Ticketmaster shot down claims made on the dark web that hackers have access to working ticket barcodes for several upcoming Taylor Swift concerts and other events.

On Friday, a hacker allegedly offered for sale event barcodes for Taylor Swift’s Eras Tour concert dates in New Orleans, Miami and Indianapolis.

The barcodes are typically scanned at the entrance for events. In total, the hacker offered about 170,000 barcodes for sale, with about 20,000 for sale at each show.

The hacker also threatened Ticketmaster with more leaks if they are not paid $2 million — claiming to have 30 million more barcodes for NFL games, Sting concerts and more.

A spokesperson for Ticketmaster debunked the claims made in the post in comments to Recorded Future News.

“Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” the spokesperson said.

“This is just one of many fraud protections we implement to keep tickets safe and secure.”

The spokesperson also shot down allegations made in media reports that they engaged the hacker in ransom negotiations, saying that they never engaged with the hacker and never offered the person money.

Ticketmaster’s parent company Live Nation confirmed last month that the company’s account on data storage platform Snowflake had been breached.

Hackers on the dark web claimed to have a 1.3 terabyte database of information on about 560 million Ticketmaster users that included names, addresses, emails and phone numbers as well as event details and information on specific orders.

The theft was part of a larger campaign of thefts targeting about 165 customers of Snowflake. Some of the data stolen from those companies was offered for sale by the same hacker behind this most recent post about event barcodes.

Software company TeamViewer says that a compromised employee account is what enabled hackers to breach its internal corporate IT environment and steal encrypted passwords in an incident attributed to the Russian government.

In an update on Sunday evening, TeamViwer said a Kremlin-backed group tracked as APT29 was able to copy employee directory data like names, corporate contact information and the encrypted passwords, which were for the company’s internal IT environment.

The company reaffirmed that the hackers were not able to gain access to the company's product environment or customer data, and that the breach, first reported last week, appears to be contained.

“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” the company said.

TeamViewer said it has contacted authorities about the incident. APT29 — associated with Russia’s foreign intelligence service, the SVR — is one of the Kremlin’s highest-profile hacking operations.

“We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state,” the statement said.

TeamViewer’s remote access and remote control software is used to remotely manage fleets of devices. The company has previously faced attacks by alleged Chinese hackers and its products have often been deployed maliciously by hackers themselves during security incidents.

Multiple organizations published warnings last week about the APT29 breach, urging TeamViewer customers to take a range of actions — including reviewing logs for any unusual remote desktop traffic and enabling two-factor authentication. A healthcare security organization urged members to “use the allowlist and blocklist to control who can connect to their devices.”

TeamViewer has not responded to questions about what APT29 appeared to be looking for during the incident.

The theft of encrypted passwords by APT29 matches another incident earlier this year where the same group infiltrated Microsoft’s systems and stole authentication details, credentials and emails from the tech giant’s senior leaders.

Australia's Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest flier credentials for email and social media services.

The man was investigated after an airline "reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight."

The AFP subsequently arrested a man who was found with "a portable wireless access device, a laptop and a mobile phone" in his hand luggage.

That haul led the force to also search the 42-year-old's home – after securing a warrant – and then to his arrest and charging.

It's alleged the accused's collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment. Airport Wi-Fi was also targeted, and the AFP also found evidence of similar activities "at locations linked to the man's previous employment."

Wherever the accused's rig ran, when users logged in to the network, they were asked to provide credentials.

The AFP alleges that details such as email addresses and passwords were saved to the suspect's devices.

The charges laid against the man concern unauthorized access to devices and dishonest dealings. None of the charges suggest the accused used the data he allegedly accessed.

However, three charges of "possession or control of data with the intent to commit a serious offence" suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes.

AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account.

Perhaps curiously, she advocated users of public Wi-Fi should "install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet." She also recommended disabling file sharing, avoiding sensitive apps like banking while using public networks, and manually forgetting connections after use so that devices don't automatically reconnect to naughty networks.

The accused appeared before a magistrate last week and was released on bail on condition he restrict his use of the internet in certain ways.

An international coalition of law enforcement agencies have taken action against hundreds of installations of the Cobalt Strike software, a penetration testing tool notoriously abused by both state-sponsored and criminal hackers involved in the ransomware ecosystem.

Britain’s National Crime Agency (NCA) announced on Wednesday that it coordinated global action against the tool, tackling 690 IP addresses hosting illegal instances of the software in 27 countries.

Cobalt Strike, now owned by a company called Fortra, was developed in 2012 to simulate how hackers break into victims’ networks. However, it works so well — easing the processes involved in trying to break into a victim’s network — that pirated versions of the tool have been widely deployed by real malicious actors over the last decade.

The action comes as law enforcement agencies continue to tackle ransomware gangs by targeting the ecosystem’s weak points — hitting the links in the chain that could have cascading effects, such as the seizure of bulletproof hosting provider LolekHosted.

Alongside its legitimate users and those in the ransomware space, Cobalt Strike has also been used by hackers linked to the Russian, Chinese and North Korean governments.

“Since the mid 2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to deploy ransomware at speed and at scale,” stated the NCA.

Most commonly, the unlicensed versions of Cobalt Strike are used in spear phishing emails that aim to install a beacon on the target’s device. This beacon then allows the attacker to profile and remotely access the victim’s network.

However its multifunctional nature, including a framework for managing the hackers' command and control infrastructure, makes the tool “the Swiss army knife of cybercriminals and nation state actors,” as described by Don Smith, the vice president of threat research at Secureworks Counter Threats Unit.

“Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation state actors, e.g. Russian and Chinese – to facilitate intrusions in cyber espionage campaigns. Used as a foothold, it has proven to be highly effective at providing the back door to victims to facilitate intrusions in cyber espionage campaigns,” Smith said.

According to the NCA, the action tackling the rogue uses of the software took place last week and involved server takedowns as well as sending “abuse notifications” to ISPs to warn them that they could be hosting malware.

Paul Foster, the director of threat leadership at the NCA, stressed that Cobalt Strike was “a legitimate piece of software,” but that “sadly cybercriminals have exploited its use for nefarious purposes.”

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” Foster said.

“International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations,” added the NCA director.

Despite the law enforcement action, “the threat from ransomware remains omnipresent and whilst this disruption is to be welcomed, criminals and nation state actors will almost certainly have a Plan B,” said Secureworks’ Smith.

Fortra has pledged to continue to work with law enforcement to identify and remove older versions of its software from the internet. The NCA retracted an earlier statement that the company had released a new version of the software with “enhanced security measures.”

“Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol stated.

“However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.”

Local authorities in Crimea are warning of internet disruptions from distributed denial-of-service (DDoS) attacks targeting telecommunication providers.

The “massive” DDoS attacks, which overwhelm targeted networks with a flood of junk internet traffic, were launched against Crimean telecom companies on Wednesday and are still ongoing, according to Crimean officials.

“Work is underway to repel attacks. There may be interruptions in providing internet services,” said Oleg Kryuchkov, the advisor to the Crimea region, which has been occupied by Russian forces since 2014.

In Crimea’s largest city, Sevastopol, the attackers mostly targeted local internet provider Miranda Media, which is connected to Russian national telecom provider Rostelecom. Miranda Media was sanctioned by the European Union in 2023 for providing services to illegal authorities and institutions in Crimea in the interests of Russia.

Several local subscribers complained on the company’s Telegram channel that their internet connection has been “terrible” for the past two days, but Miranda Media hasn’t released an official statement about the disruptions. The company did not respond to a request for comment.

“The enemy attacks this particular operator for a reason,” a spokesperson for Sevastopol’s government said on Telegram. Miranda Media provides “core communication channels” for the city’s emergency call center, they added.

The attack temporarily disrupted the call center's operations, but local authorities announced on Thursday that they have restored its functionality.

Ukraine’s military intelligence (HUR) claimed responsibility on Wednesday for the cyberattacks on “several of Russia's largest internet providers” operating in Crimea but did not provide additional details.

An anonymous source at HUR told the Ukrainian public broadcaster that the agency "systematically" attacks Russian digital infrastructure, including internet providers.

In May, Ukraine’s military hackers claimed responsibility for an attack on a major internet provider in the Russian city of Belgorod, located about 20 miles north of the Ukrainian border. The targeted company allegedly provides services to state and military institutions.

The attacks on Russian internet providers are also carried out by other Ukraine-linked hacker groups. Last October, a group of cyber activists known as the IT Army claimed responsibility for bringing down Miranda Media and two other Russian internet providers operating in Crimea.

