The Internet Archive (Archive.org), home to the Wayback Machine, is temporarily offline due to a reported power outage.…

The Internet Archive (Archive.org), home to the Wayback Machine, is temporarily offline due to a reported power outage. Engineers are working to restore access as users await updates. This follows recent challenges, including DDoS attacks and a data breach.

The Internet Archive (aka Wayback Machine), an online treasure trove for researchers, history buffs, and anyone looking for a blast from the past, is currently experiencing a service outage.

If you’ve tried to access the Wayback Machine or any of their vast collections recently, you’ve likely been met with a simple “Temporarily Offline” message. The organization has taken to their official social media channels, including Twitter/X, Bluesky, and Mastodon, to let users know they’re dealing with a power outage.

“We are experiencing a power outage. Engineers are working on it now,” they **stated**, offering a brief explanation for the sudden disruption. It’s a simple, straightforward message, but it leaves many wondering about the implications. For a service that relies so heavily on constant uptime, any interruption can be a setback.

Current view of the Internet Archive’s homepage (Screenshot credit: Hackread.com)

This power outage comes at a sensitive time for the Internet Archive. Just a few months ago, **in October 2024**, they were hit with a series of massive DDoS attacks, which are designed to overwhelm a site with traffic and knock it offline. And even more concerning, they also suffered a data breach where hackers made off with details from **31 million user accounts**. That incident left many users understandably worried about their personal information.

While the current outage is being attributed to a power issue, the timing naturally raises questions. Is this just an unfortunate coincidence, or could there be more to it? The Internet Archive hasn’t explicitly mentioned a **DDoS attack** this time around, but the past incidents make it hard not to speculate. For now, we’re left waiting for updates from their engineers as they work to restore service.

The Internet Archive is more than just a website; it’s a vital resource for preserving digital history. From old websites and books to films and music, it’s a place where the past is kept alive. Therefore, the current downtime is more than an inconvenience.

We’ll be keeping an eye on their social media for updates and hoping for a speedy resolution. In the meantime, those of us who rely on the archive will just have to be patient.

Internet Archive (Archive.org) Goes Down Following “Power Outage”

A WIRED review shows national security adviser Mike Waltz, White House chief of staff Susie Wiles, and other top officials left sensitive information exposed via Venmo—until WIRED asked about it.

A Venmo account under the name “Michael Waltz,” carrying a profile photo of the national security adviser and connected to accounts bearing the names of people closely associated with him, was left open to the public until Wednesday afternoon. A WIRED analysis shows that the account revealed the names of hundreds of Waltz’s personal and professional associates, including journalists, military officers, lobbyists, and others—information a foreign intelligence service or other actors could exploit for any number of ends, experts say.

Among the accounts linked to “Michael Waltz” are ones that appear to belong to Susie Wiles, the White House chief of staff, and Walker Barrett, a staffer on the United States National Security Council. Both were fellow participants in a now-infamous Signal group chat called “Houthi PC small group.”

The White House declined to comment after being presented with WIRED’s findings, but the accounts appearing to belong to Waltz and Wiles went fully private following WIRED’s inquiry.

Earlier this week, The Atlantic reported that an account with the name “Michael Waltz” accidentally invited the publication’s editor in chief, Jeffrey Goldberg, to the chat, in which senior administration officials discussed plans for a strike on Yemen. (Waltz told Fox News’ Laura Ingraham he takes “full responsibility” for inviting Goldberg, adding, “We have some of the best technology minds looking at how this happened.”) Over the encrypted messaging app, which Department of Defense guidelines bar from being used for the discussion of any nonpublic defense information, the group debated whether a strike should be carried out at all. Hours after an account with the name of defense secretary Pete Hegseth shared missile targets, strike timing, and other highly sensitive operational details of a coming strike, US forces bombed Houthi targets in Yemen, reportedly killing at least 53 people.

A WIRED review of public data exposed on Venmo accounts associated with senior administration officials suggests that the Signal group chat was not an isolated mistake, but part of a broader pattern of what national security experts describe as reckless behavior by some of the most powerful people in the US government.

The Venmo account under Waltz’s name includes a 328-person friend list. Among them are accounts sharing the names of people closely associated with Waltz, such as Barrett, formerly Waltz’s deputy chief of staff when Waltz was a member of the House of Representatives, and Micah Thomas Ketchel, former chief of staff to Waltz and currently a senior adviser to Waltz and President Donald Trump.

Other accounts carry the names of a wide range of media figures, from on-air personalities like Bret Baier and Brian Kilmeade of Fox News and Brianna Keilar and Kristen Holmes of CNN to a cable news producer, a prominent national security reporter, local news anchors, documentarians, and noted conspiracy theorist Ivan Raiklin, who calls himself the “the secretary of retribution” and once created a deep state target list. (Fox News declined to comment; CNN did not respond to a request for comment.)

Many of the accounts appear to belong to local and national politicians and political operatives ranging from US representative Dan Crenshaw of Texas to a former mayor of Deltona, Florida, as well as venture capitalists, defense industry entrepreneurs, and executives like Christian Brose, the president of defense tech giant Anduril. (Crenshaw’s office and Anduril did not respond to requests for comment.)

