Security

musk-and-trump-both-went-to-penn—now-hacked-by-someone-sympathetic-to-their-cause

Musk and Trump both went to Penn—now hacked by someone sympathetic to their cause

hacking hactivists, Security, University of Pennsylvania / /

Once that information was taken, the hacker sent an email to numerous members of the Penn community. It had the subject line “We got hacked (Action Required),” and it called the school “a dogshit elitist institution full of woke retards.” It went on to claim that the school is “completely unmeritocratic” and that “we hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.”

Sounds political! But the hacker contacted the site Bleeping Computer and said that the real goal was Penn’s “vast, wonderfully wealthy donor database” and that, “while we’re not really politically motivated, we have no love for these nepobaby-serving institutions.” (Among the donors? Elon Musk, who has endowed the Elon Musk Public Lecture at Penn.)

That “denial” of political motivations also sounds pretty political, and there’s precedent for such actions against educational institutions. Columbia University, for instance, was hacked this summer by a “highly sophisticated ‘hacktivist’ who had gained access to private student records in an attempt to further a political agenda,” according to the Associated Press.

It’s always hard to know how much of this “hactivist” activity is truly motivated private actors, however, as opposed to nation-states disguising their own attempts to steal data and to create political disruption.

In response, Penn has called in the FBI and the private company CrowdStrike, while a Penn alumnus has already sued the school for negligence. Penn workers can look forward to “additional mandatory trainings” to prevent similar breaches in the future.

Musk and Trump both went to Penn—now hacked by someone sympathetic to their cause Read More »

5-ai-developed-malware-families-analyzed-by-google-fail-to-work-and-are-easily-detected

5 AI-developed malware families analyzed by Google fail to work and are easily detected

AI, Biz & IT, generative ai, guardrails, malware, ransomware, Security / /

The assessments provide a strong counterargument to the exaggerated narratives being trumpeted by AI companies, many seeking new rounds of venture funding, that AI-generated malware is widespread and part of a new paradigm that poses a current threat to traditional defenses.

A typical example is Anthropic, which recently reported its discovery of a threat actor that used its Claude LLM to “develop, market, and distribute several variants of ransomware, each with advanced evasion capabilities, encryption, and anti-recovery mechanisms.” The company went on to say: “Without Claude’s assistance, they could not implement or troubleshoot core malware components, like encryption algorithms, anti-analysis techniques, or Windows internals manipulation.”

Startup ConnectWise recently said that generative AI was “lowering the bar of entry for threat actors to get into the game.” The post cited a separate report from OpenAI that found 20 separate threat actors using its ChatGPT AI engine to develop malware for tasks including identifying vulnerabilities, developing exploit code, and debugging that code. BugCrowd, meanwhile, said that in a survey of self-selected individuals, “74 percent of hackers agree that AI has made hacking more accessible, opening the door for newcomers to join the fold.”

In some cases, the authors of such reports note the same limitations noted in this article. Wednesday’s report from Google says that in its analysis of AI tools used to develop code for managing command and control channels and obfuscating its operations “we did not see evidence of successful automation or any breakthrough capabilities.” OpenAI said much the same thing. Still, these disclaimers are rarely made prominently and are often downplayed in the resulting frenzy to portray AI-assisted malware as posing a near-term threat.

Google’s report provides at least one other useful finding. One threat actor that exploited the company’s Gemini AI model was able to bypass its guardrails by posing as white-hat hackers doing research for participation in a capture-the-flag game. These competitive exercises are designed to teach and demonstrate effective cyberattack strategies to both participants and onlookers.

Such guardrails are built into all mainstream LLMs to prevent them from being used maliciously, such as in cyberattacks and self-harm. Google said it has since better fine-tuned the countermeasure to resist such ploys.

Ultimately, the AI-generated malware that has surfaced to date suggests that it’s mostly experimental, and the results aren’t impressive. The events are worth monitoring for developments that show AI tools producing new capabilities that were previously unknown. For now, though, the biggest threats continue to predominantly rely on old-fashioned tactics.

5 AI-developed malware families analyzed by Google fail to work and are easily detected Read More »

two-windows-vulnerabilities,-one-a-0-day,-are-under-active-exploitation

Two Windows vulnerabilities, one a 0-day, are under active exploitation

Biz & IT, microsoft windows vulnerabilities, Security, zero-day, zero-day vulnerability / /

Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.

