Security

New Windows 11 build adds self-healing “quick machine recovery” feature

Preview build 27898 also includes a feature that will shrink Taskbar items if you’ve got too many pins or running apps for everything to fit at once, changes the pop-up that apps use to ask for access to things like the system webcam or microphone, and allows you to add words to the dictionary used for the speech-to-text voice access features, among a handful of other changes.

It’s hard to predict when any given Windows Insider feature will roll out to the regular non-preview versions of Windows, but we’re likely just a few months out from the launch of Windows 11 25H2, this year’s “annual feature update.” Some of these updates, like last year’s 24H2, are fairly major overhauls that make lots of under-the-hood changes. Others, like 2023’s 23H2, mostly exist to change the version number and reset Microsoft’s security update clock, as each yearly update is only promised new security updates for two years after release.

The 25H2 update looks like one of the relatively minor ones. Microsoft says that the two versions “use a shared servicing branch,” and that 25H2 features will be “staged” on PCs running Windows 11 24H2, meaning that the code will be installed on systems via Windows Update but that they’ll be disabled initially. Installing the 25H2 “update” when it’s available will merely enable features that were installed but dormant.

Pro basketball player and 4 youths arrested in connection to ransomware crimes

Authorities in Europe have detained five people, including a former Russian professional basketball player, in connection with crime syndicates responsible for ransomware attacks.

Until recently, one of the suspects, Daniil Kasatkin, played for MBA Moscow, a basketball team that’s part of the VTB United League, which includes teams from Russia and other Eastern European countries. Kasatkin also briefly played for Penn State University during the 2018–2019 season. He has denied the charges.

Unrelated ransomware attacks

The AFP and Le Monde on Wednesday reported that Kasatkin was arrested and detained on June 21 in France at the request of US authorities. The arrest occurred as the basketball player was at the de Gaulle airport while traveling with his fiancée, whom he had just proposed to. The 26-year-old has been under extradition arrest since June 23, Wednesday’s news report said.

US prosecutors accuse Kasatkin of having negotiated ransom payments with organizations that had been hacked by an unnamed ransomware syndicate responsible for 900 different breaches. A US arrest warrant said he is wanted for “conspiracy to commit computer fraud” and “computer fraud conspiracy.”

An attorney for Kasatkin said his client is innocent of all charges.

“He bought a second-hand computer,” the attorney told reporters. The attorney continued:

He did absolutely nothing. He’s stunned. He’s useless with computers and can’t even install an application. He didn’t touch anything on the computer. It was either hacked, or the hacker sold it to him to act under the cover of another person.

US authorities are currently in the process of extraditing Kasatkin.

Browser extensions turn nearly 1 million browsers into website-scraping bots

Extensions installed on almost 1 million devices have been overriding key security protections to turn browsers into engines that scrape websites on behalf of a paid service, a researcher said.

The 245 extensions, available for Chrome, Firefox, and Edge, have racked up nearly 909,000 downloads, John Tuckner of SecurityAnnex reported. The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers. The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions.

Intentional weakening of browsing protections

Tuckner and critics say the monetization works by using the browser extensions to scrape websites on behalf of paying customers, which include advertisers. Tuckner reached this conclusion after uncovering close ties between MellowTel and Olostep, a company that bills itself as “the world’s most reliable and cost-effective Web scraping API.” Olostep says its service “avoids all bot detection and can parallelize up to 100K requests in minutes.” Paying customers submit the locations of browsers they want to access specific webpages. Olostep then uses its installed base of extension users to fulfill the request.

“This seems very similar to the scraping instructions we saw while watching the MellowTel library in action,” Tuckner wrote after analyzing the MellowTel code. “I believe we have good reason to think that scraping requests from Olostep are distributed to any of the active extensions which are running the MellowTel library.”

MellowTel’s founder, for his part, has said the purpose of the library is “sharing [users’] bandwidth (without stuffing affiliate links, unrelated ads, or having to collect personal data).” He went on to say that the “primary reason why companies are paying for the traffic is to access publicly available data from websites in a reliable and cost-effective way.” The founder said extension developers receive 55 percent of the revenue, and MellowTel pockets the rest.

Critical CitrixBleed 2 vulnerability has been under active exploit for weeks

A critical vulnerability allowing hackers to bypass multifactor authentication in network management devices made by Citrix has been actively exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild exploitation.

Tracked as CVE-2025-5777, the vulnerability shares similarities with CVE-2023-4966, a security flaw nicknamed CitrixBleed, which led to the compromise of 20,000 Citrix devices two years ago. The list of Citrix customers hacked in the CitrixBleed exploitation spree included Boeing, Australian shipping company DP World, Commercial Bank of China, and the Allen & Overy law firm. A Comcast network was also breached, allowing threat actors to steal password data and other sensitive information belonging to 36 million Xfinity customers.

