Android malware can factory-reset phones after draining bank accounts

A banking-fraud trojan that has been targeting Android users for three years has been updated to create even more grief. Besides draining bank accounts, the trojan can now activate a kill switch that performs a factory reset and wipes infected devices clean.

Brata was first documented in a post from security firm Kaspersky, which reported that the Android malware had been circulating since at least January 2019. The malware spread primarily through Google Play but also through third-party marketplaces, push notifications on compromised websites, sponsored links on Google, and messages delivered by WhatsApp or SMS. At the time, Brata targeted people with accounts from Brazil-based banks.

Covering its malicious tracks

Now Brata is back with a host of new capabilities, the most significant of which is the ability to perform a factory reset on infected devices to erase any trace of the malware after an unauthorized wire transfer has been attempted. Security firm Cleafy Labs, which first reported the kill switch, said other features recently added to Brata include GPS tracking, improved communication with control servers, the ability to continuously monitor victims’ bank apps, and the ability to target the accounts of banks located in additional countries. The trojan now works with banks located in Europe, the US, and Latin America.

A bug lurking for 12 years gives attackers root on every major Linux distro

Linux users on Tuesday got a major dose of bad news—a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running any major distribution of the open source operating system.

Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.

Trivial to exploit and 100 percent reliable

Like most OSes, Linux provides a hierarchy of permission levels that controls when and what apps or users can interact with sensitive system resources. The design is intended to limit the damage that can happen if the app is hacked or malicious or if a user isn’t trusted to have administrative control of a network.

Booby-trapped sites delivered potent new backdoor trojan to macOS users

Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website.

The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include:

  • victim device fingerprinting
  • screen capture
  • file download/upload
  • execute terminal commands
  • audio recording
  • keylogging

Deep pockets, top-notch talent

Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy—as well as the exploit chain used to install it—is impressive. It also doesn’t appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual.

Starlink preps rugged user terminal that may avoid “thermal shutdown” problem

Image caption: The current Starlink user terminal. Images of the planned ruggedized terminal aren’t available yet. (credit: Starlink)

SpaceX’s Starlink division is planning a new ruggedized satellite dish that can operate in hotter and colder temperatures. This is the second ruggedized Starlink dish the company has revealed—the first is designed for vehicles, ships, and aircraft, while the newer one is a fixed earth station that would provide broadband to buildings.

SpaceX asked the Federal Communications Commission for permission to deploy the “high-performance fixed earth stations” (or “HP terminals”) in an application filed Friday. PCMag wrote an article about the application yesterday.

“Compared to other user terminals SpaceX Services has been authorized to deploy, the HP model has been ruggedized to handle harsher environments so that, for example, it will be able to continue to operate at greater extremes of heat and cold, will have improved snow/ice melt capabilities, and will withstand a greater number of thermal cycles,” SpaceX told the FCC. SpaceX said its application should be approved because the terminals will extend the Starlink network to “a range of much more challenging environments.”

Dark Souls servers taken down following discovery of critical vulnerability

Bandai Namco, publisher of the Dark Souls role-playing game series, has taken down its player-versus-player servers while it investigates reports of a serious vulnerability that allows players to execute malicious code on the PCs of fellow players.

Word of the critical remote-code-execution flaw emerged over the weekend in Reddit threads here and here. An exploit that hit a user named The_Grim_Sleeper was captured in a video stream posted over the weekend. Starting around 1:20:22, the user’s game crashed, and a robotic voice mocked his gameplay and maturity level.

“What the fuck,” The_Grim_Sleeper said in response. “My game just crashed, and immediately Powershell opened up and started narrating a fucking” screed. “I didn’t even know that shit was possible.”

AT&T announces multi-gigabit fiber: $110 a month for 2Gbps, $180 for 5Gbps

AT&T has started offering 2Gbps and 5Gbps symmetrical Internet speeds over its fiber-to-the-home network, the telecom company announced today. The multi-gigabit speeds are available to “nearly 5.2 million customer locations in parts of more than 70 metro areas, such as LA, Atlanta, and Dallas,” AT&T said.

AT&T is charging $110 per month plus taxes for its 2Gbps home-Internet plan and $180 per month plus taxes for the 5Gbps home-Internet plan. Business fiber prices are $225 per month for 2Gbps and $395 for 5Gbps. Base prices for other fiber home-Internet plans are $55 for 300Mbps, $65 for 500Mbps, and $80 for 1Gbps. The fine print notes that a “$99 installation fee may apply.”

AT&T imposes data caps on lower-end home-Internet plans but provides unlimited data on tiers with speeds of 100Mbps and above. AT&T’s announcement said its new fiber plans have “no equipment fees, no annual contract, no data caps, and no price increase at 12 months.” The 1Gbps and multi-gigabit plans also include HBO Max access.

Hacktivists say they hacked Belarus rail system to stop Russian military buildup

Image caption: Servicemen of Russia’s Eastern Military District units attend a welcoming ceremony as they arrive in Belarus to take part in joint military exercises. Russia’s military is combining its own means of transport with train travel. (credit: Getty Images)

Hacktivists in Belarus said on Monday they had infected the network of the country’s state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine.

Referring to the Belarus Railway, a group calling itself Cyber Partisans wrote on Telegram:

BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the “Peklo” cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed.

Dozens of databases have been cyberattacked, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, pass.rw.by, uprava, IRC, etc.

⚠ Automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations.

The group also announced the attack on Twitter.