The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.

A large-scale, coordinated operation

Seven months later, Microsoft still hasn’t patched the vulnerability, which stems from a bug in the Windows Shortcut binary format. The Windows component makes opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491.

On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit keeps the binary file encrypted in the RC4 format until the final step in the attack.

“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”

Two Windows vulnerabilities, one a 0-day, are under active exploitation Read More »

fcc-to-rescind-ruling-that-said-isps-are-required-to-secure-their-networks

FCC to rescind ruling that said ISPs are required to secure their networks

FCC, Policy, salt typhoon, Security / /

The Federal Communications Commission will vote in November to repeal a ruling that requires telecom providers to secure their networks, acting on a request from the biggest lobby groups representing Internet providers.

FCC Chairman Brendan Carr said the ruling, adopted in January just before Republicans gained majority control of the commission, “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.” Carr said the vote scheduled for November 20 comes after “extensive FCC engagement with carriers” who have taken “substantial steps… to strengthen their cybersecurity defenses.”

The FCC’s January 2025 declaratory ruling came in response to attacks by China, including the Salt Typhoon infiltration of major telecom providers such as Verizon and AT&T. The Biden-era FCC found that the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law, “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”

“The Commission has previously found that section 105 of CALEA creates an affirmative obligation for a telecommunications carrier to avoid the risk that suppliers of untrusted equipment will ‘illegally activate interceptions or other forms of surveillance within the carrier’s switching premises without its knowledge,’” the January order said. “With this Declaratory Ruling, we clarify that telecommunications carriers’ duties under section 105 of CALEA extend not only to the equipment they choose to use in their networks, but also to how they manage their networks.”

ISPs get what they want

The declaratory ruling was paired with a Notice of Proposed Rulemaking that would have led to stricter rules requiring specific steps to secure networks against unauthorized interception. Carr voted against the decision at the time.

Although the declaratory ruling didn’t yet have specific rules to go along with it, the FCC at the time said it had some teeth. “Even absent rules adopted by the Commission, such as those proposed below, we believe that telecommunications carriers would be unlikely to satisfy their statutory obligations under section 105 without adopting certain basic cybersecurity practices for their communications systems and services,” the January order said. “For example, basic cybersecurity hygiene practices such as implementing role-based access controls, changing default passwords, requiring minimum password strength, and adopting multifactor authentication are necessary for any sensitive computer system. Furthermore, a failure to patch known vulnerabilities or to employ best practices that are known to be necessary in response to identified exploits would appear to fall short of fulfilling this statutory obligation.”

FCC to rescind ruling that said ISPs are required to secure their networks Read More »

leaker-reveals-which-pixels-are-vulnerable-to-cellebrite-phone-hacking

Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking

Cellebrite, Google, Security, smartphones, Tech / /

Cellebrite leak

This blurry screenshot appears to list which Pixel phones Cellebrite devices can hack.

Credit: rogueFed

This blurry screenshot appears to list which Pixel phones Cellebrite devices can hack. Credit: rogueFed

At least according to Cellebrite, GrapheneOS is more secure than what Google offers out of the box. The company is telling law enforcement in these briefings that its technology can extract data from Pixel 6, 7, 8, and 9 phones in unlocked, AFU, and BFU states on stock software. However, it cannot brute-force passcodes to enable full control of a device. The leaker also notes law enforcement is still unable to copy an eSIM from Pixel devices. Notably, the Pixel 10 series is moving away from physical SIM cards.

For those same phones running GrapheneOS, police can expect to have a much harder time. The Cellebrite table says that Pixels with GrapheneOS are only accessible when running software from before late 2022—both the Pixel 8 and Pixel 9 were launched after that. Phones in both BFU and AFU states are safe from Cellebrite on updated builds, and as of late 2024, even a fully unlocked GrapheneOS device is immune from having its data copied. An unlocked phone can be inspected in plenty of other ways, but data extraction in this case is limited to what the user can access.

The original leaker claims to have dialed into two calls so far without detection. However, rogueFed also called out the meeting organizer by name (the second screenshot, which we are not reposting). Odds are that Cellebrite will be screening meeting attendees more carefully now.