Giving attackers a head start

Both CVE-2025-5777 and CVE-2023-4966 reside in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. The vulnerability causes vulnerable devices to leak—or “bleed”—small chunks of memory contents after receiving modified requests sent over the Internet.

By repeatedly sending the same requests, hackers can piece together enough data to reconstruct credentials. The original CitrixBleed had a severity rating of 9.8. CitrixBleed 2 has a severity rating of 9.2.

Citrix disclosed the newer vulnerability and released a security patch for it on June 17. In an update published nine days later, Citrix said it was “currently unaware of any evidence of exploitation.” The company has provided no updates since then.

Researchers, however, say that they have found evidence that CitrixBleed 2, as the newer vulnerability is being called, has been actively exploited for weeks. Security firm Greynoise said Monday that a search through its honeypot logs found exploitation as early as July 1. On Tuesday, independent researcher Kevin Beaumont said telemetry from those same honeypot logs indicates that CitrixBleed 2 has been exploited since at least June 23, three days before Citrix said it had no evidence of such attacks.

Citrix’s failure to disclose active exploitation is only one of the details researchers say was missing from the advisories. Last week, security firm watchTowr published a post titled “How Much More Must We Bleed? – Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777).” It criticized Citrix for withholding indicators that customers could use to determine if their networks were under attack. On Monday, fellow security firm Horizon3.ai said much the same thing. Company researchers wrote:

Unless users take action, Android will let Gemini access third-party apps

Starting today, Google is implementing a change that will enable its Gemini AI engine to interact with third-party apps, such as WhatsApp, even when users previously configured their devices to block such interactions. Users who don’t want their previous settings to be overridden may have to take action.

An email Google sent recently informing users of the change linked to a notification page that said that “human reviewers (including service providers) read, annotate, and process” the data Gemini accesses. The email provides no useful guidance for preventing the changes from taking effect. The email said users can block the apps that Gemini interacts with, but even in those cases, data is stored for 72 hours.

An email Google recently sent to Android users.

No, Google, it’s not good news

The email never explains how users can fully extricate Gemini from their Android devices and seems to contradict itself on how or whether this is even possible. At one point, it says the changes “will automatically start rolling out” today and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” A few sentences later, the email says, “If you have already turned these features off, they will remain off.” Nowhere in the email or the support pages it links to are Android users informed how to remove Gemini integrations completely.

Compounding the confusion, one of the linked support pages requires users to open a separate support page to learn how to control their Gemini app settings. Following the directions from a computer browser, I accessed the settings of my account’s Gemini app. I was reassured to see the text indicating no activity has been stored because I have Gemini turned off. Then again, the page also said that Gemini was “not saving activity beyond 72 hours.”

Provider of covert surveillance app spills passwords for 62,000 users

The maker of a phone app that is advertised as providing a stealthy means for monitoring all activities on an Android device spilled email addresses, plain-text passwords, and other sensitive data belonging to 62,000 users, a researcher discovered recently.

A security flaw in the app, branded Catwatchful, allowed researcher Eric Daigle to download a trove of sensitive data, which belonged to account holders who used the covert app to monitor phones. The leak, made possible by a SQL injection vulnerability, allowed anyone who exploited it to access the accounts and all data stored in them.

Unstoppable

Catwatchful creators emphasize the app’s stealth and security. While the promoters claim the app is legal and intended for parents monitoring their children’s online activities, the emphasis on stealth has raised concerns that it’s being aimed at people with other agendas.

“Catwatchful is invisible,” a page promoting the app says. “It cannot be detected. It cannot be uninstalled. It cannot be stopped. It cannot be closed. Only you can access the information it collects.”

The promoters go on to say users “can monitor a phone without [owners] knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.”

AT&T rolls out Wireless Account Lock protection to curb the SIM-swap scourge

AT&T is rolling out a protection that prevents unauthorized changes to mobile accounts as the carrier attempts to fight a costly form of account hijacking that occurs when a scammer swaps out the SIM card belonging to the account holder.

The technique, known as SIM swapping or port-out fraud, has been a scourge that has vexed wireless carriers and their millions of subscribers for years. An indictment filed last year by federal prosecutors alleged that a single SIM swap scheme netted $400 million in cryptocurrency. The stolen funds belonged to dozens of victims who had used their phones for two-factor authentication to cryptocurrency wallets.

