News Posts matching #Hackers


Microsoft Reveals Cyberattack & Theft of Internal Source Code

We have provided an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM. As we said at that time, our investigation was ongoing, and we would provide additional details as appropriate.

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised. It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.

IBM Opens State-of-the-Art "X-Force Cyber Range" in Washington DC

IBM has announced the official opening of the new IBM X-Force Cyber Range in Washington, DC. The range includes new custom training exercises specifically designed to help U.S. federal agencies, their suppliers and critical infrastructure organizations more effectively respond to persistent and disruptive cyberattacks, and threats posed by AI. The state-of-the-art facility is designed to help everyone from legal and mission-critical leaders, to the C-Suite and technical security leaders prepare for a real-world cyber incident. According to IBM's 2023 Cost of a Data Breach report the global average cost of a data breach reached $4.45 million, with the US facing the highest breach costs across all regions. Organizations that formed an incident response (IR) team and tested their IR plan experienced faster incident response times and lower costs than organizations that did neither. In fact, the report found that high levels of IR planning and testing saved industry and government nearly $1.5 million in breach costs and 54 days from the data breach lifecycle.

"From national security threats to supply chain disruptions impacting the goods and services we rely on every day, cyberattacks on government and critical infrastructure can have ramifications that go far beyond the balance sheet," said Alice Fakir, Partner, Lead of Cybersecurity Services, US Federal Market for IBM Consulting. "The elite and highly customizable cyber response training we provide at our new DC range helps organizations and federal agencies better defend against existing and emerging threats, and also addresses federal mandates like those in the Biden Administration's Executive Order 14028 focused on improving the nation's cybersecurity."

McAfee Launches Privacy & Identity Guard in Staples Stores Nationwide, Helping Americans Take Control of Their Personal Data Online

Today, McAfee Corp., a global leader in online protection, announced the launch of its new McAfee Privacy & Identity Guard product available at Staples stores nationwide. McAfee's Privacy & Identity Guard will help Staples customers safeguard their identity and privacy online. In the U.S. 70% of adults are concerned about their ability to keep their information private. And more than half (52%) of U.S. adults want to be more in control of personal information and data online. Therefore, regaining control of personal data, and the data often most sought after by cybercriminals, has never been more important.

Staples customers will have access to McAfee Privacy & Identity Guard and will be able to proactively monitor and remove data online to help prevent potential identity theft and fraud. With an industry-leading set of features, McAfee Privacy & Identity Guard provides visibility into the risky places personal information is available, including the dark web, data broker sites, and sites that hold data tied to unused or old accounts. Customers can then take action to reduce the amount of personal data online and, in turn, lower the risk of identity theft.

Reports Warn of Pirated Windows 10 ISOs Containing Dangerous Malware

According to a report published by Bleeping Computer last week and research conducted by the Doctor Web team, nefarious online organizations are distributing Windows 10 ISO files laced with extremely dangerous clipper malware variants. Microsoft ceased direct sales of licenses for its last gen operating system earlier this year, and a select bunch of folks are resorting to grabbing copies (for free) from pirate sources. The Doctor Web alert states: "(we) discovered a malicious clipper program in a number of unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan app substitutes crypto wallet addresses in the clipboard with addresses provided by attackers. As of this moment, malicious actors have managed to steal cryptocurrency in an amount equivalent to about $19,000 (USD)."

It continues: "At the end of May 2023, a customer contacted Doctor Web with their suspicion that their Windows 10 computer was infected. The analysis our specialists carried out confirmed the presence of trojan applications in the system. These were Trojan.Clipper.231 stealer malware as well as the Trojan.MulDrop22.7578 dropper and Trojan.Inject4.57873 injector, which were used to launch the clipper. Doctor Web's virus laboratory successfully localized all these threats and neutralized them." It seems that hackers are hiding cryptocurrency hijackers within Extensible Firmware Interface (EFI) partitions, thus evading detection by antivirus software(s).

