Security

Ukraine Says Russian Cyberattack Sought To Shut Down Energy Grid (cnbc.com) 19

Russian military hackers tried and failed to attack Ukraine's energy infrastructure last week, the country's government and a major cybersecurity company said Tuesday. From a report: The attack was designed to infiltrate computers connected to multiple substations, then delete all files, which would shut that infrastructure down, according to Ukraine's summary of the incident. ESET, a Slovakia-based cybersecurity company working to help secure Ukrainian infrastructure, said in a summary of the attack that it was conducted by the same arm of Russia's military intelligence agency, GRU, that had previously successfully executed similar attacks in 2014 and 2015. In both of those incidents, some residents of Kyiv temporarily lost power. This attack had been planned for at least two weeks, ESET said. Since Russia began its invasion in February, Ukraine hasn't been hit by any attacks as visibly destructive as those previous hacks of Kyiv energy companies. But Ukraine has faced multiple so-called "wiper" attacks, including ones that have targeted computers in Ukraine's government, financial institutions and internet service providers. Those attacks also look to mass-delete files from hacked computers.

Security

US and European Partners Take Down Hacker Website RaidForums (reuters.com) 6

U.S. and European authorities said on Tuesday they had seized RaidForums, a popular website used by hackers to buy and sell stolen data, and the United States also unsealed charges against the website's founder and chief administrator Diego Santos Coelho. From a report: Coelho, 21, of Portugal, was arrested in the United Kingdom on Jan. 31, and remains in custody while the United States seeks his extradition to stand trial in the U.S. District Court for the Eastern District of Virginia, the U.S. Justice Department said. The department said it had obtained court approval to seize three different domain names that hosted the RaidForums website: raidforums.com, Rf.ws and Raid.lol. The types of data available for sale on the site included stolen bank routing and account numbers, credit card information, log-in credentials and social security numbers.
Encryption

US Military Makes 'Significant Effort' in Quantum-Resistant Cryptography (stripes.com) 48

David Spirk, the chief data officer for America's Department of Defense, "called for the Pentagon to make urgent investments to defend against potential espionage from quantum computers" that could crack the encryption on sensitive data, Bloomberg reports: "I don't think that there's enough senior leaders getting their heads around the implications of quantum," Spirk said. "Like AI, I think that's a new wave of compute that when it arrives is going to be a pretty shocking moment to industry and government alike."

"We have to pick up pace because we have competitors who are also attempting to accelerate," he added.

Spirk's comments come amid warnings that U.S. adversaries, particularly China, are aggressively pursuing advanced technologies that could radically accelerate the pace of modern warfare. China is investing in AI and quantum sciences as part of its plan to become an innovation superpower, according to the Pentagon's latest annual report to Congress on China's military power. China is "at or near the lead on numerous science fields," including AI and quantum, it said. The National Security Agency, meanwhile, said last year that the adversarial use of a quantum computer "could be devastating" to the U.S. and its national security systems. The NSA said it could take 20 years or more to roll out new post-quantum cryptography that would resist such code-cracking.

Tim Gorman, a spokesperson at the Pentagon, said the Department of Defense was taking post-quantum cryptography seriously and coordinating with Congress and across government agencies. He added there was "a significant effort" underway.

A January presidential memo further charged agencies with establishing a timeline for transitioning to quantum resistant cryptography.

Cloud

Do Developers Benefit From Fewer Choices? (infoworld.com) 108

"Enabling developer productivity has become a key vector in every organization's success," writes Matt Asay at InfoWorld — not a nice-to-have feature but a must-have.

"Which is why, perhaps ironically, the best way to set your developers free may actually be to fetter their freedom." The more developers mattered, the more everyone wanted to cater to their needs with new software tools, new open source projects, new cloud services, etc. This meant lots of new developer choice and associated freedom, but that wasn't necessarily an unalloyed good. As RedMonk analyst Steven O'Grady noted in 2017, "The good news is that this developer-driven fragmentation has yielded an incredible array of open source software. The bad news is that, even for developers, managing this fragmentation is challenging."

Can one have too much choice? Yep.

