×
Medicine

Security Lessons from the Change Healthcare Ransomware Catastrophe (csoonline.com) 7

The $22 million paid by Change Healthcare's parent company to unlock its systems "may have emboldened bad actors to further target the vulnerable industry," writes Axios: There were 44 attacks against the health care sector in April, the most that [cybersecurity firm] Recorded Future has seen in the four years it's been collecting data. It was also the second-largest month-over-month jump, after 30 ransomware attacks were recorded in March. There were 32 attacks in February and May.
But an analysis by the security-focused magazine CSO says the "disastrous" incident also "starkly illustrated the fragility of the healthcare sector, prompting calls for regulatory action." In response to the attack, US politicians have called for mandated baseline cybersecurity standards in the health sector, as well as better information sharing. They have also raised concerns that industry consolidation is increasing cyber risk.
So what went wrong? The attackers used a set of stolen credentials to remotely access the company's systems. But the article also notes Change Healthcare's systems "suffered from a lack of segmentation, which enables easy lateral movement of the attack" — and that the company's acquisition may have played a role: Mergers and acquisitions create new cyber threats because they involve the integration of systems, data, and processes from different organizations, each with its own security protocols and potential vulnerabilities. "During this transition, cybercriminals can exploit discrepancies in security measures, gaps in IT governance, and the increased complexity of managing merged IT environments," Aron Brand, CTO of CTERA told CSOonline. "Additionally, the heightened sharing of sensitive information between parties provides more opportunities for data breaches."
And "In the end, paying the ransom failed to protect UHG from secondary attempts at extortion." In April, cybercriminals from the RansomHub group threatened to leak portions of 6TB of sensitive data stolen from the breach of Change Healthcare, and obtained through Nichy, according to an analysis by security vendor Forescout. An estimated one in three Americans had their sensitive data exposed as a result of the attack. Such secondary scams are becoming increasingly commonplace and healthcare providers are particularly at risk, according to compliance experts... The US Department of Health and Human Services (HHS) is investigating whether a breach of protected health information occurred in assessing whether either UHG or Change Healthcare violated strict healthcare sector privacy regulations.
Thanks to Slashdot reader snydeq for sharing the article.
Beer

Researchers Find No Amount of Alcohol is Healthy For You (nytimes.com) 39

The New York Times magazine remembers that once upon a time, in the early 1990s, "some prominent researchers were promoting, and the media helped popularize, the idea that moderate drinking...was linked to greater longevity.

"The cause of that association was not clear, but red wine, researchers theorized, might have anti-inflammatory properties that extended life and protected cardiovascular health..." More recently, though, research has piled up debunking the idea that moderate drinking is good for you. Last year, a major meta-analysis that re-examined 107 studies over 40 years came to the conclusion that no amount of alcohol improves health; and in 2022, a well-designed study found that consuming even a small amount brought some risk to heart health. That same year, Nature published research stating that consuming as little as one or two drinks a day (even less for women) was associated with shrinkage in the brain — a phenomenon normally associated with aging...

[M]ore people are now reporting that they consume cannabis than alcohol on a daily basis. Some governments are responding to the new research by overhauling their messaging. Last year, Ireland became the first country to pass legislation requiring a cancer warning on all alcohol products sold there, similar to those found on cigarettes: "There is a direct link between alcohol and fatal cancers," the language will read. And in Canada, the government has revised its alcohol guidelines, announcing: "We now know that even a small amount of alcohol can be damaging to health." The guidelines characterize one to two drinks a week as carrying "low risk" and three to six drinks as carrying "moderate risk." (Previously the guidelines suggested that women limit themselves to no more than two standard drinks most days, and that men place that limit at three.)

AI

OpenAI CEO Says Company Could Become a For-Profit Corporation Like xAI, Anthropic (reuters.com) 8

Wednesday The Information reported that OpenAI had doubled its annualized revenue — a measure of the previous month's revenue multiplied by 12 — in the last six months. It's now $3.4 billion (which is up from around $1 billion last summer, notes Engadget).

And now an anonymous reader shares a new report from The Information: OpenAI CEO Sam Altman recently told some shareholders that the artificial intelligence developer is considering changing its governance structure to a for-profit business that OpenAI's nonprofit board doesn't control, according to a person who heard the comments. One scenario Altman said the board is considering is a for-profit benefit corporation, which rivals such as Anthropic and xAI are using, this person said. Such a change could open the door to an eventual initial public offering of OpenAI, which currently sports a private valuation of $86 billion, and may give Altman an opportunity to take a stake in the fast-growing company, a move some investors have been pushing.
More from Reuters: The restructuring discussions are fluid and Altman and his fellow directors could ultimately decide to take a different approach, The Information added. In response to Reuters' queries about the report, OpenAI said: "We remain focused on building AI that benefits everyone. The nonprofit is core to our mission and will continue to exist."
Is that a classic non-denial denial?

