Security

Malware Campaign Impersonates VC Firm Looking To Buy Sites (arstechnica.com)

BleepingComputer was recently contacted by an alleged "venture capitalist" firm that wanted to invest or purchase our site. However, as we later discovered, this was a malicious campaign designed to install malware that provides remote access to our devices. Lawrence Abrams from BleepingComputer writes: Last week, BleepingComputer received an email to our contact form from an IP address belonging to a United Kingdom virtual server company. Writing about cybersecurity for so long, I am paranoid regarding email, messaging, and visiting unknown websites. So, I immediately grew suspicious of the email, fired up a virtual machine and VPN, and did a search for Vuxner. Google showed only a few results for 'Vuxner,' with one being for a well-designed and legitimate-looking vuxner[.]com, a site promoting "Vuxner Chat -- Next level of privacy with free instant messaging." As this appeared to be the "Vuxner chat" the threat actors referenced in their email, BleepingComputer attempted to download it and run it on a virtual machine.

BleepingComputer found that the VuxnerChat.exe download [VirusTotal] actually installs the "Trillian" messaging app and then downloads further malware onto the computer after Trillian finishes installing. As this type of campaign looked similar to other campaigns that have pushed remote access and password-stealing trojans in the past, BleepingComputer reached out to cybersecurity firm Cluster25, which has helped BleepingComputer diagnose similar malware attacks before. Cluster25 researchers explain in a report coordinated with BleepingComputer that vuxner[.]com is hosted behind Cloudflare; however, they could still determine the hosting server's actual address at 86.104.15[.]123.

The researchers state that the Vuxner Chat program is being used as a decoy for installing a remote desktop software known as RuRAT, which is used as a remote access trojan. Once a user installs the Vuxner Trillian client and exits the installer, it will download and execute a Setup.exe executable [VirusTotal] from https://vuxner[.]com/setup.exe. When done, the victim will be left with a C:\swrbldin folder filled with a variety of batch files, VBS scripts, and other files used to install RuRAT on the device. Cluster25 told BleepingComputer that the threat actors are using this attack to gain initial access to a device and then take control over the host. Once they control the host, they can search for credentials and sensitive data or use the device as a launchpad to spread laterally in a network.

Security

Russian Cybersecurity Giant Kaspersky Tries To Maintain Neutrality During Ukraine War (vice.com)

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: Around the same time Russian forces launched a massive rocket into a square in Kharkiv, Ukraine's second-largest city, killing and wounding an as-yet-unknown number of people, Eugene Kaspersky, head of his namesake Russian cybersecurity firm, tweeted that he hoped negotiations between Ukraine and Russia would lead to "a compromise." The statement encapsulates the company's position since Russia invaded Ukraine six days ago -- that of attempted neutrality in a war where silence or fence-sitting is implicitly siding with the Russian forces. In another statement to Motherboard sent on Monday, the company said "As a technology and cybersecurity service provider the company is not in a position to comment or speculate on geopolitical developments outside of its area of expertise."

Kaspersky is one of the best-known Russian companies, and for years its antivirus product has been among the most used in the world. The antivirus software also harvests telemetry data for Kaspersky's researchers, who can then use that to identify and counter new threats. Its researchers are some of the best in the world, with its Global Research & Analysis Team (GReAT) regularly publishing leading research on various government malware operations. Famously, the company first revealed details of a U.S. government hacking group that it dubbed Equation Group. Kaspersky has also researched suspected Russian government-linked hackers. Eugene's tweet also brings something else to the surface again: how much is Kaspersky, the company, influenced by the Russian government, even if indirectly? As a Russian firm operating in Moscow under Russian laws, it may feel the need to toe the line on Russian issues.

