Three Romanians ran a complicated online fraud operation -- along with a massive malware botnet -- for nine years, reports ZDNet, netting tens of millions of US dollars, but their crime spree is now over. But now they're all facing long prison sentences.

"The three were arrested in late 2016 after the FBI and Symantec had silently stalked their malware servers for years, patiently waiting for the highly skilled group to make mistakes that would leave enough of a breadcrumb trail to follow back to their real identities."

An anonymous Slashdot reader writes: The group started from simple eBay scams [involving non-existent cars and even a fake trucking company] to running one of the most widespread keylogger trojans around. They were considered one of the most advanced groups around, using PGP email and OTR encryption when most hackers were defacing sites under the Anonymous moniker, and using multiple proxy layers to protect their infrastructure. The group operated tens of fake websites, including a Yahoo subsidiary clone, conned and stole money from their own money mules, and were of the first groups to deploy Bitcoin crypto-mining malware on desktops, when Bitcoin could still be mined on PCs.

The Bayrob group was led by one of Romania's top IT students, who went to the dark side and helped create a malware operation that took nine years for US authorities and the FBI to track and eventually take down. Before turning hacker, he was the coach of Romania's national computer science team, although he was still a student, and won numerous awards in programming and CS contests.

An anonymous reader quotes a report from Ars Technica: Mirai, the "botnet" malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016 -- including one against the website of security reporter Brian Krebs -- has gotten a number of recent updates. Now, developers using the widely distributed "open" source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.

Researchers at Palo Alto Networks' Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, base band radios for cellular communications and digital signal processors. The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.

An anonymous reader quotes a report from ZDNet: Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices -- smart signage TVs and wireless presentation systems. This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks have spotted earlier this year. The botnet's author(s) appears to have invested quite a lot of their time in upgrading older versions of the Mirai malware with new exploits. Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. Furthermore, the botnet operator has also expanded Mirai's built-in list of default credentials, that the malware is using to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default creds, researchers said in a report published earlier today.

The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices. The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems. The new Mirai botnet is specifically targeting LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.

An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.

All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

itwbennett writes: Security researchers at Varonis have uncovered a new attack using a new version of the venerable Qbot malware that "creates scheduled tasks and adds entries to the system registry to achieve persistence," writes Lucian Constantin, reporting on the attack for CSO. "The malware then starts recording all keystrokes typed by users, steals credentials and authentication cookies saved inside browsers, and injects malicious code into other processes to search for and steal financial-related text strings." The researchers "found logs showing 2,726 unique victim IP addresses," writes Constantin, but because "computers inside an organization typically access the internet through a shared IP address, the researchers believe the number of individually infected systems to be much larger." The malware first appeared in 2009 and was found to be uploading 2GB of stolen confidential information to its FTP servers each week by April 2010 from private and public sector computers, including 1,100 on the NHS network in the UK. A modified version of the malware resurfaced in April 2016 that was believed to have infected more than 54,000 PCs in thousands of organizations around the world. As Varonis now reports, Qbot is making yet another comeback.

We'll likely see a rise in internet blackouts in 2019, for two reasons: countries deliberately "turning off" the internet within their borders, and hackers disrupting segments of the internet with distributed denial-of-service (DDoS) attacks. Above all, both will force policymakers everywhere to reckon with the fact that the internet itself is increasingly becoming centralized -- and therefore increasingly vulnerable to manipulation, making everyone less safe. From a report: The first method -- states deliberately severing internet connections within their country -- has an important history. In 2004, the Maldivian government caused an internet blackout when citizens protested the president; Nepal similarly caused a blackout shortly thereafter. In 2007, the Burmese government apparently damaged an underwater internet cable in order to "staunch the flow of pictures and messages from protesters reaching the outside world." In 2011, Egypt cut most internet and cell services within its borders as the government attempted to quell protests against then-President Hosni Mubarak; Libya then did the same after its own unrest.

In 2014, Syria had a major internet outage amid its civil war. In 2018, Mauritania was taken entirely offline for two days when undersea submarine internet cables were cut, around the same time as the Sierra Leone government may have imposed an internet blackout in the same region. When we think about terms like "cyberspace" and "internet," it can be tempting to associate them with vague notions of a digital world we can't touch. And while this is perhaps useful in some contexts, this line of thinking forgets the very real wires, servers, and other hardware that form the architecture of the internet. If these physical elements cease to function, from a cut wire to a storm-damaged server farm, the internet, too, is affected. More than that, if a single entity controls -- or can at least access -- that hardware for a region or even an entire country, government-caused internet blackouts are a tempting method of censorship and social control.

