Several vendors for consumer and enterprise PCs share a compromised crypto key that should never have been on the devices in the first place.

Source: Lim Yong Hian via Shutterstock

Attackers can bypass the Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors, because they all share a previously leaked cryptographic key used in the device startup process.

The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device's firmware and boot software.

Unfortunately, researchers from firmware security vendor Binarly discovered that the key had been publicly exposed in a data leak back in 2018. "This key was likely included in \[AMI's\] reference implementation with the expectation that it would be replaced with another safely generated key by downstream entities in the supply chain," Binarly said in a posting on the issue this week.

**The PKFail Secure Boot Issue**

What appears to have happened is that an original equipment manufacturer (OEM) used the AMI test key for firmware it produced for different Intel and ARM-based device makers. The result is there are potentially millions of consumer and enterprise devices around the world that are currently using the same compromised AMI PK during the secure bootup process, says Alex Matrosov, CEO and founder of Binarly. Affected vendors include Lenovo, HP, Asus and SuperMicro.

"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," says Matrosov, who has dubbed the issue as "PKFail." The issue makes it easier for attackers to, among other things, deploy Unified Extensible Firmware Interface (UEFI) bootkits like last year's BlackLotus, which offer persistent kernel access and privileges.

"The fix is easy: the compromised key needs to be replaced, and device vendors need to ship a firmware update," Matrosov says. Several have already done so, he notes. However, in many cases — as with data center servers, for instance, or for systems used in critical applications — the firmware updates could take some time to be deployed.

"Exploitation of this issue is trivial in the case that the device is impacted," he says, pointing to a proof-of-concept exploit (PoC) that Binarly developed for PKFail. Matrosov recommends that organizations disconnect devices with the leaked AMI PK from critical networks until they are able to deploy a firmware upgrade.

**A Master Key and a Really Big Deal**

The PKfail issue is a big deal because it makes it easy for hackers to bypass Secure Boot, which is like having a master key that unlocks many houses, said Rogier Fischer, CEO of Netherlands-based Hadrian in an emailed comment. "Since the same keys are used across different devices, one breach can affect many systems, making the problem widespread," he said.

PKFail is the only the latest manifestation of a problem that has been around for more than a decade, which is the tendency by OEMs and device-makers to use non-production and test cryptographic keys in production firmware and devices, Matrosov says. The AMI PK for instance was clearly meant to be treated as completely untrusted, and yet it ended up in devices from multiple vendors.

Binarly's report pointed to an incident in 2016 tracked as CVE-2016-5247, where security researchers discovered multiple Lenovo devices that shared the same AMI test PK. At the time, the National Vulnerability Database described the issue as allowing "local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key."

Ultimately, PKFail is a manifestation of poor cryptographic key management practices in the device supply chain, Binarly said in its report.

"This is a huge problem," Matrosov says. "If you think about an apartment complex where all the door locks have the same keys. If one key goes missing, it could create problems for everyone."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Devices Vulnerable to 'PKFail' Secure Boot Bypass Issue

Plus: The Heritage Foundation gets hacked over Project 2025, a car dealership software provider seems to have paid $25 million to a ransomware gang, and authorities disrupt a Russian bot farm.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

For the third time since 2010, spyware vendor mSpy has suffered a substantial data breach, this time exposing millions of customers and prospective users around the globe, many of whom appear to have used the software to snoop on others. The leaked trove, published by transparency group Distributed Denial of Secrets, contains potentially terabytes of data apparently stolen from mSpy’s customer support system, Zendesk. It reveals names, email addresses, customer support tickets and documentation, and more.

Unlike military-grade spyware, like NSO Group’s infamous Pegasus, mSpy is a consumer product that’s often marketed as a way for parents to keep tabs on their children’s phone usage. But its customer base isn’t necessarily limited to nosey parents. Among the data is evidence that US government entities at least inquired about using the software, including the Social Security Administration, Immigration and Customs Enforcement personnel, and a US federal judge. Given the amount of data exposed by the leak, expect more revelations to trickle out.

