Security

Misconfigured Cloud Servers Targeted with Linux Malware for New Cryptojacking Campaign (cadosecurity.com) 16

Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. "A Docker command was received..." they write, "that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server's root directory..." Typically, this is exploited to write out a job for the Cron scheduler to execute... In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.

The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker's Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server... To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh

"Multiple user mode rootkits are deployed to hide malicious processes," they note. And one of the shell scripts "makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker's session from being appended to the history file... Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn't appear in the shell history once a new session has been spawned."

The same script also inserts "an attacker-controlled SSH key to maintain access to the compromised host," according to the article, retrieves a miner for the Monero cryptocurrency and then "registers persistence in the form of systemd services" for both the miner and an open source Golang reverse shell utility named Platypus.

It also delivers "various utilities," according to the blog Security Week, "including 'masscan' for host discovery." Citing CADO's researchers, they write that the shell script also "weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents." The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet... ["For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers write.]

"This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers," Cado notes. "It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments."

Security

Linux Devices Are Under Attack By a Never-Before-Seen Worm 101

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.

Security

ownCloud Vulnerability With Maximum 10 Severity Score Comes Under 'Mass' Exploitation (arstechnica.com) 20

An anonymous reader quotes a report from Ars Technica: Security researchers are tracking what they say is the "mass exploitation" of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open source file-sharing server app. The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing "mass exploitation" in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they're configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week's disclosure, ownCloud officials said that in containerized configurations -- such as those using the Docker virtualization tool -- the URL can reveal data used to log in to the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn't sufficient to lock down a vulnerable server. [...]

To fix the ownCloud vulnerability under exploitation, ownCloud advised users to: "Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.

We also advise to change the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key"

Programming

72-Year-Old C++ Creator Bjarne Stroustrup Shares Life Advice (youtube.com) 47

72-year-old Bjarne Stroustrup invented C++ (first released in 1985). 38 years later, he gave a short interview for Honeypot.io (which calls itself "Europe's largest tech-focused job platform") offering his own advice for life: Don't overspecialize. Don't be too sure that you know the future. Be flexible, and remember that careers and jobs are a long-term thing. Too many young people think they can optimize something, and then they find they've spent a couple of years or more specializing in something that may not have been the right thing. And in the process they burn out, because they haven't spent enough time building up friendships and having a life outside computing.

I meet a lot of sort of — I don't know what you call them, "junior geeks"? — that just think that the only thing that matters is the speciality of computing — programming or AI or graphics or something like that. And — well, it isn't... And if they do nothing else, well — if you don't communicate your ideas, you can just as well do Sudoku... You have to communicate. And a lot of sort of caricature nerds forget that. They think that if they can just write the best code, they'll change the world. But you have to be able to listen. You have to be able to communicate with your would-be users and learn from them. And you have to be able to communicate your ideas to them.

So you can't just do code. You have to do something about culture and how to express ideas. I mean, I never regretted the time I spent on history and on math. Math sharpens your mind, history gives you some idea of your limitations and what's going on in the world. And so don't be too sure. Take time to have a balanced life.

And be ready for the opportunity. I mean, a broad-based education, a broad-based skill set — which is what you build up when you educate, you're basically building a portfolio of skills — means that you can take advantage of an opportunity when it comes along. You can recognize it sometimes. We have lots of opportunities. But a lot of them, we either can't take advantage of, or we don't notice. It was my fairly broad education — I've done standard computer science, I've done compilers, I've done multiple languages... I think I knew two dozen at the time. And I have done machine architecture, I've done operating systems. And that skill set turned out to be useful.

At the beginning of the video, Stroustrup jokes that it's hard to give advice — and that it's at least as difficult as it is to take advice.

Earlier this year, Bjarne also told the same site the story of how he became a programmer by mistake — misreading a word when choosing what to study after his high school exams. Stroustrup had thought he was signing up for an applied mathematics course, which instead turned out to be a class in computer science...

