Security

A Stealthy New Espionage Group is Targeting Corporate Mergers and Acquisitions (techcrunch.com) 6

A new espionage actor is breaching corporate networks to steal emails from employees involved in big financial transactions like mergers and acquisitions. From a report: Mandiant researchers, who first discovered the advanced persistent threat (APT) group in December 2019 and now track it as "UNC3524," say that while the group's corporate targets hint at financial motivation, its longer-than-average dwell time in a victim's environment suggests an intelligence gathering mandate. In some cases, UNC3524 remained undetected in victims' environments for as long as 18 months, versus an average dwell time of 21 days in 2021.

Mandiant credits the group's success at achieving such a long dwell time to its unique approach: the use of a novel backdoor -- tracked as "QuietExit" -- on network appliances that do not support antivirus or endpoint detection, such as storage arrays, load balancers and wireless access point controllers. The QuietExit backdoor's command-and-control servers are part of a botnet built by compromising D-Link and LifeSize conference room camera systems, according to Mandiant, which said the compromised devices were likely breached due to the use of default credentials, rather than an exploit.

Businesses

Apple Lawsuit Says 'Stealth' Startup Poached Engineers To Steal Secrets (reuters.com) 35

Technology startup Rivos allegedly stole Apple's computer-chip trade secrets after poaching its engineers, Apple said in a lawsuit filed in California federal court. From a report: Apple's Friday lawsuit said Mountain View, California-based Rivos has hired over 40 of its former employees in the past year to work on competing "system-on-chip" (SoC) technology, and that at least two former Apple engineers took gigabytes of confidential information with them to Rivos. Rivos is a "stealth" startup that has largely avoided public attention since its founding last year.

Chrome

Chrome's Latest Update: 30 Security Fixes and Bug Details Kept 'Restricted' (hothardware.com) 28

Hot Hardware warns that on Tuesday, the Stable Channel for Chrome's desktop edition "had an update on April 26, 2022. That update includes 30 security fixes, some of them so bad that Google is urging all users to update immediately." The release notes for Google's Chrome v101.0.4951.41 for Windows, Mac, and Linux have a long list of bug fixes; you can view it here. However, there's also a key statement in that page.

"Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed...."

Effectively, the non-developer translation of the quote above is that something so significant was found that the details are being kept hidden.

Google

Google Rewards Employees Returning to Office with Private Lizzo Concert (cnbc.com) 158

As an apparent reward for returning to the office, thousands of Google employees were treated to a private Lizzo concert at the Shoreline Amphitheatre near Google's headquarters, reports CNBC: Google implemented a return-to-office policy starting in early April, requiring employees to go to physical facilities at least three days a week. Staffers pushed back on the mandate and the prospect of navigating traffic jams, after they worked efficiently for so long at home while the company enjoyed some of its fastest revenue growth of the past 15 years....

Google had delayed its return plans on multiple occasions, due mostly to surges in Covid-19 case numbers. But this time, the company stuck to its reopening schedule. In the early days back, employees were greeted with marching bands on campus, as well as photo booths, celebratory food and visits from prominent politicians.

"Thank you for being back!" Lizzo said. "Thank you for surviving! Google, we back, bitch!!" [...] She inserted the company's name into her popular song "Boys," changing the lyrics from "I heard you a freak, too" to "I heard you a freak, Google!"

After two and a half years "of protecting others and ourselves but also being very disconnected," Lizzo told the crowd, "It's so incredible to see how connected we are right now!" CNBC reports.

Someone in the crowd shouted back, "Propaganda! Propaganda!"

IT

Are Workers Finally Returning to Offices in San Francisco? (sfchronicle.com) 141

The San Francisco Chronicle reports: San Francisco's office occupancy rate continued its spring recovery, rising above New York and San Jose last week, according to a review by a building security firm. After four months of increases, 33.4% of San Francisco workers were back at their desks last week, higher than New York's 32.9% and San Jose's 31%, but still behind seven major cities in security firm Kastle's Back to Work Barometer.... The city of Austin has consistently had the highest office occupancy tracked by Kastle and was at 58% last week, followed by fellow Texas cities Houston and Dallas. [And Los Angeles charts at around 40%]

Both San Francisco Mayor London Breed and New York Mayor Eric Adams have urged firms to bring back workers to the office to help revitalize urban streets and the broader economy. "You can't stay home in your pajamas all day," Adams said at an event in February. "That is not who we are as a city. You need to be out, cross-pollinating ideas, interacting with humans. It is crucial. We're social creatures, and we must socialize to get the energy that we need as a city...."