**“Gay Furry Hackers” Annoy the Heritage Foundation**

The Heritage Foundation—a right-wing think tank whose “Project 2025” plan for molding the US into what critics describe as an autocratic Christian nationalist state ruled by an Über President Donald Trump—suffered a minor cyberattack this week at the gloved hands of self-described “gay furry hackers.” The breach itself appears to have been fairly minor—2 gigabytes of data taken from a blog called the Daily Signal. Much of it was “useless,” according to “vio,” one of the hackers with the group SeigSec, which said it targeted the Heritage Foundation because “Project 2025 threatens the rights of abortion health care and LGBTQ+ communities in particular.” Still, the intrusion apparently irked Heritage columnist Mike Howell, whose alleged chat with “vio” was leaked and later shared by Howell. SeigSec, which previously targeted a US nuclear lab and NATO, now says it is disbanding.

**Car Dealership Software Firm Appears to Have Paid $25M to Ransomware Gang**

Victims of ransomware attacks only have two choices, and both of them are bad: Refuse to pay the attackers and try to claw your way back without access to your systems and data, or pay up and hope they give you the decryption keys—and don’t leak your data anyway. CDK Global, which provides software to US car dealerships, seems to have picked the latter option. According to researchers at crypto tracing firm TRM Labs, CDK sent 387 bitcoin, worth around $25 million, to an account believed to be controlled by the BlackSuite ransomware gang. CDK has not confirmed the payment, but if accurate it would be at least the second major payment to ransomware gangs this year. In March, Change Healthcare paid a $22 million ransom to help end the disruption to medical facilities across the US. The problem with paying—besides costing a literal fortune—is that it can encourage more ransomware attacks. In fact, following Change Healthcare’s payment, researchers at security firm Recorded Future saw the largest spike in ransomware attacks targeting the health care industry in the four years that it has tracked the criminal activity. The catch, of course, is that paying can work: CDK indicated last week that nearly all of the 15,000 dealerships it works with are back online.

**DOJ Disrupts “AI-Enhanced” RT Bot Farm**

The US Department of Justice announced on Tuesday that US, Canadian, and Dutch authorities seized two domains used to operate a “bot farm” allegedly created by RT, the Russian state media organization, and operated by Russia’s Federal Security Service (FSB). The DOJ says it identified 968 social media accounts linked to the bot farm that were used to amplify RT content online. The RT bot farm was created in 2022, according to the DOJ, and commandeered by an FSB agent in 2023. It is unclear what impact the bot farm had, and the DOJ says its investigation is ongoing.

Spyware Users Exposed in Major Data Breach

Apple has sent a warning to people targeted by mercenary spyware in 98 countries.

In April 2024, we reported how Apple was warning people of mercenary attacks via its threat notification system. At the time it warned users in 92 countries. In a new round, Apple is now warning users in 98 countries of potential mercenary spyware attacks.

The message sent to the affected users says:

> “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID.”

In the same message, Apple says that it is very likely that the person in question is being specifically targeted because of what they do or who they are. And, although there is a certain margin of error, the user should take this warning seriously.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

On the website that explains Apple threat notifications and protection against mercenary spyware, it specifically mentions Pegasus:

> “According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies developing mercenary spyware on their behalf, such as Pegasus from the NSO Group.”

Apple has sent out similar notifications multiple times a year since 2021 but doesn’t disclose how it determines who to send them to, since that might aid attackers in evading future detection.

Amnesty International urges those that have received such a notification to take it seriously. Amnesty’s Security Lab offers digital forensic support to potential victims like human rights defenders, activists, journalists and members of civil society.

If you are a member of civil society, and you have received an Apple notification, you can contact Amnesty International and request forensic support using the Get Help form.

Whether you’ve received that notification or not, every iPhone user should make sure they have the latest updates, protect the device with a passcode, use multi-factor authentication and a strong password for Apple ID, only install apps from the Apple Play store, use a mobile security product, and be careful what they open or tap on.

People that have reason to believe they might be individually targeted by mercenary spyware attacks, can enable Lockdown Mode on their Apple devices for additional protection.

Lockdown Mode does the following:

*   Blocks most message attachments
*   Blocks incoming FaceTime calls from people you have not called previously
*   Blocks some web technologies and browsing features
*   Excludes location from shared phots and removes Shared Albums
*   Blocks wired connections when the device is locked
*   Blocks auto-joining non-secure WiFi networks
*   Blocks incoming invitations from people you have not previously invited
*   Blocks installation of configuration profiles you may require for work or school

**How to turn on Lockdown Mode on iPhone or iPad**

1.  Open the **Settings** app.
2.  Tap **Privacy & Security**.
3.  Scroll down, tap **Lockdown Mode.**
4.  Tap **Turn On Lockdown Mode**.
5.  Read what it does and tap **Turn On Lockdown Mode** if that is what you want.
6.  Tap **Turn On & Restart**, then enter your device passcode.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 iPhone users in 98 countries warned about spyware by Apple 

ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication.
Tracked as CVE-2024-3080, the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0.
"Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device,"

Router Security / Vulnerability

ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication.