Privacy

Researchers Watched 100 Hours of Hackers Hacking Honeypot Computers (techcrunch.com) 34

An anonymous reader quotes a report from TechCrunch: Imagine being able to sit behind a hacker and observe them take control of a computer and play around with it. That's pretty much what two security researchers did thanks to a large network of computers set up as a honeypot for hackers. The researchers deployed several Windows servers deliberately exposed on the internet, set up with Remote Desktop Protocol, or RDP, meaning that hackers could remotely control the compromised servers as if they were regular users, being able to type and click around. Thanks to these honeypots, the researchers were able to record 190 million events and 100 hours of video footage of hackers taking control of the servers and performing a series of actions on them, including reconnaissance, installing malware that mines cryptocurrencies, using Android emulators to conduct click fraud, brute-forcing passwords for other computers, hiding the hackers' identities by using the honeypot as a starting point for another attack, and even watching porn. The researchers said a hacker successfully logging into its honeypot can generate "tens of events" alone.

The "Rangers," according to the two, carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. "Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later," the researchers wrote in a blog post published on Wednesday to accompany their talk. The "Barbarians" use the compromised honeypot computers to try and brute-force into other computers using known lists of hacked usernames and passwords, sometimes using tools such as Masscan, a legitimate tool that allows users to port-scan the whole internet, according to the researchers. The "Wizards" use the honeypot as a platform to connect to other computers in an attempt to hide their trails and the actual origin of their attacks. According to what Bergeron and Bilodeau wrote in their blog post, defensive teams can gather threat intelligence on these hackers, and "reach deeper into compromised infrastructure."

According to Bergeron and Bilodeau, the "Thieves" have the clear goal of monetizing their access to these honeypots. They may do that by installing crypto miners, programs to perform click fraud or generate fake traffic to websites they control, and selling access to the honeypot itself to other hackers. Finally, the "Bards" are hackers with very little or almost no skills. These hackers used the honeypots to use Google to search for malware, and even watch porn. These hackers sometimes used cell phones instead of desktop or laptop computers to connect to the honeypots. Bergeron and Bilodeau said they believe this type of hacker sometimes uses the compromised computers to download porn, something that may be banned or censored in their country of origin. In one case, a hacker "was downloading the porn and sending it to himself via Telegram. So basically circumventing a country-level ban on porn," Bilodeau told TechCrunch. "What I think [the hacker] does with this then is download it in an internet cafe, using Telegram, and then he can put it on USB keys, and he can sell it."

These types of honeypots could be useful for law enforcement or cybersecurity defensive teams. "Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence in recorded sessions for use in investigations," the researchers wrote in the blog post. "Blue teams for their part can consume the [Indicators of Compromise] and roll out their own traps in order to further protect their organization, as this will give them extensive documentation of opportunistic attackers' tradecraft."

Moreover, if hackers start to suspect that the servers they compromise may be honeypots, they will have to change strategies and decide whether the risks of being caught are worth it, "leading to a slow down which will ultimately benefit everyone," according to the researchers.

Privacy

Labor To Consider Age-Verification 'Roadmap' For Restricting Online Pornography Access (theguardian.com) 122

An anonymous reader quotes a report from The Guardian: The federal government is considering a "roadmap" on how to restrict access to online pornography to those who can prove they are 18 or older, but there are warnings that any system could come at the cost of Australians' privacy online. On Friday, the eSafety commissioner provided a long-awaited roadmap to the government for how to verify users' ages online, which was commissioned by the former Morrison government nearly two years ago. The commissioner's office said the roadmap "explores if and how age verification and other measures could be used to prevent and mitigate harm to children from online pornography" but that any action taken will be a decision of government.

There were a variety of options to verify people's ages considered during the consultation for the roadmap, such as the use of third-party companies, individual sites verifying ages using ID documents or credit card checks, and internet service providers or mobile phone operators being used to check users' ages. Digital rights groups have raised concerns about the potential for any verification system to create a honeypot of people's personal information. But the office said any technology-based solution would need to strike the right balance between safety, privacy and security, and must be coupled with education campaigns for children, parents and educators. [...]

It comes as new industry codes aimed at tackling restricted-access content online, developed by groups representing digital platforms, and software, gaming and telecommunications companies were submitted to the eSafety commissioner for approval. The content covered includes child sexual abuse material, terrorism, extreme crime and violence, and drug-related content. The commissioner, Julie Inman Grant, will now decide whether the voluntary codes meet her expectations or whether she needs to enforce mandatory codes. [...] The second phase of the codes will set out how the platforms restrict access to pornography on their sites -- separate from the use of age verification systems.

