Security

Unearthed: CosmicEnergy, Malware For Causing Kremlin-Style Power Disruptions (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Researchers have uncovered malware designed to disrupt electric power transmission that may have been used by the Russian government in training exercises for creating or responding to cyberattacks on electric grids. Known as CosmicEnergy, the malware has capabilities that are comparable to those found in malware known as Industroyer and Industroyer2, both of which have been widely attributed by researchers to Sandworm, the name of one of the Kremlin's most skilled and cutthroat hacking groups.

Researchers from Mandiant, the security firm that found CosmicEnergy, wrote: "COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed. What makes COSMICENERGY unique is that based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104. The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY."

Right now, the link is circumstantial and mainly limited to a comment found in the code suggesting it works with software designed for training exercises sponsored by the Kremlin. Consistent with the theory that CosmicEnergy is used in so-called Red Team exercises that simulate hostile hacks, the malware lacks the ability to burrow into a network to obtain environment information that would be necessary to execute an attack. The malware includes hardcoded information object addresses typically associated with power line switches or circuit breakers, but those mappings would have to be customized for a specific attack since they differ from manufacturer to manufacturer. "For this reason, the particular actions intended by the actor are unclear without further knowledge about the targeted assets," Mandiant researchers wrote.

Security

2021 Has Broken the Record For Zero-Day Hacking Attacks (technologyreview.com)

According to multiple databases, researchers, and cybersecurity companies who spoke to MIT Technology Review, 2021 has had the highest number of zero-day exploits on record. "At least 66 zero-days have been found in use this year, according to databases such as the 0-day tracking project -- almost double the total for 2020, and more than in any other year on record," the report says. From the report: One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools. Powerful groups are all pouring heaps of cash into zero-days to use for themselves -- and they're reaping the rewards. At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees. And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes. "Financially motivated actors are more sophisticated than ever," Semrau says. "One-third of the zero-days we've tracked recently can be traced directly back to financially motivated actors. So they're playing a significant role in this increase which I don't think many people are giving credit for."

While there may be an increasing number of people developing or buying zero-days, the record number reported isn't necessarily a bad thing. In fact, some experts say it might be mostly good news. No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time -- just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act. You can look at the data, such as Google's zero-day spreadsheet, which tracks nearly a decade of significant hacks that were caught in the wild. One change the trend may reflect is that there's more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools. Defenders have clearly gone from being able to catch only relatively simple attacks to detecting more complex hacks, says Mark Dowd, founder of Azimuth Security. "I think this denotes an escalation in the ability to detect more sophisticated attacks," he says.
Further reading: Emergency Software Patches Are on the Rise
Input Devices

Is Computer History Also a History of Physical Pains? (vice.com)

"Decades before 'Zoom fatigue' broke our spirits, the so-called computer revolution brought with it a world of pain previously unknown to humankind," argues Laine Nooney (in a condensed version of a chapter in the 2022 book Abstractions and Embodiments: New Histories of Computing and Society).

Slashdot reader em1ly shares its observation that "There was really no precedent in our history of media interaction for what the combination of sitting and looking at a computer monitor did to the human body..." Forty years later, what started with simple complaints about tired eyes has become commonplace experience for anyone whose work or school life revolves around a screen. The aches and pains of computer use now play an outsized role in our physical (and increasingly, our mental) health, as the demands of remote work force us into constant accommodation. We stretch our wrists and adjust our screens, pour money into monitor arms and ergonomic chairs, even outfit our offices with motorized desks that can follow us from sitting to standing to sitting again. Entire industries have built their profits on our slowly curving backs, while physical therapists and chiropractors do their best to stem a tide of bodily dysfunction that none of us opted into. These are, at best, partial measures, and those who can't afford extensive medical interventions or pricey furniture remain cramped over coffee tables or fashioning makeshift laptop raisers. Our bodies, quite literally, were never meant to work this way...

