Microsoft

Traffic-Redirecting Rootkit Somehow Got a Microsoft-issued Digital Signature (zdnet.com) 26

Cybersecurity researchers at Bitdefender say cyber criminals have been using a rootkit named FiveSys "that somehow made its way through the driver certification process to be digitally signed by Microsoft," reports ZDNet: The valid signature enables the rootkit — malicious software that allows cyber criminals to access and control infected computers — to appear valid and bypass operating system restrictions and gain what researchers describe as "virtually unlimited privileges". It's known for cyber criminals to use stolen digital certificates, but in this case, they've managed to acquire a valid one.

It's still a mystery how cyber criminals were able to get hold of a valid certificate. "Chances are that it was submitted for validation and somehow it got through the checks. While the digital signing requirements detect and stop most of the rootkits, they are not foolproof," Bogdan Botezatu, director of threat research and reporting at Bitdefender told ZDNet. It's uncertain how FiveSys is actually distributed, but researchers believe that it's bundled with cracked software downloads.

Once installed, FiveSys rootkit redirects internet traffic to a proxy server, which it does by installing a custom root certificate so that the browser won't warn about the unknown identity of the proxy. This also blocks other malware from writing on the drivers, in what's likely an attempt to stop other cyber criminals from taking advantage of the compromised system. Analysis of attacks shows that FiveSys rootkit is being used in cyber attacks targeting online gamers, with the aim of stealing login credentials and the ability to hijack in-game purchases. The popularity of online games means that a lot of money can be involved — not only because banking details are connected to accounts, but also because prestigious virtual items can fetch large sums of money when sold, meaning attackers could exploit access to steal and sell these items.

Currently, the attacks are targeting gamers in China — which is where researchers also believe that the attackers are operating from.

"The campaign started slowly in late 2020, but massively expanded during the course of summer 2021," ZDNet adds.

"The campaign is now blocked after researchers at Bitdefender flagged the abuse of digital trust to Microsoft, which revoked the signature."
Facebook

The Man Who Stole and Then Sold Data on 178 Million Facebook Users Gets Sued by Facebook (therecord.media) 70

"Facebook has filed a lawsuit on Friday against a Ukrainian national for allegedly scraping its website and selling the personal data of more than 178 million users on an underground cybercrime forum," reports the Record. According to court documents filed Friday, the man was identified as Alexander Alexandrovich Solonchenko, a resident of Kirovograd, Ukraine. Facebook alleges that Solonchenko abused a feature of the Facebook Messenger service called Contact Importer. The feature allowed users to synchronize their phone address books and see which contacts had a Facebook account in order to allow users to reach out to their friends via Facebook Messenger. Between January 2018 and September 2019, Facebook said that Solonchenko used an automated tool to pose as Android devices in order to feed Facebook servers with millions of random phone numbers. As Facebook servers returned information for which phone numbers had an account on the site, Solonchenko collected the data, which he later offered for sale on December 1, 2020, in a post on RaidForums, a notorious cybercrime forum and marketplace for stolen data.
The article also notes that Facebook's court documents say Solonchenko scraped data from some of the largest companies in Ukraine, including its largest commercial bank and largest private delivery service.

And the Record points out that he's not the only person known to have used this hole to scrape Facebook's user data and then sell it on the forum. Days after another incident in April involving 533 million leaked phone numbers of Facebook users, Facebook "revealed that it retired the Messenger Contact Importer feature back in September 2019 after it discovered Solonchenko and other threat actors abusing it."
Television

Sinclair Workers Say TV Channels Are In 'Pandemonium' After Ransomware Attack (vice.com) 33

An anonymous reader quotes a report from Motherboard: In the early hours of Sunday morning, hackers took down the corporate servers and systems of Sinclair Broadcast Group, a giant U.S. TV conglomerate that owns or operates more than 600 channels across the country. Days later, inside the company, "it's pandemonium and chaos," as one current employee, who asked to remain anonymous as they were not authorized to speak to the press, told Motherboard. Sinclair has released very few details about the attack since it was hacked Sunday. On Wednesday, Bloomberg reported that the group behind the attack is the infamous Evil Corp., a ransomware gang that is believed to be based in Russia and which was sanctioned by the U.S. Treasury department in 2019.

The ransomware attack interfered with several channels' broadcast programming, preventing them from airing ads or NFL games, as reported by The Record, a news site owned by cybersecurity firm Recorded Future. It has also left employees confused and wondering what's going on, according to current Sinclair workers. "Whoever did this, they either by accident or by design did a very good job," a current employee said in a phone call, explaining that there are some channels that haven't been able to air commercials since Sunday. "We're really running in the blind [...] you really can't do your job." The employee said that he was working on Sunday and was able to get two emails out to colleagues. "And one of them got it, and the other one didn't," they said.

Employees did not have access to their emails until Tuesday morning, according to the two employees and text messages seen by Motherboard. The office computers, however, are still locked by the company out of precaution, and Sinclair told employees not to log into their corporate VPN, which they usually used to do their jobs. Until Thursday, the company was communicating with employees via text, according to the sources, who shared some of the texts sent by the company. In one of them, they called for an all hands meeting. The meeting, according to the two current employees, was quick and vague. Both sources said that the company should be more transparent with its own employees.

Bitcoin

Bitcoin's Price Crashed 87% On Binance.US Thanks To a Bug (vice.com) 21

An anonymous reader quotes a report from Motherboard: Bitcoin is on a tear, reaching an all time high price of $67,000 for 1 BTC on Wednesday, buoyed by a series of approvals for Bitcoin futures funds on the stock market. But on one major U.S. exchange, the price flash-crashed 87 percent to roughly $8,200 on Thursday due to a bug in a trading algorithm. The crash occurred during a massive sell-off on the Binance.US exchange that occurred around 7:42 a.m. ET, Bloomberg reported. Binance is the largest cryptocurrency exchange in the world, and its Binance.US exchange is meant to be compliant with U.S. regulations, although it is still banned in several states.

According to a Binance.US spokesperson, the crash was due to an issue with a trading algorithm being run by one "institutional trader," which may indicate an investment fund of some sort. "One of our institutional traders indicated to us that they had a bug in their trading algorithm, which appears to have caused the sell-off," Binance.US told Bloomberg. "We are continuing to look into the event, but understand from the trader that they have now fixed their bug and that the issue appears to have been resolved." It's entirely possible that some lucky traders were at the right place at the right time and managed to snap up some incredibly cheap BTC, but mostly it's yet another example of weirdness along the edges of the crypto ecosystem.

Intel

Intel Open-sources AI-powered Tool To Spot Bugs in Code (venturebeat.com) 26

Intel has open-sourced ControlFlag, a tool that uses machine learning to detect problems in computer code -- ideally to reduce the time required to debug apps and software. From a report: In tests, the company's machine programming research team says that ControlFlag has found hundreds of defects in proprietary, "production-quality" software, demonstrating its usefulness. "Last year, ControlFlag identified a code anomaly in Client URL (cURL), a computer software project transferring data using various network protocols over one billion times a day," Intel principal AI scientist Justin Gottschlich wrote in a blog post on LinkedIn.

"Most recently, ControlFlag achieved state-of-the-art results by identifying hundreds of latent defects related to memory and potential system crash bugs in proprietary production-level software. In addition, ControlFlag found dozens of novel anomalies on several high-quality open-source software repositories." The demand for quality code draws an ever-growing number of aspiring programmers to the profession. After years of study, they learn to translate abstracts into concrete, executable programs -- but most spend the majority of their working hours not programming. A recent study found that the IT industry spent an estimated $2 trillion in 2020 in software development costs associated with debugging code, with an estimated 50% of IT budgets spent on debugging.

Government

Governments Turn Tables On Ransomware Gang REvil By Pushing It Offline (reuters.com) 20

An anonymous reader shares a report from Reuters: The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official. Former partners and associates of the Russian-led criminal gang were responsible for a May cyberattack on the Colonial Pipeline that led to widespread gas shortages on the U.S. East Coast. REvil's direct victims include top meatpacker JBS. The crime group's "Happy Blog" website, which had been used to leak victim data and extort companies, is no longer available. Officials said the Colonial attack used encryption software called DarkSide, which was developed by REvil associates.

VMware head of cybersecurity strategy Tom Kellermann said law enforcement and intelligence personnel stopped the group from victimizing additional companies. "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. "REvil was top of the list." [...] U.S. government attempts to stop REvil, one of the worst of dozens of ransomware gangs that work with hackers to penetrate and paralyze companies around the world, accelerated after the group compromised U.S. software management company Kaseya in July. That breach opened access to hundreds of Kaseya's customers all at once, leading to numerous emergency cyber incident response calls. Following the attack on Kaseya, the FBI obtained a universal decryption key that allowed those infected via Kaseya to recover their files without paying a ransom. But law enforcement officials initially withheld the key for weeks as it quietly pursued REvil's staff, the FBI later acknowledged. According to three people familiar with the matter, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure, obtaining control of at least some of their servers.

After websites that the hacker group used to conduct business went offline in July, the main spokesman for the group, who calls himself "Unknown," vanished from the internet. When gang member 0_neday and others restored those websites from a backup last month, he unknowingly restarted some internal systems that were already controlled by law enforcement. "The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised," said Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB. "Ironically, the gang's own favorite tactic of compromising the backups was turned against them." Reliable backups are one of the most important defenses against ransomware attacks, but they must be kept unconnected from the main networks or they too can be encrypted by extortionists such as REvil.

Bug

GPSD Bug Will Switch Your Time-Keeping Systems To March 2002 This Weekend, Unless You Update (zdnet.com) 60

"Apparently a bug in GPSD, the daemon responsible for deriving time from the GPS system, is going to trigger on October 24, 2021, jumping the time back to March of 2002," writes Slashdot reader suutar. "There's a fix that's been committed since August, but of course not everything is up to date." ZDNet's Steven J. Vaughan-Nichols writes: This will be ugly. Or, as Stephen Williams, who uncovered the bug, put it, "I have a feeling that there will be some 'interesting moments' in the early morning when a bunch of the world's stratum 1 NTP servers using GPSD take the long strange trip back to 2002." GPSD maintainer Gary E. Miller has acknowledged the problem, and a fix has been made to the code. To be exact, the fix is in August 2021's GPSD 3.23 release. So, what's the problem if the fix is already in?

Well, there are two problems. First, it won't be backported to previous releases. If you're still using an older version, you may be out of luck. Second, as Miller observed, not all distros "pick up GPSD updates or upstream their patches. [This] is a very sore spot with me." So, just because your operating system is up to date does not mean that it will have the necessary GPSD fix. Miller suggests that you check it and do it yourself: "I [am] gonna fall back on Greg K_H's dictum: All users must update."

Oh, wondering what the mysterious root cause of all this commotion is? GPS Week Rollover. It's a legacy GPS problem. The week number in the GPS signal uses a 10-bit field with a maximum value of 1,023. This means that every 19.7 years the GPS week number rolls over to zero. Or, as Miller noted, "This code is a 1024 week time warp waiting to happen." So, check your systems now for this problem. And, if, like most of us, you're relying on someone upstream from you for the correct time, check with them to make sure they've taken care of this forthcoming trouble.
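The arithmetic behind that 1024-week warp, as an added example that is not GPSD's code or part of the original article. A receiver using the legacy field reports only the week modulo 1024, so the software consuming it has to pick the era. The block shows the page's own numbers: October 24, 2021 is full GPS week 2181, the field carries 133, and any code that assumes a fixed number of rollovers lands on week 1157, which starts March 10, 2002. The "resolve against a reference day the software knows is in the past" approach (here, the build date) is a common fix for this class of problem and is shown as a generic technique; the function names, the reference date and the fixed-era model are assumptions of this illustration. The exact condition that made GPSD's own check fire on that date is not described on the page and is not reproduced here.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # the Sunday on which GPS week 0 began
WEEK_FIELD_MODULUS = 1024      # the legacy 10-bit week field wraps to 0 after week 1023


def gps_week_for(iso_day: str) -> int:
    """Full (unwrapped) GPS week number that contains the given calendar day."""
    return (date.fromisoformat(iso_day) - GPS_EPOCH).days // 7


def week_start(full_week: int) -> str:
    """ISO date of the Sunday that starts the given full GPS week."""
    return (GPS_EPOCH + timedelta(weeks=full_week)).isoformat()


def truncated_week(full_week: int) -> int:
    """What a receiver using the 10-bit field actually reports: the week modulo 1024."""
    return full_week % WEEK_FIELD_MODULUS


def resolve_week_fixed_era(week10: int, rollovers_assumed: int = 1) -> int:
    """The failure mode, modelled (this is not gpsd's code): assume the field has wrapped a
    fixed number of times. Hard-coding one rollover was right from August 1999 to April 2019
    and is exactly 1024 weeks behind once the field has wrapped again."""
    return week10 + rollovers_assumed * WEEK_FIELD_MODULUS


def resolve_week(week10: int, reference_iso_day: str) -> int:
    """Resolve a 10-bit week against a day the software knows cannot be after a valid fix
    (assumed here: its own build date). Pick the era in which the reported week lands on or
    after that reference; if it would land before, the field has wrapped since then."""
    if not 0 <= week10 < WEEK_FIELD_MODULUS:
        raise ValueError("week field must be 0..1023")
    reference_week = gps_week_for(reference_iso_day)
    era_start = reference_week - reference_week % WEEK_FIELD_MODULUS
    full_week = era_start + week10
    if full_week < reference_week:
        full_week += WEEK_FIELD_MODULUS
    return full_week


if __name__ == "__main__":
    rollover_day = "2021-10-24"
    full = gps_week_for(rollover_day)               # 2181 = 2 * 1024 + 133
    reported = truncated_week(full)                 # 133 is all the legacy field carries
    naive = resolve_week_fixed_era(reported)        # 1157 -> March 2002
    robust = resolve_week(reported, "2021-08-01")   # assumed build date -> 2181
    print(f"{rollover_day}: full week {full}, receiver reports {reported}")
    print(f"fixed-era guess -> week {naive} starting {week_start(naive)}")
    print(f"reference-based -> week {robust} starting {week_start(robust)}")
```

The practical check follows from the same arithmetic: if a stratum 1 server's GPS-derived time and its RTC or an independent NTP peer disagree by almost exactly 1024 weeks (7168 days), the week field has been resolved into the wrong era, not drifted.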

AMD

AMD and Microsoft Issue Fixes For Ryzen CPU Slowdowns On Windows 11 (engadget.com) 34

AMD and Microsoft have issued patches to address the slowdowns reported with Ryzen processors when Windows 11 launched. Engadget reports: The latest chipset driver (version 3.10.08.506) should take care of the UEFI CPPC2 issue, which in some cases didn't "preferentially schedule threads on a processor's fastest core," AMD said. That could have slowed down apps that are sensitive to CPU thread performance. AMD noted that the problem was likely more noticeable in more powerful processors with more than eight cores and 65W or higher Thermal Design Power (TDP).

Meanwhile, Microsoft is rolling out a software update tackling a bug that increased L3 cache latency. The issue impacted apps that need quick memory access, which in turn caused CPUs to slow down by up to 15 percent. The patch, Windows 11 update KB5006746, will be available starting today, but at the time of writing, a page containing instructions for installing it isn't yet live. You should be able to install it via Windows Update too.

Security

Google Unmasks Two-year-old Phishing and Malware Campaign Targeting YouTube Users (therecord.media) 19

Almost two years after a wave of complaints flooded Google's support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Google's security team has finally tracked down the root cause of these attacks. From a report: In a report published today, the Google Threat Analysis Group (TAG) attributed these incidents to "a group of hackers recruited in a Russian-speaking forum." TAG said the hackers operated by reaching out to victims via email with various types of business opportunities. YouTubers were typically lured with potential sponsorship deals. Victims were asked to install and test various applications and then publish a review. Apps typically used in these schemes involved antivirus software, VPN clients, music players, photo editors, PC optimizers, or online games.

But unbeknownst to the targets, the hackers hid malware inside the apps. Once the YouTube creators received and installed the demo app, the installer would drop malware on their devices, malware which would extract login credentials and authentication cookies from their browsers and send the stolen data to a remote server. The hackers would then use the authentication cookies to access a YouTuber's account -- bypassing the need to enter a two-factor authentication (2FA) token -- and move to change passwords and the account's recovery email and phone numbers. With the victims locked out of their accounts, the hackers would typically sell the hijacked YouTube channel on underground marketplaces for stolen identities.

United States

Gov. Parson Doubles Down on Push To Prosecute Reporter Who Found Security Flaw in State Site (missouriindependent.com) 185

Gov. Mike Parson escalated his war with the St. Louis Post-Dispatch on Wednesday when his political operation published a video doubling down on his attack against a reporter who informed the state that a state website revealed teacher Social Security numbers. From a report: The video is produced by Uniting Missouri, a political action committee created by Parson supporters to back his 2020 election campaign. The PAC continues to raise and spend large sums of money to promote Parson's political agenda. It operates without direct input from Parson on its activities.

"The St. Louis Post-Dispatch is purely playing politics," the ad states. "Exploiting personal information is a squalid excuse for journalism." The ad comes less than a week after Parson's widely criticized demand for an investigation and prosecution of the reporter who discovered the security flaw in a state website, along with "all those involved." Parson read a statement calling the reporter "a hacker" to reporters gathered outside his Missouri Capitol office last Thursday, then left without taking questions. John Hancock, chairman of Uniting Missouri, declined to discuss any specifics about the video.

Chrome

Google Removes Support for FTP and Old-gen U2F Security Keys in Chrome 95 (therecord.media) 62

Google today released Chrome v95, the latest version of its popular web browser and a version that contains several changes that will likely cause problems for a considerable part of its users. The problematic changes include:
removing support for File Transfer Protocol (FTP) URLs -- ftp://
removing support for the Universal 2nd Factor (U2F) standard, used in old-generation security keys (Chrome will only support FIDO2/WebAuthn security keys going forward)
adding file size limits for browser cookies
removing support for URLs with non-IPv4 hostnames ending in numbers, such as http://example.0.1

In addition to breaking changes, Chrome 95 also comes with a new UI component called the "Side Panel," which can be used to view the Chrome browser's Reading List and Bookmarks.

Security

Sinclair Broadcast Hack Linked To Notorious Russian Cybergang 22

A weekend cyberattack against Sinclair Broadcast Group was linked to one of the most infamous Russian cybergangs, called Evil Corp, Bloomberg reports. From the report: The Sinclair hackers used malware called Macaw, a variant of ransomware known as WastedLocker. Both Macaw and WastedLocker were created by Evil Corp., according to the two people, who requested anonymity to discuss confidential matters. Evil Corp. was sanctioned by the U.S. Treasury Department in 2019. Since then, it has been accused by cybersecurity experts of rebranding in an attempt to avoid the sanctions. People in the U.S. are generally prohibited from engaging in transactions with sanctioned entities, including paying a ransom. "Sinclair appears to have been hit by Macaw ransomware, a relatively new strain first reported in early October," said Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future Inc. "There have not been any other Macaw victims publicly reported."
Government

New FCC Rules Could Force Wireless Carriers To Block Spam Texts (engadget.com) 45

An anonymous reader quotes a report from Engadget: Under Acting Chairwoman Jessica Rosenworcel, the Federal Communications Commission is seeking to create new rules targeting spam text messages. Like another recent proposed rulemaking from the agency, the policy would push wireless carriers and telephone companies to block the spam before it ever gets to your phone.

"We've seen a rise in scammers trying to take advantage of our trust of text messages by sending bogus robotexts that try to trick consumers to share sensitive information or click on malicious links," Rosenworcel said. "It's time we take steps to confront this latest wave of fraud and identify how mobile carriers can block these automated messages before they have the opportunity to cause any harm."

Java

About 26% of All Malicious JavaScript Threats Are Obfuscated (bleepingcomputer.com) 18

Akamai researchers have analyzed 10,000 JavaScript samples including malware droppers, phishing pages, scamming tools, Magecart snippets, cryptominers, etc. At least 26% of them use some form of obfuscation to evade detection, indicating an uptick in the adoption of this basic yet effective technique. BleepingComputer reports: Obfuscation is when easy-to-understand source code is converted into a hard to understand and confusing code that still operates as intended. Threat actors commonly use obfuscation to make it harder to analyze malicious scripts and to bypass security software. Obfuscation can be achieved through various means like the injection of unused code into a script, the splitting and concatenating of the code (breaking it into unconnected chunks), or the use of hexadecimal patterns and tricky overlaps with function and variable naming.

But not all obfuscation is malicious or tricky. As the report explains, about 0.5% of the 20,000 top-ranking websites on the web (according to Alexa), also use obfuscation techniques. As such, detecting malicious code based on the fact that it is obfuscated isn't enough on its own, and further correlation with malicious functionality needs to be made. This mixing with legitimate deployment is precisely what makes the detection of risky code challenging, and the reason why obfuscation is becoming so widespread in the threat landscape.
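A heuristic of the kind the two paragraphs above describe, as an added example that is not Akamai's model or code and not part of the original report. It scores the structural tells named in the text (hex escapes, string-array identifiers, bracketed string property access, entropy) separately from what the script can do, and it decodes the escapes before looking for capabilities, because '\x65\x76\x61\x6c' is 'eval' to the interpreter but not to a naive pattern match. The four JavaScript samples are constructed for this illustration and the thresholds are assumptions, not trained values; the "legitimately obfuscated" sample is there to make the report's point that obfuscation alone is not a verdict.

```python
import math
import re
from collections import Counter

# Constructed samples for this illustration (not taken from the Akamai report).
PLAIN_JS = """
function trackClick(el) {
  var id = el.getAttribute('data-id');
  fetch('/api/click?id=' + encodeURIComponent(id));
}
"""

MINIFIED_JS = ("function a(b){var c=b.getAttribute('data-id');"
               "fetch('/api/click?id='+encodeURIComponent(c))}")

# The same analytics logic after a string-array obfuscator: obfuscated, not malicious.
LEGIT_OBFUSCATED_JS = r"""
var _0x12ab=['\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65','\x64\x61\x74\x61\x2d\x69\x64'];
function _0x3c4d(_0x5e6f){return _0x5e6f[_0x12ab[0]](_0x12ab[1]);}
"""

# String-array obfuscation hiding 'eval' and 'fromCharCode' behind hex escapes.
MALICIOUS_OBFUSCATED_JS = r"""
var _0x4a2b=['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65','\x65\x76\x61\x6c','\x63\x6f\x6f\x6b\x69\x65'];
(function(_0x1c3d,_0x5e7f){var _0x2a9c=function(_0x3b1d){while(--_0x3b1d){_0x1c3d['push'](_0x1c3d['shift']());}};_0x2a9c(++_0x5e7f);}(_0x4a2b,0x1a3));
window[_0x4a2b[1]](String[_0x4a2b[0]](100,111,99,117,109,101,110,116)+'[\x22'+_0x4a2b[2]+'\x22]');
"""

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
HEX_IDENTIFIER = re.compile(r"\b_0x[0-9a-fA-F]{2,}\b")
BRACKET_STRING_ACCESS = re.compile(r"\[\s*(['\"])[^'\"]*\1\s*\]")
# Capabilities worth a second look once a script is known to be obfuscated (assumed list).
SINKS = re.compile(r"\b(eval|Function|fromCharCode|unescape|atob|document\.write|setTimeout)\b")


def unescape_literals(src: str) -> str:
    """Decode \\xNN and \\uNNNN escapes so identifiers hidden in string literals can be matched."""
    src = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def features(src: str) -> dict:
    n = max(len(src), 1)
    escapes = len(HEX_ESCAPE.findall(src)) + len(UNICODE_ESCAPE.findall(src))
    return {
        "escapes_per_100_chars": 100.0 * escapes / n,
        "hex_identifiers": len(set(HEX_IDENTIFIER.findall(src))),
        "bracket_string_accesses": len(BRACKET_STRING_ACCESS.findall(src)),
        "entropy_bits": shannon_entropy(src),
        # match sinks on the decoded text; on the raw text '\x65\x76\x61\x6c' hides 'eval'
        "sinks": sorted(set(SINKS.findall(unescape_literals(src)))),
    }


def obfuscation_score(f: dict) -> int:
    """Illustrative thresholds (assumptions for this example), not a trained model."""
    score = 0
    if f["escapes_per_100_chars"] >= 2.0:
        score += 2
    if f["hex_identifiers"] >= 3:
        score += 2
    if f["bracket_string_accesses"] >= 3:
        score += 1
    if f["entropy_bits"] >= 5.0:
        score += 1
    return score


def classify(src: str) -> tuple:
    """Obfuscation alone is not a verdict; it is combined with what the script can reach."""
    f = features(src)
    obfuscated = obfuscation_score(f) >= 3
    if obfuscated and f["sinks"]:
        verdict = "obfuscated+suspicious"
    elif obfuscated:
        verdict = "obfuscated"
    else:
        verdict = "plain"
    return verdict, f


def obfuscated_share(samples) -> float:
    """Fraction of a corpus that trips the obfuscation heuristic (the report's 26%-style figure)."""
    hits = sum(1 for s in samples if classify(s)[0] != "plain")
    return hits / len(samples)


if __name__ == "__main__":
    corpus = [PLAIN_JS, MINIFIED_JS, LEGIT_OBFUSCATED_JS, MALICIOUS_OBFUSCATED_JS]
    for sample in corpus:
        verdict, f = classify(sample)
        print(f"{verdict:22s} hex_ids={f['hex_identifiers']} sinks={f['sinks']}")
    print(f"obfuscated share of corpus: {obfuscated_share(corpus):.0%}")
```

Minification and obfuscation are deliberately kept apart: the minified sample scores zero because shortening names and stripping whitespace leaves none of the encoding tells, while the legitimately obfuscated sample trips the heuristic but carries no sink, which is exactly the case the report says cannot be blocked on obfuscation alone.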

Security

Hacker Steals Government ID Database for Argentina's Entire Population (therecord.media) 41

A hacker has breached the Argentinian government's IT network and stolen ID card details for the country's entire population, data that is now being sold in private circles. The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons. From a report: The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizen's personal information.
Security

Credit Card PINs Can Be Guessed Even When Covering the ATM Pad (bleepingcomputer.com) 58

An anonymous reader quotes a report from BleepingComputer: Researchers have proven it's possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands. The attack requires the setting up of a replica of the target ATM because training the algorithm for the specific dimensions and key spacing of the different PIN pads is crucially important. Next, the machine-learning model is trained to recognize pad presses and assign specific probabilities on a set of guesses, using video of people typing PINs on the ATM pad.

For the experiment, the researchers collected 5,800 videos of 58 different people of diverse demographics, entering 4-digit and 5-digit PINs. The machine that ran the prediction model was a Xeon E5-2670 with 128 GB of RAM and three Tesla K20m with 5GB of RAM each. By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs. The model can exclude keys based on the non-typing hand coverage, and deduces the pressed digits from the movements of the other hand by evaluating the topological distance between two keys. The placement of the camera which captures the tries plays a key role, especially if recording left or right-handed individuals. Concealing a pinhole camera at the top of the ATM was determined to be the best approach for the attacker. If the camera is capable of capturing audio too, the model could also use pressing sound feedback which is slightly different for each digit, thus making the predictions a lot more accurate.

Security

US Treasury Says It Tied $5.2 Billion in BTC Transactions To Ransomware Payments (therecord.media) 36

The financial crimes investigation unit of the US Treasury Department, also known as FinCEN, said last week it identified approximately $5.2 billion in outgoing Bitcoin transactions potentially tied to ransomware payments. From a report: FinCEN officials said the figure was compiled by analyzing 2,184 Suspicious Activity Reports (SARs) filed by US financial institutions over the last decade, between January 1, 2011, and June 30, 2021. While the initial SAR reports highlighted $1.56 billion in suspicious activity, a subsequent FinCEN investigation of the Top 10 most common ransomware variants exposed additional transactions, amounting to around $5.2 billion just from these groups alone.
Security

Sinclair TV Stations Disrupted Across the US After Ransomware Attack (therecord.media) 59

TV broadcasts for Sinclair-owned channels went down Sunday across the US in what the stations have described as technical issues, but which multiple sources told The Record to be a ransomware attack. From the report: The incident occurred in the early hours of the day and took down the Sinclair internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations. As a result of the attack, many channels weren't able to broadcast morning shows, news segments, and scheduled NFL games, according to a barrage of tweets coming from viewers and the TV channels themselves. "Internally, it's bad," a source who had to call Sinclair employees on their personal numbers to get more details about the attack, told The Record earlier today in a private conversation.
Government

International 'US Cyber Games' Competition Seeks Next Generation of Cybersecurity Experts (washingtonpost.com) 23

"As the United States seeks to shore up its defenses against cyberattacks, the country is seeking to harness the skills of some of the country's most promising young minds," reports the Washington Post, "using a model that mirrors competitive video gaming, also known as esports."

Though it's a partnership between the federal government, academia and the private sector, it's being run by Katzcy, a northern Virginia-based digital marketing firm, the Post reports: U.S. Cyber Games, a project founded in April and funded by the National Institute of Standards and Technology's National Initiative for Cybersecurity Education, has assembled a team of 25 Americans, ages 18 to 26, who will compete against other countries in the inaugural International Cybersecurity Challenge, scheduled to be held in Greece in June 2022.

The cyber games consist of two broad formats, with the competitions organized and promoted to appeal to a generation raised on video gaming. The goal is to identify and train candidates for careers in cybersecurity. There are king-of-the-hill-type games where one team tries to break into a network while the other team tries to defend it. There are also capture-the-flag-type games where teams must complete a series of puzzles that follow the basic tenets of cybersecurity programs, like decrypting an encrypted file or analyzing secret network traffic...

The U.S. cyber team's head coach, retired Lt. Col. TJ O'Connor, who served as a communications support officer with special forces, noted the unique platform presented by cybersecurity competitions. Unlike other forms of computer science education, O'Connor said, staying up to date on the latest developments in cybersecurity is difficult, with hackers constantly iterating on and developing new tactics to break through cyberdefenses. "Understanding the most likely attack is one thing you gain through Cyber Games. It's an attack-based curriculum, and then you can plan the most appropriate strategies when they occur," said O'Connor, who helped create and now chairs Florida Tech's cybersecurity program.

Security

'Dirty Servers': The Untold Story of The Great Twitch Breach of 2014 (vice.com) 8

A 2014 breach at Twitch "was so bad that Twitch essentially had to rebuild much of its code infrastructure because the company eventually decided to assume most of its servers were compromised," reports Vice. "They figured it would be easier to just label them 'dirty,' and slowly migrate them to new servers, according to three former employees who saw and worked with these servers."

Slashdot reader em1ly shares Vice's report (which Vice based on interviews with seven former Twitch employees who'd worked there when the breach happened): The discovery of the suspicious logs kicked off an intense investigation that pulled nearly all Twitch employees on deck. One former employee said they worked 20 hours a day for two months, another said he worked "three weeks straight." Other employees said they worked long hours for weeks on end; some who lived far from the office slept in hotel rooms booked by the company. At the time, Twitch had few, if any, dedicated cybersecurity engineers, so developers and engineers from other teams were pulled into the effort, working together in meeting rooms with glass windows covered, frantically trying to figure out just how bad the hack was, according to five former Twitch employees who were at the company at the time...

Twitch's users would only find out about the breach six months after its discovery, on March 23, 2015, when the company published a short blog post that explained "there may have been unauthorized access to some Twitch user account information," but did not let on nearly how damaging the hack was to Twitch internally.... When Twitch finally disclosed the hack in March of 2015, security engineers at Twitch and Amazon, who had come to help with the incident response, concluded that the hack had started at least eight months before the discovery in October of 2014, though they had no idea if the hackers had actually broken in even earlier than that, according to the former employee. "That was long enough for them to learn entirely how our whole system worked and the attacks they launched demonstrated that knowledge," the former employee said...

For months after the discovery and public announcement, several servers and services were internally labeled as "dirty," as a way to tell all developers and engineers to be careful when interacting with them, and to make sure they'd get cleaned up eventually. This meant that they were still live and in use, but engineers had put restrictions on them in the event that they were still compromised, according to three former employees. "The plan apparently was just to rebuild the entire infra[structure] from known-good code and deprecate the old 'dirty' environment. We still, years later, had a split between 'dirty' services (servers or other things that were running when the hack took place) and 'clean' services, which were fired up after," one of the former employees said. "We celebrated office-wide the day we took down the last dirty service!"

Another former employee tells Vice that the breach came as a surprise, even though the company hadn't invested in keeping itself secure. "Security efforts kept getting cancelled or deprioritized with the argument that 'everyone loves Twitch; no one wants to hack us.'" The Twitch engineer who'd first stumbled onto the breach described his reaction to Vice. " 'Oh fuck.' But I remember thinking that there was so much 'I told you so' here."

One former employee added later that a more recent incident just this month "demonstrates that they didn't learn anything from the incident in 2014." But not everyone agrees. Other former employees, however, said that the damage of this new data breach appears to be less severe than the 2014 hack. And that it's likely thanks to Twitch taking security more seriously since then.
