UK bans TikTok from government mobile phones
Britain is to ban the Chinese-owned video-sharing app TikTok from ministers’ and civil servants’ mobile phones, bringing the UK in line with the US and the European Commission and reflecting deteriorating relations with Beijing. The decision marks a sharp U-turn from the UK’s previous position and came a few hours after TikTok said its owner, ByteDance, had been told by Washington to sell the app or face a possible ban in the country. The ban will cover ministers’ and civil servants’ work phones, but not their personal phones.
Microsoft pushes OOB security updates for Windows Snipping tool flaw
Following up on a story we brought you last week, Microsoft has released an emergency out-of-band security update for the Windows 10 and Windows 11 Snipping Tool to fix the Acropalypse privacy vulnerability. Now tracked as CVE-2023-28303, Acropalypse is caused by image editors not properly removing cropped image data when they overwrite the original file: both the Google Pixel’s Markup Tool and the Windows Snipping Tool were found to leave the cropped-out data behind in the saved file.
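As an added illustration (not code from the story, Microsoft or Google), the Python below checks a PNG for bytes left after its IEND chunk, the tell-tale sign of a file that was overwritten in place without truncation, and simulates that faulty save on a constructed image so the check has something to find.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample, one flat colour).
    zlib level 0 (stored blocks) keeps the file size proportional to pixel count."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw, 0)) + png_chunk(b"IEND", b""))


def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return the number of bytes that follow IEND.
    A clean PNG returns 0; a file overwritten in place without truncation
    returns the size of the stale tail. Raises ValueError on a malformed file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + payload + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")


def overwrite_without_truncate(original: bytes, cropped: bytes) -> bytes:
    """Simulate the faulty save: the smaller cropped PNG is written over the
    start of the original file, which is never truncated, so the remainder of
    the original image data survives after the new IEND."""
    if len(cropped) >= len(original):
        return cropped
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    full, crop = make_png(64, 64), make_png(8, 8)
    leaky = overwrite_without_truncate(full, crop)
    print("clean file trailing bytes:", trailing_bytes_after_iend(crop))
    print("leaky file trailing bytes:", trailing_bytes_after_iend(leaky))
```

Run it over a directory of screenshots to flag files worth re-saving from a fresh copy; any non-zero result means the saved file still carries data that the viewer never shows.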
Vice Society claims attack on Puerto Rico Aqueduct and Sewer Authority
The Puerto Rico Aqueduct and Sewer Authority (PRASA) is investigating a cyberattack that hit the agency two weeks ago. The attack was disclosed on March 19, and the announcement stated that threat actors had access to customer and employee information. The agency said that operations at the critical infrastructure it manages in Puerto Rico were not impacted. At this time, the agency has yet to reveal the name of the group behind the attack, but the Vice Society ransomware gang has added the authority to the list of victims on its Tor leak site.
Intel co-founder, philanthropist Gordon Moore dies at 94
Gordon Moore, the co-founder of Intel, died Friday at his home in Hawaii. Moore, who held a Ph.D. in chemistry and physics, made his famous observation — now known as “Moore’s Law” — three years before he helped start Intel in 1968. The prediction, which was originally applied to the doubling of transistors on a semiconductor, has since been applied to hard drives, computer monitors and other electronic devices and symbolizes the benefits and effects of exponential scale on technology. The law states that the number of transistors on a microchip roughly doubles every two years while its cost is halved over that same time period.
Thanks to this week’s episode sponsor, Trend Micro
Inaudible ultrasound attack can stealthily control your phone, smart speaker
American university researchers have developed a novel attack called “Near-Ultrasound Inaudible Trojan” (NUIT) that can launch silent attacks against devices powered by voice assistants, such as smartphones, smart speakers, and other IoT devices. Professor Guenevere Chen of the University of Texas in San Antonio (UTSA), her doctoral student Qi Xia, and professor Shouhuai Xu of the University of Colorado (UCCS) demonstrated NUIT attacks against modern voice assistants found inside millions of devices, including Apple’s Siri, Google’s Assistant, Microsoft’s Cortana, and Amazon’s Alexa, showing the ability to send malicious commands to those devices. The main principle that makes NUIT effective and dangerous is that microphones in smart devices respond to near-ultrasound waves that the human ear cannot hear, so the attack can be carried out with minimal risk of exposure while still using conventional speaker technology.
Panera Bread will use palm-scanning technology for its loyalty program
Panera Bread is rolling out palm scanners that will link customers’ handprints to their loyalty accounts — a move the company paints as convenient but that privacy advocates have decried. The biometric-gathering technology, developed by Amazon, will hit stores in the next few months, Panera said on Wednesday. The gadgets will help suggest menu items based on customers’ order histories and allow employees to greet customers by their names and share customers’ available rewards, the company said. Panera Bread CEO Niren Chaudhary described the move as a “frictionless, personalized, and convenient” evolution of Panera’s loyalty program, which boasts 52 million members. However, digital rights activists worry that information could be tapped by federal agencies or accessed by hackers.
UK National Crime Agency reveals it ran fake DDoS-for-hire sites to collect users’ data
Britain’s National Crime Agency (NCA) revealed on Friday that it had set up a number of fake DDoS-for-hire sites to infiltrate the online criminal underground. It said that users who registered for the sites were not given access to cybercrime tools but instead had their data collated by investigators. The operation is aimed at low-level criminals who tend to use booters, and provides police with a mechanism to intervene in the case of potential offenders when they are engaged in what the NCA described as “an attractive entry-level crime.”
Last week in ransomware
Last week’s news was dominated by the Clop ransomware gang extorting companies whose GoAnywhere services were breached using a zero-day vulnerability. BleepingComputer has confirmed this week that Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, and the UK Pension Protection Fund were affected by the vulnerability. The City of Oakland is now being extorted on the LockBit data leak site, even though a few weeks ago it was claimed as the victim of a Play ransomware attack. It is unclear whether LockBit is helping Play extort the City. We also saw MKS Instruments and Lehigh Valley Health hit with lawsuits stemming from ransomware activity.
(Bleeping Computer and CISOSeries)