this week in security — february 2 edition

Added by Zack Whittaker (this@weekinsecurity.com) from Zack Whittaker 9 days ago.

Status:
Open
Priority:
Normal
Assignee:
-
Category:
-
Start date: 02/02/2025
volume 8, issue 5
View this email in your browser (https://mailchi.mp/weekinsecurity/this-week-in-security-february-2-edition?e=9d10de3b61) | RSS (https://us18.campaign-archive.com/feed?u=e1ad6038c994abec17dafb116&id=a2457dc8ad)

~ ~

FBI seizes Cracked, Nulled hacking forums in Operation Talent (https://www.bleepingcomputer.com/news/security/fbi-seizes-crackedio-nulledto-hacking-forums-in-operation-talent/)
Bleeping Computer: The FBI* (*what's left (https://www.nbcnews.com/politics/justice-department/several-top-fbi-officials-are-told-resign-face-demotion-trump-continue-rcna190095) of the FBI) has seized the websites of two prolific hacking forums, Cracked and Nulled, which prosecutors said allowed more than 10 million users between them to trade in hacking tools and stolen personal data. The FBI began seizing the domains on Jan. 29, which we saw thanks (https://x.com/vxunderground/status/1884664035225879038) to public DNS changes. Two more sites were seized, too. The takedown operation, dubbed Operation Talent, saw two people arrested. A ton of countries were behind the takedown, including Australia, Germany, Greece and Spain. Bad news for any of the 10 million users: your data is now in the hands of the feds. Per the DOJ, Cracked had stolen data on some 17 million Americans (https://techcrunch.com/2025/01/30/us-justice-department-says-cybercrime-forum-allegedly-affected-17-million-americans/) .
More: Reuters ($) (https://www.reuters.com/technology/cybersecurity/international-law-enforcement-operation-targets-group-cybercrime-websites-2025-01-29/) | Cyberscoop (https://cyberscoop.com/fbi-seized-cracked-nulled-sellix-cybercriminal-forum/) | TechCrunch (https://techcrunch.com/2025/01/30/international-police-coalition-takes-down-two-prolific-cybercrime-and-hacking-forums/)

DeepSeek exposed database spilling chat histories (https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak)
Wiz: DeepSeek, the Chinese AI company, has become all the rage in recent weeks, allegedly outperforming some Western models. But one thing it wasn't doing so well was keeping its backend databases secured from the open internet. Wiz discovered one of its databases exposed without any authentication, containing more than a million lines of logs, including chat histories (what was entered into the prompts and what came back) and other sensitive information, like API keys. (These exposures are almost always due to human error.) DeepSeek secured the database after Wiz reached out, and later confirmed the fix in a note to the Wiz researcher, @galnagli (https://x.com/galnagli/status/1884845519601565714) . Wired ($) (https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts-and-internal-data/) had a very good write-up.
More: Reuters ($) (https://www.reuters.com/technology/artificial-intelligence/sensitive-deepseek-data-exposed-web-israeli-cyber-firm-says-2025-01-29/) | Cyberscoop (https://cyberscoop.com/deepseek-ai-security-issues-wiz-research/) | @vxunderground (https://x.com/vxunderground/status/1885042740477513866)
WhatsApp disrupts hacking campaign targeting journalists with Paragon spyware (https://techcrunch.com/2025/01/31/whatsapp-says-it-disrupted-a-hacking-campaign-targeting-journalists-with-spyware/)
TechCrunch: And here we are again. Meta's WhatsApp unit said it disrupted an attack that saw around 90 users, including journalists and members of civil society, have their phones hacked with zero-click spyware developed by Paragon, delivered by way of malicious PDFs. (Lockdown Mode (https://support.apple.com/guide/iphone/use-lockdown-mode-iph049680987/ios) ftw!) No need to update your devices this time, as WhatsApp fixed the bug on the server side. It's not clear which Paragon customer (read: government) ordered the spying, but at least one Italian journalist was notified (https://www.theguardian.com/technology/2025/jan/31/italian-journalist-whatsapp-israeli-spyware) of the hacking. Paragon is an Israeli spyware maker that just recently agreed to be acquired (https://techcrunch.com/2024/12/16/israeli-spyware-maker-paragon-bought-by-u-s-private-equity-giant/) by AE Industrial, a U.S. private equity giant, so that's going to complicate things... Paragon is classic spyware: it punches into your phone without you knowing. U.S. ICE signed a contract with Paragon's U.S. subsidiary last year (https://www.wired.com/story/ice-paragon-solutions-contract/) , which apparently comes with safeguards to prevent customers overseas from targeting U.S. citizens (but not the U.S. government...)
More: The Guardian (https://www.theguardian.com/technology/2025/jan/31/whatsapp-israel-spyware) | NBC News (https://www.nbcnews.com/tech/security/whatsapp-says-spyware-company-paragon-solutions-targeted-journalists-rcna190227) | The Record (https://therecord.media/whatsapp-paragon-spyware-targeting-users)
~ ~

  • THE STUFF YOU MIGHT'VE MISSED
    ------------------------------------------------------------
    All Apple devices get security updates after zero-day exploited (https://support.apple.com/en-us/122066)
    Apple: Every Apple device got updates this week — from iPhones to iPads, Macs, Apple Watches and TVs, and its Vision Pro headset — thanks to a zero-day bug under attack (https://techcrunch.com/2025/01/28/apple-fixes-zero-day-flaw-affecting-all-devices/) in CoreMedia, the media engine shared across Apple's platforms. This is Apple's first zero-day of the year. ([DEL: Phhrrbbt.... 🥳 :DEL] — no, not this time!) Apple didn't disclose details of the bug, though bugs of this kind have occasionally been linked to spyware compromises. Apple said the bug may have been exploited against versions of iOS older than iOS 17.2; devices on later versions were vulnerable but no exploitation against them has been reported. Update all of your devices!

Meet the 23-year-old who infiltrated a North Korean laptop farm (https://sashaingber.substack.com/p/the-23-year-old-who-infiltrated-a)
Sasha Ingber: Fascinating story of Aidan Raney (https://x.com/devaidandotcom) , a threat intelligence CEO who explains how he infiltrated a North Korean IT worker operation aimed at exploiting U.S. businesses. The piece goes behind the scenes and offers rare insight into how the operation works — gain employment, earn money, then steal and extort corporate data, the so-called "triple threat" (https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/) — all to fund the regime's nuclear weapons program.

SonicWall reports new zero-day under attack (https://techcrunch.com/2025/01/27/sonicwall-says-hackers-are-exploiting-a-new-zero-day-bug-to-breach-customer-networks/)
TechCrunch: It's update-your-tech o'clock again. This time it's SonicWall warning of a new pre-authentication bug in the Appliance Management Console and Central Management Console of its widely used SMA1000 line of secure remote access appliances. The bug, tracked as CVE-2025-23006 (https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002) , was flagged by Microsoft, but details of the exploitation remain slim. SonicWall is the latest in a long string of enterprise tech makers that've been hit by device hacks in recent years (https://techcrunch.com/2025/01/31/a-brief-history-of-mass-hacks/) thanks to their buggy products. It's a little ironic, since these devices are meant to keep intruders out, but because they sit at the network edge as digital gatekeepers, even a simple bug can undermine the product's security entirely and compromise the network it's protecting. As with any such appliance, the management consoles shouldn't be reachable from the open internet in the first place. Hundreds of companies are affected by this latest bug, per @nekono_naha (https://x.com/nekono_naha/status/1882646843970195510) .

Almost one-in-10 people use the same four-digit PIN (https://www.abc.net.au/news/2025-01-28/almost-one-in-ten-people-use-the-same-four-digit-pin/103946842)
ABC (Australia): Fascinating analysis built on Have I Been Pwned's database of "pwned passwords," passwords that have turned up in previous breaches and are therefore no longer unique (read: unsafe). Aussie news outlet ABC took 29 million four-digit PIN codes from the database and worked out which ones are reused most. Some are predictable (1234, 0000 and the like), some might surprise you, but the analysis is pretty smart and worth reading. And if you're using a more predictable code (there are only 10,000 possible ones, so any skew in what people pick is a gift to anyone guessing), this might make you rethink your choices. (via @troyhunt (https://bsky.app/profile/troyhunt.com/post/3lgqyx5yaos2h) )
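As an added example (not code from ABC, Have I Been Pwned or this newsletter), here is what the two halves of that analysis look like in practice: counting how skewed a sample of PINs is, flagging structurally predictable ones, and checking a PIN against Pwned Passwords the way a client should, through its k-anonymity range API, where only the first five hex characters of the SHA-1 are sent and the server's "SUFFIX:COUNT" lines are matched locally. The range-API format is the real HIBP protocol; the PIN sample and the response body below are constructed for this example, and the is_predictable heuristics are my own, not ABC's method.

```python
"""Four-digit PIN frequency analysis plus an offline Pwned Passwords range check.

The range-API format (GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
returning one '<35-hex-suffix>:<count>' per line) is the real HIBP protocol.
SAMPLE_PINS and CONSTRUCTED_RANGE_7110E are made up for this example.
"""
import hashlib
from collections import Counter

PIN_SPACE = 10_000  # every four-digit PIN: 0000..9999


def pin_frequencies(pins):
    """Return (pin, count) pairs sorted most common first, ignoring non-PINs."""
    counts = Counter(p for p in pins if len(p) == 4 and p.isdigit())
    return counts.most_common()


def coverage(pins, top_n):
    """Fraction of the sample an attacker covers by trying the top_n PINs."""
    ranked = pin_frequencies(pins)
    total = sum(c for _, c in ranked)
    return sum(c for _, c in ranked[:top_n]) / total if total else 0.0


def is_predictable(pin):
    """Cheap structural heuristics (assumption: my own, not ABC's): one
    repeated digit, an ascending or descending run, a repeated pair, or a
    plausible birth/anniversary year. Keypad patterns like 2580 slip through,
    which is exactly why frequency data beats rules of thumb."""
    digits = [int(c) for c in pin]
    same = len(set(digits)) == 1
    asc = all(b - a == 1 for a, b in zip(digits, digits[1:]))
    desc = all(a - b == 1 for a, b in zip(digits, digits[1:]))
    pairs = pin[:2] == pin[2:]
    year = 1940 <= int(pin) <= 2025
    return same or asc or desc or pairs or year


def split_sha1(pin):
    """k-anonymity split: the client sends only the 5-char prefix; the server
    returns every suffix sharing it, so it never learns the full hash."""
    h = hashlib.sha1(pin.encode()).hexdigest().upper()
    return h[:5], h[5:]


def lookup_count(range_body, suffix):
    """Parse a range-API body and return the breach count for one suffix."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        s, _, count = line.partition(":")
        if s.upper() == suffix:
            return int(count)
    return 0  # not present in the bucket: not seen in any breach


def pwned_count(pin, range_body):
    """How many times the PIN appeared in breaches, given the body fetched
    for its own prefix (a body for a different prefix always yields 0)."""
    _, suffix = split_sha1(pin)
    return lookup_count(range_body, suffix)


# Constructed sample with the kind of skew ABC reported; not real data.
SAMPLE_PINS = (["1234"] * 9 + ["1111"] * 4 + ["0000"] * 3
               + ["2580", "1984", "7391", "4826", "1992", "5083"])

# Constructed response for prefix 7110E (SHA-1("1234") starts with it);
# the suffixes and counts around the real one are invented.
CONSTRUCTED_RANGE_7110E = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
DA4D09E062AA5E4A390B0A572AC0D2C0220:1234567
FA9DBD7C6E1E7A6D0B0B8C3F4E2D1A0B9C8:1
"""

if __name__ == "__main__":
    for pin, n in pin_frequencies(SAMPLE_PINS)[:3]:
        print(f"{pin}: {n} uses, predictable={is_predictable(pin)}")
    print(f"top 3 PINs cover {coverage(SAMPLE_PINS, 3):.0%} of the sample")
    prefix, _ = split_sha1("1234")
    print(f"would fetch range/{prefix}; 1234 seen",
          pwned_count("1234", CONSTRUCTED_RANGE_7110E), "times")
```

To run this against the live service, fetch `https://api.pwnedpasswords.com/range/` followed by the prefix from split_sha1 and pass the response body to lookup_count; the full hash never leaves the client. Counting coverage of the top few PINs is the number that matters for a lockout policy: if a handful of codes cover a large share of users, a few guesses before lockout is still too many.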
ExtensionHound analyzes DNS queries from Chrome extensions (https://github.com/arsolutioner/ExtensionHound)
Amram Englander: Chrome extensions (and other browser plugins) have come under the spotlight of late, including "sync-jacking" attacks (https://www.bleepingcomputer.com/news/security/new-syncjacking-attack-hijacks-devices-using-chrome-extensions/) and plain-old hacking of developer accounts (https://arstechnica.com/security/2025/01/googles-chrome-web-store-has-a-serious-spam-problem-promoting-shady-extensions/) , but analyzing potentially problematic extensions for shady code or network connections can be tricky. ExtensionHound (https://github.com/arsolutioner/ExtensionHound) is a new open-source project that identifies the DNS queries made by browser extensions, so suspicious traffic can be traced back to the extension responsible. (via @campuscodi (https://bsky.app/profile/campuscodi.risky.biz/post/3lgtazwytnc2p) and @df1r633k (https://x.com/df1r633k/status/1883859991175512392) )
~ ~

Gemini AI, help me hack: Hackers linked to China, Iran and other not-so-friendly nations are using AI to beef up their cyberattacks against U.S. and global targets, per U.S. officials and new research from Google's threat intel (https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai) folks. Google's own Gemini was used to help write malicious code and hunt for vulnerabilities (flex much?). AI use by adversarial nations isn't new, but clearly it's becoming an increasing part of the hackers' research capabilities. (via Google (https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai) , WSJ ($) (https://www.wsj.com/tech/ai/chinese-and-iranian-hackers-are-using-u-s-ai-products-to-bolster-cyberattacks-ff3c5884) )

MGM hacks hit 37 million people... twice: What's worse than a massive hack of 37 million people? A hack of 37 million people, twice. That appears to have been the case after a 2019 hack saw millions of MGM customer records posted online (https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/) , followed by a 2023 ransomware attack (https://investors.mgmresorts.com/investors/news-releases/press-release-details/2023/MGM-RESORTS-UPDATE-ON-RECENT-CYBERSECURITY-ISSUE/default.aspx) that saw much of MGM's Las Vegas properties hit by extensive outages and disruption (https://www.404media.co/inside-mgms-hacked-casinos/) . Following the breaches, customers sued in a bunch of class action suits, now consolidated into one mega-class action. MGM has agreed to pay $45 million to settle the breaches, though 30% of the payout goes straight to the lawyers. (via The Record (https://therecord.media/mgm-agrees-45-million-payment-data-breach-ransomware-victims) , WSJ ($) (https://www.wsj.com/articles/mgm-agrees-to-pay-45-million-to-settle-data-breach-lawsuit-e076c842) )

AngelSense spilled customers' location data: AngelSense, a GPS tracking company for people with disabilities, left a logging database exposed to the internet without a password. It contained reams of sensitive and personal information from AngelSense's systems, including the real-time precise locations of the people being tracked. The data was accessible from a web browser and viewable in plaintext. (Disclosure alert: I wrote this story.) UpGuard found the database (https://www.upguard.com/breaches/angelsense-data-leak) and alerted the company, which took a week and a follow-up phone call to take the database offline. (via UpGuard (https://www.upguard.com/breaches/angelsense-data-leak) , TechCrunch (https://techcrunch.com/2025/01/30/angelsense-exposed-location-data-and-personal-information-of-tracked-users/) )
~ ~
THANK YOU FOR YOUR SUPPORT

this week in security is my free weekly cybersecurity newsletter supported entirely by donations from readers like you. As a working journalist (https://techcrunch.com/author/zack-whittaker/) , I don't run ads or accept sponsors for this newsletter. Donations help reduce the costs of sending this newsletter while keeping it free, weekly, and without tracking.

To support this newsletter, check out my Ko-fi (https://ko-fi.com/thisweekinsecurity) to drop a one-time donation, or sign up from $10/month to get cool swag (https://ko-fi.com/thisweekinsecurity/tiers) shipped worldwide.
~ ~

  • THE HAPPY CORNER
    ------------------------------------------------------------
    Welcome back to the happy corner, where everyone is welcome. Remember, it's not a controversial opinion to care about other people.

Cue a much-needed Inspirational Skeletor (https://mas.to/@skeletor/113895649391750718) , since it's all we have this week.
If you have good news you want to share, get in touch at: (mailto:?subject=Good%20news%20for%20your%20newsletter) .
~ ~

  • CYBER CATS & FRIENDS
    ------------------------------------------------------------
    Franklin is this week's cybercat, who... whispers... can be seen here ready to report this week's top cybersecurity news. Don't want to interrupt your recording, Franklin... oh — psst! — thanks to Ingrid S. for sending in!
    Franklin is a brown fluffy kitty sitting on their human's desk in front of a microphone.
    Keep sending in your cyber cats! (mailto:?Subject=Cyber%20Cat%20%28%26%20Friends%29%20submission&Body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%20%28or%20other%20non-feline%20friend%29%2C%20their%20name%2C%20and%20also%20your%20name%20and/or%20Twitter%20handle%20if%20you%20want%20credit.) (or a non-feline friend). Drop me an email at any time with their name and a photo, and they'll be featured in an upcoming newsletter!
    ~ ~
  • SUGGESTION BOX
    ------------------------------------------------------------
    That's it for this week's... messy news situation. As always, please do drop me an email (mailto:) if you want to get in touch with anything about or for the newsletter. It's really lovely hearing from you — and your cybercats (or friends).

Your cyber friend,
@zackwhittaker (http://mastodon.social/@zackwhittaker)

============================================================
You are receiving this email because you opted in.

this week in security doesn't track email opens or clicks.
($) indicates sites with paywalls or logins. Please support journalism!

