News
Hi folks!
A day early and a bit of a quick one, as I'm still very much focused on onboarding in the new job, and leaving for a trip with friends over the weekend :-)
Enjoy the end of the week, kick butt at whatever you do, and see you next week!
Lockbit ransomware gang leader identified as Dmitry Khoroshev and indicted for ransomware crimes
Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, ran the LockBit ransomware gang under the alias LockbitSupp, said authorities from the U.S., U.K. and Australia.
Microsoft warns of "Dirty Stream" attack impacting Android apps
Microsoft has highlighted a novel attack pattern dubbed "Dirty Stream": a malicious Android app acting as a content provider hands a target app a file whose name contains path-traversal sequences, and the target app, trusting that name when it writes the file, ends up overwriting files in its own home directory, potentially leading to arbitrary code execution and secrets theft.
Read Satya Nadella’s Microsoft memo on putting security first
Microsoft CEO Satya Nadella is now making it clear to every employee that security should be prioritized above all else. Quote: "If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security."
He outlines three core principles:
- Secure by Design: Security comes first when designing any product or service.
- Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
- Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.
They'll also base part of the compensation of the senior leadership team on progress towards those milestones, which is probably the best way to ensure improvement.
All in all it sounds fantastic. I truly hope that they'll follow through on this.
Novel 'Tunnelvision' attack against virtually all VPN apps neuters their entire purpose
This vulnerability (a rogue DHCP server pushing routes via option 121 that take precedence over the VPN's own routes, so traffic leaves the host outside the tunnel) made a few headlines this week, but it's worth reading this HN discussion on how it might not be all that novel, widespread or complicated. To the researchers' credit, whose post you can read here, they recognise this.
OpenSSF and OpenJS Foundations issue alert for social engineering takeovers of open source projects
It's becoming pretty clear now that the XZ Utils project isn't the only place where these takeover attempts are happening. Interesting HN discussion here.
Massive webshop fraud ring steals credit cards from 850,000 people
A massive network of 75,000 fake online shops called 'BogusBazaar' tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders.
GitHub introduces Artifact Attestations
Artifact Attestations provides a verifiable way to link software artifacts back to their source code and build instructions: the build job produces signed provenance for the artifact, and consumers can verify that provenance before trusting the artifact. Sounds like a great step forward in supply chain security.
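As an added illustration (not from the article, and not GitHub's own documentation), here is the shape of a workflow that builds an artifact and attests its provenance with the `actions/attest-build-provenance` action, followed by the `gh attestation verify` command a consumer runs. The artifact name `app.tar.gz`, the org `example-org` and the build step are assumptions for the example.

```yaml
# Added example workflow: build an artifact and attach a build-provenance attestation.
# Assumed names: artifact app.tar.gz, org example-org (not from the original page).
name: build-and-attest
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write        # needed to obtain the OIDC token that signs the attestation
  attestations: write    # needed to store the attestation on GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder build step; replace with the project's real build.
      - name: Build artifact
        run: tar -czf app.tar.gz src/

      # Generates SLSA-style provenance for the artifact and signs it via Sigstore,
      # binding the artifact digest to this repo, commit and workflow run.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: app.tar.gz

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: app.tar.gz

# Consumer side (shell, run wherever the artifact is downloaded):
#   gh attestation verify app.tar.gz --owner example-org
# The command fails if the digest of app.tar.gz has no matching attestation
# issued by a workflow in that owner's repositories, so a tampered or
# out-of-band build is rejected rather than silently trusted.
```

The useful property is that verification keys on the digest of the file actually downloaded, so an attestation cannot be transplanted onto a modified artifact; pin `--owner` (or `--repo`) to the producer you expect so attestations from unrelated repositories are not accepted.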
Breaches and leaks
- UK confirms Ministry of Defence payroll data exposed in data breach: link.
- Stolen children’s health records posted online in extortion bid: link.
- Nearly 184,000 MedStar Health patients' personal data possibly breached: link.
- DocGo discloses cyberattack after hackers steal patient health data: link.
- Ascension healthcare takes systems offline after cyberattack: link.
- Wichita government shuts down systems after ransomware incident: link.
- BetterHelp to pay $7.8 million to 800,000 in health data sharing settlement: link.
- University System of Georgia: 800K exposed in 2023 MOVEit attack: link.
- Boeing confirms attempted $200 million ransomware extortion attempt: link.
- Far-right websites hacked and defaced: link.
- Australian pubgoers' personal info posted to leak site: link.
- Zscaler takes "test environment" offline after rumors of a breach: link.
- Final Fantasy game servers hit by multiple DDoS attacks: link.
1Password for developers: secrets, SSH keys, and more
I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords, it also holds your SSH keys, signs your Git commits, injects tokens and other secrets into CLI scripts when you want, and much more. (Sponsored)