At that time, Miranda Media stated that the attack was "carefully planned by cybercriminals."

A new vulnerability affecting Linux systems has caused alarm over the last 48 hours among security researchers, although some experts have cast doubts about whether widespread exploitation of the bug is likely.

On Monday, researchers from cybersecurity firm Qualys unveiled a report on CVE-2024-6387 — colloquially known as “RegreSSHion.” A patch is available to resolve the issue.

The vulnerability is found in OpenSSH’s server in glibc-based Linux systems.

Saeed Abbasi, product manager of vulnerability research at Qualys, told Recorded Future News the best way to understand the issue is to imagine a very secure lock on your front door that only lets people in if they have the right key.

“This lock is used in many houses worldwide because it is very safe. However, we’ve discovered a flaw in this lock — a hidden way to open it without a key, and someone could sneak in without you noticing,” he said.

Matt Moore, the chief technology officer at the security company Chainguard, explained that OpenSSH is a free open source collection of networking tools used predominantly by system administrators to manage remote systems across platforms.

It is also used for securely transferring files and for accessing services in the cloud without exposing a local machine's ports to the Internet, he said. OpenSSH encrypts all traffic between client and server to prevent eavesdropping, connection hijacking, and other attacks.

“In simpler terms, this is the equivalent of a bank vault being already unlocked during a robbery, attackers can use this to gain access and then laterally move to where the most important information is,” Moore said.

If exploited, the vulnerability would allow for a full system takeover where an attacker could install malware, manipulate data and create backdoors for persistent access. The researchers found that it is actually a version of a bug that was previously resolved — CVE-2006-5051 — and then reintroduced after recent code changes.

Qualys’s Abbasi explained that searches on tools like Censys and Shodan show potentially 14 million internet-facing server instances that may be vulnerable to the bug, although Moore said it appears the blast radius for the bug is smaller than the entirety of the ecosystem using OpenSSH.

Abbasi said the bug was particularly concerning because it affects the default configuration of OpenSSH and doesn't require user interaction.

The ubiquity of OpenSSH as a secure communication method “significantly broadens the potential repercussions of this vulnerability,” he added.

“Within an enterprise setting, OpenSSH is utilized across various platforms, such as on-premise servers, cloud infrastructures, development environments, workstations, laptops, containerized environments, and network devices. This extensive deployment highlights the widespread impact a vulnerability could have,” he said.

Questions about exploitation

While most experts said concerns about the bug were justified, others cast doubt on its severity.

Moore noted the exploits for the vulnerability appear to only be viable for a certain kind of Linux server, most of which are relegated to 15-year-old systems.

While it is not difficult to install the patch, the larger issue according to Moore is identifying what instances are using vulnerable versions. Organizations should focus on upgrading to the latest version of OpenSSH, with a priority placed on publicly exposed instances.

Some tools identifying vulnerable systems have been created to help those in need.

Experts at the cybersecurity firms Wiz and Palo Alto Networks said widespread exploitation is unlikely. Wiz said an attacker would need to know the version of Linux they are targeting in order to tailor the exploit, making the bug “inappropriate for widespread opportunistic exploitation.”

Palo Alto Networks said proof of concept code released on Monday has not worked in their exploit attempts, and as of Tuesday they have seen no exploit attempts in the wild.

Contrast Security co-founder Jeff Williams added that attacks involving the vulnerability are “a bit noisy” and may take thousands of attempts to succeed — allowing defenders to detect and prevent the attacks before they are successful. Wiz echoed that assessment, explaining that successful exploitation “usually takes several hours of login attempts in total.”

“No need to hit the panic button at this time,” said Ben Lister, threat research engineer at NetSPI.

“Due to its complexity, it would take an attacker between six hours and a week of persistent effort to successfully exploit the condition and gain a root shell — making it highly unlikely that we’ll experience mass exploitation, as we've seen with similar vulnerabilities. However, organizations should remain proactive and vigilant against the exploit.”

Summary

In this proof-of-concept report, Recorded Future's Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how infostealer logs can aid investigators in tracking CSAM activities on the dark web. Data was escalated to law enforcement for further action.

Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers

Background

Infostealer malware steals sensitive user information such as login credentials, cryptocurrency wallets, payment card data, OS information, browser cookies, screenshots, and autofill data. Common distribution methods include phishing, spam campaigns, fake update websites, SEO poisoning, and malvertising. A popular infection vector is “cracked” software marketed to users seeking to obtain licensed software illegally. Stolen data, known as “infostealer logs,” often ends up on dark web sources where cybercriminals can purchase it, potentially gaining access to networks or systems.

The anonymity provided by Tor-based websites with .onion domains fosters the production and consumption of CSAM. Studies show that although only a small percentage of .onion websites host CSAM, the majority of dark web browsing activity targets these sites.

Methodology

In this proof-of-concept report, Recorded Future's Identity Intelligence leveraged infostealer malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and uncover geographic and behavioral trends. Our high-confidence assessments stem from the nature of the infostealer log data and subsequent research.

Sample investigations of three individuals with accounts on multiple CSAM sources suggest that having multiple CSAM accounts may indicate a higher likelihood of committing crimes against children. This study demonstrates that infostealer logs can help law enforcement track child exploitation on the dark web, a challenging area to trace. All relevant findings have been reported to authorities.

Our research involved creating a list of known high-fidelity CSAM domains and querying Recorded Future Identity Intelligence data to identify users with credentials to these domains. Collaborating with non-profit organizations like World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative (ATII), Insikt Group expanded this list by querying the Recorded Future Intelligence Cloud. This iterative process helped identify additional CSAM sources.

Insikt Group then queried Recorded Future’s Identity Intelligence, which offers real-time access to infostealer log information, for authentication records linked to known CSAM sources from February 2021 to February 2024. De-duplication was performed by comparing OS usernames and PC names.

Findings

Insikt Group identified 3,324 unique credentials used to access known CSAM websites. This data allowed us to gather statistics on individual sources and users, including their usernames, IP addresses, and system information. This granular data helps law enforcement understand the infrastructure of CSAM websites, uncover techniques used by CSAM consumers to mask their identities, and identify potential CSAM consumers and producers.

In three case studies, Insikt Group used the data contained in infostealer logs and open-source intelligence (OSINT) to identify two individuals and found further digital artifacts, including cryptocurrency addresses, belonging to a third individual.

The PoC study showcases that infostealer logs can be used to identify CSAM consumers and new sources and trends in CSAM communities.

As the cybercriminal demand for infostealer logs and malware-as-a-service (MaaS) ecosystems continues to grow, Insikt Group anticipates that infostealer log datasets will continue to provide current and evolving insights into CSAM consumers.

To read the entire analysis, click here to download the report as a PDF.

Polish prosecutors are investigating a suspected Russian cyberattack on the country’s state news agency.

The likely goal of the May attack on the Polish Press Agency, or PAP, was disinformation “aimed at causing serious disturbances in the system or economy of the Republic of Poland by an undetermined person or persons involved in or acting on behalf of foreign intelligence,” a spokesperson for the Warsaw District Prosecutor's Office told the state outlet.

This offense is punishable by no fewer than eight years in prison under local law. The probe has been assigned to the Internal Security Agency.

During the attack, hackers published fake news on the PAP website claiming the country’s authorities had announced a partial mobilization of 200,000 men who were to be sent to fight in a war in Ukraine.

After the article was deleted by PAP, the hackers reposted it. Polish authorities blamed the attack on Russia.

"Everything indicates that we are dealing with a cyberattack that was directed from the Russian side," Poland’s Digital Affairs Minister Krzysztof Gawkowski said following the incident.

According to him, the hackers got into the news agency’s system by infecting the device of one of PAP's employees with malware. Gawkowski said that the attack was “targeted” and intended to cause panic and "shake up the system."

Poland is “on the frontline of the cyber fight against Russia,” he added.

PAP chief executive officer Marek Błoński condemned the attack, saying it was likely designed to interfere with the European Parliament election in June, echoing the statement of Prime Minister Donald Tusk, who called the incident “another very dangerous hacker attack” that “illustrates Russia's destabilization strategy on the eve of the European elections."

The Russian embassy in Warsaw told Reuters that it was not aware of the incident and declined to comment.

Poland has experienced an increase in Russian cyberattacks over the past few months, leading it to announce a $760 million investment in cyber defenses.

