DOJ charges five Chinese citizens with global hacking campaign

The Justice Department has charged five Chinese citizens with cyberattacks against more than 100 companies in the U.S. and across the globe, officials said Wednesday. Although the five are not in custody, two Malaysian businessmen alleged to have conspired with the Chinese hackers have been arrested in Malaysia and are facing extradition to the U.S. The DOJ says that the China-based hacking group APT41 is behind the hacks, which targeted telecommunications providers, social media and video game companies, and universities.

(Associated Press)

Two Russians phished $17 million in cryptocurrency, DOJ says

U.S. authorities have charged two Russian nationals with a cryptocurrency phishing scam targeting online virtual currencies that netted them $16.8 million in 2017 and 2018. In addition to unsealing indictments against the two men for spoofing the websites of Binance, Gemini, and Poloniex, the Justice Department announced economic sanctions against them. 

(Krebs on Security)

Bluetooth flaw BLESA leaves billions of devices open to hackers

New research from Purdue University exposes a vulnerability in Bluetooth devices running on Android and other variations of Linux. The Bluetooth Low Energy Spoofing Attack, or BLESA, can give hackers unauthorized access to the device and allow them to send it spoofed data. Apple devices received a BLESA fix in March, and are not vulnerable as long as they are current with their security updates. Windows devices do not contain the vulnerability.

(Tom’s Guide)

Trump says nothing less than 100 percent for TikTok deal

Citing national security, President Donald Trump said that he would not approve a deal for U.S.-based Oracle to become a technology provider for mega-popular video-sharing network TikTok unless it was “100 percent.” He also wants TikTok owner ByteDance, which is based in China, to relinquish its control over the service in the U.S. 

(CNBC)

New ‘devastating’ HTTP request smuggling could expose organizations, and their users

A new form of hiding malicious HTTP requests and smuggling them into networks on the backs of legitimate ones could leave organizations of all sizes—and their users—vulnerable to malicious hackers. In my latest story, the security researcher who discovered h2c smuggling explains why network administrators need to be wary of this hack, and what it takes to stop it.

(Dark Reading)

Money launderers exploit Chinese e-commerce sites to funnel cash offshore

Some of China’s top online shopping destinations have been used by money launderers to send more than $2 billion to offshore gambling sites. People who want to gamble at these sites, which is illegal in China, place fake orders on the shopping sites. A corresponding sum is then credited to their gaming accounts. In one instance, 600 million fake packages had been inserted into courier tracking systems by company insiders to falsify transactions. 

(Financial Times)

Utah patent troll claims contact tracing, wants states to pay

Salt Lake City–based software vendor Blyncsy, which helps cities gather and analyze mobility data, owns three patents related to contact tracing. One of them is for using wireless technology to track the spread of “contagion.” And it says that states which use contact tracing apps developed by Apple and Google now owe it $1 per resident.

(Wired)

U.S. Customs doubles down on Apple AirPod false positives

False positives in cybersecurity can be vexing, but they happen in real life as well. Whoever shipped a crate of 2,000 OnePlus Buds from Hong Kong to JFK Airport won’t be getting them back quickly, as U.S. Customs and Border Protection officers are alleging that the OnePlus Buds are counterfeit copies of Apple AirPods, specifically their “configuration trademark.” For what it’s worth, Apple doesn’t appear to be pursuing action against OnePlus.

(The Verge)