UK bans TikTok from government mobile phones
Britain is moving to ban TikTok, the Chinese-owned video-sharing app, from the phones of ministers and civil servants. This mirrors similar actions taken in the US and by the European Commission, and further reflects deteriorating relations with Beijing. The decision marks a change from the UK’s previous position and came shortly after TikTok’s owner, ByteDance, had been told by Washington to “sell the app or face a possible ban in the country.” The ban will only affect work phones, not personal ones.
Out of Band security updates for Windows Snipping tool flaw
Following up on a story we brought you last week, Microsoft has released an emergency security update for the Windows 10 and Windows 11 Snipping Tool to address a vulnerability named Acropalypse. Tracked as CVE-2023-28303, the Acropalypse vulnerability is caused by “image editors not properly removing cropped image data when overwriting the original file.” The bug causes the Google Pixel’s Markup Tool and the Windows Snipping Tool to leave the cropped-away image data inside the saved file.
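Acropalypse comes down to a file-handling mistake: the cropped, smaller image is written over the original file without the file being shortened, so the tail of the original stays on disk. The example below is added here and is not Microsoft’s or Google’s code; it uses a constructed minimal PNG and assumes that the simplest form of that mistake (opening the existing file for writing without truncating it) stands in for whichever save path the real tools used. It shows the leftover bytes a checker can detect after the PNG’s IEND chunk, and the corrected write that leaves none.

```python
import os
import tempfile
import zlib
from pathlib import Path
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    # PNG chunk layout: 4-byte big-endian length, 4-byte type, payload, CRC32 over type + payload.
    crc = zlib.crc32(ctype + data).to_bytes(4, "big")
    return len(data).to_bytes(4, "big") + ctype + data + crc


def make_png(width: int, height: int, shade: int = 0x7F) -> bytes:
    # Constructed sample: a minimal valid 8-bit greyscale PNG of one flat shade.
    # zlib level 0 (stored, no compression) keeps file size proportional to the pixel
    # count, so a larger image really is a larger file, as with a real screenshot.
    ihdr = width.to_bytes(4, "big") + height.to_bytes(4, "big") + bytes([8, 0, 0, 0, 0])
    scanlines = b"".join(b"\x00" + bytes([shade]) * width for _ in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines, 0))
            + _chunk(b"IEND", b""))


def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.

    A correctly written PNG ends at IEND, so anything after it is leftover
    content that a viewer ignores but that still sits on disk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4          # skip header, payload and CRC
        if ctype == b"IEND":
            return max(0, len(data) - end)
        pos = end
    raise ValueError("no IEND chunk found (truncated or malformed PNG)")


def overwrite_without_truncate(path: str, new_data: bytes) -> None:
    # The failure mode the news item describes, in its simplest form (an assumption about
    # the mechanism, not a claim about either vendor's code): "r+b" opens the existing file
    # for writing at offset 0 but does not shrink it, so every byte of the old, larger file
    # beyond len(new_data) survives.
    with open(path, "r+b") as f:
        f.write(new_data)


def overwrite_with_truncate(path: str, new_data: bytes) -> None:
    # Corrected pattern: "wb" truncates the file before the new content is written.
    with open(path, "wb") as f:
        f.write(new_data)


def demo() -> Tuple[int, int]:
    """Return (leftover bytes after the buggy save, leftover bytes after the fixed save)."""
    original = make_png(64, 64)   # the full screenshot
    cropped = make_png(16, 16)    # the smaller image the user meant to keep
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "screenshot.png")
        Path(path).write_bytes(original)

        overwrite_without_truncate(path, cropped)
        leaked = trailing_bytes_after_iend(Path(path).read_bytes())

        overwrite_with_truncate(path, cropped)
        clean = trailing_bytes_after_iend(Path(path).read_bytes())
    return leaked, clean


if __name__ == "__main__":
    leaked, clean = demo()
    print(f"bytes of old image left after buggy save: {leaked}")
    print(f"bytes of old image left after fixed save: {clean}")
```

The check in `trailing_bytes_after_iend` is the useful defensive piece: run over a folder of screenshots, any non-zero result flags a file whose visible image is smaller than what is actually stored.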
Vice Society claims attack on Puerto Rico Aqueduct and Sewer Authority
A cyberattack hit the Puerto Rico Aqueduct and Sewer Authority (PRASA) two weeks ago and was disclosed on March 19. Investigations suggest that threat actors gained access to customer and employee information, although operations were not impacted. At this time, the agency has yet to reveal the name of the group behind the attack, but according to Security Affairs, “the Vice Society ransomware gang added the authority to the list of victims on its Tor leak site.”
Intel co-founder, philanthropist Gordon Moore dies at 94
Gordon Moore, the co-founder of Intel, died Friday at his home in Hawaii. Moore, who held a Ph.D. in chemistry and physics, made his famous observation, now known as “Moore’s Law”, three years before he co-founded Intel in 1968. The prediction, originally applied to the doubling of transistors on a semiconductor, has since been applied to hard drives, computer monitors and other electronic devices and symbolizes the benefits and effects of exponential scale on technology. The law states that the number of transistors on a microchip roughly doubles every two years while its cost is halved over that same time period.
Thanks to this week’s episode sponsor, Trend Micro

Inaudible ultrasound attack can control your phone, smart speaker
“Near-Ultrasound Inaudible Trojan” (NUIT) is the name of a novel attack method revealed by Professor Guenevere Chen of the University of Texas at San Antonio (UTSA), her doctoral student Qi Xia, and Professor Shouhuai Xu of the University of Colorado Colorado Springs (UCCS), that can launch “silent attacks against devices powered by voice assistants, like smartphones, smart speakers, and other IoTs.” This poses a threat to millions of devices running assistants such as Apple’s Siri, Google’s Assistant, Microsoft’s Cortana, and Amazon’s Alexa, since the technique can send malicious commands to those devices. As posted in Bleeping Computer, “the main principle that makes NUIT effective and dangerous is that microphones in smart devices can respond to near-ultrasound waves that the human ear cannot, thus performing the attack with minimal risk of exposure while still using conventional speaker technology.”
Panera Bread will use palm-scanning technology for its loyalty program
The fast-food chain Panera Bread is deploying palm scanners that will link customers’ handprints to their loyalty accounts. This is being promoted as a convenience for customers, but privacy advocates are not so sure. It uses biometric-gathering technology developed by Amazon, and Panera says the scanners will appear in stores over the next few months. The technology will “suggest menu items based on customers’ order histories and allow employees to greet customers by their names and share customers’ available rewards,” the company said. Panera Bread CEO Niren Chaudhary described the move as a “frictionless, personalized, and convenient” evolution of the company’s loyalty program, which boasts 52 million members. However, digital rights activists worry that the information could be tapped by federal agencies or accessed by hackers.
(CBS News)
UK National Crime Agency reveals it ran fake DDoS-for-hire sites
In an effort to infiltrate the online criminal underground, Britain’s National Crime Agency on Friday announced that it set up a number of fake DDoS-for-hire sites. A spokesperson for the agency said that “users who registered for the sites were not given access to cybercrime tools but instead had their data collated by investigators.” The operation was aimed at “low level criminals” who tend to use tools like booters, and it offers police a technique for intervening in the cases of potential offenders when they are engaged in what the NCA described as “an attractive entry-level crime.”
Last week in ransomware
Last week’s news was mostly about the Clop ransomware gang, which has been extorting companies whose GoAnywhere services were breached using a zero-day vulnerability. Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, and the UK Pension Protection Fund are among the organizations linked to the vulnerability. The City of Oakland is being extorted on the LockBit data leak site, although a few weeks ago it was identified as having been the victim of a Play ransomware attack. We also saw MKS Instruments and Lehigh Valley Health hit with lawsuits stemming from ransomware activity.
(Bleeping Computer and CISOSeries)