Security

Cybercriminals Who Breached Nvidia Issue One of the Most Unusual Demands Ever (arstechnica.com)

shanen shares a report: Data extortionists who stole up to 1 terabyte of data from Nvidia have delivered one of the most unusual ultimatums ever in the annals of cybercrime: allow Nvidia's graphics cards to mine cryptocurrencies faster or face the imminent release of the company's crown-jewel source code. A ransomware group calling itself Lapsus$ first claimed last week that it had hacked into Nvidia's corporate network and stolen more than 1TB of data. Included in the theft, the group claims, are schematics and source code for drivers and firmware. A relative newcomer to the ransomware scene, Lapsus$ has already published one tranche of leaked files, which among other things included the usernames and cryptographic hashes for 71,335 of the chipmaker's employees.
Security

Ukraine Says 400,000 Volunteers Aid Hacking Against Russia (bloomberg.com)

More than 400,000 people have volunteered to help a crowdsourced Ukrainian government effort that is using digital means to disrupt Russian government and military targets, according to a Ukrainian cybersecurity official. From a report: Victor Zhora, deputy chief of Ukraine's information protection service, said in a briefing Friday that the country was engaged in a "cyber resistance" against Russia that was aimed at making the country weaker. The update comes after Ukraine's minister of digital transformation called on international computer specialists to attack Russian web infrastructure. "Our friends, Ukrainians all over globe, [are] united to defend our country in cyberspace," Zhora said. Ukraine was working to do "everything possible to protect our land in cyberspace, our networks, and to make the aggressor feel uncomfortable with their actions," he added.
Bug

How a Simple Security Bug Became a University Campus 'Master Key' (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: When Erik Johnson couldn't get his university's mobile student ID app to reliably work, he sought to find a workaround. The app is fairly important, since it allows him and every other student at his university to pay for meals, get into events and even unlock doors to dorm rooms, labs and other facilities across campus. The app is called GET Mobile, and it's developed by CBORD, a technology company that brings access control and payment systems to hospitals and universities. But Johnson -- and the many who left the app one-star reviews in frustration -- said the app was slow and would take too long to load. There had to be a better way.

And so by analyzing the app's network data at the same time he unlocked his dorm room door, Johnson found a way to replicate the network request and unlock the door by using a one-tap Shortcut button on his iPhone. For it to work, the Shortcut has to first send his precise location along with the door unlock request or his door won't open. Johnson said as a security measure students have to be physically in proximity to unlock doors using the app, seen as a measure aimed at preventing accidental door openings across campus. It worked, but why stop there? If he could unlock a door without needing the app, what other tasks could he replicate?

Johnson didn't have to look far for help. CBORD publishes a list of commands available through its API, which can be controlled using a student's credentials, like his. But he soon found a problem: The API was not checking if a student's credentials were valid. That meant Johnson, or anyone else on the internet, could communicate with the API and take over another student's account without having to know their password. Johnson said the API only checked the student's unique ID, but warned that these are sometimes the same as a university-issued student username or student ID number, which some schools publicly list on their online student directories, and as such cannot be considered a secret. Johnson described the password bug as a "master key" to his university -- at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present -- simply by sending back the approximate coordinates of the lock itself.
The vulnerability was fixed and session keys were invalidated shortly after TechCrunch shared details of the bug with CBORD.
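
The two failures described above, an API that trusts a caller-supplied student ID instead of an authenticated session and a proximity check that trusts client-reported coordinates, modelled as an added example (not CBORD's code). All names, the data model, the token format and the "reader tap" presence signal are hypothetical assumptions for illustration.

```python
import hashlib
import hmac
import math
import time

# Constructed demo data; not CBORD's real data model or credentials.
SERVER_KEY = b"demo-only-server-key"
STUDENTS = {"jdoe42": hashlib.sha256(b"correct horse battery").hexdigest()}
LOCKS = {"dorm-7-210": {"owner": "jdoe42", "lat": 40.5000, "lon": -74.4500}}
PROXIMITY_M = 25.0


def distance_m(lat1, lon1, lat2, lon2):
    """Haversine distance in metres; accurate enough for door-range checks."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def vulnerable_unlock(body):
    """Before: identity is whatever 'student_id' the caller sends, and presence is
    whatever coordinates the caller sends. Both are under the caller's control,
    so knowing a student's (often public) ID is enough to pass both checks."""
    lock = LOCKS.get(body.get("lock_id"))
    if lock is None or lock["owner"] != body.get("student_id"):
        return False
    return distance_m(body["lat"], body["lon"], lock["lat"], lock["lon"]) <= PROXIMITY_M


# --- hardened version (assumed design) --------------------------------------
def login(student_id, password):
    """Issue a session token only after a password check.
    The token is HMAC-bound to the student ID so it cannot be re-pointed."""
    if STUDENTS.get(student_id) != hashlib.sha256(password.encode()).hexdigest():
        return None
    tag = hmac.new(SERVER_KEY, student_id.encode(), "sha256").hexdigest()
    return f"{student_id}.{tag}"


def student_from_token(token):
    """Return the student ID the token was issued for, or None if it does not verify."""
    try:
        sid, tag = token.split(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), "sha256").hexdigest()
    return sid if hmac.compare_digest(tag, expected) else None


# Assumed extra signal: the door reader reports recent taps of a registered
# card or phone, keyed by (lock_id, student_id) -> unix timestamp.
READER_TAPS = {}


def hardened_unlock(token, body, now=None):
    """After: identity comes from the verified token, never from the body, and
    presence requires a server-observed reader event within a short window
    rather than client-reported coordinates."""
    now = time.time() if now is None else now
    sid = student_from_token(token)
    if sid is None:
        return False
    lock = LOCKS.get(body.get("lock_id"))
    if lock is None or lock["owner"] != sid:
        return False
    tapped_at = READER_TAPS.get((body["lock_id"], sid))
    return tapped_at is not None and 0 <= now - tapped_at <= 30
```

Any `student_id` field in the request body is simply ignored by the hardened handler; the authorization decision is made only on the identity the server itself established at login.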
Security

Malware Campaign Impersonates VC Firm Looking To Buy Sites (arstechnica.com)

BleepingComputer was recently contacted by an alleged "venture capitalist" firm that wanted to invest or purchase our site. However, as we later discovered, this was a malicious campaign designed to install malware that provides remote access to our devices. Lawrence Abrams from BleepingComputer writes: Last week, BleepingComputer received an email to our contact form from an IP address belonging to a United Kingdom virtual server company. Writing about cybersecurity for so long, I am paranoid regarding email, messaging, and visiting unknown websites. So, I immediately grew suspicious of the email, fired up a virtual machine and VPN, and did a search for Vuxner. Google showed only a few results for 'Vuxner,' with one being for a well-designed and legitimate-looking vuxner[.]com, a site promoting "Vuxner Chat -- Next level of privacy with free instant messaging." As this appeared to be the "Vuxner chat" the threat actors referenced in their email, BleepingComputer attempted to download it and run it on a virtual machine.

BleepingComputer found that the VuxnerChat.exe download [VirusTotal] actually installs the "Trillian" messaging app and then downloads further malware onto the computer after Trillian finishes installing. As this type of campaign looked similar to other campaigns that have pushed remote access and password-stealing trojans in the past, BleepingComputer reached out to cybersecurity firm Cluster25, which has previously helped BleepingComputer diagnose similar malware attacks. Cluster25 researchers explain in a report coordinated with BleepingComputer that Vuxner[.]com is hosted behind Cloudflare; however, they could still determine the hosting server's actual address at 86.104.15[.]123.

The researchers state that the Vuxner Chat program is being used as a decoy for installing a remote desktop software known as RuRAT, which is used as a remote access trojan. Once a user installs the Vuxner Trillian client and exits the installer, it will download and execute a Setup.exe executable [VirusTotal] from https://vuxner[.]com/setup.exe. When done, the victim will be left with a C:\swrbldin folder filled with a variety of batch files, VBS scripts, and other files used to install RuRAT on the device. Cluster25 told BleepingComputer that the threat actors are using this attack to gain initial access to a device and then take control over the host. Once they control the host, they can search for credentials and sensitive data or use the device as a launchpad to spread laterally in a network.

Data Storage

Backblaze Has Released Their First Drive Stats Report For SSDs (backblaze.com)

Backblaze has published its first SSD edition of the Drive Stats report. A Slashdot reader writes: This edition focuses exclusively on their SSDs as opposed to their quarterly and annual Drive Stats reports which, until last year, focused exclusively on HDDs. Initially they expect to publish the SSD edition twice a year, although that could change depending on its value to readers. They'll continue to publish the HDD Drive Stats reports quarterly. It's an interesting look at SSD reliability in a commercial environment and may be useful to anyone wondering what drive they should (or shouldn't) consider for their own deployment.
Security

Ukraine's 'IT Army' Targets Belarus Railway Network, Russian GPS (reuters.com)

Ukraine's "IT army" of volunteer hackers announced a new set of targets on Thursday - including the Belarusian railway network and Russia's homegrown satellite-based navigation system, GLONASS. From a report: "We need to mobilise and intensify our efforts as much as possible," a post on the "IT army" Telegram channel said. The post listed the top priorities targeted by the group, including Belarus' railway, Russian telecom companies, and GLONASS, which is Russia's alternative to the Global Positioning System (GPS) satellite navigation network. Ukraine has called on its hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, Reuters previously reported. Kyiv announced the formation of its "IT army" on Saturday. A hacking team focused on Belarus, which has been used as a key staging post for Russia's invasion of Ukraine, called the Belarusian Cyber Partisans told Reuters on Tuesday they had disabled railway traffic systems there and attacked the network because it had been used to transport Russian soldiers.
Google

Google Mandates Workers Back To Silicon Valley, Other Offices From April 4 (reuters.com)

An anonymous reader quotes a report from Reuters: Alphabet's Google from April 4 will require employees back about three days a week in some of its U.S., U.K. and Asia Pacific offices, its first step to end policies that allowed remote work because of COVID-19 concerns. An internal email on Wednesday seen by Reuters told employees in the San Francisco Bay Area that "advances in prevention and treatment, the steady decline in cases we continue to see and the improved safety measures we have implemented ... now mean we can officially begin the transition to the hybrid work week."

Google expects most employees will be in offices about three days a week, with some variance by team and role. Everyone coming to the office must be fully vaccinated against COVID-19 or have an approved exemption, according to the email from John Casey, Google's vice president of global benefits. Unvaccinated workers without an exemption will be given an option to seek one or apply for permanent remote work. Fully vaccinated workers will not have to wear masks in Bay Area offices, Casey said. Employees not prepared to return April 4 also can seek a remote-work extension, Google said. Google largely has restored office perks such as free meals, massages and transit. But while business visitors and meetings are permitted, employees cannot yet bring back families or children to dine or visit with them.

The Military

Ukraine Might Have Leaked Data On 120,000 Russian Soldiers (theregister.com)

BrendaEM shares a report from The Register: Ukrainian news website Ukrainska Pravda says the nation's Centre for Defense Strategies think tank has obtained the personal details of 120,000 Russian servicemen fighting in Ukraine. The publication has now shared this data freely on its website. The Register and others have been unable to fully verify the accuracy of the data from the leak. The records include what appear to be names, addresses, passport numbers, unit names, and phone numbers. Some open source intelligence researchers on Twitter said they found positive matches, as did sources who spoke confidentially to El Reg; others said they couldn't verify dip-sampled data. Rumors swirled on the internet that activists were behind the disclosure. The Ukrainian news agency said the personnel records were obtained from "reliable sources." Whether or not the database's contents are real, the impact on Russian military morale -- knowing that your country's enemies have your personal details and can contact your family if you're captured, killed, or even still alive -- won't be insignificant.
Open Source

Hackers Demand NVIDIA Open Source Their Drivers Or They Leak More Data (videocardz.com)

New submitter briaguya shares a report from VideoCardz: Hackers that infiltrated NVIDIA systems are now threatening to release more confidential information unless the company commits to open sourcing their drivers. It is unclear what the stolen data contains, but the group confirmed that there are 250GB of hardware related data in their possession. Furthermore, the group confirmed they have evaluated NVIDIA's position, which means that NVIDIA might be trying to communicate with the group to prevent future leaks. The group has already published information on NVIDIA DLSS technology and upcoming architectures. Yesterday, Nvidia reportedly retaliated against the hacker group known as "Lapsus$" by sneaking back into the hacker's system and encrypting the stolen data. The group claimed that it had a backup of the data, though.
Google

The Oddly Addictive Quality of Google Alerts (newyorker.com)

The imperfect, scattershot search tool delivers just enough usefulness and serendipity to keep one hooked. From a report: Google Alerts can cast a wonderful net, but mesh size matters: large holes and it catches nothing, too small and it catches everything. Consider the earliest and one of the most persistent reasons for setting these alerts: tracking yourself. All is vanity, perhaps especially on the Internet, so it's no surprise that one of the things that we're most eager to know is what the world is saying about us. The engineer who developed the alert system for Google told CNN that when he first presented the idea, twenty years ago, his manager was skeptical, worrying that it would starve the search-engine of traffic: rather than consumers constantly searching for fresh mentions of whatever topic interested them, they would wait for the alert, then follow its links not to Google but to outside Web sites, leaching away potential advertising revenue. In response, the engineer, one of the first forty or so employees of the company, took his prototype to Google's co-founders, who approved it after watching him demonstrate only two search terms: "Google" and "Larry Page," the name of one of the co-founders.

Learning what other people thought about us used to take either a great deal of luck, like Tom Sawyer being mistaken for dead and then getting to eavesdrop on his own funeral, or a great deal of effort, like Harun al-Rashid, a caliph of the Abbasid dynasty, in the "Arabian Nights," disguising himself in order to venture out into the streets and talk with his subjects candidly. But the Internet has made it easy -- made it, in fact, almost unavoidable. The same Google Alert can make sure you know that your long-lost bunkmate from summer camp has mentioned you in an essay, that a friend of your deceased uncle has written a memoir of their time together in the Marines (including the care packages you sent them), and that the local newspaper has digitized its archives, thereby offering up to the Internet your high-school football averages and your arrest for vandalism.

Security

The Dire Predictions About a Russian Cyber Onslaught Haven't Come True in Ukraine. At Least Not Yet. (washingtonpost.com)

An anonymous reader shares a report: Ukraine's core cyberdefense has done better than expected because it focused on the issue after Russian hackers briefly knocked out power to swaths of the country in 2015 and 2016, said David Cowan, a veteran cybersecurity venture capitalist and corporate director, and because it has had help from American and European experts. "I would have thought that by now Russia would have disabled a lot more infrastructure around communications, power and water," Cowan said. "If Russia were attacking the U.S., there would be more cyber damage." The absence of major disruptions predicted by cyberwar doctrine has allowed Ukraine's President Volodymyr Zelensky to deliver propaganda coups with little more than a smartphone and a data link.
Security

Russian Cybersecurity Giant Kaspersky Tries To Maintain Neutrality During Ukraine War (vice.com)

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: Around the same time Russian forces launched a massive rocket into a square in Kharkiv, Ukraine's second-largest city, killing and wounding an as of yet unknown number of people, Eugene Kaspersky, head of his namesake Russian cybersecurity firm, tweeted that he hoped negotiations between Ukraine and Russia would lead to "a compromise." The statement encapsulates the company's position since Russia invaded Ukraine six days ago -- that of attempted neutrality in a war where silence or fence sitting is implicitly siding with the Russian forces. In another statement to Motherboard sent on Monday, the company said "As a technology and cybersecurity service provider the company is not in a position to comment or speculate on geopolitical developments outside of its area of expertise."

Kaspersky is one of the best-known Russian companies, and for years its antivirus product has been among the most used in the world. The antivirus software also harvests telemetry data for Kaspersky's researchers who can then use that to identify and counter new threats. Its researchers are some of the best in the world, with its Global Research & Analysis Team (GReAT) regularly publishing leading research on various government malware operations. Famously the company first revealed details of a U.S. government hacking group that it dubbed Equation Group. Kaspersky has also researched suspected Russian government linked hackers. Eugene's tweet also brings something else to the surface again: how much is Kaspersky, the company, influenced by the Russian government, even if indirectly? As a Russian firm operating in Moscow under Russian laws, it may feel the need to toe the line on Russian issues.

Kaspersky's company statement on Monday added that "Kaspersky is focused on its mission to build a safer world. For 25 years, the company delivers deep threat intelligence and security expertise that is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. Kaspersky's business operations remain stable. The company guarantees the fulfillment of its obligations to partners and customers -- including product delivery and support and financial transaction continuity. The global management team is monitoring the situation carefully and is ready to act very quickly if needed." Kaspersky may not currently feel it is in a position to speculate or take a position on the invasion of Ukraine. But with a 40 mile long Russian military convoy making its way to Kyiv, and with the prospect of more cyber attacks playing a role in the invasion, Kaspersky may need to take a side.

IT

Web Hosting Provider Namecheap To Ban Russia-Based Users, Citing Ukraine (pcmag.com)

Domain and web hosting provider Namecheap is terminating all service with the company's Russian-based users over the Kremlin's invasion of Ukraine. From a report: "Unfortunately, due to the Russian regime's war crimes and human rights violations in Ukraine, we will no longer be providing services to users registered in Russia," US-based Namecheap told Russian users in an email on Monday. The company is asking Russian users to transfer their domains to another provider by March 6. Otherwise their sites will resolve to a 403 Forbidden page. In addition, Namecheap has begun blocking Russian clients from using the company's web hosting and private email services over Russian internet domains, including .ru and .su. "While we sympathize that this war may not affect your own views or opinion on the matter, the fact is, your authoritarian government is committing human rights abuses and engaging in war crimes so this is a policy decision we have made and will stand by," the company added. The decision has caused some Russian users to complain they've been unfairly targeted. "Whoever came up with this idea is an idiot and should be fired," wrote one user on Twitter, who claims Namecheap is "blanket targeting" civilians, instead of going after Russia's government.
Security

Nvidia Says Employee, Company Information Leaked Online After Cyber Attack (cnn.com)

U.S. chipmaker Nvidia said on Tuesday a cyber attacker has leaked employee credentials and some company proprietary information online after their systems were breached. From a report: "We have no evidence of ransomware being deployed on the Nvidia environment or that this is related to the Russia-Ukraine conflict," the company's spokesperson said in a statement. The Santa Clara, California-based company said it became aware of the breach on Feb. 23. Nvidia added it was working to analyze the information that has been leaked and does not anticipate any disruption to the company's business. A ransomware outfit under the name "Lapsus$" has reportedly claimed to be responsible for the leak and seemingly has information about the schematics, drivers and firmware, among other data, about the graphics chips.
Security

Nvidia Allegedly Hacks Hackers Who Stole Company's Data (tomshardware.com)

According to Vx-underground on Twitter, Nvidia has reportedly retaliated against the hacker group that stole over 1TB of the company's data by sneaking back into the hacker's system and encrypting the stolen data. Tom's Hardware reports: LAPSU$, an extortion group in South America, had illegally tapped into Nvidia's mailing server and installed malware on the software distribution server. As a result, the hacker group purportedly extracted over 1TB of Nvidia's data. However, it's unknown what kind of data the hackers had stolen, whether Nvidia's or its clients' data. It would seem that Nvidia has identified the attackers. According to Vx-underground's Twitter post, backed by screenshots, the chipmaker has infected the perpetrators' system with ransomware and encrypted the stolen data in response to the attack. The group claimed that it had a backup of the data, though.
China

New Chinese Hacking Tool Found, Spurring US Warning To Allies (reuters.com)

Security researchers with U.S. cybersecurity firm Symantec said they have discovered a "highly sophisticated" Chinese hacking tool that has been able to escape public attention for more than a decade. Reuters reports: The discovery was shared with the U.S. government in recent months, which has shared the information with foreign partners, said a U.S. official. Symantec, a division of chipmaker Broadcom, published its research about the tool, which it calls Daxin, on Monday. "It's something we haven't seen before," said Clayton Romans, associate director with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "This is the exact type of information we're hoping to receive."

CISA highlighted Symantec's membership in a joint public-private cybersecurity information sharing partnership, known as the JCDC, alongside the new research paper. The JCDC, or Joint Cyber Defense Collaborative, is a collective of government defense agencies, including the FBI and National Security Agency, and 22 U.S. technology companies that share intelligence about active cyberattacks with one another. Symantec's attribution to China is based on instances where components of Daxin were combined with other known, Chinese-linked computer hacker infrastructure or cyberattacks, said Vikram Thakur, a technical director with Symantec. [...] "Daxin can be controlled from anywhere in the world once a computer is actually infected," said Thakur. "That's what raises the bar from malware that we see coming out of groups operating from China."

Security

Ukraine Says Its 'IT Army' Has Taken Down Key Russian Sites (bleepingcomputer.com)

Key Russian websites and state online portals have been taken offline by attacks claimed by the Ukrainian cyber police force, which now openly engages in cyber-warfare. From a report: As the announcement on the law enforcement agency's site details, specialists from the force have teamed with volunteers to attack the web resources of Russia and Belarus. The three countries are currently involved in an ongoing and large-scale armed conflict that includes a cyber frontline, which manifested even before the invasion. The Ukrainian cyber police have announced having targeted the websites of the Investigative Committee of the Russian Federation, the FSB (Federal Security Service), and Sberbank, Russia's state-owned bank.
Microsoft

Microsoft Detected 'Destructive Cyberattacks' Against Ukraine Hours Before Russian Invasion (geekwire.com)

Microsoft says it began detecting "destructive cyberattacks directed against Ukraine's digital infrastructure" several hours before the Russian military began launching missiles or moving tanks into the country last week. From a report: The disclosure Monday, part of a larger blog post about Ukraine by Microsoft President Brad Smith, provides a glimpse of how cyber-warfare is being used as part of the ongoing invasion. The company says it is giving ongoing guidance to the Ukrainian government about cyberthreats as the situation unfolds. Smith also outlined the company's efforts to combat state-sponsored disinformation campaigns, ensuring that its platforms are not displaying or distributing any content or apps from Russia's state-sponsored RT and Sputnik news organizations, in line with a recent European Union decision. He wrote that there's "a well-orchestrated battle ongoing in the information ecosystem where the ammunition is disinformation, undermining truth and sowing seeds of discord and distrust."
Security

Toyota Suspends Domestic Factory Operations After Suspected Cyber Attack (reuters.com)

Toyota said it will suspend domestic factory operations on Tuesday, losing around 13,000 cars of output, after a supplier of plastic parts and electronic components was hit by a suspected cyber attack. From a report: No information was immediately available about who was behind the possible attack or the motive. The attack comes just after Japan joined Western allies in clamping down on Russia after it invaded Ukraine, although it was not clear if the attack was at all related. Japanese Prime Minister Fumio Kishida said his government would investigate the incident and whether Russia was involved. Kishida on Sunday announced that Japan would join the United States and other countries in blocking some Russian banks from accessing the SWIFT international payment system. He also said Japan would give Ukraine $100 million in emergency aid.
Security

Conti Ransomware Gang Chats Leaked by Pro-Ukraine Member (therecord.media)

A member of the Conti ransomware group, believed to be of Ukrainian origin, has leaked the gang's internal chats after the group's leaders posted an aggressive pro-Russian message on their official site on Friday, in the aftermath of Russia's invasion of Ukraine. From a report: The message appears to have rubbed Conti's Ukrainian members the wrong way, and one of them has hacked the gang's internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists and security researchers. Dmitry Smilyanets, a threat intelligence analyst for Recorded Future, who has interacted with the Conti gang in the past, has confirmed the authenticity of the leaked conversations. The leaked data contains 339 JSON files, with each file consisting of a full day's log. Conversations from January 29, 2021, to February 27, 2022, have been leaked and can be read online here, courtesy of security firm IntelligenceX.