A white supremacist website got hacked, airing all its dirty laundry

Image caption: Patriot Front members spray painting in Springfield, IL. (credit: Unicornriot.ninja)

Chat messages, images, and videos leaked from the server of a white supremacist group called the Patriot Front purport to show its leader and rank-and-file members conspiring in hate crimes, despite their claims that they were a legitimate political organization.

Patriot Front, or PF, formed in the aftermath of the 2017 Unite the Right rally, a demonstration in Charlottesville, Virginia where one of the attendees rammed his car into a crowd of counter-protesters, resulting in one death and 35 injuries. PF founder Thomas Rousseau started the group after an image posted online showed the now-convicted killer, James Alex Fields, Jr., posing with members of white supremacist group Vanguard America shortly before the attack. Vanguard America soon dissolved, and Rousseau rebranded it as PF with the goal of hiding any involvement in violent acts.

Since then, PF has strived to present itself as a group of patriots who are aligned with the ideals and values of the founders who defeated the tyranny of the British in the 18th century and paved the way for the United States to be born. In announcing the formation of PF in 2017, Rousseau wrote:

This 22-year-old builds chips in his parents’ garage

Image caption: Sam Zeloof completed this homemade computer chip with 1,200 transistors, seen under a magnifying glass, in August 2021. (credit: Sam Kang)

In August, chipmaker Intel revealed new details about its plan to build a “mega-fab” on US soil, a $100 billion factory where 10,000 workers will make a new generation of powerful processors studded with billions of transistors. The same month, 22-year-old Sam Zeloof announced his own semiconductor milestone. It was achieved alone in his family’s New Jersey garage, about 30 miles from where the first transistor was made at Bell Labs in 1947.

With a collection of salvaged and homemade equipment, Zeloof produced a chip with 1,200 transistors. He had sliced up wafers of silicon, patterned them with microscopic designs using ultraviolet light, and dunked them in acid by hand, documenting the process on YouTube and his blog. “Maybe it’s overconfidence, but I have a mentality that another human figured it out, so I can too, even if maybe it takes me longer,” he says.

Supply chain attack used legitimate WordPress add-ons to backdoor sites

Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on “quite a few” sites running the open source content management system.

The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from Jetpack, the maker of security software owned by Automattic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

Unknowingly providing access to the attacker

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean.

Red Cross implores hackers not to leak data for 515k “highly vulnerable people”

The Red Cross on Wednesday pleaded with the threat actors behind a cyberattack that stole the personal data of about 515,000 people who used a program that works to reunite family members separated by conflict, disaster or migration.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director-general of the International Committee for the Red Cross, said in a release. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

Wednesday’s release said the personal data was obtained through the hack of a Switzerland-based subcontractor that stores data for the Red Cross. The data was compiled by at least 60 different Red Cross and Red Crescent National Societies worldwide. The ICRC said it has no “immediate indications as to who carried out this cyber-attack” and is so far unaware of any of the compromised information being leaked or shared publicly.

If you like the data on your WD My Cloud OS 3 device, patch it now

Western Digital has patched three critical vulnerabilities—one with a severity rating of 9.8 and another with a 9.0—that make it possible for hackers to steal data or remotely hijack storage devices running version 3 of the company’s My Cloud OS.

CVE-2021-40438, as one of the vulnerabilities is tracked, allows remote attackers with no authentication to make devices forward requests to servers of the attackers’ choosing. Like the other two flaws Western Digital fixed, it resides in the Apache HTTP Server versions 2.4.48 and earlier. Attackers have already successfully exploited it to steal hashed passwords from a vulnerable system, and exploit code is readily available.

The vulnerability with a severity rating of 9 out of a maximum 10 stems from a Server-Side Request Forgery. This class of bug lets attackers funnel malicious requests to internal systems that are behind firewalls or otherwise not accessible outside a private network. It works by inducing server-side applications to make HTTP requests to an arbitrary domain of the attacker’s choosing.

FAA clears Boeing 777 and other planes after 5G warning halted some flights

Image caption: A Boeing 777. (credit: Boeing)

The Federal Aviation Administration today said it has cleared 62 percent of US commercial airplanes to perform low-visibility landings at airports where AT&T and Verizon are deploying 5G on C-band spectrum this week.

Several international airlines previously canceled some flights to the US after Boeing issued a recommendation to not fly the 777 into airports where carriers are deploying 5G on the C-band. However, the 777 planes—or at least those that have altimeters capable of filtering out C-band transmissions—were on the FAA’s new list of cleared aircraft. The FAA has been granting Alternate Means of Compliance (AMOCs) to operators with altimeters that are safe to use.

“Airplane models with one of the five cleared altimeters include some Boeing 717, 737, 747, 757, 767, 777, MD-10/-11 and Airbus A300, A310, A319, A320, A330, A340, A350 and A380 models,” the FAA said in a statement issued shortly after 2 pm EST today. These airplanes are now authorized “to perform low-visibility landings at airports where wireless companies deployed 5G C-band,” the FAA said. The word “some” indicates that not every plane with the mentioned model numbers has an approved altimeter.

Microsoft fixes Patch Tuesday bug that broke VPN in Windows 10 and 11

Microsoft’s monthly Patch Tuesday updates for Windows are generally meant to fix problems, but that isn’t how it always goes. January’s updates, released last week, caused a handful of problems for businesses in particular. The most serious, especially for people still dealing with pandemic-driven remote-work setups, was a bug that broke certain kinds of VPN connections. Microsoft has provided fixes for this and other issues as of today, a few days after acknowledging the problem on its Known Issues page.

