
Submission: LockBit plans comeback with 4.0 release (thecyberexpress.com)

storagedude writes: LockBit was the most active ransomware group until a massive global law enforcement action resulted in takedowns, arrests and source code and decryption key leaks.

Now the group plans a comeback, according to a Cyber Express article that cited Cyble threat researchers, with the launch of LockBit 4.0 coming in February.

“Want a lamborghini, ferrari and lots of girls?” LockBit’s announcement said. “Sign up and start your pentester billionaire journey in 5 minutes with us.”

Cyble researchers noted that “it is uncertain whether LockBit will regain traction, as the group has faced declining credibility amidst competition from other RaaS groups, such as RansomHub, which currently dominate the ransomware landscape.”

Submission: Did Russian Disinfo Influence U.S. Election? (thecyberexpress.com)

storagedude writes: Russian efforts to influence the U.S. election were brazen in 2024, and kicked into overdrive in the final days of the campaign. Given the myriad ways information is reported and amplified, it's difficult to establish a direct effect, but the data suggests a possible effect in Michigan, Wisconsin and some down-ballot races, according to an article by the Cyber Express.

From the article:

"And one place where anti-Harris actors leaned heavily was the ongoing Israel-Hamas war. Cyble researchers and others noted heavy efforts in recent days to paint Harris as a strong supporter of Israel who’s unlikely to support a ceasefire. That criticism may have caught on, even though Trump will likely be more pro-Israel – in addition to being less pro-Ukraine in its war with Russia.

"That disinformation campaign likely explains this bizarre data point from a Michigan exit poll: 'Former President Donald Trump won nearly 4-in-10 Michigan voters who believe the U.S. support for Israel has been ‘too strong.’'

"Disinformation campaigns targeting those favoring an end to Israel’s war in Gaza likely gave Trump more votes in targeted swing states than he may have otherwise received. Was it enough to swing the election? The slice of the Michigan electorate delivered to Trump because of that issue would have amounted to about 10% of the overall vote, but some of those voters may have had other reasons to vote for him. But in a battleground state that Trump is currently leading by 1.4% with 97% of the vote counted, it’s a very interesting data point.

"We’d also note that third-party votes – which may have cost Clinton the 2016 election – weren’t much of a factor in the 2024 presidential vote, with candidates like Green Party nominee Jill Stein generally getting around 0.5%. Only in razor-thin Wisconsin, where the candidates are currently separated by about 30,000 votes with 99% of the vote counted (and where Harris may also have run into trouble over support for Israel), could third-party protest votes have swung the election. Margins are bigger than the third-party vote in other swing states.

"However, third-party votes likely affected some close down-ballot races, most notably Democratic Senator Bob Casey.

"Disinformation, then, by itself may not have swung the election, but the issue of the effect of disinformation surrounding support for Israel deserves further study. As part of the larger machinery of disinformation – campaign distortions, social media, timid corporate media – disinformation campaigns from foreign actors like Russia may serve as a well-targeted amplifier.

"But according to Antibot4Navalny, an activist research group tracking Russian disinformation campaigns, a definitive study would be a difficult undertaking.

'Impact from disinfo is extremely hard to measure, and it definitely takes time and a dedicated, talented team to come to a compelling conclusion,' the group told The Cyber Express. On the scale of a U.S. national election, 'there should be multiple such teams.'"

Submission: Massive AI-Controlled X Disinformation Network Linked to China (thecyberexpress.com)

storagedude writes: Researchers have uncovered a network of at least 5,000 fake X accounts that appear to be controlled by AI in a disinformation campaign linked to China, and the activity appears to be heating up as the U.S. election approaches, according to a Cyber Express report.

The network, dubbed “Green Cicada” by the CyberCX researchers who discovered it, “primarily engages with divisive U.S. political issues and may plausibly be staged to interfere in the upcoming presidential election.”

The network “has also amplified hot-button political issues in other democracies,” including Australia, western Europe, India, Japan and other democratic countries.

The network appears to be controlled by a Chinese LLM, and its developers have been steadily improving operations over time, including reducing malformed outputs.

The researchers said their findings "indicate key gaps in X’s willingness and ability to detect inauthentic content. While we have observed X taking sporadic action against Green Cicada Network accounts during our period of monitoring, we have observed a failure to take systemic action against overtly linked accounts.

“We note that X has reversed initiatives put in place by Twitter to combat inauthentic activity, including efforts to detect, label and/or ban inauthentic accounts.”

Submission: CrowdStrike Outage Caused By 5-Month-Old Extraneous Input Parameter (thecyberexpress.com)

storagedude writes: CrowdStrike’s root cause analysis (RCA) of the massive Windows BSOD outage released today details an extraneous input parameter field that went unnoticed for 5 months until it was called by a July 19 update, resulting in an out-of-bounds memory read error that crashed 8.5 million machines around the globe, according to a Cyber Express article.

One interesting new revelation in the root cause report is that the initial cause of the error occurred back in February when CrowdStrike released sensor version 7.11, which included a new Template Type for Windows interprocess communication (IPC) mechanisms. IPC Template Instances are delivered as Rapid Response Content to sensors via a corresponding Channel File numbered 291.

The new IPC Template Type defined 21 input parameter fields, but the integration code that invoked the Content Interpreter with Channel File 291’s Template Instances supplied only 20 input values to match against. The parameter count mismatch “evaded multiple layers of build validation and testing,” CrowdStrike said in the new 12-page report, due in part to the use of wildcard matching criteria for the 21st input during testing and in the initial IPC Template Instances.

On July 19, two additional IPC Template Instances were deployed, one of which introduced a non-wildcard matching criterion for the 21st input parameter.

“These new Template Instances resulted in a new version of Channel File 291 that would now require the sensor to inspect the 21st input parameter,” CrowdStrike said. “Until this channel file was delivered to sensors, no IPC Template Instances in previous channel versions had made use of the 21st input parameter field. The Content Validator evaluated the new Template Instances, but based its assessment on the expectation that the IPC Template Type would be provided with 21 inputs.

“Sensors that received the new version of Channel File 291 carrying the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter. At the next IPC notification from the operating system, the new IPC Template Instances were evaluated, specifying a comparison against the 21st input value. The Content Interpreter expected only 20 values. Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash.”

CrowdStrike pledged a half-dozen changes in the wake of the global outage:

- Validating the number of input fields in the Template Type at sensor compile time
- Correcting for a runtime array bounds check that was missing for Content Interpreter input fields on Channel File 291
- Template Type testing covering a wider variety of matching criteria
- Template Instance validation expanding to include testing within the Content Interpreter
- Staged deployment for template instances, including customer control over rollout
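As an added illustration (not code from the Slashdot post, the article or CrowdStrike), a simplified C model of the field-count mismatch the RCA describes: a Template Type declaring 21 fields, an interpreter handed only 20 values, the wildcard that kept the read from happening in testing, and the runtime bounds check plus validator-side count check from the list of fixes. All function names, the struct and the sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

#define DECLARED_FIELDS 21   /* input fields the IPC Template Type defines */
#define SUPPLIED_FIELDS 20   /* values the integration code actually passes */
#define WILDCARD        -1   /* criterion that matches any value */

typedef struct { int criteria[DECLARED_FIELDS]; } template_instance;

/* Constructed sample event: the 20 values the sensor hands the interpreter. */
static const int sample_input[SUPPLIED_FIELDS] = {
    7, 3, 9, 1, 4, 4, 2, 8, 5, 6, 0, 1, 1, 2, 3, 5, 8, 13, 21, 34 };

/* Template with wildcards everywhere except the 21st criterion: WILDCARD
 * models the pre-July-19 content, a concrete value models the bad update. */
static template_instance make_template(int criterion_21) {
    template_instance t;
    for (size_t i = 0; i < DECLARED_FIELDS; i++) t.criteria[i] = WILDCARD;
    t.criteria[DECLARED_FIELDS - 1] = criterion_21;
    return t;
}

/* Unchecked interpreter: iterates the declared count and never learns how
 * long `input` is. A concrete 21st criterion would read input[20] on a
 * 20-element array (the RCA's out-of-bounds read); a wildcard skips the
 * read, which is why testing passed. Only called below with wildcards. */
static bool match_unchecked(const template_instance *t, const int *input) {
    for (size_t i = 0; i < DECLARED_FIELDS; i++) {
        if (t->criteria[i] == WILDCARD) continue;
        if (input[i] != t->criteria[i]) return false;
    }
    return true;
}

/* Hardened interpreter (the runtime bounds check the RCA says was missing):
 * carries the real input length and refuses to dereference past it. */
static bool match_checked(const template_instance *t, const int *input,
                          size_t input_len, bool *out_of_range) {
    *out_of_range = false;
    for (size_t i = 0; i < DECLARED_FIELDS; i++) {
        if (t->criteria[i] == WILDCARD) continue;
        if (i >= input_len) { *out_of_range = true; return false; }
        if (input[i] != t->criteria[i]) return false;
    }
    return true;
}

/* Validator-side check against the count the sensor really supplies rather
 * than the count the Template Type declares: concrete criteria on fields no
 * sensor will provide are counted so the content can be rejected pre-release. */
static int criteria_beyond_input(const template_instance *t, size_t input_len) {
    int n = 0;
    for (size_t i = input_len; i < DECLARED_FIELDS; i++)
        if (t->criteria[i] != WILDCARD) n++;
    return n;
}
```

The validator check is the one that would have caught the July 19 content before release: it compares against the 20 values actually supplied, not the 21 the Template Type declared.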

Submission: CrowdStrike, Delta, Shareholders and Asymmetry Make for Messy Security (thecyberexpress.com)

storagedude writes: It’s been two weeks since the global CrowdStrike outage crashed 8.5 million Windows machines, and the lawyers have taken over: Shareholders and Delta are suing CrowdStrike, while CrowdStrike is suing — wait for it — parody sites.

One undiscussed underlying cause of the outage and its extensive damage could be the “shareholder first” mentality that has dominated U.S. companies since the Reagan era, writes longtime Slashdot contributor Paul Shread in an article in The Cyber Express.

“The ‘shareholder first’ doctrine means that companies try to get by with minimal investment while pushing employees and productivity as much as possible,” Shread writes. “That creates fragile systems, and an incident like CrowdStrike-Microsoft-Delta shows just how fragile that chain is, when inadequate testing, a rushed update, a fragile operating system and inadequate recovery processes come together to create a $500 million loss. And that’s just one customer; total outage losses have been estimated at $15 billion by cyber insurer Parametrix.

“With the ‘shareholder first’ focus on maximum profitability, marketing gets ahead of the technology and companies overpromise and underdeliver, and lawyers are brought in to make sure the company can retain every advantage.

“So you get onerous terms and conditions like CrowdStrike’s, where damages are limited to refunds and you get curious language like the following that seems incongruent with a company that has carefully built a reputation as a supplier to organizations with high security needs (the caps are CrowdStrike’s):

“’THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure safe use of an Offering and the CrowdStrike Tools in such applications and installations.’

“CrowdStrike is hardly the only security vendor with terms like that, but it sure doesn’t give you confidence in the security of our critical infrastructure.

“One top industry official — Alex Stamos, SentinelOne’s new CISO — essentially accused CrowdStrike of negligence in a podcast earlier this week, and competitors like Fortinet and Sophos have been revealing how they handle kernel updates to reassure customers.

“But it’s fair to ask: How secure are our security tools? The answer is murky, in part because there are few industries that suffer from greater ‘information asymmetry’ than cybersecurity, where sellers know much more than buyers about how well these products actually work and there are no standards for efficacy.

“A Picus Security report published this week found that security tools miss an alarming number of attacks. While prevention effectiveness rose from 59% in the 2023 report to 69% in 2024, detection effectiveness, and alert scores in particular, dropped from 16% to 12%. ‘This means we are better at preventing some attacks, we are still struggling to detect them promptly,’ Picus said.”

Comment: I think this entire post is WRONG

The post seems like a complete misreading of this passage: "We can leverage the unique stack and attributes of this crash to identify the Windows crash reports generated by this specific CrowdStrike programming error. It’s worth noting the number of devices which generated crash reports is a subset of the number of impacted devices previously shared by Microsoft in our blog post, because crash reports are sampled and collected only from customers who choose to upload their crashes to Microsoft." If you look at the graphic below that, it shows 4 million devices - half the claimed 8.5 million total.

Submission: REvil Ransomware Trial Details Tesla Bribe Attempt as Russia Reduces Charges (thecyberexpress.com)

storagedude writes: The trial of eight members of the REvil ransomware group in Russia has been a bizarre display of reduced charges, a ruling that limited evidence, and claims of limited help from the U.S., according to a report by the Cyber Express.

REvil, along with the closely affiliated DarkSide, wreaked havoc on U.S. networks and critical infrastructure in 2021, including attacks on Colonial Pipeline, Kaseya, Apple supplier Quanta, and meat supplier JBS.

Only two of the defendants – alleged REvil leader Daniil Puzyrevsky and Ruslan Khansvoyarov – have been charged with anything resembling a ransomware crime: “creation and distribution of malicious programs by a group of persons by prior conspiracy, causing large-scale damage or committed for selfish purposes,” according to Izvestia.

The other six defendants face charges related to bank card theft.

Investigators found a record on Puzyrevsky’s computer with transactions from his Bitcoin wallet, which included a transfer dated May 9, 2021 for 63.7 BTC ($2.3 million), which was 85% of the ransom paid by Colonial Pipeline and was subsequently seized by the U.S. Justice Department.

One of the more interesting revelations to come from the case involved an attempted bribe of a Tesla engineer that led to an arrest in the case.

In the interrogations of witnesses in the case, Yegor Kryuchkov said that in the summer of 2020, Alexey Skorobogatov, who was close to the leaders of REvil, asked Kryuchkov if he had any friends working in large foreign companies. When Kryuchkov said he had an engineer friend at Tesla, REvil offered him $500,000 to hack the company.

Kryuchkov flew to the U.S. to meet with the engineer to convince him to introduce a malicious program into Tesla’s network, “or simply to open a letter sent to corporate mail with a Trojan virus,” said Izvestia.

Kryuchkov met with the Tesla engineer, who wanted $1 million for his efforts. The engineer alerted U.S. law enforcement, and Kryuchkov was arrested by the FBI. Kryuchkov served 10 months, then was deported to Russia to become a witness in the REvil case. Skorobogatov is not one of the defendants in the trial.

Comment: Re:Who is responsible?

The problem may be more that charging stations aren't a profitable business model, unless you can sell people a ton of snacks while they wait. Charging infrastructure will lead demand - at least that's the case for me, and it's not there yet in the places I'm watching - so seems like a good place for government investment.

Submission: Windows Recall Preview Remains Hackable as Google Develops Similar Feature (thecyberexpress.com)

storagedude writes: The latest version of Microsoft’s planned Windows Recall feature still contains data privacy and security vulnerabilities, according to a report by the Cyber Express.

Security researcher Kevin Beaumont – whose work started the backlash that resulted in Recall getting delayed last month – said the most recent preview version is still hackable by Alex Hagenah’s “TotalRecall” method “with the smallest of tweaks.”

The Windows screen recording feature could as yet be refined to fix security concerns, but some have spotted it recently in some versions of the Windows 11 24H2 release preview that will be officially released in the fall.

Google, meanwhile, is working on a similar feature, only with greater privacy controls that may be more appealing to data privacy and security advocates, according to an Android Authority report.

Submission: 10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com)

storagedude writes: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities — including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc.

E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device."

The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.”

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new 'Trunk’ server, which left 1,866 orphaned pods that owners never reclaimed.

While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started.

“Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code,” the E.V.A researchers said.
