Cybersecurity

The fallout from the malicious tj-actions/changed-files is still being investigated. It is fortuitous that this malicious commit was identified fairly quickly, as further compromise of major OSS components and projects could lead to a kind of chain reaction.

• https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
• https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/

#infosec #cybersecurity

#Cisco #IOSXR vulnerability lets attackers crash #BGP on routers

https://www.bleepingcomputer.com/news/security/cisco-vulnerability-lets-attackers-crash-bgp-on-ios-xr-routers/

#cybersecurity

#ClickFix: How to Infect Your #PC in Three Easy Steps

https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/

#malware #cybersecurity #Windows

Elon Musk’s X has been hit by three waves of outages since this morning, which the billionaire claims was due to a cyberattack. Experts say it's too early to tell the cause. Read more at @CNN. #X #Twiter #Cybersecurity #Cyberattack #ElonMusk https://flip.it/LM01E-

Google's newest AI model can peruse your search history to improve its understanding of you as a person. @[email protected] asks: What could go wrong? #Google #AI #Gemeni #Cybersecurity #Tech #Technology https://flip.it/afRE32

A 55-year-old software developer faces up to 10 years in prison for deploying malicious code that sabotaged his former employer's network. Via @ArsTechnica. #Malware #Tech #Technology #Cybersecurity https://flip.it/QhHHuG

"ARTICLE 19’s new report reveals how China is expanding its digital authoritarian model of cybersecurity governance across the Indo-Pacific, posing a grave threat to people’s rights – regionally and globally.

Through its Digital Silk Road, China is not only developing digital infrastructure, but also aggressively promoting its own norms for governing these technologies. One area where this is most pronounced is in the promotion of cybersecurity norms. The success of China’s digital norms-setting in this critical realm of internet governance risks supercharging digital authoritarianism regionally – and normalising Beijing’s model internationally – at the expense of human rights, internet freedom, and democracy.

Cybersecurity with Chinese Characteristics establishes a baseline understanding of China’s repressive cybersecurity norms and reveals how it is smuggling them, via the Trojan Horse of digital development, into 3 Indo-Pacific countries: Indonesia, Pakistan, and Vietnam. It also presents a compelling alternative model of cybersecurity governance: Taiwan’s transparent, rights-based, multi-stakeholder approach."

https://www.article19.org/resources/china-taiwan-cybersecurity/

#CyberSecurity #China #Taiwan #DigitalAuthoritarianism #HumanRights #DigitalRights #DigitalSilkRoad

🏅 Already earned the essential certs? Take your career to the next level!

With 20+ vendor-neutral certifications, you can specialize in:
✳️ Cloud & infrastructure observability
✳️ Digital trust
✳️ Finance
✳️ Cybersecurity & more!

Explore all certifications: 🔗 https://training.linuxfoundation.org/certification-catalog/

#CloudNative #DigitalTrust #Finance #Cybersecurity

ShadowDragon, a contractor for ICE and other government agencies, has developed a tool that lets analysts more easily pull an individual’s publicly available data from a wide array of sites, social networks, apps, and services across the web. @404media has the story. #ICE #SocialMedia #ShadowDragon #Tech #Technology #CyberSecurity https://flip.it/Rjm1ZI

"Signal President Meredith Whittaker warned Friday that agentic AI could come with a risk to user privacy.

Speaking onstage at the SXSW conference in Austin, Texas, the advocate for secure communications referred to the use of AI agents as “putting your brain in a jar,” and cautioned that this new paradigm of computing — where AI performs tasks on users’ behalf — has a “profound issue” with both privacy and security.

Whittaker explained how AI agents are being marketed as a way to add value to your life by handling various online tasks for the user. For instance, AI agents would be able to take on tasks like looking up concerts, booking tickets, scheduling the event on your calendar, and messaging your friends that it’s booked.

“So we can just put our brain in a jar because the thing is doing that and we don’t have to touch it, right?,” Whittaker mused.

Then she explained the type of access the AI agent would need to perform these tasks, including access to our web browser and a way to drive it as well as access to our credit card information to pay for tickets, our calendar, and messaging app to send the text to your friends."

https://techcrunch.com/2025/03/07/signal-president-meredith-whittaker-calls-out-agentic-ai-as-having-profound-security-and-privacy-issues/

#CyberSecurity #Privacy #AI #AIAgents #GenerativeAI

"The U.K. government appears to have quietly scrubbed encryption advice from government web pages, just weeks after demanding backdoor access to encrypted data stored on Apple’s cloud storage service, iCloud.

