"Jacob Wayne John Keen, now 24, was 15 years old and living in his mother's rental when he allegedly created a sophisticated spyware tool known as a remote access trojan that allowed users to remotely take control of their victims' computers," reports the Guardian.

Once installed it could be used to steal victims' personal information, spy on them via webcams and microphones and track what they typed into emails or documents. Keen allegedly sold the tool for $35 on a hacking forum, making between $300,000 and $400,000 by selling it to more than 14,500 people in 128 countries....

Keen was slapped with six charges earlier in July, and is due to appear at Brisbane's magistrates court next month. His mother, 42, has also been charged with allegedly dealing in the proceeds of crime.

A global investigation involving more than a dozen law enforcement agencies across Europe led to 85 search warrants being executed around the world, with 434 devices seized and 13 people arrested for using the malware for "alleged criminality".
Among the tool's 14,500 users were a "statistically high" proportion of domestic violence perpetrators (and at least one child sex offender), according to the Australian federal police, who believe there were ultimately "tens of thousands" of victims globally.

Slashdot reader Bruce66423 suggests an appropriate punishment would be sentencing Keen to work for spy agencies.

Long-time Slashdot reader tsu doh nimh writes: 911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations, KrebsOnSecurity reports.
From the article: "On July 28th, a large number of users reported that they could not log in the system," the statement continues. "We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable."

Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911's longtime competitors — malware-based proxy services VIP72 and LuxSock — closed their doors in the past year...

911 wasn't the only major proxy provider disclosing a breach this week tied to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates its customers' IP addresses every five to ten minutes. That investigation showed Microleaves — like 911 — had a long history of using pay-per-install schemes to spread its proxy software.

"For more than a decade, Google has been baking and eating its own homemade Linux desktop distribution," writes Computerworld.

Long-time Slashdot reader waspleg shared their report: The first version was Goobuntu. (As you'd guess from the name, it was based on Ubuntu.) In 2018, Google moved its in-house Linux desktop from the Goobuntu to a new Linux distro, the Debian-based gLinux. Why? Because, as Google explained, Ubuntu's Long Term Support (LTS) two-year release "meant that we had to upgrade every machine in our fleet of over 100,000 devices before the end-of-life date of the OS."

That was a pain. Add in the time-consuming need to fully customize engineers' PCs, and Google decided that it cost too much. Besides, the "effort to upgrade our Goobuntu fleet usually took the better part of a year. With a two-year support window, there was only one year left until we had to go through the same process all over again for the next LTS. This entire process was a huge stress factor for our team, as we got hundreds of bugs with requests for help for corner cases."

So, when Google had enough of that, it moved to Debian Linux (though not just vanilla Debian). The company created a rolling Debian distribution: GLinux Rolling Debian Testing (Rodete). The idea is that users and developers are best served by giving them the latest updates and patches as they're created and deemed ready for production.
Google's using what appears to be an automated build system (along with virtualized test suites, and eventually "incremental canarying"), the article points out. The end result?

"The entire gLinux development team consists of a single on-duty release engineer position that rotates among team members."

Amazon sent emails out Friday morning to Amazon Drive users to notify them that the company is shutting down its cloud storage service on Dec. 31, 2023. From a report: "We are taking the opportunity to more fully focus our efforts on Amazon Photos to provide customers a dedicated solution for photos and video storage," Amazon says in an FAQ. Amazon says photos and videos in Amazon Drive accounts have been automatically saved to Amazon Photos. "If you rely on Amazon Drive for your file storage, you will need to go to the Amazon Drive website and download your files by December 31, 2023," Amazon noted.

Longtime Slashdot reader HnT shares a report from Ars Technica: Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren't necessarily the countries in which the DSIRF customers who paid for the attack resided.

"MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks," Microsoft researchers wrote. "These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF." Referring to DSIRF using the work KNOTWEED, Microsoft researchers wrote: In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim's Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we've seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved. Microsoft recommends a number of security considerations to help mitigate this attack, including patching CVE-2022-22047, updating Microsoft Defender Antivirus to update 1.371.503.0 or later, and enabling multifactor authentication (MFA).

The Justice Department is investigating a data breach of the U.S. federal courts system dating to early 2020, a top official testified on Capitol Hill Thursday. Politico reports: House Judiciary Committee Chair Jerrold Nadler (D-N.Y.) told fellow lawmakers that there had been a "system security failure" of the U.S. Courts' document management system. He said the committee learned in March about the "startling breadth and scope" of the breach. It was the first public disclosure of the hack. Nadler said the data breach of the courts was separate from the SolarWinds hack revealed in late 2020, which involved Russian government-backed hackers infiltrating the networks of over a dozen U.S. federal agencies for much of 2020, including the federal court systems. He spoke at a committee hearing on oversight of the Justice Department's National Security Division.

Assistant Attorney General for National Security Matthew Olsen testified to the committee that NSD is "working very closely with the judicial conference and judges around the country to address this issue," and committed to updating the committee on the investigation as it progressed. A committee aide said that Nadler's questions came after the committee received a briefing on the attack, noting that "the sweeping impact it may have had on the operation of the Department of Justice is staggering." The aide was granted anonymity in order to discuss a private briefing.

Committee member Rep. Sheila Jackson Lee (D-Texas) pressed Olsen for more details on how many cases had been impacted by the breach. "I would expect your preparation and for us to be able to get that information as quickly as possible in a setting that would be appropriate, but this is a dangerous set of circumstances that has now been publicly announced, and we need to know how many... were dismissed," Jackson Lee said. Nadler questioned Olsen on whether the breach had in any way affected cases pursued by the NSD, and Olsen testified he could not "think of anything in particular."

Sky Mavis, the company that makes the online game, says the executive was shoring up funds to protect the business and help users after Ronin attack. From a report: This spring, Sky Mavis, the startup that makes the video game Axie Infinity, announced it had suffered a devastating hack. While most video games are primarily recreational, Axie Infinity's popularity relied largely on its players' ability to trade and earn crypto tokens that had financial value, and players had stashes that represented significant savings. The hack forced the Vietnam-based game developer to shut down its system for pulling tokens out of the game, essentially freezing the assets of its users before they could react to the news.

Most of them, anyway. In the hours before the announcement and freeze, a digital wallet belonging to its chief executive officer and co-founder, Trung Nguyen, made a large transaction that included about $3 million worth of Axie Infinity's main token, AXS. The tokens moved from Axie's blockchain -- a digital ledger for recording transactions -- to the crypto exchange Binance. Although the transfer was visible to anyone with an internet connection, there's nothing about the wallet that directly connects it to the person controlling it, as is true of most crypto transactions. But after being presented with analysis of public data that seemed to link the wallet to Nguyen, Sky Mavis confirmed that he controlled it. The unusual activity took place during a moment of acute stress for Sky Mavis. For months, the first version of its game had been showing showing signs of steep decline, and many players were losing faith.

The company was rushing to get the new version of Axie Infinity out when hackers on March 23 drained its system of cryptocurrencies that were worth over $600 million at the time. It was one of the biggest cyberattacks in the history of crypto. Anyone who knew what was going on would have had a strong incentive to sell tokens in the system before they were temporarily locked up, and moving them to the Binance exchange would have been a necessary first step toward cashing them out. But Sky Mavis says that this wasn't the reason Nguyen made the transfer. In emails, Kalie Moore, a company spokeswoman, said that Nguyen had been working to shore up the company's finances during the crisis, and had to do so in way that wasn't obvious to the broader crypto market, for the good of the overall Axie Infinity economy. By moving AXS to the exchange, said Moore, the company could provide liquidity to its users as it restored access to funds via Binance.

joshuark writes: Dan Goodin of Ars Technica reports that security researchers have found that rootkits for Unified Extensible Firmware Interface (UEFI) are not rare, and difficult to detect. Kaspersky researchers profiled CosmicStrand, the security firm's name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. They state: "The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 -- long before UEFI attacks started being publicly described." The researchers warned that "the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."