According to Microsoft’s documentation and reporting from Bleeping Computer, the VPN connection issues affected “IPSEC connections which contain a Vendor ID,” as well as L2TP and IPSEC IKE VPN connections in Windows 10, Windows 11, and Windows Server versions 2022, 20H2, 2019, and 2016. Windows’ built-in VPN client seems to be the most commonly affected, but third-party VPN clients using these kinds of connections could also run into the error.

The latest round of Patch Tuesday updates also caused some problems for Windows Server, including unexpected reboots for domain controllers and failed boots for Hyper-V virtual machines. These problems have all been resolved by other out-of-band patches, though not before causing problems for beleaguered IT admins.

Safari and iOS users: Your browsing activity is being leaked in real time

For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin—meaning the protocol, domain name, and port of a given webpage or app—from interacting with resources from other origins. Without this policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.

Obvious privacy violation

Since September’s release of Safari 15 and iOS and iPadOS 15, this policy has been broken wide open, research published late last week found. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.

Microsoft warns of destructive disk wiper targeting Ukraine

Over the past few months, geopolitical tensions have escalated as Russia amassed tens of thousands of troops along Ukraine’s border and made subtle but far-reaching threats if Ukraine and NATO don’t agree to Kremlin demands.

Now, a similar dispute is playing out in cyber arenas, as unknown hackers late last week defaced scores of Ukrainian government websites and left a cryptic warning to Ukrainian citizens who attempted to receive services.

Be afraid and expect the worst

“All data on the computer is being destroyed, it is impossible to recover it,” said a message, written in Ukrainian, Russian, and Polish, that appeared late last week on at least some of the infected systems. “All information about you has become public, be afraid and expect the worst.”

Backdoor for Windows, macOS, and Linux went undetected until now

Researchers have uncovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines.

Researchers from security firm Intezer said they discovered SysJoker—the name they gave the backdoor—on the Linux-based Webserver of a “leading educational institution.” As the researchers dug in, they found SysJoker versions for both Windows and macOS as well. They suspect the cross-platform malware was unleashed in the second half of last year.

The discovery is significant for several reasons. First, fully cross-platform malware is something of a rarity, with most malicious software being written for a specific operating system. The backdoor was also written from scratch and made use of four separate command-and-control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for previously unseen Linux malware to be found in a real-world attack.

North Korean hackers stole nearly $400 million in crypto last year

The past year saw a breathtaking rise in the value of cryptocurrencies like Bitcoin and Ethereum, with Bitcoin gaining 60 percent in value in 2021 and Ethereum spiking 80 percent. So perhaps it’s no surprise that the relentless North Korean hackers who feed off that booming crypto economy had a very good year as well.

North Korean hackers stole a total of $395 million worth of crypto coins last year across seven intrusions into cryptocurrency exchanges and investment firms, according to blockchain analysis firm Chainalysis. The nine-figure sum represents a nearly $100 million increase over the previous year’s thefts by North Korean hacker groups, and it brings their total haul over the past five years to $1.5 billion in cryptocurrency alone—not including the uncounted hundreds of millions more the country has stolen from the traditional financial system. That hoard of stolen cryptocurrency now contributes significantly to the coffers of Kim Jong-un’s totalitarian regime as it seeks to fund itself—and its weapons programs—despite the country’s heavily sanctioned, isolated, and ailing economy.

Russia says it has neutralized the cutthroat REvil ransomware gang

Russian law enforcement authorities said on Friday that they have arrested 14 people associated with REvil, a top ransomware group that has disrupted critical operations of wealthy targets and held their data hostage.

The action, carried out by Russia’s FSB, the successor agency to the KGB, is a rare example of the country’s government cracking down on cybercrime by its citizens. The US and Russia have no extradition treaty in place, and critics have said the Kremlin routinely harbors cybercriminals as long as they don’t target organizations located in the former Soviet Union. The arrests come as tensions between Russia and the US escalate over a standoff involving Ukraine.

Big-game hunter neutralized

“The FSB of Russia established the full composition of the criminal community ‘REvil’ and the involvement of its members in the illegal circulation of means of payment and documented illegal activities,” Russian officials wrote. “In order to implement the criminal plan, these persons developed malicious software and organized the theft of funds from the bank accounts of foreign citizens and their cashing, including by purchasing expensive goods on the Internet.”

Ukraine says government websites hit by “massive cyber attack”

Image caption: A Ukrainian Military Forces serviceman watches through a spyglass in a trench on the frontline with Russia-backed separatists near Avdiivka, southeastern Ukraine, on January 9, 2022. (credit: Anatolii Stepanov | Getty Images)

Ukraine said it was the target of a “massive cyber attack” after about 70 government websites ceased functioning.

On Friday morning, targets included the websites of the ministerial cabinet and the foreign, education, agriculture, emergency, energy, veterans affairs, and environment ministries. Also out of service were the websites of the state treasury and the Diia electronic public services platform, where vaccination certificates and electronic passports are stored.

“Ukrainians! All your personal data has been uploaded to the public network,” read a message temporarily posted on the foreign ministry’s website. “All data on your computer is being erased and won’t be recoverable. All information about you has become public, fear and expect the worst.”

New Chrome security measure aims to curtail an entire class of Web attack

For more than a decade, the Internet has remained vulnerable to a class of attacks that uses browsers as a beachhead for accessing routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.

