Submission: Threat actors can simulate iPhone reboots and keep iOS malware on a device (therecord.media)

An anonymous reader writes: In a piece of groundbreaking research published on Tuesday night, security firm ZecOps said that it found a way to block and then simulate an iOS restart operation, a technique that they believe could be extremely useful to attackers who may want to trick users into thinking they rebooted their device and, as a result, maintain access for their malware on that infected system.

The technique is of extreme importance and gravity because of the way the iPhone malware landscape has evolved in recent years, where, due to advances in the security of the iOS operating system, malware can’t achieve boot persistence as easily as it once did. As a result, many security experts have recommended over the past year that users who might be the target of malicious threat actors regularly reboot devices in order to remove backdoors or other implants. But in a blog post on Tuesday, ZecOps said that the iOS restart process isn’t immune to being hijacked once an attacker has gained access to a device, and can be used to perform a fake restart in which the user's device only has its UI turned off, instead of the entire OS.

Submission: Microsoft Seizes Domains Used By Chinese Cyber-Espionage Group 'Nickel' (therecord.media)

An anonymous reader writes: Microsoft said today that its legal team has successfully obtained a court warrant that allowed it to seize 42 domains used by a Chinese cyber-espionage group in recent operations that targeted organizations in the US and 28 other countries. Tracked by Microsoft as Nickel, but also known under other names such as APT15, Mirage, Vixen Panda, Ke3Chang, and others, the group has been active since 2012 and has conducted numerous operations against a broad set of targets. Tom Burt, Microsoft VP of Customer Security & Trust, said today that the recent domains had been used for “intelligence gathering” from government agencies, think tanks, and human rights organizations.

Burt said the seized domains were being used to gather information and data from the hacked organizations. “Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Burt said in a blog post today announcing the company’s legal action against Nickel domains. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” he added. According to Burt, the group’s victims had been hacked using compromised third-party virtual private network (VPN) suppliers or stolen credentials obtained from spear-phishing campaigns, which is in tune with similar industry reports detailing recent tactics used by Chinese espionage groups, in general.

Submission: SolarWinds Hackers Have a Whole Bag of New Tricks For Mass Compromise Attacks (arstechnica.com)

An anonymous reader writes: Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies. Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.

Mandiant’s report shows that Nobelium’s ingenuity hasn’t wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack—one called UNC3004 and the other UNC2652—have continued to devise new ways to compromise large numbers of targets in an efficient manner. Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.

The advanced tradecraft didn’t stop there. According to Mandiant, other advanced tactics and ingenuities included:
  • Use of credentials stolen by financially motivated hackers using malware such as Cryptbot (PDF), an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed UNC3004 and UNC2652 to compromise targets even when they didn’t use a hacked service provider.
  • Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with “application impersonation privileges,” which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
  • The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicions.
  • Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
  • Gaining access to an active directory stored in a target’s Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what’s known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, which is the protocol that makes single sign-on, 2FA, and other security mechanisms work.
  • Use of a custom downloader dubbed Ceeloader.

Submission: Eurostar Tests Facial Recognition System On London Train Station (bleepingcomputer.com)

An anonymous reader writes: Eurostar is testing a new biometric facial recognition technology on passengers traveling from London’s St Pancras International station to continental Europe. The passengers will be given the opportunity to complete their pre-departure ticket and passport checks via the new biometric system, called the “SmartCheck” lane. Those who take this option will be allowed to board the train without going through the typically tedious ID verification procedures. The system will involve two facial scans, one at the ticket gate to verify the ticket check and one at the UK Exit Checkpoint, to confirm that the passport information is valid.

The goal, according to Eurostar, is to eliminate queues and expedite the boarding process, not only improving customer satisfaction but also minimizing the chances for viral transmission. The system will be trialed with a limited number of invited passengers and won’t involve the UK’s or Schengen entry controls. Eurostar announced its intention to introduce a facial recognition system to replace physical tickets and passport checks last year, and facial recognition company iProov helped them build it. iProov is a proponent of what they call “passive authentication”, which is facial recognition without the user having to do anything. The user consents to the platform by visiting an online portal to register with their information and takes an image of their face with the smartphone or webcam. When they reach a physical checkpoint, they simply look at the camera, and the system authenticates them effortlessly.