Money Message Ransomware Group Uploads Stolen MSI Data to Dark Web

MSI suffered a massive data breach at the start of April and the Taiwanese electronics company promptly alerted its customers about the cyberattack on its "information systems." A few days later it emerged that a relatively young ransomware group "Money Message" was behind the hacking effort - these cybercriminals stated that they had infiltrated MSI's internal network. Gang members proceeded to acquire sensitive company files, database information and source code. At the time, Money Message demanded that MSI pay them a ransom of $4 million, with the added threat of stolen data getting leaked to the general public on the internet (in the event of MSI failing to pay up).

Money Message has this week claimed that MSI has refused to meet their demands - as a result, an upload of stolen data started on Thursday with files appearing on the group's own website, and spreading to the dark web soon after. Binarly, a cybersecurity firm, has since analyzed the leaked files and discovered the presence of many private code signing keys within the breached data dump. Alex Matrosov, Binarly's CEO, states via Twitter: "Recently, MSI USA announced a significant data breach. The data has now been made public, revealing a vast number of private keys that could affect numerous devices. FW Image Signing Keys: 57 products (and) Intel Boot Guard BPM/KM Keys: 166 products." Binarly has provided a list of affected MSI devices (gaming laptops & mobile workstations) on their GitHub page.

Western Digital My Cloud Service Hacked, Customer Data Under Ransom

Western Digital has declared that its My Cloud online service has been compromised by a group of hackers late last month: "On March 26, 2023, Western Digital identified a network security incident involving Western Digital's systems. In connection with the ongoing incident, an unauthorized third party gained access to a number of the Company's systems. Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts. This investigation is in its early stages and Western Digital is coordinating with law enforcement authorities."

The statement, issued on April 4, continues: "The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate. As part of its remediation efforts, Western Digital is actively working to restore impacted infrastructure and services. Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data. While Western Digital is focused on remediating this security incident, it has caused and may continue to cause disruption to parts of the Company's business operations."

Global Law Enforcement Operation Shutters Genesis Market, a Leading Online Market Dealing in Criminality

Genesis Market, an online-fraud-facilitation website and marketplace, has today been closed by an international joint effort coordinated by various police forces. Law enforcement agencies around the world took part in synchronized raids, including at locations in the UK and USA. 208 searches have been carried out, beginning at dawn on Tuesday 4 April, and a total of 119 suspected individuals have been arrested. This operation was spearheaded by the FBI in the US and the Dutch National Police. Consequently, users of the genesis.market website have been greeted with a boastful message and infographic on the home and login pages: "Operation Cookie Monster. This website has been seized."

Sophos, a leading software and hardware security vendor, has previously identified genesis.market as "an invitation-only marketplace from which buyers can acquire stolen credentials, cookies, and digital fingerprints that are gathered from compromised systems." According to the company's research, the illegal marketplace was also identified as an Initial Access Broker (IAB) - a business that compromises systems and services, steals data, and sells it. Genesis Market specialized in illegally acquiring "credentials, cookies, and digital fingerprints". This stolen data was often sold on in individual lots, but the site also offered a longer-term supply of data packages via a subscription service. This would offer the customer an up-to-date information trail, be it the tracking of an individual person or a collective.

NVIDIA Data-breach: Hackers Demand GeForce Drivers be Made Open-Source

In the latest episode in the saga of the cyberattacks on NVIDIA servers that unleashed a motherlode of confidential information, the group behind the hack has made its second set of demands. The first one was for a ransom to prevent public disclosure, which NVIDIA possibly didn't meet. The second one is a demand for making the proprietary GeForce drivers open-source on all platforms. Failing this, the group plans to release the next chunk of the leak to the public.

This, the group claims, includes sensitive files related to the company's silicon design, including Verilog (.v) files, and VG files. They also claim to be in possession of files related to upcoming hardware, including the elusive RTX 3090 Ti, and upcoming revisions of existing silicon. The group sets until 4th March (Friday) to meet its demand.