Wireless Account Lock debut

A separate scam from 2022 gave unauthorized access to a T-Mobile management platform that subscription resellers, known as mobile virtual network operators, use to provision services to their customers. The threat actor gained access using a SIM swap of a T-Mobile employee, a phishing attack on another T-Mobile employee, and at least one compromise of an unknown origin.

This class of attack has existed for well over a decade, and it became more commonplace amid the irrational exuberance that drove up the price of bitcoin and other cryptocurrencies. In some cases, scammers impersonate existing account holders who want a new phone number for their account. At other times, they simply bribe the carrier’s employees to make unauthorized changes.

US critical infrastructure exposed as feds warn of possible attacks from Iran

Hackers working on behalf of the Iranian government are likely to target industrial control systems used at water treatment plants and other critical infrastructure to retaliate against recent military strikes by Israel and the US, federal government agencies are warning. One cybersecurity company says many US-based targets aren’t adequately protected against the threat.

“Based on the current geopolitical environment, Iranian-affiliated cyber actors may target US devices and networks for near-term cyber operations,” an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, FBI, Department of Defense Cyber Crime Center, and the National Security Agency stated. “Defense Industrial Base (DIB) companies, particularly those possessing holdings or relationships with Israeli research and defense firms, are at increased risk.”

Easy targets

Of particular interest to the would-be hackers are control systems that automate industrial processes inside water treatment plants, dams, and other critical infrastructure, particularly when those systems are manufactured by Israel-based companies. Between November 2023 and January 2024, near the onset of the conflict between Israel and Hamas, federal agencies said hackers affiliated with the Iranian Islamic Revolutionary Guard Corps actively targeted and compromised Israeli-made programmable-logic controllers and human-machine interfaces used in multiple sectors, including US Water and Wastewater Systems facilities. At least 75 devices, including at least 34 in US-based water facilities, were compromised.

Hackers in those operations targeted Unitronics Vision Series devices that automate processes inside water facilities. After gaining control of the devices, the hackers interfered with their ability to function normally. The actors also introduced changes that prevented the devices from being remotely accessed by administrators. The hacked devices were either protected by default passwords or no password at all, making them easy targets.

Drug cartel hacked FBI official’s phone to track and kill informants, report says

The Sinaloa drug cartel in Mexico hacked the phone of an FBI official investigating kingpin Joaquín “El Chapo” Guzmán as part of a surveillance campaign “to intimidate and/or kill potential sources or cooperating witnesses,” according to a recently published report by the Justice Department.

The report, which cited an “individual connected to the cartel,” said a hacker hired by its top brass “offered a menu of services related to exploiting mobile phones and other electronic devices.” The hired hacker observed “’people of interest’ for the cartel, including the FBI Assistant Legal Attache, and then was able to use the [attache’s] mobile phone number to obtain calls made and received, as well as geolocation data, associated with the [attache’s] phone.”

“According to the FBI, the hacker also used Mexico City’s camera system to follow the [attache] through the city and identify people the [attache] met with,” the heavily redacted report stated. “According to the case agent, the cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses.”

The report didn’t explain what technical means the hacker used.

Existential threat

The report said the 2018 incident was one of many examples of “ubiquitous technical surveillance” threats the FBI has faced in recent decades. UTS, as the term is abbreviated, is defined as the “widespread collection of data and application of analytic methodologies for the purpose of connecting people to things, events, or locations.” The report identified five UTS vectors, including visual and physical, electronic signals, financial, travel, and online.

While the UTS threat has been longstanding, the report authors said, recent advances in commercially available hacking and surveillance tools are making such surveillance easier for less sophisticated nations and criminal enterprises. Sources within the FBI and CIA have called the threat “existential,” the report authors said.

A second example of UTS threatening FBI investigations occurred when the leader of an organized crime family suspected an employee of being an informant. In an attempt to confirm the suspicion, the leader searched call logs of the suspected employee’s cell phone for phone numbers that might be connected to law enforcement.

Microsoft changes Windows in attempt to prevent next CrowdStrike-style catastrophe

Working with third-party companies to define these standards and address those companies’ concerns seems to be Microsoft’s way of trying to avoid that kind of controversy this time around.

“We will continue to collaborate deeply with our MVI partners throughout the private preview,” wrote Weston.

Death comes for the blue screen

Microsoft is changing the “b” in BSoD, but that’s less interesting than the under-the-hood changes. Credit: Microsoft

Microsoft’s post outlines a handful of other security-related Windows tweaks, including some that take alternate routes to preventing more CrowdStrike-esque outages.