Submission: Giant Study Finds Viagra Is Linked to Almost 70% Lower Risk of Alzheimer's (sciencealert.com)

fahrbot-bot writes: Usage of the medication sildenafil – better known to most as the brand-name drug Viagra – is associated with dramatically reduced incidence of Alzheimer's disease, new research suggests.

According to a study led by researchers at the Cleveland Clinic, taking sildenafil is tied to a nearly 70 percent lower risk of developing Alzheimer's compared to non-users.

That's based on an analysis of health insurance claim data from over 7.2 million people, in which records showed that claimants who took the medication were much less likely to develop Alzheimer's over the next six years of follow-up, compared to matched control patients who didn't use sildenafil.

It's important to note that observed associations like this – even on a huge scale – are not the same as proof of a causative effect. For example, it's possible that the people in the cohort who took sildenafil might have something else to thank for their improved chances of not developing Alzheimer's.

Nonetheless, the researchers say the correlation shown here – in addition to other indicators in the study – is enough to identify sildenafil as a promising candidate drug for Alzheimer's disease, the viability of which can be explored in future randomized clinical trials designed to test whether causality does indeed exist.

Submission: Missouri was to thank "hacker" journalist before Governor accused him of crimes (arstechnica.com)

UnknowingFool writes: Two days before Missouri governor Michael Parson (R) accused a newspaper reporter, Josh Renaud, of "hacking" for reporting about a fixed flaw in a state website, the state government of Missouri was planning to publicly thank Renaud for alerting them to the flaw, emails obtained in a public records request show. Two days later, however, the Governor publicly accused Renaud of crimes. Also in the request, emails show that a day before the article was published the state's cybersecurity specialist informed other state officials that "[FBI Agent] Kyler [Storm] after reading the emails from the reporter that this incident is not an actual network intrusion".

St Louis Dispatch reporter, Josh Renaud, had discovered that the state's website was exposing the Social Security Numbers of teachers and other school employees in the HTML code of the state's site. He informed the state, which fixed the flaw, and he delayed publishing the article until after the flaw was fixed. The article was published on October 14. The same day, Governor Parson accused Renaud of cyber crimes. A week later, Parson doubled down after criticism.

Submission: Better.com CEO Vishal Garg fires 15% of his workforce on a Zoom call (forbes.com)

McGruber writes: Vishal Garg, CEO of unicorn mortgage lender startup Better.com, bluntly informed his 900 employees that a large number of people would be fired, in a cold, awkward one-way video announcement on Thursday.

Looking visibly uncomfortable, Garg said that 15% of the workforce would be laid off. In a monotone voice, he said, “This is the second time in my career I’m doing this and I do not want to do this. The last time I did it, I cried; this time, I hope to be stronger.”

During the holiday season, it's standard company practice to hold off on bad news, such as mass terminations. Instead of waiting some weeks for the staff to enjoy family and friends during the holiday season, Garg dropped the bombshell announcement, “If you’re on this call, you are part of the unlucky group that is being laid off. Your employment here is terminated effective immediately.”

In a video version of the termination call, a presumably disgruntled employee cursed out the CEO, saying “F*ck you, dude.” Garg did say, “I wish you all the best of luck.”

The mass-firing happened right after Better.com received a $750 million cash infusion bringing the company's valuation to around $7 billion.

Submission: Exploit Lets Spoofed Addresses Masquerade as Legit on Linux Servers (arstechnica.com)

shoor writes: The exploit may allow malicious hackers to redirect inquiries to phishing and other malware sites that are replicas of legitimate sites. A new DNS spec was supposed to randomize the port DNS queries come from, closing off an exploit that allowed attackers to introduce a malicious IP address into a DNS resolver's cache. Under the new spec, an ICMP probe can change internal state in the Linux Kernel in a way that can be observed through a side channel.

Submission: Emotet botnet returns after law enforcement mass-uninstall operation (therecord.media)

An anonymous reader writes: The Emotet malware botnet is back up and running once again almost ten months after an international law enforcement operation took down its command and control servers earlier this year in January.

