month. 

In January, researchers observed fake “security researchers” trying to trick ransomware victims into thinking that they can recover their stolen data. Described as “follow-on extortion” attacks, the goal of these scams is to get the victims to pay Bitcoin for supposed assistance.

The two examples we have of follow-on extortion attacks targeted victims of the Royal and Akira ransomware gangs, but it’s unclear if the fake security researchers are a part of either of those gangs. Our guess? It’s more likely that they are a fringe group simply seizing an opportunity to exploit victims already targeted by these gangs. 

Let’s analyze why, using two scenarios, assuming that the follow-up extortioners really are Royal or Akira.  

In scenario one, Royal or Akira steals data, prompting a ransom payment from the victim for data deletion. Then, Royal or Akira sends a splinter group to the same victim claiming Royal didn’t delete the data, offering deletion services for an additional fee. This scenario is pretty unlikely, as it undermines Royal’s credibility from the victim’s perspective, damaging the gang’s reputation.

In scenario two, Royal or Akira steals data, but the victim hasn’t paid for deletion yet. The Royal or Akira splinter group then offers to recover the data for a fee. This predicament forces the victim to choose who to trust, likely deciding that it might be more logical to rely on Royal since they have more incentive to maintain a semblance of reliability. So, it then just becomes a normal double-extortion case but with an unnecessary extra step.

In the first case, the “initial ransomware gang” has no leverage for a second round of extortion without contradicting their own claims and damaging their reputation. In the second case, the initial ransomware gang just does more work to get the same outcome, namely payment for data deletion. 

Neither option presents a guaranteed connection to the original attackers.

Known ransomware attacks by gang, January 2024

Known ransomware attacks by country, January 2024

Known ransomware attacks by industry sector, January 2024

In other January news, the UK’s National Cybersecurity Centre (NCSC) released a report suggesting that AI will boost ransomware attack volume and severity in the next two years, particularly through lowering the entry barrier for novice hackers. A simple example is an affiliate using generative AI to create more persuasive phishing emails. This could decrease affiliates’ dependence on Initial Access Brokers for accessing networks, leading to more attacks by individuals enticed by the lower initial investment.

In general, however, we should be cautious about these predictions. Incorporating AI into cybercrime—especially for automated discovery of vulnerabilities or efficient high-value data extraction, as NCSC’s report suggests—is extremely complex and costly. For major gangs like LockBit and CL0P, who manage multimillion-dollar operations, adopting these AI advancements might be more feasible, yet it is still far too early to speculate upon.

In our view, RaaS groups will maintain their current operations in the short term. AI may introduce new methods and techniques for cybercriminals, to be sure, but the core principles of ransomware gangs—based on access, leverage, and profit—will likely continue unchanged for the foreseeable future.

In other news, researchers last month witnessed Black Basta affiliates leveraging a new phishing campaign aimed at delivering a relatively new loader named PikaBot. 

PikaBot, an ostensible replacement for the notorious OakBot malware, is an initial access tool that we first wrote about in mid-December—and it looks like it didn’t take ransomware gangs long to start using it. While our original post about PikaBot focused on its distribution via malicious search ads and not phishing emails, ransomware gangs are known to use both attack vectors to gain initial access. 

A typical distribution chain for PikaBot, writes ThreatDown Intelligence researcher Jérôme Segura, usually starts with an email (within an already-hijacked thread) containing a link to an external website. Users are then tricked to download a zip archive containing malicious JavaScript that downloads Pikabot from an external server. 

As this news marks the first time that PikaBot has been publicly connected with any ransomware operations, it’s safe to assume that the malware is actively being used by other gangs as well—or that if it’s not, it will be soon.

**New leak site: MYDATA**

Mydata is a new leak site from Alpha ransomware, a distinct group not to be confused with ALPHV ransomware. The site published the data of 10 victims in January.

MYDATA leak data

**Preventing Ransomware**

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

****How ThreatDown Addresses Ransomware****

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access.
*   RDP Shield: Securing remote access points with Brute Force Protection.
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them.
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network.
*   Ransomware Rollback: Reversing the impact of any successful attacks.

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Ransomware review: February 2024 

The FCC has ruled that the use of AI generated voices in robocalls is illegal, by considering them as artificial under the Telephone Consumer Protection Act.

