Go programming language arrives at security warnings that are useful
The open source Go programming language, developed by Google, has added support for vulnerability management in a way designed to preserve programmers’ patience. The Go team recently set up a website at vuln.go.dev to host a selection of known vulnerabilities in packages that can be imported from public Go modules. These chosen vulnerabilities have been curated and reviewed by the Go security team, based on CVEs, GitHub Security Advisories, and reports from maintainers. Presumably, this results in a high-quality database of flaws because the inconsequential issues have been filtered out. But there’s more to it than selectivity.
Mandiant ‘highly confident’ foreign cyberspies will target US midterm elections
Mandiant is “highly confident” that foreign cyberspies will target US election infrastructure, organizations, and individuals in the run-up to the November midterm elections. Based on recent activity by various threat groups, as well as previous election targeting, the security firm expects nation-state backed gangs in Russia, China, and Iran will attempt to pull off cyberespionage against US government and election-related outfits. “We have tracked activity from groups associated with Russia, China, Iran, North Korea, and other nations targeting organizations and individuals related to elections in the US and/or other nations with apparent goals ranging from information collection and establishing footholds or stealing data for later activity to one known case of a destructive attack against critical election infrastructure,” the Mandiant team said in research published today.
State Department bounty program for cybercriminal tips has ‘born fruit,’ top FBI official says
The State Department’s program offering rewards of up to $10 million for tips leading to the apprehension of cybercriminals is paying off, FBI Assistant Director for Cyber Bryan Vorndran said Wednesday. “Recently the US government has also started to leverage something that was traditionally used in counterterrorism, Rewards for Justice,” Vorndran said. “It’s essentially incentivizing individuals who have intimate knowledge of a criminal conspiracy, whether nation-state or not, to report to the U.S. government. … That has actually born fruit at this point.” The FBI declined to elaborate on Vorndran’s comment, which he made at the Billington Cybersecurity Summit in Washington on Wednesday afternoon. State also declined to comment and has a blanket policy forbidding confirmation of such payouts, a spokesperson said.
Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts
A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. “This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information,” it said. BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others. The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It’s been addressed in version 8.7.5 released on September 2, 2022.
US seizes $30 million in stolen cryptocurrency from North Korean hackers
The FBI and private investigators have seized about $30 million worth of cryptocurrency stolen by North Korean government-linked hackers from a video game company in March, according to Chainalysis, a US firm that said it worked with the FBI to claw back the stolen money. It’s the latest example of a concerted effort from US law enforcement to recover some of the hundreds of millions of dollars that Pyongyang’s hackers have allegedly plundered from cryptocurrency firms in recent months — money that US officials worry is used to fund North Korea’s nuclear weapons programs. The $30 million recovered is just a fraction of the equivalent of more than $600 million that the FBI said the North Korean hackers originally stole from Sky Mavis, a company with an office in Vietnam that makes a popular video game that allows users to earn digital money. But the seizure is still a breakthrough for law enforcement, and investigators are actively trying to recover some of the remaining loot, according to Erin Plante, Chainalysis’ senior director of investigations.