Facebook

Facebook is Locking Out People Who Didn't Activate Facebook Protect (theverge.com)

An anonymous reader shares a report: Early in March, a bunch of Facebook users got a mysterious, spam-like email titled "Your account requires advanced security from Facebook Protect" and telling them that they were required to turn on the Facebook Protect feature (which they could do by hitting a link in the email) by a certain date, or they would be locked out of their account. The program, according to Facebook, is a "security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials." It's meant to do things like ensure those accounts are monitored for hacking threats and that they are protected by two-factor authentication (2FA).

Unfortunately, the email that Facebook sent from the address security@facebookmail.com resembled a rather common form of spam, and so it's probable that many people ignored it. It actually wasn't spam. In fact, it was real. The first deadline to hit for many people was Thursday, March 17th. And now, they are locked out of their Facebook accounts -- and are having trouble with the process that Facebook has provided to get them back in. Those who did not activate Facebook Protect before their deadline are apparently getting a message explaining why they can't get into their accounts and offering to help them turn it on. However, it's not always working.

United States

CISA, FBI Warn of Threats To US Satellite Networks After Viasat Cyberattack (techcrunch.com)

The U.S. government is warning of "possible threats" to satellite communication networks amid fears that recent attacks on satellite networks in Europe, sparked by the war in Ukraine, could soon spread to the United States. From a report: A joint CISA-FBI advisory published this week urges satellite communication (SATCOM) network providers and critical infrastructure organizations that rely on satellite networks to bolster their cybersecurity defenses due to an increased likelihood of cyberattack, warning that a successful intrusion could create risk in their customer environments.

While the advisory did not name specific sectors under threat, the use of satellite communications is widespread across the United States. It's estimated that about eight million Americans rely on SATCOM networks for internet access. Ruben Santamarta, a cybersecurity expert who specializes in analyzing satellite communications systems, told TechCrunch that networks are used in a wide number of industries, including aviation, government, the media and the military, as well as gas facilities and electricity service stations that are located in remote places.

Microsoft

Microsoft Defender Tags Office Updates As Ransomware (bleepingcomputer.com)

joshuark writes: In one of those in-your-face ironies or karmic debts, Bleeping Computer reports that Microsoft Defender tags Office updates as ransomware. The article states: "Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems."

Further on, an explanation for the source of the karmic irony is: "The root cause of the false positives was a recently deployed update within service components for detecting ransomware alerts." Couldn't this have waited for April 1st?

Bleeping Computer goes on, "A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today."

Security

Russian Cyber Attacks Are Struggling To Impact Ukraine's Networks (bloomberg.com)

Russian cyber attacks have so far struggled to successfully target Ukraine's critical national infrastructure, according to government officials. From a report: While they are aware of Russian intent to disrupt or infiltrate Ukrainian systems, according to the officials, those systems have continued to function and Ukraine has mounted a strong defense. Many denial-of-service attacks targeting Ukraine are of low sophistication and impact, said the people, who asked not to be identified discussing private information. The country's experience fending off major cyber attacks since 2015 may have helped prepare it for recent attempts, they added. The destructive "wiper" malware seen in Ukraine is more insidious, and the officials said they are on alert for it appearing outside of the country. In the hours prior to Russia's invasion, some Ukrainian government agencies were targeted with the software, which deleted data held on infected computers. More aggressive network take-downs or attacks may not fit with Russian objectives, they added, and Russia could even be leaving the broadband network active for its own means to gather intelligence.

Security

Hundreds of GoDaddy-Hosted Sites Backdoored In a Single Day (bleepingcomputer.com)

Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy's Managed WordPress service, all featuring an identical backdoor payload. The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress. BleepingComputer reports: The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy. The backdoor infecting all sites is a 2015 Google search SEO-poisoning tool implanted in wp-config.php to fetch spam link templates from the C2 that are used to inject malicious pages into search results. The campaign uses predominantly pharmaceutical spam templates, served to visitors of the compromised websites instead of the actual content.

The goal of these templates is likely to entice the victims to make purchases of fake products, losing money and payment details to the threat actors. Additionally, the actors can harm a website's reputation by altering its content and making the breach evident, but this doesn't seem to be the actors' aim at this time. The intrusion vector hasn't been determined, so while this looks suspiciously close to a supply chain attack, it hasn't been confirmed. [...] In any case, if your website is hosted on GoDaddy's Managed WordPress platform, make sure to scan your wp-config.php file to locate potential backdoor injections. Wordfence also reminds admins that while removing the backdoor should be the first step, removing spam search engine results should also be a priority.

Security

Google Discovers Threat Actor Working as an 'Initial Access Broker' for Conti Ransomware Hackers (techcrunch.com)

Google's Threat Analysis Group has observed a financially-motivated threat actor working as an intermediary for the Russian hackers, including the Conti ransomware gang. From a report: The group, which Google refers to as "Exotic Lily," acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim's network, ransomware gangs like Conti can focus on the execution phase of an attack. In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to ".us," ".co" or ".biz." In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces. The attackers, which Google believes are operating from Central or Eastern Europe due to the threat actors' working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.
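The TLD-swap pattern described above is simple enough to turn into a mail-gateway check. The following Python is an added example, not code from Google's Threat Analysis Group or from the TechCrunch report: it extracts the sender domain from each From: header, compares it against a list of domains the organisation legitimately corresponds with, and flags senders that reuse a known organisation's name under a different TLD. The known-domain list and the From: headers are constructed sample data, and the two-label domain split is an assumption that ignores multi-label public suffixes such as co.uk.

```python
"""Flag sender domains that copy a known organisation's name but swap the TLD (added example)."""
import re

# Constructed list of domains this organisation legitimately exchanges mail with.
KNOWN_DOMAINS = {"example-partner.com", "acme-widgets.net", "example.org"}

# TLDs the report names as the ones used for the spoofed variants.
SWAPPED_TLDS = {"us", "co", "biz"}

# Matches either an angle-bracketed address or a bare address in a From: header.
FROM_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")


def registrable_parts(domain):
    """Naive split into (name, tld). Assumption: no multi-label public suffixes such as co.uk."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def lookalike_of(sender_domain, known=KNOWN_DOMAINS):
    """Return the legitimate domain being imitated, or None if the sender looks unrelated."""
    domain = sender_domain.lower().strip()
    if domain in known:
        return None  # exact match with a known correspondent is not a look-alike
    parts = registrable_parts(domain)
    if parts is None:
        return None
    name, tld = parts
    for legit in known:
        legit_parts = registrable_parts(legit)
        if legit_parts and legit_parts[0] == name and legit_parts[1] != tld:
            return legit
    return None


def sender_domain(from_header):
    """Extract the lower-cased domain part of the address in a From: header."""
    match = FROM_RE.search(from_header)
    if not match:
        return None
    address = match.group(1) or match.group(2)
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[-1].lower()


def triage(from_headers, known=KNOWN_DOMAINS):
    """Return one finding per header whose sender imitates a known domain with a different TLD."""
    findings = []
    for header in from_headers:
        domain = sender_domain(header)
        if domain is None:
            continue
        imitated = lookalike_of(domain, known)
        if imitated:
            _, tld = registrable_parts(domain)
            findings.append({
                "from": header,
                "domain": domain,
                "imitates": imitated,
                # True when the swapped TLD is one of those the report associates with this actor
                "reported_tld": tld in SWAPPED_TLDS,
            })
    return findings


# Constructed sample headers: two look-alikes, two legitimate senders, one unrelated sender.
SAMPLE_FROM_HEADERS = [
    'From: "Alice Vendor" <alice@example-partner.com>',
    'From: "Alice Vendor" <alice@Example-Partner.co>',
    'From: procurement@acme-widgets.biz',
    'From: newsletter@unrelated-shop.biz',
    'From: "Bob" <bob@mail.example.org>',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM_HEADERS):
        print(f"{finding['domain']} imitates {finding['imitates']} (reported TLD: {finding['reported_tld']})")
```

A subdomain of a known correspondent (mail.example.org above) is not flagged, because only the registrable name and TLD are compared; a production version would use a public-suffix list so that names under co.uk and similar suffixes split correctly.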

Data Storage

Russia Will Run Out of Data Storage In Two Months (bleepingcomputer.com)

"A little noticed side effect of all the sanctions Russia is under for its invasion of Ukraine is that related to IT," writes Slashdot reader quonset. "U.S. sanctions prohibit any technology transfers to the country, including computer chips. However, another issue is Russia is now cut off from cloud storage companies in the West. As a result, Russia is two months away from using up all its domestic storage capacity. Four options have been proposed to counter this issue. BleepingComputer reports: Last week, the Ministry of Digital Development amended the Yarovaya Law (2016) to suspend a yearly requirement for telecom operators to increase storage capacity allocations by 15% for anti-terrorist surveillance purposes. Another move that could free up space would be to demand ISPs abandon media streaming services and other online entertainment platforms that eat up precious resources. Thirdly, there's the option of buying out all available storage from domestic data processing centers. However, this will likely lead to further problems for entertainment providers who need additional storage to add services and content. Russia is also considering seizing IT servers and storage left behind by companies who pulled out of Russia and integrating them into public infrastructure. There is one more option mentioned in the report and it has to do with China. Russia could "tap into Chinese cloud service providers and IT system sellers," reports BleepingComputer, although China has yet to decide how much it's willing to help Russia.

Security

Nasty Linux Netfilter Firewall Security Hole Found (zdnet.com)

Sophos threat researcher Nick Gregory discovered a hole in Linux's netfilter firewall program that's "exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want." ZDNet reports: Behind almost all Linux firewall tools, such as iptables, its newer version nftables, firewalld, and ufw, is netfilter, which controls access to and from Linux's network stack. It's an essential Linux security program, so when a security hole is found in it, it's a big deal. [...] This problem exists because netfilter doesn't handle its hardware offload feature correctly. A local, unprivileged attacker can use this to cause a denial-of-service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn't have offload functionality! That's because, as Gregory wrote to a security list, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails."

This vulnerability is present in the Linux kernel versions 5.4 through 5.6.10. It's listed as Common Vulnerabilities and Exposures CVE-2022-25636, and with a Common Vulnerability Scoring System (CVSS) score of 7.8, this is a real baddie. How bad? In its advisory, Red Hat said, "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat." So, yes, this is bad. Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x, Debian Bullseye, Ubuntu Linux, and SUSE Linux Enterprise 15.3. While the Linux kernel netfilter patch has been made, the patch isn't available yet in all distribution releases.

Google

Google's Domain Name Registrar is Out of Beta After Seven Years (engadget.com)

Seven long, long years ago, Google started offering users a way to buy a domain without having to deal with a host provider. Now, Google Domains is at last out of beta as a full-fledged product. Engadget: Google says, to date, millions of people have used the service to manage a domain. It has added more features and tools to Domains over the years. Folks in 26 countries can now use the full version of the service. [...] To mark the occasion of Domains becoming a fully formed entity, Google's offering new and returning users a discount until April 15th.

IT

DigitalOcean Acquires CSS-Tricks (digitalocean.com)

DigitalOcean, in a blog post: I am excited to announce that DigitalOcean has acquired the CSS-Tricks website, a learning site with 6,500 articles, videos, guides and other content focused on frontend development. CSS-Tricks will broaden and complement our existing library of content, furthering DigitalOcean's reach with both frontend and full-stack developers, and supports our community strategy, a key differentiator for DigitalOcean in the cloud computing space. CSS-Tricks will continue operating as a standalone site supported by DigitalOcean, and CSS-Tricks founder Chris Coyier will support CSS-Tricks in an advisory capacity.

At DigitalOcean we take great pride in our commitment to the developer and startup communities. We truly believe that our community is bigger than just us, and we have demonstrated this through our creation of more than 6,000 high-quality developer tutorials and approximately 30,000 community-generated questions & answers, hosting of community-focused events such as deploy, and support of the open source community through Hacktoberfest and other initiatives.

Security

Germany Warns Kaspersky Software Risks Being Exploited by Russia (bloomberg.com)

Germany warned against using anti-virus software from Moscow-based Kaspersky Lab due to risks it could be exploited by Russia for a cyber attack. From a report: The Federal Office for Information Security, or BSI, issued the warning on Tuesday, saying that companies and authorities with special security status and operators of critical infrastructure could be "particularly at risk." The danger has increased since Russia's invasion of Ukraine, the Bonn-based agency said in a press release, citing threats made by Moscow against NATO, the European Union and Germany. In 2017, the U.S. government banned all use of Kaspersky Lab software in federal information systems, citing concerns about the firm's links to the Russian government and espionage. The company denied any wrongdoing in that case and pushed back against Germany's move now.

Security

New CaddyWiper Data Wiping Malware Hits Ukrainian Networks (bleepingcomputer.com)

Newly discovered data-destroying malware was observed earlier today in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. BleepingComputer reports: "This new malware erases user data and partition information from attached drives," ESET Research Labs explained. "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." While designed to wipe data across Windows domains it's deployed on, CaddyWiper will use the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If so, the data on the domain controller will not be deleted. This is likely a tactic used by the attackers to maintain access inside the compromised networks of organizations they hit while still heavily disturbing operations by wiping other critical devices.

While analyzing the PE header of a malware sample discovered on the network of an undisclosed Ukrainian organization, it was also discovered that the malware was deployed in attacks the same day it was compiled. "CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us. The sample we analyzed was not digitally signed," ESET added. "Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target's network beforehand."

Encryption

Researcher Uses 379-Year-Old Algorithm To Crack Crypto Keys Found In the Wild (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Cryptographic keys generated with older software now owned by technology company Rambus are weak enough to be broken instantly using commodity hardware, a researcher reported on Monday. This revelation is part of an investigation that also uncovered a handful of weak keys in the wild. The software comes from a basic version of the SafeZone Crypto Libraries, which were developed by a company called Inside Secure and acquired by Rambus as part of its 2019 acquisition of Verimatrix, a Rambus representative said. That version was deprecated prior to the acquisition and is distinct from a FIPS-certified version that the company now sells under the Rambus FIPS Security Toolkit brand.

Researcher Hanno Böck said that the vulnerable SafeZone library doesn't sufficiently randomize the two prime numbers it uses to generate RSA keys. (These keys can be used to secure Web traffic, shells, and other online connections.) Instead, after the SafeZone tool selects one prime number, it chooses a prime in close proximity as the second one needed to form the key. "The problem is that both primes are too similar," Böck said in an interview. "So the difference between the two primes is really small." The SafeZone vulnerability is tracked as CVE-2022-26320. Cryptographers have long known that RSA keys that are generated with primes that are too close together can be trivially broken with Fermat's factorization method. French mathematician Pierre de Fermat first described this method in 1643. Fermat's algorithm was based on the fact that any number can be expressed as the difference between two squares. When the factors are near the root of the number, they can be calculated easily and quickly. The method isn't feasible when factors are truly random and hence far apart. The security of RSA keys depends on the difficulty of factoring a key's large composite number (usually denoted as N) to derive its two factors (usually denoted as P and Q). When P and Q are known publicly, the key they make up is broken, meaning anyone can decrypt data protected by the key or use the key to authenticate messages.
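The close-prime weakness described above can be checked against one's own keys with exactly the method Fermat described. The following Python is an added example, not code from Ars Technica or from Böck's research: fermat_factor searches for a and b with N = a² − b² = (a − b)(a + b), starting at a = ⌈√N⌉ and stepping a upward, so a modulus whose primes P and Q are close is split in a handful of steps while far-apart primes exhaust the step budget and return None. The Miller-Rabin helper, the next_prime search and the 128-bit sample modulus built from consecutive primes are constructed for the demonstration and are assumptions, not anything taken from the report.

```python
"""Fermat's factorization as a weak-RSA-key check (added example, not from the report)."""
import random
from math import isqrt


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test; used here only to build a sample modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest probable prime strictly greater than n."""
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def fermat_factor(n, max_steps=10_000):
    """Search for a, b with n = a^2 - b^2 = (a - b)(a + b).

    Starting from a = ceil(sqrt(n)), each step raises a by one and tests whether
    a^2 - n is a perfect square. Factors close to sqrt(n) are found within a few
    steps; factors that are far apart exhaust the budget and None is returned.
    """
    if n < 4:
        return None
    if n % 2 == 0:
        return (2, n // 2)
    a = isqrt(n)
    if a * a == n:
        return (a, a)
    a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def is_weak_rsa_modulus(n, max_steps=10_000):
    """True when Fermat's method recovers a non-trivial factorization of n within the budget."""
    result = fermat_factor(n, max_steps)
    return result is not None and 1 < result[0] < n


def constructed_close_prime_modulus(bits=128):
    """Constructed weak key: q is the very next prime after p, so q - p is tiny. Returns (n, p, q)."""
    p = next_prime(random.getrandbits(bits) | (1 << (bits - 1)))
    q = next_prime(p)
    return p * q, p, q


if __name__ == "__main__":
    n, p, q = constructed_close_prime_modulus()
    found = fermat_factor(n)
    print(f"{n.bit_length()}-bit modulus with q - p = {q - p}: factors recovered = {found == (p, q)}")
    print("far-apart factors within 1000 steps:", fermat_factor(3 * 1000003, 1000))
```

The step budget is what makes this usable as a key-hygiene check rather than a general factoring routine: a properly generated modulus will never be split within a few thousand steps, so is_weak_rsa_modulus returning True on a real public key is a strong signal that the generator did not choose its primes independently.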

So far, Böck has identified only a handful of keys in the wild that are vulnerable to the factorization attack. Some of the keys belong to printers originally branded as Fuji Xerox and now belonging to Canon. Printer users can use the keys to generate a Certificate Signing Request. The creation date for the keys was 2020 or later. The weak Canon keys are tracked as CVE-2022-26351. Böck also found four vulnerable PGP keys, typically used to encrypt email, on SKS PGP key servers. A user ID tied to the keys implied they were created for testing, so he doesn't believe they're in active use. Böck said he believes all the keys he found were generated using software or methods not connected to the SafeZone library. If true, other software that generates keys might be easily broken using the Fermat algorithm. It's plausible also that the keys were generated manually, "possibly by people aware of this attack creating test data." The researcher found the keys by searching through billions of public keys that he either had access to, were shared with him by other researchers, or that were available through certificate transparency programs.

UPDATE: The headline incorrectly stated that a "600-Year-Old Algorithm" was used. It's been changed to "379-Year-Old Algorithm" to reflect the updated headline on Ars.

Microsoft

Microsoft is Testing Ads in the Windows 11 File Explorer (bleepingcomputer.com)

Microsoft has begun testing promotions for some of its other products in the File Explorer app on devices running its latest Windows 11 Insider build. From a report: The new Windows 11 "feature" was discovered by a Windows user and Insider MVP who shared a screenshot of an advertisement notification displayed above the listing of folders and files in File Explorer, the Windows default file manager. As shown in the screenshot, Microsoft will use such ads to promote other Microsoft products, for instance, about how to "write with confidence across documents, email, and the web with advanced writing suggestions from Microsoft Editor." As you can imagine, the reaction to this was adverse, to say the least, with some saying that "File Explorer [is] one of the worst places to show ads," while others added that this is the way to go if Microsoft wants "people ditching Explorer for something else."

Security

Ukraine Ethical Hackers Bewildered as HackerOne Bug Bounty Platform Said To Halt Their Payouts (gadgets360.com)

Amid the ongoing disruption from Russia, some ethical hackers in Ukraine are feeling lost as bug bounty platform HackerOne has allegedly withheld their payouts. From a report: The loss due to the sudden halt is said to have mounted to hundreds and thousands of dollars. A few of the affected ethical hackers -- also known as cybersecurity researchers -- have taken the issue to social media. Some of them have also written to the platform to get clarity on why exactly it has disabled their payments in the middle of the humanitarian catastrophe in the country. Ethical hackers normally earn payouts ranging from tens and hundreds to over millions of dollars in the form of rewards through bug bounty platforms for reporting flaws in various Internet-based solutions. However, HackerOne is said to have suddenly stopped payouts for some Ukrainian hackers.

Earlier this month, HackerOne CEO Marten Mickos had announced, "[A]s we work to comply with the new sanctions, we'll withdraw all programmes for customers based in Russia, Belarus, and the occupied areas of Ukraine." On Monday, he clarified that the restrictions were for sanctioned regions - Russia and Belarus, not mentioning any clear details about the status of Ukraine. "That's a really weird situation," said independent security researcher Bob Diachenko, who has been associated with the San Francisco, California-based platform for the last two to three years now. The security researcher tweeted on Sunday that HackerOne stopped paying bounties worth around $3,000 for the flaws he reported. Alongside stopping payouts, HackerOne has removed its 'Clear' status from all Ukraine accounts. The status essentially allows ethical hackers to participate in private programmes run by various companies to earn a minimum of $2,000 for a high-severity vulnerability or $5,000 for a critical one. It requires a background check for researchers to participate in the listed programmes.

AMD

Intel Finds Bug In AMD's Spectre Mitigation, AMD Issues Fix (tomshardware.com)

"News of a fresh Spectre BHB vulnerability that only impacts Intel and Arm processors emerged this week," reports Tom's Hardware, "but Intel's research around these new attack vectors unearthed another issue.

"One of the patches that AMD has used to fix the Spectre vulnerabilities has been broken since 2018." Intel's security team, STORM, found the issue with AMD's mitigation. In response, AMD has issued a security bulletin and updated its guidance to recommend using an alternative method to mitigate the Spectre vulnerabilities, thus repairing the issue anew....

Intel's research into AMD's Spectre fix begins in a roundabout way — Intel's processors were recently found to still be susceptible to Spectre v2-based attacks via a new Branch History Injection variant, this despite the company's use of the Enhanced Indirect Branch Restricted Speculation (eIBRS) and/or Retpoline mitigations that were thought to prevent further attacks. In need of a newer Spectre mitigation approach to patch the far-flung issue, Intel turned to studying alternative mitigation techniques. There are several other options, but all entail varying levels of performance tradeoffs. Intel says its ecosystem partners asked the company to consider using AMD's LFENCE/JMP technique. The "LFENCE/JMP" mitigation is a Retpoline alternative commonly referred to as "AMD's Retpoline."

As a result of Intel's investigation, the company discovered that the mitigation AMD has used since 2018 to patch the Spectre vulnerabilities isn't sufficient — the chips are still vulnerable. The issue impacts nearly every modern AMD processor spanning almost the entire Ryzen family for desktop PCs and laptops (second-gen to current-gen) and the EPYC family of datacenter chips....

In response to the STORM team's discovery and paper, AMD issued a security bulletin (AMD-SB-1026) that states it isn't aware of any currently active exploits using the method described in the paper. AMD also instructs its customers to switch to using "one of the other published mitigations (V2-1 aka 'generic retpoline' or V2-4 aka 'IBRS')." The company also published updated Spectre mitigation guidance reflecting those changes [PDF]....

AMD's security bulletin thanks Intel's STORM team by name and noted it engaged in the coordinated vulnerability disclosure, thus allowing AMD enough time to address the issue before making it known to the public.

Thanks to Slashdot reader Hmmmmmm for submitting the story...

United States

Critical US Companies Will Soon Be Required to Report All Breaches and Ransomware to the DHS (apnews.com)

"Companies critical to U.S. national interests will now have to report when they're hacked or they pay ransomware, according to new rules approved by Congress," reports the Associated Press: The rules are part of a broader effort by the Biden administration and Congress to shore up the nation's cyberdefenses after a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government much greater visibility into hacking efforts that target private companies, which often have skipped going to the FBI or other agencies for help. "It's clear we must take bold action to improve our online defenses," Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee and wrote the legislation, said in a statement on Friday.

The reporting requirement legislation was approved by the House and the Senate on Thursday and is expected to be signed into law by President Joe Biden soon. It requires any entity that's considered part of the nation's critical infrastructure, which includes the finance, transportation and energy sectors, to report any "substantial cyber incident" to the government within three days and any ransomware payment made within 24 hours....

The legislation designates the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency as the lead agency to receive notices of hacks and ransomware payments.... The new rules also empower CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.

Security

Ubisoft Won't Say Why It Reset Employee Passwords After 'Cyber Incident' (techcrunch.com)

Gaming giant Ubisoft has confirmed a cybersecurity incident that led to the mass-reset of company passwords, but has declined to say what the incident actually was. From a report: In a brief statement, Ubisoft said: "Last week, Ubisoft experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services. Our IT teams are working with leading external experts to investigate the issue. As a precautionary measure we initiated a company-wide password reset. Also, we can confirm that all our games and services are functioning normally and that at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident," the statement said. The France-headquartered video game company is best known for its Assassin's Creed and Far Cry brands. According to the company's latest earnings report from October, Ubisoft had 117 million active players.

Security

Big Web Security Firms Ditch Russia, Leaving Internet Users Open To More Kremlin Snooping (forbes.com)

Ordinary Russians face another major blow to their everyday lives due to the backlash to President Vladimir Putin's invasion of Ukraine. On the same day, two major web-security companies have decided to quit selling to them, making Russians' internet use more vulnerable to Kremlin snooping, hacking and other cybercrimes. From a report: The departure of the two companies, Avast, a $6 billion antivirus provider based in the Czech Republic, and Utah-based website-certification firm DigiCert, will further isolate the country of 145 million people. "We are horrified at Russia's aggression against Ukraine, where the lives and livelihoods of innocent people are at severe risk, and where all freedoms have come under attack," Avast CEO Ondrej Vlcek wrote on Thursday. Vlcek said the company was including Belarus in the withdrawal of services, and was continuing to pay the full salaries of employees in Russia and Ukraine, many of whom it was helping to relocate. "We do not take this decision lightly," Vlcek wrote. "We've offered our products in Russia for nearly 20 years and users in this country are an important part of our global community." While Avast joins other antivirus companies, including NortonLifeLock and ESET, in halting sales, Russians will still be able to get antivirus protection from Moscow-based Kaspersky and other providers within the country. The departure of DigiCert could prove more significant. DigiCert is one of the world's biggest providers of website certificates, which aim to prove that when a person visits a site it's owned by the entity they expected.

Security

WhatsApp's New Browser Extension is Aimed at Making Web Chats More Secure (theverge.com)

Code Verify is a new browser extension from WhatsApp parent company Meta that aims to improve the security of WhatsApp's web version, the company has announced. From a report: The extension works by verifying that the contents of WhatsApp's web version haven't been tampered with. The aim is to make it a lot more difficult for a would-be attacker to compromise data or the privacy of WhatsApp's end-to-end encrypted messages when using the browser-based version of the service. The extension follows the launch of WhatsApp's multi-device beta last year. This aims to make using the messaging service from devices other than your primary phone easier and more seamless. Since the feature's launch, WhatsApp says it's seen an increase in people accessing its service through web browsers, which present new security challenges compared to an app. There's nothing particularly new about the security methods underpinning Code Verify. Ultimately it's just comparing a hash of the code running in your browser with a hash held by trusted third party Cloudflare.