Programming

Ask Slashdot: What's the Best Podcast About Computer Science? 37

Long-time Slashdot reader destinyland writes: They say "always be learning" — but do podcasts actually help? I've been trying to find podcasts that discuss programming, and I've enjoyed Lex Fridman's interviews with language creators like Guido van Rossum, Chris Lattner, and Brendan Eich (plus his long interviews with Donald Knuth). Then I discovered that GitHub, Red Hat, Stack Overflow, and the Linux Foundation all have their own podcast.

There's a developer podcast called "Corecursive" that I like with the tagline "the stories behind the code," plus a whole slew of (sometimes language-specific) podcasts at Changelog (including an interview with Brian Kernighan). And it seems like there's an entirely different universe of content on YouTube — like the retired Microsoft engineer doing "Dave's Garage," Software Engineering Daily, and the various documentaries by Honeypot.io. Computerphile has also scored various interviews with Brian Kernighan, and if you search YouTube enough you'll find stray interviews with Steve Wozniak.

But I wanted to ask Slashdot's readers: Do you listen to podcasts about computer science? And if so, which ones? (Because I'm always stumbling across new programming podcasts, which makes me worry about what else I've been missing out on.) Maybe I should also ask if you ever watch coding livestreams on Twitch — although that gets into the more general question of just how much content we consume that's related to our profession.

Fascinating discussions, or continuing work-related education? (And do podcasts really help keep your skills fresh? Are coding livestreams on Twitch just a waste of time?) Most importantly, does anyone have a favorite geek podcast that they're listening to? Share your own experience and opinions in the comments...

What's the best podcast about computer science?

Games

Valve Bans 40,000 Accounts After Laying a Trap For Cheaters In Dota 2 (theverge.com) 89

An anonymous reader quotes a report from The Verge: Over 40,000 Dota 2 accounts have been permanently banned in the last few weeks after they were caught red-handed using third-party software to cheat the game. In a blog post published on Tuesday, Valve revealed that it had recently patched a known issue used by third-party software to cheat in Dota while simultaneously setting a honeypot trap to catch players using the exploit. According to Valve, the cheating software gave its users an unfair advantage by accessing information used internally by the Dota client that shouldn't be visible during gameplay. After investigating how it worked, the developer then decided to identify and remove the "bad actors" from the active Dota playerbase.

"We released a patch as soon as we understood the method these cheats were using," Valve said. "This patch created a honeypot: a section of data inside the game client that would never be read during normal gameplay, but that could be read by these exploits." Valve claims that all 40,000 of the now-banned accounts had accessed this hidden section of data, and that it had "extremely high confidence that every ban was well-deserved." Valve highlighted that the number of accounts banned was especially significant due to how prevalent this particular family of cheating clients is, and that the action taken is just one step in an ongoing campaign to tackle those abusing the popular MOBA game. "While the battle against cheaters and cheat developers often takes place in the shadows, we wanted to make this example visible, and use it to make our position clear: If you are running any application that reads data from the Dota client as you're playing games, your account can be permanently banned from playing Dota," warned Valve.

IT

Syntax Errors Are the Doom of Us All, Including Botnet Authors (arstechnica.com) 32

An anonymous reader shares a report: KmsdBot, a cryptomining botnet that could also be used for denial-of-service (DDOS) attacks, broke into systems through weak secure shell credentials. It could remotely control a system, it was hard to reverse-engineer, didn't stay persistent, and could target multiple architectures. KmsdBot was a complex malware with no easy fix. That was the case until researchers at Akamai Security Research witnessed a novel solution: forgetting to put a space between an IP address and a port in a command. And it came from whoever was controlling the botnet.

With no error-checking built in, sending KmsdBot a malformed command -- like its controllers did one day while Akamai was watching -- created a panic crash with an "index out of range" error. Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions. It is, as Akamai notes, "a nice story" and "a strong example of the fickle nature of technology." KmsdBot is an intriguing modern malware. It's written in Golang, partly because Golang is difficult to reverse-engineer. When Akamai's honeypot caught the malware, it defaulted to targeting a company that created private Grand Theft Auto Online servers. It has a cryptomining ability, though it was latent while the DDOS activity was running. At times, it wanted to attack other security companies or luxury car brands.