The change was spotted by security expert Alec Muffett, who wrote in a blog post on Wednesday that the U.K.’s National Cyber Security Centre (NCSC) is no longer recommending that high-risk individuals use encryption to protect their sensitive information.

The NCSC in October published a document titled “Cybersecurity tips for barristers, solicitors & legal professionals,” that advised the use of encryption tools such as Apple’s Advanced Data Protection (ADP).

ADP allows users to turn on end-to-end encryption for their iCloud backups, effectively making it impossible for anyone, including Apple and government authorities, to view data stored on iCloud."

https://techcrunch.com/2025/03/06/uk-quietly-scrubs-encryption-advice-from-government-websites/

#UK #CyberSecurity #Encryption #Surveillance #Apple #iCloud

"The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking more than 100 American organizations, including the U.S. Treasury, over the course of a decade.

The charged individuals all played a “key role” in China’s hacker-for-hire ecosystem, a senior DOJ official said on a background call with reporters, including TechCrunch, on Wednesday. The official added that those charged, which includes contract hackers and Chinese law enforcement officials, targeted organizations in the U.S. and worldwide for the purposes of “suppressing free speech and religious freedoms.”

The DOJ also confirmed that two of the indicted individuals are linked to the China government-backed hacking group APT27, or Silk Typhoon."

https://techcrunch.com/2025/03/05/justice-department-charges-chinese-hackers-for-hire-linked-to-treasury-breach/

#USA #CyberSecurity #DoJ #China #StateHacking #APT27 #SilkTyphoon

Thomas Caspers ist seit dem 1. März unser neuer BSI-Vizepräsident. 😃 In unserem StackTalk löchert ihn Tobi aus unserem Social-Media-Team mit Fragen.❓️Schaut rein und erfahrt, ob er einen grünen Daumen hat, welche Serie er momentan am liebsten schaut oder was seine erste Handlung als #Vizepräsident sein wird.

#Cybersicherheit #Cybersecurity #itsicherheit #bsi

The UK, led by absolute donkeys, probably thinks just because they speak with a different accent from the USians means Chinese state hackers aren't salivating at redoing what they did, which is to exploit the government's own backdoor to telcos.

Worse, they made me support Apple.

https://arstechnica.com/tech-policy/2025/03/apple-appeals-uks-secret-demand-for-backdoor-access-to-encrypted-user-data/ #UKpol #CyberSecurity

VMSA-2025-0004: #VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

VMCI heap-overflow vulnerability (CVE-2025-22224): A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

VMware ESXi arbitrary write vulnerability (CVE-2025-22225): A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

HGFS information-disclosure vulnerability (CVE-2025-22226): A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

#CVE_2025_22224 #CVE_2025_22225 #CVE_2025_22226 #infosec #cybersecurity

U.S. Defense Secretary Pete Hegseth reportedly orders a halt to offensive cyber operations against Russia.

NBC News reports: "Russia has intensified cyber operations against Ukraine and NATO countries, according to previous U.S. intelligence and private sector reports."

https://flip.it/TA.5hT

#Hegseth #Russia #News #Trump #Putin #Cybersecurity #NATO

"A federal judge has ordered Trump administration officials involved in Elon Musk’s “opaque” Department of Government Efficiency to testify under oath in one of the sprawling lawsuits seeking to block DOGE’s access to sensitive government databases.

U.S. District Judge John Bates agreed Thursday that “very limited” efforts to question officials connected to DOGE would help clarify what exactly the group is doing and whether it poses the risks to sensitive data that government employees fear. Bates’ order will allow unions and liberal groups suing to question four officials: one from DOGE’s White House headquarters and one each from the Labor Department, the Department of Health and Human Services and the Consumer Financial Protection Bureau.

While the bureaucracy-slashing DOGE effort has sparked more than a dozen lawsuits, the order from Bates is the first that would force people involved in the project to answer questions from lawyers outside the government.