Kaspersky's company statement on Monday added that "Kaspersky is focused on its mission to build a safer world. For 25 years, the company has delivered deep threat intelligence and security expertise that is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. Kaspersky's business operations remain stable. The company guarantees the fulfillment of its obligations to partners and customers -- including product delivery and support and financial transaction continuity. The global management team is monitoring the situation carefully and is ready to act very quickly if needed." Kaspersky may not currently feel it is in a position to speculate or take a position on the invasion of Ukraine. But with a 40-mile-long Russian military convoy making its way to Kyiv, and with the prospect of more cyberattacks playing a role in the invasion, Kaspersky may need to take a side.

Security

Nvidia Allegedly Hacks Hackers Who Stole Company's Data (tomshardware.com)

According to Vx-underground on Twitter, Nvidia has reportedly retaliated against the hacker group that stole over 1TB of the company's data by sneaking back into the hackers' system and encrypting the stolen data. Tom's Hardware reports: LAPSU$, an extortion group in South America, had illegally tapped into Nvidia's mailing server and installed malware on the software distribution server. As a result, the hacker group purportedly extracted over 1TB of Nvidia's data. However, it's unknown what kind of data the hackers had stolen, whether Nvidia's or its clients' data. It would seem that Nvidia has identified the attackers. According to Vx-underground's Twitter post and backed by screenshots, the chipmaker has infected the perpetrators' system with ransomware and encrypted the stolen data in response to the attack. The group claimed that it had a backup of the data, though.

China

New Chinese Hacking Tool Found, Spurring US Warning To Allies (reuters.com)

Security researchers with U.S. cybersecurity firm Symantec said they have discovered a "highly sophisticated" Chinese hacking tool that has been able to escape public attention for more than a decade. Reuters reports: The discovery was shared with the U.S. government in recent months, which has shared the information with foreign partners, said a U.S. official. Symantec, a division of chipmaker Broadcom, published its research about the tool, which it calls Daxin, on Monday. "It's something we haven't seen before," said Clayton Romans, associate director with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "This is the exact type of information we're hoping to receive."

CISA highlighted Symantec's membership in a joint public-private cybersecurity information sharing partnership, known as the JCDC, alongside the new research paper. The JCDC, or Joint Cyber Defense Collaborative, is a collective of government defense agencies, including the FBI and National Security Agency, and 22 U.S. technology companies that share intelligence about active cyberattacks with one another. Symantec's attribution to China is based on instances where components of Daxin were combined with other known, Chinese-linked computer hacker infrastructure or cyberattacks, said Vikram Thakur, a technical director with Symantec. [...] "Daxin can be controlled from anywhere in the world once a computer is actually infected," said Thakur. "That's what raises the bar from malware that we see coming out of groups operating from China."

Security

Ukraine Calls on Hacker Underground To Defend Against Russia (reuters.com)

The government of Ukraine is asking for volunteers from the country's hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according to two people involved in the project. From a report: As Russian forces attacked cities across Ukraine, requests for volunteers began to appear on hacker forums on Thursday morning, as many residents fled the capital Kyiv. "Ukrainian cybercommunity! It's time to get involved in the cyber defense of our country," the post read, asking hackers and cybersecurity experts to submit an application via Google Docs, listing their specialties, such as malware development, and professional references. Yegor Aushev, co-founder of a cybersecurity company in Kyiv, told Reuters he wrote the post at the request of a senior Defense Ministry official who contacted him on Thursday. Aushev's firm Cyber Unit Technologies is known for working with Ukraine's government on the defense of critical infrastructure. Another person directly involved in the effort confirmed that the request came from the Defense Ministry on Thursday morning. Further reading: Washington steels for Russian cyberattacks.

Security

Utility Promising To Restore Mining Performance on Nvidia GPUs Actually Malware (web3isgoinggreat.com)

Web3 is Going Great reports: The popular Tom's Hardware and PC Gamer websites both ran articles about a utility called "Nvidia RTX LHR v2 Unlocker", which claimed to increase the artificially limited cryptocurrency mining performance of Nvidia's RTX graphics cards. These graphics cards are shipped with performance-limiting software to reduce the GPUs' attractiveness to cryptocurrency miners, whose thirst for GPUs has made it difficult and expensive for gamers and various others to acquire the hardware. Unfortunately, both publications had to run a second article just a day later to warn their readers away from the software they had just advertised.

