Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams.
The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois – have been charged with conspiracy to commit money laundering,

Cryptocurrency / Online Scam

Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams.

The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois – have been charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering.

The U.S. Department of Justice (DoJ), which announced the arrests of both Zhang and Walker in connection with the fraudulent operation, said the quartet opened shell companies and bank accounts to carry out pig butchering scams, transferring the ill-gotten funds to domestic and international financial entities.

If convicted, Zhang and Walker face a maximum penalty of 20 years in prison. Their alleged co-conspirators remain at large.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

"The overall fraud scheme in the related pig-butchering syndicate involved at least 284 transactions and resulted in more than $80 million in victim losses," the DoJ said. "More than $20 million in victim funds were directly deposited into bank accounts associated with the defendants."

The enforcement action comes as a Nigerian national named Eze Harrison Arinze was sentenced to three years in prison for his role in conducting pig butchering scams and defrauding 34 victims in 13 countries, leading to $592,000 in losses.

Late last month, the U.S. DoJ also announced the seizure of nearly $9 million worth of Tether that were traced to cryptocurrency addresses allegedly associated with a Southeast Asia based organization that exploited over 70 victims through pig butchering scams.

Pig butchering falls under the category of so-called romance-investment scams, wherein people are targeted via dating apps under fictitious identities to gain their trust and dupe them into investing their money in seemingly legitimate and profitable ventures, typically promising high investment returns within a short span of time.

"After persuading the victim to invest, the scammers collect the funds, often using digital payment platforms or cryptocurrencies to make tracking more difficult," Trend Micro said in a report detailing the scam.

"Once they have received a substantial sum from their victims, or once the victims try to withdraw funds from the account, the scammers will suddenly become unreachable, or the brokerage platform will have trouble transferring funds. Scammers could also delete their online presence or create new identities, making it difficult for victims to recover their lost funds."

One of the emerging trends in the space involves the use of group chats, indicating that the cyber criminals are adapting and refining their strategies to make them more effective.

In these cases, prospective victims are added to a fake investment chat group under their control. Should the target express interest in investing in cryptocurrencies, the conversation is moved to a one-to-one chat, where they are introduced to a bogus brokerage platform and persuaded to transfer their funds to the service.

According to the Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) report, cryptocurrency investment scams have led to unprecedented losses totaling $2.57 billion in 2022, registering a 183% increase from 2021.

"A significant portion of these phone numbers can be traced back to leaked databases containing personal information," the cybersecurity firm said. "More than half of the numbers added to the fake group chats have been found in such databases, indicating that scammers could be using leaked information to find their next victims."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Four U.S. Nationals Charged in $80 Million Pig Butchering Crypto Scam

On Telegram, scammers are impersonating doctors to sell fake Covid-19 vaccination certificates and other products, showing how criminals are taking advantage of conspiracy theories.

Kristina Collins didn’t know her photo was being used on Telegram. Over the past few months, an Instagram picture of Collins, a Texas-based doctor and dermatologist, has been used by scammers on the chat app to try to persuade people to buy false proof that they have been vaccinated against Covid-19 and other diseases.

“The last thing you want as a physician is for your identity to be used to promote misinformation,” Collins tells WIRED, adding that many doctors use social media specifically to make sure people have access to accurate health information. “When people are able to take that likeness and use it for bad purposes, whether it’s fraud, whether it’s misinformation, I think it’s really scary.”

The Telegram channel impersonating Collins wasn’t alone. Researchers at Logically, a UK-based disinformation detection company, have uncovered a network of around 60 Telegram channels selling Covid-19 vaccination certificates and other proof of vaccination documents, and claiming to sell various medicines. In 25 of the channels, administrators used a “Dr.” prefix in their username, with 13 of the channels using the real-world names and/or photographs of legitimate medical professionals.