In June, it also signed a deal with the U.S. to strengthen their cooperation against “foreign information manipulation,” including from Russia.

Suspected Russian hackers have previously used legitimate news websites to spread propaganda. In February, they attacked several popular Ukrainian media outlets, posting fake news related to the war.

Russian hacker groups targeting Ukrainian media include notorious state-controlled threat actors like Sandworm, according to Ukraine's Computer Emergency Response Team (CERT-UA).

A 4chan user claims to have leaked 270GB of internal New York Times data, including source code, via the notorious image board.

According to the unnamed netizen, the information includes "basically all source code belonging to The New York Time Company," amounting to roughly 5,000 repositories and 3.6 million files now available for download from peer-to-peer networks. Details on how to get the files were shared by the poster on 4chan.

While The Register has seen what's said to be a list of files in the purported leak, we have not yet verified the legitimacy of the leak, and the newspaper did not respond to inquiries about the case.

Of the code listed - whose filenames indicate everything from the blueprints to Wordle to email marketing campaigns and ad reports - "less than 30" are "encrypted," the 4channer claimed. Again, take this with a healthy dose of salt considering the source — an unnamed 4chan user.

The Register will update this story if and when we receive a response from The Times. But if true, the theft could potentially cause a huge headache for the newspaper, given the list of stolen data. There's a lot of JavaScript and TypeScript in there, judging by the filenames, plus some personal information. It might be largely scraped from the public site, it might actually be stolen.

In 2013 The New York Times and other media outlets saw their operations come under attack by a bunch of miscreants calling themselves the Syrian Electronic Army. During these incidents, which occurred over a period of months, readers were unable to visit some publications' websites at times; at other times, pages were defaced by intruders.

The Register was targeted, too, by the gang in a failed spear-phishing attack. At least one of our vultures was sent an email claiming to be from a senior editor, with a link to a fake copy of our publishing system to phish their credentials; the giveaway was that the message was far too cheery for that editor to be real. It also prompted us to introduce mandatory multi-factor authentication at work.

A few years later, in 2016, suspected Russian cyber-spies broke into email inboxes belonging to The New York Times and other American news organizations.

The U.S. service Docker Hub, widely used for developing software, has suspended its operations in Russia without giving advance notice to local users, according to media reports.

Russian users lost access to Docker Hub repositories on Thursday and couldn’t access the service even through virtual private networks (VPNs), reported Russian news website Kommersant.

Developers use the cloud-based platform to store, share and manage their container images — digital packages that include everything needed to run an application.

Docker Hub stated in a message displayed to those trying to access the platform from Russia that it is blocking services in Cuba, Iran, North Korea, Sudan, Syria and Russian-annexed Crimea to “adhere to U.S. export control rules.” Russia itself wasn’t included in the message.

At the time of publication, the platform’s operator, Docker Inc., hasn’t responded to a request for comment.

Russian legal expert Maria Udodova told Kommersant that the blocking could be linked to the new proposed rule introduced by the Department of Commerce in January to protect cloud services from foreign cyberthreats to national security. Recorded Future News couldn’t verify this claim.

In an interview with Russian media, several local tech businesses complained that due to the blocking, they cannot upload or save their projects from the repository. They said that Docker Hub was popular among Russian companies involved in cybersecurity.

Following the service suspension, Russian developers took to the Docker Hub forum and Reddit to voice their complaints.

“It’s not me who invaded Ukraine, it’s not millions of developers and software engineers either, but we have to suffer the consequences. Thanks a lot, Docker!” one user said on Reddit.

“Please consider keeping Docker Hub available for Russians — they’re oppressed by their own government they didn’t choose. The regime will have access to any technology anyway, and have resources to keep their infrastructure running,” another user wrote on the Docker community forum.

Industry experts admitted to Kommersant that Docker Hub restrictions could deal a blow to tech businesses, which now have to quickly find an alternative. This is not easy since other similar services, including GitHub, suspended some of their services in Russia when it invaded Ukraine.

In 2022, Docker said in a statement that the company “stands with Ukraine” and will not do business with Russian and Belarusian businesses or accept payments from these locations during the war.

The company also said that it removed the ability to purchase and renew Docker subscriptions from Russia and Belarus.

Slow exits

The fact that Docker Hub was still generally available in Russia until this week, despite the company’s previous statements, isn’t unusual.

With the start of the war in Ukraine two years ago, many Western tech firms announced that they would quit the Russian market or suspend selling their products there — either for moral reasons or due to economic sanctions imposed on Russia by the EU or the U.S.

Big tech companies that served many clients in Russia didn’t exit the market immediately. Only this August, Microsoft, for example, announced that it would stop renewing licenses for its products to Russian companies and would not process payments via wire transfer to local bank accounts.

In March, Russians received a notification from Microsoft saying that it would suspend access to its cloud services for local users as a result of European sanctions imposed on Russia after its invasion of Ukraine.

Earlier in January, Czech antivirus developer Avast suspended selling its software in Russia. In the initial months of the war, the company announced that it would stop renewing licenses for its products for Russian and Belarusian users.

A strain of malware named Chalubo wrecked over 600,000 routers for small offices and homes in the U.S. last year.

In a new report from Lumen Technologies’ Black Lotus Labs, researchers described a “destructive” incident between October 25-27 in which hundreds of thousands of routers made by Sagemcom and ActionTec were rendered permanently inoperable.

Chalubo was first discovered in 2018 by researchers from Sophos, which said it was used to infect devices and add them to powerful botnets that could perform distributed denial of service (DDoS) attacks.

Black Lotus Labs did not name the internet service provider (ISP) that deployed the routers but Reuters said an analysis of news coverage indicated it was likely Arkansas-based Windstream, which did not respond to requests for comment.

Further research revealed that the routers were destroyed by a firmware update sent out to the devices that had already been compromised by Chalubo.

“At this time, we do not have an overlap between this activity and any known nation-state activity clusters,” the researchers explained. “We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ISP’s autonomous system number (ASN).”

A survey of complaints on internet forums and outage detectors revealed that most people were complaining about issues with router models Sagemcom F5380, ActionTec T3200s and ActionTec T3260s.

Users who contacted ActionTec’s support center were told the entire router would need to be replaced. To check whether those models were the only ones affected, the researchers used internet scanning tool Censys and found that between October 27 and October 28, there was a 179,000 drop in IP addresses connected to ActionTec devices and a decrease of 480,000 devices associated with Sagemcom.

Lumen researchers noted that the Chalubo malware family continues to be active and found that more than 330,000 IP addresses communicated with tools connected to the malware, indicating that “while the Chalubo malware was used in this destructive attack, it was not written specifically for destructive actions.”

'Rural or underserved communities'

The researchers do not know what exploit was used to gain initial access to compromised devices. They could not find vulnerabilities for the specific models impacted, “suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface.”

“We suspect the threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit,” they said.

The researchers noted that “a sizeable portion of this Internet Service Provider’s service area covers rural or underserved communities,” potentially making recovery more difficult.

The outage affected “places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records,” they said.

Chalubo is a sophisticated malware family that its creators went to great lengths to conceal. The malicious code removes all of its files and renames itself after something already present on the device.

All of the communication with command and control (C2) servers is encrypted — which Lumen said contributed to the lack of previous research on the malware.

There has been significant law enforcement focus this week on malware that affects routers. International law enforcement agencies announced Thursday that they took several of the most influential malware families offline in the “largest ever operation against botnets.”

The FBI and international partners dismantled another massive botnet on Wednesday that infected more than 19 million IP addresses across 200 countries and was used for years to conceal cybercrime.

A bipartisan pair of House lawmakers is pressing for more details about the breach of a water facility in Texas that was carried out by a group with suspected ties to the Russian government.

In an April 23 letter, Reps. Pat Fallon (R-TX) and Ruben Gallego (D-AZ) asked Homeland Security Secretary Alejandro Mayorkas for a briefing on the January incident, which caused a tank at a water facility in Muleshoe, Texas, to overflow.

The Google-owned security firm Mandiant later issued a report that said the group purportedly behind the attack, the Cyber Army of Russia, is linked to a Russian state actor, Sandworm — which has gained global notoriety for its past, and present, digital assaults on Ukraine.

The group has since claimed credit for a cyberattack on an Indiana water plant.

“As you may know, much of the American West is experiencing a historic, long-term drought that makes fortifying water supplies from vulnerabilities like adversary disruption efforts all the more important,” the duo wrote.