Hackers Threaten to Release NVIDIA GPU Drivers Code, Firmware, and Hash Rate Limiter Bypass

A few days ago, we found out that NVIDIA corporation has been hacked and that attackers managed to steal around 1 TB of sensitive data from the company. This includes various kinds of files like GPU driver and GPU firmware source codes and something a bit more interesting. The LAPSUS$ hacking group responsible for the attack is now threatening to "help mining and gaming community" by releasing a bypass solution for the Lite Hash Rate (LHR) GPU hash rate limiter. As the group notes, the full LHR V2 workaround for anything between GA102-GA104 is on sale and is ready for further spreading.

Additionally, the hacking group is making blackmail demands that the company should remove the LHR from its software or share details of the "hw folder," presumably a hardware folder with various confidential schematics and hardware information. NVIDIA did not respond to these claims and had no official statement regarding the situation other than acknowledging that they are investigating an incident.

Update 01:01 UTC: The hackers have released part of their files to the public. It's an 18.8 GB RAR file, which uncompresses to over 400,000 (!) files occupying 75 GB; it's mostly source code.

Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers

In a chilling reminder of just why system software should always be manually updated and never automatically, Vice Motherboard citing Kaspersky Labs reports that hackers have compromised the Live Update servers of ASUS, making them push malware to thousands of computers configured to fetch and install updates automatically. These include not just PC motherboards, but also pre-builts such as notebooks and desktops by ASUS. Smartphones and IoT devices by ASUS are also affected. Hackers have managed to use valid ASUS digital certificates to masquerade their malware as legitimate software updates from ASUS.

Kaspersky Labs says that as many as half a million devices have fallen prey to malware pushed to them by ASUS. The cybersecurity firm says it discovered the malware in January 2019 when implementing a new supply-chain detection technology, and informed ASUS by late-January. Kaspersky even sent a technically-sound representative to meet with ASUS in February. Kaspersky claims that ASUS has since been "largely unresponsive since then and has not notified ASUS customers about the issue." ASUS is already drowning in bad-rep from the PC enthusiast community for its Armoury Crate feature that lets motherboard BIOS push software to a Windows installation through an ACPI table dubbed "the vendor's rootkit," which ASUS enabled by default on new motherboards. Who knows what recent motherboard BIOS updates have pushed into your PC through this method.

Snail Mail Malware: Chinese Hackers Go Old School

In today's world, data breaches, phishing attacks, malware, and exploits are a daily occurrence. We are all familiar with the typical phishing emails that grace our inbox day in, day out. You might even get a phone call from a fake Microsoft tech support employee, who attempts to gain access to your system. However, in our always-online world, it is a bit surprising to hear about hackers that would decide to use snail mail. In what will likely elicit a few giggles, U.S. state and local government agencies, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), have issued an alert about what I can only describe as an attack from the stone age: malware-infested CDs.

Uber Hackers Make Away with Data on 57M Riders, Company Bribes Them to Stay Mum

The world's most popular ride hailing app, Uber, was hit by a cyberattack late-2016, with the attackers making away with user-data on over 57 million riders registered with the service. The worst part? Uber allegedly bribed the hackers to keep the hack concealed from the public for a year. The company allegedly paid them over $100,000 to keep the hack hidden, and to "destroy the stolen data."

The cyber-attack compromised personal information such as "home" and "work" physical addresses (which you may have saved with Uber), e-mail addresses, full-names, and phone numbers of over 57 million Uber riders; and even more detailed information, such as driving license numbers, of the over 600,000 drivers worldwide, subscribed to the service. It's not known at this point, if the stolen data includes more sensitive details, such as credit-card numbers of the riders, or bank account details of the drivers.

Hackers Held Symantec to Ransom Over pcAnywhere Source Code Leak

Security software maker Symantec confirmed to the press that the group of hackers that obtained the source code of its pcAnywhere software was holding it to ransom. The group claims to be linked to Anonymous. The group allegedly demanded US $50,000 from Symantec in return for destroying the source code it stole; failing payment, the group threatened it would leak the source code to the public, which would expose the software to malware writers and competitors.