The network has been operating since at least June 2022, with more than a thousand accounts on X posting links that push people toward the Telegram channels selling “vaccine passes,” according to Chris Proops and Maisie Draper, Logically researchers who investigated the activity. Overall, they say, the social media operation has reached more than 3 million people with over 62,000 posts, and cryptocurrency accounts linked to the efforts have processed $286,000.

The scam is the latest in a long line of Covid-19 and health-related misinformation and disinformation, which has broadly attempted to capitalize on conspiracy theories and some people’s concerns about vaccinations. It highlights how scammers can abuse social media platforms, particularly those with loose stances on moderation, and potentially erode trust in medical systems.

“They're directing people, anti-vaxxers primarily, on X to then move to Telegram and subscribe to the around 50 Telegram channels that they have,” Draper says. The researchers identified around 20 “campaigns” on the Elon Musk–owned social media platform that were pushing people toward Telegram channels. The first was in June 2022 and the most recent at the start of December.

Draper and Proops say the efforts used repeated messaging, often replying to “verified” accounts on X that are linked to anti-vaccination sentiments, and consistently mentioned conspiracy theories such as the “great reset.”

“A lot of it is playing on anti-vaxxers’ vulnerabilities to being paranoid about things like the next pandemic, or other kinds of vaccines, like the measles vaccine,” Draper says.

The Telegram channels, where administrators impersonate doctors, also follow similar patterns to one another. Many of the channels have names related to Covid-19 vaccinations, and they claim to sell pandemic-related travel passes, allowing people to enter the UK, US, Canada, and other countries. They can sell the passes for around $250 to $500 each, with payments often being requested in bitcoin. Photos of the documents they claim to sell look similar to the official versions of the documents.

However, the vast majority of countries no longer require proof of vaccination to enter them and haven’t done so for long periods of time—for instance, the UK removed travel restrictions in 2022. “Over time, we started seeing a trend change where it wasn't just Covid passes,” Proops says. The Telegram channels have offered tuberculosis test results, meningitis vaccine results, and documentation around hepatitis A and B, tetanus, polio, and more, he says.

The researchers say they believe doctors are being impersonated to give the scammers a veneer of legitimacy. The Logically researchers contacted several doctors who were not aware their identities were being used. One doctor, they say, had not heard of Telegram. Collins says she was not aware of her image being used in this way until she was contacted by Logically and WIRED. She added that her image had also been used on a scam Instagram account.

Since the researchers started monitoring the X accounts and Telegram channels last year, many of the accounts and channels have been removed by the social media companies; however, around half of the Telegram channels are still active. Neither Telegram nor X responded to WIRED’s request for comment on the accounts or whether Telegram was aware of the impersonation of doctors taking place.

A WIRED review of the Telegram channels still active shows regular posts from administrators and other members. Some of the channels have only a few hundred members; others have a few thousand. The administrators of some channels have been inactive for several months. Within the channels is a slurry of well-worn and debunked conspiracy theories.

One still-active channel claims itself as a “coalition of doctors” who can get people “genuinely registered documentation” for those traveling to the US, Canada, UK, Australia, and 15 EU countries. The owner of the channel uses the name of a legitimate US-based plastic surgeon who has around 50,000 followers on social media, and a photograph of another doctor. Draper says that within the communities, people “are sharing photographs of side effects of the vaccine and fearmongering about the future impacts of lockdowns.”

The channels also claim to sell the drug ivermectin, which the US Food and Drug Administration said should not be used to treat or prevent Covid-19 in 2021. One of the channels lists half a dozen different kinds of medicines it claims to be able to provide. One claims it is selling weight loss drug Ozempic, while another tells people to not get a flu shot.

“The landscape of misinformation actors is abundant,” says Aliaksandr Herasimenka, a researcher of political communication at the Oxford Internet Institute who has studied misinformation on Telegram and vaccine and health misinformation. Herasimenka, who was not involved in the Logically research, says he has not seen doctors being impersonated on Telegram regularly, but that those behind misinformation and disinformation can use a variety of tactics. He says misinformation efforts can often be run for political or social goals, while those using it to make money can be often overlooked. “There are so many people who try to make money using misinformation, they would use any opportunity to profit,” Herasimenka says.

