It’s not often that you see a new strain of Mac-targeted ransomware, but this week researchers dug into ThiefQuest, also called EvilQuest, a malware strain that keeps on giving—or taking, as it were. ThiefQuest appears to be Mac ransomware, but it doesn’t seem like its developers have any intention of decrypting victims’ files. Likely that points to a cash grab, since ThiefQuest also has a whole other set of malicious functionality that installs a persistent backdoor on victims’ computers, exfiltrates data, wields a keylogger, and scans for financial data like cryptocurrency wallets. The spyware/ransomware combo is being distributed through pirated software, so stick to legitimate app purveyors and you’ll avoid it.

Meanwhile, we took a look at the low bar for cybersecurity defenses in K-12 school systems around the United States and how the Covid-19 pandemic has put them at even greater risk. The emergency pivot to distance learning opened up new exposure for many schools, and compounded existing issues. Jaggar Henry, who graduated from high school last year in Polk County, Florida, presented a slew of (now fixed) vulnerabilities in his district’s systems at a school board hearing last summer. He also found and reported similar flaws to two private Florida universities. All of those findings motivated him to pursue a cybersecurity career in the education technology industry.

If you want a little privacy project for the holiday weekend, we’ve got you covered. As part of its macOS Big Sur announcement last week, Apple promised some big privacy improvements for the new version of Safari. For everyone out there who doesn’t use Macs or doesn’t want to transition to Safari, though, we made a guide to replicating as many of the privacy bumps as possible in Chrome or Firefox. Take a minute to change your settings and you’ll reduce how often you’re tracked across the web, improve your password security, and lower your risk of threats from extensions. Not bad for a few clicks.

And if you’re a real glutton for punishment, take a look back at the biggest hacks and breaches of the year so far. Troubling to think that 2020 may only just be getting warmed up! Plus, read on for even more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which was introduced to the Senate in March, passed a Judiciary Committee vote unanimously on Thursday. The bipartisan bill purports to focus on eliminating child sexual abuse material from digital platforms like social networks, but security and privacy experts as well as digital rights advocates have argued that in the process, EARN IT also creates major disincentives for companies to offer end-to-end encryption. The bill also comes as the Department of Justice ramps up its campaign to demand that tech companies provide encryption backdoors for law enforcement access. EARN IT was amended this week, but privacy advocates say that it still poses a substantial threat to encryption. The highly regarded end-to-end encrypted chat app Signal announced at the beginning of April that it would be forced to exit the US market if the EARN IT Act becomes law.

An investigation by French and Dutch police, Europol, and the United Kingdom’s National Crime Agency resulted in 746 arrests of prominent criminals across Europe and the seizure of guns, more than two tons of drugs, and more than $67 million. The law enforcement operation lasted more than three months and was made possible through police access to a secure communications platform called EncroChat, which offered encrypted messaging, disappearing messages, and an emergency data wiping feature. EncroChat, which has now been taken down, was only available on specially modified versions of Android. Law enforcement says that criminals used EncroChat as an illicit marketplace for hawking weapons and coordinating drug sales around the world. Police started accessing data from the platform on April 1 after reportedly cracking its encryption in March.

State-sponsored hacking groups around the world will likely exploit a critical security vulnerability disclosed this week, according to an alert from US Cyber Command. The bug is in the PAN-OS operating system, which runs in network equipment, like VPN hardware and firewalls, from the enterprise giant Palo Alto Networks. The vulnerability would allow attackers to access target networks as administrators. From there, they would have broad system control. The vulnerability only occurs in certain device configurations, limiting the number of potentially vulnerable networks to a degree. But when the bug is present it is both remotely accessible and trivial for attackers to exploit—the worst combination. “Please patch all devices affected by CVE-2020-2021 immediately,” Cyber Command warned. “Foreign APTs will likely attempt exploit soon.”

Twenty-five apps, all made by the same developer and together downloaded more than 2.3 million times, were caught stealing users’ Facebook usernames and passwords. Google removed them from the Play Store this month and disabled the apps on users’ phones. The cybersecurity firm Evina first disclosed findings about the malicious apps to Google. The apps offered legitimate services like wallpaper generators, flashlight features, games, step counters, and image editors, but they were also designed to detect when a user opened the Facebook app. At that point, the malicious apps would launch a web browsing window with a fake Facebook login page on top of the Facebook app and prompt users to enter their credentials.


More Great WIRED Stories