Enlarge/ Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They’re becoming increasingly common.
Getty Images
PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any device that installed them. Ten hours later, it lifted the suspension.
Short for the Python Package Index, PyPI is the go-to source for apps and code libraries written in the Python programming language. Fortune 500 corporations and independent developers alike rely on the repository to obtain the latest versions of code needed to make their projects run. At a little after 7 pm PT on Wednesday, the site started displaying a banner message informing visitors that the site was temporarily suspending new project creation and new user registration. The message didn’t explain why or provide an estimate of when the suspension would be lifted.
About 10 hours later, PyPI restored new project creation and new user registration. Once again, the site provided no reason for the 10-hour halt.
According to security firm Checkmarx, in the hours leading up to the closure, PyPI came under attack by users who likely used automated means to upload malicious packages that, when executed, infected user devices. The attackers used a technique known as typosquatting, which capitalizes on typos users make when entering the names of popular packages into command-line interfaces. By giving the malicious packages names that are similar to popular benign packages, the attackers count on their malicious packages being installed when someone mistakenly enters the wrong name.
“The threat actors target victims with Typosquatting attack technique using their CLI to install Python packages,” Checkmarx researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain wrote Thursday. “This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc.) and various credentials. In addition, the malicious payload employed a persistence mechanism to survive reboots.”
Enlarge/ Screenshot showing some of the malicious packages found by Checkmarx.
Checkmarx
The post said the malicious packages were “most likely created using automation” but didn’t elaborate. Attempts to reach PyPI officials for comment weren’t immediately successful. The package names mimicked those of popular packages and libraries such as Requests, Pillow, and Colorama.
The temporary suspension is only the latest event to highlight the increased threats confronting the software development ecosystem. Last month, researchers revealed an attack on open source code repository GitHub that was flooding the site with millions of packages containing obfuscated code that stole passwords and cryptocurrencies from developer devices. The malicious packages were clones of legitimate ones, making them hard to distinguish to the casual eye.
The party responsible automated a process that forked legitimate packages, meaning the source code was copied so developers could use it in an independent project that built on the original one. The result was millions of forks with names identical to the original ones. Inside the identical code was a malicious payload wrapped in multiple layers of obfuscation. While GitHub was able to remove most of the malicious packages quickly, the company wasn’t able to filter out all of them, leaving the site in a persistent loop of whack-a-mole.
Similar attacks are a fact of life for virtually all open source repositories, including npm pack picks and RubyGems.
Earlier this week, Checkmarx reported a separate supply-chain attack that also targeted Python developers. The actors in that attack cloned the Colorama tool, hid malicious code inside, and made it available for download on a fake mirror site with a typosquatted domain that mimicked the legitimate files.pythonhosted.org one. The attackers hijacked the accounts of popular developers, likely by stealing the authentication cookies they used. Then, they used the hijacked accounts to contribute malicious commits that included instructions to download the malicious Colorama clone. Checkmarx said it found evidence that some developers were successfully infected.
In Thursday’s post, the Checkmarx researchers reported:
The malicious code is located within each package’s setup.py file, enabling automatic execution upon installation.
In addition, the malicious payload employed a technique where the setup.py file contained obfuscated code that was encrypted using the Fernet encryption module. When the package was installed, the obfuscated code was automatically executed, triggering the malicious payload.
Checkmarx
Upon execution, the malicious code within the setup.py file attempted to retrieve an additional payload from a remote server. The URL for the payload was dynamically constructed by appending the package name as a query parameter.
The retrieved payload was also encrypted using the Fernet module. Once decrypted, the payload revealed an extensive info-stealer designed to harvest sensitive information from the victim’s machine.
The malicious payload also employed a persistence mechanism to ensure it remained active on the compromised system even after the initial execution.
Enlarge/ Screenshot showing code that allows persistence.
Checkmarx
Besides using typosquatting and a similar technique known as brandjacking to trick developers into installing malicious packages, threat actors also employ dependency confusion. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the target developer’s internal repository that one or more of the developer’s apps depend on to work. Developers’ software management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one. In 2021, a researcher used a similar technique to successfully execute counterfeit code on networks belonging to Apple, Microsoft, Tesla, and dozens of other companies.
There are no sure-fire ways to guard against such attacks. Instead, it’s incumbent on developers to meticulously check and double-check packages before installing them, paying close attention to every letter in a name.
Enlarge/ One thing you can say about this crypto wallet: You can’t confuse it for any other.
Getty Images
The Snap Store, where containerized Snap apps are distributed for Ubuntu’s Linux distribution, has been attacked for months by fake crypto wallet uploads that seek to steal users’ currencies. As a result, engineers at Ubuntu’s parent firm are now manually reviewing apps uploaded to the store before they are available.
The move follows weeks of reporting by Alan Pope, a former Canonical/Ubuntu staffer on the Snapcraft team, who is still very active in the ecosystem. In February, Pope blogged about how one bitcoin investor lost nine bitcoins (about $490,000 at the time) by using an “Exodus Wallet” app from the Snap store. Exodus is a known cryptocurrency wallet, but this wallet was not from that entity. As detailed by one user wondering what happened on the Snapcraft forums, the wallet immediately transferred his entire balance to an unknown address after a 12-word recovery phrase was entered (which Exodus tells you on support pages never to do).
Pope takes pains to note that cryptocurrency is inherently fraught with loss risk. Still, Ubuntu’s App Center, which presents the Snap Store for desktop users, tagged the “Exodus” app as “Safe,” and the web version of the Snap Store describes Snaps as “safe to run.” While Ubuntu is describing apps as “Safe” in the sense of being an auto-updating container with runtime confinement (or “sandboxed”), a green checkmark with “Safe” next to it could be misread, especially by a newcomer to Ubuntu, Snaps, and Linux generally.
