NY AG Discovered Credential Stuffing Attacks Targeting Top Online Retailers, 1.1 Million Accounts

New Mexico county crippled by ransomware attack, Maricopa County demolishes AZ Senate's election audit, Elephant Beetle threat actors steals millions of dollars, FBI arrests manuscript thief, more

Jan 6

New York Attorney General Letitia James said her office notified 17 well-known online retailers, restaurant chains, and food delivery services they have been the victims of credential stuffing attacks affecting more than 1.1 million customer accounts, all of which appeared to have been compromised.

James said her office discovered the breaches after spendings months monitoring several online communities dedicated to credential stuffing. James released a “Business Guide for Credential Stuffing Attacks” that details the attacks. (Catalin Cimpanu / The Record)

Maricopa County, AZ released a 93-page, point-by-point report debunking the Senate’s $4 million audit of the 2020 election conducted by a previously little-known firm known as Cyber Ninjas that erroneously called into question the legitimacy of more than 53,000 votes.

The county’s report found few instances of fraud and debunked claims of irregularities in the county’s voting systems. The county found 37 cases of potential voter fraud and 50 cases in which a ballot may have been counted twice, slim numbers that would have made no difference in the 2020 election outcome in the county. (Rosalind S. Helderman / Washington Post)

Related: Maricopa County, Washington Post, CNN, AZ Central

Government buildings in Bernalillo County, New Mexico, were closed to the public Wednesday in response to what appears to be the first ransomware attack this year against a local government in the United States. The county’s websites appear to be offline too.

Officials say the county took the systems offline in response to the incident, which has not been attributed to any known malicious actor. A ransom demand has not been identified either. (Benjamin Freed / Statescoop)

Related: KQRE, Associated Press, The Record

Researchers at Sygnia discovered that a financially-motivated actor dubbed Elephant Beetle is stealing millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts.

After months of studying the victim’s environment, the actors inject fraudulent transactions into the network and steal small amounts over long periods, leading to the widespread theft of millions of dollars. They lay low for a while and return through a different system if spotted. (Bill Toulas / Bleeping Computer)

Honda and Acura cars have been hit with the Year 2022 bug, or Y2K22, that resets the navigation system's clock to January 1st, 2002, with no way to change it.

Honda and Acura car owners report that the Y2K22 bug affects almost all older cars, including Honda Pilot, Odyssey, CRV, Ridgeline, Odyssey and Acura MDX, RDX, CSX, and TL models. An update for the navigation system will likely be released to resolve the issue. (Lawrence Abrams / Bleeping Computer)

Related: Ars Technica, The Hacker News, TechTimes

On the heels of the RSA postponing its conference until June, two more security conferences have been postponed in the face of a rising wave of COVID-19 infections.

ShmooCon, a conference initially scheduled to be held on January 14-16, was postponed to March 24-26, while S4, the security conference that hosts the Pwn2Own ICS hacking contest, has announced plans to reschedule its initial January 25-27 event to a date later this spring. (Catalin Cimpanu / The Record)

Related: Shmoocon

Zero Day Initiative @thezdi

#Pwn2Own Miami will also be postponed until #S4x22 can be rescheduled. We will update specific dates once we have them. We still look forward to seeing everyone in Miami this year.

Dale Peterson @digitalbond

#S4x22 is postponed from Jan 25 - 27 to a late spring date we are working on, see https://t.co/7AXKaja1GE 3-days, 5-venues is taking a bit of work to get new dates. Will let you know as soon as we get it all arranged. Details on tickets, hotel block, etc. in the article.

Security firm ZecOps said that it found a way to block and then simulate an iOS restart operation, a technique they believe could be advantageous to attackers who may want to trick users into thinking they rebooted their device and, as a result, maintain access for their malware on that infected system.

The researchers developed a technique they called NoReboot that taps into SpringBoard (the Apple iOS UI app, also known as the Home Screen) and Backboardd (the daemon behind SpringBoard) to detect and intercept a phone restart command (such as pressing the Volume Down + Power buttons) and then disabling the SpringBoard UI instead of shutting down the entire OS. The technique effectively leaves the iPhone screen with no UI, mimicking the state a device is usually in when it is turned off but leaving the device still powered on without a user interface. However, no iOS malware has been seen or publicly documented using a trick resembling NoReboot. (Catalin Cimpanu / The Record)

Related: ZecOps

The Facebook page of the Tripler Army Medical Center in Hawaii was defaced, and its location was temporarily updated to London, England.