One of the most notable appears to belong to Wiles, one of Trump’s most trusted political advisers. That account’s 182-person friend list includes accounts sharing the names of influential figures like Pam Bondi, the US attorney general, and Hope Hicks, Trump’s former White House communications director.

While none of the Venmo transactions for the account listed for Waltz, Wiles, or Barrett were publicly visible, it appears that none of them had opted out of sharing their contact list, allowing their friend lists to remain visible to the public. After WIRED reached out to the White House for comment, both Waltz and Wiles appeared to change their Venmo privacy settings to hide their friend lists.

Venmo spokesperson Erin Mackey said in a statement, “We take our customers’ privacy seriously, which is why we let customers choose their privacy settings on Venmo for both their individual payments and friends lists—and we make it incredibly simple for customers to make these private if they choose to do so.” The comment is nearly identical to the one Venmo provided to WIRED in response to a 2024 story about now-vice president JD Vance’s Venmo.

Last July, WIRED reported that Vance had left his Venmo account public, exposing a network of connections to Project 2025 architects, DOJ officials, Yale Law classmates, and far-right media figures. (While it was not reported at the time, WIRED’s analysis of that public Venmo account—and the networks of his listed friends—found that the Michael Waltz Venmo account appeared in Vance’s extended network, comprising friends and friends of friends.) According to The Atlantic, Vance was also an active participant in the Signal chat alongside Waltz, where he questioned whether the planned military operation in Yemen aligned with President Trump’s broader message on Europe.

When the Michael Waltz account was set up in 2017, the app would display a prompt allowing users to sync their phone contacts, automatically populating their friends list with anyone in their address book already using the platform. Privacy advocates, including the Electronic Frontier Foundation, criticized this design, arguing that it exposes users to unnecessary risks by making social connections public by default. It wasn’t until BuzzFeed News revealed in 2021 that then-president Joe Biden was easily found on the app that Venmo, which is owned by PayPal, added the option to hide friend lists. But that setting remains opt-in. According to its privacy policy, unless users proactively change their privacy settings, their network remains visible to anyone.

Mixed in with the high-profile names connected to the apparent Waltz Venmo account are a number of accounts appearing to belong to ordinary people, such as several doctors, real estate agents, and a tailor. These are the kinds of low-level connections that, experts say, spies look at for basic information—a relationship with a medical specialist could expose that a person is being treated for an illness that hasn’t been made public—as well as patterns, pressure points, or a way in. Experts call them “soft targets”: people who have access but aren’t protected.

For instance, when the US and Israel reportedly sabotaged Iran’s nuclear program with the Stuxnet virus, they used a control engineer’s USB stick, not one belonging to a senior official. Chinese intelligence has used similar tactics, contacting thousands of foreign citizens using LinkedIn or going after university students to get closer to US researchers and companies. While WIRED has found no evidence that foreign adversaries have used Venmo to target a US politician’s network, the platform makes these relationships visible—potentially giving adversaries a searchable map of the people around power.

“The first thing you think of is the counterintelligence issue, right? And the security vulnerabilities. It kind of boggles the mind, in a way,” says Michael Ard, a former intelligence analyst who now runs the masters program in intelligence analysis at Johns Hopkins. “It would be really easy for somebody to spoof a contact, and that is something the security industry has already been issuing notices on.”

Waltz has spent years inside the Republican national security establishment. A former Green Beret—something reflected in the number of apparent veteran Green Berets, Navy SEALs, and other special operators to whom the Venmo account bearing his name is connected—he served as a defense adviser at the Pentagon under former defense secretaries Donald Rumsfeld and Robert Gates, and later counseled US vice president Dick Cheney on counterterrorism. In 2020, following the US drone strike that killed Iranian general Qassem Soleimani, Waltz says he was part of a small group of lawmakers privately briefed at the White House.

Another participant in that thread was Hegseth. A public Venmo account under his name, identified by The American Prospect in February, revealed a similarly elite network—including names matching executives at defense firms like Palantir and Anduril as well as lobbyists and President George W. Bush–era officials. In the Signal chat, the defense secretary directly responded to Vance’s concerns: “VP: I fully share your loathing of European free-loading. It’s PATHETIC.”

Both Vance’s and Hegseth’s Venmo accounts have since been deleted.

_Jake Lahut contributed reporting._

Mike Waltz Left His Venmo Friends List Public

The Trump cabinet’s shocking leak of its plans to bomb Yemen raises myriad confidentiality and legal issues. The security of the encrypted messaging app Signal is not one of them.

The eye-popping scandal surrounding the Trump cabinet’s accidental invitation to The Atlantic’s editor in chief to join a text-message group secretly planning a bombing in Yemen has rolled into its third day, and that controversy now has a name: SignalGate, a reference to the fact that the conversation took place on the end-to-end encrypted free messaging tool Signal.