Around a fifth of San Francisco office space remains vacant and rents have been flat.

That's better than during the omicron surge, when occupancy in New York and San Francisco was around 10%. (According to the article, citing figures from Kastle.) But there are also other metrics.

The newspaper notes that the number of people exiting the stations of San Francisco's public rail system "were up in the first three months of the year but still only around a quarter of pre-pandemic levels."

Government

US Seeks to Steal Putin's Top Scientists by Loosening Their Visa Requirements (msn.com) 170

"The Biden administration has a plan to rob Vladimir Putin of some of his best innovators," reports Bloomberg, "by waiving some visa requirements for highly educated Russians who want to come to the U.S., according to people familiar with the strategy." One proposal, which the White House included in its latest supplemental request to Congress, is to drop the rule that Russian professionals applying for an employment-based visa must have a current employer. It would apply to Russian citizens who have earned master's or doctoral degrees in science, technology, engineering or mathematics in the U.S. or abroad, the proposal states.

A spokesman for the National Security Council confirmed that the effort is meant to weaken Putin's high-tech resources in the near term and undercut Russia's innovation base over the long run — as well as benefit the U.S. economy and national security. Specifically, the Biden administration wants to make it easier for top-tier Russians with experience with semiconductors, space technology, cybersecurity, advanced manufacturing, advanced computing, nuclear engineering, artificial intelligence, missile propulsion technologies and other specialized scientific areas to move to the U.S.

Biden administration officials have said they've seen significant numbers of high-skilled technology workers flee Russia because of limited financial opportunities from the sanctions the U.S. and allies have imposed after Putin's invasion of Ukraine.

The provision would expire in four years.

Microsoft

After Microsoft Releases Patch for RPC Exploit: What the Honeypot Saw (sans.edu) 9

Long-time Slashdot reader UnderAttack writes: After Microsoft patched and went public with CVE-2022-26809, the recent Remote Procedure Call vulnerability, the SANS Internet Storm Center set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. But so far, while it has seen thousands of attacks against SMB a day, nothing yet for the new RPC vulnerability....

But still, attackers are heavily hitting other vulnerabilities, like, of course, ETERNALBLUE.

From the article: Should you stop rushing out the April patch? Absolutely not. I hope you are already done applying the patch. But the April Windows patch had several additional gems, not just patches for RPC. Chatter about CVE-2022-26809 has died down, but as they say: Sometimes the quiet ones are the dangerous ones, and people able to exploit this vulnerability may not broadcast what they are doing on social media.
The article is credited to Johannes B. Ullrich, Ph.D., Dean of Research at the security site SANS.edu.

Interestingly, Ullrich's byline is hyperlinked to a Google+ profile which has been unavailable for nearly three years.

Security

'Why the Heck Are SSNs Still Treated as Passwords in the US?' (techcrunch.com) 174

Haje Jan Kamps, writing for TechCrunch: A couple of weeks ago yet another of my friends was a victim of identity theft, and I got yet another deep look into how fantastically broken the U.S. can be when it comes to security. "They have my social security number," she said, and I was reminded of how a lot of systems in the U.S. are woefully poorly designed. To wit: This morning I called my bank and was asked for the last four digits of my SSN and they somehow accepted my identity because I knew those four digits.

When I moved to the U.S. a couple of years ago, my friends made sure that I knew I had to keep my Social Security number (SSN) secret and hidden. When I started opening a bank account and set up a cell phone plan, it became obvious why: All sorts of institutions that really should know better are treating this string of numbers as a password. There's a huge, glaring problem with that. I maintain that Equifax should receive the corporate equivalent of capital punishment for allowing this to happen, but 145 million social security numbers were stolen by hackers a few years ago, which means that the Social Security numbers -- yes, the same numbers that are being treated as "passwords" -- for about half the U.S. adult population are in the wind.

