Twitter launches encrypted private messages
Although direct messages sent on Twitter will be end-to-end encrypted, ex-CEO Elon Musk warned that this is an early version, and people should “try it, but don’t trust it yet”. The feature can only be used by people who pay for Twitter Blue or are affiliated with a verified Twitter account. It is also text and links only – no media. Twitter said, “while messages themselves are encrypted, metadata (recipient, creation time, etc.) are not, and neither is any linked content,” continuing, “if a malicious insider, or Twitter itself as a result of a compulsory legal process – were to compromise an encrypted conversation, neither the sender or receiver would know.” Late yesterday, Musk tweeted that he had found a new chief executive for Twitter, but did not immediately provide a name, saying simply, “She will be starting in around six weeks!”
Microsoft releases fix for patched Outlook issue exploited by Russian hackers
On Tuesday, Microsoft released another fix for a vulnerability that had initially been patched in March but was later discovered to be flawed. Ukrainian cybersecurity officials at CERT-UA had reported the vulnerability to the Microsoft incident response team after Russia-based hackers took advantage of a vulnerability in Microsoft’s Outlook email service. Akamai researcher Ben Barnea discovered a way around the March patch that would allow an attacker to use the vulnerability to get Outlook clients to connect to an attacker-controlled server. “Barnea said the issue is a zero-click vulnerability, and all Windows versions are affected by it.”
North Korea-linked APT group breaches the Seoul National University Hospital
The security breach occurred between May and June 2021 and was designed to steal sensitive medical information and personal details, likely those belonging to “high-profile figures who got medical treatment at the hospital,” according to experts speculating on the event. South Korea’s National Police Agency states that nation-state actors gained access to the hospital’s intranet and stole the personal information of about 830,000 patients and workers, including 17,000 current and former hospital employees. The attack did not impact hospital operations. Based on TTPs observed by the National Police Agency, including IP addresses, the use of specific words in the North Korean vocabulary, and the anonymization techniques involved in the attacks, South Korean police have identified the attack as coming from a North Korean-linked group, with local media speculating it was the Kimsuky APT.
More than 45,000 affected by December cyberattack on Metropolitan Opera
Yesterday we brought you stories of ransomware hitting the arts communities in Canada and in popular music, and now it seems that the December cyberattack on the Metropolitan Opera in New York resulted in the leak of names, financial account information, tax identification numbers, Social Security numbers, payment card information and driver’s license numbers of 45,094 people. In December, the Met was unable to process new ticket orders, refunds or employee paychecks for two weeks. On March 1, the Snatch ransomware gang, known for attacks against the government of Modesto, California, a large school district in Wisconsin, and Swedish automaker Volvo, took credit for the attack.
Thanks to this week’s episode sponsor, Trend Micro

Microsoft signs nuclear fusion deal as part of sustainability push
According to Axios, “Microsoft has signed a power purchase agreement with nuclear fusion energy startup Helion for at least 50 megawatts of electricity beginning in 2028.” It plans to use the electricity to power its data centers, chief sustainability officer Melanie Nakagawa told Axios in an interview. Fusion has long been viewed as the holy grail of clean energy, and recent advances have led to a mini-boom of funding fusion startups.
(Axios)
WordPress Elementor plugin bug let attackers hijack accounts on 1M sites
One of the most popular Elementor plugins on WordPress, Essential Addons for Elementor, has been found vulnerable to an unauthenticated privilege escalation. According to Bleeping Computer, “Essential Addons for Elementor is a library of 90 extensions for the ‘Elementor’ page builder, used by over one million WordPress sites.” Patchstack discovered the flaw, tracked as CVE-2023-32243, on May 9. It is an unauthenticated privilege escalation vulnerability in the plugin’s password reset functionality, impacting versions 5.4.0 to 5.7.1. The Patchstack bulletin reads “[By exploiting the flaw] It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account.”
(Bleeping Computer and Patchstack)
Millions of mobile phones still come pre-infected with malware, say researchers
Trend Micro researchers at Black Hat Asia state that millions of Android phones worldwide get infected with malicious firmware before the devices have even been shipped from their manufacturers. This applies to low-priced Android mobile devices that have their manufacturing outsourced to an original equipment manufacturer, a process the researchers say makes them easily infiltrated. Although this is not a new process, Trend Micro characterized this threat as a growing problem for regular users and enterprises, though they add, “big brands like Samsung and Google take care of their supply chain security relatively well.”
Outdated IT systems threaten UK food security and air quality, say British MPs
Both food security and air quality in the UK are at risk due to outdated IT systems at the Department for Environment, Food and Rural Affairs (Defra), says a UK parliamentary committee. Examples include the use of paper forms by officials charged with tracking fast-moving animal disease, and with keeping food, air and water safe. Some of the systems, the report says, are so old that they have no protection from cyberattacks, and in some cases, users must search out old secondhand laptops to run the applications. The department was found to be struggling to recruit digital, data, and technology staff, leaving it over-reliant on external contractors.