More than that, Pope’s post points out that writing, packaging, and uploading the Snap to Ubuntu’s store results in an app that is “immediately searchable, and available for anyone, almost anywhere to download, install and run it” (emphasis Pope’s). There are, he noted, “No humans in the loop.”
Mark Shuttleworth, founder of Ubuntu and CEO of Canonical, responded to a related thread on whether crypto apps should be banned entirely. “I agree that cryptocurrency is largely a cesspit of ignoble intentions, even if the mathematics are interesting,” Shuttleworth wrote. At Ubuntu, it was “fair to challenge ourselves” to offer additional safety measures, “even if they will never be perfect.” Making apps safer for people vulnerable to social engineering is “a very hard problem but one I think we can and should engage in,” Shuttleworth wrote.
He did not, however, agree that cryptocurrency apps should be broadly banned.
After what Shuttleworth described as “a quiet war with these malicious actors for the past few months” (which was, according to Pope, ongoing as of earlier this month), Snaps are indeed changing.
At the Snapcraft forums, Holly Hall, product lead for Ubuntu’s backing services company Canonical, wrote last week about a new policy of manual review for all new Snap registrations. Engineering teams will review apps and reach out to publishers to verify names and intents. A name that is “suspected as being malicious or is crypto-wallet-related” will be rejected. A policy regarding how to properly publish a crypto wallet in the Snap store is forthcoming, Hall wrote.
Broadcom has made sweeping changes to VMware’s business since acquiring the company in November 2023, killing off the perpetually licensed versions of VMware’s software and instituting large-scale layoffs. Broadcom executives have acknowledged the “unease” that all of these changes have created among VMware’s customers and partners but so far haven’t been interested in backtracking.
Among the casualties of the acquisition is the free version of VMware’s vSphere Hypervisor, also known as ESXi. ESXi is “bare-metal hypervisor” software, meaning that it allows users to run multiple operating systems on a single piece of hardware while still allowing those operating systems direct access to disks, GPUs, and other system resources.
One alternative to ESXi for home users and small organizations is Proxmox Virtual Environment, a Debian-based Linux operating system that provides broadly similar functionality and has the benefit of still being an actively developed product. To help jilted ESXi users, the Proxmox team has just added a new “integrated import wizard” to Proxmox that supports importing of ESXi VMs, easing the pain of migrating between platforms.
The announcement claims that an imported ESXi VM will have “most of its config mapped to Proxmox VE’s config model” to minimize downtime. The documentation indicates that the import wizard is still “in tech preview state” and “under active development,” though it’s also said to be “working stable.” The importer works with VMs made in ESXi versions 6.5 through 8.0, which was the most recent version available before Broadcom discontinued the software.
A wiki article from Proxmox also provides more information about preparing your VMs for the move. The article recommends uninstalling guest tools made to work with ESXi, noting network configuration settings like MAC addresses or any manually assigned IP addresses, and disabling any full-disk encryption that stores its keys in your hypervisor’s virtual TPM. It’s currently not possible to migrate vTPM settings from one hypervisor to another, so booting up a VM with disk encryption enabled will require a recovery key before the machine will boot.
Like the free version of ESXi, the free version of Proxmox VE doesn’t include technical support beyond what is offered in Proxmox’s community forums. For people who use Proxmox VE and want to deploy it more widely in a business, Proxmox does offer a few subscription tiers that provide access to its more stable Enterprise Repositories and actual technical support from the software’s developers.
Thousands of servers storing AI workloads and network credentials have been hacked in an ongoing attack campaign targeting a reported vulnerability in Ray, a computing framework used by OpenAI, Uber, and Amazon.
The attacks, which have been active for at least seven months, have led to the tampering of AI models. They have also resulted in the compromise of network credentials, allowing access to internal networks and databases and tokens for accessing accounts on platforms including OpenAI, Hugging Face, Stripe, and Azure. Besides corrupting models and stealing credentials, attackers behind the campaign have installed cryptocurrency miners on compromised infrastructure, which typically provides massive amounts of computing power. Attackers have also installed reverse shells, which are text-based interfaces for remotely controlling servers.
Hitting the jackpot
“When attackers get their hands on a Ray production cluster, it is a jackpot,” researchers from Oligo, the security firm that spotted the attacks, wrote in a post. “Valuable company data plus remote code execution makes it easy to monetize attacks—all while remaining in the shadows, totally undetected (and, with static security tools, undetectable).”
Among the compromised sensitive information are AI production workloads, which allow the attackers to control or tamper with models during the training phase and, from there, corrupt the models’ integrity. Vulnerable clusters expose a central dashboard to the Internet, a configuration that allows anyone who looks for it to see a history of all commands entered to date. This history allows an intruder to quickly learn how a model works and what sensitive data it has access to.
Oligo captured screenshots that exposed sensitive private data and displayed histories indicating the clusters had been actively hacked. Compromised resources included cryptographic password hashes and credentials to internal databases and to accounts on OpenAI, Stripe, and Slack.
Kuberay Operator running with Administrator permissions on the Kubernetes API.
Password hashes accessed
Production database credentials
AI model in action: handling a query submitted by a user in real time. The model could be abused by the attacker, who could potentially modify customer requests or responses.
Tokens for OpenAI, Stripe, Slack, and database credentials.
Cluster Dashboard with Production workloads and active tasks
Ray is an open source framework for scaling AI apps, meaning allowing huge numbers of them to run at once in an efficient manner. Typically, these apps run on huge clusters of servers. Key to making all of this work is a central dashboard that provides an interface for displaying and controlling running tasks and apps. One of the programming interfaces available through the dashboard, known as the Jobs API, allows users to send a list of commands to the cluster. The commands are issued using a simple HTTP request requiring no authentication.
Last year, researchers from security firm Bishop Fox flagged the behavior as a high-severity code-execution vulnerability tracked as CVE-2023-48022.
