Security

China Accuses the NSA of Hacking a Top University To Steal Data (gizmodo.com) 82

hackingbear shares a report from Gizmodo: China claims that America's National Security Agency used sophisticated cyber tools to hack into an elite research university on Chinese soil. The attack allegedly targeted the Northwestern Polytechnical University in Xi'an (not to be confused with a California school of the same name), which is highly ranked in the global university index for its science and engineering programs. The U.S. Justice Department has referred to the school as a "Chinese military university that is heavily involved in military research and works closely with the People's Liberation Army," painting it as a reasonable target for digital infiltration from an American perspective.

China's National Computer Virus Emergency Response Center (CVERC) recently published a report attributing the hack to the Tailored Access Operations group (TAO) -- an elite team of NSA hackers that first became publicly known via the Snowden Leaks back in 2013 and helps the U.S. government break into networks all over the world for the purposes of intelligence gathering and data collection. [CVERC identified 41 TAO tools involved in the case.] One such tool, dubbed 'Suctionchar,' is said to have helped infiltrate the school's network by stealing account credentials from remote management and file transfer applications to hijack logins on targeted servers. The report also mentions the exploitation of Bvp47, a backdoor in Linux that has been used in previous hacking missions by the Equation Group -- another elite NSA hacking team. According to CVERC, traces of Suctionchar have been found in many other Chinese networks besides Northwestern's, and the agency has accused the NSA of launching more than 10,000 cyberattacks on China over the past several years.

On Sunday, the allegations against the NSA were escalated to a diplomatic complaint. Yang Tao, the director-general of American affairs at China's Ministry of Foreign Affairs, published a statement affirming the CVERC report and claiming that the NSA had "seriously violated the technical secrets of relevant Chinese institutions and seriously endangered the security of China's critical infrastructure, institutions and personal information, and must be stopped immediately."

Security

Retbleed Fix Slugs Linux VM Performance By Up To 70 Percent (theregister.com) 33

VMware engineers have tested the Linux kernel's fix for the Retbleed speculative execution bug, and report it can impact compute performance by a whopping 70 percent. The Register reports: In a post to the Linux Kernel Mailing List titled "Performance Regression in Linux Kernel 5.19", VMware performance engineering staffer Manikandan Jagatheesan reports the virtualization giant's internal testing found that running Linux VMs on the ESXi hypervisor using version 5.19 of the Linux kernel saw compute performance dip by up to 70 percent when using single vCPU, networking fall by 30 percent and storage performance dip by up to 13 percent. Jagatheesan said VMware's testers turned off the Retbleed remediation in version 5.19 of the kernel and ESXi performance returned to levels experienced under version 5.18.

Because speculative execution exists to speed processing, it is no surprise that disabling it impacts performance. A 70 percent decrease in computing performance will, however, have a major impact on application performance that could lead to unacceptable delays for some business processes. VMware's tests were run on Intel Skylake CPUs -- silicon released between 2015 and 2017 that will still be present in many server fleets. Subsequent CPUs addressed the underlying issues that allowed Retbleed and other Spectre-like attacks.

Security

Powerful New Linux Malware Shikitega Uses Unusual Multi-Stage Stealth (att.com) 22

Here's a warning from the threat intelligence unit of AT&T Cybersecurity, AT&T Alien Labs: With a rise of nearly 650% in malware and ransomware for Linux this year, reaching an all-time high in the first half year of 2022, threat actors find servers, endpoints and IoT devices based on Linux operating systems more and more valuable and find new ways to deliver their malicious payloads. New malwares like BotenaGo and EnemyBot are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.

But they've discovered a new malware targeting Linux endpoints and IoT devices, stealthily "delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist."

The Register summarizes their report: The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that's just 370 bytes... AT&T didn't say how the initial infection occurs, but it did say Shikitega exploits two Linux vulnerabilities disclosed in 2021 to achieve its ultimate objective, which AT&T said appears to be the installation and execution of the XMRig cryptocurrency miner.