Technology

The Code the FBI Used To Wiretap the World (vice.com) 39

The FBI operation in which the agency intercepted messages from thousands of encrypted phones around the world was powered by cobbled together code. From a report: Motherboard has obtained that code and is now publishing sections of it that show how the FBI was able to create its honeypot. The code shows that the messages were secretly duplicated and sent to a "ghost" contact that was hidden from the users' contact lists. This ghost user, in a way, was the FBI and its law enforcement partners, reading over the shoulder of organized criminals as they talked to each other.

Last year, the FBI and its international partners announced Operation Trojan Shield, in which the FBI secretly ran an encrypted phone company called Anom for years and used it to hoover up tens of millions of messages from Anom users. Anom was marketed to criminals, and ended up in the hands of over 300 criminal syndicates worldwide. The landmark operation has led to more than 1,000 arrests including alleged top tier drug traffickers and massive seizures of weapons, cash, narcotics, and luxury cars. Motherboard has obtained this underlying code of the Anom app and is now publishing sections of it due to the public interest in understanding how law enforcement agencies are tackling the so-called Going Dark problem, where criminals use encryption to keep their communications out of the hands of the authorities. The code provides greater insight into the hurried nature of its development, the freely available online tools that Anom's developers copied for their own purposes, and how the relevant section of code copied the messages as part of one of the largest law enforcement operations ever.

Microsoft

After Microsoft Releases Patch for RPC Exploit: What the Honeypot Saw (sans.edu) 9

Long-time Slashdot reader UnderAttack writes: After Microsoft patched and went public with CVE-2022-26809, the recent Remote Procedure Call vulnerability, the SANS Internet Storm Center set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. But so far, while it has seen thousands of attacks against SMB a day, nothing yet for the new RPC vulnerability....

But still, attackers are heavily hitting other vulnerabilities like, of course, still ETERNALBLUE.

From the article: Should you stop rushing out the April patch? Absolutely not. I hope you are already done applying the patch. But the April Windows patch had several additional gems, not just patches for RPC. Chatter about CVE-2022-26809 has died down, but as they say: Sometimes the quiet ones are the dangerous ones, and people able to exploit this vulnerability may not broadcast what they are doing on social media.
The article is credited to Johannes B. Ullrich, Ph.D., Dean of Research at the security site SANS.edu.

Interestingly, Ullrich's byline is hyperlinked to a Google+ profile which has been unavailable for nearly three years.

Crime

Inside the Bitcoin Bust of the Web's Biggest Child Abuse Site (wired.com) 73

Chainalysis is software for tracing cryptocurrency, built "to turn the digital underworld's preferred means of exchange into its Achilles' heel," writes Wired.

This week they describe what happened when that company's co-founder discovered that for two years, hundreds of users of a child pornography-trading site — and its administrators — "had done almost nothing to obscure their cryptocurrency trails..." and "seemed to be wholly unprepared for the modern state of financial forensics on the blockchain." Over the previous few years, [Internal Revenue Service criminal investigator Chris] Janczewski, his partner Tigran Gambaryan, and a small group of investigators at a growing roster of three-letter American agencies had used this newfound technique, tracing a cryptocurrency that once seemed untraceable, to crack one criminal case after another on an unprecedented, epic scale. But those methods had never led them to a case quite like this one, in which the fate of so many people, victims and perpetrators alike, seemed to hang on the findings of this novel form of forensics.... Janczewski thought again of the investigative method that had brought them there like a digital divining rod, revealing a hidden layer of illicit connections underlying the visible world....

When Bitcoin first appeared in 2008, one fundamental promise of the cryptocurrency was that it revealed only which coins reside at which Bitcoin addresses — long, unique strings of letters and numbers — without any identifying information about those coins' owners. This layer of obfuscation created the impression among many early adherents that Bitcoin might be the fully anonymous internet cash long awaited by libertarian cypherpunks and crypto-anarchists: a new financial netherworld where digital briefcases full of unmarked bills could change hands across the globe in an instant. Satoshi Nakamoto, the mysterious inventor of Bitcoin, had gone so far as to write that "participants can be anonymous" in an early email describing the cryptocurrency. And thousands of users of dark-web black markets like Silk Road had embraced Bitcoin as their central payment mechanism.