We’ve reached out to Google to inquire about why a custom ROM created by volunteers is more resistant to industrial phone hacking than the official Pixel OS. We’ll update this article if Google has anything to say.

Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking Read More »

npm-flooded-with-malicious-packages-downloaded-more-than-86,000-times

NPM flooded with malicious packages downloaded more than 86,000 times

Biz & IT, code dependencies, code repositories, npm, phantomraven, Security / /

Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection.

The finding, laid out Wednesday by security firm Koi, brings attention to an NPM practice that allows installed packages to automatically pull down and run unvetted packages from untrusted domains. Koi said a campaign it tracks as PhantomRaven has exploited NPM’s use of “Remote Dynamic Dependences” to flood NPM with 126 malicious packages that have been downloaded more than 86,000 times. Some 80 of those packages remained available as of Wednesday morning, Koi said.

A blind spot

“PhantomRaven demonstrates how sophisticated attackers are getting [better] at exploiting blind spots in traditional security tooling,” Koi’s Oren Yomtov wrote. “Remote Dynamic Dependencies aren’t visible to static analysis.”

Remote Dynamic Dependencies provide greater flexibility in accessing dependencies—the code libraries that are mandatory for many other packages to work. Normally, dependencies are visible to the developer installing the package. They’re usually downloaded from NPM’s trusted infrastructure.

RDD works differently. It allows a package to download dependencies from untrusted websites, even those that connect over HTTP, which is unencrypted. The PhantomRaven attackers exploited this leniency by including code in the 126 packages uploaded to NPM. The code downloads malicious dependencies from URLs, including http://packages.storeartifact.com/npm/unused-imports. Koi said these dependencies are “invisible” to developers and many security scanners. Instead, they show the package contains “0 Dependencies.” An NPM feature causes these invisible downloads to be automatically installed.

Compounding the weakness, the dependencies are downloaded “fresh” from the attacker server each time a package is installed, rather than being cached, versioned, or otherwise static, as Koi explained:

NPM flooded with malicious packages downloaded more than 86,000 times Read More »

this-browser-claims-“perfect-privacies-protection,”-but-it-acts-like-malware

This browser claims “perfect privacies protection,” but it acts like malware

malware, Security, syndicated, Universe Browser, web browsers / /

Researchers note links to Asia’s booming cybercrime and illegal gambling networks.

This looks like a 100 percent above-board product, right? Right? Credit: Ars Technica

The Universe Browser makes some big promises to its potential users. Its online advertisements claim it’s the “fastest browser,” that people using it will “avoid privacy leaks” and that the software will help “keep you away from danger.” However, everything likely isn’t as it seems.

The browser, which is linked to Chinese online gambling websites and is thought to have been downloaded millions of times, actually routes all Internet traffic through servers in China and “covertly installs several programs that run silently in the background,” according to new findings from network security company Infoblox. The researchers say the “hidden” elements include features similar to malware—including “key logging, surreptitious connections,” and changing a device’s network connections.

Perhaps most significantly, the Infoblox researchers who collaborated with the United Nations Office on Drugs and Crime (UNODC) on the work, found links between the browser’s operation and Southeast Asia’s sprawling, multibillion-dollar cybercrime ecosystem, which has connections to money-laundering, illegal online gambling, human trafficking, and scam operations that use forced labor. The browser itself, the researchers says, is directly linked to a network around major online gambling company BBIN, which the researchers have labeled a threat group they call Vault Viper.

The researchers say the discovery of the browser—plus its suspicious and risky behavior—indicates that criminals in the region are becoming increasingly sophisticated. “These criminal groups, particularly Chinese organized crimes syndicates, are increasingly diversifying and evolving into cyber enabled fraud, pig butchering, impersonation, scams, that whole ecosystem,” says John Wojcik, a senior threat researcher at Infoblox, who also worked on the project when he was a staff member at the UNODC.

“They’re going to continue to double down, reinvest profits, develop new capabilities,” Wojcik says. “The threat is ultimately becoming more serious and concerning, and this is one example of where we see that.”

Under the hood

The Universe Browser was first spotted—and mentioned by name—by Infoblox and UNODC at the start of this year when they began unpacking the digital systems around an online casino operation based in Cambodia, which was previously raided by law enforcement officials. Infoblox, which specializes in domain name system (DNS) management and security, detected a unique DNS fingerprint from those systems that they linked to Vault Viper, making it possible for the researchers to trace and map websites and infrastructure linked to the group.

Tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to Vault Viper activity, Infoblox researchers say in a report shared with WIRED. They also say they examined hundreds of pages of corporate documents, legal records, and court filings with links to BBIN or other subsidiaries. Time and time again, they came across the Universe Browser online.

“We haven’t seen the Universe Browser advertised outside of the domains Vault Viper controls,” says Maël Le Touz, a threat researcher at Infoblox. The Infoblox report says the browser was “specifically” designed to help people in Asia—where online gambling is largely illegal—bypass restrictions. “Each of the casino websites they operate seem to contain a link and advertisement to it,” Le Touz says.

The Universe Browser itself is mostly offered for direct download from these casino websites—often being linked at the bottom of the websites, next to the logo of BBIN. There are desktop versions available for Windows, as well as an app version in Apple’s App Store. And while it is not in Google’s Play Store, there are Android APK files that allow the app to be directly installed on Android phones. The researchers say multiple parts of the Universe Browser and the code for its apps reference BBIN, and other technical details also reference the company.

The researchers reverse-engineered the Windows version of the browser. They say that while they have been unable to “verify malicious intent,” elements of the browser that they uncovered include many features that are similar to those found malware and tries to evade detection by antivirus tools. When the browser is launched, it “immediately” checks for the user’s location, language, and whether it is running in a virtual machine. The app also installs two browser extensions: one of which can allow screenshots to be uploaded to domains linked to the browser.

While online gambling in China is largely illegal, the country also runs some of the world’s strictest online censorship operations and has taken action against illegal gambling rings. While the browser may most often be being used by those trying to take part in illegal gambling, it also puts their data at risk, the researchers say. “In the hands of a malicious actor—a Triad for example—this browser would serve as the perfect tool to identify wealthy players and obtain access to their machine,” the Infoblox report says.

Beyond connecting to China, running key logging, and other programs that run in the background, Infoblox’s report also says multiple functions have been disabled. “The right click, settings access and developer tools, for instance, have all been removed, while the browser itself is run with several flags disabling major security features including sandboxing, and the removal of legacy SSL protocols, greatly increasing risk when compared with typical mainstream browsers,” the company’s report says. (SSL, also known as Secure Sockets Layer, is a historic type of web encryption that protected some data transfers.)

It is unclear whether these same suspicious behaviors are present in the iOS and Android versions of the app. A Google spokesperson says the company is looking into the app and confirmed it was not available through its Google Play store. Apple did not respond to requests for comment about the app.

Connect the dots

The web infrastructure around the Universe Browser led the researchers back to BBIN, a company that has existed since 1999. While it was originally founded in Taiwan, the company now has a large base in the Philippines.

BBIN, which also goes by the name Baoying Group and has multiple subsidies, describes itself as a “leading” supplier of iGaming software in Asia. A UNODC report from April, which links BBIN to the Universe Browser but does not formally name the company as Vault Viper, says the firm runs several hotels and casinos in Southeast Asia as well as providing “one of the largest and most successful” iGaming platforms in the region. Over the last decade, BBIN has sponsored or partnered with multiple major European soccer teams, such as Spain’s Atlético de Madrid, Germany’s Borussia Dortmund, and Dutch team AFC Ajax.

In recent years, multiple football clubs in England’s Premier League have faced scrutiny over sponsorship by Asian gambling companies—including by TGP Europe, which was owned by Alvin Chau, the chairman and founder of SunCity Group, who was sentenced in January 2023 to 18 years in prison after being found guilty of running illegal gambling operations. TGP Europe left the UK earlier this year after being fined by the country’s gambling regulator. Atlético Madrid, Borussia Dortmund, and AFC Ajax did not respond to WIRED requests for comment.

The iGaming industry develops online gambling software, such as virtual poker or other online casino games, that can easily be played on the web or on phones. “BBIN Baoying is officially an online casino game developer or ‘white label’ online casino platform, meaning it outsources its online gambling technology to other sites,” says Lindsey Kennedy, research director at The EyeWitness Project, which investigates corruption and organized crime. “The only languages it offers are Korean, Japanese, and Chinese, which isn’t a great sign as online gambling is either banned or heavily restricted in all three countries.”