The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available. Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name....

Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.

Ars Technica reports: The ultimate objective of the malware isn't clear. It drops the XMRig software for mining the Monero cryptocurrency, so stealthy cryptojacking is one possibility. But Shikitega also downloads and executes a powerful Metasploit package known as Mettle, which bundles capabilities including webcam control, credential stealing, and multiple reverse shells into a package that runs on everything from "the smallest embedded Linux targets to big iron." Mettle's inclusion leaves open the potential that surreptitious Monero mining isn't the sole function....

Given the work the unknown threat actors responsible devoted to the malware's stealth, it wouldn't be surprising if the malware is lurking undetected on some systems.

Security

Laying Off Five Security Staffers, Patreon Disputes Reports It's Their Entire Security Team (gizmodo.com) 32

Patreon has confirmed it laid off five of its security team employees, TechCrunch reports, "but declined to answer our questions, or say how many employees it had on the security team prior to the layoffs."

But while a former senior security engineer posted on LinkedIn that "I and the rest of the Patreon Security Team are no longer with the company," Patreon's U.S. policy head, Ellen Satterwhite, told Gizmodo that "a majority of our engineers working on security and vendors remain in place." "As part of a strategic shift of a portion of our security program, we have parted ways with five employees," said Patreon in an emailed statement attributed to the company's U.S. policy head, Ellen Satterwhite.... In response to further questions, Satterwhite also said "the entire internal Patreon security team was not laid off. As a matter of policy, we can't share the exact number of Patreon employees working on security, but can confirm a majority of Patreon's internal engineers working on security remain in place...."

Satterwhite noted that "we also partner with a number of external organizations to continuously develop our security capabilities and conduct regular security assessments." The reference to "external organizations" seemingly suggests that the company has outsourced much of its security operations.

"As a global platform, we will always prioritize the security of our creators' and customers' data," wrote Satterwhite. "The changes made this week will have no impact on our ability to continue providing a secure and safe platform for our creators and patrons."

Security

New Wave of Data-Destroying Ransomware Attacks Hits QNAP NAS Devices (arstechnica.com) 23

Network hardware-maker QNAP is urging customers to update their network-attached storage devices immediately to protect them from a new wave of ongoing ransomware attacks that can destroy terabytes of data in a single stroke. From a report: Singapore-based QNAP said recently that it has identified a new campaign from a ransomware group known as DeadBolt. The attacks take aim at QNAP NAS devices that use a proprietary feature known as Photo Station. The advisory instructs customers to update their firmware, suggesting there is a vulnerability that's under exploit, but the company makes no explicit mention of a CVE designation that security professionals use to track such security flaws.
Security

Former Conti Ransomware Gang Members Helped Target Ukraine, Google Says (theverge.com) 13

A cybercriminal group containing former members of the notorious Conti ransomware gang is targeting the Ukrainian government and European NGOs in the region, Google says. From a report: The details come from a new blog post from the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity. With the war in Ukraine having lasted more than half a year, cyber activity including hacktivism and electronic warfare has been a constant presence in the background. Now, TAG says that profit-seeking cybercriminals are becoming active in the area in greater numbers. From April through August 2022, TAG has been following "an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers," writes TAG's Pierre-Marc Bureau. One of these state-backed actors has already been designated by CERT -- Ukraine's national Computer Emergency Response Team -- as UAC-0098. But new analysis from TAG links it to Conti: a prolific global ransomware gang that shut down the Costa Rican government with a cyberattack in May.
Security

Albania Cuts Diplomatic Ties With Iran Over July Cyberattack (apnews.com) 23

Albania cut diplomatic ties with Iran and expelled the country's embassy staff over a major cyberattack nearly two months ago that was allegedly carried out by Tehran on Albanian government websites, the prime minister said Wednesday. From a report: The move by Albania, a NATO country, was the first known case of a country cutting diplomatic relations over a cyberattack. The White House vowed unspecified retaliation Wednesday against Iran for what it called "a troubling precedent for cyberspace." In a statement, the White House said it has had experts on the ground for weeks helping Albania and had concluded Iran was behind the "reckless and irresponsible" attack and subsequent hack-and-leak operation.