China

Chinese Cybersecurity Company Doxes Apparent NSA Hacking Operation (vice.com)

An anonymous reader quotes a report from Motherboard: A Chinese cybersecurity company accused the NSA of being behind a hacking tool used for ten years in a report published on Wednesday. The report from Pangu Lab delves into malware that its researchers first encountered in 2013 during an investigation into a hack against "a key domestic department." At the time, the researchers couldn't figure out who was behind the hack, but then, thanks to leaked NSA data about the hacking group Equation Group -- widely believed to be the NSA -- released by the mysterious group Shadow Brokers and by the German magazine Der Spiegel, they connected the dots and realized it was made by the NSA, according to the report.

"The Equation Group is the world's leading cyber-attack group and is generally believed to be affiliated with the National Security Agency of the United States. Judging from the attack tools related to the organization, including Bvp47, Equation Group is indeed a first-class hacking group," the report read, referring to the name of the tool the researchers found. "The tool is well-designed, powerful, and widely adapted. Its network attack capability equipped by 0day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort. The Equation Group is in a dominant position in national-level cyberspace confrontation."
Further Reading: Anatomy of Top-Tier Suspected NSA Backdoor Code (The Register)

Security

Linux Malware Attacks are Increasing, and Businesses Aren't Ready (zdnet.com)

ZDNet reports: Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity — and many organisations are leaving themselves open to attacks because Linux infrastructure is misconfigured or poorly managed. Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there's also a lack of focus on managing and detecting threats against them.

This comes after an increase in enterprises relying on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments. That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed by the research paper, including ransomware and cryptojacking attacks tailored to target Linux servers in environments that might not be as strictly monitored as those running Windows. These attacks are designed for maximum impact, as the cyber criminals look to compromise as much of the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key.

The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments, enabling the attackers to simultaneously encrypt vast swathes of the network and make incident response more difficult. The attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they're not paid a ransom.... Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine for cryptocurrency....

Many of the cyberattacks targeting Linux environments are still relatively unsophisticated when compared with equivalent attacks targeting Windows systems — that means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented. That includes cybersecurity hygiene procedures such as ensuring default passwords aren't in use and avoiding sharing one account across multiple users.

Crime

'A Hacker Group Has Been Framing People for Crimes They Didn't Commit' (gizmodo.com)

A "shadowy hacker group" named Modified Elephant has been targeting people throughout India "for at least a decade," reports Gizmodo, "sometimes using its digital powers to plant fabricated evidence of criminal activity on their devices. That phony evidence has, in turn, often provided a pretext for the victims' arrest."

They cite a new report from cybersecurity firm SentinelOne "illuminating the way in which its digital dirty tricks have been used to surveil and target 'human rights activists, human rights defenders, academics, and lawyers' throughout India." The most prominent case involving Elephant centers around Maoist activist Rona Wilson and a group of his associates who, in 2018, were arrested by Indian security services and accused of plotting to overthrow the government. Evidence for the supposed plot — including a Word document detailing plans to assassinate the nation's prime minister, Narendra Modi — was found on Wilson's laptop. However, later forensic analysis of the device showed that the documents were actually fake and had been artificially planted using malware. According to Sentinel researchers, it was Elephant that put them there.

This case, which gained greater exposure after being covered by the Washington Post, was blown open after the aforementioned laptop was analyzed by a digital forensics firm, Boston-based Arsenal Consulting. Arsenal ultimately concluded that Wilson and all of his so-called co-conspirators, as well as many other activists, had been targeted with digital manipulation....