It's long been known in consumer retail, for example, that when there is too much choice, "consumers are less likely to buy anything at all, and if they do buy, they are less satisfied with their selection." Turns out this isn't just a matter of breakfast cereals or clothing. It also applies to developers building enterprise software. InfoWorld's Scott Carey writes that "complexity is killing software developers." He's right. But what can be done?

In a conversation with Weaveworks CEO Alexis Richardson, he related how self-service development platforms are reemerging to help developers make sense of all that open source and cloud choice. By giving developers "a standard, pre-approved environment in which the effort to create an app from an idea is minimal," he explained, it allows them to "focus on innovation not plumbing."

"Done right, a little bit of constraint goes a long way..." Asay argues, touting the benefits of PaaS (platform as a service) self-service development platforms. ("Enterprises that want to give their developers the freedom the cloud affords can couple it with just enough constraint to make that freedom useful....")

Asay argues that "However you approach it, the point is to stop thinking about freedom and control as impossibly opposed. Smart enterprises are figuring out ways to enable their developers using self-service platforms. Maybe you should, too."

Operating Systems

Raspberry Pi OS Ditches Longtime User Account For Security Reasons (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: Since its launch, the Raspberry Pi OS (and most operating systems based on it) has shipped with a default "pi" user account, making it simpler to boot up a Pi and start working without needing to hook up the device to a monitor or go through a multi-step setup process. But as of today, that's changing -- new installs of the Raspberry Pi OS are shedding that default user account for both security and regulatory reasons.

Raspberry Pi Foundation software engineer Simon Long explains the thinking in this blog post. "[The "pi" user account] could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials," he writes. This move will improve the Pi operating system's security.

Before, even if you assigned a good password to the "pi" account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the "pi" username. Many Pi OS-based operating systems also ship with the default "pi" user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place. The flip side is that the change could break some software and scripts, particularly those that are hard-coded to use the "pi" user account and home folder.

"[T]he Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment," adds Ars. "And that setup wizard now prompts you to create a username and password rather than simply assigning a password to the default 'pi' user account. To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first."

The new version of the Pi OS also includes experimental support for the Wayland display server protocol, but Long says most people should ignore it for now since it's explicitly labeled as "experimental."

Microsoft

Fed-up Managers Declare Work From Home is Over (fortune.com) 289

OneHundredAndTen writes: It would seem that a majority of managers have decided to launch a campaign of threats to force people back into the office. From the report: About 77% of managers said they'd be willing to implement "severe consequences" -- including firing workers or cutting pay and benefits -- on those who refuse to return to the office, according to a recent survey by employment background check company GoodHire of 3,500 American managers.

Windows

New Windows 11 Security Feature Will Require a PC Reset (thurrott.com) 130

Microsoft has rolled out a new security feature called Smart App Control with Windows 11. From a report: "Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications," Microsoft vice president David Weston explains. "It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals." Smart App Control is interesting because it will be enabled by default on new Windows PCs in the future. But if you upgrade to whatever version of Windows 11 that enables this feature on an existing install, you will have to use Reset this PC to reset Windows 11 and clean install it. That is, I believe, unprecedented.

Businesses

Global IT Spending Expected To Surpass $4.4 Trillion in 2022 (techspot.com) 4

Talent shortages, geopolitical disruption, currency fluctuations and inflation aren't expected to have an impact on IT investments in 2022. In fact, research firm Gartner forecasts a four percent increase in worldwide IT spending this year amid all the turmoil. From a report: "Contrary to what we saw at the start of 2020, CIOs are accelerating IT investments as they recognize the importance of flexibility and agility in responding to disruption," said John-David Lovelock, research vice president at Gartner. As such, Gartner anticipates heavy spending on IT services including analytics, cloud computing and security. [...] Collective spending across all IT categories totaled nearly $4.3 trillion in 2021. This year, organizations are expected to shell out more than $4.4 trillion. Growth in categories like IT services and software is forecasted to increase by 6.8 percent and 9.8 percent, respectively. In 2023, the software category could see double-digit growth thanks to experimental end-consumer experiences and supply chain optimizations.