We've gotten used to passwords by now, but at least, in most cases, passwords can be changed when they are hacked. Your social security number? Not so much. If your SSN leaks just once, you're boned. It's not possible to change it, and that brings up the true depth of idiocy in all of this: Relying on security that depends on keeping an unchangeable piece of information secret is really bloody stupid. The corollary is this: Imagine that your email has been hacked but your email provider tells you that you can't change your password, you can't change your email provider, and you'll just have to deal with it. That's the situation we currently have with Social Security numbers.

Security

Private Equity Executive Sought To Undermine NSO Critics, Data Suggests (theguardian.com) 10

Information released under data protection laws sheds light on apparent effort to undermine Canadian research group Citizen Lab. From a report: When Downing Street was recently named as the suspected victim of a phone hack by the United Arab Emirates using the Israeli-made spyware, Pegasus, few were surprised at who was behind the discovery. The Citizen Lab at the University of Toronto has for years been a thorn in the side of the NSO Group, deciphering the company's sophisticated hacking tools and -- crucially -- identifying victims of the spyware. Ron Deibert, the longtime director of the Canadian research group, is one of the world's leading experts on identifying digital threats against civil society. John Scott-Railton, a senior researcher at Citizen Lab, is among a relatively small group of experts globally who can identify which iPhones and Android devices have been infected with Pegasus, and which government clients are likely to have been responsible.

It is unsurprising, then, that the pair were an intense focus at Novalpina, the London-based private equity group which took over NSO Group in 2019, and quickly sought to stem its reputation for enabling repressive governments to commit widespread human rights abuses. Using UK data protection laws, Deibert and Scott-Railton last year sought the personal data held on them by Novalpina. The results of their so-called subject access requests, recently shared with the Guardian, contain snippets of hundreds of emails and attachments that included their names. The released data, combined with information from other sources, sheds light on an apparent attempt by Novalpina partner Stephen Peel to gather information on and undermine Citizen Lab. In one case, he even reached out to George Soros, whose foundation is an important Citizen Lab donor, and complained about the researchers.

Microsoft

Microsoft Testing Integrated VPN 'Secure Network' in Edge (neowin.net) 35

Microsoft Edge could soon receive an integrated VPN service called the "Microsoft Edge Secure Network." The VPN (Virtual Private Network) service would work very similarly to commercial VPN services, but it could be deeply integrated within the Microsoft Edge browser. From a report: The VPN service will be powered by Cloudflare. The company assures it permanently deletes the diagnostic and support data collected, every 25 hours.

Security

Cloudflare Detects One of the Largest DDoS Attacks on Record Targeting Crypto Platform (therecord.media) 8

Internet infrastructure company Cloudflare said this week that it mitigated one of the largest volumetric distributed denial of service (DDoS) attacks that has been recorded to date. From a report: Cloudflare said it detected and mitigated a 15.3 million request-per-second (rps) DDoS attack earlier this month -- making it one of the largest HTTPS DDoS attacks on record. Volumetric DDoS attacks differ from traditional bandwidth DDoS attacks, where attackers attempt to exhaust and clog up the victim's internet connection bandwidth. Instead, attackers focus on sending as many junk HTTP requests as possible to a victim's server in order to take up precious server CPU and RAM and prevent legitimate users from using targeted sites. Cloudflare previously announced that it stopped the largest DDoS attack on record in August 2021, when it mitigated a 17.2 million HTTP requests/second (rps) attack, a figure that the company described as almost three times larger than any previous volumetric DDoS attack that was ever reported in the public domain. Earlier this month, the company said it stopped an attack targeting a company in the cryptocurrency space.

Security

Microsoft Finds Linux Desktop Flaw That Gives Root To Untrusted Users (arstechnica.com) 75

An anonymous reader quotes a report from Ars Technica: Vulnerabilities recently discovered by Microsoft make it easy for people with a toehold on many Linux desktop systems to quickly gain root system rights -- the latest elevation of privileges flaw to come to light in the open source OS. [...] Nimbuspwn, as Microsoft has named the EoP threat, is two vulnerabilities that reside in networkd-dispatcher, a component in many Linux distributions that dispatches network status changes and can run various scripts to respond to a new status. When a machine boots, networkd-dispatcher runs as root. [...] A hacker with minimal access to a vulnerable desktop can chain together exploits for these vulnerabilities that give full root access. [The step-by-step exploit flow can be found in the article. The researcher also was able to gain persistent root access using the exploit flow to create a backdoor.]