There is no evidence indicating that the Telegram channels offer legitimate goods, and it isn’t possible to verify whether anyone purchasing items from them receives anything. Some channels have posts from “customers” who claim to have purchased items from the Telegram groups. One account, which claims it ordered a vaccine certificate and drugs to the US, shared a photo of the back of an envelope claiming they received their order. Other posts use generic photos of drugs or vaccine certificates to claim items were delivered.

The Logically researchers say the likelihood that the false documents have been sent to people is “relatively low,” and their main motivation is likely financial. Proops says that while the documents the groups claim to be selling are not of much use now, the networks could be used in different ways in the future. The continued use of the channels and spreading of anti-vaccination messages could also undermine trust in health systems around the world, Proops says.

Collins, the doctor who had her image stolen, says she is concerned that it will become easier for scammers or people looking to undermine health care professionals to do so as image generation with artificial intelligence becomes more available. “As AI gets even better, they can go beyond just taking your picture off of a website, and actually potentially make a video of you talking,” Collins says. This will make it “really hard for an average person to sort out if this is a fake account or not.”

Scammers Are Tricking Anti-Vaxxers Into Buying Bogus Medical Documents

Low-code/no-code (LCNC) and robotic process automation (RPA) have gained immense popularity, but how secure are they? Is your security team paying enough attention in an era of rapid digital transformation, where business users are empowered to create applications swiftly using platforms like Microsoft PowerApps, UiPath, ServiceNow, Mendix, and OutSystems?
The simple truth is often swept under

Low-code/no-code (LCNC) and robotic process automation (RPA) have gained immense popularity, but how secure are they? Is your security team paying enough attention in an era of rapid digital transformation, where business users are empowered to create applications swiftly using platforms like Microsoft PowerApps, UiPath, ServiceNow, Mendix, and OutSystems?

The simple truth is often swept under the rug. While low-code/no-code (LCNC) apps and robotic process automations (RPA) drive efficiency and agility, their dark security side demands scrutiny. LCNC application security emerges as a relatively new frontier, and even seasoned security practitioners and security teams grapple with the dynamic nature and sheer volume of citizen-developed applications. The accelerated pace of LCNC development poses a unique challenge for security professionals, underscoring the need for dedicated efforts and solutions to effectively address the security nuances of low-code development environments.

****Digital Transformation: Trading off Security?****

One reason security finds itself in the backseat is a common concern that security controls are potential speed bumps in the digital transformation journey. Many citizen developers strive for quick app creation but unknowingly create new risks simultaneously.

The fact is that LCNC apps leave many business applications exposed to the same risks and damage as their traditionally developed counterparts. Ultimately, it takes a closely aligned security solution for LCNC to balance business success, continuity, and security.

As organizations dive headfirst into LCNC and RPA solutions, it's time to acknowledge that the current AppSec stack is inadequate for safeguarding critical assets and data exposed by LCNC apps. Most organizations are left with manual, cumbersome security for LCNC development.

****Unlocking Uniqueness: Security Challenges in LCNC and RPA Environments****

While the security challenges and threat vectors in LCNC and RPA environments might appear similar to traditional software development, the devil is in the details. Democratizing software development across a wider audience, the development environments, processes, and participants in LCNC and RPA introduce a transformative shift. This kind of decentralized app creation comes with three main challenges.

First, citizen and automation developers tend to be more prone to unintentional, logical errors that may result in security vulnerabilities. Second, from a visibility point of view, security teams are dealing with a new kind of shadow IT, or to be more precise, Shadow Engineering. Third, security teams have little to no control over the LCNC app life cycle.

