This week on the Lock and Code podcast, we tell the true story of a virtual kidnapping scam from December of last year.

_This week on the Lock and Code podcast…_

On Thursday, December 28, at 8:30 pm in the Utah town of Riverdale, the city police began investigating what they believed was a kidnapping.

17-year-old foreign exchange student Kai Zhuang was missing, and according to Riverdale Police Chief Casey Warren, Zhuang was believed to be “forcefully taken” from his home, and “being held against his will.”

The evidence leaned in police’s favor. That night, Zhuang’s parents in China reportedly received a photo of Zhuang in distress. They’d also received a ransom demand.

But as police in Riverdale and across the state of Utah would soon learn, the alleged kidnapping had a few wrinkles.

For starters, there was no sign that Zhuang had been forcefully removed from his home in Riverdale, where he’d been living with his host family. In fact, Zhuang’s disappearance was so quiet that his host family was entirely unaware that he’d been missing until police came and questioned them. Additionally, investigators learned that Zhuang had experienced a recent run-in with police officers nearly 75 miles away in the city of Provo. Just eight days before his disappearance in Riverdale, Zhuang caught the attention of Provo residents because of what they deemed strange behavior for a teenager: Buying camping gear in the middle of a freezing winter season. Police officers who intervened at the residents’ requests asked Zhuang if he was okay, he assured them he was, and a ride was arranged for the teenager back home.

But what Zhuang didn’t tell Provo police at the time was that, already, he was being targeted in an extortion scam. But when Zhuang started to push back against his scammers, it was his parents who became the next target.

Zhuang—and his family—had become victims of what is known as “virtual kidnapping.”

For years, virtual kidnapping scams happened most frequently in Mexico and the Southwestern United States, in cities like Los Angeles and Houston. But in 2015, the scams began reaching farther into the US.

The scams themselves are simple yet cruel attempts at extortion. Virtual kidnappers will call phone numbers belonging to affluent neighborhoods in the US and make bogus threats about a holding a family member hostage.

As explained by the FBI in 2017, virtual kidnappers do not often know the person they are calling, their name, their occupation, or even the name of the family member they have pretended to abduct:

“When an unsuspecting person answered the phone, they would hear a female screaming, ‘Help me!’ The screamer’s voice was likely a recording. Instinctively, the victim might blurt out his or her child’s name: ‘Mary, are you okay?’ And then a man’s voice would say something like, ‘We have Mary. She’s in a truck. We are holding her hostage. You need to pay a ransom and you need to do it now or we are going to cut off her fingers.’”

Today, on the Lock and Code podcast with host David Ruiz, we are presenting a short, true story from December about virtual kidnapping. Today’s episode cites reporting and public statements from the Associated Press, the FBI, ABC4.com, Fox 6 Milwaukee, and the Riverdale Police Department.

Tune in today to listen to the full story.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 A true tale of virtual kidnapping: Lock and Code S05E02 

Gentoo Linux Security Advisory 202401-24 - Multiple denial of service vulnerabilities have been discovered in Nettle. Versions greater than or equal to 3.9.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-24  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Nettle: Denial of Service  
     Date: January 16, 2024  
     Bugs: #806839, #907673  
       ID: 202401-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple denial of service vulnerabilities have been discovered in  
Nettle.

Background  
=========  
Nettle is a cryptographic library that is designed to fit easily in  
almost any context: In cryptographic toolkits for object-oriented  
languages, such as C++, Python, or Pike, in applications like lsh or  
GnuPG, or even in kernel space.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
dev-libs/nettle  < 3.9.1       >= 3.9.1

Description  
==========  
Multiple vulnerabilities have been discovered in Nettle. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
A flaw was found in the way nettle's RSA decryption functions handled  
specially crafted ciphertext. An attacker could use this flaw to provide  
a manipulated ciphertext leading to application crash and denial of  
service.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Nettle users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/nettle-3.9.1"

References  
=========  
[ 1 ] CVE-2021-3580  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3580  
[ 2 ] CVE-2023-36660  
      https://nvd.nist.gov/vuln/detail/CVE-2023-36660

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-24

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-24

Gentoo Linux Security Advisory 202401-23 - A buffer overread vulnerability has been found in libuv. Versions greater than or equal to 1.41.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-23  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: libuv: Buffer Overread  
     Date: January 16, 2024  
     Bugs: #800986  
       ID: 202401-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overread vulnerability has been found in libuv.