A distributed execution framework
“In the default configuration, Ray does not enforce authentication,” wrote Berenice Flores Garcia, a senior security consultant at Bishop Fox. “As a result, attackers may freely submit jobs, delete existing jobs, retrieve sensitive information, and exploit the other vulnerabilities described in this advisory.”
Anyscale, the developer and maintainer of Ray, responded by disputing the vulnerability. Anyscale officials said they have always held out Ray as framework for remotely executing code and as a result, have long advised it should be properly segmented inside a properly secured network.
“Due to Ray’s nature as a distributed execution framework, Ray’s security boundary is outside of the Ray cluster,” Anyscale officials wrote. “That is why we emphasize that you must prevent access to your Ray cluster from untrusted machines (e.g., the public Internet).”
The Anyscale response said the reported behavior in the jobs API wasn’t a vulnerability and wouldn’t be addressed in a near-term update. The company went on to say it would eventually introduce a change that would enforce authentication in the API. It explained:
We have considered very seriously whether or not something like that would be a good idea, and to date have not implemented it for fear that our users would put too much trust into a mechanism that might end up providing the facade of security without properly securing their clusters in the way they imagined.
That said, we recognize that reasonable minds can differ on this issue, and consequently have decided that, while we still do not believe that an organization should rely on isolation controls within Ray like authentication, there can be value in certain contexts in furtherance of a defense-in-depth strategy, and so we will implement this as a new feature in a future release.
Critics of the Anyscale response have noted that repositories for streamlining the deployment of Ray in cloud environments bind the dashboard to 0.0.0.0, an address used to designate all network interfaces and to designate port forwarding on the same address. One such beginner boilerplate is available on the Anyscale website itself. Another example of a publicly available vulnerable setup is here.
Critics also note Anyscale’s contention that the reported behavior isn’t a vulnerability has prevented many security tools from flagging attacks.
An Anyscale representative said in an email the company plans to publish a script that will allow users to easily verify whether their Ray instances are exposed to the Internet or not.
The ongoing attacks underscore the importance of properly configuring Ray. In the links provided above, Oligo and Anyscale list practices that are essential to locking down clusters. Oligo also provided a list of indicators Ray users can use to determine if their instances have been compromised.
Online graphic design platform provider Canva announced its acquisition of Affinity on Tuesday. The purchase adds tools for creative professionals to the Australian startup’s repertoire, presenting competition for today’s digital design stronghold, Adobe.
The companies didn’t provide specifics about the deal, but Cliff Obrecht, Canva’s co-founder and COO, told Bloomberg that it consists of cash and stock and is worth “several hundred million pounds.”
Canva, which debuted in 2013, has made numerous acquisitions to date, including Flourish, Kaleido, and Pixabay, but its purchase of Affinity is its biggest yet—by both price and headcount (90). Affinity CEO Ashley Hewson said via a YouTube video that Canva approached Affinity about a potential deal two months ago.
Before its Affinity purchase, Canva claimed 175 million users, which interestingly includes 90 million accrued since September 2022, when Canva launched Visual Suite. Without Affinity, though, Canva hasn’t had a way to appeal to the business-to-business market.
Affinity, which works with iPads, Macs, and Windows PCs, meanwhile, has a creative suite that includes a photo editor, professional page layout software, and Designer, a vector-based graphics software that “thousands” of illustrators, designers, and game developers use, Obrecht said when announcing the acquisition.
Of course, Affinity’s user base isn’t nearly the size of Adobe’s. Affinity claims that 3 million creative professionals use its tools. Adobe hasn’t provided hard numbers recently, but in 2017, it was estimated that Adobe Creative Cloud had 12 million subscribers, and Adobe currently claims to have 50 million members on its Behance online community.
However, Affinity has earned a following among creative professionals seeking an alternative to Adobe. Speaking to Bloomberg, Obrecht was keen to point out that Apple has featured Affinity apps in presentations about creative products, for example.
Perpetual Affinity licenses will still be available
Since being founded in 2014, one of the biggest ways that Affinity has stood out to creatives looking to avoid the costs associated with Adobe, including subscription fees, is perpetual licensing. New owner Canva pledged in an announcement today that one-time purchase fees will always be an option for Affinity users.
“Perpetual licenses will always be offered, and we will always price Affinity fairly and affordably,” an announcement today from Canva and Affinity said.
If Canva ever decides to sell Affinity as a subscription, perpetual licensing will remain available, Canva said, adding: “This fits with enabling Canva users to start adopting Affinity. It could also allow us to offer Affinity users a way to scale their workflows using Canva as a platform to share and collaborate on their Affinity assets, if they choose to.”
As we’ve seen with many other acquisitions, though, it’s common for companies to start changing their minds about how they’re willing to operate an acquired business years or even months after finalizing the purchase. And, of course, Canva’s idea of pricing “fairly and affordably” could differ from those of long-time Affinity users.
What about AI?
Canva also vowed to keep Affinity available as a standalone product and said there will be upcoming free updates to Affinity V2. However, Cameron Adams, Canva’s co-founder, pointed to potential future integration between Canva’s and Affinity’s offerings when speaking with Sydney Morning Herald:
Our product teams have already started chatting and we have some immediate plans for lightweight integration, but we think the products themselves will always be separate. Professional designers have really specific needs.
Canva’s announcement today said that the company plans to accelerate the rollout of “highly requested” Affinity features, “such as variable font support, blend and width tools, auto object selection, multi-page spreads, [and] ePub export.” With Canva, which was valued at $26 billion in 2021 and generates over $2.1 billion in annualized revenue, taking ownership of Affinity, the creative suite is expected to have more resources for improvements and updates than before.
Notably, though, Canva hasn’t revealed to what degree it may try to incorporate AI into Affinity. Canva is fully aboard the generative AI hype train and, as recently as this Monday pushed workers of all types to embrace the technology. Affinity, meanwhile, has said that it won’t make any generative AI tech and is “against anything which undermines human talent or tramples on artists’ IP.” Affinity’s stance could be forced to change one day under its new owner.