The government's decision was formally delivered to the Iranian Embassy in Tirana, the capital, in an official note, Prime Minister Edi Rama said. All embassy staff, including diplomatic and security personnel, were ordered to leave Albania within 24 hours. On July 15, a cyberattack temporarily shut down numerous Albanian government digital services and websites. Rama said an investigation determined that the cyberattack wasn't carried out by individuals or independent groups, calling it "state aggression."

Security

As Ex-Uber Executive Heads To Trial, the Security Community Reels (nytimes.com) 67

Joe Sullivan, Uber's former chief of security, faces criminal charges for his handling of a 2016 security breach. His trial this week has divided the security industry. From a report: Joe Sullivan was a rock star in the information security world. One of the first federal prosecutors to work on cybercrime cases in the late 1990s, he jumped into the corporate security world in 2002, eventually taking on high-profile roles as chief of security at Facebook and Uber. When the security community made its annual summer pilgrimage to Las Vegas for two conferences, Mr. Sullivan was an easily recognizable figure: tall with shaggy hair, wearing sneakers and a hoodie. "Everyone knew him; I was in awe, frankly," said Renee Guttmann, who was the chief information security officer for Coca-Cola and Campbell Soup. "He was an industry leader." So it came as a shock to many in the community when Mr. Sullivan was fired by Uber in 2017, accused of mishandling a security incident the year before. Despite the scandal, Mr. Sullivan got a new job as chief of security at Cloudflare, an internet infrastructure company.

But the investigation into the incident at Uber continued, and in 2020, the same prosecutor's office where Mr. Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. Mr. Sullivan has pleaded not guilty to the charges. Mr. Sullivan stepped down from his job at Cloudflare in July, in preparation for his trial, which begins this week in U.S. District Court in San Francisco. Other chief security officers are following the case closely, worried about what it means for them. [...] At the very least, security executives are worried about being on the hook for potential legal bills. Charles Blauner, a retired CISO and cybersecurity adviser, said security chiefs had taken a strong interest in directors and officers insurance, which covers the legal costs of executives who are sued as a result of their work with a company. "A lot of sitting chief information security officers are going to their bosses and asking if they have D.&O. insurance and, if not, can I have it?" Mr. Blauner said. "They are saying, 'If I'm going to be held liable for something our company does, I want legal coverage.'" After being charged, Mr. Sullivan sued Uber to force it to pay his legal fees in the criminal case, and they reached a private settlement.

Bug

Scientists Create Cyborg Cockroaches Controlled By Solar-Powered Backpacks (cnet.com) 30

An anonymous reader quotes a report from CNET: In a new study, published Monday in the journal npj Flexible Electronics, an international team of researchers revealed it has engineered a system to remotely control the legs of cockroaches from afar. The system, which is basically a cockroach backpack wired into the creature's nervous system, has a power output about 50 times higher than previous devices and is built with an ultrathin and flexible solar cell that doesn't hinder the roach's movement. Pressing a button sends a shock to the backpack that tricks the roach into moving a certain direction.

Cockroach cyborgs are not a new idea. Back in 2012, researchers at North Carolina State University were experimenting with Madagascar hissing cockroaches and wireless backpacks, showing the critters could be remotely controlled to walk along a track. The way scientists do this is by attaching the backpack and connecting wires to a cockroach's "cerci," two appendages at the end of the abdomen that are basically sensory nerves. One on the left, one on the right. Previous studies have shown electrical impulses to either side can stimulate the roach into moving in that direction, giving researchers some control over locomotion. But to send and receive signals, you need to power the backpack. You might be able to use a battery but, eventually, a battery will run out of power and the cyborg cockroach will be free to disappear into the leaf litter.