The average cost of a data breach rose to an all-time high of $4.4 million this year, according to the IBM Security report released Wednesday. That marked a 2.6% increase from a year ago and a 13% jump since 2020. CNET reports: More than half of the organizations surveyed acknowledged they had passed on those costs to their customers in the form of higher prices for their products and services, IBM said. The annual report is based on an analysis of data breaches experienced by 550 organizations around the world between March 2021 and March 2022. The research, which was sponsored and analyzed by IBM, was conducted by the Ponemon Institute.

The cost estimates are based on both immediate and longer-term expenses. While some costs like the payment of ransoms and those related to investigating and containing the breach tend to be accounted for right away, others such as regulatory fines and lost sales can show up years later. On average, those polled said they accrued just under half of the costs related to a given breach more than a year after it occurred.

Between 1850 and 1855, someone published a series of unusual ads in the British newspaper The Times. They were made up of a series of seemingly random letters, apparently gobbledygook. An anonymous reader adds: Almost 200 years later, a group of codebreakers has finally been able to decrypt some of them and read what they said, discovering that they were actually encrypted messages from a rescue expedition in the Arctic Ocean.

An ongoing cybercriminal operation is targeting digital marketing and human resources professionals in an effort to hijack Facebook Business accounts using a newly discovered data-stealing malware. TechCrunch reports: Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail and found evidence to suggest that a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2021. The firm added that the operations' motives appear to be purely financially driven. The threat actor first scouts targets via LinkedIn where it selects employees likely to have high-level access to Facebook Business accounts, particularly those with the highest level of access. The threat actor then uses social engineering to convince the target to download a file hosted on a legitimate cloud host, like Dropbox or iCloud. While the file features keywords related to brands, products, and project planning in an attempt to appear legitimate, it contains data-stealing malware that WithSecure says is the first malware that they have seen specifically designed to hijack Facebook Business accounts.

Once installed on a victim's system, the Ducktail malware steals browser cookies and hijacks authenticated Facebook sessions to steal information from the victim's Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has sufficient access to simply by adding their email address to the compromised account, which prompts Facebook to to send a link, via email, to the same email address. The recipient -- in this case, the threat actor -- then interacts with the emailed link to gain access to that Facebook Business. The threat actors then leverage their new privileges to replace the account's set financial details in order to direct payments to their accounts or to run Facebook Ad campaigns using money from the victimized firms.

China tried to build a network of informants inside the Federal Reserve system, at one point threatening to imprison a Fed economist during a trip to Shanghai unless he agreed to provide nonpublic economic data, a congressional investigation found. From a report: The investigation by Republican staff members of the Senate's Committee on Homeland Security and Governmental Affairs found that over a decade Fed employees were offered contracts with Chinese talent recruitment programs, which often include cash payments, and asked to provide information on the U.S. economy, interest rate changes and policies, according to a report of the findings released on Tuesday. In the case of the economist, the report said, Chinese officials in 2019 detained and tried to coerce him to share data and information on U.S. government policies, including on tariffs while the U.S. and China were in the midst of a trade war. The report doesn't say whether any sensitive information was compromised. Access to such information could provide valuable insights given the Fed's extensive analysis of U.S. economic activity, its oversight of the U.S. financial system, and the setting of interest-rate policy.

The Republican-led investigation said the Fed failed to mount an adequate response. The report's findings show "a sustained effort by China, over more than a decade, to gain influence over the Federal Reserve and a failure by the Federal Reserve to combat this threat effectively." Fed Chairman Jerome Powell strongly disputed the report's findings and called its characterizations of some employees unfair. "Because we understand that some actors aim to exploit any vulnerabilities, our processes, controls, and technology are robust and updated regularly. We respectfully reject any suggestions to the contrary," he wrote in a letter to Sen. Rob Portman of Ohio, the committee's top Republican.

