
Swiss Police Raid Apartment of Verkada Hacker, Seize Devices

Author: msmash
March 13, 2021 03:04
Swiss authorities raided the apartment Friday of a hacker who claimed credit for breaching the Silicon Valley security camera company Verkada and gaining access to its customers' surveillance feeds, according to the hacker and a search warrant seen by Bloomberg News. From the report: Tillie Kottmann said their apartment in Lucerne, Switzerland, was raided and that police seized the hacker's electronic devices. The warrant was based on an alleged hack that took place last year and not on the recent breach of Verkada. After being notified of the breach by Bloomberg News, Verkada referred the matter to the FBI. The breach exposed live camera feeds of companies like Tesla, as well as hospitals, jails, and schools. According to a copy of the search warrant provided to Bloomberg News, the search was conducted as part of a U.S. criminal case against Kottmann in the Western District of Washington. The warrant requested documents related to hacking as well as information on cryptocurrency holdings. Kottmann has been accused of unauthorized access to protected computers, identity theft, and fraud.

Read more of this story at Slashdot.

Linux Foundation Debuts Sigstore Project for Software Signing

Author: msmash
March 10, 2021 23:45
The Linux Foundation has announced the launch of Sigstore, a new nonprofit initiative that aims to improve open source software supply chain security by making it easier for developers to adopt cryptographic signing for different components of the software development process. From a report: Sigstore will be free for software providers and developers, who can use it to securely sign software artifacts such as release files, container images, binaries, and bill-of-material manifests. Signing materials are then stored in a tamper-proof public log. The service's code and operation tooling will be fully open source and maintained and developed by the Sigstore community. Founding members include Red Hat, Google, and Purdue University. The idea for the service came from Luke Hinds, security engineering lead in Red Hat's Office of the CTO. He pitched the concept to Google software engineer Dan Lorenc, and the two began to work on it. Now the Sigstore project has a "small but agile community" working on its development, Lorenc says.

How a Malicious Actor Targeted a Go Package On GitHub

Author: EditorDavid
March 8, 2021 00:34
ArghBlarg (Slashdot reader #79,067) shares some research from a senior application security engineer at GitLab: Michael Henrikson describes his investigations into Go package manager "supply chain" attacks and has found at least one very suspicious package, typosquatting on one of the most popular logging libraries. The imposter package phones home to an IP he alleges belongs to the Chinese company Tencent, a good case for always going over your package imports, in any language, and ensuring you're either a) auditing them regularly, or b) keeping frozen vendored copies which you can trust. From the article: I honestly expected the list to be bigger, but I was of course happy to see that the Go ecosystem isn't completely infested (yet) with malicious typosquat packages... It looks like the author utfave wants to know the hostname, operating system, and architecture of all the machines using their version of urfave/cli. The function extracts the system information and then calls out to the IP address 122.51.124.140 belonging to the Chinese company Shenzhen Tencent Computer Systems via HTTP with the system information added as URL parameters. While this code won't give them any access to systems, it's highly suspicious that they collect this information and the actor can quickly change this code to call back with a reverse shell if they identify a system to be valuable or interesting... I think Go is in a better situation than other programming languages because the source of packages is always explicitly written every time they are used, but code editor automation could make typosquat attacks more likely to happen as the developer doesn't write the import paths manually as often.
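To turn the advice above (go over your imports and look for near-misses of the packages you trust) into a mechanical check, here is an added example in Go; it is not Henrikson's code or GitLab's. It parses the import section of a Go source file with the standard library's go/parser and reports any import path that is not on an allowlist but lies within a couple of edits of an allowlisted path. The allowlist `TrustedImports` and the embedded sample source are assumptions constructed for the example; the `utfave`/`urfave` pair is the one named in the article.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// sampleSource is a constructed Go file; "github.com/utfave/cli" is the
// typosquat name from the article, one letter away from urfave/cli.
const sampleSource = `package main

import (
	"fmt"
	"github.com/utfave/cli"
)

func main() { fmt.Println("hi") }
`

// TrustedImports is an assumed allowlist of vetted third-party modules
// (urfave/cli is from the article; logrus stands in for a logging library).
var TrustedImports = []string{
	"github.com/urfave/cli",
	"github.com/sirupsen/logrus",
}

// Finding records an import that is a near-miss of a trusted path.
type Finding struct {
	Import  string // path as written in the source
	Nearest string // closest trusted path
	Dist    int    // edit distance between the two
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance between a and b (insert, delete
// and substitute each cost 1), using two rolling rows of the DP table.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// ExtractImports parses only the import section of a Go file and
// returns the unquoted import paths.
func ExtractImports(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// CheckImports flags every import that is not allowlisted but is within
// maxDist edits of an allowlisted path: the typosquat pattern.
func CheckImports(imports, trusted []string, maxDist int) []Finding {
	allowed := make(map[string]bool, len(trusted))
	for _, t := range trusted {
		allowed[t] = true
	}
	var findings []Finding
	for _, imp := range imports {
		if allowed[imp] {
			continue
		}
		nearest, best := "", -1
		for _, t := range trusted {
			if d := levenshtein(imp, t); best < 0 || d < best {
				nearest, best = t, d
			}
		}
		if best > 0 && best <= maxDist {
			findings = append(findings, Finding{imp, nearest, best})
		}
	}
	return findings
}

func main() {
	imports, err := ExtractImports(sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range CheckImports(imports, TrustedImports, 2) {
		fmt.Printf("suspicious import %q (%d edit(s) from trusted %q)\n", f.Import, f.Dist, f.Nearest)
	}
}
```

Run it with `go run` and it reports the `utfave` import as one edit away from `urfave/cli`. In a real pipeline you would feed it every file in the module (or the output of `go list`) and treat an import that is neither allowlisted nor a near-miss as "unknown, needs review" rather than silently accepting it: a distance threshold catches the single-character squat shown in the article, but an allowlist is what catches the rest.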

At Least 30,000 US Organizations Newly Hacked Via Holes In Microsoft's Email Software

Author: BeauHD
March 6, 2021 09:02
An anonymous reader quotes a report from Krebs On Security: At least 30,000 organizations across the United States -- including a significant number of small businesses, towns, cities and local governments -- have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems. In each incident, the intruders have left behind a "web shell," an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser that gives the attackers administrative access to the victim's computer servers. Speaking on condition of anonymity, two cybersecurity experts who've briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over "hundreds of thousands" of Microsoft Exchange Servers worldwide -- with each victim system representing approximately one organization that uses Exchange to process email. Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed "Hafnium," and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft's initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. "We've worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today," Volexity President Steven Adair said. "Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server. The truth is, if you're running Exchange and you haven't patched this yet, there's a very high chance that your organization is already compromised." A Microsoft spokesperson said in a statement: "The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources."

Three Top Russian Cybercrime Forums Hacked

Author: msmash
March 5, 2021 05:05
tsu doh nimh shares a report: Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums' user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. "Maza," "MFclub"), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves. At the top of a 35-page PDF leaked online is a private encryption key allegedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as "I seek you," was an instant message platform trusted by countless early denizens of these older crime forums before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram. This is notable because ICQ numbers tied to specific accounts often are a reliable data point that security researchers can use to connect multiple accounts to the same user across many forums and different nicknames over time. Cyber intelligence firm Intel 471 assesses that the leaked Maza database is legitimate.

US Issues Warning After Microsoft Says China Hacked Its Mail Server Program

Author: BeauHD
March 4, 2021 12:30
An anonymous reader quotes a report from NBC News: The U.S. has issued an emergency warning after Microsoft said it caught China hacking into its mail and calendar server program, called Exchange. The perpetrator, Microsoft said in a blog post, is a hacker group that the company has "high confidence" is working for the Chinese government and primarily spies on American targets. The latest software update for Exchange blocks the hackers, prompting the U.S. Cybersecurity and Infrastructure Security Agency to issue a rare emergency directive that requires all government networks do so. CISA, the U.S.'s primary defensive cybersecurity agency, rarely exercises its authority to demand the entire U.S. government take protective steps to protect its cybersecurity. The move was necessary, the agency announced, because the Exchange hackers are able "to gain persistent system access." All government agencies have until noon Friday to download the latest software update. In a separate blog post, Microsoft Vice President Tom Burt wrote that the hackers have recently spied on a wide range of American targets, including disease researchers, law firms and defense contractors. There was no immediate indication that the hack led to significant exploitation of U.S. government computer networks. But the announcement marks the second instance in recent months that the U.S. scrambled to address a widespread hacking campaign believed to be the work of foreign government spies.

Far-Right Platform Gab Has Been Hacked

Author: BeauHD
March 2, 2021 08:20
The far-right social media platform Gab says a trove of its contents has been stolen in a security breach -- including passwords and private communications. Wired reports: On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls GabLeaks, a collection of more than 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says a hacktivist who self-identifies as "JaXpArO and My Little Anonymous Revival Project" siphoned that data out of Gab's backend databases in an effort to expose the platform's largely right-wing users. Those Gab patrons, whose numbers have swelled after Parler went offline, include large numbers of Qanon conspiracy theorists, white nationalists, and promoters of former president Donald Trump's election-stealing conspiracies that resulted in the January 6 riot on Capitol Hill. DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab's public posts and profiles -- with the exception of any photos or videos uploaded to the site -- but also private group and private individual account posts and messages, as well as user passwords and group passwords. "It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content," Best wrote in a text message interview with WIRED. "It's another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6." DDoSecrets says it's not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. 
According to DDoSecrets' Best, the hacker says that they pulled out Gab's data via a SQL injection vulnerability in the site -- a common web bug in which a text field on a site doesn't differentiate between a user's input and commands in the site's code, allowing a hacker to reach in and meddle with its backend SQL database. Despite the hacker's reference to an "Anonymous Revival Project," they're not associated with the loose hacker collective Anonymous, they told Best, but do "want to represent the nameless struggling masses against capitalists and fascists." The company's CEO, Andrew Torba, responded in a public statement on the company's blog that "reporters, who write for a publication that has written many hit pieces on Gab in the past, are in direct contact with the hacker and are essentially assisting the hacker in his efforts to smear our business and hurt you, our users."

First Fully Weaponized Spectre Exploit Discovered Online

Author: msmash
March 2, 2021 03:41
Catalin Cimpanu, reporting for The Record: A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain. The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018. [...] The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU. Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security. Software patches were released at the time, but the Meltdown and Spectre disclosures forced Intel to rethink its entire approach to CPU designs going forward. At the time, the teams behind the Meltdown and Spectre bugs published their work in the form of research papers and some trivial proof-of-concept code to prove their attacks. Shortly after the Meltdown and Spectre publications, experts at AV-TEST, Fortinet, and Minerva Labs spotted a spike in VirusTotal uploads for both CPU bugs. While initially there was a fear that malware authors might be experimenting with the two bugs as a way to steal data from targeted systems, the exploits were classified as harmless variations of the public PoC code published by the Meltdown and Spectre researchers and no evidence was found of in-the-wild attacks. But today, Voisin said he discovered new Spectre exploits -- one for Windows and one for Linux -- different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.

Go Malware is Now Common, Having Been Adopted by Both APTs and E-crime Groups

Author: msmash
March 2, 2021 00:45
The number of malware strains coded in the Go programming language has seen a sharp increase of around 2,000% over the last few years, since 2017, cybersecurity firm Intezer said in a report published recently. From a report: The company's findings highlight and confirm a general trend in the malware ecosystem, where malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007. While the first Go-based malware was detected in 2012, it took, however, a few years for Golang to catch on with the malware scene. "Before 2019, spotting malware written in Go was more a rare occurrence and during 2019 it became a daily occurrence," Intezer said in its report. But in the new report, Golang (as it's often also referred to instead of Go) has broken through and has been widely adopted. It is used by nation-state hacking groups (also known as APTs), cybercrime operators, and even security teams alike, who often used it to create penetration-testing toolkits.

Flaws In Zoom's Keybase App Kept Chat Images From Being Deleted

Author: EditorDavid
March 1, 2021 01:34
chicksdaddy writes: The Security Ledger reports that a flaw in Zoom's Keybase secure chat application left copies of images contained in secure communications on Keybase users' computers after they were supposedly deleted, according to researchers from the security research group Sakura Samurai. The flaw in the encrypted messaging application, CVE-2021-23827, does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services. It comes as millions of users have flocked to apps like Keybase, Signal and Telegram in recent months. Sakura Samurai researchers Aubrey Cottle, Robert Willis, and Jackson Henry discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, researcher John Jackson told Security Ledger. In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security "very seriously." "We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates," the spokesman said. In most cases, the failure to remove files from cache after they were deleted would count as a "low priority" security flaw. However, in the context of an end-to-end encrypted communications application like Keybase, the failure takes on added weight, Jackson wrote.

Introducing Crowdsec: a Modernized, Collaborative Massively Multiplayer Firewall

Author: EditorDavid
March 1, 2021 00:34
Slashdot reader b-dayyy writes: CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool. CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It uses a behavior analysis system to qualify whether someone is trying to hack you, based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to 'immunize' them against this IP. The goal is to leverage the power of the crowd to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the community to create an extremely accurate IP reputation system that benefits all its users. It was clear to the founders that Open Source was going to be one of the main pillars of CrowdSec. The project's founders have been working on open-source projects for decades — they didn't just jump on the train. Rather, they are strong Open Source believers. They believe that the crowd is key to the mass hacking plague we are experiencing, and that Open Source is the best lever to create a community and have people contribute their knowledge to the project, ultimately making it better and more secure. The solution recently turned 1.x, introducing a major architectural change: the introduction of a local REST API.

Jamaica's JamCOVID Pulled Offline After Third Security Lapse Exposed Travelers' Data

Author: msmash
February 27, 2021 21:00
Jamaica's JamCOVID app and website were taken offline late on Thursday following a third security lapse, which exposed quarantine orders on more than half a million travelers to the island. From a report: JamCOVID was set up last year to help the government process travelers arriving on the island. Quarantine orders are issued by the Jamaican Ministry of Health and instruct travelers to stay in their accommodation for two weeks to prevent the spread of COVID-19. These orders contain the traveler's name and the address of where they are ordered to stay. But a security researcher told TechCrunch that the quarantine orders were publicly accessible from the JamCOVID website but were not protected with a password. Although the files were accessible from anyone's web browser, the researcher asked not to be named for fear of legal repercussions from the Jamaican government. More than 500,000 quarantine orders were exposed, some dating back to March 2020. TechCrunch shared these details with the Jamaica Gleaner, which was first to report on the security lapse after the news outlet verified the data spillage with local cybersecurity experts. Amber Group, which was contracted to build and maintain the JamCOVID coronavirus dashboard and immigration service, pulled the service offline a short time after TechCrunch and the Jamaica Gleaner contacted the company on Thursday evening. JamCOVID's website was replaced with a holding page that said the site was "under maintenance." At the time of publication, the site had returned.

CD Projekt Ransomware Hack Severely Disrupts Work on Cyberpunk Updates

Author: msmash
February 25, 2021 18:00
CD Projekt SA said Wednesday it will delay a promised update to the much-criticized role-playing game Cyberpunk 2077, pinning the blame for its slow progress on a recent security breach. From a report: What the Polish publisher didn't say is that most of its employees have been locked out of their workstations for the past two weeks, according to people familiar with the matter. The work stoppage is the result of a ransomware attack disclosed on Feb. 9. The extent of the disruption, which hasn't been previously reported, poses a major setback to CD Projekt's attempt to rescue a game in desperate need of repairs. CD Projekt has said it refused to pay a ransom to the hackers. As a result, employees remain unable to log onto the company's virtual private network, making it impossible to access the systems and tools needed to do most of their jobs, said the people, requesting anonymity because they weren't authorized to talk publicly. Although some CD Projekt employees are working from the headquarters in Warsaw, the majority are at home due to the coronavirus pandemic.

Flash Version Distributed in China After EOL is Installing Adware

Author: msmash
February 24, 2021 08:59
Although the Flash Player app formally reached its end of life on December 31, 2020, Adobe has allowed a local Chinese company to continue distributing Flash inside China, where the application still remains a large part of the local IT ecosystem and is broadly used across both the public and private sectors. From a report: Currently, this Chinese version of the old Flash Player app is available only via flash.cn, a website managed by a company named Zhong Cheng Network, the only entity authorized by Adobe to distribute Flash inside China. But in a report published earlier this month, security firm Minerva Labs said its security products picked up multiple security alerts linked to this Chinese Flash Player version. During subsequent analysis, researchers found that the app was indeed installing a valid version of Flash but also downloading and running additional payloads. More precisely, the app was downloading and running nt.dll, a file that was loaded inside the FlashHelperService.exe process and which proceeded to open a new browser window at regular intervals, showing various ad- and popup-heavy sites.

Experian Challenged Over Massive Data Leak in Brazil

Author: EditorDavid
February 22, 2021 14:34
Experian may be in trouble again — this time in Brazil. ZDNet reports on "the emergence of a leak that exposed the personal data of more than 220 million citizens and companies, which is being offered for sale in the dark web." After receiving feedback from Experian over a massive data leak in Brazil, São Paulo state consumer rights foundation Procon described the company's explanations as "insufficient" and said it is likely that the incident was initiated in a corporate environment... Security firm PSafe discovered the incident, which exposed all manner of personal details, including information from Mosaic, a consumer segmentation model used by Serasa, Experian's Brazilian subsidiary. Following the emergence of the leak in January, Procon notified the credit bureau, and asked the company for a confirmation of the incident, and an explanation of the reasons that caused the leak, the steps taken to contain it, how it will repair the damage to consumers impacted and the measures taken to prevent it from happening again... Contacted by ZDNet, Serasa Experian did not respond to requests for comment on Procon's response to its feedback. The agency's demands for answers follow calls from the Brazilian Institute for Consumer Protection for urgent measures to investigate and punish those responsible for exposing the population's data, as well as improved citizen information and transparency.

Sophisticated New Malware Found on 30,000 Macs Stumps Security Pros

Author: EditorDavid
February 21, 2021 21:04
Long-time Slashdot reader b0s0z0ku quotes Ars Technica: A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, which are still trying to understand precisely what it does and what purpose its self-destruct capability serves. Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware's ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met. Also curious, the malware comes with a mechanism to completely remove itself, a capability that's typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question why the mechanism exists. Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so... The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Red Canary, the security firm that discovered the malware, has named it "Silver Sparrow." Long-time Slashdot reader Nihilist_CE writes: First detected in August of 2020, the Silver Sparrow malware is interesting in several unsettling ways. It uses the macOS Installer Javascript API to launch a bash process to gain a foothold into the user's system, a hitherto-unobserved method for bypassing malware detection. This bash shell is then used to invoke macOS's built-in PlistBuddy tool to create a LaunchAgent which executes a bash script every hour. This is the command and control process, which downloads a JSON file containing (potentially) new instructions. 
Besides the novel installation method, Silver Sparrow is also mysterious in its payload: a single, tiny binary that does nothing but open a window reading "Hello, World!" (in v1, which targets Intel Macs) or "You did it!" (in v2, which is an M1-compatible fat binary). These "bystander binaries" are never executed and appear to be proofs-of-concept or placeholders for future functionality.
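The persistence step described above (a LaunchAgent whose ProgramArguments invoke bash and whose StartInterval fires every hour) is something a defender can hunt for in a user's LaunchAgents directory. The Go program below is an added example, not Red Canary's tooling or the malware's own code: it parses a LaunchAgent plist from the XML token stream with the standard library's encoding/xml and reports those two traits. Both plists embedded in it are constructed for the example; the labels and script paths are placeholders, not real indicators of compromise.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"path"
	"strconv"
	"strings"
)

// LaunchAgent holds the launchd plist fields this check cares about.
type LaunchAgent struct {
	Label            string
	ProgramArguments []string
	StartInterval    int // seconds between runs; 0 if the key is absent
}

// samplePlist is constructed to show the traits the article attributes to
// Silver Sparrow: a shell interpreter as the program, run hourly.
// The label and script path are placeholders.
const samplePlist = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.example.placeholder.agent</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/bash</string>
		<string>/tmp/example-agent.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>3600</integer>
</dict>
</plist>
`

// benignPlist is a constructed agent that runs a native binary once a day.
const benignPlist = `<plist version="1.0"><dict>
	<key>Label</key><string>com.example.placeholder.backup</string>
	<key>ProgramArguments</key>
	<array><string>/usr/local/bin/backup-tool</string><string>--nightly</string></array>
	<key>StartInterval</key><integer>86400</integer>
</dict></plist>`

// ParseLaunchAgent walks the plist token stream, pairing each <key> with
// the value element that follows it, and fills in the fields above.
func ParseLaunchAgent(plist string) (LaunchAgent, error) {
	var la LaunchAgent
	dec := xml.NewDecoder(strings.NewReader(plist))
	var key, elem string // last <key> text seen; element whose text is being read
	inArray := false
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return la, nil
		}
		if err != nil {
			return la, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			elem = t.Name.Local
			if elem == "array" {
				inArray = true
			}
		case xml.EndElement:
			if t.Name.Local == "array" {
				inArray = false
			}
			elem = ""
		case xml.CharData:
			text := strings.TrimSpace(string(t))
			if text == "" {
				continue // indentation between elements
			}
			switch {
			case elem == "key":
				key = text
			case elem == "string" && key == "Label":
				la.Label = text
			case elem == "string" && key == "ProgramArguments" && inArray:
				la.ProgramArguments = append(la.ProgramArguments, text)
			case elem == "integer" && key == "StartInterval":
				n, err := strconv.Atoi(text)
				if err != nil {
					return la, err
				}
				la.StartInterval = n
			}
		}
	}
}

// SuspiciousReasons lists which of the two traits an agent shows;
// an empty result means neither matched.
func SuspiciousReasons(la LaunchAgent) []string {
	var reasons []string
	if len(la.ProgramArguments) > 0 {
		switch path.Base(la.ProgramArguments[0]) {
		case "bash", "sh", "zsh":
			reasons = append(reasons, "program is a shell interpreter: "+strings.Join(la.ProgramArguments, " "))
		}
	}
	if la.StartInterval > 0 && la.StartInterval <= 3600 {
		reasons = append(reasons, "runs at least hourly (StartInterval="+strconv.Itoa(la.StartInterval)+")")
	}
	return reasons
}

func main() {
	for _, p := range []string{samplePlist, benignPlist} {
		la, err := ParseLaunchAgent(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", la.Label, SuspiciousReasons(la))
	}
}
```

Point it at the files under ~/Library/LaunchAgents and /Library/LaunchAgents (the example reads embedded strings only) and review anything that reports both reasons; a shell wrapper on an hourly timer is unusual enough for a LaunchAgent that it deserves a look at the script it runs, though legitimate agents do exist, so the output is a triage queue, not a verdict. Binary plists would first need converting with `plutil -convert xml1`, which this parser does not handle.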

Suspected Russian Hackers Used US Networks, Official Says

Author: msmash
February 18, 2021 09:02
A sprawling cyber-attack that compromised popular software created by Texas-based SolarWinds was executed from within the U.S., a top White House official said, though the government believes Russia was responsible. From a report: The federal investigation of the hack will take several months, Deputy National Security Advisor Anne Neuberger said in a briefing for reporters on Wednesday. "As of today, nine federal agencies and about 100 private-sector companies were compromised," Neuberger said. She didn't identify them and said the government hasn't ruled out the possibility of further victims. She said the government believes it's still at the "beginning stages" of understanding the scope and scale of the attack, which was publicly disclosed in December but was likely executed months earlier. "The hackers launched the hack from inside the United States which further made it difficult for the U.S. government to observe their activity," she said. Neuberger is leading the U.S. response to the SolarWinds attack. The Texas-based company's software is used by several government agencies and Fortune 500 companies.

France Says Russian State Hackers Targeted IT Monitoring Firm Centreon's Servers in Years-Long Campaign

Author: msmash
February 16, 2021 10:00
France's cyber-security agency said that a group of Russian military hackers, known as the Sandworm group, has been behind a three-year-long operation during which they breached the internal networks of several French entities running the Centreon IT monitoring software. From a report: The attacks were detailed in a technical report released today by Agence Nationale de la Securite des Systemes d'Information, also known as ANSSI, the country's main cyber-security agency. "This campaign mostly affected information technology providers, especially web hosting providers," ANSSI officials said today. "The first victim seems to have been compromised from late 2017. The campaign lasted until 2020." The point of entry into victim networks was linked to Centreon, an IT resource monitoring platform developed by French company CENTREON, and a product similar in functionality to SolarWinds' Orion platform. ANSSI said the attackers targeted Centreon systems that were left connected to the internet. The French agency couldn't say at the time of writing if the attacks exploited a vulnerability in the Centreon software or if the attackers guessed passwords for admin accounts. However, in the case of a successful intrusion, the attackers installed a version of the P.A.S. web shell and the Exaramel backdoor trojan, two malware strains that when used together allowed hackers full control over the compromised system and its adjacent network.

270 Addresses Are Responsible for 55% of All Cryptocurrency Money Laundering

Author: msmash
February 16, 2021 02:01
Criminals who keep their funds in cryptocurrency tend to launder funds through a small cluster of online services, blockchain investigations firm Chainalysis said in a report last week. From a report: This includes services like high-risk (low-reputation) crypto-exchange portals, online gambling platforms, cryptocurrency mixing services, and financial services that support cryptocurrency operations headquartered in high-risk jurisdictions. Criminal activity studied in this report included cryptocurrency addresses linked to online scams, ransomware attacks, terrorist funding, hacks, transactions linked to child abuse materials, and funds linked to payments made to dark web marketplaces offering illegal services like drugs, weapons, and stolen data. But while you'd expect the money laundering resulting from such a broad spectrum of illegal activity to have taken place across a large number of services, Chainalysis reports that just a small group of 270 blockchain addresses have laundered around 55% of cryptocurrency associated with criminal activity.

SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever, Microsoft President Says

Author: msmash
February 15, 2021 23:02
A hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is "the largest and most sophisticated attack the world has ever seen," Microsoft Corp President Brad Smith said. From a report: The operation, which was identified in December and that the U.S. government has said was likely orchestrated by Russia, breached software made by SolarWinds Corp, giving hackers access to thousands of companies and government offices that used its products. The hackers got access to emails at the U.S. Treasury, Justice and Commerce departments and other agencies. Cybersecurity experts have said it could take months to identify the compromised systems and expel the hackers. "I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen," Smith said during an interview that aired on Sunday on the CBS program "60 Minutes." The breach could have compromised up to 18,000 SolarWinds customers that used the company's Orion network monitoring software, and likely relied on hundreds of engineers.