The North Korean advanced persistent threat (APT) actor Lazarus was caught exploiting a zero-day vulnerability in Chrome to steal cryptocurrency from the visitors of a fake game website, Kaspersky reports. Also referred to as Hidden Cobra and active since at least 2009, Lazarus is believed to be backed by the North Korean government and to have orchestrated numerous high-profile heists to generate funds for the Pyongyang regime. READ MORE...
In the final days of the 2024 US election season, Russian state-backed actors are pushing enormous amounts of fake news disguised as information from reputable news outlets with the intention of flooding the American news ecosphere with enough garbage to influence who eventually wins the White House. The Kremlin's full-scale propaganda push, named Operation Overload by researchers at Recorded Future who uncovered the effort, is pretty basic. READ MORE...
Four tax preparation software companies failed to comply with government rules that require the sharing of tax-related info to be done only with specific disclosures and full tax-payer consent, according to an audit released by the Treasure Inspector General for Tax Administration (TIGTA) in the United States. The Internal Revenue Service (IRS) partners with tax professionals and other entities that assist taxpayers in meeting their tax obligations. READ MORE...
A data thief calling themselves Satanic claims to have purloined the records of around 350 million customers of fashion retailer Hot Topic. Israeli security shop Hudson Rock reports that the criminal says they have hacked the loyalty account of the fashion megachain, harvesting 350 million customers' PII, including names, emails, physical addresses, and dates of birth. It appears that the leak possibly came from an employee at Robling, a retail analytics business. READ MORE...
Microsoft's social network for professionals, LinkedIn, is an important platform for job recruiters and seekers alike. It's also a place where criminals go to find new potential victims. Like other social media platforms, LinkedIn is no stranger to bots attracted to special keywords and hashtags. Think "I was laid off", "I'm #opentowork" and similar phrases that can wake up a swarm of bots hungry to scam someone new. READ MORE...
Over $350,000 was paid out on the second day of Pwn2Own Ireland 2024, including for an exploit targeting the Samsung Galaxy S24. With the $516,250 earned by participants on the first day of the event, the total payout at the hacking contest organized by Trend Micro's Zero Day Initiative (ZDI) has already reached nearly $850,000, and there are two more days left. One of the most noteworthy exploits on the second day targeted a Samsung Galaxy S24 smartphone. READ MORE...
You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock. Reston, Virginia-located Babel Street is the little-known firm behind Location X, a service with the capability to track the locations of hundreds of millions of phone users over sustained periods of time. READ MORE...
Scammers, rejoice. OpenAI's real-time voice API can be used to build AI agents capable of conducting successful phone call scams for less than a dollar. There have been concerns that letting AI models interact with convincing, simulated voices might lead to abuse. OpenAI in June delayed its advanced Voice Mode in ChatGPT, which supports real-time conversation between human and model, over safety concerns. READ MORE...
Fortinet has finally made public information about CVE-2024-47575, a critical FortiManager vulnerability that attackers have exploited as a zero-day. CVE-2024-47575 is a vulnerability stemming from missing authentication for a critical function in FortiManager's fgfmd daemon. Remote, unauthenticated attackers could exploit the flaw to execute arbitrary code or commands via specially crafted requests. READ MORE...
A high-severity flaw in Microsoft SharePoint, tracked as CVE-2024-38094, is under active exploit. The bug is a deserialization vulnerability, which is often used as attack vectors by malicious cyber actors and poses a serious threat to federal enterprises. If successfully exploited, it could give threat actors remote code execution capabilities. The vulnerability has earned a CVSS score of 7.2 out of 10. READ MORE...