The source code for an information-stealing malware coded in Rust has been released for free on hacking forums, with security analysts already reporting that the malware is actively used in attacks. BleepingComputer reports: The malware, which the author claims to have developed in just six hours, is quite stealthy, with VirusTotal returning a detection rate of around 22%. As the info-stealer is written in Rust, a cross-platform language, it allows threat actors to target multiple operating systems. However, in its current form, the new info-stealer only targets Windows operating systems.

Analysts at cybersecurity firm Cyble, who sampled the new info-stealer and named it "Luca Stealer," report that the malware comes with standard capabilities for this type of malware. When executed, the malware attempts to steal data from thirty Chromium-based web browsers, where it will steal stored credit cards, login credentials, and cookies. The stealer also targets a range of "cold" cryptocurrency and "hot" wallet browser addons, Steam accounts, Discord tokens, Ubisoft Play, and more. Where Luca Stealer stands out against other info-stealers is the focus on password manager browser addons, stealing the locally stored data for 17 applications of this kind. In addition to targeting applications, Luca also captures screenshots and saves them as a .png file, and performs a "whoami" to profile the host system and send the details to its operators.

"Google has released security updates for Google Chrome browser for Windows, Mac and Linux, addressing vulnerabilities that could allow a remote attacker to take control of systems," reports ZDNet: There are 11 fixes in total, including five that are classed as high-severity. As a result, CISA has issued an alert encouraging IT administrators and regular users to install the updates as soon as possible to ensure their systems are not vulnerable to the flaws.

Among the most severe vulnerabilities that are patched by the Google Chrome update is CVE-2022-2477, a vulnerability caused by a use-after-free flaw in Guest View, which could allow a remote attacker to execute arbitrary code on systems or crash them... Another of the vulnerabilities, CVE-2022-2480, relates to a use-after-free flaw in the Service Worker API, which which acts as a proxy server that sit between web applications, the browser and the network in order to improve offline experiences, among other things.

ZDNet reports: Microsoft is rolling out a new security default for Windows 11 that will go a long way to preventing ransomware attacks that begin with password-guessing attacks and compromised credentials. The new account security default on account credentials should help thwart ransomware attacks that are initiated after using compromised credentials or brute-force password attacks to access remote desktop protocol (RDP) endpoints, which are often exposed on the internet.

RDP remains the top method for initial access in ransomware deployments, with groups specializing in compromising RDP endpoints and selling them to others for access.

The new feature is rolling out to Windows 11 in a recent Insider test build, but the feature is also being backported to Windows 10 desktop and server, according to Dave Weston, vice president of OS Security and Enterprise at Microsoft. "Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks — this control will make brute forcing much harder which is awesome!," Weston tweeted.

Weston emphasized "default" because the policy is already an option in Windows 10 but isn't enabled by default. That's big news and is a parallel to Microsoft's default block on internet macros in Office on Windows devices, which is also a major avenue for malware attacks on Windows systems through email attachments and links.... The defaults will be visible in the Windows Local Computer Policy directory "Account Lockout Policy".

The default "account lockout duration" is 10 minutes; the "account lockout threshold" is set to a maximum of 10 invalid logon attempts; a setting to "allow administrator account lockout" is enabled; and the "reset account lockout counter after" setting is set to 10 minutes.

76.6 million Americans were affected by last year's T-Mobile data breach, TechCrunch reports — and now in compensation they may have a few bucks coming their way.

T-mobile has announced a settlement of $550 million for affected customers (and the various attorneys bringing the consolidated class action lawsuits) — plus another $150 million "for data security and related technology." For now, the class defined by the settlement document is "the approximately 76.6 million U.S. residents identified by T-Mobile whose information was compromised in the Data Breach," with a little extra legalese for Californians, where class actions are handled slightly differently.