As that name becomes a shorthand for the biggest public blunder of the second Trump administration to date, however, security and privacy experts who have promoted Signal as the best encrypted messaging tool available to the public want to be clear about one thing: SignalGate is not about Signal.

Since The Atlantic’s editor, Jeffrey Goldberg, revealed Monday that he was mistakenly included in a Signal group chat earlier this month created to plan US airstrikes against the Houthi rebels in Yemen, the reaction from the Trump cabinet’s critics and even the administration itself has in some cases seemed to cast blame on Signal for the security breach. Some commentators have pointed to reports last month of Signal-targeted phishing by Russian spies. National security adviser Michael Waltz, who reportedly invited Goldberg to the Signal group chat, has even suggested that Goldberg may have hacked into it.

On Wednesday afternoon, even President Donald Trump suggested Signal was somehow responsible for the group chat fiasco. “I don't know that Signal works,” Trump told reporters at the White House. “I think Signal could be defective, to be honest with you.”

The real lesson is much simpler, says Kenn White, a security and cryptography researcher who has conducted audits on widely used encryption tools in the past as the director of the Open Crypto Audit Project: Don’t invite untrusted contacts into your Signal group chat. And if you’re a government official working with highly sensitive or classified information, use the encrypted communication tools that run on restricted, often air-gapped devices intended for a top-secret setting rather than the unauthorized devices that can run publicly available apps like Signal.

“Unequivocally, no blame in this falls on Signal,” says White. “Signal is a communication tool designed for confidential conversations. If someone's brought into a conversation who’s not meant to be part of it, that's not a technology problem. That's an operator issue.”

Cryptographer Matt Green, a professor of computer science at Johns Hopkins University, puts it more simply. “Signal is a tool. If you misuse a tool, bad things are going to happen,” says Green. “If you hit yourself in the face with a hammer, it’s not the hammer’s fault. It’s really on you to make sure you know who you’re talking to.”

The only sense in which SignalGate _is_ a Signal-related scandal, White adds, is that the use of Signal suggests that the cabinet-level officials involved in the Houthi bombing plans, including secretary of defense Pete Hegseth and director of national intelligence Tulsi Gabbard, were conducting the conversation on internet-connected devices—possibly even including personal ones—since Signal wouldn’t typically be allowed on the official, highly restricted machines intended for such conversations. “In past administrations, at least, that would be absolutely forbidden, especially for classified communications,” says White.

Indeed, using Signal on internet-connected commercial devices doesn’t just leave communications open to anyone who can somehow exploit a hackable vulnerability in Signal, but anyone who can hack the iOS, Android, Windows, or Mac devices that might be running the Signal mobile or desktop apps.

This is why US agencies in general, and the Department of Defense in particular, conduct business on specially managed federal devices that are specially provisioned to control what software is installed and which features are available. Whether the cabinet members had conducted the discussion on Signal or another consumer platform, the core issue was communicating about incredibly high-stakes, secret military operations using inappropriate devices or software.

One of the most straightforward reasons that communication apps like Signal and WhatsApp are not suitable for classified government work is that they offer “disappearing message” features—mechanisms to automatically delete messages after a preset amount of time—that are incompatible with federal record retention laws. This issue was on full display in the principals’ chat about the impending strike on Yemen, which was originally set for one-week auto-delete before the Michael Waltz account changed the timer to four-week auto-delete, according to screenshots of the chat published by The Atlantic on Wednesday. Had The Atlantic’s Goldberg not been mistakenly included in the chat, its contents might not have been preserved in accordance with long-standing government requirements.

In congressional testimony on Wednesday, US director of national intelligence Tulsi Gabbard said that Signal can come preinstalled on government devices. Multiple sources tell WIRED that this is not the norm, though, and noted specifically that downloading consumer apps like Signal to Defense Department devices is highly restricted and often banned. The fact that Hegseth, the defense secretary, participated in the chat indicates that he either obtained an extremely unusual waiver to install Signal on a department device, bypassed the standard process for seeking such a waiver, or was using a non-DOD device for the chat. According to political consultant and podcaster FP Wellman, DOD “political appointees” demanded that Signal be installed on their government devices last month.

Core to the Trump administration’s defense of the behavior is the claim that no classified material was discussed in the Signal chat. In particular, Gabbard and others have noted that Hegseth himself is the classification authority for the information. Multiple sources tell WIRED, though, that this authority does not make a consumer application the right forum for such a discussion.

“The way this was being communicated, the conversation had no formal designation like 'for official use only' or something. But whether it should have been classified or not, whatever it was, it was obviously sensitive operational information that no soldier or officer would be expected to release to the public—but they had added a member of the media into the chat,” says Andy Jabbour, a US Army veteran and founder of the domestic security risk-management firm Gate 15.

Jabbour adds that military personnel undergo annual information awareness and security training to reinforce operating procedures for handling all levels of nonpublic information. Multiple sources emphasize to WIRED that while the information in the Yemen strike chat appears to meet the standard for classification, even nonclassified material can be extremely sensitive and is typically carefully protected.