Starting in Chrome version 98, the browser will begin relaying requests when public websites want to access endpoints inside the private network of the person visiting the site. For the time being, requests that fail won’t prevent the connections from happening. Instead, they’ll only be logged. Somewhere around Chrome 101—assuming the results of this trial run don’t indicate major parts of the Internet will be broken—it will be mandatory for public sites to have explicit permission before they can access endpoints behind the browser.

The planned deprecation of this access comes as Google enables a new specification known as private network access, which permits public websites to access internal network resources only after the sites have explicitly requested it and the browser grants the request. PNA communications are sent using the CORS, or Cross-Origin Resource Sharing, protocol. Under the scheme, the public site sends a preflight request in the form of the new header Access-Control-Request-Private-Network: true. For the request to be granted, the browser must respond with the corresponding header Access-Control-Allow-Private-Network: true.

Developer sabotages his own apps, then claims Aaron Swartz was murdered

The developer who sabotaged two of his own open source code libraries, causing disruptions for thousands of apps that used them, has a colorful past that includes embracing a QAnon theory involving Aaron Swartz, the well-known hacktivist and programmer who died by suicide in 2013.

Marak Squires, the author of two JavaScript libraries with more than 21,000 dependent apps and more than 22 million weekly downloads, updated his projects late last week after they remained unchanged for more than a year. The updates contained code to produce an infinite loop that caused dependent apps to spew gibberish, prefaced by the words “Liberty Liberty Liberty.” The update sent developers scrambling as they attempted to fix their malfunctioning apps.

What really happened with Aaron Swartz?

Squires provided no reason for the move, but in a readme file accompanying last week’s malicious update, he included the words “What really happened with Aaron Swartz?”

Patch systems vulnerable to critical Log4j flaws, UK and US officials warn

Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that allows them to gain full control of affected systems, the UK’s publicly funded healthcare system is warning.

CVE-2021-44228 is one of the most severe vulnerabilities to come to light in the past few years. It resides in Log4J, a system-logging code library used in thousands if not millions of third-party applications and websites. That means there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install Web shells, which provide a command window for executing highly privileged commands on hacked servers.

The remote-code execution flaw in Log4J came to light in December after exploit code was released before a patch was available. Malicious hackers quickly began actively exploiting CVE-2021-44228 to compromise sensitive systems.

5 months on, Apple has yet to fix iOS bug that sends devices into a crash spiral

Apple has been taking its time fixing an iOS bug that makes it easy for miscreants to completely disable an iOS device unless the victim performs a factory restore and follows other cumbersome steps, a researcher said.

HomeKit is an Apple-designed communication protocol that allows people to use their iPhones or iPads to control lights, TVs, alarms, and other home or office appliances. Users can configure their devices to automatically discover appliances on the same network, and they can also share those settings with other people so they can use their own iPhones or iPads to control the appliances. The sharing feature makes it easy to allow new people—say, a housesitter or babysitter—to control a user’s appliances.

Trevor Spiniolas, a self-described programmer and “beginning security researcher,” said recently that a bug in the feature allows someone to send an iOS device into an unending crash spiral. It can be triggered by using an extremely long name—up to 500,000 characters in length—to identify one of the smart devices and then getting a user to accept an invitation to that network.


#biz-it, #denial-of-service, #dos, #ios

Coming to a laptop near you: A new type of security chip from Microsoft


In November 2020, Microsoft unveiled Pluton, a security processor the company designed to thwart some of the most sophisticated types of hack attacks. On Tuesday, AMD said it would integrate the chip into its upcoming Ryzen CPUs for use in Lenovo’s ThinkPad Z Series of laptops.

Microsoft already used Pluton to secure Xbox Ones and Azure Sphere microcontrollers against attacks that involve people with physical access opening device cases and performing hardware hacks that bypass security protections. Such hacks are usually carried out by device owners who want to run unauthorized games or programs for cheating.

Now, Pluton is evolving to secure PCs against malicious physical hacks designed to install malware or steal cryptographic keys or other sensitive secrets. While many systems already have trusted platform modules or protections such as Intel’s Software Guard Extensions to secure such data, the secrets remain vulnerable to several types of attacks.


#amd, #biz-it, #lenovo, #pluton, #ryzen, #security, #thinkpad

Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email worldwide


Microsoft has released a fix for a harebrained Exchange Server bug that shut down on-premises mail delivery around the world just as clocks were chiming in the new year.

The mass disruption stemmed from a date check failure in Exchange Server 2016 and 2019 that made it impossible for servers to accommodate the year 2022, prompting some to call it the Y2K22 bug. The mail programs stored dates and times as signed integers, which max out at 2147483647, or 2^31 – 1. Microsoft uses the first two numbers of an update version to denote the year it was released. As long as the year was 2021 or earlier, everything worked fine.

“What in the absolute hell Microsoft?”