Tracked as CVE-2024-3080, the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0.

"Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device," according to a description of the flaw shared by the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC).

Also patched by the Taiwanese company is a high-severity buffer overflow flaw tracked as CVE-2024-3079 (CVSS score: 7.2) that could be weaponized by remote attackers with administrative privileges to execute arbitrary commands on the device.

In a hypothetical attack scenario, a bad actor could fashion CVE-2024-3080 and CVE-2024-3079 into an exploit chain in order to sidestep authentication and execute malicious code on susceptible devices.

Both the shortcomings impact the following products -

*   ZenWiFi XT8 version 3.0.0.4.388\_24609 and earlier (Fixed in 3.0.0.4.388\_24621)
*   ZenWiFi XT8 version V2 3.0.0.4.388\_24609 and earlier (Fixed in 3.0.0.4.388\_24621)
*   RT-AX88U version 3.0.0.4.388\_24198 and earlier (Fixed in 3.0.0.4.388\_24209)
*   RT-AX58U version 3.0.0.4.388\_23925 and earlier (Fixed in 3.0.0.4.388\_24762)
*   RT-AX57 version 3.0.0.4.386\_52294 and earlier (Fixed in 3.0.0.4.386\_52303)
*   RT-AC86U version 3.0.0.4.386\_51915 and earlier (Fixed in 3.0.0.4.386\_51925)
*   RT-AC68U version 3.0.0.4.386\_51668 and earlier (Fixed in 3.0.0.4.386\_51685)

Earlier this January, ASUS patched another critical vulnerability tracked as (CVE-2024-3912, CVSS score: 9.8) that could permit an unauthenticated remote attacker to upload arbitrary files and execute system commands on the device.

Users of affected routers are advised to update to the latest version to secure against potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

By Waqas
Be cautious! Hackers are selling fake Pegasus spyware source code, alerts CloudSEK. Learn how to protect yourself from…
This is a post from HackRead.com Read the original post: Hackers Sell Fake Pegasus Spyware on Clearnet and Dark Web

Be cautious! Hackers are selling fake Pegasus spyware source code, alerts CloudSEK. Learn how to protect yourself from this cyber deception.

Contextual AI platform CloudSEK’s latest research report reveals a concerning trend of widespread misuse of NSO Group’s Pegasus spyware name, leveraged by threat actors on the dark web for monetary gains, with almost all identified samples being fraudulent. 

This development aligns with Hackread’s recent report on Apple’s warning about “mercenary spyware” attacks on April 10, 2024. The tech giant revealed how such attacks affect iPhone users in 92 countries, highlighting that state actors or private companies could create mercenary spyware, like Pegasus.

Apple notification sent in April 2024

****What is Pegasus Spyware?****

Pegasus is a powerful and invasive spyware linked to serious attacks on journalists, activists, and even government officials. It can steal data, track locations, and even activate phone microphones for eavesdropping.

After Apple’s advisory, CloudSEK researchers started analyzing Dark and Deep Web sources for incidents involving the NSO Group names and Pegasus spyware. They analyzed 25k Telegram posts, over 150 potential Pegasus sellers, 15 samples, and 30+ indicators from HUMINT and underground platforms. 

Their analysis revealed that threat actors were offering fraudulent Pegasus source code, tools, and scripts for hundreds of thousands of dollars, with most posts often following a standard template where illicit services were offered as Pegasus and other NSO Tools to make money.

“Threat actors created their own tools and scripts, distributing them under Pegasus’ name to capitalize on its notoriety for financial gain,” report author Anuj Sharma explained.

For instance, Deanon ClubV7, a TG group, obtained legitimate access to Pegasus and offered permanent access for USD 1.5 million. Within two days, they sold four accesses, bringing in $6,000,000.

The most propagated samples were Pegasus HVNC (Hidden Virtual Network Computing), with six unique samples posted on the deep web between May 2022 and Jan 2024, offered for “hundreds of thousands of dollars.”

Two among several examples that researchers shared in their technical report

Researchers also noted that actors are spreading malware to compromise users’ devices, using Pegasus’ name to persuade them to download malicious programs. The misuse of surface web code-sharing platforms was also observed, where actors were spreading fake, randomly generated source code as Pegasus Spyware.