“Baoying and BBIN are what I would call a multi-billion dollar gray-area international conglomerate with deep criminal connections, backstopping and providing services to online gambling businesses, scams and cybercrime actors,” alleges Jeremy Douglas, chief of staff at the UNODC and its former regional representative for Southeast Asia. “Aside from what has been estimated at a two-thirds ownership by Alvin Chau of SunCity—arguably the biggest money launderer in the history of Asia—law enforcement partners have documented direct connections with Triad groups including the Bamboo Union, Four Seas, Tian Dao,” Douglas says of BBIN. (When Chau was sentenced in January 2023, court documents pointed to him allegedly owning a 66.67 percent share of Baoying).

BBIN did not respond to multiple requests for comment from WIRED. The firm’s primary contact email address it lists on its website bounced back, while questions sent to another email address and online contact forms, plus attempts to contact two alleged staff members on LinkedIn were not answered by the time of publication. A company Telegram account pointed WIRED to one of the contact forms that did not provide any answers.

The Presidential Anti-Organized Crime Commission (PAOCC) in the Philippines, which tackles organized and international crimes, did not respond to a request for comment from WIRED about BBIN.

Over the last decade, online crime in Southeast Asia has massively surged, driven partially by illegal online gambling and also a series of scam compoundsthat have been set up across Myanmar, Laos, and Cambodia. Hundreds of thousands of people from more than 60 countries have been tricked into working in these compounds, where they operate scams day and night, stealing billions of dollars from people around the world.

“Scam parks and compounds across the region generally host both online gambling and online scam operations, and the methodology used to lure individuals into opening online gambling accounts parallels that associated with pig-butchering scams,” says Jason Tower, a senior expert at the Global Initiative Against Transnational Organized Crime.

Last week, US law enforcement seized $15 billion in Bitcoin from one giant Cambodian organization, which publicly dealt in real estate but allegedly ran scam facilities in “secret.” One of the sanctioned entities, the Jin Bei Group in Cambodia, which US authorities accused of operating a series of scam compounds, also shows links to BBIN’s technology, Tower says. “There are multiple Telegram groups and casino websites indicating that BBIN partners with multiple entities inside the Jinbei casino,” Tower says, adding that one group on Telegram “posts daily advertisements indicating an official partnership between Jinbei and BBIN.”

Over recent years, multiple government press releases and news reports fromcountries including China and Taiwan, have alleged how BBIN’s technology has been used within illegal gambling operations and linked to cybercrime. “There are hundreds of Telegram posts aggressively advertising various illegal Chinese facing gambling sites that say they either are, or are built on, BBIN/Baoying technology, many of them by individuals claiming to operate out of scam and illegal gambling compounds, or as part of the highly illegal, trafficking-driven industry in Cambodia and Northern Myanmar,” says Kennedy from The EyeWitness Project.

While the Universe Browser has most likely been downloaded by those accessing Chinese-language gambling websites, researchers say that its development indicates how pivotal and lucrative illegal online gambling operations are and exposing their links to scamming efforts that operate across the world. “As these operations continue to scale and diversify, they are marked by growing technical expertise, professionalization, operational resilience, and the ability to function under the radar with very limited scrutiny and oversight,” Infoblox’s report concludes.

This story originally appeared on wired.com.

Photo of WIRED

Wired.com is your essential daily guide to what’s next, delivering the most original and complete take you’ll find anywhere on innovation’s impact on technology, science, business and culture.

This browser claims “perfect privacies protection,” but it acts like malware Read More »

jaguar-land-rover-looking-at-$2.5-billion-price-tag-from-crippling-cyberattack

Jaguar Land Rover looking at $2.5 billion price tag from crippling cyberattack

Cars, cybercrime, Jaguar Land Rover, ransomware, Security / /

The CMC estimated in June that the financial impact of the attacks on the two retailers was between £270 million and £440 million.

The investigation into the JLR attack is being led by the National Crime Agency but few details have emerged on who was behind the incident. The CMC estimate did not include assumptions about whether JLR had paid a ransom or not.

Martin said companies tended to focus their resources on protecting themselves against data breaches since they have a legal obligation to protect customer data.

