Breach Notification , Cybercrime , Fraud Management & Cybercrime
Breach Roundup: Microsoft Tries Again With Windows Recall
Also: Africa Busts Cybercrime Suspects; Many Smart Devices Lack Update TransparencyEvery week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Microsoft previews its latest attempt to introduce AI-enabled Windows Recall - now with added privacy features; over 1,000 cybercrime suspects busted in Africa; regulators report "smart" device update promises often missing; Florida IT professional caught spying for China; and more.
See Also: Value Drivers for an ASM Program
Microsoft Previews Fresh Recall
Remember Windows Recall? After months of delays, Microsoft has unveiled a first-look preview of its latest attempt to bring the beleaguered feature to market.
First announced in May and delayed three times since then, Recall is designed to take periodic screenshots of active windows, analyze them using on-device artificial intelligence and store them in an SQLite database. Users can retrieve snapshots using natural language queries.
The tool is intended to allow users to employ AI to easily search these snapshots of their PC activities.
In response to earlier versions, multiple researchers detailed extensive privacy and security concerns, such as collected information being a natural target for attackers. This prompted Microsoft to delay rollout as well as promise that Recall would be opt-in. Would-be users will now also have to first enable BitLocker full-disk encryption, activate Secure Boot and enroll in Windows Hello access controls, making their system tougher to hack.
Recall is designed to avoid capturing sensitive information such as passwords and credit card details. Users can also delete snapshots and exclude specific apps and websites from data capture. Microsoft says the tool can also be uninstalled.
Enterprise devices will ship with Recall disabled by default, requiring IT admins to decide whether or not to give users access.
Since the first version, Microsoft has added other safeguards, such as anti-hammering and rate limiting to guard against brute-force attacks. Stored data remains encrypted locally, and Microsoft said it cannot access it. The technology giant said it also plans to enable users to back-up their Recall data recovery keys, although this feature is not yet available.
The latest preview includes "Click to Do," which analyzes Recall snapshots to suggest inline actions or link users to relevant apps. Microsoft said the feature is intended to be a productivity enhancer as well as address privacy concerns.
This first-look preview is so far only available to individuals who have signed up for the Windows Insider Program for Developers and will only run on Qualcomm Snapdragon X Elite and Copilot+ PCs with Windows 11 Insider Preview Build 26120.2415 installed. Support for Intel and AMD Copilot+ devices is due to follow.
Microsoft said it's gathering feedback through its Insider Program before giving its latest attempt at Recall a wider release.
Most Smart Devices Lack Clear Update Policies
How long can consumers expect their internet-enabled hearing aids, security cameras, door locks and other "smart" products to receive updates that keep them secure, as well as ensure they continue to function?
The U.S. Federal Trade Commission on Tuesday said that nearly 90% of studied smart devices' websites fail to disclose for how long they will receive critical software updates or make this information easily accessible.
"Consumers stand to lose a lot of money if their smart products stop delivering the features they want," said Samuel Levine, director of FTC's Bureau of Consumer Protection.
The FTC reviewed 184 smart products, examining manufacturers' websites for information on update support, and found 161 products lacked clear details about update durations. Through basic internet searches, researchers only uncovered support timelines for about one-third of devices.
The agency said this lack of transparency may violate the Magnuson-Moss Warranty Act, which mandates pre-sale disclosure of warranty terms, and could also breach the FTC Act if manufacturers misrepresent product usability.
Florida IT Worker Sentenced for Spying for China
A U.S. district court judge sentenced a Florida IT worker, Ping Li, to serve four years in prison for acting as an agent of China's Ministry of State Security. Li, who's a 59-year-old U.S. citizen from Wesley Chapel, Florida, pleaded guilty to conspiring with the MSS, was fined $250,000 and is set to also serve three years of supervised release.
Since at least 2012, Li provided sensitive information, including data on Chinese dissidents, Falun Gong members and cybersecurity training materials, to the MSS, prosecutors said. Li, a former Verizon employee who later joined Infosys, acted as a "cooperative contact" who assisted MSS intelligence officers in a variety of ways, they said.
Prosecutors said that in May 2021, Li shared details pertaining to hack attacks against the U.S., including the SolarWinds cyberattack, just days after the MSS requested it. He also leaked internal cybersecurity training materials from his employer in 2022. MSS handlers further sought information on hacking tactics through emails and during Li's visits to China.
The U.S. Department of Justice said Li shared personal data on dissidents, including a Florida-based Falun Gong member and a Chinese refugee who lived in the U.S. After being arrested in July 2022, Li initially denied his actions but confessed after being confronted with evidence of his communications, prosecutors said.
African Cybercrime Takedown Arrests 1,000 Suspects
In an international operation coordinated by INTERPOL and the African Union's AFRIPOL, African law enforcement agencies arrested over 1,000 individuals suspected of being involved in various types of cybercrime, who allegedly caused nearly $193 million in global financial losses tied to 35,000 victims.