****Don’t be duped by the name****

The incident highlights how scammers can use Pegasus’ source code as a scheme to distribute custom-built malware. If you encounter a suspicious offer, don’t respond to emails, or messages, or click on the links provided. Report the incident to the platform where it occurred or a trusted cybersecurity organization.

1.  Fake Voicemails Target Users, 1000 Attacks in 14 Days
2.  OpenSSF Warns: Fake Maintainers Targeting JavaScript Projects
3.  Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam
4.  iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware
5.  Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

Hackers Sell Fake Pegasus Spyware on Clearnet and Dark Web

By Waqas
Millions of IoT and industrial devices at risk! Critical vulnerabilities in Cinterion cellular modems allow remote attackers to take control.
This is a post from HackRead.com Read the original post: Cinterion Modem Vulnerabilities Leave IoT and Industrial Networks Exposed

Kaspersky researchers have identified multiple security vulnerabilities in Cinterion cellular modems, which could potentially be exploited by threat actors to access sensitive information and execute arbitrary code.

These vulnerabilities pose significant risks to critical communication networks and IoT devices across various sectors, including industrial, healthcare, automotive, financial, and telecommunications.

The most severe vulnerability, CVE-2023-47610 (CVSS score: 8.1), is a heap overflow flaw that allows remote attackers to execute arbitrary code by sending a specially crafted SMS message. This access could be further exploited to manipulate RAM and flash memory, granting attackers more control over the modem without requiring authentication or physical access.

Other vulnerabilities discovered by Kaspersky stem from security lapses in handling MIDlets, Java-based applications running within the modems. These flaws could be abused to bypass digital signature checks and allow unauthorized code execution with elevated privileges.

Cinterion modems, initially developed by Gemalto, became part of Telit after its acquisition from Thales in a deal announced in July 2022. These findings were unveiled during OffensiveCon in Berlin on May 11, 2024. The full list of vulnerabilities disclosed by Kaspersky includes:

*   CVE-2023-47610 (CVSS score: 8.1)
*   CVE-2023-47611 (CVSS score: 7.8)
*   CVE-2023-47612 (CVSS score: 6.8)
*   CVE-2023-47613 (CVSS score: 4.4)
*   CVE-2023-47614 (CVSS score: 3.3)
*   CVE-2023-47615 (CVSS score: 3.3)
*   CVE-2023-47616 (CVSS score: 2.4)

Jason Soroko, Senior Vice President of Product at Sectigo, emphasized the importance of these findings, stating, _“_Cinterion integrated modems are used in the supply chain of many IoT devices to allow data access by cellular communication and the vulnerabilities that are being reported are mostly about flaws in memory management that could lead to unauthorized code execution, not just for attackers in the physical possession of the device._“_

_“_There is also a remote attack potential via a carefully crafted SMS message. These are the highest priority vulnerabilities that organizations and security teams need to be aware of,_“_ he warned.

As Cinterion modems are widely used in IoT devices across various industries, organizations and security teams must be aware of these vulnerabilities and take necessary measures to mitigate the risks associated with them.

Kaspersky’s findings show the importance of robust security practices and regular vulnerability assessments in ensuring the safety and integrity of critical communication networks and IoT devices.

1.  Vulnerability Exposed Ibis Budget Guest Room Codes to Hackers
2.  “LeakyCLI” Vulnerability Leaks AWS and Google Cloud Credentials
3.  LiteSpeed Cache Plugin Vulnerability Affects 1.8M WordPress Sites
4.  TheMoon Malware Returns: 6,000 Asus Routers Hacked in 72 Hours
5.  New GEOBOX Tool Hijacks Raspberry Pi, Lets Hackers Fake Location

Cinterion Modem Vulnerabilities Leave IoT and Industrial Networks Exposed

The iPhone maker has detected spyware attacks against people in more than 150 countries. Knowing if your device is infected can be tricky—but there are a few steps you can take to protect yourself.

All that needs to happen is, the victim receives an iMessage with an attachment containing a zero-click exploit. “Without any further interaction, the message triggers a vulnerability, leading to code execution for privilege escalation and providing full control over the infected device,” says Boris Larin, principal security researcher at Kaspersky's Global Research & Analysis Team.

Once the attacker establishes their presence on the device, he says, the message is automatically deleted.

**Rise of Pegasus**

The most prominent and well-known spyware is Pegasus, made by Israeli firm NSO Group to target vulnerabilities in iOS and Android software.