“Putting aside for a moment that classified information should never be discussed over an unclassified system, it’s also just mind-boggling to me that all of these senior folks who were on this line and nobody bothered to even check, security hygiene 101, who are all the names? Who are they?” US senator Mark Warner, a Virginia Democrat, said during Tuesday’s Senate Intelligence Committee hearing.

According to The Atlantic, 12 Trump administration officials were in the Signal group chat, including vice president JD Vance, secretary of state Marco Rubio, and Trump adviser Susie Wiles. Jabbour adds that even with ​​decisionmaking authorities present and participating in a communication, establishing an information designation or declassifying information happens through an established, proactive process. As he puts it, “If you spill milk on the floor, you can’t just say, ‘That’s actually not spilled milk, because I intended to spill it.’”

All of which is to say, SignalGate raises plenty of security, privacy, and legal issues. But the security of Signal itself is not one of them. Despite that, in the wake of The Atlantic’s story on Monday, some have sought tenuous connections between the Trump cabinet’s security breach and Signal vulnerabilities. On Tuesday, for example, a Pentagon adviser echoed a report from Google’s security researchers, who alerted Signal earlier this year to a phishing technique that Russian military intelligence used to target the app’s users in Ukraine. But Signal pushed out an update to make that tactic—which tricks users into adding a hacker as a secondary device on their account—far harder to pull off, and the same tactic also targeted some accounts on the messaging services WhatsApp and Telegram.

“Phishing attacks against people using popular applications and websites are a fact of life on the internet,” Signal spokesperson Jun Harada tells WIRED. “Once we learned that Signal users were being targeted, and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago."

In fact, says White, the cryptography researcher, if the Trump administration is going to put secret communications at risk by discussing war plans on unapproved commercial devices and freely available messaging apps, they could have done much worse than to choose Signal for those conversations, given its reputation and track record among security experts.

“Signal is the consensus recommendation for highly at-risk communities—human rights activists, attorneys, and confidential sources for journalists,” says White. Just not, as this week has made clear, executive branch officials planning airstrikes.

_Updated at 5:50 pm ET, March 25, 2025: Added remarks about Signal by President Trump._

SignalGate Isn’t About Signal

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability. Veeam B&R is a client-server software solution for centralized backup of virtual machines in VMware vSphere and Microsoft Hyper-V environments. A deserialization flaw (CWE-502) lets an attacker run arbitrary code on a Veeam server. The necessary conditions: the Veeam server must be part of […]

**About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability.** Veeam B&R is a client-server software solution for centralized backup of virtual machines in VMware vSphere and Microsoft Hyper-V environments.

A deserialization flaw (CWE-502) lets an attacker run arbitrary code on a Veeam server. The necessary conditions: the Veeam server must be part of an Active Directory domain, and the attacker must be authenticated in this domain.

The vendor’s security advisory was released on March 19. The next day, on March 20, WatchTowr Labs published an analysis of the vulnerability. A PoC exploit is expected to appear soon.

Veeam products were widely deployed in Russia until 2022, and many active installations likely remain.

❗️ Compromising the backup system could severely delay infrastructure recovery following a ransomware attack. 😉

Upgrade to version 12.3.1 and, if possible, disconnect the B&R server from the domain.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Remote Code Execution – Veeam Backup & Replication (CVE-2025-23120) vulnerability

Ramat Gan, Israel, 25th March 2025, CyberNewsWire

**Ramat Gan, Israel, March 25th, 2025, CyberNewsWire**

CYREBRO, the AI-native Managed Detection and Response (MDR), today announced its recognition as a leading detection and response startup in the Gartner report, Emerging Tech: Techscape for Detection and Response Startups. This acknowledgment highlights CYREBRO’s innovative approach to cybersecurity, leveraging advanced technology and expert analysis to combat evolving cyber threats.

Among the key findings in the report:

*   Startups are experimenting with generative AI (GenAI) technologies. The use of AI agents/AI security operations center (SOC) analysts and GenAI remediation recommendations has become crucial for staying ahead of evolving threats.
*   The preemptive cybersecurity approach to detection and response has gained momentum, with startups working across complex threat intelligence, adopting purple team cultures, and improving their strategic industry offerings.

CYREBRO has been identified as a key startup in the preemptive cybersecurity category, which highlights companies with a proactive strategy designed to prevent, disrupt, or deter cyberattacks before they can achieve their goals. CYREBRO’s inclusion validates its commitment to delivering comprehensive future-proof security solutions, providing organizations with a robust defense against diverse risks and cyberattacks.

> “We are honored to be recognized by Gartner for our emerging technology in the detection and response space,” said Ori Arbel, CTO of CYREBRO. “The report highlights the growing need for innovative detection and response solutions that can effectively address the increasing sophistication of cyberattacks. CYREBRO is committed to empower its partners and customers with cutting-edge solutions.”

CYREBRO’s platform leverages advanced proprietary technology, including AI and machine learning, to precisely detect and respond to threats. By automating the correlation and prioritization of security events, CYREBRO ensures that businesses can focus on critical threats, minimizing disruption and maintaining operational continuity.