Note that the nonprofit's "continuing to exist" does not in any way preclude OpenAI from becoming a for-profit business — with a spin-off nonprofit, continuing to exist...
Space

Have Scientists Found 'Potential Evidence' of Dyson Spheres? (cnn.com) 37

Have scientists discovered infrared radiation, evidence of waste heat generated by the energy-harvesting star-surrounding spheres first proposed by British American physicist Freeman Dyson? CNN reports: [A] new study that looked at 5 million stars in the Milky Way galaxy suggests that seven candidates could potentially be hosting Dyson spheres — a finding that's attracting scrutiny and alternate theories... Using historical data from telescopes that pick up infrared signatures, the research team looked at stars located within less than 1,000 light-years from Earth: "We started with a sample of 5 million stars, and we applied filters to try to get rid of as much data contamination as possible," said lead study author Matías Suazo, a doctoral student in the department of physics and astronomy of Uppsala University in Sweden. "So far, we have seven sources that we know are glowing in the infrared but we don't know why, so they stand out...."

Among the natural causes that could explain the infrared glow are an unlucky alignment in the observation, with a galaxy in the background overlapping with the star, planetary collisions creating debris, or the fact that the stars may be young and therefore still surrounded by disks of hot debris from which planets would later form...

An earlier study, published in March and using data from the same sources as the new report, had also found infrared anomalies among a sample dataset of 5 million stars in our galaxy. "We got 53 candidates for anomalies that cannot be well explained, but can't say that all of them are Dyson sphere candidates, because that's not what we are specifically looking for," said Gabriella Contardo, a postdoctoral research fellow at the International School for Advanced Studies in Trieste, Italy, who led the earlier study. She added that she plans to check the candidates against Suazo's model to see how many tie into it. "You need to eliminate all other hypotheses and explanations before saying that they could be a Dyson sphere," she added. "To do so you need to also rule out that it's not some kind of debris disk, or some kind of planetary collision, and that also pushes the science forward in other fields of astronomy — so it's a win-win."

Both Contardo and Suazo agree that more research is needed on the data, and that ultimately they could turn to NASA's James Webb Space Telescope for more information, as it is powerful enough to observe the candidate stars directly. However, because of the lengthy, competitive procedures that regulate use of the telescope, securing access might take some time.


CNN adds that "A May 23 paper published in response to the one by Suazo and his colleagues suggests that at least three of the seven stars have been 'misidentified' as Dyson spheres and could instead be 'hot DOGs' — hot dust-obscured galaxies — and that the remaining four could probably be explained this way as well."

But "As for Dyson himself, if he were still alive, he also would be highly skeptical that these observations represent a technological signature, his son George argued: 'But the discovery of new, non-technological astronomical phenomena is exactly why he thought we should go out and look.' "
Programming

Rust's Foundation Announces a New 'Safety-Critical Rust Consortium' (rust-lang.org) 9

This week the Rust Foundation jointly announced "the Safety-Critical Rust Consortium" with industry partners including Arm, AdaCore, Lynx Software Technologies, and Toyota's mobility tech subsidiary Woven. Its goal is supporting "responsible use" of Rust "in safety-critical software — systems whose failure can impact human life or cause severe environmental or property harm."

"This is exciting," said Rust creator Graydon Hoare in a statement. "I am truly pleased to see the Rust Foundation and anyone in the safety-critical space coming together on this topic."

From the announcement: "Safety is our foremost priority in vehicle software development. Traditionally, achieving the highest levels of safety has been a complex and lengthy endeavor, requiring the use of specialized tools and processes beyond the programming language," said JF Bastien, Distinguished Engineer at Woven by Toyota. "We are therefore pleased to collaborate with leading experts in the safety industry to integrate new tools such as Rust into our safety-critical systems...." Industries that are particularly concerned with functional safety include transportation (such as automotive, aviation, space), energy, life sciences, and more. Because of their potential impacts, these industries are often regulated, have liability considerations, and are guided by standards... These industries have decades of experience delivering products, learning from iterating based on real-world feedback, and improving processes. An ecosystem of tools and tool vendors have evolved, and best practices have been learned to create a safety culture around tooling.