****Governance, Compliance, Security: A Triple Threat****

The three-headed monster haunting CISOs, security architects, and security teams – governance, compliance, and security – is ever more ominous in LCNC and RPA environments. To illustrate, here are some and, of course, not comprehensive examples:

*   Governance challenges manifest in outdated versions of applications lurking in production and decommissioned applications, causing immediate concerns.
*   Compliance violations, from PII leakage to HIPAA violations, reveal that the regulatory framework for LCNC apps is not as robust as it should be.
*   The age-old security concerns of unauthorized data access and default passwords persist, challenging the perception that LCNC platforms offer foolproof protection.

****Four Crucial Security Steps****

In the ebook "Low-Code/No-Code And Rpa: Rewards And Risk," security researchers at Nokod Security suggest that a four-step process can and should be introduced to LCNC app development.

1.  **Discovery** \- Establishing and maintaining comprehensive visibility over all applications and automations is essential for robust security. An accurate, up-to-date inventory is imperative to overcome blind spots and ensure the proper security and compliance processes.
2.  **Monitoring** \- Comprehensive monitoring involves evaluating third-party components, implementing processes to confirm the absence of malicious code, and preventing accidental data leaks. Effectively thwarting the risk of critical data leaks requires a meticulous identification and classification of data usage, ensuring applications and automation systems handle data under their respective classifications. Governance includes proactively monitoring developer activity, particularly scrutinizing modifications made in the production environment post-publication.
3.  **Act on Violations** \- Efficient remediation must involve the citizen developer. Use clear communication in accessible language and with the LCNC platform-specific terminology, accompanied by step-by-step remediation guidance. You must bring in the necessary compensating controls when tackling tricky remediation scenarios.
4.  **Protecting the Apps** - Use runtime controls to detect malicious behavior inside your apps and automations or by apps in your domain.

While the steps outlined above provide a foundation, the reality of a growing attack surface, uncovered by the current application security stack, forces a reevaluation. Manual security processes are not scaling enough when organizations churn out dozens of LCNC applications and RPA automations weekly. The efficacy of a manual approach is limited, especially when companies are using several LCNC and RPA platforms. It is time for dedicated security solutions for LCNC application security.

****Nokod Security: Pioneering Low-code/no-code App Security****

Offering a central security solution, the Nokod Security platform addresses this evolving and complex threat landscape and the uniqueness of the LCNC app development.

The Nokod platform provides a centralized security, governance, and compliance solution for LCNC applications and RPA automations. By managing cybersecurity and compliance risks, Nokod streamlines security throughout the entire lifecycle of LCNC applications.

Key features of Nokod's enterprise-ready platform include:

*   Discovery of all low-code/no-code applications and automations within your organization
*   Placement of these applications under specified policies
*   Identification of security issues and detection of vulnerabilities
*   Auto-remediation and empowerment tools for low-code / no-code / RPA developers
*   Enabling enhanced productivity with lean security teams

****Conclusion:****

In the dynamic landscape of contemporary business technologies, the widespread adoption of low-code/no-code (LCNC) and robotic process automation (RPA) platforms by organizations has ushered in a new era. Despite the surge in innovation, a critical security gap exists. Enterprises must gain comprehensive insights into whether these cutting-edge applications are compliant, free from vulnerabilities, or harbor malicious activities. This expanding attack surface, often unnoticed by current application security measures, poses a considerable risk.

For more timely information about low-code/no-code app security, follow Nokod Security on LinkedIn.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Unmasking the Dark Side of Low-Code/No-Code Applications

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.
Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
"Targets

A new wave of phishing messages distributing the **QakBot** malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.

Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.

"Targets received a PDF from a user masquerading as an IRS employee," the tech giant said in a series of posts shared on X (formerly Twitter).

"The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL."

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

Microsoft said that the payload was generated the same day the campaign started and that it's configured with the previously unseen version 0x500.

QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.

Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of harvesting sensitive information as well as delivering additional malware, including ransomware.

In October 2023, Cisco Talos revealed that QakBot affiliates were leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealer malware.

The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 months after it was dismantled by law enforcement and has remained an enduring threat, albeit at a lower level.