Those depositions will be capped at eight hours in total, ruled Bates, a Washington-based appointee of President George W. Bush."

https://www.politico.com/news/2025/02/27/doge-depositions-union-lawsuits-00206542

#USA #Trump #Musk #DOGE #CyberSecurity #Privacy #DataProtection

Just two months into 2025, we’ve already seen several data breaches affecting the personal information of millions of people, setting up what could be a year unlike any we’ve seen. @Techcrunch breaks down each of the biggest breaches (Yes, DOGE’s access of U.S. federal government data makes the list):

https://flip.it/v0gym6

#Tech #CyberSecurity #Security #DataBreach #Data

"A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group, a leading French telecommunications operator and digital service provider.

The threat actor published on a hacker forum details about the stolen data after trying to extort the company unsuccessfully.

Orange confirmed the breach to BleepingComputer saying that it occurred on a non-critical application. The company intiated an investigation and is working to minimize the impact of the incident.

According to the threat actor, who uses the alias Rey and is a member of the HellCat ransomware group, the stolen data is mostly from the Romanian branch of the company and includes 380,000 unique email addresses, source code, invoices, contracts, customer and employee information."

https://www.bleepingcomputer.com/news/security/orange-group-confirms-breach-after-hacker-leaks-company-documents/

#CyberSecurity #Romania #Orange #Jira #DataBreaches #Hacking

Encryption backdoors are like leaving the door open for a totalitarian society... I don't see why people are unable to understand this...

"If they're going to cave into Zuck's demand to facilitate spying on Instagram users, do we really think they'll resist Kier Starmer's demands to remove Signal – and any other app that stands up to the Snooper's Charter – from the App Store?

It goes without saying that the "bad guys" the UK government claims it wants to target will be able to communicate in secret no matter what Apple does here. They can just use an Android phone and sideload a secure messaging app, or register an iPhone in Ireland or any other country and bring it to the UK. The only people who will be harmed by the combination of the British government's reckless disregard for security, and Apple's designs that trade the security of its users for the security of its shareholders are millions of law-abiding Britons, whose most sensitive data will be up for grabs by anyone who hacks their accounts."

https://pluralistic.net/2025/02/25/sneak-and-peek/

#CyberSecurity #UK #Apple #Encryption #Backdoors #Privacy #Totalitarianism #iCloud

"The furor after Apple removed full iCloud security for U.K. users may feel a long way from American users this weekend. But it’s not — far from it. What has just shocked the U.K. is exactly what the FBI told me it also wants in the U.S. “Lawful access” to any encrypted user data. The bureau’s quiet warning was confirmed just a few weeks ago.

The U.K. news cannot be seen in isolation and follows years of battling between big tech and governments over warranted, legal access to encrypted messages and content to fuel investigations into serious crimes such as terrorism and child abuse.

As I reported in 2020, “it is looking ever more likely that proponents of end-to-end security, the likes of Facebook and Apple, will lose their campaign to maintain user security as a priority.” It has taken five years, but here we now are.

The last few weeks may have seemed to signal a unique fork in the road between the U.S. and its primary Five Eyes ally, the U.K. But it isn’t. In December, the FBI and CISA warned Americans to stop sending texts and use encrypted platforms instead. And now the U.K. has forced open iCloud to by threatening to mandate a backdoor. But the devil’s in the detail — and we’re fast approaching a dangerous pivot."

https://www.forbes.com/sites/zakdoffman/2025/02/24/fbis-new-iphone-android-security-warning-is-now-critical/

#USA #FBI #CyberSecurity #Encryption #Privacy #UK #CISA #Apple #Backdoor

LockBit's alleged leader claims to have stolen FBI-damaging data in a birthday message to Trump's FBI pick, Kash Patel.

#LockBit #cybersecurity #FBI #Trump #ransomware #cybercrime

https://cnews.link/lockbit-ransomware-gang-claims-fbi-kash-patel-birthday-2/

DISA Global Solutions reported a breach last spring exposing 3.3M records for over two months.

#DISA #databreach #cybersecurity #cybercrime #datasecurity

https://cnews.link/disa-breach-3m-employee-exposed-1/

A few reports offer an early glimpse into the largest-ever crypto hack, even though the exact details remain unclear.

#crypto #hack #cybersecurity #NorthKorea

https://cnews.link/bybit-hack-lazarus-group-1/

▪ @[email protected] research ▪ Movistar Costa Rica, a major telecommunications company, leaked hundreds of thousands of IDs, creating a potential goldmine for cybercriminals.

#Movistar #datasecurity #dataprivacy #cybersecurity #infosec

https://cnews.link/movistar-data-leak-3/