To start, though, Canva’s acquisition helps to fill the B2B gap in its portfolio, and it’s expected to use its new appeal to go after some of Adobe’s dominance.
“While our last decade at Canva has focused heavily on the 99 percent of knowledge workers without design training, truly empowering the world to design includes empowering professional designers, too. By joining forces with Affinity, we’re excited to unlock the full spectrum of designers at every level and stage of the design journey,” Obrecht said in Tuesday’s announcement.
Meanwhile, Adobe abandoned its own recent merger and acquisition efforts, a $20 billion purchase of Figma, in December due to regulatory concerns.
Crooks are working overtime to anonymize their illicit online activities using thousands of devices of unsuspecting users, as evidenced by two unrelated reports published Tuesday.
The first, from security firm Lumen Labs, reports that roughly 40,000 home and office routers have been drafted into a criminal enterprise that anonymizes illicit Internet activities, with another 1,000 new devices being added each day. The malware responsible is a variant of TheMoon, a malicious code family dating back to at least 2014. In its earliest days, TheMoon almost exclusively infected Linksys E1000 series routers. Over the years it branched out to targeting the Asus WRTs, Vivotek Network Cameras, and multiple D-Link models.
In the years following its debut, TheMoon’s self-propagating behavior and growing ability to compromise a broad base of architectures enabled a growth curve that captured attention in security circles. More recently, the visibility of the Internet of Things botnet trailed off, leading many to assume it was inert. To the surprise of researchers in Lumen’s Black Lotus Lab, during a single 72-hour stretch earlier this month, TheMoon added 6,000 ASUS routers to its ranks, an indication that the botnet is as strong as it’s ever been.
More stunning than the discovery of more than 40,000 infected small office and home office routers located in 88 countries is the revelation that TheMoon is enrolling the vast majority of the infected devices into Faceless, a service sold on online crime forums for anonymizing illicit activities. The proxy service gained widespread attention last year following this profile by KrebsOnSecurity.
“This global network of compromised SOHO routers gives actors the ability to bypass some standard network-based detection tools—especially those based on geolocation, autonomous system-based blocking, or those that focus on TOR blocking,” Black Lotus researchers wrote Tuesday. They added that “80 percent of Faceless bots are located in the United States, implying that accounts and organizations within the US are primary targets. We suspect the bulk of the criminal activity is likely password spraying and/or data exfiltration, especially toward the financial sector.”
The researchers went on to say that more traditional ways to anonymize illicit online behavior may have fallen out of favor with some criminals. VPNs, for instance, may log user activity despite some service providers’ claims to the contrary. The researchers say that the potential for tampering with the Tor anonymizing browser may also have scared away some users.
The second post came from Satori Intelligence, the research arm of security firm HUMAN. It reported finding 28 apps available in Google Play that, unbeknownst to users, enrolled their devices into a residential proxy network of 190,000 nodes at its peak for anonymizing and obfuscating the Internet traffic of others.
HUMAN
ProxyLib, the name Satori gave to the network, has its roots in Oko VPN, an app that was removed from Play last year after being revealed using infected devices for ad fraud. The 28 apps Satori discovered all copied the Oko VPN code, which made them nodes in the residential proxy service Asock.
HUMAN
The researchers went on to identify a second generation of ProxyLib apps developed through lumiapps[.]io, a software developer kit deploying exactly the same functionality and using the same server infrastructure as Oko VPN. The LumiApps SDK allows developers to integrate their custom code into a library to automate standard processes. It also allows developers to do so without having to create a user account or having to recompile code. Instead they can upload their custom code and then download a new version.
HUMAN
“Satori has observed individuals using the LumiApps toolkit in the wild,” researchers wrote. “Most of the applications we identified between May and October 2023 appear to be modified versions of known legitimate applications, further indicating that users do not necessarily need to have access to the applications’ source code in order to modify them using LumiApps. These apps are largely named as ‘mods’ or indicated as patched versions and shared outside of the Google Play Store.”
The researchers don’t know if the 190,000 nodes comprising Asock at its peak were made up exclusively of infected Android devices or if they included other types of devices compromised through other means. Either way, the number indicates the popularity of anonymous proxies.
People who want to prevent their devices from being drafted into such networks should take a few precautions. The first is to resist the temptation to keep using devices once they’re no longer supported by the manufacturer. Most of the devices swept into TheMoon, for instance, have reached end-of-life status, meaning they no longer receive security updates. It’s also important to install security updates in a timely manner and to disable UPnP unless there’s a good reason for it remaining on and then allowing it only for needed ports. Users of Android devices should install apps sparingly and then only after researching the reputation of both the app and the app maker.
The US Justice Department on Monday unsealed an indictment charging seven men with hacking or attempting to hack dozens of US companies in a 14-year campaign furthering an economic espionage and foreign intelligence gathering by the Chinese government.
All seven defendants, federal prosecutors alleged, were associated with Wuhan Xiaoruizhi Science & Technology Co., Ltd. a front company created by the Hubei State Security Department, an outpost of the Ministry of State Security located in Wuhan province. The MSS, in turn, has funded an advanced persistent threat group tracked under names including APT31, Zirconium Violet Typhoon, Judgment Panda, and Altaire.
Relentless 14-year campaign
“Since at least 2010, the defendants … engaged in computer network intrusion activity on behalf of the HSSD targeting numerous US government officials, various US economic and defense industries and a variety of private industry officials, foreign democracy activists, academics and parliamentarians in response to geopolitical events affecting the PRC,” federal prosecutors alleged. “These computer network intrusion activities resulted in the confirmed and potential compromise of work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans, including at least some information that could be released in support of malign influence targeting democratic processes and institutions, and economic plans, intellectual property, and trade secrets belonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of the PRC’s state-sponsored apparatus to transfer US technology to the PRC.”