The Federal Communications Commission (FCC) has announced that calls made with voices generated with the help of Artificial Intelligence (AI) will be considered “artificial” under the Telephone Consumer Protection Act (TCPA). Effective immediately, that makes robocalls that implement voice cloning technology and target consumers illegal.

Robocalls are automated phone calls, often associated with scams, which can be a nuisance to individuals and businesses alike. Some of these calls use AI generated voices of trusted celebrities to gain the trust of the target, in a technique known as voice cloning.

Robocallers not only sell products or services in an annoying way, they’ve also been known to be part of political misinformation campaigns as well.

The unanimous ruling by the FCC provides state attorneys general across the country with new tools to go after the people behind these nefarious robocalls. Many of these calls would be considered illegal anyway because they are scams or fraudulent, but now the fact that they use AI generated voices alone is enough for them to be considered illegal.

The FCC says it received a letter signed by attorneys general from 26 states asking the agency to act on restricting the use of AI in marketing phone calls.

FCC Chairwoman Jessica Rosenworcel stated:

> “Bad actors are using AI-generated voices in unsolicited robocalls to extort vulnerable family members, imitate celebrities, and misinform voters. We’re putting the fraudsters behind these robocalls on notice.”

From now on, those who wish to send robocalls must obtain prior express consent from the called party before making a call that utilizes artificial or prerecorded voice simulated or generated through AI technology.

Violations of the TCPA are subject to stiff civil penalties. Abusers can anticipate fines of up to $1,500 per incident without a cap on damages.

On January 30, 2024, the FCC said its previous actions against international robocalls appear to have reduced apparently illegal robocall traffic across multiple networks. If this new announcement leads to an even bigger reduction, you won’t hear us complaining.

**What to do if you answer a robocall**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1.  Hang up as soon as you realize that it is an automated robocall.
2.  Do not engage with the call at all.
3.  Don’t follow any instructions.
4.  Avoid giving away any personal information.
5.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your recorded voice could allow for voice-cloning and used in scams against you or your loved ones.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 AI-generated voices in robocalls are illegal, rules FCC 

New research finds that Israel’s attacks on Gaza damaged hospitals and other medical facilities at the same rate as other buildings, potentially in violation of international law.

The world has witnessed a near-unprecedented and ongoing humanitarian crisis in Gaza during the first 129 days of the Israel-Hamas war. Despite their critical role in saving lives, hospitals and other health care facilities—which are protected under international law—have not been spared the widespread destruction in the Palestinian territory, according to new research.

A study published Monday in the _British Medical Journal Global Health_ from researchers at the Yale School of Public Health found that from October 7—the day Hamas launched an unexpected attack on Israel that left some 1,200 Israelis dead—to November 7, 2023, hospitals and health care facilities were damaged at the same rate as other buildings. The paper’s authors suggest that the Israel Defense Forces (IDF) did not take measures to ensure it did not strike these facilities, despite their protected status.

“This pattern of war, at least in this first month, looks like it was not really aligned with international humanitarian law,” says Danielle Poole, an associate research scientist at the Yale School of Public Health and lead author on the paper.

The United Nations Relief and Works Agency for Palestine Refugees in the Near East estimates that at the start of 2024, 85 percent of Gaza’s population, or some 1.9 million people, had been displaced by the conflict, and the Gaza Ministry of Health reports that at least 28,064 Palestinians were killed between October 7, 2023, and February 10, 2024. Human Rights Watch, a nonprofit watchdog organization, has characterized Israel’s attacks on health care facilities in Gaza as “apparently unlawful.”

Using high-resolution satellite imagery from the United Nations, data from the open source mapping platform OpenStreetMap, and known locations of medical facilities listed by the World Health Organization (WHO) and the United Nations Office for Coordination of Humanitarian Assistance, the researchers were able to identify damage to over 167,000 buildings during the first month of the conflict. Poole and her team found that 15,768 nonmedical structures and nine health care–related facilities suffered damage—about 9 percent in each case. The analysis also found that health care facilities were more likely than other buildings to have sustained severe damage or to have been destroyed completely.