The proof-of-concept exploit works only when it can use the "org.freedesktop.network1" bus name. The researcher found several environments where this happens, including Linux Mint, in which systemd-networkd by default doesn't own the org.freedesktop.network1 bus name at boot. The researcher also found several processes that run as the systemd-network user, which is permitted to use the bus name required to run arbitrary code from world-writable locations. The vulnerable processes include several gpgv plugins, which are launched when apt-get installs or upgrades, and the Erlang Port Mapper Daemon, which allows running arbitrary code under some scenarios.

The vulnerability has been patched, although it's unclear which version of Linux the patch is in.

Security

Russian Hacking in Ukraine Has Been Extensive and Intertwined With Military Operations, Microsoft Says (cnn.com) 18

At least six different Kremlin-linked hacking groups have conducted nearly 240 cyber operations against Ukrainian targets, Microsoft said Wednesday, in data that reveal a broader scope of alleged Russian cyberattacks during the war on Ukraine than previously documented. From a report: "Russia's use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations," said Tom Burt, a Microsoft vice president.

The Microsoft report is the most comprehensive public record yet of Russian hacking efforts related to the war in Ukraine. It fills in some gaps in public understanding of where Russia's vaunted cyber capabilities have been deployed during the war. Burt cited a cyberattack on a Ukrainian broadcast company on March 1, the same day as a Russian missile strike against a TV tower in Kyiv, and malicious emails sent to Ukrainians falsely claiming the Ukrainian government was "abandoning" them amid the Russian siege of the city of Mariupol. Suspected Russian hackers "are working to compromise organizations in regions across Ukraine," and may have been collecting intelligence on Ukrainian military partnerships many months before the full-scale invasion in February, the Microsoft report says.

Apple

Apple Launches Do-It-Yourself Repairs For iPhone 13, iPhone 12 and iPhone SE, But There's a Catch (cnet.com) 58

Apple on Wednesday followed through on its plans to begin publicly releasing repair manuals for some of its products, in addition to selling parts and tools online. The goal, the company said, is to allow iPhone owners an alternative way to repair their devices. From a report: The tech giant's new program, called Self Service Repair, is starting out for US customers with Apple's iPhone 13 line of smartphones, the iPhone 12 and new iPhone SE. Apple said it designed the program to offer adventurous and capable people access to the same parts, tools and instructions it gives to its own certified technicians and partner repair shops, hopefully making it easier for people to repair devices instead of resorting to buying a new one. "We believe we have a responsibility to customers and the environment to offer convenient access to safe, reliable, and secure repairs to help customers get the most out of their devices," the company wrote in a document published Wednesday that outlines its plans.

"As the doors open on this new venue, we're underwhelmed, and settling back into our usual skepticism," iFixit posted on Wednesday. The firm adds: The biggest problem? Apple is doubling down on their parts pairing strategy, enabling only very limited, serial number-authorized repairs. You cannot purchase key parts without a serial number or IMEI. If you use an aftermarket part, there's an "unable to verify" warning waiting for you. This strategy hamstrings third-party repair with feature loss and scare tactics and could dramatically limit options for recyclers and refurbishers, short-circuiting the circular economy. As of today, you can buy an official Apple iPhone 12 screen and install it yourself, on your own device, with no fuss. Until now, DIY repairs relied on keeping the Face ID speaker and sensor assembly intact, then very carefully moving it to your new screen, and finally ignoring some gentle warnings. If your assembly was damaged or defective, you were out of luck.

The new program will solve that problem -- assuming you've bought an official Apple part.

Linux

Concerns Raised Over The 'New' NTFS Linux Driver That Merged Last Year (phoronix.com) 90

UnknowingFool writes: In 2020, Paragon Software announced they wanted to upstream their previously proprietary NTFS driver into Linux. After a year of review, the NTFS3 driver was added to the Linux 5.15 kernel. While Paragon pledged to maintain their driver, there have been no major updates to the driver despite a growing list of patches that have been submitted. Developer Kari Argillander has raised his concerns on the mailing list that the driver is orphaned, and that the Paragon maintainer has not responded to any messages about fixes. An offer to co-maintain the driver has also been met with "radio silence".