Background  
=========  
libuv is a multi-platform support library with a focus on asynchronous  
I/O.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
dev-libs/libuv  < 1.41.1      >= 1.41.1

Description  
==========  
libuv fails to ensure that a pointer lies within the bounds of a defined  
buffer in the uv__idna_toascii() function before reading and  
manipulating the memory at that address.

Impact  
=====  
The overread can result in information disclosure or application crash.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libuv users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libuv-1.41.1"

References  
=========  
[ 1 ] CVE-2021-22918  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22918

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-23

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-23

Gentoo Linux Security Advisory 202401-22 - Multiple vulnerabilities have been discovered in libspf2, the worst of which can lead to remote code execution. Versions greater than or equal to 1.2.11 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-22  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libspf2: Multiple vulnerabilities  
     Date: January 15, 2024  
     Bugs: #807739  
       ID: 202401-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in libspf2, the worst of  
which can lead to remote code execution.

Background  
=========  
libspf2 is a library that implements the Sender Policy Framework,  
allowing mail transfer agents to make sure that an email is authorized  
by the domain name that it is coming from.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
mail-filter/libspf2  < 1.2.11      >= 1.2.11

Description  
==========  
Multiple vulnerabilities have been discovered in libspf2. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Various buffer overflows have been identified that can lead to denial of  
service and possibly arbitrary code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libspf2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-filter/libspf2-1.2.11"

References  
=========  
[ 1 ] CVE-2021-20314  
      https://nvd.nist.gov/vuln/detail/CVE-2021-20314  
[ 2 ] CVE-2021-33912  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33912  
[ 3 ] CVE-2021-33913  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33913

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-22

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-22

Gentoo Linux Security Advisory 202401-21 - A vulnerability has been found in KTextEditor where local code can be executed without user interaction. Versions greater than or equal to 5.90.0-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: KTextEditor: Arbitrary Local Code Execution  
     Date: January 15, 2024  
     Bugs: #832447  
       ID: 202401-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in KTextEditor where local code can be  
executed without user interaction.

Background  
=========  
Framework providing a full text editor component for KDE.

Affected packages  
================  
Package                     Vulnerable    Unaffected  
--------------------------  ------------  ------------  
kde-frameworks/ktexteditor  < 5.90.0-r2   >= 5.90.0-r2

Description  
==========  
A vulnerability has been discovered in KTextEditor. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
KTextEditor executes binaries without user interaction in a few cases,  
e.g. KTextEditor will try to check on external file modification via  
invoking the "git" binary if the file is known in the repository with  
the new content.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All KTextEditor users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=kde-frameworks/ktexteditor-5.90.0-r2"

References  
=========  
[ 1 ] CVE-2022-23853  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23853

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-21

Gentoo Linux Security Advisory 202401-20 - A vulnerability has been found in QPDF which can lead to a heap-based buffer overflow. Versions greater than or equal to 10.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: QPDF: Buffer Overflow  
     Date: January 15, 2024  
     Bugs: #803110  
       ID: 202401-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in QPDF which can lead to a heap-based  
buffer overflow.

Background  
=========  
QPDF: A content-preserving PDF document transformer.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
app-text/qpdf  < 10.1.0      >= 10.1.0

Description  
==========  
A vulnerability has been discovered in QPDF. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
QPDF has a heap-based buffer overflow in Pl_ASCII85Decoder::write  
(called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain  
downstream write fails.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QPDF users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/qpdf-10.1.0"

References  
=========  
[ 1 ] CVE-2021-36978  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36978

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-20

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-20

Gentoo Linux Security Advisory 202401-19 - Multiple vulnerabilities have been found in Opera, the worst of which can lead to remote code execution. Versions greater than or equal to 73.0.3856.284 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Opera: Multiple Vulnerabilities  
     Date: January 15, 2024  
     Bugs: #750929  
       ID: 202401-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Opera, the worst of which  
can lead to remote code execution.