Gartner, Emerging Tech: Techscape for Detection and Response Startups, 19 March 2025. Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner members can access the full report here. (For Gartner subscribers only).

**Gartner Disclaimer**

GARTNER is the registered trademark and service mark of Gartner Inc., and/or its affiliates in the U.S. and/or internationally and has been used herein with permission. All rights reserved. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner’s research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

**About CYREBRO**

CYREBRO is an AI-native, end-to-end Managed Detection and Response (MDR) solution, designed for hands-off or hands-on control through its future-proof SOC platform.

With its advanced Security Data Lake revolutionizing SIEM and SOAR capabilities, CYREBRO includes 24/7 SOC monitoring and threat intelligence, augmented with exceptionally swift incident response and forensic investigations. CYREBRO delivers precision-guided threat detection and response across any tech stack, providing clear, actionable insights to ensure world-class security and compliance.

With comprehensive visibility and expert guidance, CYREBRO empowers over 900 businesses of all sizes to manage threats proactively, enhancing their security posture and delivering full and complete protection.  

**Contact**

**CMO**  
**Gil Harel**  
**CYREBRO**  
**\[email protected\]**

CYREBRO Recognized in Gartner Emerging Tech Report for Detection and Response Startups

Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.

Cybercriminals are exploiting custom and compromised drivers to disable endpoint detection and response (EDR) systems, facilitating undetected malicious activity. Elastic Security Labs (ESL) has identified a financially motivated campaign deploying MEDUSA ransomware, utilizing a loader paired with a revoked certificate-signed driver named AbyssWorker. This driver, originating from a Chinese vendor, is designed to neutralize EDR solutions.

As per ESL’s investigation, shared with Hackread.com, this tactic blinds security tools and allows malicious actors to operate freely, increasing the success rate of their attacks.

The AbyssWorker driver, originating from a Chinese vendor, is a key component in a campaign that installs itself on victim machines and systematically targets and silences various EDR solutions.

“This EDR-killer driver was recently reported by ConnectWise in another campaign, using a different certificate and IO control codes, at which time some of its capabilities were discussed. In 2022, Google Cloud Mandiant disclosed a malicious driver called POORTRY, which we believe is the earliest mention of this driver,” researchers noted in the blog post.

The actual filename of the malicious driver is identified as smuol.sys (a 64-bit Windows PE driver). It cleverly mimics a legitimate CrowdStrike Falcon driver, probably to blend into legitimate system processes. ESL identified multiple samples on VirusTotal dating from August 2024 to February 2025, all signed with revoked certificates from various Chinese companies, including Foshan Gaoming Kedeyu Insulation Materials Co., Ltd and FEI XIAO, among others. These certificates, while widely used across various malware campaigns, are not specific to AbyssWorker.

Upon initialization, AbyssWorker establishes a device and symbolic link, registering callbacks for major functions. A critical defence evasion mechanism involves stripping existing handles to its client process from other processes, preventing external manipulation. It also registers callbacks to deny access to handles of protected processes and threads.

The driver’s core functionality resides in its DeviceIoControl handlers, which execute a range of operations based on I/O control codes. These operations include file manipulation, process and driver termination, and API loading. A password is required to enable the driver’s malicious capabilities. For file operations, AbyssWorker uses I/O Request Packets (IRPs), bypassing standard APIs.

AbyssWorker can remove notification callbacks, replace driver major functions, detach mini-filter devices, terminate processes and threads, and restore hooked NTFS and PNP driver functions. Notably, it can trigger a system reboot using the undocumented HalReturnToFirmware function. These capabilities directly support MEDUSA ransomware’s ability to operate without security interference.

A key obfuscation technique AbyssWorker employs is calling “constant-returning functions” throughout the binary to complicate static analysis. However, Elastic deemed it inefficient, as they are easy to identify and declared it “an inefficient obfuscation scheme.”

Nevertheless, AbyssWorker represents a significant threat, demonstrating the increasing sophistication of kernel-level malware designed to disable security infrastructure. ESL has provided a client implementation example, offering researchers a means to further explore and experiment with this malware. To further aid in detection, Elastic Security has released YARA rules, available on their GitHub repository, enabling security professionals to identify instances of AbyssWorker within their environments.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development, stating,

_“_The Medusa malware is living up to its name, finding new ways to infect hosts even after one method has been blocked. Using a batch file to disable system services is a short-term ploy as it can be detected and blocked. Security teams should be on alert for any systems that have a time change and review end-user permissions to prevent the user from stopping the time service._“_

Top/Featured Image by WaveGenerics from Pixabay

Medusa Ransomware Disables Anti-Malware Tools with Stolen Certificates

When you think of malware, your mind probably jumps to malicious downloads or email attachments. But it turns…

When you think of malware, your mind probably jumps to malicious downloads or email attachments. But it turns out, some pretty innocent-looking devices can also be used as sneaky vectors for malicious software. Here are five surprising gadgets that could become malware delivery systems, and how to protect yourself.