“Already in this first month, their health system was severely compromised due to the conflict,” says Poole. As the researchers note in their report, the attacks on medical facilities “will undoubtedly have long-term effects on the health system through the severely decreased ability to provide necessary medical care to the population.”

Researchers ranked the damage done to buildings in four ascending categories: “possible damage,” “moderate damage,” “severe damage,” and “destroyed.” Poole says the numbers noted in her team’s report are conservative because they don’t count smaller medical facilities, like pharmacies or small clinics. “You wouldn't expect an artillery officer to know about the little pharmacy in the strip mall, even though those things are still protected” under international humanitarian law, she says.

IDF flares light up the sky above the Al-Shifa hospital on November, 6, 2023.Photograph: Ahmad Salem/Bloomberg/Getty Images

International humanitarian law prohibits attacks on hospitals and health care facilities, or against patients, doctors, and their means of transport, during a conflict. A health care facility can lose its protected status if it is used to “commit acts that are harmful to the enemy,” according to the International Committee of the Red Cross (ICRC).

“Hospitals have special protection status underneath the Geneva Conventions and the Law of Armed Conflict,” says Nathaniel Raymond, a human rights investigator and a coauthor of the study. “To intentionally strike a hospital, the protocol required is the most restrictive for any type of civilian infrastructure. An armed party to a conflict must ensure that the hospital is notified that it has lost protected status, and efforts are made to ensure the evacuation of those facilities prior to any kinetic strike. That is what the law requires.”

In a lengthy response to WIRED’s questions about what measures it has taken to prevent damage to health care facilities, the IDF defended its military operations. “A central feature of Hamas’ strategy is the exploitation of civilian structures for terror purposes,” says an IDF spokesperson. “It is against this context of widespread exploitation of medical facilities and intelligence indicating their knowledge and even participation in terror activities that Israel has apprehended and questioned individuals in Gaza, including medical staff. We reiterate that individuals found not to have been involved in terrorist activity are released after questioning.”

The IDF has alleged that Hamas was operating out of tunnels underneath Al-Shifa, the largest hospital in Gaza, thereby making it a legitimate target. IDF forces raided the hospital on November 15. The tunnels have not been proven to have had a military function, and the legality of that IDF military operation remains in dispute.

Even in cases where the military has leveraged civilian structures, combatants are expected to exercise what IHL dubs “proportionality” and “precaution,” meaning that any attack should be done such that civilian harms do not outweigh the military benefit. “This does not mean there’s free license to attack,” ICRC chief legal officer Cordula Droege said in an ICRC video posted November 2 on X. “The party to the conflict has to do everything feasible in order to avoid or at least minimize harm to patients and medical staff.”

Although the destruction of health care facilities in Gaza is far more extensive, the WHO also recorded “33 attacks on health care in Israel during the violent events of October 7.” The WHO cautioned Hamas and Israel to remember “their obligation under international humanitarian law to respect the sanctity of, and actively protect, health facilities.” An independent UN Human Rights Council commission also says it is “collecting and preserving evidence of war crimes committed by all sides since 7 October 2023.”

The implications for Gaza’s health system have been disastrous. Even in the earliest weeks of the conflict, doctors warned that hospitals were running out of space to treat the wounded and were operating without access to anesthetics or even clean water. Hospitals and the health care system have also seen continued destruction. On January 3, the WHO estimated that only 13 of the 36 hospitals in Gaza remained operational. The WHO also says that instances of disease in Gaza have skyrocketed as access to health care, food, and clean water has plummeted.

Poole says she hopes the research leads to further investigations to “ascertain whether or not the medical complexes were getting distinction, proportionality, and precaution principles that protects them through IHL” throughout the course of the conflict.

“If the principle of distinction was being respected in this conflict, there would be a stark difference in our findings between special protected infrastructure—in this case, health facilities—and non-health facility infrastructure,” Raymond says. “What we find instead is that there is no difference.”

_Update: 2/12/2024, 8:40 am ET to clarify the description of the satellite material on which the researchers based their analysis._

Satellite Images Point to Indiscriminate Israeli Attacks on Gaza’s Health Care Facilities

Cyberattacks and criminal scams can impact anyone. But communities of color and other marginalized groups are often disproportionately impacted and lack the support to better protect themselves.