Multiple changes are coming for the “unexpected restart screen,” the less-derogatory official name for what many Windows users know colloquially as the “blue screen of death.” For starters, the screen will now be black instead of blue, a change that Microsoft briefly attempted to make in the early days of Windows 11 but subsequently rolled back.

The unexpected restart screen has been “simplified” in a way that “improves readability and aligns better with Windows 11 design principles, while preserving the technical information on the screen for when it is needed.”

But the more meaningful change is under the hood, in the form of a new feature called “quick machine recovery” (QMR).

If a Windows PC has multiple unexpected restarts or gets into a boot loop—as happened to many systems affected by the CrowdStrike bug—the PC will try to boot into Windows RE, a stripped-down recovery environment that offers a handful of diagnostic options and can be used to enter Safe Mode or open the PC’s UEFI firmware. QMR will allow Microsoft to “broadly deploy targeted remediations to affected devices via Windows RE,” making it possible for some problems to be fixed even if the PCs can’t be booted into standard Windows, “quickly getting users to a productive state without requiring complex manual intervention from IT.”

QMR will be enabled by default on Windows 11 Home, while the Pro and Enterprise versions will be configurable by IT administrators. The QMR functionality and the black version of the blue screen of death will both be added to Windows 11 24H2 later this summer. Microsoft plans to add additional customization options for QMR “later this year.”

Actively exploited vulnerability gives extraordinary control over server fleets

On Wednesday, CISA added CVE-2024-54085 to its list of vulnerabilities known to be exploited in the wild. The notice provided no further details.

In an email on Thursday, Eclypsium researchers said the scope of the exploits has the potential to be broad:

  • Attackers could chain multiple BMC exploits to implant malicious code directly into the BMC’s firmware, making their presence extremely difficult to detect and allowing them to survive OS reinstalls or even disk replacements.
  • By operating below the OS, attackers can evade endpoint protection, logging, and most traditional security tools.
  • With BMC access, attackers can remotely power on or off, reboot, or reimage the server, regardless of the primary operating system’s state.
  • Attackers can scrape credentials stored on the system, including those used for remote management, and use the BMC as a launchpad to move laterally within the network.
  • BMCs often have access to system memory and network interfaces, enabling attackers to sniff sensitive data or exfiltrate information without detection.
  • Attackers with BMC access can intentionally corrupt firmware, rendering servers unbootable and causing significant operational disruption.

With no publicly known details of the ongoing attacks, it’s unclear which groups may be behind them. Eclypsium said the most likely culprits would be espionage groups working on behalf of the Chinese government. All five of the specific APT groups Eclypsium named have a history of exploiting firmware vulnerabilities or gaining persistent access to high-value targets.

Eclypsium said the line of vulnerable AMI MegaRAC devices uses an interface known as Redfish. Server makers known to use these products include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm. Some, but not all, of these vendors have released patches for their wares.

Given the damage possible from exploitation of this vulnerability, admins should examine all BMCs in their fleets to ensure they aren’t vulnerable. With products from so many different server makers affected, admins should consult with their manufacturer when unsure if their networks are exposed.

Ubuntu disables Intel GPU security mitigations, promises 20% performance boost

Ubuntu users could see up to a 20 percent boost in graphics performance on Intel-based systems under a change that will turn off security mitigations for blunting a class of attacks known as Spectre.

Spectre, you may recall, came to public notice in 2018. Spectre attacks are based on the observation that performance enhancements built into modern CPUs open a side channel that can leak secrets a CPU is processing. The performance enhancement, known as speculative execution, predicts future instructions a CPU might receive and then performs the corresponding tasks before they are even called. If the instructions never come, the CPU discards the work it performed. When the prediction is correct, the CPU has already completed the task.

By using code that forces a CPU to execute carefully selected instructions, Spectre attacks can extract confidential data that the CPU would have accessed had it carried out the ghost instructions. Over the past seven years, researchers have uncovered multiple attack variants based on the architectural flaws, which are unfixable. CPU manufacturers have responded by creating patches in both microcode and binary code that restrict speculative execution operations in certain scenarios. These restrictions, of course, usually degrade CPU performance.

When the investment costs more than the return

Over time, those mitigations have degraded graphics processing performance by as much as 20 percent, a member of the Ubuntu development team recently reported. Additionally, the team member said, Ubuntu will integrate many of the same mitigations directly into its kernel, specifically in the Questing Quokka release scheduled for October. In consultation with their counterparts at Intel, Ubuntu security engineers have decided to disable the mitigations in the device driver for the Intel Graphics Compute Runtime.

“After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level,” Ubuntu developer Shane McKee wrote. He continued:

At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.

McKee went on to say that as a result, “Users can expect up to 20% performance improvement.”