The relentless, 14-year campaign targeted thousands of individuals and dozens of companies through the use of zero-day attacks, website vulnerability exploitation, and the targeting of home routers and personal devices of high-ranking US government officials and politicians and election campaign staff from both major US political parties.
“The targeted US government officials included individuals working in the White House, at the Departments of Justice, Commerce, Treasury and State, and US Senators and Representatives of both political parties,” Justice Department officials said. “The defendants and others in the APT31 Group targeted these individuals at both professional and personal email addresses. Additionally in some cases, the defendants also targeted victims’ spouses, including the spouses of a high-ranking Department of Justice official, high-ranking White House officials and multiple United States Senators. Targets also included election campaign staff from both major US political parties in advance of the 2020 election.”
One technique the defendants allegedly used was the sending of emails to journalists, political officials, and companies. The messages, which were made to appear as originating from news outlets or journalists, contained hidden tracking links, which, when activated, gave APT31 members information about the locations, IP addresses, network schematics, and specific devices of the targets for use in follow-on attacks. Some of the targets of these emails included foreign government officials who were part of the Inter-Parliamentary Alliance on China, a group formed after the 1989 Tiananmen Square massacre that’s critical of the Chinese government; every European Union member of that’s a member of that group; and 43 UK parliamentary accounts part of the group or critical of the People’s Republic of China.
APT31 used a variety of methods to infect networks of interest with custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCa, and later the widely available Cobalt Strike Beacon security testing tool. In late 2016, the hacking group exploited what was then a zero-day vulnerability in unnamed software to gain access to an unidentified defense contractor. In their indictment, prosecutors wrote:
Using the zero-day privilege escalation exploit, the Conspirators first obtained administrator access to a subsidiary’s network before ultimately pivoting into the Defense Contractor’s core corporate network,” prosecutors wrote in the indictment. “The Conspirators used a SQL injection, in which they entered malicious code into a web form input box to gain access to information that was not intended to be displayed, to create an account on the subsidiary’s network with the username “testdew23.” The Conspirators used malicious software to grant administrator privileges to the “testdew23” user account. Next, the Conspirators uploaded a web shell, or a script that enables remote administration of the computer, named “Welcome to Chrome,” onto the subsidiary’s web server. Thereafter, the Conspirators used the web shell to upload and execute at least two malicious files on the web server, which were configured to open a connection between the victim’s network and computers outside that network that were controlled by the Conspirators. Through this method, the Conspirators successfully gained unauthorized access to the Defense Contractor’s network.
Other APT31 targets include military contractors and companies in the aerospace, IT services, software, telecommunications, manufacturing, and financial services industries. APT31 has long been known to target not only individuals and entities with information of primary interest but also companies or services that the primary targets rely on. Primary targets were dissidents and critics of the PRC and Western companies in possession of technical information of value to the PRC.
Prosecutors said targets successfully hacked by APT31 include:
a cleared defense contractor based in Oklahoma that designed and manufactured military flight simulators for the US military
a cleared aerospace and defense contractor based in Tennessee
an Alabama-based research corporation in the aerospace and defense industries
a Maryland-based professional support services company that serviced the Department of Defense and other government agencies
a leading American manufacturer of software and computer services based in California
a leading global provider of wireless technology based in Illinois; a technology company based in New York
a software company servicing the industrial controls industry based in California
an IT consulting company based in California; an IT services and spatial processing company based in Colorado
a multifactor authentication company; an American trade association
multiple information technology training and support companies
a leading provider of 5G network equipment in the United States
an IT solutions and 5G integration service company based in Idaho
a telecommunications company based in Illinois
a voice technology company headquartered in California;
a prominent trade organization with offices in New York and elsewhere
a manufacturing association based in Washington, DC
a steel company
an apparel company based in New York
an engineering company based in California
an energy company based in Texas
a finance company headquartered in New York
A US multi-national management consulting company with offices in Washington, DC, and elsewhere
a financial ratings company based in New York
an advertising agency based in New York
a consulting company based in Virginia;
multiple global law firms based in New York and throughout the United States
a law firm software provider
a machine learning laboratory based in Virginia
a university based in California
multiple research hospitals and institutes located in New York and Massachusetts
an international non-profit organization headquartered in Washington, DC.
The defendants are:
Ni Gaobin (倪高彬), age 38
Weng Ming (翁明), 37
Cheng Feng (程锋), 34
Peng Yaowen (彭耀文), 38
Sun Xiaohui (孙小辉), 38
Xiong Wang (熊旺), 35
Zhao Guangzong (赵光宗), 38
The men were charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud. While none of the men are in US custody or likely to face prosecution, the US Department of Treasury on Monday sanctioned Wuhan Xiaoruizhi Science and Technology Company, Limited. The department also designated Zhao Guangzong and Ni Gaobin for their roles in hacks targeting US critical infrastructure.
“As a result of today’s action, all property and interests in property of the designated persons and entity described above that are in the United States or in the possession or control of US persons are blocked and must be reported to OFAC,” Treasury officials wrote. “In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by US persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.”
The US State Department is offering $10 million for information leading to the identification or location of any of the defendants or others associated with the campaign.
Researchers have unearthed never-before-seen wiper malware tied to the Kremlin and an operation two years ago that took out more than 10,000 satellite modems located mainly in Ukraine on the eve of Russia’s invasion of its neighboring country.
AcidPour, as researchers from security firm Sentinel One have named the new malware, has stark similarities to AcidRain, a wiper discovered in March 2022 that Viasat has confirmed was used in the attack on its modems earlier that month. Wipers are malicious applications designed to destroy stored data or render devices inoperable. Viasat said AcidRain was installed on more than 10,000 Eutelsat KA-SAT modems used by the broadband provider seven days prior to the March 2022 discovery of the wiper. AcidRain was installed on the devices after attackers gained access to the company’s private network.