Talk about the promise and the peril of artificial intelligence is everywhere these days. But for many low-income families, communities of color, military veterans, people with disabilities, and immigrant communities, AI is a back-burner issue. Their day-to-day worries revolve around taking care of their health, navigating the economy, seeking educational opportunities, and upholding democracy. But their worries are also being amplified through advanced, persistent, and targeted cyberattacks.

Cyber operations are relentless, growing in scale, and exacerbate existing inequalities in health care, economic opportunities, education access, and democratic participation. And when these pillars of society become unstable, the consequences ripple through national and global communities. Collectively, cyberattacks have severe and long-term impacts on communities already on the margins of society. These attacks are not just a technological concern—they represent a growing civil rights crisis, disproportionately dismantling the safety and security for vulnerable groups and reinforcing systemic barriers of racism and classism. The United States currently lacks an assertive response to deter the continued weaponization of cyber operations and to secure digital access, equity, participation, and safety for marginalized communities.

Health Care

Cyberattacks on hospitals and health care organizations more than doubled in 2023, impacting over 39 million people in the first half of 2023. A late-November cyberattack at the Hillcrest Medical Center in Tulsa, Oklahoma, led to a system-wide shutdown, causing ambulances to reroute and life-saving surgeries to be canceled. These attacks impact patients' reliance and trust in health care systems, which may make them more hesitant to seek care, further endangering the health and safety of already vulnerable populations.

The scale and prevalence of these attacks weaken public trust—especially among communities of color who already have deep-rooted fears about our health care systems. The now-condemned Untreated Syphilis Study at Tuskegee, where researchers denied treatment to Black men without their knowledge or consent in order to observe the disease’s long-term effects, only ended 52 years ago. However, the study created a legacy of suspicion and mistrust of the medical community that continues today, leading to a decrease in the life expectancy of Black men and lower participation in medical research among Black Americans. The compounding fact that Black women are three to four times more likely, and American Indian and Alaska Native women are two times more likely, to die from pregnancy-related causes than White women only adds to mistrust.

Erosion of trust also extends to low-income people. Over a million young patients at Lurie Children's Surgical Foundation in Chicago had their names, Social Security numbers, and dates of birth exposed in an August 2023 breach. The hospital treats more children insured by Medicaid—an economic hardship indicator—than any other hospital in Illinois. Once breached, a child’s personal data could be used to commit identity fraud, which severely damages credit, jeopardizes education financial aid, and denies employment opportunities. While difficult for anyone, children from financially insecure households are least equipped to absorb or overcome these economic setbacks.

Economic Opportunity

Identity theft is not the only way cyberattacks exploit hard times. Cyberattacks also go after financially vulnerable individuals—and they are getting more sophisticated. In Maryland, hackers targeted Electronic Benefits Transfer cards—used to provide public assistance funds for food—to steal more than $2 million in 2022 and the first months of 2023. That’s an increase of more than 2,100 percent compared to the $90,000 of EBT funds stolen in 2021. Maryland’s income limit to qualify for the government’s food assistance program is $39,000 for a family of four in 2024, and only if they have less than $2,001 in their bank account. Unlike a credit card, which legally protects against fraudulent charges, EBT cards don’t have fraud protections. Efforts to help the victims are riddled with red tape: reimbursements are capped at two months of stolen benefits, and only within a specific time period.

Cybercriminals also target vulnerable populations, especially within older age groups. Since the last reporting in 2019, 40 percent of Asian Pacific Islander Desi Americans (APIDAs) aged 50 and older have reported experiencing financial fraud, with one-third of those victims losing an average of $15,000. From 2018 through 2023, Chinese Embassy Scam robocalls delivered automated messages and combined caller ID spoofing, a method where scammers disguise their phone display information, targeting Chinese immigrant communities. This resulted in more than 350 victims across 27 US states and financial losses averaging $164,000 per victim for a total of $40 million. And for five years, this scam just kept going. As these scams evolve, groups now face increasingly sophisticated AI-assisted calls, where scammers use technology to convincingly mimic loved ones' voices, further exploiting vulnerabilities, particularly among older adults—many of whom live on fixed incomes or live with economic insecurity.