****1\. Headphones and Speakers****

Yes, you read that right! Your trusty headphones or speakers could spread malware. This isn’t about plugging them into an infected device but rather using them to transmit data through sound waves. Researchers have demonstrated how malware can convert audio output devices into ultrasonic transmitters.

In one proof-of-concept attack called “AirHopper,” headphones were used to leak data from air-gapped computers by sending high-frequency audio signals that could be picked up by a nearby compromised device with a microphone.

While this kind of attack is rare and highly sophisticated, it shows that even your headphones can be weaponized. To minimize risk, always update your audio drivers and keep your system security tight.

****2\. Smart Light Bulbs****

Your fancy smart lighting system could be more than just mood lighting — it could also be a way for hackers to infiltrate your network. Researchers have shown that some smart bulbs can be infected with malware, which then spreads to other connected devices.

A notable example is the “Philips Hue” vulnerability discovered in 2020. Hackers could exploit flaws to jump from the smart bulb to the home network. Once inside, they could potentially access sensitive data or take control of other smart gadgets.

To stay safe, always update your smart devices’ firmware and keep them on a separate network from your primary devices.

****3\. Barcode Scanners****

Believe it or not, barcode scanners can become vectors for malware, too. In one case known as “Zombie Zero,” attackers embedded malware into the firmware of barcode scanners before they even left the factory.

Once these compromised scanners were used in warehouses, they infected connected systems, allowing hackers to spy on corporate networks and steal data. This is a prime example of a supply chain attack where infected hardware is shipped directly from the manufacturer.

Always check for firmware updates and run security scans even on seemingly simple devices like scanners.

****4\. Smart Coffee Maker****

Who knew your morning coffee could be a security risk? Some high-tech coffee makers come with Wi-Fi connectivity and smartphone control, making them vulnerable to attacks. Researchers have shown that smart coffee machines can be hacked to not only disrupt their functions but also act as a gateway into your home network.

One security researcher demonstrated how they could make the coffee maker constantly boil water or refuse to brew until a ransom was paid; a quirky but serious take on ransomware. However, a real-world cyber attack on a coffee machine has already happened. It happened in July 2017 when a coffee machine was compromised to infect computer devices at a factory company that has multiple petrochemical factories making chemicals in Europe.

****5\. Traffic Lights****

Smart traffic lights, essential for managing city traffic, are vulnerable to cyberattacks. Hackers can exploit weak security protocols or outdated software to manipulate signals, causing chaos on the roads. In some cases, malware can alter light patterns or disable systems entirely, leading to accidents or gridlock. Researchers have demonstrated how vulnerabilities in communication protocols allow control over signals.

****How to Stay Safe****

*   **Keep Firmware Updated:** No matter how harmless a device seems, make sure its software is up to date.

*   **Segment Your Network:** Keep IoT devices on a separate network from your primary devices.

*   **Use Strong Passwords:** Set unique, complex passwords for each device.

*   **Monitor Network Activity:** Regularly check which devices are connected to your network.

It’s crazy to think that everyday gadgets, from headphones to coffee makers, can become cybersecurity nightmares. However, that’s just how the world of cybersecurity works – make security part of your daily routine.

5 Unexpected Devices You Didn’t Know Could Spread Malware

LayerX Labs reports a sophisticated macOS phishing campaign, evading security measures. Learn how attackers adapt and steal credentials from Mac users.

A recent report by LayerX Labs has revealed a new phishing campaign that was initially designed to deceive Windows users but lately focused on targeting macOS users.

The campaign, which LayerX Labs monitored for several months, originally posed as Microsoft security alerts, aiming to steal user credentials. In the attack, attackers employed deceptive tactics, creating fake security warnings on hacked websites that claimed the user’s computer was “compromised” and “locked.” Victims were encouraged to enter their Windows username and password, while malicious code froze the webpage, mimicking a complete system lockdown.

According to LayerX’s analysis, shared with Hackread.com, several factors contributed to the campaign’s initial effectiveness. Firstly, the phishing pages were hosted on Microsoft’s Windows.net platform, making the fake security warnings appear legitimate.

Also, attackers utilized trusted hosting services, exploiting the fact that traditional anti-phishing defences often rely on top-level domain reputation. Furthermore, they employed randomized, rapidly changing subdomains, making it difficult for security tools to track and block the malicious pages, which themselves were professionally designed, and frequently updated to evade detection. Some even incorporated anti-bot and CAPTCHA technologies to hinder automated web crawlers. 

When Microsoft, along with Chrome and Firefox, introduced new anti-scareware features in early 2025, a dramatic 90% drop in Windows-targeted attacks was noticed. In response, the attackers adapted their strategy, shifting their focus to macOS users, unprotected by these new defences.

Within two weeks, LayerX Labs observed a surge in Mac-based attacks, much similar to the Windows-targeted ones but with slight code adjustments aiming to specifically target macOS and Safari users. Victims were lured to the phishing pages via compromised domain “parking” pages, often after making a typo in a URL.

