An anonymous reader shares a report: Relations between Russia and Germany were already tense, with Germany providing military support to Ukraine in its ongoing war with Russia. German Foreign Minister Annalena Baerbock said Russian state hackers were behind a cyberattack last year that targeted the Social Democrats, the leading party in the governing coalition. "Russian state hackers attacked Germany in cyberspace," she said at a news conference in the Australian city of Adelaide. "We can attribute this attack to the group called APT28, which is steered by the military intelligence service of Russia."

"This is absolutely intolerable and unacceptable and will have consequences," she said. The Russian Embassy in Germany on Friday denied Moscow was involved in a 2023 cyberattack. In a statement the embassy said its envoy "categorically rejected the accusations that Russian state structures were involved in the given incident ... as unsubstantiated and groundless." The Council of the EU later said that Czechia's institutions have also been a target of the cyber campaign. In a statement by the EU's top diplomat, Josep Borrell, the bloc's nations said they "strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia." Further reading: EU and NATO Condemn Russian Cyber Attacks Against Germany and Czechia.

Microsoft is making security its number one priority for every employee, following years of security issues and mounting criticisms. The Verge: After a scathing report from the US Cyber Safety Review Board recently concluded that "Microsoft's security culture was inadequate and requires an overhaul," it's doing just that by outlining a set of security principles and goals that are tied to compensation packages for Microsoft's senior leadership team. Last November, Microsoft announced a Secure Future Initiative (SFI) in response to mounting pressure on the company to respond to attacks that allowed Chinese hackers to breach US government email accounts.

Just days after announcing this initiative, Russian hackers managed to breach Microsoft's defenses and spy on the email accounts of some members of Microsoft's senior leadership team. Microsoft only discovered the attack nearly two months later in January, and the same group even went on to steal source code. These recent attacks have been damaging, and the Cyber Safety Review Board report added fuel to Microsoft's security fire recently by concluding that the company could have prevented the 2023 breach of US government email accounts and that a "cascade of security failures" led to that incident. "We are making security our top priority at Microsoft, above all else -- over all other features," explains Charlie Bell, executive vice president for Microsoft security, in a blog post today. "We will instill accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones."

Plumpaquatsch writes: Investigators teamed up with colleagues from the Balkans and Lebanon in raids set up by months of intense surveillance. Authorities say the operation thwarted over 10 million euro in damages and led to 21 arrests.

Dubbed 'Operation Pandora,' the sting began in Germany in December 2023, after a suspicious bank teller contacted police when a 76-year-old customer from Freiburg sought to hurriedly withdraw 120,000 euro ($128,232) from her savings account to hand over to a fake police officer. When real police investigators tracked the internet-based telephone number that had been used to lure the woman, they discovered a veritable goldmine.

Rather than shutting down the number, authorities instead went on the offensive, setting up their own call center in which hundreds of officers from Baden-Wurttemberg, Bavaria, Berlin and Saxony worked around the clock monitoring some 1.3 million calls in real time, as the number from the initial scam was tied to an entire network of fraud call centers. Police were able to trace and record data from the calls, as well as warn potential victims of what was in fact happening, in turn winning valuable time to put together the April 18 sting.

Police say their efforts allowed them to thwart some 10 million euro in damages in roughly 6,000 cases of attempted fraud.

samleecole writes: Utah set up an online form for people to accuse other citizens and public establishments of violating the state's recently-enacted transphobic "bathroom bill." The submission form is being flooded with memes and troll comments, and the auditor also left the submissions database open to the public -- without a password, authentication, or any other protections that would keep anyone from viewing other people's submissions.

After 404 Media contacted the auditor's office for comment, they changed the permissions to require authentication. The form link has been posted to Twitter, and people have repeatedly posted screenshots of themselves uploading memes. In the database, those included photos of Barry Wood, characters from Bee Movie, and Shutterstock images of bull testicles. Twitter users have also found a link to the database that the form is connected to, which is hosted on a public Google cloud console bucket that as of Thursday, required no authentication to view. I tested the form, and found that my submission -- a photo of the yelling table cat meme -- appeared instantly in the Google Console bucket. The submission form offers anonymity with the option for the state auditor to contact submitters for more details. I haven't seen names and contact information shared in the database, but comments and image attachments were easily viewable.

A Miami-based CEO will serve over six years in prison for selling counterfeit Cisco equipment to numerous buyers on Amazon and eBay, with some of the shoddy hardware ending up in sensitive US government systems. From a report: On Wednesday, 40-year-old Onur Aksoy was sentenced to six years and six months in prison for raking in at least $100 million from the counterfeit sales. Aksoy committed the fraud from at least 2013 to 2022 -- the year he was arrested -- by buying the fake Cisco equipment from suppliers in China. The counterfeits were then resold as legitimate Cisco products for an estimated retail value of over $1 billion.