While it remains to be seen if the malware will return to its former glory, the resilience of such botnets underscores the need for organizations to avoid falling victim to spam emails used in Emotet and QakBot campaigns.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry 

A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner

CVE-2023-3907

Plus: Hackers reveal flaws in crypto wallets holding $1 billion, a massive breach of Danish electric utilities, and more.

If you work at a spy agency tasked with surveilling the communications of more than 160 million people, it’s probably a good idea to make sure all the data in your possession stays off the open internet. Just ask Bangladesh’s National Telecommunication Monitoring Center, which security researchers found connected to a leaky database that exposed everything from names and email addresses to cell phone numbers and bank account details. The data was likely just used for testing purposes, but WIRED confirmed at least some of the data is linked to real people.

A fight is brewing in the United States Congress over the future of a powerful surveillance program. Section 702 of the Foreign Intelligence Surveillance Act is set to expire at the end of the year. With the December 31 deadline quickly approaching, members of Congress and civil liberties groups are criticizing Section 702 for enabling the “incidental” surveillance of Americans’ communications and “abuses” by the FBI. While a privacy-preserving update to the program has been introduced in Congress, some 702 critics remain concerned that lawmakers will push through reauthorization using other, “must-pass” legislation.

The US Cybersecurity Infrastructure Security Agency this week rolled out its plan for implementing the Biden administration’s executive order on artificial intelligence. CISA’s efforts will focus on defending against weaponized AI and how to incorporate the technology for national security purposes.

Speaking of national security, WIRED spoke this week with Jacob Chansley, aka the Qanon Shaman, who plans to run for the US Congress after becoming a poster child for the US Capitol riot on January 6. Elsewhere in the world of unexpected political news, talk of 9/11 mastermind Osama bin Laden's “Letter to America” spread online this week—and was promptly used by far-right figures to push conspiracy theories.

For the first time, the Signal Foundation has revealed the cost of running its widely popular encrypted messaging app. With annual expenses set to hit $50 million by 2025, the nonprofit expects to rely more heavily on user donations to keep Signal going strong. “By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Meredith Whittaker, president of the Signal Foundation, tells WIRED.

Speaking of surveillance business models, Meta has updated the way two-factor authentication works on Facebook. We’ve got a rundown on what you need to know. Speaking of multifactor authentication, Google has a new Titan Security Key that supports passkeys, pushing the long-used (and misused) password closer to its ultimate demise.

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week— suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven't been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark's critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers' infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia's GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities' customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client's wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.

_Updated, 12/19/23, 3:10 pm EST: Earlier this month, Reuters temporarily removed the article, "How an Indian startup hacked the world” from its website, pursuant to a preliminary court order issued in New Delhi, India. Reuters said it stands by its reporting and that it plans to appeal the court's decision, which is based on a pending lawsuit. In light of Reuters's actions, WIRED has temporarily removed the link and description of the story in this security roundup._

Cybersecurity Industry Baffled by FBI’s Lack of Action on Ransomware Gang

By Waqas
The latest cybersecurity incident to impact a large-scale and highly popular company is the MongoDB Data Breach.
This is a post from HackRead.com Read the original post: Hackers Access Customer Info, Corporate Systems in MongoDB Data Breach

In an email, Lena Smart, MongoDB’s Chief Information Security Officer (CISO), confirmed the latest MongoDB Data Breach, revealing that while investigations are underway, it has been verified that hackers accessed customer metadata and contact information.

**MongoDB**, a leading database management company, has fallen victim to a security incident resulting in unauthorized access to certain corporate systems. The breach, detected on the evening of December 13th, 2023, US Eastern Standard Time, has prompted an immediate and comprehensive investigation by the company.

The breach includes the exposure of customer account metadata and contact information, heightening concerns about the potential misuse of sensitive data. MongoDB activated its incident response process upon the discovery of suspicious activities, but it is believed that the unauthorized access may have been ongoing for some time before being detected.