According to SentinelOne's report, Elephant uses common hacking tools and techniques to gain a foothold in victims' computers. Phishing emails, typically tailored to the victim's interests, are loaded with malicious documents that contain commercially available remote access tools (RATs) — easy-to-use programs available on the dark web that can hijack computers....

An entirely different group is believed to have conducted similar operations against Baris Pehlivan, a journalist in Turkey who was incarcerated for 19 months in 2016 after the Turkish government accused him of terrorism. Digital forensics later revealed that the documents used to justify Pehlivan's charges had been artificially implanted, much like those on Wilson's laptop.

Windows

Beware Fake Windows 11 Upgrade Installers Bringing RedLine Malware (bleepingcomputer.com)

Slashdot reader joshuark writes: Beware: fake Windows 11 upgrades install RedLine malware, reports Bleeping Computer.

"Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware." Bleeping Computer advises, "...these dangerous sites are promoted via forum and social media posts or instant messages, so don't trust anything but the official Windows upgrade system alerts."

Bleeping Computer points out that hardware incompatibilities rule out upgrades for many Windows 10 users from official distribution channels — "something that malware operators see as an excellent opportunity for finding new victims." The timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation's success. RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.

According to researchers at HP, who have spotted this campaign, the actors used the seemingly legitimate "windows-upgraded[.]com" domain for the malware distribution part of their campaign. The site appears like a genuine Microsoft site and, if the visitor clicked on the 'Download Now' button, they received a 1.5 MB ZIP archive named "Windows11InstallationAssistant.zip," fetched directly from a Discord CDN...

Although the distribution site is down now, nothing stops the actors from setting up a new domain and restarting their campaign. In fact, this is very likely already happening in the wild.

Security

Hundreds of E-Commerce Sites Booby-Trapped With Payment Card-Skimming Malware (arstechnica.com)

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase. A report published on Tuesday is only the latest one involving Magecart, an umbrella term given to competing crime groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When visitors enter payment card details during purchase, the code sends that information to attacker-controlled servers.

Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com. "The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form," the firm's researchers wrote on Twitter. "Payments are sent to https://naturalfreshmall[.]com/p...." The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.

Sansec worked with the admins of hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. [...] It's not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post was going live, Bedexpress[.]com continued to contain this HTML attribute, which pulls JavaScript from the rogue naturalfreshmall[.]com domain. The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this deprecated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1 using either DIY software from the OpenMage project or with commercial support from Mage-One.

Microsoft

Microsoft To Block Internet Macros By Default in Five Office Applications (therecord.media)

In one of the most impactful changes made in recent years, Microsoft has announced today that it will block by default the execution of VBA macro scripts inside five Office applications. From a report: Starting in early April 2022, Access, Excel, PowerPoint, Visio, and Word users will not be able to enable macro scripts inside untrusted documents that they downloaded from the internet. The change, which security researchers have been requesting for years, is expected to put up a serious roadblock for malware gangs, which have relied on tricking users into enabling the execution of a macro script as a way to install malware on their systems. In these attacks, users typically receive a document via email or are instructed to download one from a website. When they open the file, the attacker typically leaves a message instructing the user to enable the execution of the macro script. While users with some technical and cybersecurity knowledge may be able to recognize this as a lure to get infected with malware, many day-to-day Office users are still unaware of this technique and end up following the provided instructions, effectively infecting themselves with malware.

Security

Npm Enrolls Top 100 Package Maintainers Into Mandatory 2FA (therecord.media)

The administrators of the Node Package Manager (npm), the largest package repository of the JavaScript ecosystem, said they enrolled the maintainers of the top 100 most popular libraries (based on the number of dependencies) into their mandatory two-factor authentication (2FA) procedure. From a report: npm, which is owned by GitHub, enforced this new security requirement starting yesterday, February 1, 2022. "Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects," the GitHub security team said in a blog post. The move represents the second phase of a major push from the npm team to secure developer accounts, which have been getting hijacked in recent years and used to push malware inside legitimate JavaScript libraries. In many cases, the accounts are hacked because project maintainers use simple-to-guess passwords or reused passwords that were previously leaked via breaches at other companies. The first phase of this process took place between December 7, 2021, and January 4, 2022, when the npm team rolled out a new feature called "enhanced login verification" for all npm package maintainers.