While social movements have fought to promote economic equity, cybercriminals undermine these efforts by exacerbating financial vulnerabilities. From the 1960s La Causa movement advocating for migrant worker rights to the Poor People’s Campaign mobilizing across racial lines, activists have worked to dismantle systemic barriers, end poverty, and push for fair wages. Current attacks on financial systems, however, often target the very groups these movements aim to empower—perpetuating the disparities that advocates have fought against. Digital scams and fraud incidents disproportionately impact those least equipped to recover—including natural disaster victims, people with disabilities, older adults, young adults, military veterans, immigrant communities, and lower-income families. By stealing essential resources, cybercriminals compound hardships for those already struggling to make ends meet or those experiencing some of the worst hardships of their lives—pushing groups deeper into the margins.

Education Access

Education is another area where cybercrime has soared. One of the worst hacks of 2023 exploited a flaw in a file transfer software called MOVEit that multiple government entities, nonprofits, and other organizations use to manage data across systems. This includes the National Student Clearinghouse, which serves 3,600 colleges, representing 97 percent of college students in the US, to provide verification information to academic institutions, student loan providers, and employers.

Attacks on educational systems are devastating at all levels. A top target for ransomware attacks last year was K-12 schools. While the complete data is not available yet, by August 2023 ransomware attacks (where hackers lock an organization’s data and demand payment for its release) hit at least 48 US school districts—three more than in all of 2022. Schools already have limited resources, and cybersecurity can be expensive, so many have few defenses against sophisticated cyberattacks.

The Hidden Injustice of Cyberattacks

“This eruption of violence had been brewing for years, through successive economic collapses, pandemics, and the utter dysfunction that had become American life.” An exclusive excerpt from 2054: A Novel.

2054, Part VI: Standoff at Arlington

By Waqas
The alleged data breach took place on October 2023. However, the database was only made public earlier today, on Sunday, February 11, 2024.
This is a post from HackRead.com Read the original post: Hackers Leak Alleged Partial Facebook Marketplace Database

The alleged partial Facebook Marketplace database has been leaked on Breach Forums by the infamous threat actor IntelBroker. They claim that another actor, using the alias “algoatson,” stole the database from a contractor responsible for managing cloud services for Facebook.

The infamous threat actor known as IntelBroker has claimed responsibility for leaking a partial database of the Facebook Marketplace. The alleged breach, apparently conducted by another cybercriminal using the alias “algoatson” on Discord, occurred in October 2023. However, the database was only made public earlier today, on Sunday, February 11, 2024.

According to a post on Breach Forums, IntelBroker disclosed that the hack targeted a contractor responsible for managing cloud services for Facebook. The breach resulted in the theft of approximately 200,000 entries from the user database, compromising sensitive personal information.

It is worth noting that IntelBroker did not disclose the name of the allegedly targeted contractor. Facebook doesn’t utilize a single contractor company to manage all of Facebook Marketplace data. Instead, they leverage a combination of internal teams and external partnerships depending on the specific data aspect.

The compromised data includes full names, Facebook IDs, phone numbers, physical IDs, and Facebook profile settings of the affected users. Hackread.com can exclusively confirm that there are 24,127 email addresses involved in the leak.

Screenshot from Breach Forums (Credit: Hackread.com)

The good news is that there are not passwords involved, but the bad news is that this breach potentially exposes Facebook Marketplace users to various forms of identity theft, phishing attacks, and other malicious activities.

****IntelBroker****

IntelBroker, notorious for their involvement in several high-profile cyber attacks, including the leaking of sensitive US Department of Defense documents **in December 2023**, has a track record of breaching organizations and selling stolen data on underground forums.

Their previous exploits include the General Electric security breach, which led to the sale of DARPA-related network access **in November, 2023**, as well as the Weee! Grocery Service hack, where 1.1 million accounts were leaked online **in Februrary 2023**.

At the time of reporting, attempts to contact “algoatson” via their Discord profile were unsuccessful, as their profile was unavailable. However, efforts to establish communication with the alleged perpetrator are ongoing, and updates will be provided as the situation develops.

****META, Facebook and Data Breaches****

META’s Facebook has previously made headlines for cybersecurity-related concerns. **In April 2021**, threat actors leaked the personal data of over 500 million users from 106 countries through web data scraping.