“Should a hack similar to the Texas incident occur in Arizona or other states that may lack sufficient water supply, it could disrupt operations across the region with devastating effects,” they added.

The pair asked Mayorkas to answer a series of questions, including what DHS is doing to respond to the incident; how the agency is coordinating with international, state and local partners; and if it needs additional authorities to protect the nation’s water supply,

Gallego and Rep. Jim Banks (R-IN) — both of whom are running for Senate — sent a similar letter to Mayorkas late last year after the Irank-linked Cyber Av3ngers group claimed responsibility for striking a water authority in Pennsylvania.

A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.

In his trial yesterday, Jareh Sebastian Dalke pleaded guilty to six counts of attempted transmission of top-secret info to a foreign agent as announced by the US Department of Justice.

He had worked at the NSA as an information systems security designer for just under a month from June to July 2022, making quick work of the short period by accumulating top secret documents with national defense information (NDI).

Between August and September that year, shortly after leaving the NSA, Dalke made contact with a person he thought was a Russian agent. To prove his "legitimate access and willingness to share," he then emailed the apparent spy snippets of three top secret, classified documents with NDI. Dalke then said he'd be willing to sell the full documents and more for just $85k.

A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.

In his trial yesterday, Jareh Sebastian Dalke pleaded guilty to six counts of attempted transmission of top-secret info to a foreign agent as announced by the US Department of Justice.

He had worked at the NSA as an information systems security designer for just under a month from June to July 2022, making quick work of the short period by accumulating top secret documents with national defense information (NDI).

Between August and September that year, shortly after leaving the NSA, Dalke made contact with a person he thought was a Russian agent. To prove his "legitimate access and willingness to share," he then emailed the apparent spy snippets of three top secret, classified documents with NDI. Dalke then said he'd be willing to sell the full documents and more for just $85k.

Only there was one problem: he was talking to an undercover FBI agent.

Dalke and the FBI agent then arranged a time and place to hand over the documents. On September 28, the former NSA worker took his laptop to Union Station in Denver and sent the documents to the FBI agent over the internet. Dalke also included a letter in Russian that said, among other things, "My friends! I am very happy to finally provide this information to you… I look forward to our friendship and shared benefit."

Of course, the FBI agent was not his friend and the whole thing was a sting operation, and the former NSA employee was arrested just after he sent the classified materials. Dalke pleaded guilty from the outset.

"This defendant, who had sworn an oath to defend our country, believed he was selling classified national security information to a Russian agent, when in fact, he was outing himself to the FBI," Attorney General Merrick Garland said. "This sentence demonstrates that those who seek to betray our country will be held accountable for their crimes."

A former NSA employee has been sentenced to 262 months in prison for attempting to freelance as a Russian spy.

In his trial yesterday, Jareh Sebastian Dalke pleaded guilty to six counts of attempted transmission of top-secret info to a foreign agent as announced by the US Department of Justice.

He had worked at the NSA as an information systems security designer for just under a month from June to July 2022, making quick work of the short period by accumulating top secret documents with national defense information (NDI).

Between August and September that year, shortly after leaving the NSA, Dalke made contact with a person he thought was a Russian agent. To prove his "legitimate access and willingness to share," he then emailed the apparent spy snippets of three top secret, classified documents with NDI. Dalke then said he'd be willing to sell the full documents and more for just $85k.

Only there was one problem: he was talking to an undercover FBI agent.

Dalke and the FBI agent then arranged a time and place to hand over the documents. On September 28, the former NSA worker took his laptop to Union Station in Denver and sent the documents to the FBI agent over the internet. Dalke also included a letter in Russian that said, among other things, "My friends! I am very happy to finally provide this information to you… I look forward to our friendship and shared benefit."

Of course, the FBI agent was not his friend and the whole thing was a sting operation, and the former NSA employee was arrested just after he sent the classified materials. Dalke pleaded guilty from the outset.

"This defendant, who had sworn an oath to defend our country, believed he was selling classified national security information to a Russian agent, when in fact, he was outing himself to the FBI," Attorney General Merrick Garland said. "This sentence demonstrates that those who seek to betray our country will be held accountable for their crimes."

Sentencing law is somewhat complex, but assuming Dalke can't serve any of his counts concurrently and that he doesn't get out early, he'll be getting out in January 2046, and he'll be 53 or 54.

The NSA employee turned failed Russian informant was remarkably unsuccessful in his attempt to give Russia a helping hand, though it is a little concerning that Dalke had NDI material in his possession at all. The incident isn't unlike the Teixeira leaks from last month, especially since both Dalke and Teixeira were seemingly completely incompetent in leaking info. Maybe the US government should review who gets access to classified materials, as it seems neither person had any real business handling these docs.

NATO will establish a new cyber center at its military headquarters in Mons, Belgium, a senior official confirmed to Recorded Future News on Wednesday. The new facility, details about which have not previously been reported, marks the fruition of a significant doctrinal shift in how the alliance approaches operations in cyberspace.

The shift, as officially set out in NATO’s Strategic Concept (2022), states that “cyberspace is contested at all times,” meaning it cannot just be a concern for the military alliance during moments of crisis or conflict. NATO needs to constantly engage with adversaries on computer networks — not just when Article 4 or Article 5 are triggered by allies.

Although allies last year endorsed the creation of a NATO cyber center during the cyber defense conference in Berlin, at that time the exact plan was unclear. Suggestions ranged from an institution that would help develop cyber competencies among allies through to a tactical-level command for combined operations, similar to NATO’s maritime (MARCOM), air (AIRCOM), and land (LANDCOM) command centers.

Speaking to Recorded Future News at the ENISA Cybersecurity Policy Conference in Brussels, James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid and cyber, said the structural changes that are being made flow from that doctrine about cyberspace. He said the model for the center was the United Kingdom’s National Cyber Security Centre — where civilian experts could work alongside those from industry, the military, and NATO’s political corps — to address potential threats.

The working name for the new facility is the NATO Integrated Cyber Centre (NICC).

The idea is the NICC would physically co-locate personnel in Mons to provide the Supreme Allied Commander Europe (SACEUR) — effectively NATO’s most senior military official, historically always a senior U.S. military officer — with 24/7 visibility over both NATO enterprise networks and other networks beyond where incidents risk impacting military operations in Europe.

SACEUR “needs to have visibility over what cyberspace looks like for him at all times. That’s the logic behind this, and that’s where we will get to in time for the summit, which is in only a few weeks,” explained Appathurai.

Delivering his keynote to the conference, Appathurai said: “For example, a port in Europe has been under a sustained cyberattack to try to lock the locks. So we have ships transiting through, [the attackers] try to lock it and drain the water to drop the ship inside of the lock, which would damage the ship and block the port.”

Appathurai did not name the port and did not confirm the port when asked by Recorded Future News. But for a major seaport such as Rotterdam, the potential impact of such an attack could severely disrupt the supply of critical military and civilian materiel. Officials in the United States are warning that cyberattacks pose a significant threat to ports.

“There is a lot more risk and a lot more capabilities out there. So what are we doing about it? First we have to recognise and act on it,” said Appathurai.

“We need to break down, in the NATO sense, bureaucratic barriers. For us, we have the military, we have the civilians, we have the intelligence world, we have industry. We are working on bringing them all together.

“I would commend for an example the U.K. National Cyber Security Centre, where they have everybody together in one building, with a less secure and then a more secure tier. And industry is there full-time with everybody else, with information on their networks, providing it and receiving intelligence or other forms of support. So aggregating what is disaggregated, and breaking down the barriers between the two,” he said.

No delineation between peacetime and conflict

Acknowledging that “cyberspace is contested at all times” was “the most fundamental shift we’ve made in the last year,” said Appathurai. “Allies have now codified the understanding that unlike in other environments, you cannot have a clear delineation between peacetime, crisis, and conflict [in cyberspace].”

The concept is a comfortable one for some of NATO’s more mature cyber powers, particularly the United States has proactively conducted what it calls persistent engagement for a number of years — alongside similar operational activities by the United Kingdom and the Netherlands.

But among some allies, the prescription that the concept calls for — engaging with adversaries in cyberspace — remains controversial. Appathurai said that key to understanding the prescription, and to understanding the risk facing Europe in general, was the conflict in Ukraine.

“It’s really important that people understand how important cyberdefense has been for Ukrainians. Without it, their military command and control wouldn’t work. Their civilian communications would not work. They would not have banks operating and providing people money. People wouldn’t know where to go and what to do when something happens. And President Zelensky would not be on the air motivating us to provide weapons — which we need to do faster — helping his people to have courage in this situation.”