Facebook

Facebook Says Ukraine Military Accounts Were Hacked To Post Calls For Surrender (arstechnica.com) 25

An anonymous reader quotes a report from Ars Technica: Facebook today reported an increase in attacks on accounts run by Ukraine military personnel. In some cases, attackers took over accounts and posted "videos calling on the Army to surrender," but Facebook said it blocked sharing of the videos. Specifically, Facebook owner Meta's Q1 2022 Adversarial Threat Report said it has "seen a further spike in compromise attempts aimed at members of the Ukrainian military by Ghostwriter," a hacking campaign that "typically targets people through email compromise and then uses that to gain access to their social media accounts across the Internet." Ghostwriter has been linked to the Belarusian government.

"Since our last public update [on February 27], this group has attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel," Meta wrote today. Ghostwriter successfully hacked into the accounts in "a handful of cases" in which "they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners. We blocked these videos from being shared." In its February 27 update, Meta said it detected Ghostwriter's "attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender." Meta said it had "taken steps to secure accounts that we believe were targeted by this threat actor" and "blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts." But Ghostwriter continued its operations and hacked into accounts of Ukrainian military personnel, as previously mentioned.

Separately, Facebook recently removed a network of Russian accounts that were trying to silence Ukrainians by reporting "fictitious policy violations." "Under our Inauthentic Behavior policy against mass reporting, we removed a network in Russia for abusing our reporting tools to repeatedly report people in Ukraine and in Russia for fictitious policy violations of Facebook policies in an attempt to silence them," Meta said today. Providing more detail in its quarterly report, Meta said the removed network included 200 accounts operated from Russia. "The individuals behind it coordinated to falsely report people for various violations, including hate speech, bullying, and inauthenticity, in an attempt to have them and their posts removed from Facebook. The majority of these fictitious reports focused on people in Ukraine and Russia, but the network also reported users in Israel, the United States, and Poland," the report said.

IT

Nvidia Won't Make You Sign Into Steam or Epic To Try Its Free New Cloud Gaming Demos (theverge.com) 33

An anonymous reader shares a report: Cloud gaming isn't for everyone, but it's getting easier to tell if it's for you because Nvidia and Google are now letting you try their virtual gaming PCs for free. Following Google's recent announcement that any Stadia developer will be able to offer an instantly accessible free trial of their game without needing to log into a Google account, Nvidia's GeForce Now is now pushing reduced-friction demos as well -- starting with Chorus, Ghostrunner, Inscryption, Diplomacy Is Not an Option and The Riftbreaker: Prologue. Typically, you'd need to log into an Nvidia account, then log in again to a Steam, Epic Games, or Ubisoft account to play one of these demos on GeForce Now, and you'd have to search for them as well. Now, the Nvidia account is all you'll need. Demos will automatically appear in a new "Instant Play Free Demos" row and won't require the second login.

Security

Chinese Hackers Abuse VLC Media Player To Launch Malware Loader (bleepingcomputer.com) 58

Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader. BleepingComputer reports: The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents. This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006.

Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions. The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity. Apart from the custom loader, which O Gorman said Symantec does not have a name for but has been seen in previous attacks attributed to Cicada/APT10, the adversary also deployed a WinVNC server to gain remote control over victim systems. The attacker also executed the Sodamaster backdoor on compromised networks, a tool believed to be used exclusively by the Cicada threat group since at least 2020.

Sodamaster runs in the system memory (fileless) and is equipped to evade detection by looking in the registry for clues of a sandbox environment or by delaying its execution. The malware can also collect details about the system, search for running processes, and download and execute various payloads from the command and control server. [...] The attackers' dwell time on the networks of some of the discovered victims lasted for as long as nine months, the researchers note in a report today.

Botnet

FBI Operation Aims To Take Down Massive Russian GRU Botnet (techcrunch.com) 12

The Federal Bureau of Investigation has disclosed it carried out an operation in March to mass-remove malware from thousands of compromised routers that formed a massive botnet controlled by Russian intelligence. From a report: The operation was authorized by courts in California and Pennsylvania, allowing the FBI to copy and remove the so-called Cyclops Blink malware from infected Asus and WatchGuard routers across the U.S., severing the devices from the servers that remotely control and send instructions to the wider botnet. The Justice Department announced the March operation on Wednesday, describing it as "successful," but warned that device owners should still take immediate action to prevent reinfection.