Sentinel One, which also discovered AcidRain, said at the time that the earlier wiper had enough technical overlaps with malware the US government attributed to the Russian government in 2018 to make it likely that AcidRain and the 2018 malware, known as VPNFilter, were closely linked to the same team of developers. In turn, Sentinel One’s report Thursday noting the similarities between AcidRain and AcidPour provides evidence that AcidPour was also created by developers working on behalf of the Kremlin.
AcidPour also shares programming similarities with another piece of malware attributed to Sandworm: CaddyWiper, which was used against various targets in Ukraine.
“AcidPour is programmed in C without relying on statically compiled libraries or imports,” Thursday’s report noted. “Most functionality is implemented via direct syscalls, many called through the use of inline assembly and opcodes.” Developers of CaddyWiper used the same approach.
Bolstering the theory that AcidPour was created by the same Russian threat group behind previous attacks on Ukraine, a representative with Ukraine’s State Service of Special Communications and Information Protection told Cyberscoop that AcidPour was linked to UAC-0165, a splinter group associated with Sandworm (a much larger threat group run by Russia’s military intelligence unit, GRU). Representatives with the State Service of Special Communications and Information Protection of Ukraine didn’t immediately answer an email seeking comment for this post.
Sandworm has a long history of targeting Ukrainian critical infrastructure. Ukrainian officials said last September that UAC-0165 regularly props up fake hacktivist personas to take credit for attacks the group carries out.
Sentinel One researchers Juan Andrés Guerrero-Saade and Tom Hegel went on to speculate that AcidPour was used to disrupt multiple Ukrainian telecommunications networks, which have been down since March 13, three days before the researchers discovered the new wiper. They point to statements a persona known as SolntsepekZ made on Telegram that took responsibility for hacks that took out Triangulum, a consortium providing telephone and Internet services under the Triacom brand, and Misto TV.
A message a persona known as SolntsepekZ posted to Telegram.
Sentinel One
The weeklong outage has been confirmed anecdotally and by Network intelligence firm Kentik and content delivery network Cloudflare, with the latter indicating the sites remained inoperable at the time this post went live on Ars. As of Thursday afternoon California time, Misto-TV’s website displayed the following network outage notice:
Enlarge/ Outage notice displayed on Misto-TV’s website.
“At this time, we cannot confirm that AcidPour was used to disrupt these ISPs,” Guerrero-Saade and Hegel wrote in Thursday’s post. “The longevity of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded 3 days after this disruption started, would fit the bill for the requisite toolkit. If that’s the case, it could serve as another link between this hacktivist persona and specific GRU operations.”
The researchers added:
“The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict significant operational impact. This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications.”
On Thursday, the United Nations General Assembly unanimously consented to adopt what some call the first global resolution on AI, reports Reuters. The resolution aims to foster the protection of personal data, enhance privacy policies, ensure close monitoring of AI for potential risks, and uphold human rights. It emerged from a proposal by the United States and received backing from China and 121 other countries.
Being a nonbinding agreement and thus effectively toothless, the resolution seems broadly popular in the AI industry. On X, Microsoft Vice Chair and President Brad Smith wrote, “We fully support the @UN’s adoption of the comprehensive AI resolution. The consensus reached today marks a critical step towards establishing international guardrails for the ethical and sustainable development of AI, ensuring this technology serves the needs of everyone.”
The resolution, titled “Seizing the opportunities of safe, secure and trustworthy artificial intelligence systems for sustainable development,” resulted from three months of negotiation, and the stakeholders involved seem pleased at the level of international cooperation. “We’re sailing in choppy waters with the fast-changing technology, which means that it’s more important than ever to steer by the light of our values,” one senior US administration official told Reuters, highlighting the significance of this “first-ever truly global consensus document on AI.”
In the UN, adoption by consensus means that all members agree to adopt the resolution without a vote. “Consensus is reached when all Member States agree on a text, but it does not mean that they all agree on every element of a draft document,” writes the UN in a FAQ found online. “They can agree to adopt a draft resolution without a vote, but still have reservations about certain parts of the text.”
The initiative joins a series of efforts by governments worldwide to influence the trajectory of AI development following the launch of ChatGPT and GPT-4, and the enormous hype raised by certain members of the tech industry in a public worldwide campaign waged last year. Critics fear that AI may undermine democratic processes, amplify fraudulent activities, or contribute to significant job displacement, among other issues. The resolution seeks to address the dangers associated with the irresponsible or malicious application of AI systems, which the UN says could jeopardize human rights and fundamental freedoms.
Resistance from nations such as Russia and China was anticipated, and US officials acknowledged the presence of “lots of heated conversations” during the negotiation process, according to Reuters. However, they also emphasized successful engagement with these countries and others typically at odds with the US on various issues, agreeing on a draft resolution that sought to maintain a delicate balance between promoting development and safeguarding human rights.
The new UN agreement may be the first “global” agreement, in the sense of having the participation of every UN country, but it wasn’t the first multi-state international AI agreement. That honor seems to fall to the Bletchley Declaration signed in November by the 28 nations attending the UK’s first AI Summit.
Also in November, the US, Britain, and other nations unveiled an agreement focusing on the creation of AI systems that are “secure by design” to protect against misuse by rogue actors. Europe is slowly moving forward with provisional agreements to regulate AI and is close to implementing the world’s first comprehensive AI regulations. Meanwhile, the US government still lacks consensus on legislative action related to AI regulation, with the Biden administration advocating for measures to mitigate AI risks while enhancing national security.
Enlarge/ An illustration of a humanoid robot created by Nvidia.