Security

Hackers Reportedly Target Wind-Energy Companies In Europe (pcmag.com) 31

An anonymous reader quotes a report from PC Magazine: European wind-energy companies have reportedly been targeted by hackers -- or been affected by cyberattacks on their suppliers -- since Russia invaded Ukraine in late February. The Wall Street Journal reports that Nordex SE and Deutsche Windtechnik AG have both reported cyber incidents over the last few months. A third German company, Enercon GmbH, told the Journal it was "collateral damage" when Viasat was hacked at the start of the invasion.

The severity of the hacks varies. Nordex SE had to shut down its IT systems; Deutsche Windtechnik AG couldn't remotely control about 2,000 turbines for at least a day; and Enercon GmbH lost remote access to some 5,800 turbines because of the Viasat hack. The notorious Conti ransomware gang has reportedly claimed responsibility for the March hack of Nordex SE; the Journal says that security experts are currently investigating the possibility that it was involved with the April hack of Deutsche Windtechnik AG as well.

Security

At Least $13M in NFTs Stolen After Bored Ape Yacht Club Instagram, Discord Hacked (coindesk.com) 62

Bored Ape Yacht Club's Instagram account and Discord server were both hacked on Monday, with an unofficial "mint" link being sent out to followers. From a report: "There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything," the NFT project wrote on Twitter. At the time of writing, it is estimated that around 24 Bored Apes and 30 Mutant Apes have been stolen according to recent OpenSea transfers, although some of these may be holders transferring their NFTs for security purposes. The value of the 54 NFTs calculated by floor price is $13.7 million.

Security

The Pros and Cons of a Future Without Passwords (cnbc.com) 123

CNBC explores the dream of "a future where nobody has to constantly update and change online passwords to stay ahead of hackers and keep data secure." Here's the good news: Some of the biggest names in tech are already saying that the dream of a password-less internet is close to becoming a reality. Apple, Google and Microsoft are among those trying to pave the way... In theory, removing passwords from your cybersecurity equation nixes what former Secretary of Homeland Security Michael Chertoff has called "by far the weakest link in cybersecurity." More than 80% of data breaches are a result of weak or compromised passwords, according to Verizon....

Doing away with passwords altogether is not without risks. First, verification codes sent via email or text message can be intercepted by hackers. Even scarier: Hackers have shown the ability to trick fingerprint and facial recognition systems, sometimes by stealing your biometric data. As annoying as changing your password might be, it's much harder to change your face or fingerprints. Second, some of today's password-less options still ask you to create a PIN or security questions to back up your account. That's not much different from having a password.... Plus, tech companies still need to make online accounts accessible across multiple platforms, not just on smartphones — and also to the people who don't own smartphones at all, roughly 15% of the U.S.

Some data points from the article:
  • "Microsoft says 'nearly 100%' of the company's employees use password-less options to log into their corporate accounts."
  • "In September, Microsoft announced that its users could go fully password-less to access services like Windows, Xbox, and Microsoft 365."
  • "Apple's devices have used Touch ID and Face ID features for several years."

Security

Former NSA Computer Scientist: Patching Vulnerabilities Gives False Sense of Security (itwire.com) 112

A former NSA computer scientist is disgusted with the current state of security practices, writes ITWire. Slashdot reader samuel_the_fool shares their report: Patching of vulnerabilities is the security industry's equivalent of thoughts and prayers, a prominent American security expert has said during a debate on the topic "Patching is useless" at a recent online conference named Hack At The Harbor. Dave Aitel, 46, a former NSA computer scientist who ran his own security shop, Immunity, for many years, said the remedies proposed by security vendors and big technology companies had served to lull people into a false sense of security all these years and ensure that all the old problems still remained.... Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others, rather than being continuously patched....

Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.

On the positive side, he had praise for ChromeOS, an operating system that is produced by Google, and recommended the use of Chromebooks rather than Windows machines.

Aitel called for vulnerability management, advocating the government as the best entity to handle this. His argument was that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry.

Google

A Bug in Google Messages Might Be Draining Your Battery (theverge.com) 24

An anonymous reader shares a report: According to 9to5Google, a recent bug in Google's Messages app on Android phones left the camera running in the background -- a great way to both heat up your phone and run down your battery. The Google Messages app allows you to easily take a photo directly from the app and attach it to a chat message. According to the article in 9to5Google, the camera app would occasionally keep running, even when you did not have it on screen.