Spyware only exists because of vendors such as NSO Group, which claims it sells exploits to governments only to hunt criminals and terrorists. “Any customers, including governments in Europe and North America, agree not to disclose those vulnerabilities,” says Richard Werner, cybersecurity advisor at Trend Micro.

Despite NSO Group’s claims, spyware has continued to target journalists, dissidents, and protesters. Saudi journalist and dissident Jamal Khashoggi’s wife, Hanan Elatr, was allegedly targeted with Pegasus before his death. In 2021, _New York Times_ reporter Ben Hubbard learned his phone had been targeted twice with Pegasus.

Pegasus was silently implanted onto the iPhone of Claude Magnin, the wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco. Pegasus has also been used to target pro-democracy protesters in Thailand, Russian journalist Galina Timchenko, and UK government officials.

In 2021, Apple filed a lawsuit against NSO Group and its parent company to hold it accountable for “the surveillance and targeting of Apple users.”

The case is still ongoing, with NSO Group attempting to dismiss the lawsuit, but experts say the problem is not going to go away as long as spyware vendors are able to operate.

David Ruiz, senior privacy advocate at security firm Malwarebytes, blames “the obsessive and oppressive operators behind spyware, who compound its danger to society.”

**The Spyware Drain**

If you think you may be targeted by spyware, there are only a few useful things you can do. First, enable Apple's Lockdown Mode, which disables certain features but is surprisingly usable and can protect your iPhone from getting infected in the first place. Second, if you suspect your device is already infected, helplines are available to aid you in removing spyware, such as Access Now’s Digital Security Helpline and Amnesty International’s Security Lab.

Detecting spyware can be extremely challenging—and for sophisticated spyware like Pegasus, discovering an infection on your own is all but impossible. There are less-sophisticated types of spyware that can cause unusual behavior, such as your battery draining quickly, unexpected shutdowns, or high data usage could be indicative of some types of infections, says Javvad Malik, lead security awareness advocate at security training organization KnowBe4. While specific apps claim to spot spyware, their effectiveness can vary, and professional assistance is often necessary for reliable detection, he says.

Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit `runAsUser` attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified `mustRunAsNonRoot: true`, the kubelet will refuse to start the container as root. If the pod did not specify `mustRunAsNonRoot: true`, the kubelet will run the container as uid 0.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2019-11245

**Kubelet Incorrect Privilege Assignment**

Moderate severity GitHub Reviewed Published Apr 24, 2024 to the GitHub Advisory Database • Updated Apr 24, 2024

**Package**

gomod k8s.io/kubernetes/cmd/kubelet (Go)

**Affected versions**

\>= 1.14.0, < 1.14.3

\>= 1.13.0, < 1.13.7

**Patched versions**

1.14.3

1.13.7

**Description**

Published to the GitHub Advisory Database

Apr 24, 2024

Last updated

Apr 24, 2024

GHSA-r76g-g87f-vw8f: Kubelet Incorrect Privilege Assignment

The State Department can now deny entrance to the US for individuals accused of profiting from spyware-related human rights abuses, and their immediate family members.

Source: Robert Brown via Alamy Stock Photo

The US State Department is imposing visa restrictions on 13 people involved in the development and sale of commercial spyware, as well as their spouses and children. 

"These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and US government personnel," according to a press statement from the department issued yesterday. It's the first implementation on a spyware-related visa-restriction program announced in February.

Visa restrictions mean that the State Department can deny entrance to the United States for any of the people placed under the order. The move is the latest in a series of efforts by the government to combat the commercial spyware used by authoritarian governments, which it says constitutes a human rights abuse. NSO Group's infamous Pegasus mobile tracking tool, for instance, has been involved in a series of attacks on civil society by repressive regimes, the US has alleged.

Other efforts have included restrictions on the US government's own use of commercial spyware, export controls and sanctions, and private-public threat intelligence partnerships.

**About the Author(s)**

US Gov Slaps Visa Restrictions on Spyware Honchos

Plus: Apple warns iPhone users about spyware attacks, CISA issues an emergency directive about a Microsoft breach, and a ransomware hacker tangles with an unimpressed HR manager named Beth.

After months of delays, the US House of Representatives voted on Friday to extend a controversial warrantless wiretap program for two years. Known as Section 702, the program authorizes the US government to collect the communications of foreigners overseas. But this collection also includes reams of communications from US citizens, which are stored for years and can later be warrantlessly accessed by the FBI, which has heavily abused the program. An amendment that would require investigators to obtain such a warrant failed to pass.

