We hope everyone is recovered from a great holiday period (here in the Cayman Islands) and have two week’s worth of news to catch up on! What’s in store? Lots of data breaches, open source tools to identify backdoors in affected XZ libraries, and money laundering via cryptocurrencies.
XZ backdoor scanner released
Links: Bleeping Computer
Security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, also known as CVE-2024-3094. For those unaware, last month, a Microsoft engineer discovered the backdoor in the XZ Utils package while investigating unusually slow SSH logins. The backdoor was introduced by a trusted contributor.
Ransomware targeting VMware
Links: Bleeping Computer
Ransomware attacks are always targeting virtual infrastructure, but a Chilean hosting provider noticed new attacks targeting LATAM-based virtual machine. In the trend of the most recent ransomware attacks, Panera and Omni Hotels were suffering outages sourced to ransomware attacks.
KuCoin charged with AML violations
Links: Bleeping Computer
The US Department of Justice (DoJ) has charged global cryptocurrency exchange KuCoin and two of its founders for failing to adhere to anti-money laundering (AML) requirements. The DoJ claimed that KuCoin knowingly allowed US-based traders to use the platform without collecting the appropriate KYC documentation. While not unheard of, the DoJ also states that KuCoin advertised that KYC wasn’t required to use the platform, allowing $9 billion in crypto to potentially be laundered.
AT&T states 70 million leaked records aren’t from their systems
Links: Bleeping Computer
AT&T has announced that the leaked records of 71 million people didn’t originate from their systems, contrary to what ShinyHunters (the group responsible for selling the data) stated when trying to sell the data for $200,000 USD. For those reading and keeping track of how much their data is worth, that comes to $355 per user. However, last week, a hacker known as MajorNelson has released it for free, containing the Social Security Number and Date of Birth for the 71 million records.
Google to delete records of data they said weren't being recorded
Links: The Hacker News
Google has agreed to delete billions of records collected from users while using their Incognito feature, following a class-action lawsuit from 2020. There’s not much else to say about this one other than we’re sure Google will completely be compliant moving forward and won’t find another way to capture your data and sell it.