When Microsoft released version 2201010001 on New Year’s Eve, however, on-premises servers crashed because they were unable to interpret the date. Consequently, messages got stuck in transport queues. Admins around the world were left frantically trying to troubleshoot instead of ringing in the New Year with friends and family. All they had to go on were two cryptic log messages that looked like this:


#2022, #biz-it, #bugs, #exchange-server, #microsoft

Noblewoman’s tomb reveals new secrets of ancient Rome’s highly durable concrete

The Tomb of Caecilia Metella is a mausoleum located just outside Rome at the three mile marker of the Via Appia. (credit: ivioandronico2013/CC BY-SA 4.0)

Among the many popular tourist sites in Rome is an impressive 2000-year-old mausoleum along the Via Appia known as the Tomb of Caecilia Metella, a noblewoman who lived in the first century CE. Lord Byron was among those who marveled at the structure, even referencing it in his epic poem Childe Harold’s Pilgrimage (1812-1818). Now scientists have analyzed samples of the ancient concrete used to build the tomb, describing their findings in a paper published in October in the Journal of the American Ceramic Society.

“The construction of this very innovative and robust monument and landmark on the Via Appia Antica indicates that [Caecilia Metella] was held in high respect,” said co-author Marie Jackson, a geophysicist at the University of Utah. “And the concrete fabric 2,050 years later reflects a strong and resilient presence.”

Like today’s Portland cement (a basic ingredient of modern concrete), ancient Roman concrete was basically a mix of a semi-liquid mortar and aggregate. Portland cement is typically made by heating limestone and clay (as well as sandstone, ash, chalk, and iron) in a kiln. The resulting clinker is then ground into a fine powder, with just a touch of added gypsum—the better to achieve a smooth, flat surface. But the aggregate used to make Roman concrete was made up of fist-size pieces of stone or bricks.


#12-days-of-christmas, #ancient-rome, #archaeology, #biz-it, #gaming-culture, #geology, #geophysics, #history, #materials-science, #roman-concrete, #science

End of the line finally coming for BlackBerry devices

The Blackberry Torch, the company’s first touchscreen phone, is held for display during its debut in New York in 2010. (credit: Bloomberg | Getty Images)

BlackBerry, the company that once dominated smart mobile devices, recently announced that it was finally discontinuing key services that support its phones. As of January 4th, the phones will no longer be provided with provisioning services, meaning that they will gradually lose the ability to join networks, including the cellular network.

It may seem difficult to imagine if you weren’t using cell phones at the time, but BlackBerry once dominated the smartphone market. Its keyboard-based hardware was widely adopted in corporate settings, in part because the services it provided typically ran through BlackBerry servers, allowing for high levels of security and control. An indication of its importance is that early internal builds of Android looked like a cheap BlackBerry knockoff, rather than the cheap iPhone knockoff that was eventually released.

Unlike the people who developed Android, BlackBerry’s leadership was blindsided by the iPhone’s popularity. It dismissed on-screen keyboards, and counted on its stranglehold on corporate services to maintain its market. It took over a year after the iPhone’s release for the company to come out with its own touch screen phone, and its software remained an awkward mix of old and new for some time after. In the meantime, corporate users fell in love with their Apple and Android phones, and compelled their IT departments to support them.


#biz-it, #blackberry, #end-of-life, #software

AWS suffers third outage of the month


December has been a rough month for Amazon—at least for Amazon Web Services. The massively popular cloud computing platform suffered its third outage of the month Wednesday, affecting Slack, the Epic Games Store, and several other services. 

The AWS Service Health Dashboard shows the problem lies within a data center in northern Virginia and affects customers in the US-EAST-1 Availability Zone. The first outage was reported at 7:35 am EST. 

Slack users began seeing problems shortly after the outage, and the Epic Games Store noted that the AWS outage was causing problems “affecting logins, library, purchases, etc.”


#amazon, #aws, #biz-it, #slack

The secret Uganda deal that has brought NSO to the brink of collapse

A man walks by the building entrance of Israeli cyber company NSO Group at one of its branches in the Arava Desert on November 11, 2021, in Sapir, Israel. (credit: Amir Levy | Getty Images)

In February 2019, an Israeli woman sat across from the son of Uganda’s president and made an audacious pitch—would he want to secretly hack any phone in the world?

Lt. General Muhoozi Kainerugaba, in charge of his father’s security and a long-whispered successor to Yoweri Museveni, was keen, said two people familiar with the sales pitch.

After all, the woman, who had ties to Israeli intelligence, was pitching him Pegasus, a piece of spyware so powerful that Middle East dictators and autocratic regimes had been paying tens of millions for it for years.


#0day, #biz-it, #black-hat, #hacking, #israel, #nso-group, #policy

YouTube TV loses ESPN, ABC, and all other Disney-owned channels


YouTube TV customers have lost access to all Disney-owned channels including ESPN and ABC, as the companies failed to agree on a new contract before the previous one expired last night. YouTube TV customers will automatically get a $15-per-month discount for as long as the Disney channels remain blacked out, reducing the base plan cost from $65 to $50.

“Members, we worked hard to avoid this but were unable to reach a fair deal with Disney,” YouTube TV said. “We regret to share that as of December 17, all Disney-owned channels are unavailable on YouTube TV. While Disney content remains off our platform, we’ll decrease our price by $15/month. We know how frustrating it is to lose channels like ESPN and your local ABC station, and will continue conversations with Disney in hopes of restoring their content for you.”

The list of channels no longer on YouTube TV includes all local ABC channels, ABC News Live, Disney Channel, Disney Junior, Disney XD, Freeform, FX, FXX, FXM, National Geographic, National Geographic Wild, ESPN, ESPN2, ESPNU, ESPNEWS, SEC Network, and ACC Network. YouTube TV posted details on how credits will be issued on this webpage.