Rust offers particular advantages in terms of developer ergonomics, productivity and software quality; however, it lacks a deep and established well of safety-processes and collective industry knowledge of safety-critical systems. Without closing this gap, a developer must primarily rely on best practices and normative precautions, which can limit innovation. Rust developers who stray from the well-trod path can find themselves facing an inquiry were an accident to occur. In these circumstances, anything that seems unusual will be investigated for fault.

This risk creates a disincentive to widespread Rust adoption, leaving developers unable to reap all its advantages while potentially facing financial, reputational and moral costs. The gap in safety-critical resources within the Rust programming language ecosystem is also an exciting opportunity. By rapidly incorporating lessons learned from years of careful development and past mistakes in the wider open source ecosystem, Rust can become a valuable component of a safety toolkit adaptable to various safety-critical industries and severity levels.

"Work under the consortium will begin with the creation of a public charter and goals," according to the announcement, with a scope possibly including "the development of guidelines, linters, libraries, static analysis tools, formal methods and language subsets to meet industrial and legal requirements. The group may further shepherd Rust Foundation-funded implementation work, including grants to existing academic teams or FOSS projects... The group will further attempt to coordinate with and expand on existing safety-critical projects and standards including SAE JA1020.
The group will maintain communication with the larger Rust Project, and "The Consortium's deliverables will be developed and licensed in a manner compatible with other Rust Project endeavors."
Power

Solar Modules Deployed In France In 1992 Still Provide 79.5% of Original Output (pv-magazine.com) 37

French photovoltaics group Hespul tested solar panels installed in 1992, reports PV Magazine: The testing showed that the modules still produce on average 79.5% of their initial power after 31 years of operation. In a previous testing carried out 11 years ago, the panels were found to produce 91.7% of their initial power. "This result exceeds the performance promised by the manufacturers who said the panels would have maintained 80% of their output after 25 years," said Hespul.

The drop in performance is on average 20.5%, or 0.66% per year over 31 years, and 1.11% per year over the last 11 years... Another more recent study carried out by the US Department of Energy's National Renewable Energy Laboratory (NREL) on 1,700 American sites totaling 7.2 GW of power, showed a median degradation of around -0.75%/year. Moveover, another research study focused on 4,300 residential installations in operation in Europe and used different data processing methodologies. Depending on the methods, a median loss of -0.36% to -0.67%/year was obtained.

Thanks to long-time Slashdot reader storkus for sharing the news.
Linux

Linux vs Windows 11 Copilot+ PCs? TUXEDO Unveils Snapdragon X Elite ARM Notebook (betanews.com) 19

Slashdot reader BrianFagioli shares his report from BetaNews: The PC community is abuzz with Qualcomm's recent announcement of its Snapdragon X Elite SoC, a powerhouse chipset that promises to revolutionize the performance and energy efficiency of laptops and tablets. While Windows 11 Copilot+ PCs are set to feature this advanced processor, Linux enthusiasts have reasons to celebrate as well. You see, TUXEDO Computers is bringing this cutting-edge technology to the Linux world with its upcoming ARM notebook, positioning it as a strong competitor to Windows 11 Copilot+ devices.

In a recent update, TUXEDO Computers revealed its ambitious project of developing an ARM notebook powered by the Snapdragon X Elite SoC from Qualcomm. This announcement has generated significant excitement, as it presents a viable alternative to traditional x86 notebooks, offering comparable performance with lower energy consumption, directly challenging the dominance of Windows 11 Copilot+... Benchmarks suggest that the Snapdragon X Elite can not only rival but potentially surpass Apple's M2 SoCs, boasting higher energy efficiency. TUXEDO's preliminary tests confirm these impressive claims, setting the stage for a fierce competition with Windows 11 Copilot+ PCs.

"We recently presented a prototype of the ARM notebook we are working on at the Computex computer trade fair in Taiwan," according to TUXEDO's announcement.

"On the software side, a port of TUXEDO OS with KDE Plasma to the ARM platform is our goal for this project running internally under the working title Drako...

"It is quite conceivable that an ARM notebook from TUXEDO will be under your Christmas tree in 2024... If you have subscribed to our newsletter, you will be the first to know."
AI

An AI-Generated Candidate Wants to Run For Mayor in Wyoming (futurism.com) 41

An anonymous reader shared this report from Futurism: An AI chatbot named VIC, or Virtually Integrated Citizen, is trying to make it onto the ballot in this year's mayoral election for Wyoming's capital city of Cheyenne.