But cases like JLR underscore the increasing risks of attackers not just stealing data but destroying critical networks supporting a company’s operations, and the high costs associated with such attacks.

While state actors have not been behind recent attacks on M&S and other retailers, Martin warned that there was an increasing “geopolitical vulnerability” and risk that hostile nation states could attack UK businesses for non-financial reasons.

“It is now clear not just that criminal disruptive attacks are the worst problem in cybersecurity right now, but they’re a playbook to hostile nation states on how to attack us,” Martin said at a separate speech in London on Wednesday. “So cybersecurity has become economic security. And economic security is national security.”

Last week, the UK National Cyber Security Centre also warned that state actors continued to pose “a significant threat” to Britain and global cyber security, citing the risks posed by China, Russia, and others.

According to an annual review by NCSC, the UK had suffered 204 “nationally significant [cyber] incidents” in the 12 months to August 2025, compared with 89 in the same period a year earlier.

The term is used to describe the three most serious types of incidents as defined by UK law enforcement.

© 2025 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.

Jaguar Land Rover looking at $2.5 billion price tag from crippling cyberattack Read More »

nation-state-hackers-deliver-malware-from-“bulletproof”-blockchains

Nation-state hackers deliver malware from “bulletproof” blockchains

Biz & IT, Blockchain, hacking, malware, Security / /

Hacking groups—at least one of which works on behalf of the North Korean government—have found a new and inexpensive way to distribute malware from “bulletproof” hosts: stashing them on public cryptocurrency blockchains.

In a Thursday post, members of the Google Threat Intelligence Group said the technique provides the hackers with their own “bulletproof” host, a term that describes cloud platforms that are largely immune from takedowns by law enforcement and pressure from security researchers. More traditionally, these hosts are located in countries without treaties agreeing to enforce criminal laws from the US and other nations. These services often charge hefty sums and cater to criminals spreading malware or peddling child sexual abuse material and wares sold in crime-based flea markets.

Next-gen, DIY hosting that can’t be tampered with

Since February, Google researchers have observed two groups turning to a newer technique to infect targets with credential stealers and other forms of malware. The method, known as EtherHiding, embeds the malware in smart contracts, which are essentially apps that reside on blockchains for Ethereum and other cryptocurrencies. Two or more parties then enter into an agreement spelled out in the contract. When certain conditions are met, the apps enforce the contract terms in a way that, at least theoretically, is immutable and independent of any central authority.

“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google researchers Blas Kojusner, Robert Wallace, and Joseph Dobson wrote. “This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.”

There’s a wide array of advantages to EtherHiding over more traditional means of delivering malware, which besides bulletproof hosting include leveraging compromised servers.

    • The decentralization prevents takedowns of the malicious smart contracts because the mechanisms in the blockchains bar the removal of all such contracts.
    • Similarly, the immutability of the contracts prevents the removal or tampering with the malware by anyone.
    • Transactions on Ethereum and several other blockchains are effectively anonymous, protecting the hackers’ identities.
    • Retrieval of malware from the contracts leaves no trace of the access in event logs, providing stealth
    • The attackers can update malicious payloads at anytime

Nation-state hackers deliver malware from “bulletproof” blockchains Read More »

thousands-of-customers-imperiled-after-nation-state-ransacks-f5’s-network

Thousands of customers imperiled after nation-state ransacks F5’s network

big-ip, Biz & IT, breach, f5, Security / /

Customers position BIG-IP at the very edge of their networks for use as load balancers and firewalls, and for inspection and encryption of data passing into and out of networks. Given BIG-IP’s network position and its role in managing traffic for web servers, previous compromises have allowed adversaries to expand their access to other parts of an infected network.

F5 said that investigations by two outside intrusion-response firms have yet to find any evidence of supply-chain attacks. The company attached letters from firms IOActive and NCC Group attesting that analyses of source code and build pipeline uncovered no signs that a “threat actor modified or introduced any vulnerabilities into the in-scope items.” The firms also said they didn’t identify any evidence of critical vulnerabilities in the system. Investigators, which also included Mandiant and CrowdStrike, found no evidence that data from its CRM, financial, support case management, or health systems was accessed.