But the counterintuitive truth about Bitcoin, the one upon which Chainalysis had built its business, was this: Every Bitcoin payment is captured in its blockchain, a permanent, unchangeable, and entirely public record of every transaction in the Bitcoin network. The blockchain ensures that coins can't be forged or spent more than once. But it does so by making everyone in the Bitcoin economy a witness to every transaction. Every criminal payment is, in some sense, a smoking gun in broad daylight. Within a few years of Bitcoin's arrival, academic security researchers — and then companies like Chainalysis — began to tear gaping holes in the masks separating Bitcoin users' addresses and their real-world identities.

The article describes some investigative techniques — like pressuring exchanges for identities, tying a transaction to a known identity, or even performing an undercover transaction themselves. "Thanks to tricks like these, Bitcoin had turned out to be practically the opposite of untraceable: a kind of honeypot for crypto criminals that had, for years, dutifully and unerasably recorded evidence of their dirty deals.

"By 2017, agencies like the FBI, the Drug Enforcement Agency, and the IRS's Criminal Investigation division had traced Bitcoin transactions to carry out one investigative coup after another, very often with the help of Chainalysis.

"The cases had started small and then gained a furious momentum...."

Thanks to long-time Slashdot reader Z00L00K for sharing the article.

Microsoft

Attackers Don't Bother Brute-forcing Long Passwords, Microsoft Engineer Says (therecord.media) 100

According to data collected by Microsoft's network of honeypot servers, most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters. From a report: "I analysed the credentials entered from over -- million brute force attacks against SSH. This is around 30 days of data in Microsoft's sensor network," said Ross Bevington, a security researcher at Microsoft. "77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases," said Bevington, who works as Head of Deception at Microsoft, a position in which he's tasked with creating legitimate-looking honeypot systems in order to study attacker trends.

Facebook

John Carmack Issues Some Words of Warning For Meta and Its Metaverse Plans (arstechnica.com) 48

An anonymous reader quotes a report from Ars Technica: Oculus consulting CTO John Carmack has been bullish on the idea of "the metaverse" for a long time, as he'll be among the first to point out. But the id Software co-founder spent a good chunk of his wide-ranging Connect keynote Thursday sounding pretty skeptical of plans by the newly rebranded Meta (formerly Facebook) to actually build that metaverse. "I really do care about [the metaverse], and I buy into the vision," Carmack said, before quickly adding, "I have been pretty actively arguing against every single metaverse effort that we have tried to spin up internally in the company from even pre-acquisition times." The reason for that seeming contradiction is a somewhat ironic one, as Carmack puts it: "I have pretty good reasons to believe that setting out to build the metaverse is not actually the best way to wind up with the metaverse."

Today, Carmack said, "The most obvious path to the metaverse is that you have one single universal app, something like Roblox." That said, Carmack added, "I doubt a single application will get to that level of taking over everything." That's because a single bad decision by the creators of that walled-garden metaverse can cut off too many possibilities for users and makers. "I just don't believe that one player -- one company -- winds up making all the right decisions for this," he said. The idea of the metaverse, Carmack says, can be "a honeypot trap for 'architecture astronauts.'" Those are the programmers and designers who "want to only look at things from the very highest levels," he said, while skipping the "nuts and bolts details" of how these things actually work.

These so-called architecture astronauts, Carmack said, "want to talk in high abstract terms about how we'll have generic objects that can contain other objects that can have references to these and entitlements to that, and we can pass control from one to the other." That kind of high-level hand-waving makes Carmack "just want to tear [his] hair out... because that's just so not the things that are actually important when you're building something." "But here we are," Carmack continued. "Mark Zuckerberg has decided that now is the time to build the metaverse, so enormous wheels are turning and resources are flowing and the effort is definitely going to be made."

