UK Government Bans TikTok on Official Mobile Phones
Following in the footsteps of the US and European Commission, the UK government has prohibited the use of the Chinese-owned TikTok app on work mobile phones of ministers and civil servants. This marks a significant shift in the UK’s stance on the app and comes shortly after Washington ordered ByteDance, TikTok’s parent company, to sell the app or face a potential ban in the US.
Microsoft Releases Out-of-Band Update for Snipping Tool Flaw
Microsoft has issued an emergency security update for the Windows 10 and Windows 11 Snipping Tool to fix the Acropalypse privacy vulnerability (CVE-2023-28303). The flaw arises when an image editor overwrites the original file with the cropped version without truncating it, so the cropped-out pixel data remains at the end of the file; both Google Pixel’s Markup tool and the Windows Snipping Tool were affected.
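The on-disk symptom of this bug is a PNG whose file continues past its IEND chunk. The following check, an added example that is not code from the original item, Microsoft or Google, walks the PNG chunk structure and reports how many bytes follow IEND; the sample images it scans are constructed inline (the 1x1 PNG and the appended leftover bytes are made up for the demonstration).

```python
"""Detect leftover data after a PNG's IEND chunk, the file-level symptom of the
Acropalypse bug (CVE-2023-28303): the editor wrote the cropped image over the
original file without truncating it, so bytes of the old image remain behind."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def trailing_bytes_after_iend(data: bytes) -> int:
    """Return the number of bytes following the IEND chunk, or -1 if the
    input is not a well-formed PNG (bad signature, truncated chunk, no IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        return -1
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 CRC at minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length
        if chunk_end > len(data):
            return -1  # chunk claims more bytes than the file holds
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    return -1


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(extra: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally followed by leftover bytes
    standing in for the pixel data an un-truncated overwrite leaves behind."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"") + extra)


if __name__ == "__main__":
    samples = {"clean": build_sample_png(),
               "leaky": build_sample_png(extra=b"OLD-IMAGE-DATA" * 8)}
    for name, blob in samples.items():
        n = trailing_bytes_after_iend(blob)
        verdict = " -> data after IEND, treat as possibly leaking" if n > 0 else ""
        print(f"{name}: {n} byte(s) after IEND{verdict}")
```

A scan of a shared-screenshot folder can apply the same function to every PNG and flag any file where the result is greater than zero.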
Vice Society Ransomware Gang Targets Puerto Rico Aqueduct and Sewer Authority
The Puerto Rico Aqueduct and Sewer Authority (PRASA) is investigating a cyberattack that occurred two weeks ago, with the Vice Society ransomware gang claiming responsibility. While the agency has not confirmed the attackers’ identity, customer and employee information was accessed during the breach. However, critical infrastructure operations remained unaffected.
Near-Ultrasound Inaudible Trojan (NUIT) Attack Threatens Voice Assistant Devices
Researchers from the University of Texas at San Antonio and the University of Colorado have developed a novel attack called NUIT that can silently target devices with voice assistants, such as smartphones, smart speakers, and IoT devices. The attack leverages the fact that microphones in smart devices respond to near-ultrasound waves, which humans cannot hear, enabling stealthy attacks using conventional speaker technology.
Panera Bread Implements Palm-Scanning Tech Amid Privacy Concerns
Panera Bread is introducing palm scanners developed by Amazon to link customers’ handprints to their loyalty accounts, raising concerns among privacy advocates. The company claims the biometric technology will provide a frictionless and personalized experience, while critics fear the potential for data misuse by federal agencies or hackers.
UK National Crime Agency Sets Up Fake DDoS-for-Hire Sites
The UK’s National Crime Agency (NCA) has revealed its strategy of creating fake DDoS-for-hire sites to infiltrate the online criminal underground. Users who registered for the sites were not granted access to cybercrime tools; instead, their data was collected by investigators to target low-level criminals.
New MacStealer Malware Targets iCloud Keychain Data on macOS Devices
A new information-stealing malware called MacStealer is targeting Apple’s macOS operating system to exfiltrate sensitive data from compromised devices. The malware uses Telegram as a command-and-control platform and primarily affects macOS Catalina and later versions running on M1 and M2 CPUs.
3-Year JavaScript Injection Campaign Hits 51,000 Websites
Unit 42 researchers have been tracking a widespread malicious JavaScript injection campaign that has targeted over 51,000 websites since 2020. The campaign redirects victims to malicious content like adware and scam pages, using obfuscation, benign append attacks, and multistep injections to bypass detection.