Background  
=========  
Opera is a fast web browser that is available free of charge.

Affected packages  
================  
Package                Vulnerable       Unaffected  
---------------------  ---------------  ----------------  
www-client/opera       < 73.0.3856.284  >= 73.0.3856.284  
www-client/opera-beta  < 73.0.3856.284  >= 73.0.3856.284

Description  
==========  
Multiple vulnerabilities have been discovered in Opera. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Opera users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/opera-73.0.3856.284"

All Opera users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/opera-beta-73.0.3856.284"

References  
=========  
[ 1 ] CVE-2020-15999  
      https://nvd.nist.gov/vuln/detail/CVE-2020-15999

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-19

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-19

Almost seven years after alleged FruitFly author Phillip Durachinsky’s arrest, judge Solomon Oliver has ruled he's incompetent to stand trial.

On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. The university was notified by an undisclosed third party, who provided information to help the team find and identify the malware.

CWRU began working with the FBI, who determined that the systems had been infected for several years. Together, CWRU and the FBI were able to identify that an IP address with which the malware was communicating had also been used to access the alumni email account of a man called Phillip Durachinsky.

On January 10 2017, and unaware of this ongoing investigation, Malwarebytes became aware of the Mac version of the malware that would become known as FruitFly. We shared our investigation with Apple, and learned that it was working with the FBI and calling the malware “FruitFly” internally.

On January 25, 2017, Durachinsky was arrested for involvement with the FruitFly malware. On December 7, 2023 – nearly 7 years later – a judge ruled that Durachinsky is incompetent to stand trial.

****Who is Phillip Durachinsky?****

Durachinsky, a resident of northeast Ohio, was seen by his peers as “awkward and eccentric” throughout grade school and college. Despite this, he was active in extracurricular activities. In high school, he participated in a computer club. As a member of the club, he competed in a local programming competition, helping the team to win in both 2005 and 2006. Interviewed by a local newspaper reporter following one of these wins, Durachinsky said, “It’s about teamwork, knowing your strengths and weaknesses to help the team.”

In college at CWRU, he participated in a philosophy club, where he was “interested in the philosophy behind mathematics.” In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D.

However, Durachinsky was frequently in trouble for his other computing activities. He was rumored to have hacked into his high school’s computer system, although those rumors were never confirmed. While at CWRU, he was accused of “cracking passwords” on a CWRU network. In an interview following his 2017 arrest, a local law enforcement representative said that Durachinsky was “not unknown to the authorities.”

Initial investigation of the FruitFly malware showed something very interesting: some of the code in the malware was extremely old. There were many references to functions that dated back to the early days of the Macintosh, and that had been deprecated in macOS for years. (This led to Malwarebytes initially using the name “Quimitchin” for the malware, after the name for ancient Aztec spies that infiltrated enemy tribes. This name did not catch on.)

FruitFly included a number of very powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone. The FBI found more than 20 million files collected from victim machines on hardware confiscated from Durachinsky’s home.

According to an FBI Flash document released to affected organizations on March 27, 2017, machines were infected with FruitFly via brute force attacks, using weak passwords or passwords from breaches of other systems. (The latter is referred to as “credential stuffing.”)

> “The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.”
> 
> FBI Flash

In this manner, thousands of computers were infected over more than a decade.

****Arrest and arraignment****

Apple had been acting as an intermediary, coordinating with both the FBI and Malwarebytes. On January 18, 2017, all three organizations took simultaneous actions. Apple released a security update to protect users against FruitFly, Malwarebytes published a blog post with technical details about the malware, and the FBI knocked on the door of the house linked to the IP address used by the malware. (The IP address was linked to the malware using data collected by CWRU, Malwarebytes, and AT&T.)