The Justice Department said that since the news first emerged about the rising threat of Cyclops Blink in February, thousands of compromised devices have been secured, but justified the court-ordered operation because the "majority" of infected devices were still compromised just weeks later in mid-March. Cyclops Blink is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security researchers in 2018 and later targeted by a U.S. government operation to disrupt its command and control servers. Both Cyclops Blink and VPNFilter are attributed to Sandworm, a group of hackers working for Russia's GRU, the country's military intelligence unit.

Security

Hackers Stole More Than $600 Million in Crypto. Laundering It Is the Tricky Part. (wsj.com) 60

Thieves netting massive sums in cybercrime have limited options for laundering the funds. From a report: Many eyes in the crypto world are on a 42-character address on the Ethereum blockchain, which has unclear ownership and is currently home to the equivalent of about $600 million. Hackers stole the funds from players of online game "Axie Infinity" in a March 23 heist uncovered last week. The criminals have moved millions of dollars of assets in recent days, according to blockchain-monitoring tools, but the majority of funds remain in place, leaving victims and outside observers awaiting next moves. Crypto's transparency has turned money laundering into a perverse spectator sport. Transaction records on public blockchains give authorities a bird's-eye view of stolen funds equivalent to tens or hundreds of millions of dollars, often pilfered by targeting poorly secured software bridges that transfer assets between blockchains. The openness leaves successful cyber thieves facing a key question: How do you launder a nine-figure score?

"When there's a hack like that, everyone is watching the wallets," said Kimberly Grauer, director of research at Chainalysis, a blockchain-analytics firm. "So you better damn well know what you're going to do." The fate of the money stolen from "Axie Infinity" users, one of the largest such thefts, has become a topic of speculation. On Etherscan, a monitoring platform where users can see transactions to and from the address in question, commenters claiming to be victims, broke college students or Ukrainian refugees have posted messages asking the hackers to spread their newfound wealth. [...] Last week, blockchain analysts and amateur digital sleuths watched as ether worth about $20 million moved to crypto exchanges based in the Bahamas and Seychelles. On Monday, an additional $12 million of assets flowed into a mixer, which blends different cryptocurrencies to help obscure their sources. Mixers can have their own security compromises and are dependent on having enough crypto on hand to exchange illicit deposits for cleaner funds, said Mitchell Amador, chief executive of Immunefi, a bug-bounty platform focused on decentralized systems.

AMD

AMD Confirms Its GPU Drivers Are Overclocking CPUs Without Asking (tomshardware.com) 73

AMD has confirmed to Tom's Hardware that a bug in its GPU driver is, in fact, changing Ryzen CPU settings in the BIOS without permission. This condition has been shown to auto-overclock Ryzen CPUs without the user's knowledge. From the report: Reports of this issue began cropping up on various social media outlets recently, with users reporting that their CPUs had mysteriously been overclocked without their consent. The issue was subsequently investigated and tracked back to AMD's GPU drivers. AMD originally added support for automatic CPU overclocking through its GPU drivers last year, with the idea that adding in a Ryzen Master module into the Radeon Adrenalin GPU drivers would simplify the overclocking experience. Users with a Ryzen CPU and Radeon GPU could use one interface to overclock both. Previously, it required both the GPU driver and AMD's Ryzen Master software.

Overclocking a Ryzen CPU requires the software to manipulate the BIOS settings, just as we see with other software overclocking utilities. For AMD, this can mean simply engaging the auto-overclocking Precision Boost Overdrive (PBO) feature. This feature does all the dirty work, like adjusting voltages and frequency on the fly, to give you a one-click automatic overclock. However, applying a GPU profile in the AMD driver can now inexplicably alter the BIOS settings to enable automatic overclocking. This is problematic because of the potential ill effects of overclocking -- in fact, overclocking a Ryzen CPU automatically voids the warranty. AMD's software typically requires you to click a warning to acknowledge that you understand the risks associated with overclocking, and that it voids your warranty, before it allows you to overclock the system. Unfortunately, that isn't happening here.