The team at Riken crafted the system to be solar-powered and rechargeable. They attached a battery and stimulation module to the cockroach's thorax (the upper segment of its body). That was the first step. The second step was to make sure the solar cell module would adhere to the cockroach's abdomen, the segmented lower section of its body. [T]he Riken team tested a number of thin electronic films, subjecting their roaches to a bunch of experiments and watching how the roaches moved depending on the thickness of the film. This helped them decide on a module about 17 times thinner than a human hair. It adhered to the abdomen without greatly limiting the degree of freedom the roaches had and also stuck around for about a month, greatly outlasting previous systems.

"The current system only has a wireless locomotion control system, so it's not enough to prepare an application such as urban rescue," said Kenjiro Fukuda, an expert in flexible electronics at Japan's Riken. "By integrating other required devices such as sensors and cameras, we can use our cyborg insects for such purposes."

Fukuda notes the design of the ultrathin solar cell could be applied to other insects, like beetles and cicadas.
China

China Accuses US of 'Tens of Thousands' of Cyberattacks (hongkongfp.com) 42

Beijing this week accused the United States of launching "tens of thousands" of cyberattacks on China and pilfering troves of sensitive data, including from a public research university. From a report: Washington has accused Beijing of cyberattacks against US businesses and government agencies, one of the issues over which ties between the two powers have nosedived in recent years. China has consistently denied the claims and in turn lashed out against alleged US cyber espionage, but has rarely made public disclosures of specific attacks. But a report released Monday by its National Computer Virus Emergency Response Center (CVERC) accused the US National Security Agency (NSA) of carrying out "tens of thousands of malicious attacks on network targets in China in recent years." It specifically accused the NSA's Office of Tailored Access Operations (TAO) of infiltrating the Northwestern Polytechnical University in the city of Xi'an.
Security

Los Angeles School District Warns of Disruption As It Battles Ongoing Ransomware Attack (techcrunch.com) 25

The Los Angeles Unified School District (LAUSD) has confirmed it was hit by a ransomware attack that is causing ongoing technical disruptions. From a report: LAUSD is the second largest school district in the U.S. after the New York City Department of Education. The LAUSD serves over 600,000 students spanning from kindergarten through 12th grade at over 1,000 schools, and employs more than 26,000 teachers. The district said on Monday that it was hit by a cyberattack over the weekend, which it later confirmed was ransomware.

Although the attack caused "significant disruption" to LAUSD's infrastructure, the district said it will resume classes on Tuesday -- after observing Labor Day on Monday -- while it works to restore impacted services. LAUSD said that it does not expect technical issues to impact transportation, food or after-school programs, but noted that "business operations may be delayed or modified." It warned that ongoing disruptions include "access to email, computer systems, and applications," while a post from Northridge Academy High, a school in the district, confirmed that teachers and students might be unable to access Google Drive and Schoology, a K-12 learning management system, until further notice.

Chrome

Google Chrome Emergency Update Fixes New Zero-Day Used in Attacks (bleepingcomputer.com) 15

Google has released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to address a single high-severity security flaw, the sixth Chrome zero-day exploited in attacks patched this year. From a report: "Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the company said in a security advisory published on Friday. This new version is rolling out in the Stable Desktop channel, with Google saying that it will reach the entire user base within a matter of days or weeks. It was available immediately when BleepingComputer checked for new updates by going into the Chrome menu > Help > About Google Chrome. The web browser will also auto-check for new updates and automatically install them after the next launch.
Social Networks

TikTok Denies Reports That It's Been Hacked (theverge.com) 26

TikTok is denying reports that it was breached after a hacking group posted images of what they claim is a TikTok database that contains the platform's source code and user information. In response to these allegations, TikTok said its team "found no evidence of a security breach." From a report: According to Bleeping Computer, hackers shared the images of the alleged database to a hacking forum, saying they obtained the data on a server used by TikTok. It claims the server stores over 2 billion records and 790GB worth of user data, platform statistics, code, and more. "We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases," TikTok spokesperson Maureen Shanahan said in a statement to The Verge. "We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community."
IT

After 'Quiet Quitting', Here Comes 'Quiet Firing' (msn.com) 231

"Quiet quitting" as a catchphrase "took off on TikTok among millennials and Gen Zers," according to Business Insider. They describe it as "employees doing what their job expects of them, and not offering to do more than what they get paid to do."

