Businesses

Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers (therecord.media)

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S.-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas.
Further reading: How Not To Hire a North Korean IT Spy
Security

Kaspersky Defends Stealth Swap of Antivirus Software on US Computers (techcrunch.com)

Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers' computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software.

Kaspersky spokesperson Francesco Tius told TechCrunch that the company informed eligible U.S. customers via email about the migration, which began in early September. Windows users experienced an automatic transition to ensure continuous protection, while Mac and mobile users were instructed to manually install UltraAV. Some customers expressed alarm at the unannounced software swap. Kaspersky blamed missed notifications on unregistered email addresses, directing users to in-app messages and an online FAQ. The abrupt change raises concerns about user autonomy and privacy in software updates, particularly as UltraAV lacks an established security track record.
Iphone

iPhone's 80% Charge Cap Barely Boosts Battery Life, Year-Long Test Reveals (macrumors.com)

A year-long test of Apple's 80% charge limit feature on the iPhone 15 Pro Max has revealed only marginal benefits to battery health. MacRumors editor Juli Clover reported her device maintained 94% battery capacity after 299 charge cycles, compared to 87-90% capacity for iPhones without the limit. The opt-in setting, introduced with iPhone 15 models, aims to extend battery longevity by restricting maximum charge.

Clover adhered strictly to the 80% limit for 12 months, noting occasional inconveniences like depleted batteries during long days. While the test showed slightly better battery health retention, Clover questioned whether the trade-off in daily usability was worthwhile. She adds: I don't have a lot of data points for comparison, but it does seem that limiting the charge to 80 percent kept my maximum battery capacity higher than what my co-workers are seeing, but there isn't a major difference. I have four percent more battery at 28 more cycles, and I'm not sure suffering through an 80 percent battery limit for 12 months was ultimately worth it. It's possible that the real gains from an 80 percent limit will come in two or three years rather than a single year, and I'll keep it limited to 80 percent to see the longer term impact.
Google

Google Maps is Cracking Down on Fake Reviews (theverge.com)

An anonymous reader shares a report: Google Maps is reeling in business pages engaging in fake reviews, and highlighting such activity to its users. Google will now impose restrictions against business profiles that violate the search giant's Fake Engagement policy, such as temporarily removing reviews, blocking new reviews or ratings, and displaying a warning message on profiles that have had fake reviews deleted.

The business profile restrictions were introduced in the UK earlier this year, but Search Engine Roundtable notes that the support page was updated in mid-September to seemingly apply globally. For the moment, however, only users in the UK are seeing the business warnings.

Intel

Intel Releases Critical Microcode Fix for 13th and 14th Gen CPU Voltage Issues

Intel has released microcode update 0x12B for its 13th and 14th generation Core processors, addressing persistent stability issues stemming from voltage irregularities. The update targets a specific clock tree circuit within the CPU's IA core that was causing elevated voltage requests during idle and light workloads.

The company identified four key factors contributing to voltage instability: motherboards exceeding Intel's power specifications, an Enhanced Thermal Velocity Boost algorithm allowing sustained high performance at elevated temperatures, frequent high voltage requests from the processor, and problematic microcode demanding elevated core voltages during low-activity periods. While previous update 0x129 addressed some concerns, the new 0x12B update aims to resolve the root cause of the "Vmin shift" problem, where voltage spikes lead to increased power requirements and potential degradation over time. Intel is working with motherboard manufacturers to roll out BIOS updates incorporating the new microcode.
IT

WordPress.org Denies Service To WP Engine (theregister.com)

WordPress has escalated its feud with WP Engine, a hosting provider, by blocking the latter's servers from accessing WordPress.org resources -- and therefore from potentially vital software updates. From a report: WordPress is an open source CMS which is extensible using plugins. Its home is WordPress.org, which also hosts resources such as themes and plugins for the CMS. A vast ecosystem of plugins exists from numerous suppliers, but WordPress.org is the main source. Many WordPress users rely on several plugins. Preventing WP Engine users from accessing plugin updates is therefore serious, as it could mean users can't update plugins that have security issues, or other fixes.

WordPress co-founder and CEO Matt Mullenweg recently called WP Engine a "cancer" and accused it of profiting from WordPress without contributing to development of the CMS. Mullenweg has sought to have WP Engine pay trademark license fees -- a move he feels would represent a financial contribution commensurate with the benefits it derives from the project. WP Engine doesn't want or intend to pay. Mullenweg argued that if WP Engine won't pay, it should not be able to benefit from resources at WordPress.org.

Security

Critical Unauthenticated RCE Flaw Impacts All GNU/Linux Systems (cybersecuritynews.com)

"Looks like there's a storm brewing, and it's not good news," writes ancient Slashdot reader jd. "Whether or not the bugs are classically security defects or not, this is extremely bad PR for the Linux and Open Source community. It's not clear from the article whether this affects other Open Source projects, such as FreeBSD." From a report: A critical unauthenticated Remote Code Execution (RCE) vulnerability has been discovered, impacting all GNU/Linux systems. As per agreements with developers, the flaw, which has existed for over a decade, will be fully disclosed in less than two weeks. Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, although experts suggest there should be at least three to six. Leading Linux distributors such as Canonical and RedHat have confirmed the flaw's severity, rating it 9.9 out of 10. This indicates the potential for catastrophic damage if exploited. However, despite this acknowledgment, no working fix is still available. Developers remain embroiled in debates over whether some aspects of the vulnerability impact security.
IT

Winamp Releases Source Code, Asks For Help Modernizing the Player

Winamp, the iconic media player from the late 1990s, has released its complete source code on GitHub, fulfilling a promise made in May. The move aims to modernize the player by inviting developers to collaborate on the project.

The source code release includes build tools and associated libraries for the Windows app, allowing developers to provide bug fixes and new features. However, the license prohibits distribution of modified software created from this code.
China

China-Linked Hackers Breach US Internet Providers in New 'Salt Typhoon' Cyberattack (msn.com)

Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, WSJ reported Wednesday, citing people familiar with the matter. From the report: The hacking campaign, called Salt Typhoon by investigators, hasn't previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing's massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America's broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack. Last week, U.S. officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into U.S. networks for a China-based hacking group called Flax Typhoon. And in January, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of U.S. critical infrastructure.

"The cyber threat posed by the Chinese government is massive," said Christopher Wray, the Federal Bureau of Investigation's director, speaking earlier this year at a security conference in Germany. "China's hacking program is larger than that of every other major nation, combined." U.S. security officials allege that Beijing has tried and at times succeeded in burrowing deep into U.S. critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China's actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the U.S.'s ability to mobilize support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island.

Microsoft

Admins Using Windows Server Update Services Up in Arms as Microsoft Deprecates Feature (theregister.com)

Microsoft giveth and Microsoft taketh away, as administrators using Windows Server Update Services (WSUS) will soon find out. From a report: Windows Server 2025 remains in preview, but Microsoft has been busy letting users know what is set for removal and what will be deprecated in the release. WSUS fits into the latter category -- still there for now, but no longer under active development. This is a big deal for many administrators who rely on the feature to deploy and manage the distribution of updates and features in an enterprise environment.

It'll even work on a network disconnected from the internet -- download the patches to a connected computer, stick them on some removable media, import the patches to a WSUS server on the disconnected network, and away you go. A tame administrator told El Reg: "We are migrating to Intune. It's a lot more complicated than WSUS, and it takes a lot longer to get set up."

"Such is progress!" he sighed. Microsoft's advice is, unsurprisingly, to migrate to cloud tools. As well as the aforementioned Intune, there is also Windows Autopatch for client update management or Azure Update Manager for server update management. And there are plenty of third-party tools out there too, such as Ansible. Microsoft's announcement has attracted comment. One user said: "Congratulations, you just made centralized automated patching subject to internal politics and budget constraints. "I survived the era of Melissa, SQL Slammer, and other things that were solved when we no longer had to choose between paid patch management or trusting admins of every server to do the right thing. For those of you that did not live through that, buckle up!"
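The disconnected-network workflow the article sketches (export on a connected WSUS server, carry the package across on removable media, import on the isolated server) scripted end to end. This is an added example, not the article's or Microsoft's code. It relies on the documented `wsusutil.exe export` / `import` commands and on `robocopy`; the drive letters and content path are assumptions, and the hash file it writes is an added integrity check so that a tampered or truncated package is rejected before it is imported.

```powershell
# Added example: export/import a WSUS catalog across an air gap.
# Assumptions: wsusutil.exe in its default install location, the content
# directory on D:, and removable media mounted as E:.
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$Content  = 'D:\WSUS\WsusContent'   # assumed content directory
$Media    = 'E:\wsus-transfer'      # assumed removable media

function Export-WsusForTransfer {
    param([string]$Destination = $Media, [string]$ContentSource = $Content)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    $package = Join-Path $Destination 'export.xml.gz'

    # Metadata (catalog, approvals) goes into one compressed package...
    & $WsusUtil export $package (Join-Path $Destination 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed (exit code $LASTEXITCODE)" }

    # ...the update binaries are copied separately; /MIR mirrors the tree.
    robocopy $ContentSource (Join-Path $Destination 'WsusContent') /MIR /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

    # Record the package hash so the disconnected side can verify what it received.
    (Get-FileHash -Algorithm SHA256 -Path $package).Hash |
        Set-Content -Path "$package.sha256" -Encoding ASCII
}

function Import-WsusFromTransfer {
    param([string]$Source = $Media, [string]$ContentTarget = $Content)
    $package  = Join-Path $Source 'export.xml.gz'
    $expected = (Get-Content -Path "$package.sha256" -Raw).Trim()
    $actual   = (Get-FileHash -Algorithm SHA256 -Path $package).Hash
    if ($actual -ne $expected) {
        throw "Package hash mismatch: expected $expected, got $actual. Refusing to import."
    }

    # Content must be in place before the metadata import, or the imported
    # updates point at files the server does not have.
    robocopy (Join-Path $Source 'WsusContent') $ContentTarget /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

    & $WsusUtil import $package (Join-Path $Source 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed (exit code $LASTEXITCODE)" }
}

# On the connected server:     Export-WsusForTransfer
# On the disconnected server:  Import-WsusFromTransfer
```

Robocopy exit codes below 8 are informational (files copied, extras skipped), which is why the checks only fail at 8 and above. The hash step is the part worth keeping even if the rest is replaced by a vendor tool: removable media is exactly where an unverified package can be swapped or corrupted between the two servers.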

IT

New California Law Requires One-Click Subscription Cancellations (thedesk.net)

A new law in California will make it easier for consumers to cancel their streaming subscriptions and similar products when they enroll in automatic renewal of those services. From a report: The law, passed through Assembly Bill (AB) 2863, will require companies that offer automatic subscription renewals through one-click purchases to also offer customers a way to cancel their subscriptions through the same one-click method. California already had one of the toughest subscription cancellation laws in the country, requiring companies to offer a way to cancel a recurring subscription through the Internet if they allowed customers to sign up for a service that way.

The initial law was meant to prevent companies from allowing customers to purchase a subscription through the web, while forcing them to call a hotline to cancel them. Consumer advocacy groups complained that companies would often subject customers to frustrating long wait times on the phone with the hope that they would eventually hang up without cancelling their service. While the law was good in theory, it contained at least one loophole: Companies were in compliance as long as they offered a way for customers to cancel their subscriptions online, but could make them click several links or visit several webpages with opt-in requirements before a cancellation request was processed.

Security

Kansas Water Facility Switches to Manual Operations Following Cyberattack (securityweek.com)

A small city in Kansas was forced to switch its water treatment facility to manual operations after a suspected cyberattack was discovered on September 22. The precautionary measure was taken "to ensure plant operations remained secure," the city said. It reassured residents that the drinking water is safe and the water supply remains unaffected. SecurityWeek.com reports: Arkansas City says it has notified the relevant authorities of the incident and that they are working with cybersecurity experts to address the issue and return the facility's operations to normal. "Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents," the city said. While the city's notification does not share further details on the incident, it appears that the water treatment plant might have fallen victim to a ransomware attack. Switching to manual operations suggests that systems were shut down to contain the attack, which is the typical response to incidents involving ransomware.
Security

CrowdStrike Overhauls Testing and Rollout Procedures To Avoid System Crashes (securityweek.com)

wiredmikey writes: CrowdStrike says it has revamped several testing, validation, and update rollout processes to prevent a repeat of the embarrassing July outage that caused widespread disruption on Windows systems around the world.

In testimony before the House Subcommittee on Cybersecurity, CrowdStrike vice president Adam Meyers outlined a new set of protocols that include carefully controlled rollouts of software updates, better validation of code inputs, and new testing procedures to cover a broader array of problematic scenarios.

Botnet

11 Million Devices Infected With Botnet Malware Hosted In Google Play (arstechnica.com)

Ars Technica's Dan Goodin reports: Five years ago, researchers made a grim discovery -- a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads. Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible. [...]

The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads -- known as Max Browser -- was also infected. That app is no longer available in Google Play. The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.

Microsoft

Microsoft Ends Development of Windows Server Update Services (bleepingcomputer.com)

joshuark shares a report: Microsoft has officially announced that Windows Server Update Services (WSUS) is now deprecated, but plans to maintain current functionality and continue publishing updates through the channel. This move isn't surprising, as Microsoft first listed WSUS as one of the "features removed or no longer developed starting with Windows Server 2025" on August 13. In June, the company also revealed that it would also soon deprecate WSUS driver synchronization.

While new features and development for WSUS will cease, Microsoft said today that it plans to continue supporting the service's existing functionality and updates, which will still be distributed, even after deprecation. "Specifically, this means that we are no longer investing in new capabilities, nor are we accepting new feature requests for WSUS," Microsoft's Nir Froimovici said on Friday. "However, we are preserving current functionality and will continue to publish updates through the WSUS channel. We will also support any content already published through the WSUS channel."

IT

Some Kaspersky Customers Receive Surprise Forced-Update To New Antivirus Software

Customers of Kaspersky antivirus in the United States found out in the last few days that their cybersecurity software was automatically replaced with a new one called UltraAV, according to several customers. And while Kaspersky said earlier this month that its U.S. customers would be transitioned to UltraAV, many of its customers said they had no idea this was going to happen and that it would automatically be forced upon them. From a report: "Woke up to Kasperky [sic] completely gone from my system with Ultra AV and Ultra VPN freshly installed (not by me, just automatically while I slept)," a user on Reddit wrote. Others reported having the same experience in the same Reddit thread, as well as in other threads. A reseller, who until recently sold Kaspersky products prior to the recent sales ban, told TechCrunch that he was left "annoyed" by the move to automatically remove Kaspersky software and replace it with an entirely different antivirus. A former senior U.S. government cybersecurity official said that this was an example of the "huge risk" posed by the access granted by Kaspersky software. It's worth noting that, on the other hand, other customers did report receiving an email from Kaspersky about the transition to UltraAV.
Microsoft

Microsoft Tightens Digital Defenses with Sweeping Security Overhaul (geekwire.com)

Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft's security culture "inadequate."

Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging.

Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.
IT

How Sonos Botched an App and Infuriated Its Customers

Sonos launched a disastrous app update in May, prompting CEO Patrick Spence to commission an internal investigation led by chief counsel Eddie Lazarus. The software release, plagued with missing features and bugs, has sparked widespread customer outrage and led to a $200 million revenue shortfall. Sonos shares have plummeted 25% this year. Lazarus interviewed about two dozen employees and reviewed meeting recordings before presenting his findings to the board in late July. Bloomberg: What has happened to Sonos is at its heart a cautionary tale of company leadership ignoring the perils of "technical debt," the term used by software engineers to describe the compounding threat of outdated code and infrastructure on security, usability and stability.

For two decades, Sonos had allowed its tech debt to pile high. When it undertook in earnest its effort to revamp its app in mid-2022, the company knew it was sitting on infrastructure and code written in languages that were pretty much obsolete. The Sonos app had been adapted and spliced and tinkered with so often, the vast majority of work being performed for the new app was less about introducing new functionality than sorting out the existing mess.

The company could have tackled its tech debt sooner but appears to have lacked a crucial element: urgency. It finally came in the form of the Sonos Ace headphones, the first product in the Sonos range to be fully mobile rather than using home or office Wi-Fi. The app needed to be rebuilt, as did the cloud computing setup underpinning it.

Ace is a critical product for Sonos. Now that Sonos' pandemic sales boom has subsided, Wall Street has started to question where revenue growth will come from. Sonos Ace is a big part of the answer. Despite the company's lofty and well-earned reputation, Sonos' share of the $100 billion audio market is only around 2% because it has not gone toe-to-toe in the headphones category with Apple, Sennheiser, Bose and the rest.
The Internet

WordPress Founder Calls WP Engine a 'Cancer To WordPress' and Urges Community To Switch Providers (techcrunch.com)

Automattic CEO and WordPress co-creator Matt Mullenweg unleashed a scathing attack on a rival firm this week, calling WP Engine -- a managed WordPress hosting provider that has raised nearly $300 million in funding over its 14-year history -- a "cancer to WordPress." From a report: Mullenweg criticized the company -- which has been commercializing the open source WordPress project since 2010 -- for profiteering without giving much back, while also disabling key features that make WordPress such a powerful platform in the first place.

[...] But speaking last week at WordCamp US 2024, a WordPress-focused conference held in Portland, Oregon, Mullenweg pulled no punches in his criticism of WP Engine. Taking to the stage, Mullenweg read out a post he had just published to his personal blog, where he points to the distinct "five for the future" investment pledges made by Automattic and WP Engine to contribute resources to support the sustained growth of WordPress, with Automattic contributing 3,900 hours per week, and WP Engine contributing just 40 hours.

While he acknowledged that these figures are just a "proxy," and might not be perfectly accurate, Mullenweg said that this disparity in contributions is notable, as both Automattic and WP Engine "are roughly the same size, with revenue in the ballpark of half-a-billion [dollars]." [...] Mullenweg published a follow up blog post, where he calls WP Engine a "cancer" to WordPress. "It's important to remember that unchecked, cancer will spread," he wrote. "WP Engine is setting a poor standard that others may look at and think is ok to replicate."

Windows

Windows PowerShell Phish Uses Fake CAPTCHA, Downloads Credential Stealer (krebsonsecurity.com)

"Many GitHub users this week received a novel phishing email warning of critical security holes in their code," reports Krebs on Security — citing an email shared by one of his readers: "Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue...." Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter "R," which opens a Windows "Run" prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.

Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."

Thanks to long-time Slashdot reader sinij for sharing the article.
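The three-step lure above leaves traces a defender can look for after the fact: whatever was pasted into the Run dialog is recorded per user under the `RunMRU` registry key, and anything PowerShell then executed is captured in the PowerShell Operational log (event ID 4104) when script block logging is on. The following is an added example, not code from the Krebs article; the list of suspicious substrings is an assumption chosen to match the "paste a command into Run" pattern, not an indicator taken from the article, and the domain and file name it mentions are not hard-coded.

```powershell
# Added example: triage a Windows host for the Run-dialog / paste / Enter pattern.
# Substrings below are assumed heuristics, not indicators from the article.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$Suspicious = @('powershell', 'pwsh', 'mshta', 'cmd /c', ' -enc', ' -e ', 'iex',
                'invoke-expression', 'downloadstring', 'invoke-webrequest',
                'http://', 'https://', '-windowstyle hidden')

function Get-RunMruEntries {
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    # MRUList holds the single-letter value names ordered most-recent first;
    # each entry's data ends in "\1", which the dialog appends.
    $order = [string]$key.MRUList
    for ($i = 0; $i -lt $order.Length; $i++) {
        $name  = $order[$i].ToString()
        $value = $key.PSObject.Properties[$name]
        if ($null -ne $value) {
            [pscustomobject]@{
                Rank    = $i
                Command = ([string]$value.Value) -replace '\\1$', ''
            }
        }
    }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    $lower = $Command.ToLowerInvariant()
    foreach ($pattern in $Suspicious) {
        if ($lower.Contains($pattern)) { return $true }
    }
    return $false
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # 4104 = "Creating Scriptblock text"; requires script block logging to be enabled.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { Test-SuspiciousCommand $_.Message } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

Write-Host '== Run dialog history (most recent first) =='
Get-RunMruEntries | ForEach-Object {
    $flag = if (Test-SuspiciousCommand $_.Command) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}' -f $flag, $_.Command
}

Write-Host '== PowerShell script blocks matching the heuristics (last 24h) =='
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Run it in the context of the user who was phished, since `RunMRU` is per user (HKCU). The Run history is short and easily overwritten, so the event log is the more durable source; if 4104 events are absent, turning on script block logging via Group Policy is the change that makes this lure visible next time, which is also why the article's point about not removing PowerShell matters: the fix is logging and application control, not deleting the interpreter.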