In one instance, a macOS and Safari user from a LayerX enterprise customer was targeted. Although the organization employed a Secure Web Gateway, the attack bypassed it. However, LayerX’s AI-based detection system, which analyzes web pages using numerous parameters at the browser level, successfully blocked the attack.

Screenshot shows the phishing scam targeting both Windows and macOS users (Credit: LayerX Labs)

This campaign highlights the increasing sophistication of phishing attacks targeting macOS users. Menlo Security’s recent State of Browser Security report further highlights this trend, revealing a dramatic increase in browser-based attacks, especially since the popularity of generative AI.

The report found a whopping 140% increase in browser-based phishing attacks compared to 2023, with a 130% increase specifically in zero-hour phishing attacks and the impersonation of major brands like Facebook, Microsoft, and Netflix.  

Menlo Security’s analysis of over 752,000 browser-based phishing attacks reveals that one in five attacks now employs evasive techniques to bypass traditional security measures.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development stating, “In the past few weeks, we’ve seen an uptick in browser-based phishing attacks that use legitimate hosting services to trick users into falling for the attack and the ruse they use is a fairly old one and quite common.”

“If you ever get an unknown random pop-up saying your computer is compromised, it should be treated as suspicious and ignored,” Thomas warned. “Anti-virus services will never ask you to enter a username and password to remove a threat.”

New Phishing Campaign Targets macOS Users with Fake Security Alerts

This week on the Lock and Code podcast, we speak with Carey Parker about what Google Chrome knows about you.

_This week on the Lock and Code podcast…_

Google Chrome is, by far, the most popular web browser in the world.

According to several metrics, Chrome accounts for anywhere between 52% and 66% of the current global market share for web browser use. At that higher estimate, that means that, if the 5.5 billion internet users around the world were to open up a web browser right now, 3.6 billion of them would open up Google Chrome.

And because the browser is the most common portal to our daily universe of online activity—searching for answers to questions, looking up recipes, applying for jobs, posting on forums, accessing cloud applications, reading the news, comparing prices, recording Lock and Code, buying concert tickets, signing up for newsletters—then the company that controls that browser likely knows a lot about its users.

In the case of Google Chrome, that’s entirely true.

Google Chrome knows the websites you visit, the searches you make (through Google), the links you click, and the device model you use, along with the version of Chrome you run. That may sound benign, but when collected over long periods of time, and when coupled with the mountains of data that other Google products collect about you, this wealth of data can paint a deeply intimate portrait of your life.

Today, on the Lock and Code podcast with host David Ruiz, we speak with author, podcast host, and privacy advocate Carey Parker about what Google Chrome knows about you, why that data is sensitive, what “Incognito mode” really does, and what you can do in response.

We also explain exactly why Google would want this money, and that’s to help it run as an ad company.

> “That’s what \[Google is\]. Full stop. Google is an ad company who just happens to make a web browser, and a search engine, and an email app, and a whole lot more than that.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 What Google Chrome knows about you, with Carey Parker (Lock and Code S06E06) 

Counterfeit products are a growing problem in today’s market. With advancements in technology, counterfeiters have become more skilled…

Counterfeit products are a growing problem in today’s market. With advancements in technology, counterfeiters have become more skilled at creating fake labels that are hard to distinguish from the real thing. You need to know how these counterfeiters use technology and what steps you can take to protect yourself and your business.

This blog post will explore the clever methods counterfeiters use, such as digital printing and holograms, to create convincing fake labels. Understanding these tactics can help you identify counterfeit goods before they reach your hands. You will also learn practical strategies to spot and combat counterfeit products effectively.

Taking action against counterfeiters is crucial for safeguarding your reputation and finances. Knowing what to look for and how to verify product authenticity can help you make smarter choices as a consumer. Let’s dive into the details and empower ourselves against counterfeit threats.

****Understanding Counterfeit Labels****

Counterfeit labels use various techniques and technologies to imitate genuine products. Recognizing these methods helps protect both brands and consumers. Learn about how counterfeiters operate and why the issue matters.

****Techniques and Technologies Used by Counterfeiters****

Counterfeiters employ a range of methods to create fake labels. Some common techniques include:

*   Digital Printing: This allows them to produce high-quality labels that closely mimic real ones.
*   Augmented Reality: Some counterfeiters use AR to make labels appear authentic when scanned.
*   Custom Software: They often design their programs to copy logos and text styles.

The use of color calibration helps fake labels match the exact colors of legitimate brands. Counterfeiters may also buy legitimate products and copy the labels directly. This makes detecting fakes even harder.

****The Impact of Counterfeit Labels on Brands and Consumers****

Counterfeit labels seriously harm brands. They can cause damage to a brand’s reputation and lead to loss of sales. Some results include:

*   Loss of Trust: Consumers may question the quality of a brand’s offerings.
*   Financial Impact: Brands lose billions annually due to counterfeit products.

For consumers, the risks are substantial. Counterfeit products often lack quality control standards and can pose safety risks. They may receive subpar products that do not perform as promised. This can result in dissatisfaction and financial waste.