****Lena Smart****, MongoDB’s Chief Information Security Officer (CISO), sent an email communication to MongoDB customers, outlining the details of the breach and urging caution in the wake of potential social engineering and phishing threats. The company assures customers that, as of now, there is no indication of exposure to the data stored in MongoDB Atlas, a cloud-based database service.

Despite the incident, MongoDB is actively managing the situation, with ongoing updates promised on their alert page (**mongodb.com/alerts**) as the investigation progresses. Relevant authorities have also been notified, underlining the seriousness of the security breach.

In a subsequent update at 5:25 PM EST on December 16, 2023, MongoDB reported a spike in login attempts, causing issues for customers attempting to access the MongoDB Atlas and Support Portal. However, MongoDB clarified that this was unrelated to the security incident and advised affected users to try again in a few minutes.

Lena Smart, in her email to customers, emphasized proactive steps to mitigate potential risks. MongoDB recommends customers be vigilant for **social engineering and phishing attacks** and take immediate action, such as activating phishing-resistant multi-factor authentication (MFA) and regularly rotating MongoDB Atlas passwords.

Hi,

MongoDB is investigating a security incident involving
unauthorized access to certain MongoDB corporate
systems. This includes exposure of customer account
metadata and contact information. At this time, we
are NOT aware of any exposure to the data that
customers store in MongoDB Atlas.

We detected suspicious activity on Wednesday (Dec.
13th, 2023) evening US Eastern Standard Time and
immediately activated our incident response process.
We are still conducting an active investigation and
believe that this unauthorized access has been going
on for some period of time before discovery. We have
also started notifying relevant authorities.

What should you do next?

Since we are aware that some customer
account metadata and contact information was
accessed, please be vigilant for social
engineering and phishing attacks.

If not already implemented, we encourage all
customers to activate phishing-resistant multi-
factor authentication (MFA) and regularly rotate
passwords.

MongoDB will continue to update mongodb.com/alerts
with additional information as we continue to
investigate the matter.

Sincerely,
Lena Smart
MongoDB CISO

Email sent by the company’s CISO reveals the latest MongoDB data breach (Screenshot credit: Hackread.com)

As the investigation unfolds, MongoDB customers are anxiously awaiting further updates on the situation. The incident serves as a stark reminder of the constant and evolving threats faced by companies in the digital age, underscoring the importance of robust cybersecurity measures and the need for continuous vigilance in safeguarding sensitive customer information.

****_RELATED ARTICLES_****

1.  **47% of online MongoDB databases hacked demanding ransom**
2.  **11 million personal unprotected MongoDB records leaked online**
3.  **Ride-hailing app leaks data of millions of Iranians from MongoDB**
4.  **Unprotected MongoDB leaks resume of 202M Chinese job seekers**
5.  **Hackers leave ransom note after wiping out MongoDB in 13 seconds**

Hackers Access Customer Info, Corporate Systems in MongoDB Data Breach

A buffer overflow in websockets in UnrealIRCd 6.1.0 through 6.1.3 before 6.1.4 allows an unauthenticated remote attacker to crash the server by sending an oversized packet (if a websocket port is open). Remote code execution might be possible on some uncommon, older platforms.

CVE-2023-50784: UnrealIRCd - The most widely deployed IRC server

Plus: Apple tightens anti-theft protections, Chinese hackers penetrate US critical infrastructure, and the long-running rumor of eavesdropping phones crystallizes into more than an urban legend.

A hacker group calling itself Solntsepek, previously linked to the infamous Russian military hacking unit Sandworm, took credit this week for a disruptive attack on the Ukrainian internet and mobile service provider Kyivstar. As Russia’s kinetic war against Ukraine has dragged on, inflicting what the World Bank estimates to be around $410 billion in recovery costs for Ukraine, the country has launched an official crowdfunding platform known as United24 as a means of raising awareness and rebuilding.