One study found that 66% of tweets with links were posted by "suspected bots" -- with an even higher percentage for certain kinds of content. Now a new California law will require bots to disclose that they are bots.

But does that violate the bots' freedom of speech, asks Laurent Sacharoff, a law professor at the University of Arkansas. "Even though bots are abstract entities, we might think of them as having free speech rights to the extent that they are promoting or promulgating useful information for the rest of us," Sacharoff says. "That's one theory of why a bot would have a First Amendment free speech right, almost independent of its creators." Alternatively, the bots could just be viewed as direct extensions of their human creators. In either case -- whether because of an independent right to free speech or because of a human creator's right -- Sacharoff says, "you can get to one or another nature of bots having some kind of free speech right."

In previous Bulletin coverage, the author of the new California law dismisses the idea that the law violates free speech rights. State Sen. Robert Hertzberg says anonymous marketing and electioneering bots are committing fraud. "My point is, you can say whatever the heck you want," Hertzberg says. "I don't want to control one bit of the content of what's being said. Zero, zero, zero, zero, zero, zero. All I want is for the person who has to hear the content to know it comes from a computer. To me, that's a fraud element versus a free speech element."

Sacharoff believes that the issue of bots and their potential First Amendment rights may one day have its day in court. Campaigns, he says, will find that bots are helpful and that their "usefulness derives from the fact that they don't have to disclose that they're bots. If some account is retweeting something, if they have to say, 'I'm a bot' every time, then it's less effective. So sure I can see some campaign seeking a declaratory judgment that the law is invalid," he says. "Ditto, I guess, [for] selling stuff on the commercial side."

Long-time Slashdot reader AmiMoJo shared this article from New York magazine: In late November, the Justice Department unsealed indictments against eight people accused of fleecing advertisers of $36 million in two of the largest digital ad-fraud operations ever uncovered... Hucksters infected 1.7 million computers with malware that remotely directed traffic to "spoofed" websites.... [B]ots "faked clicks, mouse movements, and social network login information to masquerade as engaged human consumers." Some were sent to browse the internet to gather tracking cookies from other websites, just as a human visitor would have done through regular behavior. Fake people with fake cookies and fake social-media accounts, fake-moving their fake cursors, fake-clicking on fake websites -- the fraudsters had essentially created a simulacrum of the internet, where the only real things were the ads.

How much of the internet is fake? Studies generally suggest that, year after year, less than 60 percent of web traffic is human; some years, according to some researchers, a healthy majority of it is bot. For a period of time in 2013, the Times reported this year, a full half of YouTube traffic was "bots masquerading as people," a portion so high that employees feared an inflection point after which YouTube's systems for detecting fraudulent traffic would begin to regard bot traffic as real and human traffic as fake. They called this hypothetical event "the Inversion...."

[N]ot even Facebook, the world's greatest data-gathering organization, seems able to produce genuine figures. In October, small advertisers filed suit against the social-media giant, accusing it of covering up, for a year, its significant overstatements of the time users spent watching videos on the platform (by 60 to 80âpercent, Facebook says; by 150 to 900 percent, the plaintiffs say). According to an exhaustive list at MarketingLand, over the past two years Facebook has admitted to misreporting the reach of posts on Facebook Pages (in two different ways), the rate at which viewers complete ad videos, the average time spent reading its "Instant Articles," the amount of referral traffic from Facebook to external websites, the number of views that videos received via Facebook's mobile site, and the number of video views in Instant Articles.
On Twitter the author also shared a Twitter thread by the Washington Post's director of advertising technology, who shares his own complaints about the ecosystem of online advertising. "The problem isn't just that the internet is full of fakery and bullshit and bad numbers and malfunctioning metrics and bullshitters and fraudsters. The problem is that all the fake shit is layered on top of other fake shit and it just COMPOUNDS itself... Like you get fake users, who get autoplay videos which no one is really watching....

"That's not even counting the entire ad campaigns that are fake where the product is just a bullshit excuse to collect data on you."

In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.

An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.

An anonymous reader quotes a report from ZDNet: A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned. The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. "I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions." But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.

At the Usenix Security conference this week, a group of Princeton University security researchers will present a study that considers a little-examined question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side? From a report: In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters. Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid. Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people -- a population roughly equal to Canada or California -- the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners. "Power grids are stable as long as supply is equal to demand," says Saleh Soltan, a researcher in Princeton's Department of Electrical Engineering, who led the study. "If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want."

Trailrunner7 writes: Twitter has something of a bot problem. Anyone who uses the platform on even an occasional basis likely could point out automated accounts without much trouble. But detecting bots at scale is a much more complex problem, one that a pair of security researchers decided to tackle by building their own classifier and analyzing the characteristics and behavior of 88 million Twitter accounts. Using a machine learning model with a set of 20 distinct characteristics such as the number of tweets relative to the age of the account and the speed of replies and retweets, the classifier is able to detect bots with about 98 percent accuracy. The tool outputs a probability that a given account is a bot, with anything above 50 percent likely being a bot.