The company released updates for its BIG-IP, F5OS, BIG-IQ, and APM products. CVE designations and other details are here. Two days ago, F5 rotated BIG-IP signing certificates, though there was no immediate confirmation that the move is in response to the breach.

The US Cybersecurity and Infrastructure Security agency has warned that federal agencies that rely on the appliance face an “imminent threat” from the thefts, which “pose an unacceptable risk.” The agency went on to direct federal agencies under its control to take “emergency action.” The UK’s National Cyber Security Center issued a similar directive.

CISA has ordered all federal agencies it oversees to immediately take inventory of all BIG-IP devices in networks they run or in networks that outside providers run on their behalf. The agency went on to direct agencies to install the updates and follow a threat-hunting guide that F5 has also issued. BIG-IP users in private industry should do the same.

Thousands of customers imperiled after nation-state ransacks F5’s network Read More »

nato-boss-mocks-russian-navy,-which-is-on-the-hunt-for-red-october-“the-nearest-mechanic”

NATO boss mocks Russian navy, which is on the hunt for Red October “the nearest mechanic”

Cyberattacks, russia, Russian navy, Security, submarine / /

When one of its Kilo-class, diesel-electric submarines recently surfaced off the coast of France, Russia denied that there was a problem with the vessel. The sub was simply surfacing to comply with maritime transit rules governing the English Channel, the Kremlin said—Russia being, of course, a noted follower of international law.

But social media accounts historically linked to Russian security forces suggested a far more serious problem on the submarine Novorossiysk. According to The Maritime Executive, “Rumors began to circulate on well-informed social media channels that the Novorossiysk had suffered a fuel leak. They suggested the vessel lacked onboard capabilities and was forced to surface to empty flooded compartments. Some reports said it was a dangerous fuel leak aboard the vessel, which was commissioned in 2012.”

France 24 quoted further social media reports as saying, “The submarine has neither the spare parts nor the qualified specialists onboard to fix the malfunction,” and it “now poses an explosion hazard.”

When the Novorossiysk surfaced off the coast of France a few days ago, it headed north and was promptly shadowed by a French warship, then an English ship, and finally a Dutch hydrographic recording vessel and an NH90 combat helicopter. The Dutch navy said in a statement that the Novorossiysk and “the tugboat Yakov Grebelskiy,” which was apparently towing it, have left the Dutch Exclusive Economic Zone. Although Russian ships have the right to transit international waters, the Dutch wanted to show “vigilance” in “preventing Russian ships from sabotaging submarine infrastructure.”

NATO boss mocks Russian navy, which is on the hunt for Red October “the nearest mechanic” Read More »

hackers-can-steal-2fa-codes-and-private-messages-from-android-phones

Hackers can steal 2FA codes and private messages from Android phones

android, Biz & IT, Google, pixnapping, privacy, Security, side channel / /

In the second step, Pixnapping performs graphical operations on individual pixels that the targeted app sent to the rendering pipeline. These operations choose the coordinates of target pixels the app wants to steal and begin to check if the color of those coordinates is white or non-white.

“Suppose, for example, [the attacker] wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Wang said. “This pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1.”

The third step measures the amount of time required at each coordinate. By combining the times for each one, the attack can rebuild the images sent to the rendering pipeline one pixel at a time.

The amount of time required to perform the attack depends on several variables, including how many coordinates need to be measured. In some cases, there’s no hard deadline for obtaining the information the attacker wants to steal. In other cases—such as stealing a 2FA code—every second counts, since each one is valid for only 30 seconds. In the paper, the researchers explained:

To meet the strict 30-second deadline for the attack, we also reduce the number of samples per target pixel to 16 (compared to the 34 or 64 used in earlier attacks) and decrease the idle time between pixel leaks from 1.5 seconds to 70 milliseconds. To ensure that the attacker has the full 30 seconds to leak the 2FA code, our implementation waits for the beginning of a new 30-second global time interval, determined using the system clock.

… We use our end-to-end attack to leak 100 different 2FA codes from Google Authenticator on each of our Google Pixel phones. Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively. We are unable to leak 2FA codes within 30 seconds using our implementation on the Samsung Galaxy S25 device due to significant noise. We leave further investigation of how to tune our attack to work on this device to future work.

In an email, a Google representative wrote, “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation.”

Hackers can steal 2FA codes and private messages from Android phones Read More »