Until AMD issues a fix, "users have taken to using the Radeon Software Slimmer to delete the Ryzen Master SDK from the GPU driver, thus preventing any untoward changes to the BIOS settings," adds Tom's Hardware.

Microsoft

Microsoft Launches a New Remote Help Service For IT Teams (techcrunch.com) 22

An anonymous reader shares a report: Microsoft Endpoint Manager is the company's platform for helping IT teams manage and secure large fleets of devices, something that's become increasingly complicated since the start of the pandemic. As part of its larger "Future of Hybrid Work" event, the company also today launched some updates to Endpoint Manager that go beyond some of the traditional feature sets for similar services, with the promise to expand on these in the future.

The first new feature Microsoft is adding to the platform under the name of "Microsoft Advanced Management" is remote help. If you've ever used Teamviewer to help a family member fix a computer issue, you can basically think of it as that, but with all of the enterprise bells and whistles it takes to make sure a service like this is secure, the devices on both ends are configured correctly and everybody is who they say they are. And that's why this is part of the overall Endpoint Manager story, because that's what provides the access and identity controls through a tight integration with Azure Active Directory and helps verify the users and devices. You wouldn't just want your employees to be able to give control over their machines to any random social hacker, after all.

Security

Block Confirms Cash App Breach After Former Employee Accessed US Customer Data (techcrunch.com) 17

Block has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained some U.S. customer information. From a report: In a filing with the Securities and Exchange Commission (SEC) on April 4, Block -- formerly known as Square -- said that the reports were accessed by the insider on December 10. "While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended," the filing reads. Block refused to answer our questions about why a former employee still had access to this data, and for how long they retained access after their employment at the company had ended. The information in the reports included users' full names and brokerage account numbers, and for some customers the accessed data also included brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day.

Privacy

Border Patrol's Use of Amazon's Wickr Messaging App Draws Scrutiny (nbcnews.com) 19

A letter from the National Archives and Records Administration hints at growing unease with government officials' use of some encrypted messaging apps. NBC News: In October, Laurence Brewer, the chief records officer of the National Archives and Records Administration, told officials at U.S. Customs and Border Protection he was worried about how the agency was using an app called Wickr. The Amazon-owned encrypted messaging platform is known for its ability to automatically delete messages. Brewer, who is responsible for ensuring that government officials handle records correctly, wrote in a letter that he was "concerned about agencywide deployment of a messaging application that has this functionality without appropriate policies and procedures governing its use." Brewer addressed his letter to Eric Hysen, the chief information officer of the Department of Homeland Security. It was uploaded to the National Archives website, and its concerns had not been previously reported. The document offers a rare insight into Customs and Border Protection's use of Wickr, and highlights the broader worries that some officials and watchdogs have about the growing use of messaging apps at all levels of the U.S. government.

Wickr was bought by Amazon's cloud-computing division last June and has contracts with a number of government agencies. Customs and Border Protection (CBP), which has been criticized by human rights activists and immigration lawyers over what they say are its secretive practices, has spent more than $1.6 million on Wickr since 2020, according to public procurement records. But little is known about how the agency has deployed the app, which is popular among security-minded people ranging from journalists to criminals. Its auto-deletion feature has made the platform a cause of concern among government record keepers, as well as external watchdogs, who worry that Wickr and other similar apps are creating ways for customs officials to sidestep government transparency requirements.

Security

Mailchimp Says an Internal Tool Was Used To Breach Hundreds of Accounts (techcrunch.com) 13

Email marketing giant Mailchimp has confirmed a data breach after malicious hackers compromised an internal company tool to gain access to customer accounts. From a report: In a statement given to TechCrunch, Mailchimp CISO Siobhan Smyth said the company became aware of the intrusion on March 26 after it identified a malicious actor accessing a tool used by the company's customer support and account administration teams. Access was gained following a successful social engineering attack, a type of attack that exploits human error and uses manipulation techniques to gain private information, access or valuables. "We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected," Smyth said.

