Tag Archive for: week

Security News This Week: US Energy Firm Targeted With Malicious QR Codes in Mass Phishing Attack

/in


At the Defcon security conference in Las Vegas last weekend, thousands of hackers competed in a red-team challenge to find flaws in generative AI chat platforms and help better secure these emerging systems. Meanwhile, researchers presented findings across the conference, including new discoveries about strategies to bypass a recent addition to Apple’s macOS that is supposed to flag potentially malicious software on your computer. 

Kids are facing a massive online scam campaign that targets them with fake offers and promotions related to the popular video games Fortnite and Roblox. And the racket all traces back to one rogue digital marketing company. The social media platform X, formerly Twitter, has been filing lawsuits and pursuing a strategic legal offensive to oppose researchers who study hate speech and online harassment using data from the social network.

On Thursday, an innovation agency within the US Department of Health and Human Services announced plans to fund research into digital defenses for health care infrastructure. The goal is to rapidly develop new tools that can protect US medical systems against ransomware attacks and other threats.

But wait, there’s more! Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A large phishing campaign that’s been active since May has been targeting an array of companies with malicious QR codes in attempts to steal Microsoft account credentials. Notably, researchers from the security firm Cofense observed the attacks against “a major Energy company based in the US.” The campaign also targeted organizations in other industries, including finance, insurance, manufacturing, and tech. Malicious QR codes were used in nearly a third of the emails reviewed by researchers. QR codes have disadvantages in phishing, since victims need to be compelled to scan them for the attack to progress. But they make it more difficult for victims to evaluate the trustworthiness of the URL they’re clicking on, and it’s more likely that emails containing a QR code will reach their target, because it’s more difficult for spam filters to assess QR…

Source…

The Week in Security: Researchers hack ‘unbreakable’ card-shuffling hardware, Discord.io shut after breach

/in


deckmate2-shuffling-hack

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security. This week: Researchers kick it Ocean’s Eleven style with an attack on card shuffling machines. Also: A software vulnerability could be behind a breach that shut down Discord’s invite system.

AWS Builder Community Hub

This Week’s Top Story

Hackers Rig Casino Card-Shuffling Machines for ‘Full Control’ Cheating 

History has shown us that there are few better ways of getting a piece of technology hacked than to declare it secure and “un-hackable.” The latest case in point: the Deckmate 2, an automated card shuffling machine used in casinos around the world. After an investigation into an alleged incident of cheating in a high stakes poker tournament prompted an official investigation that declared the Deckmate shuffling machine one that “is secure and cannot be compromised,” three IOActive researchers took up the implicit challenge. Spoiler alert: the Deckmate was, in fact, hackable. 

At a presentation at DEF CON, researchers Joseph Tartaro, Enrique Nissim and Ethan Shackelford of IOActive presented the results of a months-long investigation into the Deckmate. As reported by Wired, the three found attackers could employ a simple USB-enabled minicomputer to gain total control over the machine, potentially allowing a poker player to know exactly what cards the dealer and other players hold and, thus, become unstoppable at the table.

Tartaro and his fellow researchers were able to alter the shuffler’s code to hijack the machine, and tamper the shuffling process. They also were able to access an internal camera on the Deckmate, giving them the ability to know exactly which cards were being dealt and to whom. However, as of yet the IOActive researchers have not been able to engineer a technique that allows for them to choose the exact order of cards via this remote access. Light & Wonder, the makers of Deckmate, said in emails to the researchers that they are in the process of patching the issues discovered by the researchers. The company denies the compromises have been used against machines deployed on a casino floor. So if…

Source…

Security News This Week: The Cloud Company at the Center of a Global Hacking Spree

/in


Between a cascade of indictments against former US president Donald Trump, a tumultuous 2024 election season (in which Trump is a main character), and the rapid rise of generative artificial intelligence, 2024 is shaping up to be a complete nightmare.

At the center of it will be a rise in personalized disinformation. Not only will there be more BS to sift through thanks to tools like ChatGPT and Google’s Bard, but the disinformation will likely be more effective, and even tailored to target specific groups with frightening consequences. Of course, some of this could be fixed with new regulations. But the US Congress still hasn’t figured out how to tackle privacy, and regulating AI will only be more difficult.

In addition to disinformation, people keep figuring out new ways to break through the guardrails that generative AI tools have in place to stop malicious activities. The latest is something called an “adversarial attack,” which researchers at Carnegie Mellon University found can be carried out simply by attaching a string of nonsense-looking instructions to the end of certain prompts entered into tools like ChatGPT. While it’s possible to block specific attack strings, nobody yet knows how to fix this flaw entirely.

AI might be the new frontier for security researchers. But regular ol’ platforms are still a wealth of terrible vulnerabilities. The latest is the Points platform, which provides the underlying tech for dozens of major travel rewards programs. Researchers recently discovered flaws in the Points API that exposed people’s private information. And a bug in a Points administrator website could have allowed an attacker to give themselves unlimited airline miles and hotel points. But don’t get any big ideas, hackers—all the flaws have since been fixed.

The Points bugs aren’t the only ones patched recently. If you use Apple iOS, Google Android, or Microsoft products, check our list of the recent security updates you’ll want to install right now.

But that’s not all. Each week, we round up the security and privacy stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A single cloud firm has…

Source…

Week in review: MOVEit Transfer critical zero-day vulnerability, Kali Linux 2023.2 released

/in


Week in review

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

MOVEit Transfer zero-day attacks: The latest info
Progress Software has updated the security advisory and confirmed that the vulnerability (still without a CVE number) is a SQL injection vulnerability in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

Penetration tester develops AWS-based automated cracking rig
Building a custom cracking rig for research can be expensive, so penetration tester Max Ahartz built one on AWS. In this Help Net Security interview, he takes us through the process and unveils the details of his creation.

The strategic importance of digital trust for modern businesses
In this Help Net Security interview, Deepika Chauhan, CPO at DigiCert, talks about the importance of maintaining high trust assurance levels for businesses in today’s digital landscape.

Navigating cybersecurity in the age of remote work
In this Help Net Security interview, Jay Chaudhry, CEO at Zscaler, talks about connecting and securing remote employees and their devices to access organizational resources from any location.

Threat actors can exfiltrate data from Google Drive without leaving a trace
Google Workspace (formerly G Suite) has a weak spot that can prevent the discovery of data exfiltration from Google Drive by a malicious outsider or insider, Mitiga researchers say.

Zyxel firewalls under attack by Mirai-like botnet
CVE-2023-28771, the critical command injection vulnerability affecting many Zyxel firewalls, is being actively exploited by a Mirai-like botnet, and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Someone is roping Apache NiFi servers into a cryptomining botnet
If you’re running an Apache NiFi instance exposed on the internet and you have not secured access to it, the underlying host may already be covertly cryptomining on someone else’s behalf.

Kali Linux 2023.2 released: New tools, a pre-built Hyper-V image, a new audio stack, and more!
Offensive Security has released Kali Linux 2023.2, the latest version of its popular penetration testing…

Source…