****Detection Methods****

You have several ways to spot counterfeit product labels. These methods include visual inspections and the use of digital tools. Each technique plays a crucial role in ensuring product authenticity.

****Visual Inspection Techniques****

Visual inspection is often the first step in detecting counterfeit labels. You should look closely at the packaging and labels for any signs of poor quality. This can include blurry text, uneven colors, or incorrect logos.

Key aspects to check:

*   Fonts: Check for incorrect font styles or sizes.
*   Logos: Ensure logos are aligned and have the right colors.
*   Labels: Examine for signs of tampering or mismatched colors.

Using a magnifying glass can help spot small details. Counterfeit products may also have misspellings or inaccurate information.

****Digital Authentication Tools****

Digital tools provide advanced methods for detecting fakes. You can use QR codes or holograms to verify product authenticity. When scanned, these codes can link to secure databases.

Some tools to consider:

*   Blockchain Technology: This keeps a secure record of product history.
*   Mobile Apps: Many brands offer apps that allow you to scan and verify items.

Using these tools can give you quick access to the product’s information. Make sure to stay updated with the latest verification technologies.

****Preventative Measures for Manufacturers****

Manufacturers must adopt specific strategies to protect their products from counterfeiters. By integrating advanced technologies and tracking systems, you can significantly lower the risk of fakes disrupting your business.

****Incorporating Advanced Security Features****

Using advanced security features on your product labels is essential. These features can include:

*   Holograms: Unique holographic designs make it hard for counterfeiters to replicate.
*   Color-Shifting Inks: Inks that change color based on angle or light add another layer of security.
*   Microprinting: Tiny text or patterns that are difficult to reproduce help verify authenticity.

You can also consider labeling your equipment with permanent identification. These types of labels offer a long-lasting way to identify your machines and products, making it easier to verify their authenticity.

****Utilizing Serialization and Track & Trace Systems****

Serialization assigns a unique code to each product. This code helps you track your items from production to the consumer. Some key benefits include:

*   Enhanced Accountability: You can monitor each product’s journey, making it easier to spot counterfeits.
*   Consumer Verification: Customers can verify a product’s authenticity using its serial number.

Implementing track and trace systems allows you to link those codes to your database. This ensures that each product is registered and easily validated. By combining these methods, you enhance your defense against counterfeit goods.

****Legal and Regulatory Framework****

Understanding the legal and regulatory measures in place can help you recognize how they combat counterfeit products. This section looks at how intellectual property rights and international agreements shape the fight against counterfeit labeling.

****Intellectual Property Rights Enforcement****

Intellectual property rights (IPR) play a key role in protecting brands and products from counterfeiters. These rights allow companies to take legal action against those who produce or sell fake goods.

In many countries, laws protect trademarks, patents, and copyrights. You can report counterfeit products to authorities who investigate and prosecute offenders. Some companies use advanced technology, like tracking systems, to monitor their goods.

Important Actions:

*   Register your trademarks.
*   Monitor the market for counterfeit goods.
*   Report violations quickly to local law enforcement.

Strong enforcement of IPR is essential to deter counterfeiters and protect consumers.

****International Standards and Agreements****

International standards and agreements help countries work together against product counterfeiting. Treaties like the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) create common rules for IPR enforcement.

These agreements encourage countries to have similar laws. This makes it harder for counterfeiters to operate across borders. Your country’s participation in these agreements can strengthen protections against fake labeling.

Key Points:

*   Collaboration among nations improves enforcement efforts.
*   Countries must implement IPR laws in line with international standards.
*   Shared information between countries aids in identifying counterfeit operations.

Effective international cooperation is necessary for significantly reducing counterfeit products in the market.

****Consumer Education and Awareness****

Consumers play a key role in fighting counterfeit products. By learning how to spot authentic items and reporting any suspicions, you can help protect yourself and others from fraud.

****Identifying Authenticity Indicators****

To verify product authenticity, look for specific signs. Many brands use unique features that show a product is real. Here are key indicators:

*   Holograms: Genuine products often have holograms that change appearance when tilted.
*   Serial Numbers: Check if the product includes a unique serial number, usually found on the packaging or label.
*   Quality of Materials: Authentic items typically use high-quality materials. Look for sturdy packaging and clear print.
*   Official Websites: Compare the product with images on the brand’s official website to spot differences.

Pay attention to these details when shopping. Counterfeit products may not include these features or might display them poorly.

****Reporting Suspected Counterfeits****

If you suspect a product is counterfeit, take action. Reporting these findings helps combat fraud. Here are steps to follow:

1.  Contact the Brand: Reach out to the company directly. Most brands have a way to report counterfeit items.
2.  Use Online Reporting Tools: Many websites allow you to report suspicious products or sellers.
3.  Inform Local Authorities: If the counterfeit poses a risk, contact your local consumer protection agency.

Keep any receipts or photos as evidence. Your help is crucial in stopping counterfeiters and ensuring safer shopping experiences for everyone.

Tag

#mac