Microsoft

Microsoft Disputes Severity of Four Zero-Day Vulnerabilities Found in Exchange by Trend Micro (bleepingcomputer.com) 26

"Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations," reports Bleeping Computer, citing disclosures Thursday from Trend Micro's Zero Day Initiative, who reported them to Microsoft on September 7th and 8th, 2023.

In an email to the site, a Microsoft spokesperson said customers who applied the August Security Updates are already protected from the first vulnerability, while the other three require attackers to have prior access to email credentials. (And for two of them no evidence was presented that they can be leveraged to gain elevation of privilege.)

"We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate."

From Bleeping Computer's report: ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks... All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5... It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs...

ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product. We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised.

Encryption

How the US is Preparing For a Post-Quantum World (msn.com) 45

To explore America's "transition to a post-quantum world," the Washington Post interviewed U.S. federal official Nick Polk, who is focused on national security issues including quantum computing and is also a senior advisor to a White House federal chief information security officer. The Washington Post: The U.S. is in the early stages of a major shift focused on bolstering government network defenses, pushing federal agencies to adopt a new encryption standard known as post-quantum cryptography that aims to prevent systems from being vulnerable to advanced decryption techniques enabled by quantum computers in the near future...

Nick Polk: We've been using asymmetric encryption for a very long time now, and it's been ubiquitous since about 2014, when the U.S. government and some of the large tech companies decided that they're going to make it a default on most web browsers... Interestingly enough, regarding the post-quantum cryptographic standards being developed, the only thing that's quantum about them is that it has "quantum" in the name. It's really just a different type of math that's much more difficult for a quantum computer to be able to reverse-engineer. The National Institute of Standards and Technology is looking at different mathematical models to cover all their bases. The interesting thing is that these post-quantum standards are actually being used to protect classical computers that we have now, like laptops...

Given the breadth of the U.S. government and the amount of computing power we use, we really see ourselves and our role as a steward of the tech ecosystem. One of the things that came out of [this week's Inside Quantum Technology conference in New York City] was that we are very quickly moving along with the private sector to migrate to post-quantum cryptography. I think you're gonna see very shortly a lot of very sensitive private sector industries start to migrate or start to advertise that they're going to migrate. Banks are a perfect example. That means meeting with vendors regularly, and testing their algorithms to ensure that we can accurately and effectively implement them on federal systems...

The administration and national security memorandum set 2035 as our deadline as a government to migrate our [national security] systems to post-quantum cryptography. That's supposed to time with the development of operational quantum computers. We need to ensure that we start now, so that we don't end up not meeting the deadline before computers are operational... This is a prioritized migration for the U.S. government. We're going to start with our most critical systems — that includes what we call high-value assets, and high-impact systems. So for example, we're gonna prioritize systems that have personal health information.

That's our biggest emphasis — both when we talk to private industry and when we encourage agencies when they talk to their contractors and vendors — to really think about where your most sensitive data is and then prioritize those systems for migration.

Security

Powerful Malware Disguised as Crypto Miner Infects 1M+ Windows, Linux PCs (pcmag.com) 19

PC Magazine reports: A powerful piece of malware has been disguising itself as a trivial cryptocurrency miner to help it evade detection for more than five years, according to antivirus provider Kaspersky. This so-called "StripedFly" malware has infected over 1 million Windows and Linux computers around the globe since 2016, Kaspersky says in a report released Thursday...

StripedFly incorporated a version of EternalBlue, the notorious NSA-developed exploit that was later leaked and used in the WannaCry ransomware attack to infect hundreds of thousands of Windows machines back in 2017. According to Kaspersky, StripedFly uses its own custom EternalBlue attack to infiltrate unpatched Windows systems and quietly spread across a victim's network, including to Linux machines. The malware can then harvest sensitive data from infected computers, such as login credentials and personal data. "Furthermore, the malware can capture screenshots on the victim's device without detection, gain significant control over the machine, and even record microphone input," the company's security researchers added.

To evade detection, the creators behind StripedFly settled on a novel method by adding a cryptocurrency mining module to prevent antivirus systems from discovering the malware's full capabilities.

Security

Ukrainian Hackers and Intel Officers Partner Up In Apparent Hack of a Top Russian Bank (npr.org) 41

An anonymous reader quotes a report from NPR: Two Ukrainian hacktivist groups are claiming to have broken into Russia's largest private bank, Alfa-Bank. In a blog post last week, the hackers from groups called KibOrg and NLB shared screenshots of what appears to be an internal database belonging to Alfa-Bank, as well as personal details of several Russian individuals as "confirmation" of the breach. Within the database, the hackers say there are over 30 million records including names, birthdates, account numbers and phone numbers of Russian customers.

Adding some legitimacy to those claims, a Ukrainian intelligence official who requested anonymity to discuss the sensitive operation confirmed to NPR that Ukraine's top counterintelligence agency, the SBU, helped the hacktivists breach Alfa-Bank. The official did not share additional details about how the SBU participated or any further plans for sharing the stolen data. Ukrainian journalists including from cybersecurity website The Record previously reported on the connection to the SBU. While the hacktivists did not immediately respond to a request to discuss the breach, they wrote in the blog post -- posted on their own site -- that they would be sharing the data obtained from Alfa-Bank with investigative journalists. Alfa-Bank has not publicly responded to the news of the hack.

Security

1Password Discloses Security Incident Linked To Okta Breach (bleepingcomputer.com) 27

Lawrence Abrams reports via BleepingComputer: 1Password, a popular password management platform used by over 100,000 businesses, suffered a security breach after hackers gained access to its Okta ID management tenant. "We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed," reads a very brief security incident notification from 1Password CTO Pedro Canahuati. "On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."

On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials. As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer. Okta first learned of the breach from BeyondTrust, who shared forensics data with Okta, showing that their support organization was compromised. However, it took Okta over two weeks to confirm the breach.
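
As an illustration of the risk described above, here is a small HAR scrubber written for this summary (it is not Okta's, BeyondTrust's or 1Password's tooling) that redacts cookie, authorization and session material before a capture is handed to a support desk. The HAR document embedded below is a constructed sample, and the hostname in it is a placeholder.

```python
import json
import sys
from copy import deepcopy

# Header names (lower-case) whose values carry credentials or session material.
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key",
}
REDACTED = "[REDACTED]"


def _scrub_headers(headers):
    """Blank the value of every sensitive header; the name stays for troubleshooting context."""
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED


def _scrub_cookies(cookies):
    """HAR duplicates parsed cookies as name/value objects; wipe the values there too."""
    for cookie in cookies:
        if "value" in cookie:
            cookie["value"] = REDACTED


def scrub_har(har):
    """Return a deep copy of a HAR document with session tokens removed from every entry.

    The input is not modified, so a caller can diff original and scrubbed output.
    """
    out = deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            _scrub_headers(part.get("headers", []))
            _scrub_cookies(part.get("cookies", []))
        # Response bodies can echo tokens (login responses, token endpoints); drop them outright.
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = REDACTED
        # A posted form or JSON body may carry a password or refresh token.
        post = entry.get("request", {}).get("postData", {})
        if "text" in post:
            post["text"] = REDACTED
    return out


def contains_value(har, needle):
    """True if the literal string still appears anywhere in the serialised document."""
    return needle in json.dumps(har)


# Constructed sample: one captured request to a hypothetical Okta tenant, not a real capture.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-tenant.okta.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Accept", "value": "application/json"},
                        {"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_COOKIE"},
                        {"name": "Authorization", "value": "SSWS CONSTRUCTED_API_TOKEN"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_COOKIE"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED_SESSION_COOKIE; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_COOKIE"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\": \"00uCONSTRUCTED\"}"},
                },
            }
        ],
    }
}


if __name__ == "__main__":
    # Usage: python scrub_har.py capture.har  -> writes capture.scrubbed.har
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            original = json.load(fh)
        target = sys.argv[1].rsplit(".", 1)[0] + ".scrubbed.har"
        with open(target, "w", encoding="utf-8") as fh:
            json.dump(scrub_har(original), fh, indent=2)
        print("wrote", target)
    else:
        clean = scrub_har(SAMPLE_HAR)
        print("token still present:", contains_value(clean, "CONSTRUCTED_SESSION_COOKIE"))
```

Header names are kept so the support engineer can still see which headers were sent; only the values are blanked.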

AI

Newspapers Want Payment for Articles Used to Power ChatGPT (msn.com) 151

An anonymous reader shared this report from the Washington Post: For years, tech companies like Open AI have freely used news stories to build data sets that teach their machines how to recognize and respond fluently to human queries about the world. But as the quest to develop cutting-edge AI models has grown increasingly frenzied, newspaper publishers and other data owners are demanding a share of the potentially massive market for generative AI, which is projected to reach to $1.3 trillion by 2032, according to Bloomberg Intelligence.

Since August, at least 535 news organizations — including the New York Times, Reuters and The Washington Post — have installed a blocker that prevents their content from being collected and used to train ChatGPT. Now, discussions are focused on paying publishers so the chatbot can surface links to individual news stories in its responses, a development that would benefit the newspapers in two ways: by providing direct payment and by potentially increasing traffic to their websites. In July, Open AI cut a deal to license content from the Associated Press as training data for its AI models. The current talks also have addressed that idea, according to two people familiar with the talks who spoke on the condition of anonymity to discuss sensitive matters, but have concentrated more on showing stories in ChatGPT responses.

Other sources of useful data are also looking for leverage. Reddit, the popular social message board, has met with top generative AI companies about being paid for its data, according to a person familiar with the matter, speaking on the condition of anonymity to discuss private negotiations. If a deal can't be reached, Reddit is considering blocking search crawlers from Google and Bing, which would prevent the forum from being discovered in searches and reduce the number of visitors to the site. But the company believes the trade-off would be worth it, the person said, adding: "Reddit can survive without search."

"The moves mark a growing sense of urgency and uncertainty about who profits from online information," the article argues. "With generative AI poised to transform how users interact with the internet, many publishers and other companies see fair payment for their data as an existential issue."

They also cite James Grimmelmann, a professor of digital and information law at Cornell University, who suggests Open AI's decision to negotiate "may reflect a desire to strike deals before courts have a chance to weigh in on whether tech companies have a clear legal obligation to license — and pay for — content."

Security

There's a New Way To Flip Bits in DRAM, and It Works Against the Latest Defenses (arstechnica.com) 44

An anonymous reader shares a report: In 2015, researchers reported a surprising discovery that stoked industry-wide security concerns -- an attack called RowHammer that could corrupt, modify, or steal sensitive data when a simple user-level application repeatedly accessed certain regions of DDR memory chips. In the coming years, memory chipmakers scrambled to develop defenses that prevented the attack, mainly by limiting the number of times programs could open and close the targeted chip regions in a given time. Recently, researchers devised a new method for creating the same types of RowHammer-induced bitflips even on a newer generation of chips, known as DDR4, that have the RowHammer mitigations built into them. Known as RowPress, the new attack works not by "hammering" carefully selected regions repeatedly, but instead by leaving them open for longer periods than normal. Bitflips refer to the phenomenon of bits represented as ones changing to zeros and vice versa.

Further amplifying the vulnerability of DDR4 chips to read-disturbance attacks -- the generic term for inducing bitflips through abnormal accesses to memory chips -- RowPress bitflips can be enhanced by combining them with RowHammer accesses. Curiously, raising the temperature of the chip also intensifies the effect. "We demonstrate a proof of concept RowPress program that can cause bitflips in a real system that already employs protections against RowHammer," Onur Mutlu, a professor at ETH Zurich and a co-author of a recently published paper titled RowPress: Amplifying Read Disturbance in Modern DRAM Chips [PDF], wrote in an email. "Note that this is not in itself an attack. It simply shows that bitflips are possible and plenty, which can easily form the basis of an attack. As many prior works in security have shown, once you can induce a bitflip, you can use that bitflip for various attacks."

China

20,000 Britons Approached By Chinese Agents On LinkedIn, Says MI5 Head (theguardian.com) 19

An anonymous reader quotes a report from The Guardian: An estimated 20,000 Britons have been approached by Chinese state actors on LinkedIn in the hope of stealing industrial or technological secrets, the head of MI5 has said. Ken McCallum said industrial espionage was happening at "real scale," and he estimated that 10,000 UK businesses were at risk, particularly in artificial intelligence, quantum computing or synthetic biology where China was trying to gain a march. "Week by week, our teams detect massive amounts of covert activity by the likes of China in particular, but also Russia and Iran," the MI5 director general said ahead of a summit of domestic spy chiefs from the Five Eyes agencies hosted by the FBI in California. "Activity not aimed just at government or military secrets. Not even just aimed at our critical infrastructure but increasingly [at] promising startups -- innovative companies spun out of our universities, academic research itself, and people that understandably may not think national security is about them."

A key attack vector, McCallum said, was to try and steal information by Chinese actors posing as recruitment consultants on LinkedIn. "We think we're above 20,000 cases where that initial approach has been made online through sites of that sort," he said, compared to 10,000 two and a half years ago. [...] On Tuesday, the agency said it was aware of 20 instances of Chinese companies considering or pursuing use of "obfuscated investment, imaginative company structures" to circumvent regulations in order to gain access to technology developed by British companies and in universities. Details were scant but MI5 indicated it was aware of at least two Chinese companies trying to identify legal loopholes to access the sensitive technology of UK firms undetected, and another Chinese company acquiring research data stolen from a top UK university.

Security

Cloud Gaming Firm Shadow Says Hackers Stole Customers' Personal Data (techcrunch.com) 7

French technology company Shadow has confirmed a data breach involving customers' personal information. TechCrunch: The Paris-headquartered startup, which offers gaming through its cloud-based PC service, said in an email to customers this week that hackers had accessed their personal information after a successful social engineering attack targeted the company. "At the end of September, we were the victim of a social engineering attack targeting one of our employees," Shadow CEO Eric Sele said in the email, seen by TechCrunch. "This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack."

Shadow said that though its security team took unspecified "immediate action," the hackers were able to connect to the management interface of one of the company's software-as-a-service (SaaS) providers to obtain customers' private data. That data includes full names, email addresses, dates of birth, billing addresses and credit card expiry dates. Shadow says no passwords or sensitive banking data were compromised.

Beer

Climate Crisis Will Make Europe's Beer Cost More and Taste Worse, Say Scientists (theguardian.com) 118

Climate breakdown is already changing the taste and quality of beer, scientists have warned. From a report: The quantity and quality of hops, a key ingredient in most beers, is being affected by global heating, according to a study. As a result, beer may become more expensive and manufacturers will have to adapt their brewing methods. Researchers forecast that hop yields in European growing regions will fall by 4-18% by 2050 if farmers do not adapt to hotter and drier weather, while the content of alpha acids in the hops, which gives beers their distinctive taste and smell, will fall by 20-31%.

"Beer drinkers will definitely see the climate change, either in the price tag or the quality," said Miroslav Trnka, a scientist at the Global Change Research Institute of the Czech Academy of Sciences and co-author of the study, published in the journal Nature Communications. "That seems to be inevitable from our data." Beer, the third-most popular drink in the world after water and tea, is made by fermenting malted grains like barley with yeast. It is usually flavoured with aromatic hops grown mostly in the middle latitudes that are sensitive to changes in light, heat and water.
Climate-induced decline in the quality and quantity of European hops calls for immediate adaptation measures (Nature).

Privacy

23andMe Scraping Incident Leaked Data On 1.3 Million Users (therecord.media) 25

Jonathan Greig writes via The Record: Genetic testing giant 23andMe confirmed that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web. The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

When asked about the post, the company initially denied that the information was legitimate, calling it a "misleading claim" in a statement to Recorded Future News. The company later said it was aware that certain 23andMe customer profile information was compiled through unauthorized access to individual accounts that were signed up for the DNA Relative feature -- which allows users to opt in for the company to show them potential matches for relatives. [...] When pressed on how compromising a handful of user accounts would give someone access to millions of users, the spokesperson said the company does not believe the threat actor had access to all of the accounts but rather gained unauthorized entry to a much smaller number of 23andMe accounts and scraped data from their DNA Relative matches.

A researcher approached Recorded Future News after examining the leaked database and found that much of it looked real. [...] The researcher downloaded two files from the BreachForums post and found that one had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage. The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23andme's health data. The researcher added that he discovered another issue where someone could enter a 23andme profile ID, like the ones included in the leaked data set, into their URL and see someone's profile. The data available through this only includes profile photos, names, birth years and location but does not include test results.

EU

Alibaba Accused of 'Possible Espionage' At European Hub (ft.com) 38

An anonymous reader quotes a report from the Financial Times: Belgium's intelligence service has been monitoring Alibaba's main logistics hub in Europe for espionage following suspicions Beijing has been exploiting its growing economic presence in the west. European governments have been increasing scrutiny of the alleged security and economic risks posed by Chinese companies, which has been part of a wider reassessment of the EU's traditional openness to trade with China. In specific reference to Alibaba's logistics arm at the cargo airport in Liege, Belgium's security services told the Financial Times they were working to detect "possible espionage and/or interference activities" carried out by Chinese entities "including Alibaba".

Alibaba, which denies any wrongdoing, signed an agreement with Belgium in 2018 to open the hub in Liege, Europe's fifth-largest cargo airport, ploughing 100 million euros of investment into the ailing economy of the French-speaking Walloon region. But almost two years on from the site being opened, the Belgian State Security Service (VSSE) has continued monitoring Alibaba's operations following intelligence assessments, said people familiar with the matter. One area of scrutiny includes the introduction of software systems that collate sensitive economic information. The security service said the presence of Alibaba "constitutes a point of attention for the VSSE" because of legislation forcing Chinese companies to share their data with Chinese authorities and intelligence services. "China has the intent and capacity to use this data for non-commercial purposes," the agency said.

Concerns about potential espionage at the site were first raised before the hub was built, including in the Belgian parliament. At the time China strongly denied the "unprovoked insinuations" over exaggerated "so-called security risks of Chinese companies." The VSSE's statement to the FT indicates its concerns over espionage still remain after the opening of the hub. [...] "The main concern is that this platform, alongside a couple of other logistical platforms that the Chinese have been proposing to European countries, is giving them a lot of insights into supply chains and into eventual vulnerabilities," said Jonathan Holslag, a professor at the Vrije Universiteit Brussel. According to a person familiar with Alibaba's relations to China's government, the logistics centers are expected to pass on information about local sentiment and report data about European trade and logistics to Beijing's authorities.

"The site in Liege is the only European logistics center run by Alibaba's logistics spin-off Cainiao," reports the FT. The company is reportedly able to access data about merchants, products, transport details and flows. It may also be able to access information about final customers.

Privacy

ICE, CBP, Secret Service All Illegally Used Smartphone Location Data (404media.co) 61

Slash_Account_Dot shares a report from 404 Media, written by Joseph Cox: In a bombshell report, an oversight body for the Department of Homeland Security (DHS) found that Immigration and Customs Enforcement (ICE), Customs and Border Enforcement (CBP), and the Secret Service all broke the law while using location data harvested from ordinary apps installed on smartphones. In one instance, a CBP official also inappropriately used the technology to track the location of coworkers with no investigative purpose. For years U.S. government agencies have been buying access to location data through commercial vendors, a practice which critics say skirts the Fourth Amendment requirement of a warrant. During that time, the agencies have typically refused to publicly explain the legal basis on which they based their purchase and use of the data. Now, the report shows that three of the main customers of commercial location data broke the law while doing so, and didn't have any supervisory review to ensure proper use of the technology. The report also recommends that ICE stop all use of such data until it obtains the necessary approvals, a request that ICE has refused.

The report, titled "CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data," is dated September 28, 2023, and comes from Joseph V. Cuffari, the Inspector General for DHS. The report was originally marked as "law enforcement sensitive," but the Inspector General has now released it publicly.

Businesses

H&R Block, Meta, and Google Slapped With RICO Suit, Allegedly Schemed to Scrape Taxpayer Data (gizmodo.com) 31

Anyone who has used H&R Block's tax return preparation services since 2015 "may have unintentionally helped line Meta and Google's pocket," reports Gizmodo: That's according to a new class action lawsuit which alleges the three companies "jointly schemed" to install trackers on the H&R Block site to scan and transmit tax data back to the tech companies which then used elements of the data to engage in targeted advertising.

Attorneys bringing the case forward claim the three companies' conduct amounts to a "pattern of racketeering activity" covered under the Racketeer Influenced and Corrupt Organizations Act (RICO), a tool typically reserved for organized crime. "H&R Block, Google, and Meta ignored data privacy laws, and passed information about people's financial lives around like candy," Brent Wisner, one of the attorneys bringing forward the complaint said.

The lawsuit, filed in the Northern District of California this week, stems from a bombshell Congressional report released earlier this year detailing the way multiple tax preparation firms, including H&R Block, "recklessly" shared the sensitive tax data of tens of millions of Americans without proper safeguards. At issue are the tax preparation firms' use of tracking "pixels" placed on their websites. These trackers, which the lawsuit refers to as "spy cams" would allegedly scan tax documents and reveal a variety of personal tax information, including a filer's name, filing status, federal taxes owed, address, and number of dependents. That data was then anonymized and used for targeted advertising and to train Meta's AI algorithms, the congressional report notes.

The attorneys argue that H&R Block, Meta, and Google "explicitly and intentionally" entered into an agreement to violate taxpayers' privacy rights for financial gain, according to the article. The suit seeks refunds and punitive damages.

Security

GPUs From All Major Suppliers Are Vulnerable To New Pixel-Stealing Attack (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper (PDF) published Tuesday. The cross-origin attack allows a malicious website from one domain -- say, example.com -- to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains. [...]

GPU.zip works only when the malicious attacker website is loaded into Chrome or Edge. The reason: For the attack to work, the browser must:

1. allow cross-origin iframes to be loaded with cookies
2. allow rendering SVG filters on iframes and
3. delegate rendering tasks to the GPU

For now, GPU.zip is more of a curiosity than a real threat, but that assumes that Web developers properly restrict sensitive pages from being embedded by cross-origin websites. End users who want to check if a page has such restrictions in place should look for the X-Frame-Options or Content-Security-Policy headers in the source.
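
The check that the paragraph above recommends can be automated. The following code is an added example, not from the Ars report or the GPU.zip paper; it parses a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers and decides whether a given cross-origin page could embed the response. The header sets and origins are constructed samples, and the port-matching rule is simplified as noted in the comments.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_parts(origin):
    """Split 'https://host[:port]' into (scheme, host, port), filling in the scheme's default port."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def parse_csp(value):
    """Turn a Content-Security-Policy header value into {directive: [source tokens]}."""
    directives = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source, embedder, page):
    """Does one frame-ancestors source expression admit the embedder origin?

    Simplification (assumption of this example): a source that names no port accepts
    any port, whereas the CSP spec requires the scheme's default port in that case.
    """
    scheme, host, port = origin_parts(embedder)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_parts(embedder) == origin_parts(page)
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:          # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    if "://" in src:                                     # host-source with explicit scheme
        src_scheme, src = src.split("://", 1)
        if src_scheme != scheme:
            return False
    src_host, _, src_port = src.partition(":")
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):                        # "*.example.com" matches subdomains only
        return host.endswith(src_host[1:])
    return host == src_host


def framing_allowed(headers, page_origin, embedder_origin):
    """True if a CSP/XFO-honouring browser would let embedder_origin put page_origin in an iframe.

    Browsers give frame-ancestors precedence over X-Frame-Options when both are present.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    ancestors = parse_csp(lowered.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        # An empty source list is equivalent to 'none'; any() over [] is False.
        return any(source_matches(s, embedder_origin, page_origin) for s in ancestors)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_parts(embedder_origin) == origin_parts(page_origin)
    # No recognised restriction (the obsolete ALLOW-FROM is ignored by current browsers).
    return True


def summarise(headers, page_origin):
    """Verdict of the kind the article tells end users to look for: can a random site embed this page?"""
    if framing_allowed(headers, page_origin, "https://attacker.invalid"):
        return "embeddable by arbitrary cross-origin pages"
    return "restricted by X-Frame-Options or frame-ancestors"


# Constructed header sets for a hypothetical page served from https://bank.example.
SAMPLE_HEADERS = {
    "none": {},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_partner": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
        "X-Frame-Options": "DENY",   # also present; frame-ancestors wins in browsers that support CSP
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        print(f"{label:15s} {summarise(hdrs, 'https://bank.example')}")
```

The SameSite=Lax mitigation mentioned by Google is a separate check on the cookie attributes and is not covered here.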

"This is impactful research on how hardware works," a Google representative said in a statement. "Widely adopted headers can prevent sites from being embedded, which prevents this attack, and sites using the default SameSite=Lax cookie behavior receive significant mitigation against personalized data being leaked. These protections, along with the difficulty and time required to exploit this behavior, significantly mitigate the threat to everyday users. We are in communication and are actively engaging with the reporting researchers. We are always looking to further improve protections for Chrome users."

An Intel representative, meanwhile, said that the chipmaker has "assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third-party software." A Qualcomm representative said "the issue isn't in our threat model as it more directly affects the browser and can be resolved by the browser application if warranted, so no changes are currently planned." Apple, Nvidia, AMD, and ARM didn't comment on the findings.

An informational write-up of the findings can be found here.

Australia

Behind the Scenes at 'Have I Been Pwned' (abc.net.au) 22

The founder of the data-breach notification site Have I Been Pwned manages "the largest known repository of stolen data on the planet," reports Australia's public broadcaster ABC, including over 6 billion email addresses. Yet with no employees, Troy Hunt manages all of the technical and operational aspects single-handedly, and "has ended up playing an oddly central role in global cybersecurity." Troy is very careful with how he handles what he finds. He only collects (and encrypts) the mobile numbers, emails and passwords that he finds in the breaches, discarding the victims' names, physical addresses, bank details and other sensitive information. The idea is to let users find out where their data has been leaked from, but without exposing them to further risk. Once he identifies where a data breach has occurred, Troy also contacts the organisation responsible to allow it to inform its users before he does. This, he says, is often the hardest step of the process because he has to convince them it's legitimate and not some kind of scam itself.

He's not required to give organisations this opportunity, much less persist when they ignore his messages or accuse him of trying to shake them down for money. But there's evidence that this approach is working. Despite the legal grey area he has operated in for a decade now, he's avoided being sued by any of the organisations responsible for the 705 breaches that are now searchable on Have I Been Pwned. These days, major tech companies like Mozilla and 1Password use Have I Been Pwned, and Troy likes to point out that dozens of national governments and law enforcement agencies also partner with his service...

"He's not a company that's audited. He's just a dude on the web," says Jane Andrew, an expert on data breaches at the University of Sydney. "I think it's so shocking that this is where we find out information about ourselves." She says governments and law enforcement have, in general, left it to individuals to deal with the fallout from data breaches... Without an effective global regulator, Professor Andrew says, a crucial part of the world's cybersecurity infrastructure is left to rely on the goodwill of this one man on the Gold Coast.

Thanks to long-time Slashdot reader slincolne for sharing the article.
Microsoft

Microsoft AI Researchers Accidentally Exposed Terabytes of Internal Sensitive Data (techcrunch.com) 17

Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords, while publishing a storage bucket of open source training data on GitHub. From a report: In research shared with TechCrunch, cloud security startup Wiz said it discovered a GitHub repository belonging to Microsoft's AI research division as part of its ongoing work into the accidental exposure of cloud-hosted data. Readers of the GitHub repository, which provided open source code and AI models for image recognition, were instructed to download the models from an Azure Storage URL. However, Wiz found that this URL was configured to grant permissions on the entire storage account, exposing additional private data by mistake. This data included 38 terabytes of sensitive information, including the personal backups of two Microsoft employees' personal computers. The data also contained other sensitive personal data, including passwords to Microsoft services, secret keys and more than 30,000 internal Microsoft Teams messages from hundreds of Microsoft employees.
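A defender-side check for the misconfiguration described above. This is an added example, not Wiz's or Microsoft's code; it assumes the download URL carried an Azure shared access signature (SAS) token, which the summary does not state, and the two sample URLs and their signatures are constructed placeholders.

```python
"""Flag Azure Storage SAS URLs whose scope, permissions or lifetime are
wider than a public README download link needs (added example)."""
from datetime import datetime, timezone, timedelta
from typing import List, Optional
from urllib.parse import urlparse, parse_qs


def _param(q, key: str) -> str:
    return q.get(key, [""])[0]


def sas_findings(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return human-readable risk findings for the SAS parameters in `url`."""
    q = parse_qs(urlparse(url).query)
    if "sig" not in q:
        return []  # no SAS token: nothing to assess here
    now = now or datetime.now(timezone.utc)
    findings = []
    # ss/srt are only present on an account SAS, which covers the whole
    # storage account rather than one blob (sr=b) or container (sr=c).
    if "srt" in q or "ss" in q:
        findings.append(f"account SAS (ss={_param(q, 'ss')}, srt={_param(q, 'srt')}) spans the whole storage account")
    elif _param(q, "sr") == "c":
        findings.append("container SAS exposes every blob in the container")
    perms = _param(q, "sp")
    if set(perms) & set("wdacu"):
        findings.append(f"sp={perms} grants write/delete, not just read")
    if "l" in perms:
        findings.append("sp includes l: callers can list (enumerate) blobs in scope")
    se = _param(q, "se")
    if se:
        exp = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp - now > timedelta(days=365):
            findings.append(f"token valid until {se}, more than a year out")
    return findings


def safe_for_public_link(url: str, now: Optional[datetime] = None) -> bool:
    """True only for a read-only, single-blob, short-lived token (no findings)."""
    return not sas_findings(url, now)


# Constructed sample URLs; the sig values are placeholders, not real tokens.
FIXED_NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)
BROAD_URL = ("https://example.blob.core.windows.net/models/model.bin"
             "?sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacup&se=2040-01-01T00:00:00Z&sig=PLACEHOLDER")
NARROW_URL = ("https://example.blob.core.windows.net/models/model.bin"
              "?sv=2021-06-08&sr=b&sp=r&se=2023-12-31T00:00:00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    for f in sas_findings(BROAD_URL, FIXED_NOW):
        print("BROAD:", f)
    print("NARROW safe:", safe_for_public_link(NARROW_URL, FIXED_NOW))
```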
Privacy

Password-Stealing Linux Malware Served For 3 Years and No One Noticed (arstechnica.com) 54

An anonymous reader quotes a report from Ars Technica: A download site surreptitiously served Linux users malware that stole passwords and other sensitive information for more than three years until it finally went quiet, researchers said on Tuesday. The site, freedownloadmanager[.]org, offered a benign version of a Linux offering known as the Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to cause the file at /var/tmp/crond to launch every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.

After accessing an IP address for the malicious domain, the backdoor launched a reverse shell that allowed the attackers to remotely control the infected device. Researchers from Kaspersky, the security firm that discovered the malware, then ran the backdoor on a lab device to observe how it behaved. "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," the researchers wrote in a report on Tuesday. "After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers' infrastructure."
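A small detection over crontab contents for the persistence pattern described above (a binary under /var/tmp launched every 10 minutes). This is an added example, not Kaspersky's tooling; the crontab lines it scans are constructed for illustration, and the flagged paths are the ones quoted in the report.

```python
"""Flag crontab entries that launch executables from world-writable temp
directories, or that reference the paths named in the report (added example)."""
import re
from typing import Dict, List

# Paths quoted in the report, plus the temp directories they live under.
KNOWN_BAD_PATHS = {"/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd"}
TEMP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")

# Either a five-field schedule or an @reboot/@hourly style shortcut, then the command.
CRON_LINE = re.compile(r"^\s*(?P<sched>@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Return schedule/command pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*=", s):
            continue
        m = CRON_LINE.match(s)
        if m:
            entries.append({"schedule": m.group("sched").strip(),
                            "command": m.group("cmd").strip()})
    return entries


def suspicious_entries(text: str) -> List[Dict[str, str]]:
    """Entries whose command references a known bad path or any temp-dir binary."""
    hits = []
    for e in parse_crontab(text):
        reason = None
        for tok in e["command"].split():
            if tok in KNOWN_BAD_PATHS:
                reason = f"known path {tok}"
                break
            if tok.startswith(TEMP_DIRS):
                reason = f"executable under temp dir: {tok}"
                break
        if reason:
            hits.append({**e, "reason": reason})
    return hits


# Constructed sample: one benign job and two matching the report's pattern.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /var/tmp/crond
@reboot /var/tmp/bs
"""

if __name__ == "__main__":
    for h in suspicious_entries(SAMPLE_CRONTAB):
        print(h["schedule"], h["command"], "->", h["reason"])
```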

Programming

IEEE Spectrum Announces Top Programming Languages of 2023: Python and SQL (ieee.org) 102

Last week IEEE Spectrum released its 10th annual rankings of the Top Programming Languages. It chose a top language for each of three categories: actively used among typical IEEE members and working software engineers, in demand by employers, or "in the zeitgeist".

The results? This year, Python doesn't just remain No. 1 in our general "Spectrum" ranking — which is weighted to reflect the interests of the typical IEEE member — but it widens its lead.

Python's increased dominance appears to be largely at the expense of smaller, more specialized, languages. It has become the jack-of-all-trades language — and the master of some, such as AI, where powerful and extensive libraries make it ubiquitous. And although Moore's Law is winding down for high-end computing, low-end microcontrollers are still benefiting from performance gains, which means there's now enough computing power available on a US $0.70 CPU to make Python a contender in embedded development, despite the overhead of an interpreter. Python also looks to be solidifying its position for the long term: Many children and teens now program their first game or blink their first LED using Python. They can then move seamlessly into more advanced domains, and even get a job, with the same language.

But Python alone does not make a career. In our "Jobs" ranking, it is SQL that shines at No. 1. Ironically though, you're very unlikely to get a job as a pure SQL programmer. Instead, employers love, love, love, seeing SQL skills in tandem with some other language such as Java or C++. With today's distributed architectures, a lot of business-critical data live in SQL databases...

But don't let Python and SQL's rankings fool you: Programming is still far from becoming a monoculture. Java and the various C-like languages outweigh Python in their combined popularity, especially for high-performance or resource-sensitive tasks where that interpreter overhead of Python's is still too costly (although there are a number of attempts to make Python more competitive on that front). And there are software ecologies that are resistant to being absorbed into Python for other reasons.

The article cites the statistical analysis/visualization language R, as well as Fortran and Cobol, as languages that are hard to port code from or that have accumulated large already-validated codebases. But Python also remains at #1 in their third "Trending" category — with Java in second there and on the general "IEEE Spectrum" list.

JavaScript appears below Python and Java on all three lists. It is immediately below them on the Trending and "Jobs" lists, but two positions further down on the general "Spectrum" list (below C++ and C).

The metrics used for the calculation include the number of hits on Google, recent questions on Stack Overflow, tags on Discord, mentions in IEEE's library of journal articles and its CareerBuilder job site, and language use in starred GitHub repositories and number of new programming books.
Google

Google Removes Fake Signal and Telegram Apps Hosted on Play (arstechnica.com) 12

Researchers say they have found fake apps in Google Play that masqueraded as legitimate ones for the Signal and Telegram messaging platforms. The malicious apps could pull messages or other sensitive information from legitimate accounts when users took certain actions. ArsTechnica: An app with the name Signal Plus Messenger was available on Play for nine months and had been downloaded from Play roughly 100 times before Google took it down last April after being tipped off by security firm ESET. It was also available in the Samsung app store and on signalplus[.]org, a dedicated website mimicking the official Signal.org. An app calling itself FlyGram, meanwhile, was created by the same threat actor and was available through the same three channels. Google removed it from Play in 2021. Both apps remain available in the Samsung store.

Both apps were built on open source code available from Signal and Telegram. Interwoven into that code was an espionage tool tracked as BadBazaar. The Trojan has been linked to a China-aligned hacking group tracked as GREF. BadBazaar has been used previously to target Uyghurs and other Turkic ethnic minorities. The FlyGram malware was also shared in a Uyghur Telegram group, further aligning it to previous targeting by the BadBazaar malware family. Signal Plus could monitor sent and received messages and contacts if people connected their infected device to their legitimate Signal number, as is normal when someone first installs Signal on their device. Doing so caused the malicious app to send a host of private information to the attacker, including the device IMEI number, phone number, MAC address, operator details, location data, Wi-Fi information, emails for Google accounts, contact list, and a PIN used to transfer texts in the event one was set up by the user.