As both desktop computers and networked terminals proliferated in offices, schools, and homes over the 1980s, chronic pain became their unanticipated remainder: wrist pain, vision problems, and back soreness grew exponentially... To consider the history of computing through the lens of computer pain is to center bodies, users, and actions over and above hardware, software, and inventors. This perspective demands computer history to engage with a world beyond the charismatic object of computers themselves, with material culture, with design history, with workplace ethnography, with leisure studies... This is not the history of killer apps, wild hacks, and the coding wizards who stayed up late, but something far quieter and harder to trace, histories as intimate as they are "unhistoric": histories of habit, use, and making do. That pain in your neck, the numbness in your fingers, has a history far more widespread and impactful than any individual computer or computing innovator. No single computer changed the world, but computer pain has changed us all...

[T]he next time you experience "tired eyes," wrists tingling, neck cramps, or even the twinge of text neck, let it serve as a denaturalizing reminder that the function of technology has never been to make our lives easier, but only to complicate us in new ways. Computer-related pain, and the astounding efforts humans went to (and continue to go to) to alleviate it, manage it, and negotiate it, provide one thread through the question of how the computer became personal. The introduction of computers into everyday routines, both at work and at home, was a historic site of vast cultural anxiety around the body.

Microsoft

Microsoft Defender Antivirus Now Automatically Mitigates Exchange Server Vulnerabilities (zdnet.com)

"Microsoft has implemented an automatic mitigation tool within Defender Antivirus to tackle critical vulnerabilities in Exchange Server," reports ZDNet: On March 18, the Redmond giant said the software will automatically mitigate CVE-2021-26855, a severe vulnerability that is being actively exploited in the wild. This vulnerability is one of four that can be used in a wider attack chain to compromise on-premise Exchange servers.

Microsoft released emergency fixes for the security flaws on March 2 and warned that a state-sponsored threat group called Hafnium was actively exploiting the bugs, and since then, tens of thousands of organizations are suspected to have been attacked. At least 10 other advanced persistent threat (APT) groups have jumped on the opportunity slow or fragmented patching has provided.

The implementation of a recent security intelligence update for Microsoft Defender Antivirus and System Center Endpoint Protection means that mitigations will be applied on vulnerable Exchange servers when the software is deployed, without any further input from users. According to the firm, Microsoft Defender Antivirus will automatically identify if a server is vulnerable and apply the mitigation fix once per machine.

The article also points out Microsoft also released a one-click mitigation tool earlier this week, which is "still readily available as an alternative way to mitigate risk to vulnerable servers if IT admins do not have Defender Antivirus."
IOS

Apple Adds 'BlastDoor' To Secure iOS From Zero-Click Attacks (securityweek.com)

wiredmikey shares a report from SecurityWeek.com: Apple has quietly added several anti-exploit mitigations into iOS in what appears to be a specific response to zero-click iMessage attacks observed in the wild. The new mitigations were discovered by Samuel Groß, a Google Project Zero security researcher, [with the first big addition being] a new, tightly sandboxed "BlastDoor" service that is now responsible for the parsing of untrusted data in iMessages.

With iOS 14, Groß discovered that Apple shipped a significant refactoring of iMessage processing, and made all four parts of an attack much harder to succeed. Apple added logic into iOS 14 to specifically detect [shared cache region] attacks and new techniques to limit an attacker's ability to retry exploits or brute force Address Space Layout Randomization (ASLR).
"Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole," the Google researcher added.
IOS

It's Almost Impossible To Tell If Your iPhone Has Been Hacked (vice.com)

An anonymous reader writes: A recent vulnerability in WhatsApp shows that there's little defenders can do to detect and analyze iPhone hacks. Some iOS security experts say this is yet another incident that shows iOS is so locked down it's hard -- if not impossible -- to figure out if your own iPhone has been hacked.

[...] "The simple reality is there are so many 0-day exploits for iOS," said Stefan Esser, a security researcher that specializes in iOS. "And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones." As of today, there is no specific tool that an iPhone user can download to analyze their phone and figure out if it has been compromised. In 2016, Apple took down an app made by Esser that was specifically designed to detect malicious jailbreaks.