Nvidia
In sci-fi films, the rise of humanlike artificial intelligence often comes hand in hand with a physical platform, such as an android or robot. While the most advanced AI language models so far seem mostly like disembodied voices echoing from an anonymous data center, they might not remain that way for long. Some companies like Google, Figure, Microsoft, Tesla, Boston Dynamics, and others are working toward giving AI models a body. This is called “embodiment,” and AI chipmaker Nvidia wants to accelerate the process.
“Building foundation models for general humanoid robots is one of the most exciting problems to solve in AI today,” said Nvidia CEO Jensen Huang in a statement. Huang spent a portion of Nvidia’s annual GTC conference keynote on Monday going over Nvidia’s robotics efforts. “The next generation of robotics will likely be humanoid robotics,” Huang said. “We now have the necessary technology to imagine generalized human robotics.”
To that end, Nvidia announced Project GR00T, a general-purpose foundation model for humanoid robots. As a type of AI model itself, Nvidia hopes GR00T (which stands for “Generalist Robot 00 Technology” but sounds a lot like a famous Marvel character) will serve as an AI mind for robots, enabling them to learn skills and solve various tasks on the fly. In a tweet, Nvidia researcher Linxi “Jim” Fan called the project “our moonshot to solve embodied AGI in the physical world.”
AGI, or artificial general intelligence, is a poorly defined term that usually refers to hypothetical human-level AI (or beyond) that can learn any task a human could without specialized training. Given a capable enough humanoid body driven by AGI, one could imagine fully autonomous robotic assistants or workers. Of course, some experts think that true AGI is long way off, so it’s possible that Nvidia’s goal is more aspirational than realistic. But that’s also what makes Nvidia’s plan a moonshot.
NVIDIA Robotics: A Journey From AVs to Humanoids.
“The GR00T model will enable a robot to understand multimodal instructions, such as language, video, and demonstration, and perform a variety of useful tasks,” wrote Fan on X. “We are collaborating with many leading humanoid companies around the world, so that GR00T may transfer across embodiments and help the ecosystem thrive.” We reached out to Nvidia researchers, including Fan, for comment but did not hear back by press time.
Nvidia is designing GR00T to understand natural language and emulate human movements, potentially allowing robots to learn coordination, dexterity, and other skills necessary for navigating and interacting with the real world like a person. And as it turns out, Nvidia says that making robots shaped like humans might be the key to creating functional robot assistants.
The humanoid key
Enlarge/ Robotics startup figure, an Nvidia partner, recently showed off its humanoid “Figure 01” robot.
Figure
So far, we’ve seen plenty of robotics platforms that aren’t human-shaped, including robot vacuum cleaners, autonomous weed pullers, industrial units used in automobile manufacturing, and even research arms that can fold laundry. So why focus on imitating the human form? “In a way, human robotics is likely easier,” said Huang in his GTC keynote. “And the reason for that is because we have a lot more imitation training data that we can provide robots, because we are constructed in a very similar way.”
That means that researchers can feed samples of training data captured from human movement into AI models that control robot movement, teaching them how to better move and balance themselves. Also, humanoid robots are particularly convenient because they can fit anywhere a person can, and we’ve designed a world of physical objects and interfaces (such as tools, furniture, stairs, and appliances) to be used or manipulated by the human form.
Along with GR00T, Nvidia also debuted a new computer platform called Jetson Thor, based on NVIDIA’s Thor system-on-a-chip (SoC), as part of the new Blackwell GPU architecture, which it hopes will power this new generation of humanoid robots. The SoC reportedly includes a transformer engine capable of 800 teraflops of 8-bit floating point AI computation for running models like GR00T.
Enlarge/ A pit stop during the Bahrain Formula One Grand Prix in early March evokes how the team’s manager was feeling when looking at the Excel sheet that managed the car’s build components.
ALI HAIDER/POOL/AFP via Getty Images
There’s a new boss at a storied 47-year-old Formula 1 team, and he’s eager to shake things up. He’s been saying that the team is far behind its competition in technology and coordination. And Excel is a big part of it.
Starting in early 2023, Williams team principal James Vowles and chief technical officer Pat Fry started reworking the F1 team’s systems for designing and building its car. It would be painful, but the pain would keep the team from falling even further behind. As they started figuring out new processes and systems, they encountered what they considered a core issue: Microsoft Excel.
The Williams car build workbook, with roughly 20,000 individual parts, was “a joke,” Vowles recently told The Race. “Impossible to navigate and impossible to update.” This colossal Excel file lacked information on how much each of those parts cost and the time it took to produce them, along with whether the parts were already on order. Prioritizing one car section over another, from manufacture through inspection, was impossible, Vowles suggested.
“When you start tracking now hundreds of thousands of components through your organization moving around, an Excel spreadsheet is useless,” Vowles told The Race. Because of the multiple states each part could be in—ordered, backordered, inspected, returned—humans are often left to work out the details. “And once you start putting that level of complexity in, which is where modern Formula 1 is, the Excel spreadsheet falls over, and humans fall over. And that’s exactly where we are.”
The consequences of this row/column chaos, and the resulting hiccups, were many. Williams missed early pre-season testing in 2019. Workers sometimes had to physically search the team’s factory for parts. The wrong parts got priority, other parts came late, and some piled up. And yet transitioning to a modern tracking system was “viciously expensive,” Fry told The Race, and making up for the painful process required “humans pushing themselves to the absolute limits and breaking.”
Williams’ driver Alexander Albon drives during the qualifying session of the Saudi Arabian Formula One Grand Prix at the Jeddah Corniche Circuit in Jeddah on March 8, 2024.
Joseph Eid/AFP via Getty Images
The devil you know strikes again
The idea that a modern Formula 1 team, building some of the most fantastically advanced and efficient machines on Earth, would be using Excel to build those machines might strike you as odd. F1 cars cost an estimated $12–$16 million each, with resource cap of about $145 million. But none of this really matters, and it actually makes sense, if you’ve ever worked IT at nearly any decent-sized organization.