Cyberdefense “underpins everything in our doctrine,” said the NATO official. This was also why the new cyber center would not be a command in the style of MARCOM or LANDCOM, because cyber underpins the other domains.

The ultimate structure of the center hasn’t been finalized, Appathurai told Recorded Future News, explaining that the plan was to get everything completed ahead of the summit in Washington in July, adding that “literally this morning was another meeting of our committee that’s looking at our political-military advice.”

“The direction we’ve already been given is clear, that we have to integrate political and military tools to give us a better picture of military and civilian networks, that this should be for deterrence and defense, so that’s very much the framework in which it’s in,” he explained.

“But also that this will parallel and complement a separate track of decisions that we’re taking in time for the summit, to give NATO a stronger role when it comes to, for example, enforcing cyber norms when it comes to allies, allies being able to work in other international bodies, to strengthen standards. So there’s a political aspect that will be strengthened as well as this very practical center, or whatever we end up calling it.”

“We’re working on the mechanics of the center. How exactly staff will relate to each other, who exactly, which parts exactly, but this is all mechanics and it can be worked out so there’s no problem there. So I’m actually 100% confident that we will arrive at a good solution.

“Then there’s the implementation. That’s always a bureaucratic struggle, but we’ll get through it, and we’ll get through it pretty fast because it’s NATO and you can give orders,” he said.

Intel CPU cores remain vulnerable to Spectre data-leaking attacks, say academics at VU Amsterdam.

We're told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors' speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information – such as passwords and keys – out of kernel memory and other areas of RAM that should be off limits.

The boffins say they have developed a tool called InSpectre Gadget that can find snippets of code, known as gadgets, within an operating system kernel that on vulnerable hardware can be abused to obtain secret data, even on chips that have Spectre protections baked in.

InSpectre Gadget was used, as an example, to find a way to side-step FineIBT, a security feature built into Intel microprocessors intended to limit Spectre-style speculative execution exploitation, and successfully pull off a Native Branch History Injection (Native BHI) attack to steal data from protected kernel memory.

"We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations," the VU Amsterdam team said this week. "As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec."

A quick video demonstrating that Native BHI-based attack to grab the /etc/shadow file of usernames and hashed passwords out of RAM on a 13th-gen Intel Core processor is below. We're told the technique, tagged CVE-2024-2201, will work on any Intel CPU core.

The VU Amsterdam team — Sander Wiebing, Alvise de Faveri Tron, Herbert Bos and Cristiano Giuffrida — have now open sourced InSpectre Gadget, an angr-based analyzer, plus a database of gadgets found for Linux Kernel 6.6-rc4 on GitHub.

"Our efforts led to the discovery of 1,511 Spectre gadgets and 2,105 so-called 'dispatch gadgets,'" the academics added. "The latter are very useful for an attacker, as they can be used to chain gadgets and direct speculation towards a Spectre gadget."

These numbers suggest a "nontrivial attack surface," said the researchers, who pointed to an Intel security advisory that includes updated software-level mitigations for these kinds of Native BHI attacks.

As we understand things, Intel in 2022 addressed BHI attacks with hardware and software-level protections as well as recommendations like not allowing unprivileged eBPF use.

Now an updated exploit, dubbed Native BHI, was developed using InSpectre Gadget that defeats those defense mechanisms, leading to the x86 titan issuing updated advice for developers and patches for the Linux kernel to block exploitation of CVE-2024-2201 – we assume other operating systems will need fixing up, too.

"External academic researchers reported new techniques to identify BHI sequences that could allow a local attacker who can already execute code to possibly infer the contents of Linux kernel memory," an Intel spokesperson told The Register today.

"Intel has previously shared mitigation guidance for BHI and intra-mode BTI attacks. In light of this new report, Intel is releasing updated guidance to assist in broader deployment of these mitigations."

AMD and Arm cores are not vulnerable to Native BHI, according to the VU Amsterdam team. AMD has since confirmed this in an advisory

History lesson

InSpectre Gadget, and the related research and Native BHI exploit, builds on the boffins' earlier work exploiting the Spectre variant BHI.

Spectre emerged in public in early 2018, along the related Meltdown design blunder, which The Register first reported. Over the years various variants of Spectre have been found, prompting engineers to shore up the security around performance-boosting speculative execution units.

After the aforementioned steps were taken to shut down BHI-style attacks, "this mitigation left us with a dangling question: 'Is finding 'native' Spectre gadgets for BHI, ie, not implanted through eBPF, feasible?'" the academics asked.

The short answer is yes. A technical paper [PDF] describing Native BHI is due to be presented at the USENIX Security Symposium.

Apple has sent a new batch of threat notifications to users in 92 countries who may have been targeted by mercenary spyware attacks, according to several media reports.

The alerts were sent on Wednesday, warning users that attackers tried to remotely compromise their iPhones. On the same day, Apple also updated its support page, explaining how threat notifications work and what targeted users should do if they receive one.

In previous alerts, the company described such incidents as “state-sponsored,” but according to its updated policy, it will now refer to them as “mercenary spyware attacks.” Common sources of spyware include private companies such as NSO Group and Cytrox.

According to Reuters, Apple's removal of the term "state-sponsored" from its description of threat notifications comes after it repeatedly faced pressure from the Indian government because of linking such breaches to nation-state actors. Sources told Reuters that Apple held extensive talks with Indian officials before releasing the latest set of alerts.

Spyware attacks affect a very small number of specific individuals — often journalists, activists, politicians, and diplomats — and are extremely costly, sophisticated and hard to detect, Apple explained. Since 2021, the company has sent threat notifications to users in over 150 countries.

Apple didn't reveal who was on the list of targets in the latest set of alerts, but sources told The Economic Times, an Indian English-language newspaper, that Indian users were among those included.

Last October, Apple warned over half a dozen Indian lawmakers from Prime Minister Narendra Modi’s main opposition party about spyware attacks. These attacks were reportedly part of an espionage campaign preceding this year’s general elections, held in seven phases between April 19 and June 1.

The company stated that it relies solely on internal threat intelligence to detect such attacks. Other organizations, such as the Canada-based Citizen Lab, also produce reports about spyware infections on Apple devices.

“Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack, and should be taken very seriously,”' the company said in an update.

Apple typically notifies users multiple times a year in two ways: by displaying an alert at the top of the page after the user signs into their Apple ID, or by sending an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

The company said that it cannot provide more information about what causes the company to send this notification, as that may help attackers adapt their behavior to evade detection in the future.

Earlier in February, Poland’s prime minister stated that he had uncovered documents confirming that the prior administration illegally deployed Pegasus spyware. Poland’s investigators claimed that the country’s 2019 elections were unfair due to the deployment of Pegasus, which is sold to governments worldwide by the Israel-based NSO Group. The company says it only supports lawful use of its products.

In September, the phones of prominent Russian journalists and critics of the Kremlin were infected with Pegasus spyware. Among the targets was Galina Timchenko, owner of the Russian independent media outlet Meduza.

She was infected with Pegasus while in Berlin for a private conference with other Russian independent journalists living in exile. This marked the first documented case of a Pegasus infection targeting a Russian citizen.

Cybersecurity giant Palo Alto Networks is alerting customers that a zero-day vulnerability in its firewall tool is being exploited by hackers.

The company released an advisory on Friday morning about CVE-2024-3400 — a vulnerability in the popular GlobalProtect VPN product that was unknown to researchers until this week. The bug carries the highest severity score possible of 10.

Palo Alto Networks said that it “is aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

The company did not respond to requests for comment about how many customers were affected, where they are based or who was behind the attacks.

A patch will be available to customers by Sunday, the advisory said. In the meantime, Palo Alto Networks provided several mitigations customers can take to protect themselves.

The bug was discovered by researchers at cybersecurity firm Volexity. That company’s president, Steven Adair, said Friday on social media that it discovered the initial attacks two days ago.

The Cybersecurity and Infrastructure Security Agency (CISA) added the GlobalProtect flaw to its list of known exploited vulnerabilities almost immediately, signaling urgency in the need for federal agencies to patch the bug.

In a rare move, CISA gave federal civilian agencies just seven days to apply mitigations, a shortened timeline compared to the three weeks given to most bugs.

