Brickstorm used to backdoor into critical US networks for over a year

Chinese cyberspies maintained long-term access to critical networks – sometimes for years – and used this access to infect computers with malware and steal data, according to Thursday warnings from government agencies and private security firms.

PRC-backed goons infected at least eight government services and IT organizations with Brickstorm backdoors, according to a joint security alert from the US Cybersecurity and Infrastructure Security Agency, the US National Security Agency, and the Canadian Cyber Security Centre.

However, “it’s a logical conclusion to assume that there are additional victims out there that we have not yet had the opportunity to communicate with,” CISA’s Nick Andersen, executive assistant director for cybersecurity, told reporters on Thursday, describing Brickstorm as a “terribly sophisticated piece of malware.”

The backdoor works across Linux, VMware, and Windows environments, and while Andersen declined to attribute the malware infections to a specific People’s Republic of China cyber group, he said it illustrates the threat PRC crews pose to US critical infrastructure.

“State-sponsored actors are not just infiltrating networks,” Andersen said. “They’re embedding themselves to enable long term access, disruption, and potential sabotage.”

In one incident that CISA responded to, the PRC goons gained access to the organization’s internal network in April 2024, uploaded Brickstorm to an internal VMware vCenter server, and used the backdoor for persistent access until at least September 3.

While in the victim’s network, the crew also gained access to two domain controllers and an Active Directory Federation Services server, which they used to steal cryptographic keys.

Google Threat Intelligence, which first sounded the alarm on Brickstorm in a September report, “strongly” recommended organizations run the open-source scanner that Google-owned Mandiant published on GitHub to help detect the backdoor on their appliances.

“We believe dozens of organizations in the US have been impacted by Brickstorm, not including downstream victims,” Google Threat Intelligence Group principal analyst Austin Larsen told The Register. “These actors are still actively targeting US organizations and are evolving Brickstorm and their techniques after our September report.”

[…]

Source: PRC spies Brickstormed their way into critical US networks • The Register

Cloudflare suffers second outage in as many months

Routine Cloudflare maintenance went awry this morning, knocking over the company’s dashboard and API and sending sites around the world into error screens.

Cloudflare was working through its scheduled servicing when things went sideways. Maintenance was in progress in its Chicago datacenter from 0700 UTC, with work due to begin in its Detroit datacenter at 0900 UTC when red lights began flashing at administrators around the world.

Cloudflare status this morning

The content delivery network giant admitted a problem with its service at 0856 UTC, rolled out a fix shortly after, and seemed to be back up and running by 0930 UTC. It has, however, now reported issues with Workers (the serverless functions, not the employees likely frantically trying to stop the company’s systems from falling over again).

Cloudflare on Down Detector

We’ve asked the company for more information, and will update this piece should an explanation be forthcoming.

Cloudflare proudly proclaims that “20 percent of all websites are protected by Cloudflare.” Unfortunately, this also means that 20 percent of all websites could catch a cold should Cloudflare sneeze. Two outages in two months is less than ideal, and could cause affected customers to take a hard look at their dependencies.

[…]

A spokesperson at Cloudflare sent us a statement after publication:

“A change made to how Cloudflare’s Web Application Firewall parses requests impacted the availability of Cloudflare’s network at approximately 8:47 GMT and concluded approximately 9:13 GMT. This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components.”

Source: Cloudflare suffers second outage in as many months • The Register

New hotness in democracy: if the people say no to mass surveillance, do it again right after you have said you won’t. Not the EU this time: it’s India

You know what they say: If at first you don’t succeed at mass government surveillance, try, try again. Only two days after India backpedaled on its plan to force smartphone makers to preinstall a state-run “cybersecurity” app, Reuters reports that the country is back at it. It’s said to be considering a telecom industry proposal with another draconian requirement. This one would require smartphone makers to enable always-on satellite-based location tracking (Assisted GPS).

The measure would require location services to remain on at all times, with no option to switch them off. The telecom industry also wants phone makers to disable notifications that alert users when their carriers have accessed their location.

[…]

Source: India is reportedly considering another draconian smartphone surveillance plan

Looks like the Indians took a page out of the Danish playbook for Chat Control and for turning the EU into a 1984 Brave New World

Kohler Can Access Data and Pictures from Toilet Camera It Describes as “End-to-End Encrypted”

In October Kohler launched Dekoda, a $600 (plus monthly subscription) device that attaches to the rim of your toilet and collects images and data from inside, promising to track and provide insights on gut health, hydration, and more. To allay the obvious privacy concerns, the company emphasizes the sensors are only pointed down, into the bowl, and assures potential buyers that the data collected by the device and app are protected with “end-to-end encryption”.

Kohler Health’s homepage, the page for the Kohler Health App, and a support page all use the term “end-to-end encryption” to describe the protection the app provides for data. Many media outlets included the claim in their articles covering the launch of the product.

However, responses from the company make it clear that—contrary to common understanding of the term—Kohler is able to access data collected by the device and associated application. Additionally, the company states that the data collected by the device and app may be used to train AI models.

[…]

Emails exchanged with Kohler’s privacy contact clarified that the other “end” that can decrypt the data is Kohler themselves: “User data is encrypted at rest, when it’s stored on the user’s mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user’s devices and our systems, where it is decrypted and processed to provide our service.”

They additionally told me “We have designed our systems and processes to protect identifiable images from access by Kohler Health employees through a combination of data encryption, technical safeguards, and governance controls.”

What Kohler is referring to as E2EE here is simply HTTPS encryption between the app and the server, something that has been basic security practice for two decades now, plus encryption at rest.

[…]

Source: Kohler Can Access Data and Pictures from Toilet Camera It Describes as “End-to-End Encrypted” – /var/log/simon

Subaru Owners Are Ticked About In-Car Pop-Up Ads for SiriusXM

I’ve written about Stellantis brands doing this twice already in 2025, and this time, it’s Subaru sending pop-up ads for SiriusXM to owners’ infotainment screens.

The Autopian ran a story on the egregious push notifications on Monday, and it only took a short search to find more examples. It happened right around Thanksgiving, as the promotion urged drivers to “Enjoy SiriusXM FREE thru 12/1.” That day has come and gone, but not before it angered droves of Subaru owners.

“I have got this Sirius XM ad a few times over the last couple of years,” the caption on the embedded Reddit thread reads. “This last time was the final straw as I almost wrecked because of it. My entire infotainment screen changed which caused me to take my eyes off the road and since I was going 55mph in winter I swerved a bit and slid and almost went off into a ditch. Something that would not have happened had this ad not popped up.”

[…]

At least one 2024 Crosstrek owner reported that the pop-up took over their screen even though they were using Apple CarPlay. To force-close an application that’s in use, solely for the sake of in-car advertising, is especially egregious.

[…]

Reddit posts dating back as far as 2023 show owners complaining about in-car notifications.

[…]

Source: Subaru Owners Are Ticked About In-Car Pop-Up Ads for SiriusXM

New Baldness Drug Boosted Hair Growth by 168% – 539% in Trials

[…] On Wednesday, Cosmo Pharmaceuticals announced the results of its two phase III trials testing out the topical drug clascoterone for AGA. Compared to placebo, people on clascoterone gained back significantly more hair—with one trial showing a roughly 500% improvement in hair restoration. The results will pave the way for a potential FDA approval next year, which could make clascoterone the first truly novel treatment for pattern baldness seen in decades.

First-in-class

Male pattern baldness is primarily caused by having genes that make a person’s hair follicles overly sensitive to androgens (male-related sex hormones), particularly the hormone dihydrotestosterone (DHT).

There are effective medications for AGA, such as minoxidil (the active ingredient in Rogaine) and finasteride, as well as other interventions like hair transplants. But all of these treatments have potential drawbacks (including cost) or may not work for everyone.

Cosmo is hoping that clascoterone can become the first of a new class of hair loss drugs. The topical drug is an androgen receptor inhibitor, meaning it directly targets the hormones that help cause the loss of hair follicles in AGA. The Dublin-based company also argues that clascoterone isn’t systemically absorbed by the body, minimizing the risk of potential side effects.

Its two pivotal trials involved nearly 1,500 male patients diagnosed with AGA. The volunteers were randomized to receive a placebo or a topical clascoterone 5% solution on affected parts of their scalp. Both trials met their primary goal. In one, clascoterone users experienced a 539% improvement in the amount of hair grown relative to placebo, while in the other, there was a 168% improvement. According to the company, however, the absolute amount of regrown hair seen during the trials was similar between the two treatment groups. Clascoterone also appeared to be safe and tolerable, the company said, with most adverse events recorded during the studies not related to the drug itself.

[…]

Source: New Baldness Drug Boosted Hair Growth by 539% in Trials

Build Your Own Glasshole Detector

Connected devices are ubiquitous in our era of wireless chips heavily relying on streaming data to someone else’s servers. This sentence might already start to sound dodgy, and it doesn’t get better when you think about today’s smart glasses, like the ones built by Meta (aka Facebook).

[sh4d0wm45k] doesn’t shy away from fighting fire with fire, and shows you how to build a wireless device that detects Meta’s smart glasses – or any other company’s Bluetooth devices, really, as long as you can match them by the beginning of the Bluetooth MAC address.

[sh4d0wm45k]’s device is a mini light-up sign saying “GLASSHOLE”, that turns bright white as soon as a pair of Meta glasses is detected in the vicinity. Under the hood, a commonly found ESP32 devboard suffices for the task, coupled to two lines of white LEDs on a custom PCB. The code is super simple, sifting through packets flying through the air, and lets you easily contribute with your own OUIs (Organizationally Unique Identifier, first three bytes of a MAC address). It wouldn’t be hard to add such a feature to any device of your own with Arduino code under its hood, or to rewrite it to fit a platform of your choice.
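A worked version of the OUI-prefix check described above, written here as an added example rather than [sh4d0wm45k]’s own firmware: it parses advertised addresses, skips BLE random and locally administered addresses (they carry no OUI, so prefix matching cannot identify them), and counts watchlisted devices in one scan window. The two OUIs and the scan results are constructed placeholders; the page names no real vendor prefix.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Watchlist entry: 3-byte OUI (first three bytes of a public Bluetooth MAC)
   plus label. The page names no specific Meta OUI; these are placeholders. */
typedef struct { uint8_t oui[3]; const char *label; } oui_entry_t;
static const oui_entry_t WATCHLIST[] = {
    {{0x00, 0x11, 0x22}, "placeholder vendor A"},
    {{0xA8, 0xBB, 0xCC}, "placeholder vendor B"},
};
#define WATCHLIST_LEN (sizeof WATCHLIST / sizeof WATCHLIST[0])

static int hexval(char c) {
    c = (char)tolower((unsigned char)c);
    if (c >= '0' && c <= '9') return c - '0';
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Parse "aa:bb:cc:dd:ee:ff" (':' or '-' separators) into 6 bytes. Any
   malformed input returns false, so a garbled packet can never match. */
bool parse_mac(const char *s, uint8_t out[6]) {
    for (int i = 0; i < 6; i++) {
        int hi = hexval(s[3 * i]), lo = hexval(s[3 * i + 1]);
        if (hi < 0 || lo < 0) return false;
        out[i] = (uint8_t)((hi << 4) | lo);
        char sep = s[3 * i + 2];
        if (i < 5 ? (sep != ':' && sep != '-') : (sep != '\0')) return false;
    }
    return true;
}
/* Index of the matching watchlist entry, or -1. BLE random addresses (the
   scanner reports their type as "random") are not drawn from an OUI, so they
   never match; nor do locally administered ones (bit 1 of the first octet). */
int match_oui(const uint8_t mac[6], bool is_random_addr) {
    if (is_random_addr || (mac[0] & 0x02)) return -1;
    for (size_t i = 0; i < WATCHLIST_LEN; i++)
        if (memcmp(mac, WATCHLIST[i].oui, 3) == 0) return (int)i;
    return -1;
}
/* Same, from an address string; -2 means the string was malformed. */
int match_oui_str(const char *addr, bool is_random_addr) {
    uint8_t mac[6];
    return parse_mac(addr, mac) ? match_oui(mac, is_random_addr) : -2;
}
/* One scan result, in the shape a BLE scan callback hands over. */
typedef struct { const char *addr; bool is_random; } scan_result_t;
/* Count watchlisted devices in one scan window; nonzero lights the LEDs. */
int count_watchlisted(const scan_result_t *results, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        int idx = match_oui_str(results[i].addr, results[i].is_random);
        if (idx >= 0) { printf("%s -> %s\n", results[i].addr, WATCHLIST[idx].label); hits++; }
    }
    return hits;
}
/* Constructed scan window: a public watchlisted device, a watchlisted prefix
   on a random address, an unrelated device, and a malformed entry. */
const scan_result_t SAMPLE_WINDOW[] = {
    {"00:11:22:33:44:55", false}, {"A8:BB:CC:01:02:03", true},
    {"DC:AD:BE:EF:00:01", false}, {"00:11:22:ZZ:44:55", false},
};
const size_t SAMPLE_WINDOW_LEN = sizeof SAMPLE_WINDOW / sizeof SAMPLE_WINDOW[0];
```

On real hardware the scan callback supplies the address string and its type; the random-address skip matters because many modern BLE devices advertise with private addresses, which an OUI list will never catch.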

We’ve been talking about smart glasses ever since Google Glass, but recently, with Meta’s offerings, the smart glasses debate has reignited. Due to inherent anti-social aspects of the technology, we can see what’d motivate one to build such a hack. Perhaps, the next thing we’ll see is some sort of spoofed packets shutting off the glasses, making them temporarily inoperable in your presence in a similar way we’ve seen with spamming proximity pairing packets onto iPhones.

Source: Build Your Own Glasshole Detector | Hackaday

Shopify goes down: Cyber Monday outage disrupting your online shopping

Here’s hoping the retailers offering tasty Cyber Monday deals that caught your eye aren’t having trouble with Shopify. The ecommerce platform is experiencing some issues. According to a support page, some merchants were having trouble logging into the Shopify platform, which was experiencing outages with the checkout and admin systems. Shopify’s point-of-sale (POS), API and mobile and support systems also saw “degraded performance.”

“We are continuing to investigate and apply mitigations for the issues with accessing Admins and POS systems,” Shopify wrote in an update at 12:39PM ET. “Some merchants may also see an issue with POS checkouts, due to not being able to access POS systems.”

At 2:31PM ET, the company posted an update to its status page, saying “We have found and fixed an issue with our login authentication flow, and are seeing signs of recovery for admin and POS login issues now. We are continuing to monitor recovery.” You might start to see some services go back to normal, and it should hopefully not impact your holiday shopping too much.

Shopify said in a blog post just last week that it powers 12 percent of ecommerce in the US. Brands including Netflix, Mattel, Supreme, Glossier and Converse are among those that use the platform.

When asked for more details about the outage, Shopify directed Engadget to its status page as well as a tweet posted at 10AM that read, “We’re aware of an issue with Admins impacting selected stores, and are working to resolve it.”

[…]

Source: Shopify is down: Updates on the Cyber Monday outage disrupting your online shopping

Netflix Is Killing Casting From Your Phone

[…]

Among other methods, like plugging a laptop directly into the TV, many people still enjoy casting their content from small screens to big screens. For years, this has been a reliable way to switch from watching Netflix on your smartphone or tablet to watching on your TV—you just tap the cast button, select your TV, and in a few moments, your content is beamed to the proper place. Your device becomes its own remote, with search built right in, and it avoids the need to sign into Netflix on TVs outside your home, such as when staying in hotels.

At least it did, but Netflix no longer wants to let you do it.

Netflix no longer supports casting on most devices

While you can still cast to your TV from other streaming platforms, there’s bad news for Netflix fans: The company has abruptly dropped casting support for most devices. Android Authority was the first to report on the change, though you might have stumbled upon the development yourself when looking for the cast button in the Netflix app. In fact, Netflix has prepared for your confusion, as you can see from this Netflix Help Center page titled “Can’t find ‘Cast’ button in Netflix app.” This page might offer a glimmer of hope at first, as you think “Oh good, Netflix has a solution if the Cast button is missing.” Unfortunately, the response isn’t going to make you happy: “Netflix no longer supports casting shows from a mobile device to most TVs and TV-streaming devices. You’ll need to use the remote that came with your TV or TV-streaming device to navigate Netflix.”

The exception here is for “older” Chromecast devices or TVs that work with Google Cast—but only if you pay for an ad-free Netflix plan. If you took Netflix up on its lower-cost subscription offer, those ads not only cost you extra watch time, but also your ability to cast—assuming you even have the older hardware to cast to.

[…]

Source: Netflix Is Killing Casting From Your Phone | Lifehacker

Korea’s Coupang says data breach exposed nearly 34M customers’ personal information

South Korean e-commerce platform Coupang over the weekend said nearly 34 million Korean customers’ personal information had been leaked in a data breach that had been ongoing for more than five months.

The company said it first detected the unauthorized exposure of 4,500 user accounts on November 18, but a subsequent investigation revealed that the breach had actually compromised about 33.7 million customer accounts in South Korea.

The breach affected customers’ names, email addresses, phone numbers, shipping addresses, and certain order histories, per Coupang. More sensitive data like payment information, credit card numbers, and login credentials was not compromised and remains secure, the company said.

Coupang said it has reported the incident to the Korea Internet & Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency.

One of South Korea’s biggest e-commerce platforms, Coupang also offers an online commerce service called “Rocket Delivery” in the country, and operates its marketplace in Taiwan. A Coupang spokesperson told TechCrunch that the investigation has found no evidence that consumer data from Coupang Taiwan or Rocket Now, its food delivery service in Japan, was affected in the data breach.

“According to the investigation so far, it is believed that unauthorized access to personal information began on June 24, 2025, via overseas servers,” the company said. “Coupang blocked the unauthorized access route, strengthened internal monitoring, and retained experts from a leading independent security firm.”

Police have reportedly identified at least one suspect, a former Chinese Coupang employee now abroad, after launching an investigation following a November 18 complaint.

[…]

Source: Korea’s Coupang says data breach exposed nearly 34M customers’ personal information | TechCrunch

India demands smartphone makers install government app

India’s government has issued a directive that requires all smartphone manufacturers to install a government app on every handset in the country and has given them 90 days to get the job done – and to ensure users can’t remove the code.

The app is called “Sanchar Saathi” and is a product of India’s Department of Telecommunications (DoT).

On Google Play and Apple’s App Store, the Department describes the app as “a citizen centric initiative … to empower mobile subscribers, strengthen their security and increase awareness about citizen centric initiatives.”

The app does those jobs by allowing users to report incoming calls or messages – even on WhatsApp – they suspect are attempts at fraud. Users can also report incoming calls for which caller ID reveals the +91 country code, as India’s government thinks that’s an indicator of a possible illegal telecoms operator.

Users can also block their device if they lose it or suspect it was stolen, an act that will prevent it from working on any mobile network in India.

Another function allows lookup of IMEI numbers so users can verify if their handset is genuine.

Spam and scams delivered by calls or TXTs are pervasive around the world, and researchers last year found that most Indian netizens receive three or more dodgy communiqués every day. This app has obvious potential to help reduce such attacks.

An announcement from India’s government states that cybersecurity at telcos is another reason for the requirement to install the app.

“Spoofed/ Tampered IMEIs in telecom network leads to situation where same IMEI is working in different devices at different places simultaneously and pose challenges in action against such IMEIs,” according to the announcement. “India has [a] big second-hand mobile device market. Cases have also been observed where stolen or blacklisted devices are being re-sold. It makes the purchaser abettor in crime and causes financial loss to them. The blocked/blacklisted IMEIs can be checked using Sanchar Saathi App.”

That motive is likely the reason India has required handset-makers to install Sanchar Saathi on existing handsets with a software update.

The directive also requires the app to be pre-installed, “visible, functional, and enabled for users at first setup.” Manufacturers may not disable or restrict its features and “must ensure the App is easily accessible during device setup.”

Those functions mean India’s government will soon have a means of accessing personal info on hundreds of millions of devices.

Apar Gupta, founder and director of India’s Internet Freedom Foundation, has criticized the directive on grounds that Sanchar Saathi isn’t fit for purpose. “Rather than resorting to coercion and mandating it to be installed the focus should be on improving it,” he wrote.

[…]

Source: India demands smartphone makers install government app • The Register