Security News > 2023 > January

GoTo is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data. "Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility," reads the notice to customers.

Just another obscure warrantless surveillance program. US law enforcement can access details of money transfers without a warrant through an obscure surveillance program the Arizona attorney general's office created in 2014.

The U.S. Federal Bureau of Investigation on Monday confirmed that North Korean threat actors were responsible for the theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022. The law enforcement agency attributed the hack to the Lazarus Group and APT38, the latter of which is a North Korean state-sponsored threat group that specializes in financial cyber operations.

Vulnerability analysis results in Orange Cyberdefenses' Security Navigator show that some vulnerabilities first discovered in 1999 are still found in networks today. The chart below suggests that even Critical Vulnerabilities are taking around 6 months on average to resolve, but that is encouragingly at least 36% faster than the time for low-severity issues.

Apple has released security updates for macOS, iOS, iPadOS and watchOS, patching - among other things - a type confusion flaw in the WebKit component that could be exploited for remote code execution on older iPhones and iPads running iOS v12. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the company said.

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. With macros becoming an obsolete method of payload distribution and initial infection, the attacks have latched on to other methods to sneak Emotet past malware detection tools.

A Chinese-speaking hacking group tracked as 'DragonSpark' was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. What makes the campaign stand out is the use of Golang source code iterpretation to execute code from Go scripts embedded in the malware binaries.

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. While it was originally addressed by the company on November 30, 2022, as part of iOS 16.1.2 update, the patch was expanded to a broader set of Apple devices with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2.

Meta Platforms on Monday announced that it has started to expand global testing of end-to-end encryption in Messenger chats by default. The social media behemoth said it intends to notify users in select individual chat threads as the security feature is enabled, while emphasizing that the process of choosing and upgrading the conversations to support E2EE is random.

In particular, NCA and several of its partners are hosting Data Privacy Week virtual events where you can listen to data security experts, learn about today's most pressing data privacy issues, and even share some of your own tips and advice. Keep in mind that Data Privacy Week and Data Privacy Day are both widely recognized events in the data and security spaces, so other technology and security leaders may be hosting similar events.