#abc, #biz-it, #disney, #espn, #policy, #youtube-tv

Google warns that NSO hacking is on par with elite nation-state spies

A man walks by the building entrance of Israeli cyber company NSO Group at one of its branches in the Arava Desert on November 11, 2021, in Sapir, Israel. (credit: Amir Levy | Getty Images)

The Israeli spyware developer NSO Group has shocked the global security community for years with aggressive and effective hacking tools that can target both Android and iOS devices. The company’s products have been so abused by its customers around the world that NSO Group now faces sanctions, high-profile lawsuits, and an uncertain future. But a new analysis of the spyware maker’s ForcedEntry iOS exploit—deployed in a number of targeted attacks against activists, dissidents, and journalists this year—comes with an even more fundamental warning: Private businesses can produce hacking tools that have the technical ingenuity and sophistication of the most elite government-backed development groups.

Google’s Project Zero bug-hunting group analyzed ForcedEntry using a sample provided by researchers at the University of Toronto’s Citizen Lab, which published extensively this year about targeted attacks utilizing the exploit. Researchers from Amnesty International also conducted important research about the hacking tool this year. The exploit mounts a zero-click, or interactionless, attack, meaning that victims don’t need to click a link or grant a permission for the hack to move forward. Project Zero found that ForcedEntry used a series of shrewd tactics to target Apple’s iMessage platform, bypass protections the company added in recent years to make such attacks more difficult, and adroitly take over devices to install NSO’s flagship spyware implant Pegasus.

Apple released a series of patches in September and October that mitigate the ForcedEntry attack and harden iMessage against future, similar attacks. But the Project Zero researchers write in their analysis that ForcedEntry is still “one of the most technically sophisticated exploits we’ve ever seen.” NSO Group has achieved a level of innovation and refinement, they say, that is generally assumed to be reserved for a small cadre of nation-state hackers.


#biz-it, #forced-entry, #security, #wired

Google Play app with 500,000 downloads sent user contacts to Russian server


An Android app with more than 500,000 downloads from Google Play has been caught hosting malware that surreptitiously sends users’ contacts to an attacker-controlled server and signs up users to pricey subscriptions, a security firm reported.

The app, named Color Message, was still available on Google servers at the time this post was being prepared. Google removed it more than three hours after I asked the company for comment.

Ostensibly, Color Message enhances text messaging by doing things such as adding emojis and blocking junk texts. But researchers at Pradeo Security said on Thursday that Color Message contains a family of malware known as Joker, which has infected millions of Android devices in the past.


#android, #biz-it, #google-play, #joker, #malware

Backdoor gives hackers complete control over federal agency network


A US federal agency has been hosting a backdoor that can provide total visibility into and complete control over the agency network, and the researchers who discovered it have been unable to engage with the administrators responsible, security firm Avast said on Thursday.

The US Commission on International Freedom, associated with international rights, regularly communicates with other US agencies and international governmental and nongovernmental organizations. The security firm published a blog post after multiple attempts to report the findings directly and through channels the US government has in place failed. The post didn’t name the agency, but a spokeswoman did in an email.

Members of Avast’s threat intelligence team wrote:


#backdoors, #biz-it, #malware, #us-government

Comcast delays data caps in Northeast US for at least another year

Comcast’s xFi Advanced Gateway. (credit: Getty Images | Jeff Fusco)

Comcast says it won’t deploy data caps in the Northeast US in 2022, giving another year’s reprieve to 12 states and a few other areas where Comcast customers don’t face overage fees. “We don’t have plans to implement our data usage plan in our Northeast markets in 2022 at this time,” Comcast said, according to a Light Reading article.

Comcast confirmed that quote to Ars today but declined to provide any further statement when asked about plans for 2023 and beyond. Comcast’s statement came after Massachusetts state Rep. Andy Vargas, a Democrat, told WHAV that “the latest we have is that they have no intention of reintroducing the data caps at all, which is a huge win.”

Vargas and 70 other Massachusetts lawmakers slammed Comcast a year ago when it announced a plan to start enforcing the data cap in the Northeast starting in January 2021.


#biz-it, #comcast, #data-cap, #policy

Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit


Last Thursday, the world learned of an in-the-wild exploitation of a critical code-execution zero-day in Log4J, a logging utility used by just about every cloud service and enterprise network on the planet. Open-source developers quickly released an update that patched the flaw and urged all users to install it immediately.

Now, researchers are reporting that there are at least two vulnerabilities in the patch, released as Log4J 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets who have already applied the update. The researchers are urging organizations to install a new patch, released as version 2.16.0, as soon as possible to fix the vulnerability, which is tracked as CVE-2021-45046.

The earlier fix, researchers said late on Tuesday, “was incomplete in certain non-default configurations” and made it possible for attackers to perform denial-of-service attacks, which typically make it easy to take vulnerable services completely offline until victims reboot their servers or take other actions.


#biz-it

Ajit Pai and Tom Wheeler agree: The FAA is behaving badly in battle against FCC

Then-Federal Communications Commission Chairman Tom Wheeler (L) and FCC Commissioner Ajit Pai talk before testifying to the House Judiciary Committee on March 25, 2015 in Washington, DC. (credit: Getty Images | Chip Somodevilla)

Six former chairs of the Federal Communications Commission yesterday criticized the Federal Aviation Administration’s fight against a new 5G rollout on spectrum that the FCC has studied and deemed safe to use. Republicans Ajit Pai and Michael Powell joined with Democrats Tom Wheeler, Mignon Clyburn, Julius Genachowski, and Michael Copps in writing a letter describing their concerns about how the FAA has tried to undermine public confidence in the FCC’s decision-making process.