The comeback is surprising because after taking over Emotet’s server infrastructure, law enforcement officials also orchestrated a mass-uninstall of the malware from all infected computers on April 25, effectively wiping out the entire botnet across the internet.

Submission: Nigeria's E-Naira Lures About Half a Million People Weeks After Its Launch

An anonymous reader writes: Nigerian central bank’s digital currency has lured about half a million users three weeks after it was introduced in a move to entice people away from crypto currencies. Adoption rate for the Central Bank of Nigeria digital currency called eNaira “has been excellent,” according to Osita Nwanisobi, spokesman for the Abuja-based lender. More than 488,000 people have downloaded the consumer wallet — that’s needed to transact eNaira — while about 78,000 merchants from more than 160 countries have enrolled, Nwanisobi said by phone.

The central bank is opposed to crypto currencies but that hasn’t stopped Nigerians from using virtual currencies as a hedge against the nation’s capital controls and to remit money. Demand is so large that individuals in the West African nation hold the world’s highest proportion of such assets per capita, according to a survey by Statista. About 62 million naira ($150,000) of the virtual currency have been traded since it was introduced, according to Nwanisobi. The nation has traded 60,215 Bitcoins since 2017 to the end of last year — valued at $3.9 billion as of Monday — the largest volume outside the U.S., according to Paxful, a peer-to-peer Bitcoin marketplace. It also has the largest proportion of retail users conducting transactions under $10,000, according to Chainalysis.


Submission: Russia May Have Just Shot Down Its Own Satellite, Creating a Huge Debris Cloud

An anonymous reader writes: The seven astronauts and cosmonauts onboard the International Space Station sheltered inside their respective spacecraft, a Crew Dragon and Soyuz, on Monday morning as the orbiting laboratory passed through an unexpected debris field. This was not a pre-planned collision avoidance maneuver in low Earth orbit, in which the station would use onboard propulsion to move away. Rather, the situation required the astronauts to quickly take shelter. Had there been a collision during the conjunction, the two spacecraft would have been able to detach from the space station and make an emergency return to Earth. Ultimately that was not necessary, and the astronauts reemerged into the space station later Monday. However, as the crew on board the station prepared for their sleep schedule, Mission Control in Houston asked them to keep as many of the hatches onboard the space station closed for the time being, in case of an unexpected collision during subsequent orbits.

It appears likely that the debris field that had alarmed flight controllers on Monday was caused by an anti-satellite test performed by Russia's military early on Monday. [...] It appears that Russia launched a surface-to-space Nudol missile on Monday, between 02:00 and 05:00 UTC, from the Plesetsk Cosmodrome in the northern part of the country. The missile then struck an older satellite, Cosmos 1408. Launched in 1982, the satellite had been slowly losing altitude and was a little more than 450 km above the Earth. This is a large satellite, with a mass of about 2,000 kg. As of Monday afternoon, US Space Command said it was already tracking more than 1,000 pieces of new debris. Although the satellite's altitude is higher than the International Space Station, which is about 400 km above the surface, a kinetic impact would spread a large cloud of debris. Satellite expert Jonathan McDowell believes the Cosmos 1408 satellite is the likely candidate for the space station's ongoing debris event.

During a daily briefing today, US State Department Spokesman Ned Price said the test had created more than 1,500 pieces of trackable debris and hundreds of thousands of pieces of un-trackable debris. "The Russian Federation recklessly conducted a destructive satellite test of a direct-ascent anti-satellite missile against one of its own satellites," Price said. "This test will significantly increase the risk to astronauts and cosmonauts on the International Space Station as well as to other human spaceflight activities. Russia's dangerous and irresponsible behavior jeopardizes the long-term sustainability of outer space."


Submission: Unprivileged attack on Rowhammer Memory Exploit (arstechnica.com)

shoor writes: An unprivileged application can corrupt data in memory by accessing ("hammering") rows of DDR4 memory in certain patterns millions of times a second, giving those untrusted applications nearly unfettered system privileges.