Similarly, **in December 2019**, hackers exposed the data of 267 million Facebook users on a hacker forum. This breach also stemmed from scraping activities and included users’ full names and email addresses.

In December 2019, **another incident occurred** where a thief stole unencrypted hard drives containing sensitive data belonging to 29,000 Facebook employees. The data was stored on hard drives within computer equipment owned by a payroll worker, which had been left in the worker’s vehicle.

Nevertheless, the latest alleged leak of the partial Facebook Marketplace database is another example how persistent cybercriminals have become. Facebook, along with alleged affected users, must take immediate steps to mitigate the impact of this breach and enhance security measures to prevent similar incidents in the future.

****What’s Next for Users?****

Here are five tips for Facebook Marketplace users to protect themselves in the aftermath of the alleged breach:

*   **Change Passwords and Enable Two-Factor Authentication (2FA):** While no passwords were leaked in this incident, users should immediately change their Facebook password and activate two-factor authentication (**2FA**) to enhance their account’s security. This precautionary measure is crucial, especially if threat actors attempt to exploit passwords obtained from previous data breaches leaked online.
*   **Monitor Account Activity:** Regularly monitor your Facebook account for any suspicious activity, such as unrecognized logins or changes to your account settings. Report any unauthorized activity to Facebook immediately.
*   **Be Cautious of Phishing Attempts:** Watch out for phishing emails, messages, or calls pretending to be from Facebook or other trusted sources. These may attempt to trick you into revealing sensitive information or clicking on malicious links. Avoid clicking on links from unfamiliar or suspicious sources.
*   **Review Privacy Settings:** Review and adjust your Facebook privacy settings to limit the visibility of your personal information. Consider restricting who can see your profile, contact information, and posts on the Marketplace to trusted individuals only. Additionally, consider **locking your Facebook profile** if the feature is available in your country.
*   **Watch Out for Voice and SMS Phishing:** Besides making sure your account is safe, keep an eye out for scams over the phone or through text messages, which we call **vishing** and **smishing**. Scammers might pretend to be someone you trust and try to get you to give away personal info. If you get a call or text asking for sensitive stuff like your bank details, be careful. Don’t click on any links or reply if you’re not sure who it’s from.

Stay tuned for further updates on this developing story.

_**Note: The authenticity of the leaked database and the identities of the individuals involved are subject to ongoing investigation.**_

****RELATED ARTICLES****

1.  **Hacker Leaks 800,000 Scraped Chess.com User Records**
2.  **Facebook glitch sent unintended friend requests to users**
3.  **Hackers phish 615,000 login credentials by using Facebook ads**
4.  **Facebook’s Official Page Hacked; Demand Release of PM Imran Khan**
5.  **Chinese firm leaked 200m Facebook, Instagram, LinkedIn users’ data**

Hackers Leak Alleged Partial Facebook Marketplace Database

Plus: China’s Volt Typhoon hackers lurked in US systems for years, the Biden administration’s crackdown on spyware vendors ramps up, and a new pro-Beijing disinformation campaign gets exposed.

Documents exclusively obtained by WIRED reveal that AI surveillance software tracked thousands of people using the London Underground to detect crime or unsafe situations. The machine learning software scoured live CCTV footage to spot aggressive behavior, weapons being brandished, and people dodging fares. The documents also detail errors made during the trial—for instance, mistakenly identifying children walking with their parents as fare evaders.

Meanwhile, on Wednesday, cryptocurrency tracing firm Chainalysis published a report finding ransomware payments in 2023 reached over $1.1 billion, the highest annual total ever recorded. The record-breaking sum of extorted funds was due to two things: the high number of ransomware attacks and the amount of money that hackers were demanding from victims, many of whom were targeted specifically for their ability to pay and their inability to sustain a prolonged disruption of services.

A tech company, notorious for keeping websites with far-right and other extreme content online, was bought last year by a secretive company whose business is to help set up businesses, often in ways that keep details of those companies secret, WIRED reported on Thursday. Registered Agents Inc.’s acquisition of Epik may allow the shadowy company to provide its customers with another layer of anonymity.