The Washington Post digs deeper: Quiet quitting looks to many like a reasonable retreat from the round-the-clock hustle culture. But to others, quiet quitting represents disengaged employees sandbagging and shirking all but the minimum effort, not expecting — or not caring — that their employers might fire them for it.

But if we're going to accuse workers of quiet quitting, we should also acknowledge the phenomenon of "quiet firing," in which employers avoid providing all but the bare legal minimum, possibly with the aim of getting unwanted employees to quit. They may deny raises for years, fail to supply resources while piling on demands, give feedback designed to frustrate and confuse, or grant privileges to select workers based on vague, inconsistent performance standards. Those who don't like it are welcome to leave.

Their article even provides an example. One reader (near retirement age) says their employer required them to return to the office for at least three days a week — "but those who left the area are allowed to continue to work fully remotely."
Electronic Frontier Foundation

Peter Eckersley, Co-Creator of Let's Encrypt, Dies at 43 (sophos.com) 35

Seven years ago, Slashdot reader #66,542 announced "Panopticlick 2.0," a site showing how your web browser handles trackers.

But it was just one of the many privacy-protecting projects Peter Eckersley worked on, as a staff technologist at the EFF for more than a decade. Eckersley also co-created Let's Encrypt, which today is used by hundreds of millions of people.

Friday the EFF's director of cybersecurity announced the sudden death of Eckersley at age 43. "If you have ever used Let's Encrypt or Certbot or you enjoy the fact that transport layer encryption on the web is so ubiquitous it's nearly invisible, you have him to thank for it," the announcement says. "Raise a glass."

Peter Eckersley's web site is still online, touting "impactful privacy and cybersecurity projects" that he co-created, including not just Let's Encrypt, Certbot, and Panopticlick, but also Privacy Badger and HTTPS Everywhere. And in addition, "During the COVID-19 pandemic he convened the stop-covid.tech group, advising many groups working on privacy-preserving digital contact tracing and exposure notification, assisting with several strategy plans for COVID mitigation." You can also still find Peter Eckersley's GitHub repositories online.

But Peter "had apparently revealed recently that he had been diagnosed with cancer," according to a tribute posted online by security company Sophos, noting his impact is all around us: If you click on the padlock in your browser [2022-09-0T22:37:00Z], you'll see that this site, like our sister blog site Sophos News, uses a web certificate that's vouched for by Let's Encrypt, now a well-established Certificate Authority (CA). Let's Encrypt, as a CA, signs TLS cryptographic certificates for free on behalf of bloggers, website owners, mail providers, cloud servers, messaging services...anyone, in fact, who needs or wants a vouched-for encryption certificate, subject to some easy-to-follow terms and conditions....

Let's Encrypt wasn't the first effort to try to build a free-as-in-freedom and free-as-in-beer infrastructure for online encryption certificates, but the Let's Encrypt team was the first to build a free certificate signing system that was simple, scalable and solid. As a result, the Let's Encrypt project was soon able to gain the trust of the browser making community, to the point of quickly getting accepted as an approved certificate signer (a trusted-by-default root CA, in the jargon) by most mainstream browsers....

In recent years, Peter founded the AI Objectives Institute, with the aim of ensuring that we pick the right social and economic problems to solve with AI:

"We often pay more attention to how those goals are to be achieved than to what those goals should be in the first place. At the AI Objectives Institute, our goal is better goals."

Windows

Microsoft Investigates Bug That Mistakenly Flags Chromium-Based Apps as Malware (windowscentral.com) 44

Windows' "Defender" software is supposed to detect malware. But its Microsoft team is now investigating reports that it's mistakenly flagging Electron-based or Chromium-based applications as malware.