Symantec has apparently been in negotiations with the hacker group over preventing the leak; it even agreed to pay the group its "ransom", provided it could do so in monthly installments. The group declined, and the negotiations fell through. A transcript of this email conversation was posted on Pastebin (can be accessed here). The hackers claimed to have posted the source code of pcAnywhere (in a 2.3 GB RAR archive) on a popular BitTorrent site. In our opinion, extorting money is very un-Anonymous. Anonymous, being the self-proclaimed hacktivist group that it is, would post the source code "just for the lulz", without even getting into negotiations with Symantec.

Hackers Banning Innocent Battlefield 3 Players

If online gaming wasn't hard enough, a game-hacking site called Artificial Aiming has some members that are now targeting innocent players for PunkBuster bans in Battlefield 3. They were able to do this by corrupting a streaming PunkBuster ban list shared by certain server admins. A junior member from the Artificial Aiming forums that took the lead on this attack is focusing on servers that use GGC-Stream. He is quoted as saying,

"We have selected ggc-stream as the target since they have the most streaming bf3 servers and makes it very easy to add fake bans. In 2011 we hit them with a mass ban wave and now we are banning real players from battlelog while ggc-stream is totally unaware. We have framed 150+ bf3 players alone"

HP Printer Firmware Vulnerability Fixed: Opportunistic Lawsuit's Lost Opportunity?

Three weeks ago, we brought you news that researchers had apparently found serious vulnerabilities in the firmware of HP printers that can allow hackers to cause the fuser to overheat and almost make the paper inside catch fire. HP dismissed these claims as exaggerated, but said that they would look into it. Three days later, we reported that some enterprising New Yorker called David Goldblatt sued HP, alleging that he would not have bought their printers had he known about this problem beforehand, which seems a bit unlikely when you consider that HP is the number one printer brand by a mile. Now HP have released patches for these vulnerabilities and issued the following press release:

Square Enix December Hack: 'Nothing To See', Members' Service To Resume Soon

Following on from the hack into Square Enix's (Deus Ex, Tomb Raider franchises) servers last week, the Japanese company has been sending out an email to its members, updating them on the situation. They explain that no personal information was lifted, but have suspended their members' service while investigations continue. This rather reassuring explanation is in stark contrast to initial reports that up to 1.8 million accounts (1M in Japan, 800K in America) had had personal information lifted, such as names, phone numbers and email addresses. However, it does appear that no personal, login or credit card info was accessed in the end, the company reports (hopefully honestly). Here is that Square Enix email in full:

HP's Hackable Printers: The Lawsuit

Three days ago, we brought you news of how researchers have made proof-of-concept attacks on HP printers by reprogramming their firmware. Among other things, these attacks could deliberately cause the fuser in a printer to overheat and singe the paper, until shut down by a built-in unoverridable thermal switch, preventing a fire. Now, in light of this, a lawsuit has been filed by David Goldblatt of New York, seeking damages for fraudulent and deceptive business practices and is looking for class action status: "As a result of HP's failure to require the use of digital signatures to authenticate software upgrades, hackers are able to reprogram the HP Printers' software with malicious software without detection," the suit says. "Once the HP printers' software is maliciously reprogrammed, the HP printers can be remotely controlled by computer hackers over the Internet, who can then steal personal information, attack otherwise secure networks, and even cause physical damage to the HP printers, themselves." Note that HP has used digital signatures since 2009 to authenticate the firmware updates, helping to mitigate this potential problem in recent models.

Despite this though, HP still intends to patch the firmware to eliminate threats from this hack, which exploits bugs in the firmware. As these attacks have only actually been demonstrated in the lab and no actual losses have been incurred by Goldblatt, it makes one wonder if he is just using the prevailing American "victim culture" to try and make a quick buck off HP. HP are the top printer brand, mainly because their products are excellent, performing well and lasting a long time, plus other companies' printers and embedded devices have the same problems, so it seems unlikely that he would really not have bought HP printers.