"Aksoy sold hundreds of millions of dollars' worth of counterfeit computer networking equipment that ended up in US hospitals, schools, and highly sensitive military and other governmental systems, including platforms supporting sophisticated US fighter jets and military aircraft," Principal Deputy Assistant Attorney General Nicole Argentieri said in a statement.

Dan Goodin reports via Ars Technica: A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn't have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account.

While exploits required no user interaction, hijackings worked only against accounts that weren't configured to use multi-factor authentication. Even with MFA, accounts remained vulnerable to password resets. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of a possible 10. The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2021, infecting more than 18,000 of its customers. Other recent examples of supply chain attacks are here, here, and here. These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all. According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances. In order to protect your system, you should enable MFA and install the latest patch. "GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits," notes Goodin.

Ecobee, the company that pioneered smart thermostats with its Ecobee Smart in 2008, has announced it will end online support for the device and its commercial counterpart, the Ecobee Energy Management System, on July 31, 2024. The move will disable internet-dependent features such as web portal control, smart integrations, and weather-related functionality, while basic HVAC control and scheduling will remain operational.

Microsoft is fully rolling out passkey support for all consumer accounts today. From a report: After enabling them in Windows 11 last year, Microsoft account owners can also now generate passkeys across Windows, Android, and iOS. This makes it effortless to sign in to a Microsoft account without having to type a password in every time.

An anonymous reader quotes a report from Bloomberg: Dropbox said its digital-signature product, Dropbox Sign, was breached by hackers, who accessed user information including emails, user names and phone numbers. The software company said it became aware of the cyberattack on April 24, sought to limit the incident and reported it to law enforcement and regulatory authorities. "We discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and user names, in addition to general account settings," Dropbox said Wednesday in a regulatory filing. "For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication."

Dropbox said there is no evidence hackers obtained user accounts or payment information. The company said it appears the attack was limited to Dropbox Sign and no other products were breached. The company didn't disclose how many customers were affected by the hack. The hack is unlikely to have a material impact on the company's finances, Dropbox said in the filing. The shares declined about 2.5% in extended trading after the cyberattack was disclosed and have fallen 20% this year through the close.

Microsoft has confirmed that the April 2024 Windows security updates break VPN connections across client and server platforms. From a report: The company explains on the Windows health dashboard that "Windows devices might face VPN connection failures after installing the April 2024 security update or the April 2024 non-security preview update."

"We are investigating user reports, and we will provide more information in the coming days," Redmond added. The list of affected Windows versions includes Windows 11, Windows 10, and Windows Server 2008 and later.

An anonymous reader shares a report: Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it's still unclear how many Americans were impacted by the cyberattack. Last month, Andrew Witty, the CEO of Change Healthcare's parent company UnitedHealth Group, said that the stolen files include the personal health information of "a substantial proportion of people in America." On Wednesday, during a House hearing, when Witty was pushed to give a more definitive answer, testifying that the breach impacted "I think, maybe a third [of Americans] or somewhere of that level."

Windows 11's market share dropped in April 2024, falling below 26% after reaching an all-time high of 28.16% in February. According to Statcounter, Windows 11 lost 0.97 points, while Windows 10 gained 0.96 points, crossing the 70% mark for the first time since September 2023. Neowin adds: Some argue that Windows 11 still offers little to no benefits for upgrading, especially in light of Microsoft killing some of the system's unique features, such as Windows Subsystem for Android. Add to that the ever-increasing number of ads, some of which are quite shameless, and you get an operating system that has a hard time winning hearts and minds, and retaining its customers.

LastPass, the password manager company, has officially separated from its parent company, GoTo, following a series of high-profile hacks in recent years. The company will now operate under a shareholder holding company called LMI Parent.

LastPass -- owned by private equity firms Francisco Partners and Elliott Management -- has faced criticism for its handling of the breaches, which resulted in the theft of customer data and encryption keys. The company has since enforced a 12-character minimum for master passwords to improve security.

An anonymous reader quotes a report from TechCrunch: The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG). UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system. This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare's systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a "substantial proportion of people in America."

According to Witty's testimony, the criminal hackers "used compromised credentials to remotely access a Change Healthcare Citrix portal." Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen. However, Witty did say the portal "did not have multifactor authentication," which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee's trusted device, such as their phone. It's not known why Change did not set up multifactor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer's systems. "Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data," said Witty. Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach. Last week, the medical firm admitted that it paid the ransomware hackers roughly $22 million via bitcoin.

Meanwhile, UnitedHealth said the total costs associated with the ransomware attack amounted to $872 million. "The remediation efforts spent on the attack are ongoing, so the total costs related to business disruption and repairs are likely to exceed $1 billion over time, potentially including the reported $22 million payment made [to the hackers]," notes The Register.

Apple has confirmed reports [video link] of a software glitch causing some iPhone alarms to fail to play a sound.