But as reported by Wired, Wyoming's secretary of state is battling against VIC's legitimacy as a candidate — and now, an investigation is underway.

According to Wired, VIC, which was built on OpenAI's GPT-4 and trained on thousands of documents gleaned from Cheyenne council meetings, was created by Cheyenne resident and library worker Victor Miller. Should VIC win, Miller told Wired that he'll serve as the bot's "meat puppet," operating the AI but allowing it to make decisions for the capital city.... "My campaign promise," Miller told Wired, "is he's going to do 100 percent of the voting on these big, thick documents that I'm not going to read and that I don't think people in there right now are reading...."

Unfortunately for the AI and its — his? — meat puppet, however, they've already made some political enemies, most notably Wyoming Secretary of State Chuck Gray. As Gray, who has challenged the legality of the bot, told Wired in a statement, all mayoral candidates need to meet the requirements of a "qualified elector." This "necessitates being a real person," Gray argues... Per Wired, it's also run amuck with OpenAI, which says the AI violates the company's "policies against political campaigning." (Miller told Wired that he'll move VIC to Meta's open-source Llama 3 model if need be, which seems a bit like VIC will turn into a different candidate entirely.)

The Wyoming Tribune Eagle offers more details: [H]is dad helped him design the best system for VIC. Using his $20-a-month ChatGPT subscription, Miller had an 8,000-character limit to feed VIC supporting documents that would make it an effective mayoral candidate...

While on the phone with Miller, the Wyoming Tribune Eagle also interviewed VIC itself. When asked whether AI technology is better suited for elected office than humans, VIC said a hybrid solution is the best approach. "As an AI, I bring unique strengths to the role, such as impartial decision-making, data-driven policies and the ability to analyze information rapidly and accurately," VIC said. "However, it's important to recognize the value of human experience and empathy and leadership. So ideally, an AI and human partnership would be the most beneficial for Cheyenne...." The artificial intelligence said this unique approach could pave a new pathway for the integration of human leadership and advanced technology in politics.

Python

Python 'Language Summit' 2024: Security Workflows, Calendar Versioning, Transforms and Lightning Talks (blogspot.com) 16

Friday the Python Software Foundation published several blog posts about this year's "Python Language Summit" May 15th (before PyCon US), which featured talks and discussions by core developers, triagers, and Python implementation maintainers.

There were several lightning talks. One talk came from the maintainer of the PyO3 project, offering Rust bindings for the Python C API (which requires mapping Rust concepts to Python — leaving a question as to how to map Rust's error-handling panic! macro). There was a talk on formalizing the PEP prototype process, and a talk on whether the Python team should have a more official presence in the Apple App Store (and maybe the Google Play Store). One talk suggested changing the formatting of error messages for assert statements, and one covered a "highly experimental" project to support structured data sharing between Python subinterpreters. One talk covered Python's "unsupported build" warning and how it should behave on platforms beyond Python's officially supported list.

Python Foundation blog posts also covered some of the longer talks, including one on the idea of using type annotations as a mechanism for transformers. One talk covered the new interactive REPL interpreter coming to Python 3.13.

And one talk focused on Python's security model after the xz-utils backdoor: Pablo Galindo Salgado, Steering Council member and the release manager for Python 3.10 and 3.11, brought this topic to the Language Summit to discuss what could be done to improve Python's security model... Pablo noted the similarities shared between CPython and xz-utils, referencing the previous Language Summit's talk on core developer burnout, the number of modules in the standard library that have one or zero maintainers, the high ratio of maintainers to source code, and the use of autotools for configuration. Autotools was used by [xz's] Jia Tan as part of the backdoor, specifically to obscure the changes to tainted release artifacts. Pablo confirmed along with many nods of agreement that indeed, CPython could be vulnerable to a contributor or core developer getting secretly malicious changes merged into the project.

For multiple reasons like being able to fix bugs and single-maintainer modules, CPython doesn't require reviewers on the pull requests of core developers. This can lead to "unilateral action", meaning that a change is introduced into CPython without the review of someone besides the author. Other situations like release managers backporting fixes to other branches without review are common.

Much discussion ensued about the possibility of altering workflows (including pull request reviews), identity verification, and the importance of post-incident action plans. Guido van Rossum suggested a "higher bar" for granting write access, but in the end "Overall it was clear there is more discussion and work to be done in this rapidly changing area."

