Risky Biz News: Microsoft budges on Windows 11 Recall
In other news: Apple to add a password manager; DJI to disable flight data syncing for US drones; another stalkerware app gets hacked.

This newsletter is brought to you by Detection-as-Code company Panther. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts.

GetResponse data breach: The email marketing platform GetResponse disclosed a security breach after a threat actor gained access to one of its employees' accounts. The company says the attacker used the account to pivot to less than 10 of its customers. So far, the GetResponse breach has been linked to at least one other breach, at cryptocurrency platform CoinGecko. The company says the hacker stole the email addresses of almost two million CoinGecko subscribers.

LendingTree breach: Loan comparison site LendingTree has confirmed that its QuoteWizard subsidiary had data stolen from its Snowflake account. Additional coverage in TechCrunch.

Bangladesh data leak: The Bangladesh intelligence agency has caught two police officers from its anti-terror unit selling citizen data to criminals on Telegram. According to TechCrunch, the officers sold both PII and classified data via a Telegram channel. The Bangladesh government says the two officers have had their access to government systems suspended while they are being investigated. The NTMC intelligence agency caught the two after reviewing logs of its own systems.

NYT Wordle leak: A threat actor has leaked the source code for the New York Times after one of the company's workers allegedly left a private GitHub access token in a public code paste. The leaked data allegedly includes the source code of the company's public website, mobile apps, and even its Wordle game. The dump contains 270GB of data, with most being unencrypted.

Pre-election DDoS attacks: A pro-Kremlin hacktivist group launched DDoS attacks last week against the websites of several Dutch political parties, just ahead of the EU Parliament elections this weekend. Additional coverage in Politico Europe.

CEPOL data breach: The EU Agency for Law Enforcement Training (CEPOL) says it was the victim of a cyberattack last week. The agency did not reveal any details about the nature of the incident but said that its services have remained functional. Officials say they have notified CERT-EU and are working with the EU agency to investigate the incident.

BSU hack: Belarusian hacktivist group the Cyber Partisans say they hacked the Belarusian State University, the country's oldest and largest university. The group claims it obtained documents and audio records from the university's internal network showing how its leadership dismissed staff and students who participated in anti-government protests. The documents also show that the university declined to admit new students who participated in protests and left comments online against the dictatorship. The Cyber Partisans say the political repression is still ongoing at the university to this day.

mSpy hack: Hacker and privacy advocate Maia Arson Crimew claims that a threat actor has hacked and dumped the helpdesk of stalkerware service mSpy. The researcher says the helpdesk database contains evidence that several law enforcement agencies reached out to the company to rent out its spyware under a white label. Maia Arson Crimew claims the company received inquiries from the Israeli National Police, the Thai Royal Police, and the Vietnamese Defense Ministry. It also received inquiries from Italian law enforcement, the UAE government, the Nebraska National Guard, and the Tasmanian Police. The researcher says there is no evidence in the helpdesk dump that any agreements were signed. mSpy joins a list of over a dozen hacked spyware vendors.

Vietnam Post ransomware attack: Vietnam's national postal service says it restored IT systems after suffering a ransomware attack on June 4. Vietnam Post websites and mobile apps have been offline since the attack. According to reports in local media, the attack has impacted postal delivery services but not package delivery or financial services. Additional coverage in VietnamNet.

Panasonic Australia incident: The Akira ransomware group has breached Panasonic's Australian division. The group listed the company on its dark web leak site at the end of last week. Panasonic confirmed the breach to Australian cybersecurity news site CyberDaily but said the group did not manage to get its hands on any customer data.

Apple to add a password manager: Bloomberg's Mark Gurman reports that Apple will announce a password manager app at its upcoming WWDC developer conference this week. The app will be named Passwords and will be shipped to both iOS and macOS users alike. Besides storing passwords, the app will also function as an MFA authenticator, similar to the Google and Microsoft Authenticator apps.

ChromeOS Recall-like feature: A Google executive confirmed last week that the company is working on a Windows 11 Recall-like feature for its Chromebooks. The feature is currently named "ChromeOS memory" and is still under development. John Solomon, the Google VP in charge of ChromeOS, says the feature is different from Recall because users will have control of how and where the memory feature works. Additional coverage in PCWorld.

Microsoft budges on Windows Recall: Microsoft has cracked under the public's pressure and is rolling out changes to its upcoming Windows 11 Recall feature. The company says Recall will ship disabled by default for all upcoming Windows 11 compatible systems. Users will be able to activate Recall only if they previously enrolled in the Windows Hello biometrics authentication system. Recall data will also be encrypted and accessible only after users have authenticated via Windows Hello. The Recall feature has been a PR disaster for Microsoft over the past month. Users have reacted negatively to the news that Recall would be taking snapshots of their screen every five seconds and storing sensitive information in an unencrypted local database. Microsoft says it made changes to Recall after feedback from its customers.

DJI to disable flight data syncing for US drones: DJI is disabling the ability for US users to sync drone flight data to its servers. The change will take place on June 12, and the option to sync US drone data will be removed completely by the end of the month. The company's decision comes as the US Senate is scheduled to discuss a bill (the Countering CCP Drones Act) to limit the use of Chinese-made drones in the US on national security grounds.

LastPass outage: LastPass was down last week for half a day because of a borked update to its Chrome extension.

EDHOC: The IETF takes a look at EDHOC (Ephemeral Diffie-Hellman Over COSE), a recently approved key exchange protocol for IoT devices.

OpenSSH anti-brute-force protection: The OpenSSH project is adding a new security feature to protect servers from exploits and brute-force attacks. The new feature will penalize and time out SSH clients that repeatedly fail authentication or crash the server. Default timeouts are 30 seconds, and trusted clients can be exempted.

CYBERCOM acquisition power: US Cyber Command is standing up a new program executive office to get more acquisition authority for its Joint Cyber Warfighting Architecture program. Additional coverage in FNN.

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Panther Senior Engineering Manager Nicholas Hakmiller on how the IT market is adapting to the cybersecurity skill shortage by training regular software talent in detection engineering, how AI is not there yet, and how Panther excels at spotting initial account compromise.

Smishing suspects arrested: London Police detained two individuals suspected of using a homemade mobile antenna to send thousands of smishing messages. The duo sent SMS messages posing as UK banks and other official organizations. Officials say the antenna allowed the duo to bypass telco security systems that defend against SMS spam.

Genesis user pleads guilty: A 27-year-old man from Buffalo has pleaded guilty to using the Genesis Market to buy stolen credentials. Officials say Wul Isaac Chol bought 778 credentials from the market between June 2019 and January 2021. Chol used one of the credentials to access and steal over $25,000 from the New York State Department of Labor.

Kuiper failed sale: The threat actor behind the Kuiper ransomware tried to sell its source code on the XSS hacking forum back in April, only to get immediately banned.

Vidar campaign: eSentire looks at a malvertising campaign spreading the Vidar stealer to users searching for the KMSPico app.

Agent Tesla campaign: Fortinet researchers analyze a malspam campaign targeting Spanish-speaking users with the Agent Tesla infostealer.

JScript RAT campaign: On the same note, G Data researchers look at a malspam campaign delivering Cobalt Strike beacons and the JScript RAT.

DDoS groups analysis: South Korean security firm S2W has published a comprehensive look at the DDoS-as-a-Service operations that are promoting themselves via Telegram these days. Researchers look at the likes of Project DDoSia, SERVER KILLERS, CYBERBOOTER, DDOSV4, and more. The research is in Korean.

EU election DDoS threats: Several pro-Kremlin faketivist groups have promised a wave of DDoS attacks on the websites of EU governments on June 9, the date of the EU's Parliament election day. How lovely! Additional coverage in DailyDarkWeb.

HU election spear-phishing: Hungarian security researcher Szabolcs Schmidt reports a massive spear-phishing wave coming from the same threat actor and targeting Hungarian NGOs right ahead of the EU Parliamentary election this past weekend. The payload is the Snake keylogger.

DERO cryptominer campaign, part II: Last year, CrowdStrike published a report on a new cryptomining operation that was targeting exposed Kubernetes systems with a miner for the Dero cryptocurrency token. This threat actor (no official name yet) is still active today, according to a new report from cloud security firm Wiz.

New npm malware: One hundred thirty-five malicious npm packages were discovered last week. Check out GitHub's security advisory portal for additional details.

Threat/trend reports: Arete, Cloudflare, ConnectWise, Hornetsecurity, Moody's, and SlashData have recently published reports covering infosec industry threats and trends.

RansomHouse: Analyst1 has published a report that looks at the history of a ransomware operation named RansomHouse. Researchers say the platform has been used by threat actors with links to ransomware gangs such as White Rabbit, Mario ESXi, RagnarLocker, and Dark Angels (Dunghill Leak). Not to be confused with RansomHub, which is a different group.

Today's podcast is brought to you by Detection-as-Code company Panther, and in what we think is a first, they've released a detection-as-code graphic novel called "Guardians of Valora." It teaches the five key principles of Detection-as-Code; grab it now from panther.com.

Disinfo ops: Russian disinfo operators are back on Meta with paid ads just hours after the company shut down their accounts and published its adversarial threat report. Apparently, they're extremely easy to spot for everyone except Meta. Gotta get that bread!

Sticky Werewolf: Morphisec has published a report on a campaign targeting Russia's aviation sector. The company linked the attacks to a group tracked as Sticky Werewolf, an APT known to target Russia and Belarus exclusively. This is the first report on the group from a non-Russian security firm.

DarkPeony: NTT's security team has published a report on a recent DarkPeony campaign that they tracked as Operation ControlPlug. The campaign abused Microsoft Management Console (MSC) files to deliver the PlugX malware.

Kimsuky: Another group abusing MSC files is Kimsuky, about which you can read in a separate report from South Korean security firm Genians here, but this is a separate and unrelated campaign.

PHP-CGI vulnerability: Security firm watchTowr has published its own analysis of CVE-2024-4577, a PHP-CGI vulnerability impacting Windows systems. The bug was initially discovered by DEVCORE. watchTowr has also released proof-of-concept code, and so have others. This led to almost immediate exploitation in the wild.

0Din: Mozilla has launched a new bug bounty program focused on large language models (LLMs) and other deep learning technologies. The new platform is named 0Day Investigative Network (0Din) and works as an intermediary between researchers and LLM vendors, similar to the likes of ZDI. Mozilla says 0Din will accept bug reports for common LLM vulnerabilities and attacks, such as Prompt Injection, Training Data Poisoning, Denial-of-Service, and more.

Dangerous WP plugin bug: A security researcher has found a critical vulnerability in a WordPress authentication plugin. The vulnerability impacts Login/Signup Popup, a WordPress plugin installed on more than 40,000 sites. The bug is considered extremely dangerous because the plugin is often used on WooCommerce-based online stores, where new user registration is enabled by default. Researchers say the bug can allow a threat actor to register a new account with full admin rights over a WordPress site.

Disabling Windows Defender: Altered Security's Munaf Shariff has published details and a PoC on how to disable Windows Defender by abusing SYSTEM/TrustedInstaller privileges. The technique works on all currently supported versions of Windows. Administrative privileges are required to run the PoC and technique, so the technique will require an EoP before use.

RIP David Ross: David Ross, one of the early pioneers of browser security research, has passed away, his family announced on Twitter. In 1999, together with Georgi Guninski, he authored the first paper on XSS attacks, named "Script Injection." He also worked on implementing X-Frame-Options in Internet Explorer.

New tool, WolfHSM: WolfSSL has open-sourced WolfHSM, a quantum-resistant cryptography framework for Automotive HSMs (Hardware Security Modules).

New tool, aiDAPal: Security firm Atredis Partners has open-sourced aiDAPal, an IDA Pro plugin that uses a locally running LLM (one that has been fine-tuned for Hex-Rays pseudocode) to assist with code analysis.

New tool, jolly-exec: SensePost's Dominic White has released a tool named The Jolly Executioner (jolly-exec) that works as a command execution proxy.

RWC 2024: Talks from the Real World Crypto 2024 security conference, which took place in March, are available on YouTube.

PrivacyCamp24: Talks from the Privacy Camp 2024 security conference, which took place this January, are available on YouTube.

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about law enforcement agencies trolling cyber criminals when they carry out disruption operations and why it might be counterproductive.
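The OpenSSH per-source penalty feature mentioned in the OpenSSH item above is configured in sshd_config. The fragment below is an added example, not from the newsletter or the OpenSSH project; it assumes a release that carries the PerSourcePenalties and PerSourcePenaltyExemptList directives (OpenSSH 9.8 onwards), and the durations and the exempt network are illustrative values, not the defaults.

```conf
# Added example (not OpenSSH documentation); assumes OpenSSH 9.8 or later.
# Penalise a source address for a number of seconds after each
# authentication failure (authfail) or after a connection that made
# sshd crash (crash); penalties accumulate up to the "max" cap.
# Durations below are illustrative, not the project's defaults.
PerSourcePenalties authfail:5 crash:90 max:600

# Trusted management network (constructed RFC 5737 address range)
# that is never penalised, e.g. a bastion running monitoring probes.
PerSourcePenaltyExemptList 192.0.2.0/24
```

Check the effective values on the host with `sshd -T | grep -i persourcepenalt` before reloading, so a typo does not leave the server without the protection you intended.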
Risky Business publishes cybersecurity newsletters and podcasts for security professionals.