As is common in these giant lawsuits, lawyers take a huge bite and then the company must alert the class members they're owed money, so you can expect a postcard if you were a T-Mobile customer in August of 2021 (in the interest of full disclosure, I was). Then the money gets split up, depending on how many people respond and how much the lawyers take. The final settlement terms could be approved as early as December.

Chances are you won't even be able to cover a single monthly mobile bill with what you get, but these days a $9 check might be the difference between "dinner" and "no dinner" for quite a few people, so let's not mock these small sums — except that it's kind of insulting to have five serious breaches in as many years and all customers get is enough to order off the value menu.

9to5Mac reports: A Twitter data breach has allowed an attacker to get access to the contact details of 5.4M accounts. Twitter has confirmed the security vulnerability which allowed the data to be extracted. The data — which ties Twitter handles to phone numbers and email addresses — has been offered for sale on a hacking forum, for $30,000... There is as yet no way to check whether your account is included in the Twitter data breach.
More details from the Restore Privacy security news site: A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.... The seller on the hacking forum goes by the username "devil" and claims that the dataset includes "Celebrities, to Companies, randoms, OGs, etc."

Microsoft confirmed this week that it will soon start blocking Visual Basic Applications (VBA) macros in Office apps by default after quietly rolling back the change earlier this month. From a report: In a new update, the technology giant said that it will start blocking Office macros by default starting from July 27. This comes shortly after Microsoft halted the rollout of the macros-blocking feature citing unspecified "user feedback." It's thought the initial rollout, which kicked off at the beginning of June, caused issues for organizations using macros to automate routine processes, such as data collection or running certain tasks. In a statement given to TechCrunch, Microsoft said it paused the rollout while it "makes some additional changes to enhance usability." The company has since updated its documentation with step-by-step instructions for end users and IT admins explaining how Office determines whether to block or run macros, which Office versions are affected by the new rules, how to allow VBA macros in trusted files and how to prepare for the change.

The Canadian town of St. Marys, Ontario, has been hit by a ransomware attack that has locked staff out of internal systems and encrypted data. The Verge reports: The small town of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit's dark web site listed townofstmarys.com as a victim of the ransomware and previewed files that had been stolen and encrypted. In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts. "To be honest, we're in somewhat of a state of shock," Strathdee said. "It's not a good feeling to be targeted, but the experts we've hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case ... there are people here working on it 24/7."

Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government's cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team's advice on how to engage further. Screenshots shared on the LockBit site show the file structure of a Windows operating system, containing directories corresponding to municipal operations like finance, health and safety, sewage treatment, property files, and public works. Per LockBit's standard operating methods, the town was given a deadline by which to pay to have their systems unlocked or else see the data published online. The LockBit group has been responsible for 50 ransomware incidents in June 2022, "making it the most prolific global ransomware group," notes The Verge.

"In fact, St. Marys is the second small town to be targeted by LockBit in the space of just over a week: on July 14th, LockBit listed data from the town of Frederick, Colorado (population 15,000) as having been hacked, a claim that is currently under investigation by town officials."

An anonymous reader quotes a report from Ars Technica: Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the passcode was "trivial to obtain."

The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence. "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said. "It is important to remediate this vulnerability on affected systems immediately."

A day later, Atlassian was back to report that "an external party has discovered and publicly disclosed the hardcoded password on Twitter," leading the company to ratchet up its warnings. "This issue is likely to be exploited in the wild now that the hardcoded password is publicly known," the updated advisory read. "This vulnerability should be remediated on affected systems immediately." The company warned that even when Confluence installations don't actively have the app installed, they may still be vulnerable. Uninstalling the app doesn't automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system. To figure out if a system is vulnerable, Confluence users can use these instructions Atlassian provided for locating such accounts.

According to the company, the two ways to fix the issue are to disable or remove the "disabledsystemuser" account.