"It's a false positive, and your computer is OK," writes the blog Windows Central: This morning, many people worldwide experienced Microsoft Defender warning them of a recurring virus threat.... People on Reddit are "freaking out" over not just a reported threat from Microsoft Defender but one that keeps popping up and recurring despite the alleged threat being blocked.

The threat is revealed in a pop-up message noting that "Behavior:Win32/Hive.ZY" has been detected and is listed as "severe." However, after taking action to rectify the issue, it does not go away, and the user will keep receiving the same prompt. The reminder may return after 20 seconds, with the cycle repeating endlessly.

This detection appears to be a false positive, according to a Microsoft Support forum... From DaveM121, an Independent Advisor: [I]t is a bug currently being reported by hundreds of people at the moment, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify, etc....

Also affected are Google Chrome and even Microsoft Edge, as well as "anything that runs Visual Studio Code," according to the article.

"The problem seems to originate from Defender's Definition/Update Version 1.373.1508.0, meaning Microsoft needs to update that file, and the issue should be resolved."
Australia

14-Year-Old Cracks Australian Coin's Code - in One Hour (abc.net.au) 58

So Australia's foreign intelligence cybersecurity agency marked its 75th anniversary by collaborating with the Australian mint to release a special commemorative coin with a four-layer secret code. The agency's director even said that if someone cracked all four layers of the code, "maybe they'll apply for a job."

A 14-year-old boy cracked their code "in just over an hour." Australia's national broadcaster reports: The ASD said the coin's four different layers of encryption were each progressively harder to solve, and clues could be found on both sides — but ASD director-general Rachel Noble said in a speech at the Lowy Institute on Friday that the 14-year-old managed it in just over an hour.... "Just unbelievable. Can you imagine being his mum?

"So we're hoping to meet him soon ... to recruit him...."

She also revealed on Friday that there was a fifth level of encryption on the coin which no one had broken yet.

Security

How 1-Time Passcodes Became a Corporate Liability (krebsonsecurity.com) 53

Brian Krebs, reporting at Krebs on Security: In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer's Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. The phishers behind this scheme used newly-registered domains that often included the name of the target company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule.

The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server. This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign "0ktapus" for the attackers targeting organizations using identity management tools from Okta.com. "This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations," Group-IB wrote. "Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance." It's not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies.

Privacy

Samsung Says Customer Data Stolen in July Data Breach (techcrunch.com) 7

U.S. electronics giant Samsung has confirmed a data breach affecting customers' personal information. From a report: In a brief notice, Samsung said it discovered the security incident in late-July and that an "unauthorized third party acquired information from some of Samsung's U.S. systems." The company said it determined customer data was compromised on August 4. Samsung said Social Security numbers and credit card numbers were not affected, but some customer information -- name, contact and demographic information, date of birth, and product registration information -- was taken.
Australia

Royal Australian Mint Releases Coin With Code-Breaking Challenge In the Design (abc.net.au) 41

New submitter IsThisNickNameUsed writes: The Australian Mint has released a coin in partnership with the Australian Signals Directorate (ASD) that has incorporated a code-breaking challenge in the design. The coin is to mark the 75th anniversary of the spy agency and incorporates a code with four layers of encryption -- each layer progressively harder to solve. "We thought this was a really fun way to engage people in code-breaking with the hope that, if they make it through all four levels of coding on the coin, maybe they'll apply for a job at the Australian Signals Directorate," said ASD director-general Rachel Noble.

Fitting the codes on the faces of the coin was a complex process, she said. "Ensuring people could see the code to decrypt it was one of the challenges our people were able to solve with ASD, to create a unique and special product."

Ms Noble said that while there were no classified messages on the coin, those who crack the codes could discover "some wonderful, uplifting messages." "Like the early code breakers in ASD, you can get through some of the layers with but a pencil and paper but, right towards the end, you may need a computer to solve the last level," she said.

UPDATE: A 14-year-old boy cracked the code "in just over an hour."