AI

O'Reilly Reports Increasing Interest in Cybersecurity, AI, Go, Rust, and C++ (oreilly.com)

"Focus on the horse race and the flashy news and you'll miss the real stories," argues Mike Loukides, the content strategy VP at O'Reilly Media. So instead he shares trends observed on O'Reilly's learning platform in the first nine months of 2021: While new technologies may appear on the scene suddenly, the long, slow process of making things that work rarely attracts as much attention. We start with an explosion of fantastic achievements that seem like science fiction — imagine, GPT-3 can write stories! — but that burst of activity is followed by the process of putting that science fiction into production, of turning it into real products that work reliably, consistently, and fairly. AI is making that transition now; we can see it in our data. But what other transitions are in progress...?

Important signals often appear in technologies that have been fairly stable. For example, interest in security, after being steady for a few years, has suddenly jumped up, partly due to some spectacular ransomware attacks. What's important for us isn't the newsworthy attacks but the concomitant surge of interest in security practices — in protecting personal and corporate assets against criminal attackers. That surge is belated but healthy.... Usage of content about ransomware has almost tripled (270% increase). Content about privacy is up 90%; threat modeling is up 58%; identity is up 50%; application security is up 45%; malware is up 34%; and zero trust is up 23%. Safety of the supply chain isn't yet appearing as a security topic, but usage of content about supply chain management has seen a healthy 30% increase....

Another important sign is that usage of content about compliance and governance was significantly up (30% and 35%, respectively). This kind of content is frequently a hard sell to a technical audience, but that may be changing.... This increase points to a growing sense that the technology industry has gotten a regulatory free ride and that free ride is coming to an end. Whether it's stockholders, users, or government agencies who demand accountability, enterprises will be held accountable. Our data shows that they're getting the message.

According to a study by UC Berkeley's School of Information, cybersecurity salaries have crept slightly ahead of programmer salaries in most states, suggesting increased demand for security professionals. And an increase in demand suggests the need for training materials to prepare people to supply that demand. We saw that play out on our platform....

C++ has grown significantly (13%) in the past year, with usage that is roughly twice C's. (Usage of content about C is essentially flat, down 3%.) We know that C++ dominates game programming, but we suspect that it's also coming to dominate embedded systems, which is really just a more formal way to say "internet of things." We also suspect (but don't know) that C++ is becoming more widely used to develop microservices. On the other hand, while C has traditionally been the language of tool developers (all of the Unix and Linux utilities are written in C), that role may have moved on to newer languages like Go and Rust. Go and Rust continue to grow. Usage of content about Go is up 23% since last year, and Rust is up 31%. This growth continues a trend that we noticed last year, when Go was up 16% and Rust was up 94%....

Both Rust and Go are here to stay. Rust reflects significantly new ways of thinking about memory management and concurrency. And in addition to providing a clean and relatively simple model for concurrency, Go represents a turn from languages that have become increasingly complex with every new release.

Other highlights from their report:
  • "Quantum computing remains a topic of interest. Units viewed is still small, but year-over-year growth is 39%. That's not bad for a technology that, honestly, hasn't been invented yet...."
  • "Whether it's the future of finance or history's biggest Ponzi scheme, use of content about cryptocurrency is up 271%, with content about the cryptocurrencies Bitcoin and Ethereum (ether) up 166% and 185% respectively...."
  • "Use of JavaScript content on our platform is surprisingly low — though use of content on TypeScript (a version of JavaScript with optional static typing) is up.... Even with 19% growth, TypeScript has a ways to go before it catches up; TypeScript content usage is roughly a quarter of JavaScript's..."
  • "Python, Java, and JavaScript are still the leaders, with Java up 4%, Python down 6%, and JavaScript down 3%...."
  • "Finally, look at the units viewed for Linux: it's second only to Kubernetes. While down very slightly in 2021, we don't believe that's significant. Linux has long been the most widely used server operating system, and it's not ceding that top spot soon."