The house, as it turned out, was the home of Durachinsky’s parents, who allowed the agents to enter and mentioned that Durachinsky had been in trouble in high school for breaking into his high school’s website and hacking into teachers’ email.

The FBI found a laptop in Durachinsky’s room. When they entered the room, the laptop lid was slightly ajar, and agents were able to see that the cursor was moving – indicating that it was being remotely accessed – and that the control panel for the malware was visible on the screen. Agents disconnected the network router to prevent further remote access, which could have resulted in deletion of evidence. Also found were numerous hard drives.

On January 19, a judge signed a warrant allowing the FBI to examine the contents of the laptop and hard drives. As a result of the evidence found, Durachinsky was arrested on January 25. Following numerous requests by the defense and changes in Durachinsky’s legal representation, he was finally arraigned nearly a year later, on January 19, 2018.

Durachinsky was charged with 16 counts, including accessing and damaging computers without authorization, accessing a non-public government computer without authorization, production of child pornography, three counts of wire fraud, four counts of aggravated identity theft, and five counts of illegal wiretapping.

During the lengthy trial, it was the child pornography charge that seemed to be of most concern to the defense. Repeated attempts were made to evade it, including an attempt to suppress evidence due to claims of improper seizure, an attempt to suppress a confession made by Durachinsky, and an attempt to separate that charge from all the others and try it separately.

****Ruling****

Almost seven years after Durachinsky’s arrest, judge Solomon Oliver ruled that Durachinsky was incompetent to stand trial, by reason of being unable to assist in his own defense due to autism spectrum disorder (ASD). If psychologists determine that his “condition” can be treated to restore his competency, the trial will continue. Otherwise, he will be civilly committed.

Interestingly, although both prosecuting and defense attorneys agree on the competency ruling, Durachinsky himself does not. He has been cited as saying, “I don’t challenge the autism disorder diagnosis, but I disagree with the way this has been prosecuted.”

This ruling has caused some concerns in the information security community. ASD is not something that can be “cured,” though therapy can help to teach people on the spectrum how to improve social and communication skills. This can take years, however.

Some have expressed skepticism about the ruling, arguing that Durachinsky’s activities and public statements suggest that, like many affected by high-functioning ASD, he appears to be fully capable of understanding his situation and knowing the difference between right and wrong.

Others have expressed concerns about how this case has proceeded. Seven years of jail time without ever having been found guilty in a court of law is concerning. Although the evidence seems pretty damning, and it has been fully expected that Durachinsky would be found guilty, the US justice system is supposed to presume a defendant to be innocent until proven guilty.

****What next?****

It’s unclear what’s next for Mr. Durachinsky, but it would seem the saga is not yet over. Presumably he will be – or has been – released from jail, but there’s still the question of civil commitment. It’s unclear exactly what that will mean – whether this would require time in an institution and, if so, for how long. It’s also unclear whether there will be any kind of treatment that the court deems successful at restoring his competency, in which case the trial could resume.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Alleged FruitFly malware creator ruled incompetent to stand trial 

By Waqas
From Bubbles to Bytes: Lush investigates 'cyber incident' without giving any substantial information to customers.
This is a post from HackRead.com Read the original post: British Cosmetics Retailer Lush Investigating Cyber Attack

Lush Retail Ltd., a popular British cosmetics retailer headquartered in Poole, Dorset, is investigating a cyber attack. Still, it is unclear whether it is a ransomware attack, a data breach, or a DDoS attack causing disruption.

Lush Retail Ltd., a British cosmetics retailer is surrounded by uncertainty after confirming a cybersecurity incident is brewing within the company. While details remain scarce, the news has left customers and industry experts alike wondering just how deep the fragrant rabbit hole goes.

The company broke the news through a brief statement, admitting they are “currently responding to a cybersecurity incident,” but stopping short of revealing the attack’s nature or potential targets. This cryptic stance has only fueled speculation, with concerns ranging from customer data breaches to operational disruptions.