“The FAA should work with the FCC and the National Telecommunications and Information Administration (NTIA)… to assess and resolve the FAA’s concerns expeditiously, but this debate should not be fought publicly in a way that undermines consumer confidence in the process, nor should it require months of additional delays,” said the six former chairs’ letter, which was sent to FCC Chairwoman Jessica Rosenworcel and NTIA acting Administrator Evelyn Remaley.

The “FAA position threatens to derail the reasoned conclusions reached by the FCC after years of technical analysis and study,” the former chairs also wrote.


#5g, #altimeters, #biz-it, #faa, #fcc, #policy

YouTube TV warns it may lose all Disney-owned channels amid contract dispute


YouTube TV yesterday warned that it could lose all Disney-owned channels after Friday because of a contract dispute and said it will temporarily reduce its price by $15 a month if that happens.

“We’re now in negotiations with Disney to continue distributing their content on YouTube TV so you can continue watching everything from your favorite teams on ESPN to The Bachelor to Good Morning America. Our deal expires on Friday, December 17, and we haven’t been able to reach an equitable agreement yet, so we wanted to give you an early heads up so that you can understand your choices,” the Google-owned YouTube wrote in a blog post.

“[I]f we are unable to reach a deal by Friday, the Disney-owned channels will no longer be available on YouTube TV and we will decrease our monthly price by $15, from $64.99 to $49.99 (while this content remains off our platform),” the blog post said. YouTube noted that users can pause or cancel their YouTube TV subscriptions at any time and subscribe to the Disney Bundle for $13.99 a month.


#biz-it, #policy, #tech

Hackers launch over 840,000 attacks through Log4J flaw


Hackers including Chinese state-backed groups have launched more than 840,000 attacks on companies globally since last Friday, according to researchers, through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J.

Cyber security group Check Point said the attacks relating to the vulnerability had accelerated in the 72 hours since Friday, and that at some points its researchers were seeing more than 100 attacks a minute.

Perpetrators include “Chinese government attackers,” according to Charles Carmakal, chief technology officer of cyber company Mandiant.


#biz-it, #china, #hacking, #log4j, #security

As Log4Shell wreaks havoc, payroll service reports ransomware attack


As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest payroll processors is reporting a ransomware attack that has taken its systems offline for at least the next several weeks. So far, it’s not saying if that vulnerability was the means hackers used to breach the systems.

The company said on Sunday that services using the Kronos Private Cloud had been unavailable for the past day, with the attack taking down Kronos’ UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions services.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” Kronos representative Leo Daley wrote. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”


#biz-it, #log4shell, #ransomware

The Log4Shell zeroday 4 days on. What is it and how bad is it really?


Log4Shell is the name given to a critical zeroday vulnerability that surfaced on Thursday when it was exploited in the wild in remote-code compromises against Minecraft servers. The source of the vulnerability was Log4J, a logging utility used by thousands if not millions of apps, including those used inside just about every enterprise on the planet. The Minecraft servers were the proverbial canary in the coal mine.

In the four days since, it’s clear Log4Shell, also known as LogJam, is every bit as grave a threat as I claimed, with the list of cloud services affected reading like a who’s who of biggest names on the Internet. Threat analysts and researchers are still assessing the damage so far and the outlook over the next weeks and months. Here’s what you need to know for now.

What’s Log4J and what makes Log4Shell such a big deal? Log4J is an open-source Java-based logging tool available from Apache. It has the ability to perform network lookups using the Java Naming and Directory Interface to obtain services from the Lightweight Directory Access Protocol. The end result: Log4j will interpret a log message as a URL, go and fetch it, and even execute any executable payload it contains with the full privileges of the main program. Exploits are triggered inside text using the ${} syntax, allowing them to be included in browser user agents or other commonly-logged attributes.


#biz-it, #log4j, #log4shell, #vulnerabilities

The Internet’s biggest players are all affected by critical Log4Shell 0-day


The list of services with Internet-facing infrastructure that is vulnerable to a critical zero-day vulnerability in the open source Log4j logging utility is immense and reads like a who’s who of the biggest names on the Internet, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

The vulnerability, now going by the name Log4Shell, came to light on Thursday afternoon, when several Minecraft services and news sites warned of actively circulating attack code that exploited the vulnerability to execute malicious code on servers and clients running the world’s bestselling game. Soon, it became clear that Minecraft was only one of likely thousands of big-name services that can be felled by similar attacks.

A compilation of screenshots posted online documents how some of the world’s most popular and trusted cloud-based services react when they are fed parameters used in the attack. To wit:


#biz-it, #exploits, #log4j, #log4shell, #vulnerabilities

Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet


Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that’s used in countless apps, including those used by large enterprise organizations and also in Java versions of Minecraft, several websites reported last Thursday.

Word of the vulnerability first came to light on sites catering to users of Minecraft, the best-selling game of all time. The sites warned that hackers could execute malicious code on Minecraft servers or clients by manipulating log messages, including from things typed in chat messages. The picture became more dire still as Log4j was identified as the source of the vulnerability and exploit code was discovered posted online.

A big deal

“The Minecraft side seems like a perfect storm, but I suspect we are going to see affected applications and devices continue to be identified for a long time,” HD Moore, founder and CTO of network discovery platform Rumble, said. “This is a big deal for environments tied to older Java runtimes: Web front ends for various network appliances, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for mod compatibility.”


