$1.5B Bybit hack, UK E2E pulled, PayPal phishing emails

In today’s cybersecurity news…

Hacker steals nearly $1.5 billion from Bybit crypto wallet

Undoubtedly the top cyber news story developing over the weekend stemmed from the Bybit crypto exchange’s announcement on Friday that an unknown attacker stole over $1.46 billion in crypto from one of its ETH cold wallets. This makes the incident the largest cryptocurrency hack to date, almost doubling the previous record. Bybit said the attackers altered a wallet transaction “through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic.” According to crypto fraud investigator ZachXBT, the perpetrator has already split a small percentage of the stolen ETH (10,000 ETH of the roughly 401,346 ETH taken) across 48 addresses. Bybit’s CEO, Ben Zhou, said all other cold wallets and funds are fully secure and safe, and that the exchange remains both solvent and operational. He added that even if the stolen assets are not recovered, all client assets will be backed 1 to 1. Researchers at Arkham Intelligence said the firm’s analysis showed “definitive proof” that the Bybit hack was the work of the North Korean Lazarus Group.

(Bleeping Computer and The Block)

Apple pulls iCloud end-to-end encryption in the UK

In the latest development in a story we’ve been following on Cyber Security Headlines, Apple has made iCloud end-to-end encryption unavailable in the United Kingdom. The move stems from the UK government’s request for encryption backdoor access under its Investigatory Powers Act. End-to-end encryption is an optional setting for most iCloud data, including iCloud Backup, Photos, and Notes, ensuring only users can access their data even in the event of a cloud breach. Even after this update, Apple’s communication services (iMessage and FaceTime) and Health and iCloud Keychain data will remain end-to-end encrypted. The Washington Post said the British government’s mandate “has no known precedent in major democracies.” Apple said it is “gravely disappointed” that these data protections will not be available to UK customers given the continued rise of data breaches and privacy threats.

(Security Affairs and Bleeping Computer)

PayPal “New Address” feature abused to send phishing emails

Over the past month, some PayPal users have received emails stating, “This is just a quick confirmation that you added an address in your PayPal account.” The email also claims to be a purchase confirmation for a MacBook M4, and provides a phone number to call if the user did not authorize the purchase. The emails are being sent directly from PayPal’s mail server using the [email protected] account, allowing the emails to bypass DKIM email security checks and spam filters. Testing by BleepingComputer suggests attackers are somehow abusing PayPal’s “gift addresses” feature that allows users to add addresses to their PayPal profile, which seemingly triggers legitimate emails from PayPal’s email server. The researchers say because PayPal doesn’t limit the number of characters in the address form fields, threat actors are able to inject their scam message. PayPal has been made aware of the issue but has yet to comment.

(Bleeping Computer)
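The weak pattern the report describes, a free-text profile field rendered straight into a transactional email, alongside a hardened version, as an added illustration (hypothetical Python written for this page, not PayPal’s code). DKIM and SPF authenticate the sending domain, not the message body, so once user text is inside the template the mail is legitimately signed and the filters described above pass it; the check has to happen when the field is submitted. The length limit, allowed character set, regexes and both sample addresses are constructed assumptions.

```python
import re

# Constructed sample inputs (not real PayPal data). The second mirrors the
# report: an "address" carrying a fake purchase notice and a call-back number.
LEGIT_ADDRESS = "221B Baker Street, London NW1 6XE"
INJECTED_ADDRESS = (
    "221B Baker Street. This is just a quick confirmation that you added an "
    "address in your PayPal account. Purchase confirmation: MacBook M4 $1,999. "
    "If you did not authorize this, call +1-800-555-0199 immediately."
)

# Assumed policy: a postal address line never needs more than this many
# characters and never legitimately contains a phone number, a URL, or
# characters outside a small punctuation set.
MAX_ADDRESS_LEN = 120
ALLOWED_RE = re.compile(r"[A-Za-z0-9 ,.#'/-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def render_confirmation_unsafe(address: str) -> str:
    """Weak pattern: user-controlled text goes straight into the mail body.

    Whatever the user typed becomes part of a message that the legitimate
    mail server then signs and sends, so DKIM checks downstream pass it.
    """
    return f"This is a confirmation that you added an address to your account:\n{address}\n"


def validate_address(address: str) -> list[str]:
    """Return policy violations for a user-supplied address (empty list = accept)."""
    problems = []
    if len(address) > MAX_ADDRESS_LEN:
        problems.append("too long")
    if not ALLOWED_RE.fullmatch(address):
        problems.append("disallowed characters")
    if PHONE_RE.search(address):
        problems.append("contains phone number")
    if URL_RE.search(address):
        problems.append("contains URL")
    return problems


def render_confirmation_safe(address: str) -> str:
    """Hardened version: reject the field at input time, and render what is
    accepted inside a fixed template so user text cannot pose as the notice."""
    problems = validate_address(address)
    if problems:
        raise ValueError(f"address rejected: {', '.join(problems)}")
    return (
        "You added a new shipping address to your account.\n"
        f"Address on file: {address}\n"
        "If you did not make this change, sign in to your account to review it.\n"
    )


if __name__ == "__main__":
    # The unsafe render of the injected field reads as a complete scam notice.
    print(render_confirmation_unsafe(INJECTED_ADDRESS))
    print("violations:", validate_address(INJECTED_ADDRESS))
    print(render_confirmation_safe(LEGIT_ADDRESS))
```

The point of the fixed template in `render_confirmation_safe` is that the notice text and the call to action are the service’s own words, and the user-supplied value is confined to one labelled line; the input validation keeps that line short and free of the phone numbers and URLs a scam message depends on.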

U.S. AI Safety Institute faces staffing cuts

According to multiple reports, the National Institute of Standards and Technology (NIST) could soon terminate as many as 500 staffers. Axios reported last week that the U.S. AI Safety Institute (AISI) and Chips for America, both part of NIST, would be “gutted” by layoffs, and Bloomberg reported that some staffers have already received verbal termination notices. The AISI was established last year by a Biden administration executive order and tasked with studying AI risks and developing related standards. President Trump repealed that order on his first day in office, and AISI’s director departed earlier in February. Jason Green-Lowe, executive director of the Center for AI Policy, said, “These cuts, if confirmed, would severely impact the government’s capacity to research and address critical AI safety concerns at a time when such expertise is more vital than ever.”

(TechCrunch)

Thanks to today’s episode sponsor, Conveyor

House Republicans query public for ideas on data privacy law

On Friday, Brett Guthrie (R-Ky.) and John Joyce (R-Pa.), both part of a Republican working group on data privacy, issued a Request for Information seeking input from the American public on long-awaited national data privacy and security standards. The request includes inquiries about personal data collection and use, data use disclosures, and what lessons can be learned from privacy frameworks in other countries. It also queries how a comprehensive data privacy law might coexist with other major privacy statutes, like the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Rule. The public has until April 7 to provide input, which can be done by sending an email to [email protected].

(CyberScoop)

SpyLend malware in Google Play Store

Predatory loan app malware, called SpyLend, is targeting Android users in India and has been downloaded over 100,000 times. The malware is deployed to user devices by apps that promise quick and easy loans. The apps also claim to be registered Non-Banking Financial Companies (NBFCs), which researchers say is untrue. Upon installation, the apps request excessive device permissions, allowing them to steal user contacts, call logs, SMS messages, photos, and device location. The harvested information is then used to harass, extort, and blackmail users. Users who suspect their device is infected should remove the apps, reset permissions, change their bank account passwords, and perform a device scan. Users should also consider enabling Google’s Play Protect tool, which detects and blocks known predatory apps.

(Bleeping Computer)

Apiiro unveils free scanner to detect malicious code merges

Security researchers at Apiiro have released two free, open-source tools designed to detect and block malicious code before it is added to software projects. The two tools use comprehensive static analysis rulesets for Semgrep and Opengrep and leverage a GitHub-integrated scanner called PRevent that alerts on suspicious code in pull requests (PRs). The researchers say the tools have a minimal false positive rate, making them valuable in real-world practice. Users should use these new tools at their own risk.

(Bleeping Computer)

Google adds quantum-resistant digital signatures to cloud KMS

Google has revealed plans to implement new post-quantum cryptography (PQC) standards from the National Institute of Standards and Technology (NIST). The tech giant plans to start by adding the two NIST quantum-resistant digital signature algorithms (FIPS 204 and FIPS 205) to its Cloud Key Management Service (KMS). Google Cloud KMS lets customers manage cryptographic keys throughout the Google Cloud ecosystem. The new PQC digital signature capability is now available in preview. Google plans to add support for NIST’s asymmetric cryptography standard (FIPS 203) later this year.

(Dark Reading)