A group of US lawmakers on Sunday unveiled a proposal that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data that companies can collect and give US residents greater control over the personal information that is collected about them. Passage of such legislation remains far off, however: Congress has attempted to pass a national privacy law for years and has thus far failed to do so.

Absent a US privacy law, you’ll need to take matters into your own hands. DuckDuckGo, the privacy-focused company famous for its search engine, now offers a new product called Privacy Pro that includes a VPN, a tool for having your data removed from people-search websites, and a service for restoring your identity if you fall victim to identity theft. There are also steps you can take to wrench back some of the data used to train generative AI systems. Not all systems out there offer the option to opt out of data collection, but we have a rundown of the ones that do and how to keep your data out of AI models.

Data collection isn’t the only risk associated with AI advancements. AI-generated scam calls are becoming more sophisticated, with cloned voices sounding eerily like the real thing. But there are precautions you can take to protect yourself from getting swindled by someone using AI to sound like a loved one.

Change Healthcare’s ongoing ransomware nightmare appears to have gotten worse. The company was originally targeted by a ransomware gang known as AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to grow between AlphV and affiliate hackers, who say AlphV took the money and ran without paying other groups that helped them carry out the attack. Now, another ransomware group, RansomHub, claims it has terabytes of Change Healthcare’s data and is attempting to extort the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the US.

That’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The streaming video service Roku warned customers Friday that 576,000 accounts had been compromised, a breach it discovered in the midst of its investigation of a far smaller-scale intrusion that it dealt with in March. Roku said that rather than actually penetrating Roku’s own network through a security vulnerability, the hackers had carried out a “credential-stuffing” attack in which they tried passwords for users that had leaked elsewhere, thus breaking into accounts where users had reused those passwords. The company noted that in less than 400 cases, hackers had actually exploited their access to make purchases with the hijacked accounts. But the company nonetheless reset users’ passwords and is implementing two-factor authentication on all user accounts.

**Apple Notifies Users of Mercenary Spyware Infections**

Apple sent notices via email to users in 92 countries around the world this week, warning them that they had been targeted by sophisticated “mercenary spyware” and that their devices may be compromised. The notice stressed that the company had “high confidence” in this warning and urged potential hacking victims to take it seriously. In a status page update, it suggested that anyone who receives the warning contact the Digital Security Helpline of the nonprofit Access Now and enable Lockdown Mode for future protection. Apple didn’t offer any information publicly about who the hacking victims are, where they’re located, or who the hackers behind the attacks might be, though in its blog post, it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking firm NSO Group. It wrote in its public support post that it’s warned users in a total of 150 countries about similar attacks since 2021.

**CISA Warns Federal Agencies to Look Out for Russian Hackers Stealing Emails**

April continues to be the cruelest month for Microsoft—or perhaps Microsoft’s customers. On the heels of a Cybersecurity Review Board report on Microsoft’s previous breach by Chinese state-sponsored hackers, the Cybersecurity and Infrastructure Security Agency (CISA) published a report this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard, or Cozy Bear, believed to work on behalf of Russia’s SVR foreign intelligence agency. “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said in the emergency directive. As recently as March, Microsoft said that it was still working to expel the hackers from its network.

**When a Ransomware Hacker Calls a Victim Company’s Front Desk**

As ransomware hackers seek new ways to bully their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company it had targeted to verbally threaten its staff. Thanks to one HR manager named Beth, that tactic ended up sounding about as threatening as a clip from an episode of _The Office_.

TechCrunch describes a recording of the conversation, which a ransomware group calling itself Dragonforce posted to its dark-web site in a misguided attempt to pressure the victim company to pay. (TechCrunch didn’t identify the victim.) The call starts like any tedious attempt to find the right person after calling a company’s publicly listed phone number, as the hacker waits to speak to someone in “management.”

Eventually, Beth picks up and a somewhat farcical conversation ensues as she asks that the hacker explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and for terrorism by criminals,” Beth responds “Oh, ok,” in an altogether unimpressed tone. She then asks if the data will be posted to “Dragonforce.com.” At another point, she notes to the increasingly frustrated hacker that recording their call is illegal in Ohio, and he responds, “Ma’am, I am a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with the hacker with a “Well, good luck,” to which the hacker responds, “Thank you, take care.”

Tag

#asus