Security

Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com)

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."
Security

Russian Cyberspies Blamed For US Election Hacks Are Now Targeting Macs (computerworld.com)

You may recall "APT28", the Russian hacking group which was tied to last year's interference in the presidential election. It has long been known for its advanced range of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs. From a report on ComputerWorld: The group -- known in the security industry under different names including Fancy Bear, Pawn Storm, and APT28 -- has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent. X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan. It's not entirely clear how the malware is being distributed because the Bitdefender researchers obtained only the malware sample, not the full attack chain. However, it's possible a macOS malware downloader dubbed Komplex, found in September, might be involved. Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted web pages. Further reading on ArsTechnica.
Security

Kevin Mitnick Answers

Last week, you asked Kevin Mitnick questions about his past, his thoughts on ethics and disclosure, and his computer set-up. He's graciously responded; read on for his answers. (No dice on the computer set-up, though.) Thanks, Kevin.

What Good Technical Books Adorn Your Library?

bluefoxlucid asks: "Lately I've been looking into technical books, and have come to the conclusion that there are a lot of useful books out there containing information that could be useful to me. To my alarm, I've found that many of these titles are not in my local public library! This requires action; I must build my own library, and actually use that bookshelf in my room! But, without a way to sample the books, how should I know which to buy? What (mainly non-fiction) recommendations would you make for anyone who would fall into the Slashdot audience to read?"
Books

Knoppix Hacks

norburym writes "The publishers' blurb on the back cover describes Knoppix as 'a veritable Swiss Army knife in CD form.' Knoppix Hacks by Kyle Rankin is no less astounding in revealing the hidden versatility and power inherent in this unassuming tool." Read on for the rest of Norbury-Glaser's review.
First Person Shooters (Games)

Halo Hackers Go Wild, Unleash Flamethrower

Thanks to Halo.Bungie.Org for info on a new Halo Xbox hacking movie revealing some spectacular new tricks, including the ability to use the previously unavailable flamethrower and gravity rifle weapons in-game, plus much more outlandish stunts. As the site says, "...even if you're not excited by the hacking scene, it's a hoot to see how much damage you can do when you're standing in a tower of 3 dozen Master Chiefs and your assault rifle fires frag grenades." These hacks were accomplished by hex-editing a cache file on a modified Xbox, and coincidentally, Gearbox Software have just posted a new screenshot of the PC-exclusive flamethrower weapon, which probably works a sight better than the unfinished Xbox one.
News

H2K2 Wrapup

Your intrepid reporter took a jaunt down to the H2K2 conference this past weekend, held in the lovely Hotel Pennsylvania. The conference had much more floor space than it had two years ago, and attendance seemed higher as well. Wireless networks were available, though overcrowded, and if you didn't encrypt your communications, well, you've probably already paid the price. My notes on the conference and the sessions I attended are below, followed by a couple of reader submissions.
Linux

Hacking Linux Exposed

Reader Bob Johnson wrote this detailed review of the Hacking Exposed follow-up Hacking Linux Exposed -- especially in light of the various color-coded Windows viruses still on the loose, this might be a good present for your local Windows administrator as well, but both Bob and the authors are clear: GNU/Linux systems may be more resistant, but are not immune to cracking.
Censorship

Keep It Legal To Embarrass Big Companies

Maybe Peacefire's timing is bad. Two courts have recently said that the reverse-engineered DeCSS program is illegal to publish in the United States, and UCITA gets closer every second. Yet Peacefire today released a program that reverse-engineers the encryption on a list of sites blocked by a major censorware product. Maybe T-shirts that say 'X-Stop has a 68% error rate for blocking student homepages' will get classified as munitions next. Bennett Haselton shares his thoughts (below) on corporate crypto.
News

Infinite Space

Physicists, gamers, Web designers, developers, and engineers took up (with a vengeance) the question of whether or not the Net and the Web were an Infinite Space, forever expansible. Most felt that while Web Space was infinite, desirable property isn't. Also comments about crackers, cryptography, gaming, virtual property, the future of the Net and the Web, and concerns about whether real-world property laws apply online. All in all, a great cyber gab-fest, pro and con.