Kytch, the small company that aimed to fix McDonald’s notably often-broken ice cream machines, claims it has discovered a “smoking gun” email from the CEO of McDonald’s ice cream machine manufacturer that Kytch's lawyers say suggests an alleged plan to undermine Kytch as a potential competitor. Kytch argues in a recent court filing that the email reveals the real reason why, a couple of weeks later, McDonald’s sent an email to thousands of its restaurant franchisees claiming safety hazards related to Kytch’s ice-cream-machine-whispering device.

WIRED looked at how Microsoft’s Digital Crime Unit has refined a strategy over the past decade that combines intelligence and technical capabilities from Microsoft’s massive infrastructure with creative legal tactics to disrupt both global cybercrime and state-backed actors. And we dove into the controversy over reauthorization of Section 702 surveillance powers in the US Congress.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Geofence warrants, which require tech companies to cough up data on everyone in a certain geographic area at a certain time, have become an incredibly powerful tool for law enforcement. Sending a geofence warrant to Google, in particular, has come to be seen as almost an “easy button” among police investigators, given that Google has long stored location data on users in the cloud, where it can be demanded to help police identify suspects based on the timing and location of a crime alone—a practice that has appalled privacy advocates and other critics who say it violates the Fourth Amendment. Now, Google has made technical changes to rein in that surveillance power.

The company announced this week that it would store location history only on users' phones, delete it by default after three months, and, if the user does choose to store it in a cloud account, keep it encrypted so that even Google can't decrypt it. The move has been broadly cheered by the privacy and civil liberties crowds as a long-overdue protection for users. It will also strip law enforcement of a tool it had come to increasingly rely on. Geofence warrants were sent to Google, for instance, to obtain data on more than 5,000 devices present at the storming of the US Capitol on January 6, 2021, but they have also been used to solve far smaller crimes, including nonviolent ones. So much for the “easy button.”

In a different sort of technical move to tighten users' data protections, Apple has added new security features designed to make it harder for thieves to exploit users' sensitive data and accounts. _The Wall Street Journal_ had previously reported on how thieves who merely learned someone's passcode—say, by looking over their shoulder—and then stole their phone could access their online accounts and even make payments to drain their bank balances. Apple has now created a Stolen Device Protection feature that, when enabled, will require you to use a biometric feature like TouchID or FaceID to access certain accounts and phone features, in addition to the passcode that unlocks the phone. For the most sensitive features, like changing passwords or passcodes or turning off Find My, Apple will also force you to wait an hour and authenticate again if the phone isn't in a location the user typically frequents.

The group of Chinese hackers known as Volt Typhoon has rung alarm bells across the cybersecurity industry all year with news of its intrusions targeting power grids and other critical infrastructure in the Pacific region and the US. A new report from _The Washington Post_ offers fresh details of the disturbing mix of networks that the group has breached, including a water utility in Hawaii, an oil and gas pipeline, and a major West Coast port. The hackers haven't actually caused any disruptions, nor have they penetrated the industrial control system side of their targets' networks—the sensitive systems capable of triggering physical effects. But in combination with previous reports of Volt Typhoon's work to plant malware inside electric utilities in the continental US and Guam, the report paints a picture of China's escalating moves to prepare the groundwork for disruption in the event of a crisis, such as an invasion of Taiwan.

The notion that your iPhone or Amazon Echo is quietly listening to your conversations has long been one of the most paranoid suspicions of all technology users—bolstered, of course, by the targeted ads that are often so accurate that they seem to be pulled directly from verbal conversations. This week, that suspicion finally became more than an urban legend when 404 Media reported on an advertising company actively claiming that it can eavesdrop on conversations via those kinds of devices. The company, Cox Media Group, (CMG) brags in its marketing materials that it's already offering the technique to clients and “the ROI is already impressive.” It lists Amazon, Microsoft, and Google as alleged customers. But 404 Media couldn't verify if the technique works as advertised—an enormous “if”—and CMG didn't respond to 404 Media's request for comment.

Google Just Denied Cops a Key Surveillance Tool

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.17.

**phpMyFAQ Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Dec 16, 2023 to the GitHub Advisory Database • Updated Dec 18, 2023

Tag

#git