In another talk, Hugo van Kemenade, the newly announced Release Manager for Python 3.14 and 3.15, "started the Language Summit with a proposal to change Python's versioning scheme. The perception of Python using semantic versioning is a source of confusion for users who don't expect backwards incompatible changes when upgrading to new versions of Python. In reality almost all new feature releases of Python include backwards incompatible changes such as the removal of "dead batteries" where PEP 594 marked 19 modules for removal in Python 3.13. Calendar Versioning (CalVer) encompasses a wide array of different versioning schemes that have one property in common: using the release date as part of a release's version... Hugo offered multiple proposed versioning schemes, including:

- Using the release year as minor version (3.YY.micro, "3.26.0")
- Using the release year as major version (YY.0.micro, "26.0.0")
- Using the release year and month as major and minor version (YY.MM.micro, "26.10.0")

[...] Overall the proposal to use the current year as the minor version was well-received, Hugo mentioned that he'd be drafting up a PEP for this change.

NASA

Voyager 1 Returns To Normal Science Operations (theregister.com) 44

wgoodman shares a report from The Register: NASA's Voyager 1 spacecraft is back in action and conducting normal science operations for the first time since the veteran probe began spouting gibberish at the end of 2023. All four of the spacecraft's remaining operational instruments are now returning usable data to Earth, according to NASA. Some additional work is needed to tidy up the effects of the issue. Engineers need to resynchronize the timekeeping software of Voyager 1's three onboard computers to ensure that commands are executed at the correct times. Maintenance will also be performed on the digital tape recorder, which records some data from the plasma instrument for a six-monthly downlink to Earth.

Voyager 1's woes began in November 2023, when the spacecraft stopped transmitting usable data back to Earth. Rather than engineering and science data, NASA found itself faced with a repeating pattern of ones and zeroes, as though the spacecraft was somehow stalled. Engineers reckoned the issue lay with the Flight Data System (FDS) and in March sent a command -- dubbed a "poke" -- to get the FDS to try some other software sequences and thus circumvent whatever was causing the problem. The result was a complete memory dump from the computer, which allowed engineers to pinpoint where the corruption had occurred. It appeared that a single chip was malfunctioning, and engineers were faced with the challenge of devising a software update that would work around the defective hardware.

Usable engineering data began to be returned later in April, and in May the mission team sent commands to instruct the probe to keep science data flowing. The result was that the plasma wave subsystem and magnetometer instrument began sending data immediately. According to NASA, the cosmic ray subsystem and low energy charged particle instrument required a little more tweaking but are now operational. The rescue was made all the more impressive by the fact that it takes 22.5 hours for a command to reach Voyager 1 and another 22.5 hours for a response to be received on Earth.

Space

Blue Origin Joins SpaceX, ULA In Winning Bids For $5.6 Billion Pentagon Rocket Program (cnbc.com) 22

The Pentagon announced the first winners of its $5.6 billion National Security Space Launch program, with Jeff Bezos' Blue Origin securing a spot for the first time alongside Elon Musk's SpaceX and United Launch Alliance (ULA). These companies will compete for contracts through mid-2029 under the program's Phase 3, which is expected to include 90 rocket launch orders. CNBC reports: Under the program, known as NSSL Phase 3 Lane 1, the trio of companies will be eligible to compete for contracts through mid-2029. ULA and SpaceX have already been competing for contracts under the previous Phase 2 edition of NSSL: In total, over five years of Phase 2 launch orders, the military assigned ULA with 26 missions worth $3.1 billion, while SpaceX got 22 missions worth $2.5 billion. Blue Origin, as well as Northrop Grumman, missed out on Phase 2 when the Pentagon selected ULA and SpaceX for the program in August 2020. But with Phase 3, the U.S. military is raising the stakes -- and widening the field -- on a high-profile competition for Space Force mission contracts. Phase 3 is expected to see 90 rocket launch orders in total, with a split approach of categories Lane 1 and Lane 2 to allow even more companies to bid.
The Courts

Google Loses Bid To End US Antitrust Case Over Digital Advertising (reuters.com) 2

An anonymous reader quotes a report from Reuters: Alphabet's Google must face trial on U.S. antitrust enforcers' claim that the internet search juggernaut illegally dominates the online advertising technology market, a federal judge ruled on Friday. U.S. District Judge Leonie Brinkema in Alexandria, Virginia, denied Google's motion during a hearing, according to court records. Google had argued for a win without a trial, saying that antitrust laws do not block companies from refusing to deal with rivals and that regulators had not accurately defined the ad tech market. Court papers did not specify what reasons the judge provided at the hearing. Motions like the one Google filed are only granted where a judge determines there is no factual dispute to send to trial. Last year, the U.S. Justice department and eight states sued Google, calling for the break up of the search giant's ad-technology business over alleged illegal monopolization of the digital advertising market.
AI

