According to researchers at the mobile security company Oversecured, several public and popular libraries that have been abandoned but are still used in Java and Android applications are vulnerable to a new software supply chain attack method called MavenGate. Access to projects can be hijacked through domain name purchases, and because most default build configurations are vulnerable, determining whether an attack is taking place would be difficult, if not impossible.

Trezor recently issued a security alert after identifying a data breach on January 17 due to unauthorized access to their third-party support ticketing portal.  The popular hardware cryptocurrency wallet vendor stated that the investigation into the incident is ongoing, but it found no evidence so far that users' digital assets were compromised in the incident.  The company stressed that none of its user's funds had been compromised through the incident.

Russian state hackers recently managed to compromise the email accounts of some of Microsoft’s senior leadership team members using basic brute-force techniques.  Microsoft revealed on Friday that the “Midnight Blizzard” group (aka Nobelium, APT29, Cozy Bear) was detected on its systems on January 12.  The fact that brute-force tactics worked indicates that the compromised email accounts were not protected with multi-factor authentication (MFA).  Password spray attacks involve threat actors trying commonly used and easy-to-guess passwords to unlock multiple accounts at once.

Conor Brian Fitzpatrick, the owner of the infamous cybercrime website BreachForums, was recently sentenced to time served and 20 years of supervised release.  Conor Brian Fitzpatrick of Peekskill, New York, known online as "Pompompurin," was arrested in March 2023.  In April, he pleaded guilty to conspiracy to commit device fraud, access device fraud, and possession of child pornography.  Launched in 2022 and also known as Breached, BreachForums had become a top hacker marketplace when it was taken down in March 2023.

Lending giant LoanDepot recently announced that roughly 16.6 million individuals were impacted by a ransomware attack disclosed earlier this month.  In a Form 8-K filing with the Securities and Exchange Commission (SEC) on January 4th, the company said it “has determined that the unauthorized third party activity included access to certain company systems and the encryption of data.”  Affected individuals will be notified soon and offered free credit monitoring and identity protection services.  

A team of researchers in China has introduced a novel approach to improving privacy for cross-border e-commerce users. The presented encryption algorithm is based on social network analysis, which could help users maintain security when transferring sensitive information during international transactions. The team has implemented a multifaceted strategy, initially using a logical inference mapping method for blockchain to encode public and private keys with asymmetric encryption.

The US Justice Department recently announced separate charges against two Russian nationals accused of being involved in cybercriminal activities, including a man allegedly involved in the 2013 hacking of retailers Michaels and Neiman Marcus.  According to the DoJ, one indicted individual is Aleksey Timofeyevich Stroganov, also known as Aleksei Stroganov, Flint, Flint24, Gursky Oleg, and Oleg Gurskiy.  He and his accomplices allegedly hacked into the computers of companies and individuals in an effort to steal personal information, including credit and debit card data.

The "Science of Security (SoS) Program Review: 2011-2023" report is now available.