Security News > 2023 > February

"Pig butchering" is the colorful name given to online cons that trick the victim into giving money to the scammer, thinking it is an investment opportunity. It's a rapidly growing area of fraud, and getting more sophisticated.

This weekend, Cloudflare blocked what it describes as the largest volumetric distributed denial-of-service attack to date. "The majority of attacks peaked in the ballpark of 50-70 million requests per second with the largest exceeding 71 million rps," Cloudflare's Omer Yoachimik, Julien Desgats, and Alex Forster said.

Over 450 malicious PyPI Python packages were found installing malicious browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites. This discovery is a continuation of a campaign launched in November 2022, which started with only twenty-seven malicious PyPI packages and has greatly expanded over the past few months.

Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads, and Macs. The zero-day patched today is tracked as CVE-2023-23529 [1, 2] and is a WebKit confusion issue that could be exploited to trigger OS crashes and gain code execution on compromised devices.

Spain's National Police and the U.S. Secret Service have dismantled a Madrid-based international cybercrime ring comprised of nine members who stole over €5,000,000 from individuals and North American companies. The cybercrime gang specializes in online scams, employing social engineering, phishing, and smishing to collect sensitive victim details and then use that information to commit financial fraud.

Microsoft says Windows 10, version 20H2 for enterprise and education users will reach the end of service in three months, on May 9, 2023. After the EOS date is reached, Windows 10 20H2 devices running Enterprise and Education editions will no longer receive monthly quality or security updates containing bug fixes and patches to protect them from recently discovered security threats.

Domain registrar Namecheap blamed a "third-party provider" that sends its newsletters after customers complained of receiving phishing emails from Namecheap's system. More than one customer noted that the emails - which purported to be from DHL and crypto-asset wallet provider MetaMask - were digitally signed with DKIM and received at distinct email addresses they'd assigned solely for comms with Namecheap.

The Lazarus Group, as the threat actor is typically referred to, has laundered about $100 million in stolen Bitcoin since October 2022 through a single crypto-mixing service called Sinbad. Last year, the U.S. Treasury's Office of Foreign Assets Control announced sanctions against the cryptocurrency mixing services Blender and Tornado Cash, which Lazarus had used to launder close to $500 million in illicitly obtained cryptocurrency.

An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena video game that could have been exploited to establish backdoor access to players' systems. Following responsible disclosure to Valve, the game publisher shipped fixes on January 12, 2023, by upgrading the version of V8. Game modes are essentially custom capabilities that can either augment an existing title or offer completely new gameplay in a manner that deviates from the standard rules.

The U.S. Federal Trade Commission says Americans once again reported record losses of $1.3 billion to romance scams in 2022, with median losses of $4,400. "Last year's romance scam numbers looked a lot like 2021 all over again, and it's not a pretty picture. In 2022, nearly 70,000 people reported a romance scam, and reported losses hit a staggering $1.3 billion," the FTC said.