Youtube

YouTube Channel 'Tech Support Scams' Taken Offline By Tech Support Scam (theregister.com) 55

The Tech Support Scams YouTube channel, operated by host and creator Jim Browning, was deleted after a tech support scam convinced Browning that the only way to secure his account was to delete it. The Register reports: "So to prove that anyone can be scammed," Browning announced via Twitter following the attack, "I was convinced to delete my YouTube channel because I was convinced I was talking [to YouTube] support. I never lost control of the channel, but the sneaky s**t managed to get me to delete the channel. Hope to recover soon." To fool Browning, the ruse must have been convincing: "I track down the people who scam others on the Internet," he writes on his Patreon page. "This is usually those 'tech support' call frauds using phone calls or pop-ups. I explain what I do by guiding others in how to recognize a scam and, more importantly, how to turn the tables on scammers by tracking them down."

Browning has made a name for himself with self-described "scam baiting" videos, in which he sets up honeypot systems and pretends to fall for scams in which supposed support staffers need remote access to fix a problem or remove a virus -- in reality scouring the hard drive for sensitive files or planting malware of their own. "I am hoping that YouTube Support can recover the situation by 29th July," Browning wrote in a Patreon update, "and I can get the channel back, but they've not promised anything as yet. I just hope it is recoverable."

Whether Browning is able to recover the account, and the 3.28 million subscribers he had gathered over his career as a scam-baiter, he's hoping to turn his misfortune into another lesson. "I will make a video on how all of this went down," he pledged, "but suffice to say, it was pretty convincing until the very end."

Cellphones

'We Got the Phone the FBI Secretly Sold to Criminals' (vice.com) 70

Motherboard bought an FBI "Anom" phone that the agency secretly sells to criminals to monitor their communications. Joseph Cox reports: The sleek, black phone seems perfectly normal. Unlocking the Google Pixel 4a with a PIN code reveals some common apps: Tinder, Instagram, Facebook, Netflix, and even Candy Crush. But none of those apps work, and tapping their icons doesn't do anything. Resetting the phone and typing in another PIN opens up an entirely different section of the device, with a new background and new apps. Now in place of the old apps sit a clock, a calculator, and the device's settings. Clicking the calculator doesn't open a calculator -- it opens a login screen.

"Enter Anom ID" and a password, the screen reads. Hidden in the calculator is a concealed messaging app called Anom, which last month we learned was an FBI honeypot. On Anom, criminals believed they could communicate securely, with the app encrypting their messages. They were wrong: an international group of law enforcement agencies including the FBI were monitoring their messages and announced hundreds of arrests last month. International authorities have held press conferences to tout the operation's success, but have provided few details on how the phones actually functioned.

Motherboard has obtained and analyzed an Anom phone from a source who unknowingly bought one on a classified ads site. On that site, the phone was advertised as just a cheap Android device. But when the person received it, they realized it wasn't an ordinary phone, and after being contacted by Motherboard, found that it contained the secret Anom app. When booting up the phone, it displays a logo for an operating system called "ArcaneOS." Very little information is publicly available on ArcaneOS. It's this detail that has helped lead several people who have ended up with Anom phones to realize something was unusual about their device. Most posts online discussing the operating system appear to be written by people who have recently inadvertently bought an Anom device, and found it doesn't work like an ordinary phone. After the FBI announced the Anom operation, some Anom users have scrambled to get rid of their device, including selling it to unsuspecting people online. The person Motherboard obtained the phone from was in Australia, where authorities initially spread the Anom devices as a pilot before expanding into other countries.

Security

A Simple Telephony Honeypot Received 1.5 Million Robocalls Across 11 Months (zdnet.com) 65

An anonymous reader shares a report: In an award-winning paper presented at the USENIX security conference this week, a team of academics from North Carolina State University presented a list of findings from operating a massive telephony honeypot for 11 months for the sole purpose of tracking, identifying, and analyzing the robocalling phenomenon in the US. NCSU researchers said they ran 66,606 telephone lines between March 2019 and January 2020, during which time they say they received 1,481,201 unsolicited calls -- even though they never made their phone numbers public via any source.

The research team said they usually received an unsolicited call every 8.42 days, but most of the robocall traffic came in sudden surges they called "storms" that happened at regular intervals, suggesting that robocallers operated using a tactic of short-burst and well-organized campaigns. In total, the NCSU team said it tracked 650 storms over 11 months, with most storms being of the same size.