VPN products have become frequent targets for attack by threat actors in recent years due to the expansion of remote work and the widespread use of the tools among governments.

Palo Alto was previously affected by a vulnerability affecting its firewall product in 2022 that was used in a distributed denial-of-service (DDoS) attack.

Polish prosecutors are now actively building a case against current and former government officials believed to have deployed powerful commercial spyware against opposition party members and their allies in a rapidly unfolding spyware investigation.

In recent days, prosecutors have asked 31 victims whom they believe were likely targeted by Pegasus spyware to share their stories. Senior government officials have said the investigation could lead to arrests.

A probe into abuse of powers and dereliction of duties began on March 18 and is homing in on how officials used Pegasus from 2017 to 2022, according to Polish news reports citing a spokesperson for the prosecutor’s office.

The prior Polish ruling party, known as Law and Justice (PiS), is said to have targeted opposition leaders and others with the spyware, including amid the country’s election season. The spyware scandal has rocked the country since it first came to light in December 2021.

In September, Poland's Senate released the results of a special commission’s probe into the spyware’s usage, paying particular attention to the hack of an opposition politician in 2019, describing "gross violations of constitutional standards.”

The commission revealed at the time that it had alerted prosecutors to the potential for criminal charges against former and current Polish ministers for using or abetting the use of spyware.

Current Polish President Andrzej Duda is a former PiS member who is thought to remain loyal to the party, but the country has elected the leader of a different and more centrist party, Donald Tusk, as its new prime minister. Duda has served as president since 2015.

Tusk, who became prime minister in December, said in February that he can prove state authorities used the powerful spyware to monitor a “very long” list of individuals.

The prime minister also revealed at the time that he had found documents which “confirm 100%” the prior administration illegally used Pegasus, according to local news reporting at the time.

Spyware has long been a scourge in Europe with prior scandals enveloping Spain, Greece, Hungary and Serbia. Mercenary spyware is also used on a global scale. On Wednesday, Apple sent alerts to users in 92 countries, warning they may have been targeted by foreign commercial surveillance tools like Pegasus, primarily through attempts to compromise iPhones from afar.

John Scott-Railton, a security researcher at the Canada-based Citizen Lab who helped surface the Polish spyware problem, said he is watching the proceedings carefully.

“Poland has gone from being a troubling centerpiece in EU spyware scandals to showing clear signs of a concerted effort towards accountability,” Scott-Railton said via text message, citing the country’s recent decision to join a White House-led coalition of 17 countries working to fight the spread and use of spyware. “The recent developments would have been deeply unthinkable until the election.”

He added that Poland’s quest for accountability has “already gone further than most investigations in the EU.”

Scott-Railton said the fact that opposition party leader Krzysztof Brejza was hit with Pegasus during parliamentary elections in which he played a key role in setting strategy is an “ominous sign of potential election interference.”

The Polish scandal and the aftermath of its investigation will send an important signal across the continent, he said.

“As authoritarianism grows and dangers to EU democracy fueled by Russia increase, ensuring that European democracies are free from the danger of spyware abuse could not be more critical,” he said.

A second expert, white-hat hacker Runa Sandvik, said the 31 victims called to appear as witnesses may represent just a small fraction of the total scale of spyware abuse in Poland.

“It’s important to remember that this number — 31 — is the number the National Prosecutor’s Office has decided to release,” said Sandvik, who founded Granitt, a startup focused on helping journalists, human rights activists and other vulnerable populations targeted by spyware.

Sandvik said she believes the Polish government also likely used spyware to investigate crime, corruption and terrorism meaning the total number of people hit with Pegasus could be much higher.

“The number on its own does not tell us how many people were targeted, or for what purpose,” Sandvik said via email. “I hope the investigation will help shed some light on this.”

Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned. If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous.

According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions.

There is a legit huggingface-cli, installed using pip install -U "huggingface_hub[cli]".

But the huggingface-cli distributed via the Python Package Index (PyPI) and required by Alibaba's GraphTranslator – installed using pip install huggingface-cli – is fake, imagined by AI and turned real by Lanyado as an experiment.

He created huggingface-cli in December after seeing it repeatedly hallucinated by generative AI; by February this year, Alibaba was referring to it in GraphTranslator's README instructions rather than the real Hugging Face CLI tool. Study

Lanyado did so to explore whether these kinds of hallucinated software packages – package names invented by generative AI models, presumably during project development – persist over time and to test whether invented package names could be co-opted and used to distribute malicious code by writing actual packages that use the names of code dreamed up by AIs.

The idea here being that someone nefarious could ask models for code advice, make a note of imagined packages AI systems repeatedly recommend, and then implement those dependencies so that other programmers, when using the same models and getting the same suggestions, end up pulling in those libraries, which may be poisoned with malware.

Last year, through security firm Vulcan Cyber, Lanyado published research detailing how one might pose a coding question to an AI model like ChatGPT and receive an answer that recommends the use of a software library, package, or framework that doesn't exist.

"When an attacker runs such a campaign, he will ask the model for packages that solve a coding problem, then he will receive some packages that don’t exist," Lanyado explained to The Register. "He will upload malicious packages with the same names to the appropriate registries, and from that point on, all he has to do is wait for people to download the packages." Dangerous assumptions

The willingness of AI models to confidently cite non-existent court cases is now well known and has caused no small amount of embarrassment among attorneys unaware of this tendency. And as it turns out, generative AI models will do the same for software packages.

As Lanyado noted previously, a miscreant might use an AI-invented name for a malicious package uploaded to some repository in the hope others might download the malware. But for this to be a meaningful attack vector, AI models would need to repeatedly recommend the co-opted name.

That's what Lanyado set out to test. Armed with thousands of "how to" questions, he queried four AI models (GPT-3.5-Turbo, GPT-4, Gemini Pro aka Bard, and Command [Cohere]) regarding programming challenges in five different programming languages/runtimes (Python, Node.js, Go, .Net, and Ruby), each of which has its own packaging system.

It turns out a portion of the names these chatbots pull out of thin air are persistent, some across different models. And persistence – the repetition of the fake name – is the key to turning AI whimsy into a functional attack. The attacker needs the AI model to repeat the names of hallucinated packages in its responses to users for malware created under those names to be sought and downloaded.

Lanyado chose 20 questions at random for zero-shot hallucinations, and posed them 100 times to each model. His goal was to assess how often the hallucinated package name remained the same. The results of his test reveal that names are persistent often enough for this to be a functional attack vector, though not all the time, and in some packaging ecosystems more than others.

With GPT-4, 24.2 percent of question responses produced hallucinated packages, of which 19.6 percent were repetitive, according to Lanyado. A table provided to The Register, below, shows a more detailed breakdown of GPT-4 responses.

With GPT-3.5, 22.2 percent of question responses elicited hallucinations, with 13.6 percent repetitiveness. For Gemini, 64.5 of questions brought invented names, some 14 percent of which repeated. And for Cohere, it was 29.1 percent hallucination, 24.2 percent repetition.

Even so, the packaging ecosystems in Go and .Net have been built in ways that limit the potential for exploitation by denying attackers access to certain paths and names.

"In Go and .Net we received hallucinated packages but many of them couldn't be used for attack (in Go the numbers were much more significant than in .Net), each language for its own reason," Lanyado explained to The Register. "In Python and npm it isn't the case, as the model recommends us with packages that don’t exist and nothing prevents us from uploading packages with these names, so definitely it is much easier to run this kind of attack on languages such Python and Node.js." Seeding PoC malware

Lanyado made that point by distributing proof-of-concept malware – a harmless set of files in the Python ecosystem. Based on ChatGPT's advice to run pip install huggingface-cli, he uploaded an empty package under the same name to PyPI – the one mentioned above – and created a dummy package named blabladsa123 to help separate package registry scanning from actual download attempts.

The result, he claims, is that huggingface-cli received more than 15,000 authentic downloads in the three months it has been available.

"In addition, we conducted a search on GitHub to determine whether this package was utilized within other companies' repositories," Lanyado said in the write-up for his experiment.

"Our findings revealed that several large companies either use or recommend this package in their repositories. For instance, instructions for installing this package can be found in the README of a repository dedicated to research conducted by Alibaba."

Alibaba did not respond to a request for comment.

Lanyado also said that there was a Hugging Face-owned project that incorporated the fake huggingface-cli, but that was removed after he alerted the biz.

So far at least, this technique hasn't been used in an actual attack that Lanyado is aware of.

