Security News

One problem with hacking on top-end specialised devices such as electric cars or fancy online bicycles, rather than on low-end devices such as light bulbs and webcams, is that budget and availability become an important issue. The researchers decided to take a real-world approach for two main reasons: they didn't have another bike handy, and they were keen to look for vulnerabilities that would work out of the box against stock products, rather than needing any "Pre-hacking" to be carried out on the device.

As ransomware attacks against critical infrastructure skyrocket, new research shows that threat actors behind such disruptions are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major targets. "Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains," researchers from Proofpoint said in a write-up shared with The Hacker News.

Apple late Monday shipped an out-of-band iOS update for older iPhones and iPads alongside a warning that a pair of WebKit security vulnerabilities may have been actively exploited. As is customary, Apple did not provide details on the zero-day attacks, which appear to be aimed at a range of older models of Apple flagship iPhone devices.

Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach. CodeCov, a little-known startup considered the vendor of choice for measuring code coverage in the tech industry, has shipped an entirely new Uploader using NodeJS to replace the Bash Uploader dev tool that was compromised in a recent software supply chain attack.

The Justice Department has recovered most of a multimillion-dollar ransom payment made to hackers after a cyberattack that caused the operator of the nation's largest fuel pipeline to halt its operations last month, officials said Monday. The operation to seize cryptocurrency paid to the Russia-based hacker group is the first of its kind to be undertaken by a specialized ransomware task force created by the Biden administration Justice Department.

If a sloppy internet service stores your password in plaintext and then gets breached, the crooks acquire your actual password directly, regardless of how complex it is. Keylogging malware on your computer can capture your passwords as you type, thus obtaining them "At source", no matter how long or weird they might be.

A top Russian-language underground forum has been running a "Contest" for the past month, calling on its community to submit "Unorthodox" ways to conduct cryptocurrency attacks. The forum's administrator, in an announcement made on April 20, 2021, invited members to submit papers that assess the possibility of targeting cryptocurrency-related technology, including the theft of private keys and wallets, in addition to covering unusual cryptocurrency mining software, smart contracts, and non-fungible tokens.

The White House says it believes U.S. government agencies largely fended off the latest cyberespionage onslaught blamed on Russian intelligence operatives, saying the spear-phishing campaign should not further damage relations with Moscow ahead of next month's planned presidential summit. The revelation of a new spy campaign so close to the June 16 summit between President Joe Biden and Russian counterpart Vladimir Putin adds to the urgency of White House efforts to confront the Kremlin over aggressive cyber activity that criminal indictments and diplomatic sanctions have done little to deter.

Cybersecurity researchers have disclosed two new attack techniques on certified PDF documents that could potentially enable an attacker to alter a document's visible content by displaying malicious content over the certified content without invalidating its signature. "The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels," said researchers from Ruhr-University Bochum, who have systematically analyzed the security of the PDF specification over the years.

Nobelium, the Russia-aligned gang identified as the perpetrators of the supply chain attack on SolarWinds' Orion software, has struck again, Microsoft vice president Tom Burt in a blogpost Thursday. Burt's post says the attacks saw Nobelium gain access to accounts on the email marketing service "Constant Contact" operated by The United States Agency for International Development.