Security

Trend Micro Set Up a Fake Tech Company and Honeypot To Study Cyber Criminals (zdnet.com) 16

DesScorp writes: In an effort to better understand the latest threats to IT systems, antivirus and security company Trend Micro created a fake tech company, complete with AI-generated photos of fake employees, in order to build a honeypot environment that looked like an actual, working tech factory environment. "Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware, cryptocurrency miners -- and in some cases they're actively looking to shut down or disrupt systems," reports ZDNet. "All of these incidents were spotted by researchers at cybersecurity company Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target."

The report adds: "To help make the honeypot as convincing as possible, researchers linked the desktops, networks and servers to a false company they called MeTech and created a website detailing how the manufacturer served clients in high-tech sectors including defense and aerospace -- popular targets for hacking. The website even featured images and bios of people who supposedly worked for the false brand, with headshots generated by artificial intelligence in an effort to make the honeypot look as much like a legitimate company as possible." Trend Micro even leaked details of system vulnerabilities in things like Virtual Network Computing (VNC) access to further lure criminals in. The fake company was attacked by everyone from ransomware actors to cryptocurrency miners, to hackers that did "recon" to look for possible industrial espionage data.

The Courts

US Requests 12-Year Prison Sentence For Prenda 'Copyright Troll' Lawyer (torrentfreak.com) 66

"The U.S. is recommending a 12.5 year prison sentence for Paul Hansmeier, one of the lead attorneys of the controversial law firm Prenda," reports TorrentFreak: Last summer, Hansmeier admitted that he is guilty of conspiracy to commit mail fraud and wire fraud, as well as conspiracy to commit money laundering. With the final decision coming up, the Government and the defendant have now issued their sentencing recommendations. According to the Government, it is clear that Hansmeier was the driving force behind the entire scheme.... "Paul Hansmeier selected the pornographic movies for his brother to upload based upon how attractive they would be to BitTorrent users, thus deliberately encouraging the piracy Hansmeier pretended to hate," the Government writes...

With the IP-addresses that were obtained through this honeypot scheme, Prenda requested subpoenas to obtain the names and addresses of Internet subscribers. These people were then threatened into settling for figures up to $3,000. Whether they were guilty or not appeared to be irrelevant. "Hansmeier was generally content to take this step without investigating whether the subscriber was, in fact, the infringer. Hansmeier thus inflicted plenty of pain on persons who did not, in fact, download his pornographic bait," the Government writes.

In total, Prenda Law generated roughly $3,000,000 from the fraudulent copyright lawsuits they filed at courts throughout the United States. While it is by no means illegal to go after file-sharers, the Prenda attorneys crossed a line by repeatedly lying to or misleading the courts. Hansmeier also filmed and produced many videos himself, leading the court to believe that these were from a third-party company... Also, the court was led to believe that pirates caused financial damage, even though the videos were never commercially distributed.

Arguing for a sentence of 150 months, the government writes that Hansmeier "was greedy, arrogant, devious, mendacious, and consistently positioned other people to be damaged by his conduct, even as he enjoyed the proceeds of the scheme he orchestrated." Hansmeier's attorney counters that his client should spend no more than 87 months in prison, with an additional three years of supervision -- and that there should be no fine, since restitution will be paid to those damaged by his scheme.

"Either way," writes TorrentFreak, "it is clear that the Prenda attorney will likely spend several years in prison."

Businesses

Dream Market, the Top Dark Web Marketplace, Will Shut Down Next Month (zdnet.com) 113

Dream Market, today's top dark web marketplace, today announced plans to shut down on April 30. From a report: The announcement came on the same day Europol, FBI, and DEA officials announced tens of arrests and a massive crackdown on dark web drug trafficking. The timing of the four announcements immediately sent most of Dream Market's users and dark web threat intel analysts into a frenzy of theories that law enforcement might have already seized the site and are now running a honeypot operation. Their fears are based on a similar event from June 2017 when Dutch police took over Hansa Market and ran the site for a month while collecting evidence on the portal's users. Law enforcement later used passwords collected from Hansa Market users to gain access to accounts on other dark web marketplaces.