For the past month, senior security reporter Matt Burgess has been transitioning away from using passwords to log in to his hundreds of online accounts. Instead, he’s using passkeys, a more secure form of authentication that uses generated codes stored on your device to log in to websites and apps using a biometric identifier like a fingerprint, face scan, or PIN. When it works, it’s seamless and secure. When it doesn’t, it’s a mess.

WhatsApp is developing a feature to allow its users to message across apps, all while maintaining its secure end-to-end encryption. In theory, the move would allow users to chat with people on WhatsApp using apps like Signal or Telegram. It’s unclear which companies, if any, will link their services with WhatsApp.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Hackers have, in the real world, caused blackouts, set fire to a steel mill, and released worms that took down medical record systems in hospitals across the US and the UK. So it hardly seems necessary to invent new nightmares about them taking over our toothbrushes.

Yet, when the Swiss newspaper _Aargauer Zeitung_ published a story that cybercriminals had infected 3 million internet-connected toothbrushes with malware, then used them to launch a cyberattack that downed a website for four hours and caused millions of dollars in damage, the tale was somehow irresistible. This week, news outlets around the world picked up the story, which quoted the cybersecurity firm Fortinet as its source, spinning it out as the perfect illustration of how hackers can exploit the most mundane technology for epic malevolence. “This example, which seems like a Hollywood scenario, actually happened,” the Swiss newspaper wrote.

Except, of course, it didn’t. Cybersecurity professionals quickly started to point out that the story was unsupported by any evidence—and was somewhat absurd on its face. (Even the Mirai botnet, which knocked out its targets with record-breaking tsunamis of junk traffic and eventually broke a large fraction of the internet, infected only 650,000 internet-connected devices at its peak.)

Fortinet belatedly sought to correct the record, writing in public statements that “it appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.” But the _Aargauer Zeitung_ pointed the finger back at Fortinet, noting in a follow-up story that Fortinet provided exact details of the dental doomsday it described as real, and that the company even reviewed the text of the article prior to publication. Regardless of who’s to blame, at least this cyber urban legend has inspired some solid meme content.

Back to more factual cyber doomsday headlines: The US Federal Bureau of Investigation, National Security Agency, and Cybersecurity and Infrastructure Security Agency this week warned in a report that China’s hacker group known as Volt Typhoon had quietly maintained access to some US critical infrastructure networks for as long as half a decade. The report included detailed descriptions of the intrusion and persistence techniques used by the group, which has distinguished itself as perhaps China’s most aggressive state-sponsored hacking force. Volt Typhoon’s broad penetration of US electric grids, transportation networks, and other critical infrastructure has raised alarms among US federal agencies since as early as May of last year, when those agencies began to warn that the group appeared to be laying the groundwork for cyberwar-style attacks in the midst of any future conflict. Now it’s clear that those warnings came only years after the hackers’ sabotage preparations were well underway.

The Biden administration announced that it will restrict the visas of foreign sellers of commercial spyware, potentially preventing executives or associates of those surveillance firms from traveling to the US. The new regulation is part of the White House’s slow tightening of the screws on spyware seller firms like NSO Group, Cytrox, Intellexa, and Candiru, after an earlier move to place those firms on a Commerce Department trade blocklist and prevent US government agencies from buying those hacking firms’ tools. On the day of the announcement, Google released its own detailed report on alleged commercial spyware vendors, calling out a dozen of the companies by name and offering policy recommendations for protecting users.

Citizen Lab this week exposed a vast network of Chinese websites posing as local news sites across the globe, all used to post pro-Beijing disinformation and propaganda. The 123 sites, targeting audiences in more than 30 countries in Europe, Asia, and Latin America, mixed innocuous commercial and cut-and-pasted content with anti-Western conspiracy theories, such as allegations of human experimentation carried out by the United States in Southeast Asia, and targeted attacks on critics of the Chinese government. While the visibility and impact of the influence operation has been “negligible,” according to Citizen Lab, it’s another sign of China’s growing efforts to wield disinformation as a soft power tactic.

How 3 Million ‘Hacked’ Toothbrushes Became a Cyber Urban Legend

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.
The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.
The exact initial access pathway used to propagate the implant is currently not known, although

macOS Malware / Cyber Threat

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.