GPT-4 Has Passed the Turing Test, Researchers Claim 108

Drew Turney reports via Live Science: The "Turing test," first proposed as "the imitation game" by computer scientist Alan Turing in 1950, judges whether a machine's ability to show intelligence is indistinguishable from a human. For a machine to pass the Turing test, it must be able to talk to somebody and fool them into thinking it is human. Scientists decided to replicate this test by asking 500 people to speak with four respondents, including a human and the 1960s-era AI program ELIZA as well as both GPT-3.5 and GPT-4, the AI that powers ChatGPT. The conversations lasted five minutes -- after which participants had to say whether they believed they were talking to a human or an AI. In the study, published May 9 to the pre-print arXiv server, the scientists found that participants judged GPT-4 to be human 54% of the time.

ELIZA, a system pre-programmed with responses but with no large language model (LLM) or neural network architecture, was judged to be human just 22% of the time. GPT-3.5 scored 50% while the human participant scored 67%. "Machines can confabulate, mashing together plausible ex-post-facto justifications for things, as humans do," Nell Watson, an AI researcher at the Institute of Electrical and Electronics Engineers (IEEE), told Live Science. "They can be subject to cognitive biases, bamboozled and manipulated, and are becoming increasingly deceptive. All these elements mean human-like foibles and quirks are being expressed in AI systems, which makes them more human-like than previous approaches that had little more than a list of canned responses."
Further reading: 1960s Chatbot ELIZA Beat OpenAI's GPT-3.5 In a Recent Turing Test Study
Power

Electricity Bills Forecasted To Climb With Summer Heat (theverge.com) 76

The Energy Information Administration (EIA) expects Americans' monthly electricity bills to average $173 between June through August, compared to $168 last summer. "The slight bump in costs comes from consumers cranking up their air conditioning more to cope with a warmer season than last year," writes The Verge's Justine Calma. "Bills would have jumped higher, if not for lower residential electricity prices helping to balance out some of the increased energy use from air conditioning." From the report: Some regions are likely to be harder hit by the weather than others. Because of heat and humidity along the Gulf Coast, residents in Southern states typically use the most electricity in the summer to cool their homes. The Pacific Coast, meanwhile, faces the biggest potential percentage increase in retail electricity prices in the nation -- a 7 percent jump since last year. Wholesale electricity costs there have risen since 2022, in part because of a heat and drought-induced shortfall in hydroelectricity generation. Households along the Pacific could see their electricity bills go up an average of $11 per month this summer, according to the EIA.

To be sure, the EIA says that weather is "the main source of uncertainty" in its forecasts for folks' utility bills. If this summer winds up being hotter than expected, households could wind up paying even more. Residential electricity use typically peaks in the summer for most of the US because of air conditioning. Extreme heat can even trigger power outages if demand suddenly rises too sharply. California, the Southwest, the Midwest, Texas, and New England are at "elevated risk" of electricity supply shortages during any extreme weather this summer, according to an assessment (PDF) by the North American Electric Reliability Corporation.

Security

Ransomware Attackers Quickly Weaponize PHP Vulnerability With 9.8 Severity Rating (arstechnica.com) 20

A critical vulnerability in the PHP programming language (CVE-2024-4577) has been exploited by ransomware criminals, leading to the infection of up to 1,800 servers primarily in China with the TellYouThePass ransomware. This vulnerability, which affects PHP when run in CGI mode, allows attackers to execute malicious code on web servers. Ars Technica's Dan Goodin reports: As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, down from 1,800 detected on Monday. The servers, primarily located in China, no longer display their usual content; instead, many list the site's file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 in exchange for the decryption key. The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn't set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale -- used to personalize the OS to the local language of the user -- must be set to either Chinese or Japanese. The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicated an approach known as living off the land, in which attackers use native OS functionalities and tools in an attempt to blend in with normal, non-malicious activity.

In a post published Friday, Censys researchers said that the exploitation by the TellYouThePass gang started on June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to China, Taiwan, Hong Kong, or Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said in an email. Since then, the number of infected sites -- detected by observing the public-facing HTTP response serving an open directory listing showing the server's filesystem, along with the distinctive file-naming convention of the ransom note -- has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday. Censys researchers said in an email that they're not entirely sure what's causing the changing numbers.

Slashdot Top Deals