WinRAR 7.10 Released: Dark Mode and Enhanced Privacy

2025-02-21

WinRAR 7.10 has been released, boasting numerous improvements including larger memory pages for performance boosts, a much-requested dark mode, and a redesigned settings interface. A standout feature is its enhanced privacy controls. Users can now fine-tune how information from the Mark-of-the-Web (MoTW) is propagated, with a default setting that only retains the security zone value, stripping potentially revealing URLs and IP addresses from extracted files. While this might impact digital forensics, it's a welcome addition for privacy-conscious users.

Brave Browser's New Custom Scriptlets: Take Control of Your Browsing Experience

2025-02-11

Brave Browser version 1.75 introduces 'custom scriptlets' for desktop users, allowing advanced users to inject their own JavaScript into websites for deep customization. Similar to Tampermonkey and Greasemonkey, this feature enables users to create scripts modifying website functionality. The feature was initially developed for debugging Brave's ad blocker, and its value led to its release. Custom scriptlets enhance privacy, security, and usability by blocking trackers, customizing appearance, and improving accessibility. However, caution is advised as untrusted scripts pose risks. The feature is located in `brave://settings/shields/filters` and requires enabling 'Developer mode'.

Apple Patches Zero-Day Vulnerability Used in Sophisticated Attacks

2025-02-10

Apple has released emergency security updates to address a zero-day vulnerability (CVE-2025-24200) exploited in targeted, sophisticated attacks. The vulnerability could bypass USB Restricted Mode on locked devices, potentially allowing data extraction. This mode was designed to prevent forensic software from accessing data on locked iOS devices. Apple urges users to update immediately to mitigate potential ongoing attacks. This incident highlights the importance of regular software updates and mobile device security.

Massive Healthcare Data Breach at Medusind Impacts 360,000+

2025-02-02

Medusind, a healthcare billing provider, disclosed a data breach affecting over 360,000 individuals. The December 2023 breach exposed sensitive information including health insurance details, payment information, medical records, government IDs, and personal data. Medusind is offering two years of free identity monitoring services to affected individuals and urging them to monitor their accounts for suspicious activity. This incident follows proposed HIPAA updates by HHS aimed at bolstering healthcare cybersecurity in response to a recent surge in major data breaches.

Critical Apple CPU Side-Channel Flaws Steal Browser Data

2025-01-28

Researchers have uncovered new side-channel vulnerabilities, FLOP and SLAP, in Apple's M-series and A-series processors. These flaws allow remote attackers to steal sensitive data from web browsers via malicious websites, bypassing browser sandboxing. The vulnerabilities stem from faulty speculative execution, exploiting the CPU's mispredictions to leak information like emails, location history, and more. Apple is aware and plans to address the issue, but patches aren't yet available. Disabling JavaScript is a temporary mitigation, but impacts website functionality.

Pwn2Own Automotive 2025: Hackers Awarded $886,250 for 49 Zero-Days

2025-01-27

The Pwn2Own Automotive 2025 hacking contest concluded with security researchers earning a total of $886,250 for discovering 49 zero-day vulnerabilities. Targets included EV chargers, car operating systems (Android Automotive OS, Automotive Grade Linux, BlackBerry QNX), and in-vehicle infotainment systems. Summoning Team's Sina Kheirkhah took home the top prize, earning $222,250 and 30.5 Master of Pwn points. The event highlighted significant security flaws in automotive software, emphasizing the ongoing need for improved security in the industry.

Hacker Infects 18,000 'Script Kiddies' with Fake Malware Builder

2025-01-25

A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly installed a backdoor to steal data and take over computers. Security researchers at CloudSEK report that the malware infected 18,459 devices globally, mostly in Russia, the US, India, Ukraine, and Turkey. The malware, a trojanized XWorm RAT builder, was distributed through various channels including GitHub, file hosting sites, Telegram, YouTube, and websites. While many infections were cleaned via a kill switch, some remain compromised. The malware stole data like Discord tokens, system information, and location data, and allowed remote control of infected machines.

