Newsletters

A malicious backdoor has been found inside the user interface component of the Tornado Cash cryptocurrency mixing project.

The code has been exploited in the wild to hijack assets deposited in Tornado Cash installations.

The malicious code was added to the project by one of its developers.

Google has released this week version 122 of its Chrome browser, which comes with a new security feature meant to reduce the browser's attack surface.

The feature has no catchy name but can be found in the Chrome settings section and enabled with only a few clicks.

It allows Chrome users to disable performance features for V8, the engine inside Chrome that processes JavaScript and WebAssembly code.

Written with Catalin Cimpanu of Risky Business News

An unknown individual or entity has leaked files that suggest a Chinese cyber security company is developing malware and carrying out cyber espionage on behalf of the Chinese government.

The data allegedly belongs to i-SOON, a company based in Chengdu, that also does business as Sichuan Anxun (四川安洵信息技术有限公司).

Law enforcement agencies from 11 countries have disrupted the LockBit ransomware operation in the most thorough and coordinated takedown of a cybercrime portal that has been seen to date.

As part of what they codenamed Operation Cronos, officials seized LockBit server infrastructure, froze cryptocurrency wallets holding past ransoms, released decryption tools, arrested members, filed additional charges, and imposed international sanctions.

The operation began months ago and was led by the UK's National Crime Agency (NCA). The agency claims it infiltrated the gang's servers, mapped out infrastructure, collected encryption keys, and accessed the LockBit backend, where admins and affiliates collected stats about attacks and negotiated with victims.

ENEA, a Sweden-based telecom security firm, claims it reproduced a user fingerprinting technique advertised and sold by Israeli spyware vendor NSO Group.

Named MMS Fingerprinting, the technique can collect information on a target's smartphone and operating system just by sending an MMS message.

NSO Group claims no user interaction is needed besides knowing the target's phone number.

Microsoft has released this week an optional servicing update that rotates digital certificates used by the Secure Boot feature.

The update is likely to unclench some sphincters in the IT administration and cybersecurity community, as the certificates were set to expire in 2026.

Once the certificates expired, Windows systems where Secure Boot was enabled would have failed to boot. The issue would have also impacted some Linux systems that use Microsoft certificates for their bootloader, such as Ubuntu.

A new report turns a harsh spotlight onto the commercial surveillance industry that markets spyware reportedly used by bad actors to target human rights defenders, dissidents and other 'high risk' users.

Published by Google's Threat Analysis Group (TAG), the report and accompanying blog describes what it calls a "lucrative industry" that sells governments and "nefarious actors" the ability to exploit vulnerabilities in consumer devices.

The report states that while spyware vendors point to their tools' "legitimate use in law enforcement and counterterrorism," analysis from Google and researchers from the University of Toronto’s Citizen Lab and Amnesty International uncovers the use of spyware against "high risk users" such as journalists, human rights defenders, dissidents and opposition party politicians.

South Korean researchers have cracked the encryption scheme used by the Rhysida ransomware and have released a decrypter that can allow victims to recover files without paying the ransom.

The decrypter is available through the website of South Korea's cybersecurity agency (KISA) and is based on a white paper published by academics from Kookmin University and KISA members.

The decryption tool works only for Windows systems and exploits a weakness in the ransomware's cryptographically secure pseudo-random number generator (CSPRNG). This is an algorithm that takes data from a local PC to generate a random number that is then used to create an encryption key that Rhysida uses to encrypt a victim's files.

An international law enforcement operation has led to the capture of two individuals believed to have created and operated Warzone RAT, a Malware-as-a-Service operation that has been running since at least 2019.

Authorities have detained Daniel Meli, a 27-year-old from Malta, and Prince Onyeoziri Odinakachi, a 33-year-old from Nigeria.

Meli allegedly created and sold the Warzone RAT through its official website at warzone.ws. Odinakachi allegedly worked as a customer support, providing help to the malware's buyers.

Ransomware gangs made out like bandits last year, collecting an estimated $1.1 billion worth of cryptocurrency via ransomware payments, according to blockchain tracking company Chainalysis.

The number is at an all-time high for ransomware operations and is almost double 2022's figure when experts saw only $567 million going to ransom payments.

The 2022 dip can be attributed to Russia's invasion of Ukraine, which disrupted relations in the cybercriminal underground as gangs shuffled members or some operations were "redirected/hijacked" towards hacktivism or cyber espionage.