Android

Android Malware BRATA Wipes Your Device After Stealing Data (bleepingcomputer.com)

The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity. BleepingComputer reports: BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users. In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was seen targeting e-banking users and stealing their credentials with the involvement of fraudsters posing as bank customer support agents. Analysts at Cleafy continued to monitor BRATA for new features, and in a new report published today, illustrate how the malware continues to evolve.

The latest versions of the BRATA malware now target e-banking users in the UK, Poland, Italy, Spain, China, and Latin America. Each variant focuses on different banks with dedicated overlay sets, languages, and even different apps to target specific audiences. The authors use similar obfuscation techniques in all versions, such as wrapping the APK file into an encrypted JAR or DEX package. This obfuscation successfully bypasses antivirus detections [...]. On that front, BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.

The best way to avoid being infected by Android malware is to install apps from the Google Play Store, avoid APKs from shady websites, and always scan them with an AV tool before opening. During installation, pay close attention to the requested permissions and avoid granting any that appear unnecessary for the app's core functionality. Finally, monitor battery consumption and network traffic volumes to identify any inexplicable spikes that may be attributed to malicious processes running in the background.

Security

Booby-trapped Sites Delivered Potent New Backdoor Trojan To macOS Users (arstechnica.com)

Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website. From a report: The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include: victim device fingerprinting, screen capture, file download/upload, execution of terminal commands, audio recording, and keylogging. Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy -- as well as the exploit chain used to install it -- is impressive. It also doesn't appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual. "First, they seem to be targeting Macs only," Eset researcher Marc-Etienne M.Léveillé wrote in an email. "We haven't seen payloads for Windows nor clues that it would exist. Secondly, they have the resources to develop complex exploits and their own spying malware, which is quite significant."
Security

New MoonBounce UEFI Bootkit Can't Be Removed by Replacing the Hard Drive (therecord.media) 105

Security researchers from Kaspersky said they have discovered a novel bootkit that can infect a computer's UEFI firmware. From a report: What makes MoonBounce -- the name they gave the bootkit -- special is the fact that the malware doesn't burrow and hide inside a section of the hard drive named ESP (EFI System Partition), where some UEFI code typically resides, but instead it infects the SPI flash memory that is found on the motherboard. This means that, unlike similar bootkits, defenders can't get rid of it by reinstalling the operating system and replacing the hard drive, as the bootkit will continue to remain on the infected device until the SPI memory is re-flashed (a very complex process) or the motherboard is replaced. According to Kaspersky, MoonBounce marks the third UEFI bootkit they have seen so far that can infect and live inside the SPI memory, following previous cases such as LoJax and MosaicRegressor. Furthermore, MoonBounce's discovery comes after researchers have also found additional UEFI bootkits in recent months, such as ESPectre, FinSpy's UEFI bootkit, and others, which has led the Kaspersky team to conclude that what was once considered unachievable following the rollout of the UEFI standard has gradually become the norm.

Privacy

Supply Chain Attack Used Legitimate WordPress Add-Ons To Backdoor Sites (arstechnica.com) 16

An anonymous reader quotes a report from Ars Technica: Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on "quite a few" sites running the open source content management system. The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from Jetpack, the maker of security software owned by Automattic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean. "Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites," Ben Martin, a researcher with Web security firm Sucuri, wrote in a separate analysis of the backdoor.