The backdoor, codenamed **RustDoor** by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.

The exact initial access pathway used to propagate the implant is currently not known, although it's said to be distributed as FAT binaries that contain Mach-O files.

Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023.

It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint.

Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude.

The captured information is then exfiltrated to a command-and-control (C2) server.

The Romanian cybersecurity firm said the malware is likely linked to prominent ransomware families like Black Basta and BlackCat owing to overlaps in C2 infrastructure.

"ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model," security researcher Andrei Lapusneau said.

In December 2023, the U.S. government announced that it took down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: New Stealthy "RustDoor" Backdoor Targeting Apple macOS Devices

Ubuntu Security Notice 6628-1 - Quentin Minster discovered that a race condition existed in the KSMBD implementation in the Linux kernel when handling sessions operations. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Marek Marczykowski-Górecki discovered that the Xen event channel infrastructure implementation in the Linux kernel contained a race condition. An attacker in a guest VM could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6628-1February 09, 2024linux-intel-iotg vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-intel-iotg: Linux kernel for Intel IoT platformsDetails:Quentin Minster discovered that a race condition existed in the KSMBDimplementation in the Linux kernel when handling sessions operations. Aremote attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-32250, CVE-2023-32252,CVE-2023-32257)Marek Marczykowski-Górecki discovered that the Xen event channelinfrastructure implementation in the Linux kernel contained a racecondition. An attacker in a guest VM could possibly use this to cause adenial of service (paravirtualized device unavailability). (CVE-2023-34324)Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driverin the Linux kernel during device removal. A privileged attacker could usethis to cause a denial of service (system crash). (CVE-2023-35827)Tom Dohrmann discovered that the Secure Encrypted Virtualization (SEV)implementation for AMD processors in the Linux kernel contained a racecondition when accessing MMIO registers. A local attacker in a SEV guest VMcould possibly use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2023-46813)It was discovered that the Microchip USB Ethernet driver in the Linuxkernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could use this tocause a denial of service (system crash). (CVE-2023-6039)Lin Ma discovered that the netfilter subsystem in the Linux kernel did notproperly validate network family support while creating a new netfiltertable. A local attacker could use this to cause a denial of service orpossibly execute arbitrary code. (CVE-2023-6040)It was discovered that the TLS subsystem in the Linux kernel did notproperly perform cryptographic operations in some situations, leading to anull pointer dereference vulnerability. A local attacker could use this tocause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2023-6176)It was discovered that the CIFS network file system implementation in theLinux kernel did not properly validate the server frame size in certainsituation, leading to an out-of-bounds read vulnerability. An attackercould use this to construct a malicious CIFS image that, when operated on,could cause a denial of service (system crash) or possibly expose sensitiveinformation. (CVE-2023-6606)Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel didnot properly handle dynset expressions passed from userspace, leading to anull pointer dereference vulnerability. A local attacker could use this tocause a denial of service (system crash). (CVE-2023-6622)Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel didnot properly handle inactive elements in its PIPAPO data structure, leadingto a use-after-free vulnerability. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6817)Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perfsubsystem in the Linux kernel did not properly validate all event sizeswhen attaching new events, leading to an out-of-bounds write vulnerability.A local attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6931)It was discovered that the IGMP protocol implementation in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6932)Kevin Rich discovered that the netfilter subsystem in the Linux kernel didnot properly check deactivated elements in certain situations, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0193)It was discovered that the TIPC protocol implementation in the Linux kerneldid not properly handle locking during tipc_crypto_key_revoke() operations.A local attacker could use this to cause a denial of service (kerneldeadlock). (CVE-2024-0641)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1047-intel-iotg  5.15.0-1047.53   linux-image-intel-iotg          5.15.0.1047.47After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6628-1   CVE-2023-32250, CVE-2023-32252, CVE-2023-32257, CVE-2023-34324,   CVE-2023-35827, CVE-2023-46813, CVE-2023-6039, CVE-2023-6040,   CVE-2023-6176, CVE-2023-6606, CVE-2023-6622, CVE-2023-6817,   CVE-2023-6931, CVE-2023-6932, CVE-2024-0193, CVE-2024-0641Package Information:   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1047.53

Tag

#intel