During their research, conducted from May through July, Jordan Wright and Olabode Anise of Duo Security discovered an organized network of more than 15,000 bots that was being used to promote a cryptocurrency scam. The botnet, which is still partially active, spoofs many legitimate accounts and even took over some verified accounts as part of a scheme designed to trick victims into sending small amounts of the cryptocurrency Ethereum to a specific address. Unlike most botnets, the Ethereum network has a hierarchical structure, with a division of labor among the bots. Usually, each bot in a network performs the same task, whether that's launching a DDoS attack or mining Bitcoin on a compromised machine. But the Ethereum botnet had clusters of bots with a three-tier organization. Some of the bots published the scam tweets, while others amplified those tweets or served as hub accounts for others to follow. Wright and Anise mapped the social media connections between the various accounts and looked at which accounts followed which others to create a better picture of the network. Anise and Wright will discuss the results of their research during a talk at the Black Hat USA conference on Wednesday and will release their detection tool as an open source project that day, too.

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands devices. Ars Technica reports: Researchers from Cisco's Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI's advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves. The Justice Department and U.S. Department of Homeland Security have also issued statements advising users to reboot their routers as soon as possible.

The Daily Beast reports that the FBI has seized control of a key server in the Kremlin's global botnet of 500,000 hacked routers. "The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow's ability to reinfect its targets," writes Kevin Poulsen. From the report: The FBI counter-operation goes after "VPN Filter," a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.

VPN Filter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim's Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.

An anonymous reader quotes Ars Technica: Criminals infected more than 100,000 computers with browser extensions that stole login credentials, surreptitiously mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google's official Chrome Web Store. The scam was active since at least March with seven malicious extensions known so far, researchers with security firm Radware reported Thursday. Google's security team removed five of the extensions on its own and removed two more after Radware reported them. In all, the malicious add-ons infected more than 100,000 users, at least one inside a "well-protected network" of an unnamed global manufacturing firm, Radware said...

The extensions were being pushed in links sent over Facebook that led people to a fake YouTube page that asked for an extension to be installed. Once installed, the extensions executed JavaScript that made the computers part of a botnet. The botnet stole Facebook and Instagram credentials and collected details from a victim's Facebook account. The botnet then used that pilfered information to send links to friends of the infected person. Those links pushed the same malicious extensions. If any of those friends followed the link, the whole infection process started all over again. The botnet also installed cryptocurrency miners that mined the monero, bytecoin, and electroneum digital coins.

Two vulnerabilities affecting over one million routers, and disclosed earlier this week, are now under attack by botnet herders, who are trying to gather the vulnerable devices under their control. From a report: Attacks started yesterday, Thursday, May 3, according to Netlab, the network security division of Chinese cyber-security vendor Qihoo 360. Exploitation of these two flaws started after on Monday, April 30, an anonymous researcher published details of the two vulnerabilities via the VPNMentor blog. His findings detail two flaws -- an authentication bypass (CVE-2018-10561) and a remote code execution vulnerability (CVE-2018-10562). The most ludicrous of these two flaws is the first, which basically allows anyone to access the router's internal settings by appending the "?images" string to any URL, effectively giving anyone control over the router's configuration.

Researchers with Netlab 360 warn that attackers are mass-exploiting "Drupalgeddon2," the name of an extremely critical vulnerability Drupal maintainers patched in late March. The exploit allows them to take control of powerful website servers. Ars Technica reports: Formally indexed as CVE- 2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers.

Drupalgeddon2 "is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses," Daniel Cid, CTO and founder of security firm Sucuri, told Ars. "Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can." China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.

The founder of Rendition Security believes his daughter "is more safe on a Chromebook than a Windows laptop," and he's not the only one. CNET's staff reporter argues that Google's push for simplicity, speed, and security "ended up playing off each other." mspohr shared this article: Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out -- perhaps something out of a scene from "Mr. Robot." That's not what I got. Everywhere I went I'd see small groups of people carrying Chromebooks, and they'd tell me that when heading into unknown territory it was their travel device... "If you want prehardened security, then Chromebooks are it," said Kenneth White, director of the Open Crypto Audit Project. "Not because they're Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle...." Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010: sandboxing, verified boots, power washing and quick updates. These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did.

That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store. But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.
The article argues that "Fewer software choices mean limited options for hackers. Those are some of the benefits that have led security researchers to warm up to the laptops...

"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."