The Jetpack post said evidence indicates that the supply chain attack on AccessPress Themes was performed in September. Martin, however, said evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess is that the people behind the backdoor were selling access to infected sites to people pushing web spam and malware. He wrote, "[...] it seems that the malware that we've found associated with this backdoor is more of the same: spam, and redirects to malware and scam sites." The Jetpack post provides full names and versions of the infected AccessPress software. Anyone running a WordPress site with this company's offerings should carefully inspect their systems to ensure they're not running a backdoored instance. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.

Security

Linux Malware Sees 35% Growth During 2021 (bleepingcomputer.com) 71

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for DDoS (distributed denial of service) attacks. BleepingComputer reports: A Crowdstrike report looking into the attack data from 2021 summarizes the following:

- In 2021, there was a 35% rise in malware targeting Linux systems compared to 2020.
- XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all Linux-targeting malware attacks observed in 2021.
- Mozi, in particular, had explosive growth in its activity, with ten times more samples circulating in the wild the year that passed compared to the previous one.
- XorDDoS also had a notable year-over-year increase of 123%.
[...]
The CrowdStrike findings aren't surprising as they confirm an ongoing trend that emerged in previous years. For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year. In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms. This programming trend, and by extension targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

Microsoft

Microsoft Detects Lurking Malware On Ukrainian Computers (bdnews24.com) 42

"Microsoft warned on Saturday evening that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine," reports the New York Times, "that appeared to be waiting to be triggered by an unknown actor...."

The Times reports that the malware "bears some resemblance" to NotPetya, the widespread 2017 malware which "American intelligence officials later traced to Russian actors."

The discovery comes in the midst of what the Times earlier called "the security crisis Russia has ignited in Eastern Europe by surrounding Ukraine on three sides with 100,000 troops and then, by the White House's accounting, sending in saboteurs to create a pretext for invasion."

Long-time Slashdot reader 14erCleaner shares the Times' latest report: In a blog post, [Microsoft] said that on Thursday — around the same time government agencies in Ukraine found that their websites had been defaced — investigators who watch over Microsoft's global networks detected the code. "These systems span multiple government, nonprofit and information technology organizations, all based in Ukraine," Microsoft said.... The code appears to have been deployed around the time that Russian diplomats, after three days of meetings with the United States and NATO over the massing of Russian troops at the Ukrainian border, declared that the talks had essentially hit a dead end....

Microsoft said that it could not yet identify the group behind the intrusion, but that it did not appear to be an attacker that its investigators had seen before. The code, as described by the company's investigators, is meant to look like ransomware — it freezes up all computer functions and data, and demands a payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage, not raise cash.

It is possible that the destructive software has not spread too widely and that Microsoft's disclosure will make it harder for the attack to metastasize. But it is also possible that the attackers will now launch the malware and try to destroy as many computers and networks as possible.... Warnings like the one from Microsoft can help abort an attack before it happens, if computer users look to root out the malware before it is activated. But it can also be risky. Exposure changes the calculus for the perpetrator, who, once discovered, may have nothing to lose in launching the attack, to see what destruction it wreaks.

So far there is no evidence that the destructive malware has been unleashed by the hackers who placed it in the Ukrainian systems....

The new attack would wipe hard drives clean and destroy files. Some defense experts have said such an attack could be a prelude to a ground invasion by Russia. Others think it could substitute for an invasion, if the attackers believed a cyberstrike would not prompt the kind of financial and technological sanctions that [U.S. President] Biden has vowed to impose in response.

Ukraine's Ministry of Digital Development issued a statement that "All evidence indicates that Russia is behind the cyberattack. Moscow continues to wage a hybrid war and is actively building up its forces in the information and cyberspaces." While the Associated Press reported the statement, the Times notes that the ministry provided no evidence, "and early attribution of attacks is frequently wrong or incomplete."

But the Times also cites U.S. national security adviser Jake Sullivan as saying "If it turns out that Russia is pummeling Ukraine with cyberattacks, and if that continues over the period ahead, we will work with our allies on the appropriate response."