Then again, it’s not even uncommon in Formula 1. When Sebastian Anthony embedded with the Renault team, he reported back for Ars in 2017 that Renault Sport Formula One’s Excel design and build spreadsheet was 77,000 lines long—more than three times as large as the Williams setup that spurred an internal revolution in 2023.
Every F1 team has its own software setup, Anthony wrote, but they have to integrate with a lot of other systems: Computational Fluid Dynamics (CFD) and wind tunnel results, rapid prototyping and manufacturing, and inventory. This leaves F1 teams “susceptible to the plague of legacy software,” Anthony wrote, though he noted that Renault had moved on to a more dynamic cloud-based system that year. (Renault was also “a big Microsoft shop” in other areas, like email and file sharing, at the time.)
One year prior to Anthony’s excavation, Adam Banks wrote for Ars about the benefits of adopting cloud-based tools for enterprise resource planning (ERP). You adopt a cloud-based business management software to go “Beyond Excel.” “If PowerPoint is the universal language businesses use to talk to one another, their internal monologue is Excel,” Banks wrote. The issue is that all the systems and processes a business touches are complex and generate all kinds of data, but Excel is totally cool with taking in all of it. Or at least 1,048,576 rows of it.
Banks cited Tim Worstall’s 2013 contention that Excel could be “the most dangerous software on the planet.” Back then, international investment bankers were found manually copying and pasting Excel between Excel sheets to do their work, and it raised alarm.
But spreadsheets continue to show up where they ought not. Spreadsheet errors in recent years have led to police doxxing, false trainee test failures, an accidental $10 million crypto transfer, and bank shares sold at sorely undervalued prices. Spreadsheets are sometimes called the “dark matter” of large organizations, being ever-present and far too relied upon despite 90 percent of larger sheets being likely to have a major error.
So, Excel sheets catch a lot of blame, even if they’re just a symptom of a larger issue. Still, it’s good to see one no longer connected to the safety of a human heading into a turn at more than 200 miles per hour.
Enlarge/ The GB200 “superchip” covered with a fanciful blue explosion.
Nvidia / Benj Edwards
On Monday, Nvidia unveiled the Blackwell B200 tensor core chip—the company’s most powerful single-chip GPU, with 208 billion transistors—which Nvidia claims can reduce AI inference operating costs (such as running ChatGPT) and energy consumption by up to 25 times compared to the H100. The company also unveiled the GB200, a “superchip” that combines two B200 chips and a Grace CPU for even more performance.
The news came as part of Nvidia’s annual GTC conference, which is taking place this week at the San Jose Convention Center. Nvidia CEO Jensen Huang delivered the keynote Monday afternoon. “We need bigger GPUs,” Huang said during his keynote. The Blackwell platform will allow the training of trillion-parameter AI models that will make today’s generative AI models look rudimentary in comparison, he said. For reference, OpenAI’s GPT-3, launched in 2020, included 175 billion parameters. Parameter count is a rough indicator of AI model complexity.
Nvidia named the Blackwell architecture after David Harold Blackwell, a mathematician who specialized in game theory and statistics and was the first Black scholar inducted into the National Academy of Sciences. The platform introduces six technologies for accelerated computing, including a second-generation Transformer Engine, fifth-generation NVLink, RAS Engine, secure AI capabilities, and a decompression engine for accelerated database queries.
Enlarge/ Press photo of the Grace Blackwell GB200 chip, which combines two B200 GPUs with a Grace CPU into one chip.
Several major organizations, such as Amazon Web Services, Dell Technologies, Google, Meta, Microsoft, OpenAI, Oracle, Tesla, and xAI, are expected to adopt the Blackwell platform, and Nvidia’s press release is replete with canned quotes from tech CEOs (key Nvidia customers) like Mark Zuckerberg and Sam Altman praising the platform.
GPUs, once only designed for gaming acceleration, are especially well suited for AI tasks because their massively parallel architecture accelerates the immense number of matrix multiplication tasks necessary to run today’s neural networks. With the dawn of new deep learning architectures in the 2010s, Nvidia found itself in an ideal position to capitalize on the AI revolution and began designing specialized GPUs just for the task of accelerating AI models.
Nvidia’s data center focus has made the company wildly rich and valuable, and these new chips continue the trend. Nvidia’s gaming GPU revenue ($2.9 billion in the last quarter) is dwarfed in comparison to data center revenue (at $18.4 billion), and that shows no signs of stopping.
A beast within a beast
Enlarge/ Press photo of the Nvidia GB200 NVL72 data center computer system.
The aforementioned Grace Blackwell GB200 chip arrives as a key part of the new NVIDIA GB200 NVL72, a multi-node, liquid-cooled data center computer system designed specifically for AI training and inference tasks. It combines 36 GB200s (that’s 72 B200 GPUs and 36 Grace CPUs total), interconnected by fifth-generation NVLink, which links chips together to multiply performance.
Enlarge/ A specification chart for the Nvidia GB200 NVL72 system.
“The GB200 NVL72 provides up to a 30x performance increase compared to the same number of NVIDIA H100 Tensor Core GPUs for LLM inference workloads and reduces cost and energy consumption by up to 25x,” Nvidia said.
That kind of speed-up could potentially save money and time while running today’s AI models, but it will also allow for more complex AI models to be built. Generative AI models—like the kind that power Google Gemini and AI image generators—are famously computationally hungry. Shortages of compute power have widely been cited as holding back progress and research in the AI field, and the search for more compute has led to figures like OpenAI CEO Sam Altman trying to broker deals to create new chip foundries.
While Nvidia’s claims about the Blackwell platform’s capabilities are significant, it’s worth noting that its real-world performance and adoption of the technology remain to be seen as organizations begin to implement and utilize the platform themselves. Competitors like Intel and AMD are also looking to grab a piece of Nvidia’s AI pie.
Nvidia says that Blackwell-based products will be available from various partners starting later this year.