"Besides our hallucinated package (our package is not malicious it is just an example of how easy and dangerous it could be to leverage this technique), I have yet to identify an exploit of this attack technique by malicious actors," he said. "It is important to note that it’s complicated to identify such an attack, as it doesn’t leave a lot of footsteps."

To spy on rival Snapchat and get data on how the app was being used, Meta – when it was operating as Facebook – allegedly initiated a program called Project Ghostbusters, which intercepted data traffic from mobile apps. And it used that data to harm its competitors' ad business.

The name of the program was "an apparent reference to Snapchat's corporate logo, a white ghost on a yellow background," according to a recently unsealed court document [PDF].

Project Ghostbusters was run by Onavo, acquired by Facebook in 2013 and described by the US Federal Trade Commission as a "user surveillance company." Onavo offered a notional VPN service that was shut down in 2019 for – ironically – its lack of privacy.

The Snapchat data-interception scheme is described in that newly unsealed court document as a "man-in-the-middle" approach, in which Facebook essentially paid people to snoop on their mobile phones.

Facebook ran low-key studies with groups of willing participants – from teenagers to adults – who were rewarded for installing an Onavo-made research app that monitored their smartphone usage [PDF] to give the tech giant a better idea of how folks used their devices. That app, it's alleged, installed a root Certificate Authority allowing Facebook to intercept and analyze panel participants' internet usage.

Not only did it enable Facebook to issue itself digital certificates to intercept people's encrypted SSL/TLS connections, it also quietly redirected Snapchat analytics traffic (and subsequently Amazon and YouTube analytics) to Onavo's servers. Once there, the data could be decrypted and analyzed for commercial gain, then re-encrypted and passed back to Snapchat without the pic-sharing app maker's knowledge, according to the complaint.

If this sounds familiar, it's because that's why the Onavo VPN was ultimately shut down: the team behind it built Facebook's own research apps that snaffled panel participants' internet usage data. And when this all came to light in 2019 and sparked outrage, the tech giant was forced to pull the plug on the operation.

It's all part of a four-year-old lawsuit [PDF] brought against Meta in California by Facebook advertisers who allege, among other things, that Meta/Facebook's anticompetitive behavior – including data interception and arrangements with other companies – increased prices for ads and harmed competition.

That suit was filed six days before the US Federal Trade Commission sued Facebook [PDF] on December 9, 2020 alleging years of anticompetitive conduct to monopolize the social media advertising market. Both lawsuits remain ongoing, with the advertiser case likely to reach trial by 2025 if there's no prior settlement.

In a June 9, 2016 email, surfaced by the advertisers' legal challenge, Facebook CEO Mark Zuckerberg directed Alex Schultz, presently chief marketing officer and VP of analytics, and COO Javier Olivan, to figure out how to get reliable analytics from Snapchat – which had become a serious competitive threat in the eyes of some executives.

In a letter [PDF] to Judge James Donato, dated May 31, 2023, the plaintiffs' co-lead counsel Brian J Dunne explained: "In July 2016, the Onavo team's proposed solution was presented to senior management, including now-COO Javier Olivan: Facebook developed 'kits' that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage."

The passage Dunne quoted about the "kits" is from an email that Danny Ferrante – then director of core data science and growth research at Facebook – wrote to Olivan. The email went on to describe how Facebook planned to distribute these kits under other brands in a way that wouldn't reveal the involvement of The Social Network™️.

"Our plan is to work with a third party – like GFK, SSI, YouGov, uTest, etc – who will recruit panelists and distribute kits under their own branding," the email read. "We already have proposals from several of these providers. The panelists won't see Onavo in the NUX [new user experience] or in the phone settings. They could see Onavo using specialized tools (eg Wireshark)."

It's claimed this data collection scheme was one element in a larger initiative – described as Facebook's In-App Action Panel (IAAP) program – which allegedly ran from June 2016 through May 2019. As a note cited in Dunne's letter observed, the Android research app, for example, "currently includes SSL decryption giving us the capability to read all traffic on device."

"The company’s highest-level engineering executives thought the IAAP Program was a legal, technical, and security nightmare," wrote Dunne in a June 15, 2023 letter [PDF]. He cited remarks to this effect attributed to Pedro Canahuati, then-head of security engineering: "I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn't know how this stuff works."

Nonetheless, according to Dunne's May letter, during this period Facebook "expanded its IAAP program to also intercept, decrypt, and analyze encrypted analytics from YouTube and Amazon."

Dunne argued that on the evidence Meta/Facebook's actions should be considered criminal wiretapping. "Meta's IAAP program didn't just harm competition, but criminally violated 18 U.S.C. § 2511(1)(a) and (d) by intentionally intercepting SSL-protected analytics traffic addressed to secure Snapchat, YouTube, and Amazon servers," he explained in a footnote.

n a separate letter [PDF], Dunne alleged that Meta's IAAP competitive intelligence program – which may also have captured Twitter data – raised prices for advertisers.

"The intelligence Meta gleaned from this project was described both internally and externally as devastating to Snapchat's ads business," he wrote, "allowing Meta to hike North American ad prices companywide 60 percent between 2016 and 2018."

Meta's use of machine learning and AI is also "central" to the advertisers' case, according to another unsealed letter [PDF] from attorney Yavar Bathaee of Bathaee Dunne LLP.

"Advertisers will prove at trial, among other things, that Meta (a) changed the data sources for its neural network models as part of agreements with eBay and with Netflix, including in ways that were technically and economically irrational but for the anticompetitive effect of the agreements; (b) gathered and integrated signals/features/user data from across its business, including from WhatsApp and Instagram, into F3 [an internal AI data repository], all while contemporaneously misleading the FTC to avoid divestiture; and (c) used sensitive data deceptively taken from users' mobile devices to validate Meta's offsite identity-matching AI/ML systems."

The claim here is that Meta was not only tracking online activities but using its AI systems to identify people.

The GoFetch vulnerability found on Apple M-series and Intel Raptor Lake CPUs has been further unpacked by the researchers who first disclosed it.

GoFetch is a security exploit that takes advantage of data memory-dependent prefetchers (DMPs), not unlike speculative execution vulnerabilities such as Spectre. Essentially, data can be leaked out of a core's cache when DMP is enabled, creating a potential attack vector for hackers.

DMPs are present on all Apple M-series CPUs and Intel's Raptor Lake processors, and the dedicated website for GoFetch now shows how exactly the exploit is carried out. Within minutes (the footage is sped up so it's hard to say exactly how many), 560 bits of data was leaked from an RSA-protected server.

The GoFetch exploit isn't earth-shattering, as it's in a similar vein to Spectre, Meltdown, and other vectors that rely on a CPU's performance-boosting prediction features. Normally, there are software-based patches for chips that have hardware-level exploits, and usually that just involves disabling the speculative feature (and thus decreasing performance), but in the case of M1 and M2 CPUs, researchers say that's not possible.

The researchers address the common question of whether DMP can be disabled, explaining that yes, but only on some processors. "We observe that the DIT bit set on M3 CPUs effectively disables the DMP. This is not the case for the M1 and M2." So, GoFetch can be solved with a software patch for M3 and Raptor Lake CPUs, but not for M1 and M2 chips since DMP will run no matter what.

It's never good when a feature that increases performance has to be disabled because it leaks potentially sensitive data, but not being able to disable that feature at all is even worse. One workaround is to just blind the DMP to sensitive data whenever it's being stored to or loaded from memory, but the GoFetch paper [PDF] says this would require broad code rewrites and performance penalties in some cases.

However, there is one workaround that doesn't require any code rewrites. Like many modern CPUs, Apple's M-series have two types of cores: big Firestorm cores and little Icestorm cores. The DMP-based GoFetch exploit only works on Firestorm cores, including for M1 and M2 CPUs, and the GoFetch paper suggests all cryptographic work should solely be run on the Icestorm cores for the time being. Running anything on the efficiency-focused Icestorm cores is bound to be slower, but at least it should be secure.

Even this approach might not be foolproof though. If Apple comes out with a future M processor with DMP enabled in its efficiency cores, then there's nowhere that code can be run without potentially exposing sensitive data. Of course, given that DMP is not entirely secure, we'd hope that Apple either fixes it, removes it, or finds an alternative feature before making its next generation CPUs even more vulnerable.

The upstream release tarballs for xz version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

ArchLinux and most rolling release distro are affected.

Debian Testing/Sid/Experimental are affected, Debian Stable ISN'T AFFECTED.

Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.

Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4

More Infos: https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://lists.debian.org/debian-security-announce/2024/msg00057.html https://github.com/tukaani-project/xz/issues/92

The lawmakers say that numerous modems with no known function were uncovered from ship-to-shore (STS) cranes, which are used to unload cargo at the nation’s largest ports.

All of the cranes in question were manufactured by Shanghai Zhenhua Heavy Industries (ZPMC), a subsidiary of the state-owned China Communications Construction Co.

Relatedly, the lawmakers noted that ZPMC’s manufacturing facility is located adjacent to China’s most advanced ship-making facility, where the regime builds its aircraft carriers and houses advanced intelligence capabilities.

In a letter (pdf) addressed to the president and chairman of ZPMC, the lawmakers demand to know the purpose of the cellular modems discovered on crane components and in a U.S. seaport’s server room that houses firewall and networking equipment.

“These components do not contribute to the operation of the STS cranes or maritime infrastructure and are not part of any existing contract between ZPMC and the receiving U.S. maritime port,” the letter said.

“The Committees have serious concerns that this proximity to the [Chinese military’s] main shipyard provides malicious CCP [Chinese Communist Party] entities, including its intelligence agencies and security services, with ample opportunity to modify U.S.-bound maritime equipment, exploit it to malfunction, or otherwise facilitate cyber espionage thereby compromising U.S. maritime critical infrastructure.”

U.S. Coast Guard Rear Adm. John Vann, who leads the Coast Guard’s Cyber Command, told reporters last month that there were over 200 China-manufactured cranes operating across U.S. ports and regulated facilities.

At that time, Coast Guard cyber protection teams had assessed the cybersecurity or hunted for threats on 92 of those cranes, he said.

The discovery comes amid an ongoing congressional investigation into the operation of cranes manufactured in China and operating at U.S. ports.

Though the investigation is still ongoing, the committees identified serious concerns regarding ZPMC’s relationship with the CCP, particularly given the recent discovery of Chinese malware on vital infrastructure related to the port system.

As part of another cybersecurity investigation, some of the modems in question were also found to have active connections to the operational components of the STS cranes, suggesting they could be remotely controlled by a device no one previously knew was there.

Speaking to reporters last month, White House Deputy National Security Adviser Anne Neuberger said the cranes were designed to be serviceable from a remote location, which leaves them open to such exploitation.

“By design, these cranes may be controlled, serviced, and programmed from remote locations,” Ms. Neuberger said. “These features potentially leave [China]-manufactured cranes vulnerable to exploitation.

As such, the letter suggests that every U.S. seaport with ZPMC cranes could already be, or is at risk of being, compromised by the CCP.

Retired Army Col. John Mills told The Epoch Times that the cranes were effectively an extension of the CCP’s global cybercrime operation, which could be used during an invasion of Taiwan to sow chaos in the United States.

“Those container cranes are not cranes,” Mr. Mills said. “They’re IP endpoints on a worldwide intelligence collection system.”

To that end, he said that the cranes’ operational and safety features could likely be overridden remotely. This would allow the CCP to potentially trick one of the giant cranes into shifting its counterbalance in such a way that would cause it to crash into ships or containers in the nation’s busiest ports.

Complicating the issue all the more, he said, was the fact that the niche nature of the cargo cranes and their programming means it is unlikely a tailored cyber response to secure the systems will be created anytime soon.

To counter the threat in the long term, he added, the United States would need to ensure that it manufactured such vital equipment in its own territory.

“As things play out, they’re [the CCP] going to start initiating the hitting of target sets in cyber. The port cranes are a perfect example,” Mr. Mills said.

“This is the importance of making things here. If you want to reduce the Chinese threat, start making things here.”

North Korean hackers exploited a previously unknown vulnerability in a Windows security feature, allowing them to gain the highest level of access to targeted systems.

A zero-day flaw in AppLocker — a service that helps administrators control which applications are allowed to run on a system — was discovered by researchers at the Czech cybersecurity firm Avast and patched by Microsoft earlier this month.

By exploiting this bug, tracked as CVE-2024-21338, hackers with administrative privileges could escalate their access to the kernel level — the highest level of access in the operating system, reserved for performing critical system functions.

“With kernel-level access, an attacker might disrupt security software, conceal indicators of infection, turn off mitigations, and more,” Avast said.

To carry out malicious activities within the victim’s system, hackers believed to be a part of North Korea’s infamous Lazarus group used the FudModule rootkit — a type of malware designed to provide unauthorized access to a computer while concealing its presence.

Researchers said that the hackers improved the rootkit's functionality, making it stealthier. Some of the malware techniques, for example, were designed to evade detection and disable security protections, including Windows Defender, CrowdStrike Falcon and HitmanPro.

Avast said that the FudModule rootkit is “one of the most complex tools Lazarus holds in their arsenal.” Recent updates to the malware also show Lazarus’ commitment to keep actively developing the rootkit, researchers said.

The report does not mention which organizations were targeted in the latest Lazarus campaign or how successful it was.

Lazarus remains among “the most prolific and long-standing” advanced hacker groups, according to Avast. “Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication,” researchers said.

Earlier this week, Japanese researchers discovered that Lazarus targeted software developers with malicious open-source software packages uploaded to a repository used by the Python community. The malicious packages were downloaded hundreds of times, according to researchers.

Earlier in February, Germany and South Korea's intelligence agencies issued a joint advisory, warning of an ongoing North Korean cyber-espionage operation targeting the global defense sector. Lazarus was among the threat actors mentioned in the advisory. The report emphasized that the techniques used by the group to target the defense sector were similar to those employed in attacks against cryptocurrency firms and software developers.

Lazarus was also targeting the judicial system in South Korea. In February, South Korean police confiscated servers from the country's Supreme Court that were allegedly hacked by Lazarus last year. The servers are still under investigation.

According to the latest report by crypto analytics firm Chainalysis, North Korean hackers, including Lazarus, hacked more crypto platforms than ever last year, with the number of stolen assets reaching $1 billion.

A malware distribution campaign that began last May with a handful of malicious software packages uploaded to the Python Package Index (PyPI) has spread to GitHub and expanded to reach at least 100,000 compromised repositories.

According to security firm Apiiro, the campaign to poison code involves cloning legitimate repos, infecting them with malware loaders, uploading the altered files to GitHub under the same name, then forking the poisoned repo thousands of times and promoting the compromised code in forums and on social media channels.

Developers looking for useful code may therefore find a repo that’s describes as useful and at first glance appears appropriate, only to have their personal data pilfered by a hidden payload that runs malicious Python code and a binary executable.

"The malicious code (largely a modified version of BlackCap-Grabber) would then collect login credentials from different apps, browser passwords and cookies, and other confidential data," said Matan Giladi, security researcher, and Gil David, head of AI, in a report. "It then sends it back to the malicious actors' C&C (command-and-control) server and performs a long series of additional malicious activities."

A Trend Micro analysis of the malicious code describes how it employs clever techniques to conceal its true nature. For example, the code hides its use of the exec function – for dynamically executing code – through a technique dubbed “exec smuggling”.

Such attacks add hundreds of whitespace characters (521 of them) to push the exec function offscreen as a defense against manual scrutiny.

GitHub says it's aware that not all's well.

"GitHub hosts over 100 million developers building across over 420 million repositories, and is committed to providing a safe and secure platform for developers," a spokesperson told The Register.

"We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our Acceptable Use Policies. We employ manual reviews and at-scale detections that use machine learning and constantly evolve and adapt to adversarial tactics. We also encourage customers and community members to report abuse and spam."

Awareness and automated scanning is all very well – but Apiiro’s Giladi and David observed that GitHub missed many automated repo forks, as well as the manually uploaded ones.

"Because the whole attack chain seems to be mostly automated on a large scale, the one percent that survive still amount to thousands of malicious repos," the authors wrote, adding that if you count removed repos in the total, the campaign probably involved millions of malicious clones and forks.

They also point out that the scale of the attack is large enough to benefit from network effects, specifically developers who fork malicious repos without intending to use the software and don't realize they're validating and propagating malware.

GitHub, the researchers say, presents an effective way to compromise the software supply chain due to its support for the automatic generation of accounts and repos, its friendly APIs and soft rate limits, and its size.

The Biden administration had pushed for stronger software supply chain security through the National Institute of Standards and Technology's Cybersecurity Framework 2.0 and efforts to get organizations to publish their software bill of materials. But clearly there's work left to do.