“We take cybersecurity exceptionally seriously,” stressed the statement, attempting to quell rising worry. “We have informed relevant authorities and are working with external IT forensic specialists to conduct a thorough investigation.”

> _“Lush UK&I is currently responding to a cyber security incident and working with external IT forensic specialists to undertake a comprehensive investigation. The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations. We take cyber security exceptionally seriously and have informed relevant authorities.”_

This move suggests the attack might be more than a minor hiccup, potentially involving sensitive data or wider security implications. The potential scenarios storming around this incident paint a troubling picture:

*   **Data breach:** Customer names, addresses, and even payment information could be on the line if hackers breached Lush’s systems.
*   **Ransomware attack:** The company’s operations could be held hostage by malicious actors demanding payment to unlock vital data.
*   **Disruption of operations:** Production, distribution, and sales channels could be thrown into disarray, impacting both employees and customers.

Experts caution against complacency, urging users to remain vigilant towards suspicious emails or communications claiming to be from Lush.

“It hasn’t been confirmed what type of attack Lush is facing, but it does sound like ransomware,” said William Wright, CEO of Closed Door Security. “The threat is used to take an organisation’s data hostage, so a big part of recovery is working on containing the attack and limiting its spread.”

“More details should be released around the attack, but the most worrying issue with the incident is the type of data criminals could potentially have access to. Whether it be company data, or sensitive customer information, given the popularity of Lush it will undoubtedly be a gold mine for criminals,” Wright warned.

While the investigation unfolds, Lush customers can take proactive steps:

*   **Change passwords:** Update credentials for any online accounts associated with Lush as a precautionary measure.
*   **Beware phishing:** Approach emails and communications claiming to be from Lush with caution. Avoid clicking links or opening attachments unless their legitimacy is certain.
*   **Monitor credit reports:** Keep an eye out for suspicious activity that could signal unauthorized access to financial information.

Should Lush decide to disclose additional information about the cyber attack, Hackread.com will update this article accordingly. However, one certainty remains: the United Kingdom has been experiencing an unprecedented surge in cyber attacks over the past few months.

Earlier this month, it was reported that hackers launched a calculated cyber attack on the UK’s Nuclear Waste Services through LinkedIn. A few months before that, in November 2023, Samsung disclosed a data breach in which hackers stole customer data in the UK.

In October 2023, UK power and data manufacturer Volex fell victim to a cyber attack. During the same month, reports surfaced that Vietnamese DarkGate malware targeted META accounts nationwide.

****_RELATED ARTICLES_****

1.  **UK Royal Family Website Hit by DDoS Attack from KillNet**
2.  **UK Air Traffic Control System Collapses, Causing Travel Chaos**
3.  **Cyberattack on UK IT Firm Swan Retail Affects up to 300 Retailers**
4.  **UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released**
5.  **UK Electoral Commission Admits Major Data Breach Spanning Over a Year**

British Cosmetics Retailer Lush Investigating Cyber Attack

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.
The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it

Vulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

"This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser's security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called "Opera Touch Background," which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally\_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns "\*.flow.opera.com" and ".flow.op-test.net" – both controlled by the browser vendor itself.

"This exposes the messaging API to any page that matches the URL patterns you specify," Google notes in its documentation. "The URL pattern must contain at least a second-level domain."

Guardio Labs said it was able to unearth a "long-forgotten" version of the My Flow landing page hosted on the domain "web.flow.opera.com" using the urlscan.io website scanner tool.

"The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the \[content security policy\] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check," the company said.

"This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API."

The attack chain then hinges, creating a specially crafted extension that masquerades as a mobile device to pair with the victim's computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

"Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries," the company told The Hacker News.

"This underscores the need for internal design changes at Opera and improvements in Chromium's infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome's web store, is recommended but has not yet been implemented by Opera."

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it's taking steps to prevent such issues from happening again.

"Our current structure uses an HTML standard, and is the safest option that does not break key functionality," the company said. "After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future."

"We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac