Hacktivists in Belarus said on Monday they had infected the network of the country's state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine. Ars Technica reports: Referring to the Belarus Railway, a group calling itself Cyber Partisans wrote on Telegram: "BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the 'Peklo' cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed [...]." The group also announced the attack on Twitter.

A representative from the group said in a direct message that the Peklo cyber campaign targets specific entities and government-run companies with the goal of pressuring the Belarus government to release political prisoners and stop Russian troops from entering Belarus to use its ground for the attacks on Ukraine. "The government continues to suppress the free will of Belarusians, imprison innocent people, they continue to unlawfully keep... thousands of political prisoners," the representative wrote. "The major goal is to overthrow Lukashenko's regime, keep the sovereignty and build a democratic state with the rule of law, independent institutions and protection of human rights."

At the time this post went live, several services on the railway's website were unavailable. Online ticket purchases, for instance, weren't working [...]. The representative said that besides ticketing and scheduling being disrupted, the cyberattack also affected freight trains. According to reports, Russia has been sending military equipment and personnel by rail into Belarus, which shares a border with Ukraine. @belzhd_live, a group of Belarus Railway workers that tracks activity on the 5,512-km railway, said on Friday that in a week's time, more than 33 Russian military trains loaded with equipment and troops had arrived in Belarus for joint strategic exercises there. The worker group said at the time that it expected a total of 200 so-called echelons to arrive in the coming days.

Security researchers from Kaspersky said they have discovered a novel bootkit that can infect a computer's UEFI firmware. From a report: What makes MoonBounce -- the name they gave the bootkit -- special is the fact that the malware doesn't burrow and hide inside a section of the hard drive named ESP (EFI System Partition), where some UEFI code typically resides, but instead it infects the SPI flaws memory that is found on the motherboard. This means that, unlike similar bootkits, defenders can't reinstall the operating system and replace the hard drive, as the bootkit will continue to remain on the infected device until the SPI memory is re-flashed (a very complex process) or the motherboard is replaced. According to Kaspersky, MoonBounce marks the third UEFI bootkit they have seen so far that can infect and live inside the SPI memory, following previous cases such as LoJax and MosaicRegressor. Furthermore, MoonBounce's discovery also comes after researchers have also found additional UEFI bootkits in recent months, such as ESPectre, FinSpy's UEFI bootkit, and others, which has led the Kaspersky team to conclude that what was once considered unachievable following the rollout of the UEFI standard has gradually become the norm.

A bug in OpenSea, the popular NFT marketplace, has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners -- and hundreds of thousands of dollars in profits for the apparent thieves. From a report: The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to "steal" NFTs with a market value of over $1 million. One of the NFTs, Bored Ape Yacht Club #9991, was purchased using the exploit technique for 0.77 ETH ($1,760) and quickly resold for 84.2 ETH ($192,400), netting the attacker a profit of more than $190,000. An Ethereum address linked to the reseller had received more than 400 ETH ($904,000) in payouts from OpenSea in the same 12-hour period.

"It's a subjective thing whether you consider this to be a loophole or a bug, but the fact is that people are being forced into sales at a price they wouldn't otherwise have accepted right now," said Tom Robinson, chief scientist and co-founder of Elliptic. According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea's user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application.

"The traditional idea of going to the office five days a week or working 9 to 5 may be dying," reports the Washington Post: Zoom, which many workplaces and workers relied on during the pandemic, is starting to allow its more than 6,000 workers to choose whether to work in the office, work remotely, or go hybrid, as in working remotely a certain number of days per week or month at their choosing. Bolt, a San Francisco-based e-commerce start-up boldly introduced a permanent four-day workweek for its nearly 600 employees. Workplace communications platform Slack is reimagining its office primarily as a gathering place for meetings and projects. And tech giants Amazon and Salesforce are allowing their employees to decide as a team when and where they should work, based on the projects at hand.

These approaches come as companies rethink workplace policies amid the fast spread of the omicron variant and the "Great Resignation," during which employers are finding it more difficult to retain talent. U.S. office occupancy dipped to about 28 percent during the third week of January, compared to 40 percent in November before the massive spread of the omicron variant, according to building security company Kastle Systems. Still, some employers see this as an opportunity to rethink the way employees have traditionally worked, opting for even more flexible and creative arrangements that are more likely to lure and retain workers....

Jennifer Christie [Bolt's chief people officer] said after piloting the policy last year, 91 percent of managers and 94 percent of employees wanted to continue. They also reported increased productivity and better work-life balance. Meanwhile, the start-up has been inundated with resumes and emails from people interested in working for the company, Christie said. "People want to be empowered and have autonomy to do work in a way that fits them," Christie said. "That's going to be where talent is attracted...."

The one thing the Kickstarter union workers agree on is the desire for the four-day workweek. "I'd be lying if I said I hadn't listened to some recruiters from places that already implemented a four-day workweek," said Dannel Jurado [a member of Kickstarter United, which is part of the Office and Professional Employees International Union].

In 2015 the San Francisco Arts Commission surveyed nearly 600 local artists. "More than 70% of them had either already left San Francisco or were about to be displaced from their work, home or both," reports SFGate.com, adding "The pandemic has only intensified these problems. A report by Americans for the Arts found that 53% of artists have no savings whatsoever as a result of the pandemic."

Would it help to give over 100 artists their own Universal Basic Income? In an effort to mitigate what appears to be an existential threat to the arts, in March 2021, the city of San Francisco partnered with the Yerba Buena Center for the Arts [YBCA] to launch a guaranteed income pilot, called the SF Guaranteed Income Pilot for Artists, or SF-GIPA, that gives 130 local low-income artists who have been severely impacted by the COVID-19 pandemic $1,000 a month, no strings attached, for 18 months.... At the time, YBCA was planning to launch its own guaranteed income project for artists, and this allowed it to combine forces and take both projects further. The first six months of funding for the SF-GIPA project came from the Arts Impact Endowment, which is funded by San Francisco's hotel tax and designated for underserved communities. YBCA extended the project by an additional 12 months with private funding from the Start Small Foundation, a philanthropic initiative by former Twitter CEO Jack Dorsey....

Though the additional income from SF-GIPA is a welcome relief, as the project moves past its halfway point, the question remains: Will 18 months be enough time to truly make a difference in these artists' lives? YBCA is currently scrambling to find a way to continue supporting guaranteed income recipients after the project's scheduled end in October 2023.... "It's just so sad; people come to San Francisco because of the art and culture, but the art and culture makers can't afford to live here," says Stephanie Imah, who is leading YBCA's pilot. "This is very much a rental problem. It's really hard for artists living in San Francisco unless they work in tech. It's clear we need long-term solutions." For YBCA, that means advocating for big policy changes down the line.

"Our eyes are on the federal government," YBCA CEO Deborah Cullinan explains in an interview with Berkeley's Aurora Theatre. "We'd like to see guaranteed income programs across the country for all people." For now, the organization is focused on collecting "university standard research" in order to make an irrefutable case for universal basic income as a viable long-term solution to poverty.

"Microsoft's first Patch Tuesday for 2022 was a rocky start to the year, giving admins and users numerous headaches to deal with..." reports ZDNet. "The Windows Update on January 11 was intended to address 96 security flaws but also brought a load of pain for users and admins."

"One of the major issues that came up during the week for IT admins included finding that Windows Server 2012 became stuck in a boot loop," adds the Verge, "while other versions suffered broken Windows VPN clients, and some hard drives appeared as RAW format (and unusable). Many IT Admins were forced to roll back the updates — leaving many servers vulnerable with none of last week's security patches."

And now for some versions of Windows, this week Microsoft "released emergency out-of-band updates to address multiple issues..." reports BleepingComputer: "This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failure," the company said.... According to admin reports, Windows domain controllers were being plagued by spontaneous reboots, Hyper-V was no longer starting on Windows servers, and Windows Resilient File System (ReFS) volumes were no longer accessible after deploying the January 2022 updates. Windows 10 users and administrators also reported problems with L2TP VPN connections after installing the recent Windows 10 and Windows 11 cumulative updates and seeing "Can't connect to VPN." errors....

[S]ince Microsoft also bundles all the security updates with these Windows cumulative updates, removing them will also remove all fixes for vulnerabilities patched during the January 2022 Patch Tuesday.
While all the updates are available for download on the Microsoft Update Catalog, some of them can also be installed directly through Windows Update, notes Bleeping Computer. But "You will have to manually check for updates if you want to install the emergency fixes through Windows Update because they are optional updates and will not install automatically."

ZDNet adds: As Ask Woody's influential IT admin blogger Susan Bradley recently argued in 2020, Microsoft's decision to roll up patches in a big bundle on the second Tuesday of every month requires admins to place a great deal of trust in the company. That trust is eroded if applying the updates results in a lag on productivity from buggy patches.
Thanks to long-time Slashdot reader waspleg for sharing the story.

An anonymous reader quotes a report from Ars Technica: Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on "quite a few" sites running the open source content management system. The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from JetPack, the maker of security software owned by Automatic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean. "Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites," Ben Martin, a researcher with Web security firm Sucuri, wrote in a separate analysis of the backdoor.

The Jetpack post said evidence indicates that the supply chain attack on AccessPress Themes was performed in September. Martin, however, said evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess is that the people behind the backdoor were selling access to infected sites to people pushing web spam and malware. He wrote, "[...] it seems that the malware that we've found associated with this backdoor is more of the same: spam, and redirects to malware and scam sites." The Jetpack post provides full names and versions of the infected AccessPress software. Anyone running a WordPress site with this company's offerings should carefully inspect their systems to ensure they're not running a backdoored instance. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.