The law enforcement "Operation Serengeti" took place between September and October and particularly focused on combating ransomware-wielding attackers, business email compromise schemers, as well as other forms of digital extortion and online scams.
Authorities said 19 African countries participated in the operation, leading to the dismantling of thousands of attacker-controlled networks and sites and the confiscation of approximately $44 million in stolen funds.
DOJ Unveils Money Laundering Charges
A U.S. federal grand jury has indicted nine individuals in connection with a multi-state money laundering scheme tied to internet fraud, including business email compromise scams. The group allegedly laundered over $20 million in fraudulent proceeds.
The indictment alleges that since 2016, the group recruited money mules to funnel fraud proceeds through sham companies, disguising the funds to enrich themselves. The scheme spanned Tennessee, Texas and other states, targeting businesses and individuals both in the U.S. and abroad, according to the Department of Justice.
If convicted, each defendant faces up to 20 years in prison.
NIVIDIA Patches High-Severity Flaw
NVIDIA has released a firmware update to fix a critical improper-authentication vulnerability, tracked as CVE-2024-0130, that attackers could use to steal data and otherwise compromise systems.
The chipmaker said the flaw is present in various versions of its UFM Enterprise and UFM Cyber-AI products.
The affected products "contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the ethernet management interface," it said, adding that in many cases, this interface will not be public-facing, in which case attackers would not be able to directly exploit it.
"A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service and information disclosure," it said.
Google Play's Malicious Loan Apps
Cybersecurity firm McAfee said it found "spyloan" Android apps on the Google Play Store masquerading as financial loan services that were instead designed to steal users' personal data.
The malicious apps - targeting users in Mexico, Colombia, Indonesia and various English-speaking countries - often mimic legitimate financial institutions and promise low-interest loans, often failing to deliver, or provide smaller amounts with exorbitant fees and hidden charges, McAfee said.
The malicious apps demand users to grant them excessive permissions, after which they harvest sensitive information, including banking details, IDs, call logs, SMS messages and even contacts, researchers said. The app developers have used this data to blackmail victims, sending fake photos or threatening messages to contacts, with victims reporting harassment, foul language and even death threats from scammers, they said.
While Google removed many of the apps, others remain active in various forms after attackers made minor modifications, researchers said.
Pirate Streaming Service Scuppered
An international law enforcement operation dismantled a major pirate streaming network accused of serving over 22 million users worldwide and generating $264 million per month for its administrators.
Italy's Postal and Cybersecurity Police Service led the operation, codenamed "Taken Down," working with Eurojust, Europol and law enforcement from European and other countries.
The operation targeted a criminal organization responsible for illegally capturing and reselling content from platforms such as Netflix, Amazon Prime, Sky and Disney Plus. Authorities said the disruption stands as the largest operation against "audiovisual piracy" that's ever been conducted, and said the illicit business appeared to be run by masterminds based in Italy and the Netherlands.
As part of the operation, more than 270 officers carried out 89 searches in Italy, along with 14 additional raids in the U.K., the Netherlands, Sweden, Switzerland, Romania, Croatia and China, arresting in total 102 individuals.
Authorities seized servers and shut down numerous illegal channels, including nine in Romania and Hong Kong tied to the majority of illicit streaming in Europe, and confiscated cryptocurrency worth $1.7 million, plus $42,000 in cash.
The suspects face various charges, including unauthorized system access, computer fraud and money laundering. The investigation, which began two years ago, found suspects used encrypted apps, fake identities and forged documents to try and evade efforts to track their activities.
Man Accused of Hacking Health Club
A U.S. federal grand jury has indicted Nicholas Michael Kloster, 31, for hacking into computer networks to promote his cybersecurity services. Kloster, a 31-year-old from Kansas City, Missouri, allegedly breached the systems of a health club business and a nonprofit organization.
Prosecutors have accused Kloster of accessing the health club's network on April 26 and emailing one of its owners, claiming responsibility for the hack while offering his security consulting services. He allegedly manipulated the gym's systems, reduced his membership fee to $1, deleted his photo from its database and even stole a staff member's name tag. He also shared a screenshot of the gym's security cameras on social media.
A few weeks later, Kloster allegedly accessed a nonprofit's restricted area, used a boot disk to bypass security and installed a VPN on its system, resulting in around $5,000 in damages. He's also been accused of using stolen credit card information from a previous employer to buy hacking tools.
Kloster faces up to 15 years in prison if convicted, including charges for unauthorized access, reckless damage and theft, as well as potential fines.
HDFC Life Investigates Data Breach
India's HDFC Life Insurance told customers Monday that someone with apparently malicious intent has shared "certain data fields of our customers with us." The financial services firm said it has launched "an information security assessment and data log analysis" to investigate the apparent data leak.