#biz-it, #log4j, #minecraft, #open-source, #vulnerability

300,000 MikroTik routers are ticking security time bombs, researchers say


As many as 300,000 routers made by Latvia-based MikroTik are vulnerable to remote attacks that can surreptitiously corral the devices into botnets that steal sensitive user data and participate in Internet-crippling DDoS attacks, researchers said.

The estimate, made by researchers at security firm Eclypsium, is based on Internet-wide scans that searched for MikroTik devices using firmware versions known to contain vulnerabilities that were discovered over the past three years. While the manufacturer has released patches, the Eclypsium research shows that a significant proportion of users has yet to install them.

“Given the challenges of updating MikroTik, there are large numbers of devices with these 2018 and 2019 vulnerabilities,” Eclypsium researchers wrote in a post. “Collectively, this gives attackers many opportunities to gain full control over very powerful devices, positioning them to be able to target devices both behind the LAN port as well as target other devices on the Internet.”


#biz-it, #miktotik, #routers, #vulnerabilities

Malicious packages sneaked into NPM repository stole Discord tokens


Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.

This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPI, or another repository. In many cases, the malicious package has a name that’s a single letter different than a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.


#biz-it, #malware, #open-source, #repositories

Tor is under threat from Russian censorship and Sybil attacks


The Tor anonymity service and anticensorship tool has come under fire from two threats in recent weeks: The Russian government has blocked most Tor nodes in that country, and hundreds of malicious servers have been relaying traffic.

Russia’s Federal Service for Supervision of Communications, Information Technology, and Mass Media, known as Roskomnadzor, began blocking Tor in the country on Tuesday. The move left Tor users in Russia—said by Tor Project leaders to number about 300,000, or about 15 percent of Tor users—scrambling to find ways to view sites already blocked and to shield their browsing habits from government investigators.

“Illegal content”

Tor Project managers early on Tuesday said some ISPs in Russia began blocking Tor nodes on December 1 and that Roskomnadzor had threatened to block the main Tor site. A few hours later, the Russian government body made good on those threats.


#anonymity, #biz-it, #sybil-attacks, #the-onion-router, #tor

Verizon overrides users’ opt-out preferences in push to collect browsing history


Verizon is automatically enrolling customers in a new version of a program that scans mobile users’ browser histories—even when those same users previously opted out of the program when it had a different name.

The carrier announced changes to its “Verizon Selects” program along with a new name a few days ago. “Verizon Custom Experience Plus is the new name of our Verizon Selects program,” Verizon said in an FAQ. Verizon is ignoring the previous opt-out preferences for at least some customers by enrolling them in “Custom Experience,” which collects browser and app-usage history but doesn’t use device location data and other personal information collected in “Custom Experience Plus.”

Verizon says it does not sell the information collected in either version of Custom Experience and that the program “no longer supports third party advertising.” But Verizon does share the data with “service providers who work for us” and says it uses the data to “personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services, and offers that are more appealing to you. For example, if we think you like music, we could present you with a Verizon offer that includes music content or provide you with a choice related to a concert in our Verizon Up reward program.”

#biz-it, #policy, #verizon

Microsoft seizes domains used by “highly sophisticated” hackers in China

Microsoft said it has seized control of servers that a China-based hacking group was using to compromise targets that align with that country’s geopolitical interests.

The hacking group, which Microsoft has dubbed Nickel, has been in Microsoft’s sights since at least 2016, and the software company has been tracking the now-disrupted intelligence-gathering campaign since 2019. The attacks—against government agencies, think tanks, and human rights organizations in the US and 28 other countries—were “highly sophisticated,” Microsoft said, and used a variety of techniques, including exploiting vulnerabilities in software that targets had yet to patch.

Down but not out

Late last week, Microsoft sought a court order to seize websites Nickel was using to compromise targets. The court, the US District Court for the Eastern District of Virginia, granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft will now “sinkhole” the traffic, meaning it’s diverted away from Nickel’s servers and to Microsoft-operated servers, which can neutralize the threat and obtain intelligence about how the group and its software work.

#biz-it, #domain-seizure, #hackers, #microsoft

SolarWinds hackers have a whole bag of new tricks for mass compromise attacks

Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.

Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.

Abusing trust

One of the things that made Nobelium so formidable was the creativity of its TTPs, hacker lingo for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group hacked into the network of SolarWinds and used the access, and the trust customers had in the company, to push a malicious update to roughly 18,000 of its customers.

#biz-it, #nobelium, #solarwinds, #unc2652, #unc3004

iPhones of US diplomats hacked using “0-click” exploits from embattled NSO

The iPhones of nine US State Department officials were infected by powerful and stealthy malware developed by NSO Group, the Israeli exploit seller that has come under increasing scrutiny for selling its wares to journalists, lawyers, activists, and US allies.

The US officials, either stationed in Uganda or focusing on issues related to that country, received warnings like this one from Apple informing them their iPhones were being targeted by hackers. Citing unnamed people with knowledge of the attacks, Reuters said the hackers used software from NSO.

No clicking required

As previously reported, NSO software known as Pegasus uses exploits sent through messaging apps that infect iPhones and Android devices without requiring targets to click links or take any other action. From there, the devices run hard-to-detect malware that can download photos, contacts, text messages, and other data. The malware also allows the operator to listen to audio and view video in real time.

#biz-it, #iphone, #nso-group, #security