Twitter shook up the top ranks of its security team this week with the termination of the head of security and the exit of the chief information security officer, the company told employees on Wednesday, as its new chief executive reorganizes the social media service. From a report: Peiter Zatko, the head of security who is better known within the security community as "Mudge," is no longer at the company, Twitter confirmed. Rinki Sethi, the chief information security officer, will depart in the coming weeks. The changes follow "an assessment of how the organization was being led and the impact on top priority work," according to a memo from Parag Agrawal, Twitter's chief executive, that was sent to employees on Wednesday and obtained by The New York Times. Mr. Agrawal said the "nature of this situation" limited what he was allowed to share with employees.

Mr. Agrawal, who was appointed Twitter's chief executive in November, has shuffled the company's executives since taking over from Jack Dorsey, a founder. In December, Mr. Agrawal reorganized the leadership team and dismissed Dantley Davis, the chief design officer, and Michael Montano, the head of engineering. Mr. Zatko and Ms. Sethi joined Twitter in late 2020. He is a well-known hacker and has had a long career in government and private industry. Before taking on his role at Twitter, he held roles at DARPA, Google and Stripe. He began his cybersecurity career in the 1990s, when he was a member of the hacking group Cult of the Dead Cow. He was recruited to Twitter after teenagers compromised the company's systems in July 2020 and took over the accounts of prominent users.

A cyberattack targeting a contractor working for the International Committee of the Red Cross has spilled confidential data on more than 515,000 "highly vulnerable" people, many of whom have been separated from their families due to conflict, migration and disaster. From a report: The Red Cross did not name the contractor, based in Switzerland, which it uses to store data nor say what led to the security incident, but said that the data comes from at least 60 Red Cross and Red Crescent national societies. In a statement, the international organization pleaded with the attackers not to publicly share or leak the information given the sensitivity of the data.

The Red Cross has disclosed that it was the victim of a cyber attack and has asked the hackers who broke into the IT network of one of its contractors not to leak the personal information of more than 515,000 of "highly vulnerable people." The Record reports: The data was stolen from a Red Cross program called Restoring Family Links, which aims to reunite family members separated by conflict, disaster, or migration. "While we don't know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them," said Robert Mardini, director-general for the International Committee of the Red Cross. "Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world's least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data," Mardini said.

"The people affected include missing people and their families, unaccompanied or separated children, detainees and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters or migration," the organization said in an email.

An anonymous reader quotes a report from The Verge: The CEO of cryptocurrency exchange Crypto.com, Kris Marszalek, has finally confirmed that hundreds of user accounts were indeed compromised by hackers and had funds stolen as a result, though details of the exact method of breach remain unclear. Marszalek acknowledged the hack in an online interview with Bloomberg Wednesday, stating that around 400 customer accounts had been compromised. He also told Bloomberg that he had not received any outreach from regulators since the attack was first disclosed but would share information if official inquiries were made.

Previous statements from Marszalek and other communications from Crypto.com have been criticized for being vague and unclear. Official messaging from the company referred to a security "incident," and an early Twitter post mentioned only that a small number of users were "reporting suspicious activity on their accounts." Marszalek followed up by tweeting that "no customer funds were lost" -- a statement some commentators interpreted as meaning that the exchange would take the financial hit rather than passing it on to customers. Shortly afterward, security company PeckShield posted a tweet claiming that, in reality, Crypto.com's losses amounted to around $15 million in ETH and were being sent to Tornado Cash to be "washed."

OpenSubtitles, one of the largest repositories of subtitle files on the internet, has been hacked. TorrentFreak reports: Founded in 2006, the site was reportedly hacked in August 2021 with the attacker obtaining the personal data of nearly seven million subscribers including email and IP addresses, usernames and passwords. The site alerted users yesterday after the hacker leaked the database online.

"In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to public and promise to delete the data," the post reads. "We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data."

Indeed, searches on data breach site Have I Been Pwned reveals that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more. [...] OpenSubtitles describes the hack as a "hard lesson" and admits failings in its security. The platform has spent time and money securing the site and is requiring members to reset their passwords. However, for those who have had their data breached, it may already be too late to prevent damage. The hacker has already had access to data for several months and now the breach is in the wild, problems could certainly escalate.

President Biden on Wednesday expanded the National Security Agency's role in protecting the U.S. government's most sensitive computer networks, issuing a directive intended to bolster cybersecurity within the Defense Department and intelligence agencies. From a report: The memorandum signed by Mr. Biden mandates baseline cybersecurity practices and standards, such as two-factor authentication and use of encryption, for so-called national security systems, which include the Defense Department and intelligence agencies and the federal contractors that support them. It effectively aligns the cybersecurity standards imposed on national security agencies with those previously established for civilian agencies under an executive order Mr. Biden signed last May. Affected agencies will soon be expected to implement various cybersecurity protocols, including use of certain cloud technologies and software that can detect security problems on a network. Cybersecurity failures have plagued the U.S. government for decades, including thefts of detailed personnel records and military secrets that have been blamed on Russia, China and other adversaries. While national security agencies are generally seen as more secure than their civilian counterparts, they have endured significant breaches, too.

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. From a report: The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device. McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day. Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else's name, and now the IRS is about to join them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver's license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

The Biden administration is reviewing e-commerce giant Alibaba's cloud business to determine whether it poses a risk to U.S. national security, Reuters reported Tuesday, citing three people briefed on the matter, as the government ramps up scrutiny of Chinese technology companies' dealings with U.S. firms. From a report: The focus of the probe is on how the company stores U.S. clients' data, including personal information and intellectual property, and whether the Chinese government could gain access to it, the people said. The potential for Beijing to disrupt access by U.S. users to their information stored on Alibaba cloud is also a concern, one of the people said. U.S. regulators could ultimately choose to force the company to take measures to reduce the risks posed by the cloud business or prohibit Americans at home and abroad from using the service altogether. Former President Donald Trump's Commerce Department was concerned about Alibaba's cloud business, but the Biden administration launched the formal review after he took office in January, according to one of the three people and a former Trump administration official. Alibaba's U.S. cloud business is small, with annual revenue of less than an estimated $50 million, according to research firm Gartner Inc. But if regulators ultimately decide to block transactions between American firms and Alibaba Cloud, it would damage the bottom line one of the company's most promisingbusinesses and deal a blow to reputation of the company as a whole.

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for DDoS (distributed denial of service) attacks. BleepingComputer reports: A Crowdstrike report looking into the attack data from 2021 summarizes the following:

- In 2021, there was a 35% rise in malware targeting Linux systems compared to 2020.
- XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all Linux-targeting malware attacks observed in 2021.
- Mozi, in particular, had explosive growth in its activity, with ten times more samples circulating in the wild the year that passed compared to the previous one.
- XorDDoS also had a notable year-over-year increase of 123%.
[...]
The Crowstrike findings aren't surprising as they confirm an ongoing trend that emerged in previous years. For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year. In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms. This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

The UK government is set to launch a multi-pronged publicity attack on end-to-end encryption, Rolling Stone has learned. From the report: One key objective: mobilizing public opinion against Facebook's decision to encrypt its Messenger app. The Home Office has hired the M&C Saatchi advertising agency -- a spin-off of Saatchi and Saatchi, which made the "Labour Isn't Working" election posters, among the most famous in UK political history -- to plan the campaign, using public funds. According to documents reviewed by Rolling Stone, one the activities considered as part of the publicity offensive is a striking stunt -- placing an adult and child (both actors) in a glass box, with the adult looking "knowingly" at the child as the glass fades to black. Multiple sources confirmed the campaign was due to start this month, with privacy groups already planning a counter-campaign.

New submitter bolind writes: A data center migration from eNom web hosting provider caused unexpected domain resolution problems that are expected to last for a few hours. Customers started to complain that they could no longer access their websites and emails due to Domain Name System (DNS) issues. My google apps gmail is not getting email, turns out DNS is not working because @enom is doing "a datacenter move" that ran into problems. What medieval times are these when a datacenter move brings down DNS for organizations? Advance warning would have been nice @enomsupport.

A serious Safari bug disclosed in this blog post from FingerprintJS can disclose information about your recent browsing history and even some info of the logged-in Google account. From a report: A bug in Safari's IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a lookup table. For instance, Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID. Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user's profile picture is revealed. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved.

"The San Diego County Sheriff's Department last week encrypted its radio communications, blocking the public from listening to information about public safety matters in real time," reports the San Diego Union Tribune: The department is the latest law enforcement agency in the county and state to cut off access to radio communications in response to a California Department of Justice mandate that required agencies to protect certain personal information that law enforcement personnel obtain from state databases. Such information — names, drivers license numbers, dates of birth and other information from the California Law Enforcement Telecommunications System, or CLETS — sometimes is broadcast over police radios.

The October 2020 mandate gave agencies two options: to limit the transmission of database-obtained personal information on public channels or to encrypt their radio traffic. Police reform advocates say the switch to encrypted channels is problematic. The radio silence, they say, will force members of the public, including the news media, to rely on law enforcement agencies' discretion in releasing information about public safety matters....

A sheriff's spokesperson has said the department is exploring ways to disseminate information about incidents as they unfold. One idea is an online page that would show information about calls to which deputies respond.