Steam Hack More Severe Than Thought: Change Your Password NOW

Gabe Newell of Valve has issued a statement that the forum hack they experienced over the weekend actually goes much deeper than they thought. The criminals accessed the main database containing such goodies as user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. Apparently, no personally identifying information was taken - but we await the result of the full investigation before breathing a sigh of relief. Due to this serious breach, TechPowerUp advises all Steam users to change their account password immediately. People starting up their Steam client will now see the following message from Gabe Newell about this:

Steam Forums Get Nailed By Hackers

Valve, a company that operates solely online, takes its security pretty seriously and has a good reputation in this area. However, at the time of writing, its Steam forums are down, having suffered a hack attack earlier today. Visit the forums now and you see a message saying "The Steam Forums are temporarily offline for maintenance. Your patience is appreciated." This attack was apparently done by hackers who want to offer free game cheats (but one should be wary of stealthy malware payloads), since before the forums were taken down, they had planted this message:

"Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks?"

The rest of the message then recommends a website where one can obtain all sorts of illegal game cheats, hack tools and porn. Some Steam forum users even received an email with this text, such as this NeoGAF user. There's no indication that any user's account information has been compromised. However, if you haven't yet set up Steam Guard, now is a good time to do so, along with changing your password when the forums come back online. Also, be sure to use a different password for every login. Of course, many other gaming forums have been hacked in the past, and just this year saw many hacks against such big names as Nintendo, Sega, BioWare, Epic Games and of course Sony, which was hacked many times over in protest at their business practices, such as removing the OtherOS feature from their PS3 console.

Ditch The Restrictive DRM: Happy Customers Equals More Profit

Rice University and Duke University are the latest in a long line of educational institutions to fund research on the effect of using restrictive Digital Rights Management (DRM) to try and control levels of so-called "piracy", which is allegedly reducing sales of content-only, infinite goods/virtual products, such as music, movies, computer games and books. (Some observers writing about DRM replace the word "Rights", giving us the phrase Digital Restrictions Management, which seems a more accurate description of what it's really about and removes the veneer of legitimacy from it. When buying DRM'd content, you are buying digital handcuffs, nothing more, nothing less.) The universities sponsored a study called Music Downloads and the Flip Side of Digital Rights Management Protection and what it found is that contrary to popular belief amongst the big content companies, removing DRM can actually decrease levels of piracy and increase sales. The fact is that DRM is always broken by hackers and pretty quickly too, often within a day or two (there isn't a single one still standing) leaving legal users who work within its confinements with all the restrictive hassles that it imposes, while the pirates get an unencumbered product to do with as they please. How is this progress?

PowerColor Website Hacked

Readers might want to take care when visiting PowerColor's website for the next couple of days as it looks like the site has been hacked by someone with the alias DaRKHuNTeR. From a quick look the only noticeable alteration is that the news story titles have been modified, which shouldn't be too dangerous. However, the more worrying thing is what else might have been changed. For example the hacker may have potentially added malicious downloads and links, so it's probably best to avoid PowerColor's site for a while.

Hackers Launch Major Attack on US Military Labs

Hackers have succeeded in breaking into the computer systems of two of the U.S.' most important science labs, the Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Laboratory in New Mexico. In what a spokesperson for the Oak Ridge facility described as a "sophisticated cyber attack," it appears that intruders accessed a database of visitors to the Tennessee lab between 1990 and 2004, which included their social security numbers and dates of birth. Three thousand researchers reportedly visit the lab each year, a who's who of the science establishment in the U.S.

Xbox 360 Hacked

A hacker under the nickname SeventhSon has discovered a method to alter both the DVD key and game region code on Microsoft's Xbox 360, at least for the hypervisor-exploitable 4532 and 4548 kernels. A great part of this hack also involves desoldering your Xbox flash chip, something that only the technologically handy will try.

Hackers Steal U.S. Government Data From PCs

Information from the U.S. Department of Transportation and several U.S. companies was stolen by hackers who seduced employees with fake job listings in advertisements and e-mail, a computer security firm said. The companies include consulting firm Booz Allen, computer services company Unisys Corp, computer maker Hewlett-Packard Co and satellite network provider Hughes Network Systems, a unit of Hughes Communications Inc, said Mel Morris, chief executive of British Internet security provider Prevx Ltd.