Booking.com confirmed Monday that hackers may have accessed customers’ personal data, including names, emails, physical addresses, phone numbers, and booking details. The global travel and hotel reservation giant notified customers this past week of the breach, according to several online posts.
“We’re writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation,” read the notification to customers, according to one user’s post on Reddit. Several other Reddit users replying to the post said they received the same notification. The message from the company included the aforementioned types of compromised data, as well as “anything that you may have shared with the accommodation.”
The user who posted the notification on Reddit told TechCrunch that they received a phishing message via WhatsApp two weeks ago that included “booking details and personal information.” That suggests hackers are leveraging the stolen information to target Booking.com customers.
Booking.com spokesperson Courtney Camp told TechCrunch that the company “noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.”
The spokesperson declined to answer TechCrunch’s specific questions, including how many customers were affected by this incident and then notified.
The company told The Guardian that “financial information was not accessed”.
In 2024, TechCrunch reported that hackers had infected several hotels’ computers with consumer-grade spyware, or stalkerware. In one case, a victim was logged into their Booking.com administration portal when the PcTattleTale stalkerware took a screenshot of their screen.
According to the company’s website, 6.8 billion customers have booked hotel rooms and homes since 2010.
As US President Donald Trump threatens wholesale demolition of Iran’s infrastructure in the midst of an escalating war, Iran now appears to have already reciprocated with its own form of infrastructure sabotage: a hacking campaign hitting industrial control systems across the United States, including energy and water utilities, that US agencies say has had disruptive and costly effects.
In a joint advisory published Tuesday, a group of US agencies including the FBI, the National Security Agency, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency warned that a group of hackers affiliated with the Iranian government has targeted industrial control devices used in a series of critical infrastructure targets including in the energy sector, water and wastewater utilities, and unspecified “government facilities.” According to the agencies, the hackers have targeted programmable logic controllers (PLCs)—a type of device designed to allow digital control of physical machinery—in those facilities, including those sold by industrial tech firm Rockwell Automation, with the apparent intention of sabotaging their systems.
By compromising those PLCs, the advisory warns, the hackers sought to change information on the displays of industrial control systems, which can in some scenarios cause system downtime, damage, or even dangerous conditions. “In a few cases, this activity has resulted in operational disruption and financial loss,” it reads.
When WIRED reached out to Rockwell Automation, a company spokesperson responded in a statement that it “takes seriously the security of its products and solutions and has been closely coordinating with government agencies in connection with” Tuesday’s advisory, and pointed to documents it has published for customers on how to better secure their PLCs.
Though the advisory doesn’t specify a particular group responsible for the hacking campaign, it notes that the attacks are similar to those carried out by the Iran-linked group known as CyberAv3ngers, or the Shahid Kaveh Group, starting in late 2023. That team of hackers, believed to work in the service of the Iranian Revolutionary Guard Corps, inflicted several waves of attacks against Israeli and US targets in recent years, including gaining access to more than a hundred devices sold by industrial control system technology firm Unitronics and most commonly used in water and wastewater utilities.
This is a developing story, please check back for updates.
It’s the end of the year. That means it’s time for us to celebrate the best cybersecurity stories we didn’t publish. Since 2023, TechCrunch has looked back at the best stories across the board from the year in cybersecurity.
If you’re not familiar, the idea is simple. There are now dozens of journalists who cover cybersecurity in the English language. There are a lot of stories about cybersecurity, privacy, and surveillance that are published every week. And a lot of them are great, and you should read them. We’re here to recommend the ones we liked the most, so keep in mind that it’s a very subjective and, at the end of the day, incomplete list.
Anyway, let’s get into it. — Lorenzo Franceschi-Bicchierai.
Every once in a while, there’s a hacker story that as soon as you start reading, you think it could be a movie or a TV show. This is the case with Shane Harris’ very personal tale of his months-long correspondence with a top Iranian hacker.
In 2016, The Atlantic’s journalist made contact with a person claiming to work as a hacker for Iran’s intelligence, where he claimed to have worked on major operations, such as the downing of an American drone and the now-infamous hack against oil giant Saudi Aramco, where Iranian hackers wiped the company’s computers. Harris was rightly skeptical, but as he kept talking to the hacker, who eventually revealed his real name to him, Harris started to believe him. When the hacker died, Harris was able to piece together the real story, which somehow turned out to be more incredible than the hacker had led Harris to believe.
The gripping story is also a great behind-the-scenes look at the challenges cybersecurity reporters face when dealing with sources claiming to have great stories to share.
In January, the U.K. government secretly issued Apple with a court order demanding that the company must build a backdoor so police can access iCloud data of any customer in the world. Due to a worldwide gag order, it was only because The Washington Post broke news that we learned the order existed to begin with. The demand was the first of its kind, and — if successful — would be a major defeat for tech giants who have spent the past decade locking themselves out of their users’ own data so they can’t be compelled to provide it to governments.
Apple subsequently stopped offering its opt-in end-to-end encrypted cloud storage to its customers in the U.K. in response to the demand. But by breaking the news, the secret order was thrust into the public eye and allowed both Apple and critics to scrutinize U.K. surveillance powers in a way that hasn’t been tested in public before. The story sparked a months-long diplomatic row between the U.K. and the United States, prompting Downing Street to drop the request — only to try again several months later.
This story was the sort of fly-on-the-wall access that some reporters would dream of, but The Atlantic’s editor-in-chief got to play out in real-time after he was unwittingly added to a Signal group of senior U.S. government officials by a senior U.S. government official discussing war plans from their cell phones.
“We are currently clean on OPSEC,” said Secretary of Defense Pete Hegseth. They were not. (Image credit: The Atlantic, screenshot)
Reading the discussion about where U.S. military forces should drop bombs — and then seeing news reports of missiles hitting the ground on the other side of the world — was confirmation that Jeffrey Goldberg needed to know that he was, as he suspected, in a real chat with real Trump administration officials, and this was all on-the-record and reportable.
And so he did, paving the way for a months-long investigation (and critique) of the government’s operational security practices, in what was called the biggest government opsec mistake in history. The unraveling of the situation ultimately exposed security lapses involving the use of a knock-off Signal clone that further jeopardized the government’s ostensibly secure communications.
Brian Krebs is one of the more veteran cybersecurity reporters out there, and for years he has specialized in following online breadcrumbs that lead to him revealing the identity of notorious cybercriminals. In this case, Krebs was able to find the real identity behind the online handle Rey, a hacker who is part of the notorious “advanced persistent teenagers” cybercrime group that calls itself Scattered LAPSUS$ Hunters.
Krebs’ quest was so successful that he was able to talk to a person very close to the hacker — we won’t spoil the whole article here — and then the hacker himself, who confessed to his crimes and claimed he was trying to escape the cybercriminal life.
Independent media outlet 404 Media has accomplished more impact journalism this year than most mainstream outlets with vastly more resources. One of its biggest wins was exposing and effectively shuttering a massive air travel surveillance system tapped by federal agencies and operating in plain sight.
404 Media reported that a little-known data broker set up by the airline industry called the Airlines Reporting Corporation was selling access to five billion plane tickets and travel itineraries, including names and financial details of ordinary Americans, allowing government agencies like ICE, the State Department, and the IRS to track people without a warrant.
ARC, owned by United, American, Delta, Southwest, JetBlue, and other airlines, said it would shut down the warrantless data program following 404 Media’s months-long reporting and intense pressure from lawmakers.
The killing of UnitedHealthcare CEO Brian Thompson in December 2024 was one of the biggest stories of the year. Luigi Mangione, the chief suspect in the killing, was soon after arrested and indicted on charges of using a “ghost gun,” a 3D-printed firearm that had no serial numbers and was built privately without a background check — effectively a gun that the government has no idea exists.
Wired, using its past reporting experience on 3D-printed weaponry, sought to test how easy it would be to build a 3D-printed gun, while navigating the patchwork legal (and ethical) landscape. The reporting process was exquisitely told, and the video that goes along with the story is both excellent and chilling.
DOGE, or the Department of Government Efficiency, was one of the biggest running stories of the year, as the gang of Elon Musk’s lackeys ripped through the federal government, tearing down security protocols and red tape, as part of the mass-grab of citizens’ data. NPR had some of the best investigative reporting uncovering the resistance movement of federal workers trying to prevent the pilfering of the government’s most sensitive data.
In one story detailing a whistleblower’s official disclosure as shared with members of Congress, a senior IT employee in the National Labor Relations Board told lawmakers that as he was seeking help investigating DOGE’s activity, he “found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead pictures of him walking his dog, according to the cover letter attached to his official disclosure.”
Any story that starts with a journalist saying they found something that made them “feel like shitting my pants,” you know it’s going to be a fun read. Gabriel Geiger found a dataset from a mysterious surveillance company called First Wap, which contained records on thousands of people from around the world whose phone locations had been tracked.
The dataset, spanning 2007 through 2015, allowed Geiger to identify dozens of high profile people whose phones were tracked, including a former Syrian first lady, the head of a private military contractor, a Hollywood actor, and an enemy of the Vatican. This story explored the shadowy world of phone surveillance by exploiting Signalling System No. 7, or SS7, an obscurely named protocol long known to allow malicious tracking.
Swatting has been a problem for years. What started as a bad joke has become a real threat, which has resulted in at least one death. Swatting is a type of hoax where someone — often a hacker — calls the emergency services and tricks the authorities into sending an armed SWAT team to the home of the hoaxer’s target, often pretending to be the target themselves, and pretending they are about to commit a violent crime.
In this feature, Wired’s Andy Greenberg put a face on the many characters who are part of these stories such as the call operators who have to deal with this problem. And he also profiled a prolific swatter, known as Torswats, who for months tormented the operators and schools all over the country with fake — but extremely believable — threats of violence, as well as a hacker who took it upon himself to track Torswats down.
South Korea is world-famous for its blazing-fast internet, near-universal broadband coverage, and as a leader in digital innovation, hosting global tech brands like Hyundai, LG, and Samsung. But this very success has made the country a prime target for hackers and exposed how fragile its cybersecurity defenses remain.
The country is reeling from a string of high-profile hacks, affecting credit card companies, telecoms, tech startups, and government agencies, impacting vast swathes of the South Korean population. In each case, ministries and regulators appeared to scramble in parallel, sometimes deferring to one another rather than moving in unison.
Critics argue that South Korea’s cyber defenses are hindered by a fragmented system of government ministries and agencies, often resulting in slow and uncoordinated responses, per local media reports.
“The government’s approach to cybersecurity remains largely reactive, treating it as a crisis management issue rather than as critical national infrastructure,” Brian Pak, the chief executive of Seoul-based cybersecurity firm Theori, told TechCrunch.
Pak, who also serves as an advisor to SK Telecom’s parent company’s special committee on cybersecurity innovations, told TechCrunch that because government agencies tasked with cybersecurity work in silos, developing digital defenses and training skilled workers are often overlooked.
The country is also facing a severe shortage of skilled cybersecurity experts.
“[That’s] mainly because the current approach has held back workforce development. This lack of talent creates a vicious cycle. Without enough expertise, it’s impossible to build and maintain the proactive defenses needed to stay ahead of threats,” Pak continued.
Political deadlock has fostered a habit of seeking obvious “quick fixes” after each crisis, said Pak, while the more challenging, long-term work of building digital resilience continues to be sidelined.
This year alone, there has been a major cybersecurity incident in South Korea almost every month, further mounting concerns over the resilience of South Korea’s digital infrastructure.
January 2025
GS Retail, the operator of convenience stores and grocery markets across South Korea, confirmed a data breach that exposed the personal details of about 90,000 customers after its website was attacked between December 27 and January 4. The stolen information included names, birth dates, contact details, addresses, and email addresses.
February 2025
April and May 2025
South Korea’s part-time job platform Albamon was hit by a hacking attack on April 30. The breach exposed the resumes of more than 20,000 users, including names, phone numbers, and email addresses.
In April, South Korea’s telecom giant SK Telecom was hit by a major cyberattack. Hackers stole the personal data of about 23 million customers — nearly half the country’s population. Much of the aftermath of the cyberattack lasted through May, in which millions of customers were offered a new SIM card following the breach.
June 2025
Yes24, South Korea’s online ticketing and retail platform, was hit by a ransomware attack on June 9, which knocked its services offline. The disruption lasted for about four days, with the company back online by mid-June.
A North Korea-backed hacking group, Kimsuky, used AI-generated deepfake images in a July spear-phishing attempt against a South Korean military organization, according to Genians Security Center. The group has also targeted other South Korean institutions.
Seoul Guarantee Insurance (SGI), a Korean financial institution, was hit by a ransomware attack around July 14, which disrupted its core systems. The incident knocked key services offline, including the issuing and verification of guarantees, leaving customers in limbo.
Hackers broke into South Korean financial services company Lotte Card, which issues credit and debit cards, between July 22 and August. The breach exposed around 200GB of data and is believed to have affected roughly 3 million customers. The breach remained unnoticed for approximately 17 days, until the company discovered it on August 31.
Welcome Financial: In August 2025, Welrix F&I, a lending arm of Welcome Financial Group, was hit by a ransomware attack. A Russian-linked hacking group claimed it stole over a terabyte of internal files, including sensitive customer data, and even leaked samples on the dark web.
North Korea-linked hackers, believed to be the Kimsuky group, have been spying on foreign embassies in South Korea for months by disguising their attacks as routine diplomatic emails. According to Trellix, the campaign has been active since March and has targeted at least 19 embassies and foreign ministries in South Korea.
September 2025
KT, one of South Korea’s biggest telecom operators, has reported a cyber breach that exposed subscriber data from more than 5,500 customers. The attack was linked to illegal “fake base stations” that tapped into KT’s network, enabling hackers to intercept mobile traffic, steal information like IMSI, IMEI, and phone numbers, and even make unauthorized micro-payments.
In September 2025, the National Security Office announced that it would implement “comprehensive” cyber measures through an interagency plan, led by the South Korean president’s office. Regulators also signaled a legal change giving the government power to launch probes at the first sign of hacking — even if companies haven’t filed a report. Both steps aim to address the lack of a first responder that has long hindered South Korea’s cyber defenses.
But while South Korea’s fragmented system leaves accountability weak, placing all authority in a presidential “control tower” could risk “politicization” and overreach, according to Pak.
A better path may be balance: a central body to set strategy and coordinate crises, paired with independent oversight to keep power in check. In a hybrid model, expert agencies like KISA would still handle the technical work — just with more straightforward rules and accountability, Pak told TechCrunch.
When reached for comment, a spokesperson for South Korea’s Ministry of Science and ICT said the ministry, with KISA and other relevant agencies, is “committed to addressing increasingly sophisticated and advanced cyber threats.”
“We continue to work diligently to minimize potential harm to Korean businesses and the general public,” the spokesperson added.
This article was originally published on September 30.
Former U.S. Army soldier Cameron John Wagenius pleaded guilty to hacking telecommunication companies and attempting to extort them by threatening to release stolen files, the Department of Justice announced on Tuesday.
According to the DOJ, Wagenius, who went by the online nickname “kiberphant0m,” conspired to defraud 10 victim companies by stealing their login credentials, using brute force attacks and other techniques, and then used Telegram group chats to transfer the stolen credentials and discuss hacks.
Wagenius and his conspirators also attempted to extort their victims in private and in public, including on hacking forums such as the notorious BreachForums. They sold some of the stolen data and also used the stolen credentials to commit other frauds, including SIM swapping victims.
Earlier this year, Wagenius had already pleaded guilty to hacking AT&T and Verizon, a breach that led to him stealing a massive amount of call records.
Wagenius’ sentencing is scheduled for October 6, and he faces 20 years in prison, according to the press release.
Back in October, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) admitted that they were looking into “the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” These bad actors, collectively called “Salt Typhoon,” allegedly targeted US officials and staffers for the recently concluded presidential elections. A few days later, though, The Wall Street Journal reported that the group had access to a lot more people than originally thought. Basically, the hackers could have accessed the data of any American who’s a customer of AT&T and Verizon. That list of carriers has grown just a bit longer, because according to a new report by The Journal and Reuters, Salt Typhoon had also infiltrated T-Mobile’s network.
The hackers are believed to have exploited various vulnerabilities, such as those plaguing Cisco Systems routers, to get inside the carriers’ network. They also used AI and machine learning, The Journal said, and stayed inside some of the systems they infiltrated for over eight months. That’s enough time to get away with a bunch of sensitive data — they were allegedly able to access the phone lines of US senior national security officials, as well as the call logs and unencrypted texts of their targets. The hackers were also reportedly able to access the information collected by carriers to comply with surveillance requests from the American authorities.
A company spokesperson told The Journal that T-Mobile is “closely monitoring” the attacks and said that its systems and data “have not been impacted in any significant way.” They also said that the carrier didn’t find evidence that its customers’ information has been compromised in the security breach.
Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.
While state-backed actors were emboldened following Russia’s meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.
The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED’s requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.
“Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure.”
According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.
In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn’t inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.
The Internet Archive and Wayback Machine went down on Tuesday following a sustained cyber attack. In addition, the Archive’s user data has been compromised. If you’ve ever logged into the site to pore over its ample archives, it’s time to change your passwords.
On October 8, it was obvious something was wrong. “DDOS on a Tuesday? Last time it was a Monday,” Internet Archive founder Brewster Kahle said in a post on X. On Tuesday, things had gotten worse. The site was down and someone had defaced it. Pulling up the site prompted a JavaScript alert.
“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!” the little alert said.
“HIBP” is Have I Been Pwned, a website where you can check an email address against data breaches to see if it’s been compromised. In a post on X, HIBP said that 54% of the emails contained in the IA breach were in the database before this latest breach occurred.
HIBP founder Troy Hunt told BleepingComputer that the hackers shared the Internet Archive’s authentication database with him 10 days ago. The SQL file contained email addresses, screen names, password change timestamps, and Bcrypt-hashed passwords of the Archive’s registered users.
In a post on X, Hunt described the timeline of events.
Let me share more on the chronology of this:
30 Sep: Someone sends me the breach, but I’m travelling and didn’t realise the significance
5 Oct: I get a chance to look at it – whoa!
6 Oct: I get in contact with someone at IA and send the data, advising it’s our goal to load…
Kahle followed up on October 9. “What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords,” he said in a post on X. “What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”
The next morning, the Archive was back offline. “Sorry, but DDOS folks are back and knocked archive.org and openlibrary.org offline,” Kahle said in a follow-up post on X. “[Archive] is being cautious and prioritizing keeping data safe at the expense of service availability.”
A pro-Palestinian hacktivist group called SN_BLACKMETA has taken responsibility for the hack on X and Telegram. “They are under attack because the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of ‘Israel,’” the group said on X when someone asked them why they’d gone after the Archive.
The group elaborated on its reasoning in a now-deleted post on X. Jason Scott, an archivist at the Archive, screenshotted it and shared it. “Everyone calls this organization ‘non-profit’, but if its roots are truly in the United States, as we believe, then every ‘free’ service they offer bleeds millions of lives. Foreign nations are not carrying their values beyond their borders. Many petty children are crying in the comments and most of those comments are from a group of Zionist bots and fake accounts,” the post said.
SN_BLACKMETA also claimed responsibility for a six-day DDoS attack on the Archive back in May. “Since the attacks began on Sunday, the DDoS intrusion has been launching tens of thousands of fake information requests per second. The source of the attack is unknown,” Chris Freeland, Director of Library Services at the Archive said in a post about the attacks back in May.
SN_BLACKMETA launched its Telegram channel on November 23 and has claimed responsibility for a number of other attacks including a six-day DDoS run at Arab financial institutions and various attacks on Israeli tech companies in the spring.
It’s been a hard year for the Internet Archive. In July, the site went down due to “environmental factors” during a major heat wave in the U.S. Last month it lost an appeal in the lawsuit Hachette and other major publishers launched against it.
“If our patrons around the globe think this latest situation is upsetting, then they should be very worried about what the publishing and recording industries have in mind,” Kahle said in a post about the DDoS attack in May. “I think they are trying to destroy this library entirely and hobble all libraries everywhere. But just as we’re resisting the DDoS attack, we appreciate all the support in pushing back on this unjust litigation against our library and others.”
The Internet Archive did not return Gizmodo’s request for comment.
After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, runs the copy, and then terminates the original process and deletes the downloaded binary.
Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.
The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.
The researchers continued:
As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.
All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.
By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.
People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.
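The behaviour described above (a copy of the payload running from /tmp under a name such as sh or httpd, with the downloaded original deleted after launch) lends itself to a simple host-side check. The script below is an added example written for this post, not code from the researchers’ report: it flags processes whose on-disk image lives under a temp directory or has been deleted while still running, or whose name mimics a routine system binary without living in a trusted path. The set of mimicked names and the trusted directories are assumptions a defender would tune to their own hosts, and the sample snapshot is constructed, not real data.

```python
"""Flag processes whose on-disk image lives in a temp directory (or has been
deleted after launch) while their name mimics a routine system binary.

Added defender-side heuristic, not code from the report the article
summarises. Process records are plain dicts so the logic can be exercised on
constructed data; scan_proc() builds the same records from a live /proc tree.
"""
import os

# Names the article says the payload borrowed (httpd, sh) plus a few other
# daemon names an operator expects to see in a process list.
# Assumption: illustrative list, not taken from the report's indicators.
MIMICKED_NAMES = {"sh", "httpd", "sshd", "cron", "bash", "dbus-daemon"}

# Directories from which a legitimate copy of those binaries should never run.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Where the genuine binaries normally live; anything else is out of place.
# Assumption: typical distro layout, adjust for your own hosts.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/")


def classify(proc):
    """Return a list of reasons a process looks like a masquerading payload.

    proc: {"pid": int, "comm": str, "exe": str or None}
    exe is the resolved target of /proc/<pid>/exe; a deleted binary shows up
    as '<path> (deleted)', an unreadable link (kernel thread, no permission)
    as None.
    """
    reasons = []
    exe = proc.get("exe")
    comm = proc.get("comm", "")
    if exe is None:
        return reasons  # nothing to judge

    if exe.endswith(" (deleted)"):
        # The payload copies itself, runs the copy and deletes the original,
        # so the running image has no backing file on disk any more.
        reasons.append("executable deleted while running")
        exe = exe[: -len(" (deleted)")]

    if exe.startswith(SUSPECT_DIRS):
        reasons.append("executing from a temp directory")

    if comm in MIMICKED_NAMES and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"name '{comm}' mimics a system binary but runs from {exe}")

    return reasons


def suspicious_processes(procs):
    """Return {pid: [reasons]} for every process classify() flags."""
    hits = {}
    for proc in procs:
        reasons = classify(proc)
        if reasons:
            hits[proc["pid"]] = reasons
    return hits


def scan_proc(proc_root="/proc"):
    """Build process records from a live /proc tree (Linux only)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir() and open()
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            exe = None  # kernel thread, or not enough privilege to read it
        procs.append({"pid": int(entry), "comm": comm, "exe": exe})
    return procs


# Constructed sample snapshot (not real data) mirroring the article: a copy
# named 'sh' running from /tmp with its file removed, and an 'httpd' in /tmp.
SAMPLE_SNAPSHOT = [
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd"},
    {"pid": 3, "comm": "kthreadd", "exe": None},
    {"pid": 812, "comm": "sshd", "exe": "/usr/sbin/sshd"},
    {"pid": 2044, "comm": "sh", "exe": "/tmp/sh (deleted)"},
    {"pid": 2051, "comm": "httpd", "exe": "/tmp/httpd"},
    {"pid": 2060, "comm": "bash", "exe": "/bin/bash"},
]

if __name__ == "__main__":
    # Use scan_proc() instead of SAMPLE_SNAPSHOT to check the local host.
    for pid, reasons in sorted(suspicious_processes(SAMPLE_SNAPSHOT).items()):
        print(pid, "; ".join(reasons))
```

Run as root for a complete view, since /proc/<pid>/exe is only readable for your own processes otherwise; a hit is a prompt to inspect the process, not proof of infection, because legitimate software does occasionally run from /tmp during upgrades.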
Even those of you who do everything you can to secure those secrets can find yourself vulnerable—especially if you’re using a YubiKey 5 authentication token. The multifactor authentication devices can be cloned thanks to a cryptographic flaw that can’t be patched. The company has rolled out some mitigation measures—and the attack itself is relatively difficult to pull off. But it may be time to invest in a new dongle.
That’s not all, folks. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
At the end of August, cybercriminals from the ransomware group RansomHub appear to have hacked into the systems of Planned Parenthood’s Montana branch. The organization this week confirmed it had suffered from a “cybersecurity incident” on August 28 and said its staff immediately took parts of its network offline, reporting the incident to law enforcement.
Days after the incident took place, RansomHub claimed to be behind the attack, posting Planned Parenthood on its leak website. The criminal group said it would publish 93 GB of data. It is unclear what, if anything, the ransomware group has obtained, but Planned Parenthood clinics can hold a huge array of highly sensitive data about patients, including information on abortion appointments. (Around 400,000 Planned Parenthood patients in Los Angeles were impacted following a similar ransomware incident in 2021.)
In recent months, RansomHub has emerged as one of the most active ransomware-as-a-service groups, following the law enforcement disruption of LockBit. According to an FBI and Cybersecurity and Infrastructure Security Agency alert at the end of August, the group is “efficient and successful” and has stolen data from at least 210 victims since it formed in February. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims,” the alert said.
The Nigeria-based scammers known as the Yahoo Boys run almost every scam in the playbook—from romance scams to pretending to be FBI agents. Yet there’s little more devious than the increase in sextortion cases linked to the West African scammers. This week, Nigerian brothers Samuel Ogoshi and Samson Ogoshi were sentenced to more than 17 years in US jail for running sextortion scams, following their extradition earlier this year. It is the first time Nigerian scammers have been prosecuted for sextortion in the US, the BBC reported.
The Ogoshi brothers, who pleaded guilty in April, have been linked to the death of 17-year-old Jordan DeMay, who took his life six hours after he started talking to the scammers, who posed as a girl, on Instagram. The teenager had been duped into sending the brothers explicit images, and after he had done so, they threatened to post the images online unless he paid them hundreds of dollars. US prosecutors said the brothers sexually exploited and extorted more than 100 victims, with at least 11 of them being minors. There has been a huge spike in sextortion cases in recent years.
In June, the US Commerce Department banned the sale of Kaspersky’s antivirus tools over national security concerns about its links to the Russian government. (Kaspersky has, for years, denied such connections.) The firm later fired its workers and said it was closing its US business. This week, cybersecurity company Pango Group announced it is purchasing Kaspersky Lab’s US antivirus customers, according to Axios. This equates to around 1 million customers, who will be transitioned to Pango’s antivirus software Ultra AV. Ahead of the Kaspersky deal, parent company Aura also announced it was spinning out Pango Group into its own business. Pango’s president said customers would not need to take any action and that the deal would allow subscribers to continue to receive updates after September 29, when Kaspersky updates will stop.
For years, the EU has been trying to introduce new child protection laws that would require private chats to be scanned for child sexual abuse material—something that would potentially undermine encrypted messaging apps that provide everyday privacy to billions of people. The plans have been highly controversial and were shelved earlier this year. However, the proposed law, which has been dubbed “chat control,” reappeared in legislators’ in-trays this week. The Council of the EU, which is currently chaired by Hungary, wants to pass legislation by October, but reports say strong resistance to the plans still remains.