2025.05.20.News You Should Know


Series: News You Should Know

Hackers scam Coinbase users and ransom data for $20M • The Register - Coinbase said that at no point during the compromise could the attackers have accessed customers’ funds, and confirmed the sources of the data were insiders bribed to steal information on behalf of the extortionists. The company said the data does not include passwords or private keys, but depending on the customer, the following details may be compromised:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • Last four digits of Social Security Numbers
  • Masked bank account numbers and some bank account identifiers
  • Images tied to government IDs such as passports and driving licenses
  • Coinbase account data including balance snapshots and transaction histories
  • “Limited corporate data,” including documents, training material, and communications available to support agents

Attn: fired US govt workers, Uncle Xi wants you! • The Register - China is ramping up efforts to recruit laid-off US government employees. At least five intelligence front companies have been identified so far:

  • Smiao Intelligence — smiao[.]com[.]cn
  • Dustrategy — dustrategy[.]com
  • RiverMerge Strategies — rivermergestrategies[.]com
  • Tsubasa Insight — tsubasainsight[.]com
  • Wavemax Innov — wavemaxinnov[.]com

Go-Based Malware Deploys XMRig Miner on Linux Hosts via Redis Configuration Abuse - “In addition to server-side cryptojacking, RedisRaider’s infrastructure also hosted a web-based Monero miner, enabling a multi-pronged revenue generation strategy,” the researchers said.

New Intel CPU flaws leak sensitive data from privileged memory - CVE-2024-45332 impacts all Intel CPUs from the ninth generation onward, including Coffee Lake, Comet Lake, Rocket Lake, Alder Lake, and Raptor Lake. The flaw is a small race condition during privilege switches: a branch is executed, but at the wrong permission level. By beating the clock, researchers can cross the privilege boundary and read privileged memory.

Android 16 expands ‘Advanced Protection’ with device-level security - New security features for Android 16

Google Chrome to block admin-level browser launches for better security - Google Chrome will relaunch itself without admin rights, so that downloaded files are not executed with admin privileges.

New Tor Oniux tool anonymizes any Linux app’s network traffic - Written in Rust, this helpful tool lets you launch any command with its network traffic routed over the Tor network.

New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender - The Defendnot tool, created by researcher es3n1n, abuses the Windows Security Center (WSC) API by registering a fake antivirus product that meets all of Windows’ validation checks. The tool is based on a previous project called no-defender, which used code from a third-party antivirus product to spoof registration with WSC. That earlier tool was pulled from GitHub after the vendor filed a DMCA takedown.

O2 UK patches bug leaking mobile user location from call metadata - Williams intercepted raw IMS signaling messages exchanged during a call and decoded the cell ID to find the last cell tower the call recipient connected to. Then, he used public tools that provide cell tower maps to find the geographic coordinates of the tower.

https://gbhackers.com/hackers-abuse-copilot-ai-in-sharepoint/ - Default Agents, pre-configured by Microsoft, analyze documents, pages, and metadata within their assigned site. Attackers leverage these agents to conduct targeted searches for credentials, internal jargon, and system details that would otherwise require manual navigation.

Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper - os-info-checker-es6, vue-dev-serverr, vue-dummyy, and vue-bit were updated to include malicious calls to….Google Calendar? The Google Calendar event name was a base64-encoded IP address, but researchers haven’t been able to discover the follow-on payload. The package also uses invisible Unicode modifier characters to hide additional information. Veracode noticed the packages as well: Malicious NPM package uses Unicode steganography to evade detection
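The two hiding techniques described above, as an added defensive check that is not from the original post or from the researchers who analysed the packages: a scan for runs of invisible Unicode code points in package source, and a decoder that tests whether a calendar event title is a base64-encoded IPv4 address. The sample module and event title are constructed; the exact encoding the real packages used is not known from this page.

```python
import base64
import ipaddress

# Code point ranges that render as nothing and are abused to smuggle data
# through source files that look clean in an editor or a diff view.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM/RLM
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xFEFF, 0xFEFF),    # zero-width no-break space
)

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def find_hidden_runs(source: str, min_run: int = 4):
    """Return (line_no, column, run_length) for every run of at least
    min_run consecutive invisible code points in the source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        start = None
        for col, ch in enumerate(line + " "):  # sentinel flushes a trailing run
            if is_invisible(ch):
                start = col if start is None else start
            elif start is not None:
                if col - start >= min_run:
                    findings.append((line_no, start, col - start))
                start = None
    return findings

def base64_ipv4(text: str):
    """Return the IPv4 address hidden in a base64 string, or None."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
        return str(ipaddress.IPv4Address(decoded))
    except (ValueError, UnicodeDecodeError):
        return None

# Constructed sample: a benign-looking module with 16 variation selectors
# hidden after a string literal, plus an event title built the way the
# article describes (base64 of an IP; this one is a TEST-NET-3 address).
SAMPLE_JS = (
    'const os = require("os");\n'
    'const tag = "v1.2.3";' + "".join(chr(0xFE00 + i) for i in range(16)) + "\n"
    'module.exports = { os, tag };\n'
)
SAMPLE_EVENT_TITLE = base64.b64encode(b"203.0.113.10").decode()

if __name__ == "__main__":
    for line_no, col, length in find_hidden_runs(SAMPLE_JS):
        print(f"line {line_no} col {col}: {length} invisible code points")
    print("event title decodes to:", base64_ipv4(SAMPLE_EVENT_TITLE))
```

Run it over the unpacked tarball of a package before installing; a single finding in a file that otherwise looks like ordinary JavaScript deserves a manual look.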

Malicious PyPI Package Posing as Solana Tool Stole Source Code in 761 Downloads - Copies and exfiltrates all files in the Python execution stack via a function named “register_node()”.

UK Ransomware

Ransomware strikes UK food distributor in latest retail blow • The Register - Based in Somerset, Peter Green Chilled serves most major supermarkets in the UK, including Asda, Morrison’s, Sainsbury’s, Tesco, Waitrose – plus Co-op and M&S, which are battling their own cyber-related issues.

What we know about DragonForce ransomware • The Register - Infosec researchers believe DragonForce ransomware was used in the late-April attacks that claimed victims including retailers Marks & Spencer, Co-op, and Harrods. DragonForce, a new-ish ransomware-as-a-service operation, has given organizations another cyber threat to worry about — unless they’re in Russia, which is off limits to the would-be extortionists.

Arla Foods confirms cyberattack disrupts production, causes delays - Arla, whose brands include Starbucks, was impacted.

FBI Deep fakes

FBI: US officials targeted in voice deepfake attacks since April - “The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts.”

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.