Google

Google Cloud Security Exec: Government Reliance on Microsoft Is a Security Vulnerability (nbcnews.com) 64

"Google is taking aim at Microsoft's dominance in government technology and security," reports NBC News: Jeanette Manfra, director of risk and compliance for Google's cloud services and a former top U.S. cybersecurity official, said Thursday that the government's reliance on Microsoft — one of Google's top business rivals — is an ongoing security threat.

Manfra also said in a blog post published Thursday that a survey commissioned by Google found that a majority of federal employees believe that the government's reliance on Microsoft products is a cybersecurity vulnerability. "Overreliance on any single vendor is usually not a great idea," Manfra said in a phone interview. "You have an attack on one product that the majority of the government is depending on to do their job, you have a significant risk in how the government can continue to function."

Microsoft pushed back strongly against the claim, calling it "unhelpful." The study comes as Google is positioning itself to challenge Microsoft's dominance in federal government offices, where Windows and Office programs are commonly used....

The blog post comes as hackers continue to discover critical software vulnerabilities at an increasing pace across major tech products, but especially in Microsoft programs. Last year, researchers discovered 21 "zero-days" — an industry term for a critical vulnerability that a company doesn't have a ready solution for — actively in use against Microsoft products, compared to 16 against Google and 12 against Apple. The most prominent zero-day was used against Microsoft's Exchange email program, which cybersecurity experts say was first employed by Chinese cyberspies and then quickly adopted by criminal hackers, leading to hundreds of companies becoming compromised.

Crime

Ubiquiti Files Case Against Security Blogger Krebs Over 'False Accusations' (itwire.com) 32

In March of 2021 the Krebs on Security blog reported that Ubiquiti, "a major vendor of cloud-enabled Internet of Things devices," had disclosed a breach exposing customer account credentials. But Krebs added that a company source "alleges" that Ubiquiti was downplaying the severity of the incident — which is not true, says Ubiquiti.

Krebs' original post now includes an update — putting the word "breach" in quotation marks, and noting that actually a former Ubiquiti developer had been indicted for the incident...and also for trying to extort the company. It was that extortionist, Ubiquiti says, who'd "alleged" they were downplaying the incident (which the extortionist had actually caused themselves).

Ubiquiti is now suing Krebs, "alleging that he falsely accused the company of 'covering up' a cyberattack," ITWire reports: In its complaint, Ubiquiti said contrary to what Krebs had reported, the company had promptly notified its clients about the attack and instructed them to take additional security precautions to protect their information. "Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com," the complaint alleged.

It said there was no evidence to support Krebs' claims and only one source, [the indicted former employee] Nickolas Sharp....

According to the indictment issued by the Department of Justice against Sharp in December 2021, after publication of the articles in question on 30 and 31 March, Ubiquiti's stock price fell by about 20% and the company lost more than US$4 billion (A$5.32 billion) in market capitalisation.... The complaint alleged Krebs had intentionally misrepresented the truth because he had a financial incentive to do so, adding, "His entire business model is premised on publishing stories that conform to this narrative...."

"Through its investigation, Ubiquiti learned that Sharp had used his administrative access codes (which Ubiquiti provided to him as part of his employment) to download gigabytes of data. Sharp used a Virtual Private Network (VPN) to mask his online activity, and he also altered log retention policies and related files to conceal his wrongful actions," the complaint alleged. "Ubiquiti shared this information with federal authorities and the company assisted the FBI's investigation into Sharp's blackmail attempt. The federal investigation culminated with the FBI executing a search warrant on Sharp's home on 24 March 2021." The complaint then went into detail about how Sharp contacted Krebs and how the story came to be published.

Krebs was accused of two counts of defamation, with Ubiquiti seeking a jury trial and asking for a judgment against him that awarded compensatory damages of more than US$75,000, punitive damages of US$350,000, all expenses and costs including lawyers' fees and any further relief deemed appropriate by the court.

Krebs' follow-up post in December had included more details: Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp's Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads...

Several days after the FBI executed its search warrant, Sharp "caused false or misleading news stories to be published about the incident," prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti's systems kept certain logs of user activity in AWS.

Thanks to Slashdot reader juul_advocate for sharing the story...
