2025.02.11.News You Should Know


Series: News You Should Know

Beware of DDoSes from Mirai-based botnet of Mitel phones • The Register - Mitel, the phone that's sat on hundreds of desks across the world, may have default credentials, and may have been roped into a Mirai botnet as part of the new Aquabotv3. Just a reminder to patch everything. Everywhere. All the time.

Lazarus Group’s latest heist hits hundreds globally • The Register - Phantom Circuit planted backdoors in clones of legitimate software packages and open source tools so that developers and others, specifically in the cryptocurrency industry, would accidentally use them, compromising their machines. These poisoned projects would be shared via places like GitLab. The modified repositories included Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and other cryptocurrency-related apps, authentication packages, and web3 technologies, Ryan Sherstobitoff, senior VP of research and threat intelligence at SecurityScorecard, told The Register.

DeepSeek database left open, exposing sensitive info • The Register - A database used by DeepSeek exposed chat logs, API keys, etc. Remember that any free product is using you as the product. And any data you give away is potentially going to be lost, stolen, or abused.

Ransomware strikes at New York blood services provider • The Register - NY Blood Center Enterprises is being ransomwared, making already dangerously low blood supplies even lower. NYBCe supplies over 1m blood products to 400 hospitals in 15 states.

Charges mount in former ex-Googler’s AI theft case • The Register - Insider threat is real, and it might be part of an espionage attempt. See something, say something. Also, don’t badge in for other people.

India wants all banking to happen at bank.in domain • The Register - The world gets more TLD domains. India (.in) will be bringing online fin.in and bank.in for financial and banking services and highly restricting access to the domains.

Cloudflare outage caused by botched blocking of phishing URL - Security is hard, and it's even harder at scale. And third-party risk becomes our risk. The incident lasted for 59 minutes, between 08:10 and 09:09 UTC, and apart from the R2 Object Storage itself, it also affected services such as:

  • Stream – 100% failure in video uploads and streaming delivery.
  • Images – 100% failure in image uploads/downloads.
  • Cache Reserve – 100% failure in operations, causing increased origin requests.
  • Vectorize – 75% failure in queries, 100% failure in insert, upsert, and delete operations.
  • Log Delivery – Delays and data loss: Up to 13.6% data loss for R2-related logs, up to 4.5% data loss for non-R2 delivery jobs.
  • Key Transparency Auditor – 100% failure in signature publishing & read operations.

UK Home Office stays shtum on alleged Apple backdoor order • The Register - The Home Office told The Register: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.” The Washington Post, which first reported the story, said Apple will likely stop offering the iCloud encryption feature to users in the United Kingdom in response to the secret order, rather than break the encryption of users globally.

Apple AI has whipped up a storm over its use with private messages - Apple Intelligence seeks to mimic the Windows Recall feature by consuming everything shown on the screen to train its on-device AI features, including reading and consuming end-to-end-encrypted messages once they’re shown in plaintext. (Interestingly, this has been the most often used threat vector against Signal Messenger, with governments often deploying malware that screenshots or records victims’ phone screens.)

Apple and Google take down malicious mobile apps from their app stores | TechCrunch - Using code that’s designed to capture text visible on the user’s display — known as optical character recognition (OCR) — researchers found the malware scanned the image galleries on victims’ devices for keywords to find recovery phrases for cryptocurrency wallets across various languages, including English, Chinese, Japanese, and Korean.

https://play.google.com/store/apps/details?id=com.google.android.safetycore - If you have an Android phone, a new app that doesn’t appear in your menu has been automatically and silently installed (or soon will be) by Google. It is called AndroidSystemSafetyCore and does exactly the same - scan all images on your device as well as all incoming ones (via messaging). The new spin is that it does so “to protect your privacy”.

Chinese ‘Infrastructure Laundering’ Abuses AWS, Microsoft Cloud - Security is hard, and it's harder at scale. Funnull CDN, responsible for the 2024 Polyfill(.io) poisoning of JavaScript code, is now leasing thousands of IPs from Azure and AWS to rent to malicious actors, making it nigh-impossible for security teams to block or defend.

Reused AWS S3 buckets a weak link in supply chain security • The Register - watchTowr registered 150 abandoned Amazon S3 bucket names for $420 and found that Fortune 500 and Fortune 100 companies, military networks, payment card industry organisations, NASA, UK and US government, etc. all made requests to the buckets for assets or software that had previously been stored there. Also banks, financial services, universities, infosec firms, etc. After identifying an S3 bucket that’s expected to host a software update or code for deployment and realizing that the bucket no longer exists, an attacker would simply need to do what watchTowr did next: re-register this S3 bucket with the same name inside their AWS account.
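The defender-side check I'd pair with this story, added here as my own example (not code from the article or from watchTowr): scan your deploy scripts and configs for every S3 bucket they reference and flag any bucket you can't prove you still own. The sample script, the bucket names, and the owned-bucket allowlist are all made up.

```python
import re

# Bucket-name shape (3-63 chars: lowercase letters, digits, dots, hyphens).
_BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"

# The three common ways a bucket shows up in scripts and configs.
_PATTERNS = [
    # s3://bucket/key
    re.compile(r"\bs3://(" + _BUCKET + r")(?:/|\b)"),
    # virtual-hosted: https://bucket.s3.amazonaws.com/key,
    # https://bucket.s3.<region>.amazonaws.com/key, https://bucket.s3-<region>.amazonaws.com/key
    re.compile(r"https?://(" + _BUCKET + r")\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?:/|\b)"),
    # path-style: https://s3.amazonaws.com/bucket/key, https://s3.<region>.amazonaws.com/bucket/key
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(" + _BUCKET + r")(?:/|\b)"),
]

# Constructed sample deploy script (not from the article): one bucket the team
# still owns, plus two references left over from old tooling.
SAMPLE_DEPLOY_SCRIPT = """\
#!/bin/sh
aws s3 cp s3://acme-release-artifacts/agent-1.4.2.tgz /tmp/agent.tgz
curl -fsSL -o install.sh https://acme-installer-2019.s3.amazonaws.com/install.sh
curl -o cfg.json https://s3.us-west-2.amazonaws.com/legacy-config-bucket/prod/cfg.json
wget https://acme-release-artifacts.s3-eu-west-1.amazonaws.com/checksums.txt
"""

# Buckets the organisation can prove it currently owns (assumed allowlist).
OWNED_BUCKETS = {"acme-release-artifacts"}


def find_bucket_references(text):
    """Map each referenced bucket name to the literal references that named it."""
    refs = {}
    for pattern in _PATTERNS:
        for match in pattern.finditer(text):
            refs.setdefault(match.group(1), []).append(match.group(0))
    return refs


def unowned_buckets(text, owned):
    """Bucket names the text depends on that are not on the owned allowlist.

    Each is a takeover candidate if the bucket was ever deleted: confirm ownership
    out of band (e.g. `aws s3api head-bucket --bucket NAME`) before trusting it.
    """
    return sorted(set(find_bucket_references(text)) - set(owned))


if __name__ == "__main__":
    for name, hits in find_bucket_references(SAMPLE_DEPLOY_SCRIPT).items():
        print(f"{name}: {len(hits)} reference(s)")
    print("investigate:", unowned_buckets(SAMPLE_DEPLOY_SCRIPT, OWNED_BUCKETS))
```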

Netgear critical vulns come amid global netsec concern • The Register - Patch Patch Patch

CISA election security officials placed on leave: report | TechCrunch - 17 more CISA employees have been placed on leave.

Safari, Chrome at risk of data theft on Apple Silicon • The Register - Among the demonstrations cited, the researchers showed how this technique can be used to target an authenticated Gmail user who visits the attacker’s webpage. “The attacker webpage allocates 1.7 MB of filler and training strings, and then calls window.open on Gmail’s inbox page when the mouse cursor is placed over itself,” the authors explain. “As Gmail loads, JavaScript in the page starts rendering the inbox, whose content is personalized to the target. Over repeated trials, we show that the subject line and the sender’s identity can land in the reachable out-of-bounds region of the LAP, allowing for recovery by the adversary…” Using this technique, the researchers say they were able to obtain the target’s location history from Google Maps, inbox content from ProtonMail, and iCloud Calendar events.

The following Apple hardware is said to be affected:

  • All Mac laptops from 2022-present (MacBook Air, MacBook Pro)
  • All Mac desktops from 2023-present (Mac Mini, iMac, Mac Studio, Mac Pro)
  • All iPad Pro, Air, and Mini models from September 2021-present (Pro 6th and 7th gen., Air 6th gen., Mini 6th gen.)
  • All iPhones from September 2021-present (All 13, 14, 15, and 16 models, SE 3rd gen.)

Apple warns ’extremely sophisticated attack’ targets iThings • The Register - Speaking of, update all your iPhones again.

Bitdefender Scamio - Free Scam Detector - Bitdefender makes its AI scam detector available to the public for free.

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.