The message read, “Who the fuck runs this page as you’ve hacked my bank and stolen $400 from a single parent who just tried to do her shopping and can’t cause you scammed her bank account but somehow have now linked your account to mine.” The Facebook page’s banner also noted the supposed grift that had been committed, reading “SCAM.” (Max Hauptman / Task and Purpose)

Related: Stars and Stripes

Tripler Army Medical Center @tripleramc

Our Facebook account has been hacked, we are working on it. Meanwhile, we will continue to post information here and via our Instagram page. Thank you for your patience. Login • InstagramWelcome back to Instagram. Sign in to check out what your friends, family & interests have been capturing & sharing around the world.instagram.com

Google issued updates to its Chrome web browser for 2022 to fix 37 security issues. One of them is rated Critical in severity and could be exploited to pass arbitrary code and gain control over a victim's system.

The critical flaw, CVE-2022-0096, relates to a use-after-free bug in the Storage component, which could have devastating effects ranging from corruption of valid data to the execution of malicious code on a compromised machine. Security researcher Yangkang of Qihoo 360 ATA is credited with discovering the flaw. (Ravie Lakshmanan / The Hacker News)

Related: Security Week, ZDNet, CISA

The FBI arrested a man, Filippo Bernardini, a rights coordinator for Simon & Schuster UK, who the Bureau says “impersonated, defrauded, and attempted to defraud, hundreds of individuals” over five or more years, obtaining hundreds of unpublished manuscripts in the process. Bernardini was arrested after landing at John F. Kennedy International Airport and charged with wire fraud and aggravated identity theft in the U.S. District Court for the Southern District of New York.

According to the indictment, Bernardini would send emails impersonating real people in the publishing industry using fake email addresses that used slightly tweaked domain names like penguinrandornhouse.com instead of penguinrandomhouse.com to trick writers into sending him their manuscripts. He also allegedly targeted a New York City-based literary scouting company by setting up impostor login pages that prompted his victims to enter their usernames and passwords, which gave him broad access to the scouting company’s database. Works by high-profile writers and celebrities like Margaret Atwood and Ethan Hawke were targeted in the scam along with the works of first-time writers. (Elizabeth A. Harris / New York Times)

Related: The Guardian

Nicole Perlroth @nicoleperlroth

Our book thief CAUGHT. A 29 year old Simon & Schuster UK employee, Filippo Bernardini, has been arrested in connection with the theft of unpublished manuscripts in the mystery @Liz_A_Harris and I covered in 2020 nytimes.com/2022/01/05/boo… For background:

F.B.I. Arrests Man Accused of Stealing Unpublished Book ManuscriptsFilippo Bernardini, an Italian citizen who worked in publishing, was charged with wire fraud and identity theft for a scheme that prosecutors said affected hundreds of people over five or more years.nytimes.com

France's data privacy watchdog CNIL said it had fined Alphabet's Google a record 150 million euros ($169 million) for making it difficult for internet users to refuse online trackers known as cookies. Meta Platforms' Facebook was also fined 60 million euros ($67.9 million) for the same reason.

In its statement, the watchdog said it had found that the facebook.com, google.fr, and youtube.com websites didn't allow the refusal of cookies easily, citing Google's video-streaming platform. (Mathieu Rosemain / Reuters)

In a Series B venture funding round, critical infrastructure security company Xage raised $30 million.

Piva led the round with participation from Momenta, Valor Equity Partners, and OurCrowd, along with existing investors March Capital, City Light Capital, Saints Capital, and Saudi Aramco Energy Ventures. (Ron Miller / TechCrunch)

Related: SiliconANGLE, Globe Newswire, Axios, Pitchbook

Cybersecurity risk management platform startup Fortifydata raised $7 million in a seed and seed extension venture funding round.

TechSquare Ventures led the round with the participation of Panoramic Ventures, SoftBank’s SB Opportunity Fund, and Oval Park Capital. (Erin Schilling / Atlanta Inno)

Related: WRAL Tech Wire

TrojAI, a cybersecurity platform for AI Solutions, raised $2.4 million in a seed funding round.

Build Ventures and Flying Fish Venture led the round. (FinSMEs)

Related: BetaKit, Benzinga, Country.94