North Korean Hackers Extort US Companies After Stealing Source Code

2025-01-24

The FBI issued a warning about North Korean hackers posing as IT workers to infiltrate US companies, steal source code, and extort ransoms. These hackers use various methods, including AI face-swapping technology, to conceal their identities. After gaining access, they copy code to personal accounts and threaten to leak information for ransom. The FBI advises companies to strengthen hiring processes, limit permissions, and monitor network traffic to prevent such attacks. A joint statement from the US, South Korea, and Japan revealed that North Korean state-sponsored hacking groups stole over $659 million in cryptocurrency in 2024.

Pwn2Own Automotive 2025: 16 Zero-Days Exploited on Day One

2025-01-23

On the first day of Pwn2Own Automotive 2025, security researchers successfully exploited 16 unique zero-day vulnerabilities, earning a total of $382,750 in prize money. Fuzzware.io took the lead, hacking Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 EV chargers. The competition highlighted critical vulnerabilities in EV chargers, in-vehicle infotainment systems, and car operating systems, underscoring the importance of cybersecurity in the automotive industry.

US Sanctions Chinese Hacker and Firm Behind Treasury and Telecom Hacks

2025-01-17

The US Treasury Department sanctioned Yin Kecheng, a Shanghai-based hacker, and Sichuan Juxinhe Network Technology Co., Ltd. for their roles in the recent breach of the Treasury Department and attacks on US telecommunication companies. Yin Kecheng, linked to China's Ministry of State Security (MSS), was involved in the Treasury Department breach, exploiting a zero-day vulnerability. Sichuan Juxinhe is associated with the Salt Typhoon hacking group, responsible for spying on high-profile targets through compromised telecom providers. The sanctions freeze their US assets and prohibit transactions with US entities. This action underscores the US commitment to combating Chinese cyber espionage.

Pastor Indicted for $5.9M Crypto Scam He Claimed Came From a Dream

2025-01-16

A pastor from a Pasco, Washington church has been indicted on 26 counts of fraud for allegedly running a cryptocurrency scam that defrauded investors of at least $5.9 million between 2021 and 2023. Francier Obando Pinillo, 51, reportedly used his position to lure investors into 'Solano Fi,' a fraudulent cryptocurrency venture he claimed came to him in a dream, promising guaranteed returns. He utilized Facebook and a Telegram group to expand his reach, attracting over 1,500 victims. The indictment alleges Pinillo misappropriated funds, displaying fake balances on a web app and employing tactics like extortion to keep the scheme going. He now faces up to 20 years in prison.

Over 3.1 Million Fake GitHub Stars Used to Promote Malware

2024-12-31

A recent study revealed over 3.1 million fake "stars" on GitHub, used to artificially inflate the popularity of scam and malware repositories. Researchers used a tool called StarScout to analyze massive datasets, identifying 278,000 accounts responsible for these fake stars across 15,835 repositories. This deceptive practice, particularly rampant in 2024, allows malicious projects to appear legitimate and reach unsuspecting users. While GitHub has removed many of the implicated accounts and repositories, the problem persists. Users are urged to carefully evaluate project quality and exercise caution when downloading software from GitHub.

New 'OtterCookie' Malware Targets Developers in Fake Job Offers

2024-12-29

Cybersecurity firms have uncovered a new malware, OtterCookie, used in the 'Contagious Interview' campaign by North Korean threat actors. This campaign lures software developers with fake job offers containing malware, including OtterCookie and previously seen malware like BeaverTail. OtterCookie is delivered through Node.js projects or npm packages, establishing communication with a command and control server via Socket.IO. It steals sensitive data, such as cryptocurrency wallet keys, documents, and images, and performs reconnaissance on the infected system. Experts warn developers to carefully vet job offers and avoid running untrusted code.
