
      Those scary warnings of juice jacking in airports and hotels? They’re nonsense

      news.movim.eu / ArsTechnica · Monday, 1 May, 2023 - 11:00 · 1 minute


    Federal authorities, tech pundits, and news outlets want you to be on the lookout for a scary cyberattack that can hack your phone when you do nothing more than plug it into a public charging station. These warnings of “juice jacking,” as the threat has come to be known, have been circulating for more than a decade.

    Earlier this month, though, juice jacking fears hit a new high when the FBI and Federal Communications Commission issued new, baseless warnings that generated ominous-sounding news reports from hundreds of outlets. NPR reported that the crime is "becoming more prevalent, possibly due to the increase in travel." The Washington Post said it's a “significant privacy hazard” that can identify loaded webpages in less than 10 seconds. CNN warned that just by plugging into a malicious charger, "your device is now infected." And a Fortune headline admonished readers: "Don’t let a free USB charge drain your bank account."

    The Halley’s Comet of cybersecurity scares

    The scenario for juice jacking looks something like this: A hacker sets up equipment at an airport, shopping mall, or hotel. The equipment mimics the look and functions of normal charging stations, which allow people to recharge their mobile phones when they're low on power. Unbeknownst to the users, the charging station surreptitiously sends commands over the charging cord’s USB or Lightning connector and steals contacts and emails, installs malware, and does all kinds of other nefarious things.


      Switch modder Bowser released from prison, likely owes Nintendo for rest of life

      news.movim.eu / ArsTechnica · Tuesday, 18 April, 2023 - 16:08 · 1 minute

    X-ecuter chip on a Switch motherboard: one of the chips Team Xecuter offered for sale to alter the Switch's boot process, allowing for custom firmware and, yes, piracy. (credit: Team Xecuter)

    Gary Bowser, a member of the notorious Team Xecuter Switch modding group, will soon be allowed to return to his home country of Canada. He will not, however, be able to avoid the $14.5 million in repayment Nintendo will likely be pulling from him for the rest of his life.

    Bowser, a key figure in the nominative determinism hypothesis, is often described as a "hacker" but mainly worked in sales and promotion for Team Xecuter (or TX) as "kind of a PR guy." The group developed and sold jailbreaking devices dating back to the original Xbox under various brand and release names. While these devices opened up systems for homebrew, Linux, and other uses, they also made it simple to load pirated ROMs onto devices. Team Xecuter benefited from the open source work of Switch hackers, sold devices at a profit to help others hack their Switches, and were far more explicit about the piracy aspects of their exploits than other groups.

    That's why the arrest of Bowser and other TX members shocked the console hacking scene when their indictments came down in October 2020. The Department of Justice arranged for the arrest and extradition of Gary "GaryOPA" Bowser in the Dominican Republic and Max "MaxiMiLiEN" Louarn in France (eventually found in Tanzania but not yet extradited), and it pursued Yuanning "100+1" Chen in Shenzhen, China. Charging for products—and being brazen about their piracy uses—seemed to spur Nintendo to action, which in turn pushed the DOJ.


      North Korea Hacking Cryptocurrency Sites with 3CX Exploit

      news.movim.eu / Schneier · Tuesday, 4 April, 2023 - 14:10

    News:

    Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that’s unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they’re based in “western Asia.”

    Security firms CrowdStrike and SentinelOne last week pinned the operation on North Korean hackers, who compromised 3CX installer software that’s used by 600,000 organizations worldwide, according to the vendor. Despite the potentially massive breadth of that attack, which SentinelOne dubbed “Smooth Operator,” Kaspersky has now found that the hackers combed through the victims infected with its corrupted software to ultimately target fewer than 10 machines—at least as far as Kaspersky could observe so far—and that they seemed to be focusing on cryptocurrency firms with “surgical precision.”


      Russian Cyberwarfare Documents Leaked

      news.movim.eu / Schneier · Thursday, 30 March, 2023 - 22:00

    Now this is interesting:

    Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet.

    The company’s work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence organisation.

    Lots more at the link.

    The documents are in Russian, so it will be a while before we get translations.


      Pro-Russian hackers target elected US officials supporting Ukraine

      news.movim.eu / ArsTechnica · Thursday, 30 March, 2023 - 12:19

    Locked out. (credit: Sean Gladwell / Getty Images)

    Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine, using attacks that attempt to compromise their email accounts, researchers from security firm Proofpoint said.

    The campaign, which also targets officials of European nations, uses malicious JavaScript that’s customized for individual webmail portals belonging to various NATO-aligned organizations, a report Proofpoint published Thursday said. The threat actor—which Proofpoint has tracked since 2021 under the name TA473—employs sustained reconnaissance and painstaking research to ensure the scripts steal targets’ usernames, passwords, and other sensitive login credentials as intended on each publicly exposed webmail portal being targeted.

    Tenacious targeting

    “This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe,” Proofpoint threat researcher Michael Raggi wrote in an email. “Since late 2022, TA473 has invested an ample amount of time studying the webmail portals of European government entities and scanning publicly facing infrastructure for vulnerabilities all in an effort to ultimately gain access to emails of those closely involved in government affairs and the Russia-Ukraine war.”


      Hackers drain bitcoin ATMs of $1.5 million by exploiting 0-day bug

      news.movim.eu / ArsTechnica · Tuesday, 21 March, 2023 - 20:03 · 1 minute

    A BATM sold by General Bytes. (credit: General Bytes)

    Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.

    The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that aren’t entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface.

    Going, going, gone

    Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASes operated by the company and by customers. To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application. The actor then drained various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes patched the vulnerability 15 hours after learning of it, but due to the way cryptocurrencies work, the losses were unrecoverable.


      US Cyber Command Operations During the 2022 Midterm Elections

      news.movim.eu / Schneier · Tuesday, 24 January, 2023 - 21:00

    The head of both US Cyber Command and the NSA, Gen. Paul Nakasone, broadly discussed that first organization’s offensive cyber operations during the runup to the 2022 midterm elections. He didn’t name names, of course:

    “We did conduct operations persistently to make sure that our foreign adversaries couldn’t utilize infrastructure to impact us,” said Nakasone. “We understood how foreign adversaries utilize infrastructure throughout the world. We had that mapped pretty well. And we wanted to make sure that we took it down at key times.”

    Nakasone noted that Cybercom’s national mission force, aided by NSA, followed a “campaign plan” to deprive the hackers of their tools and networks. “Rest assured,” he said. “We were doing operations well before the midterms began, and we were doing operations likely on the day of the midterms.” And they continued until the elections were certified, he said.

    We know Cybercom did similar things in 2018 and 2020, and presumably will again in two years.


      A widespread logic controller flaw raises the specter of Stuxnet

      news.movim.eu / ArsTechnica · Wednesday, 11 January, 2023 - 19:41 · 1 minute


    In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them.

    The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013. Firmware is the low-level code that coordinates hardware and software on a computer. The vulnerability stems from a basic error in how the cryptography is implemented, but Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip. As a result, Siemens says it has no fix planned for any of the 122 S7-1500 PLC models that the company lists as being vulnerable.
