• chevron_right

      Thousands of servers hacked in ongoing attack targeting Ray AI framework

      news.movim.eu / ArsTechnica · Yesterday - 22:40

    Thousands of servers hacked in ongoing attack targeting Ray AI framework

    Enlarge (credit: Getty Images)

    Thousands of servers storing AI workloads and network credentials have been hacked in an ongoing attack campaign targeting a reported vulnerability in Ray, a computing framework used by OpenAI, Uber, and Amazon.

    The attacks, which have been active for at least seven months, have led to the tampering of AI models. They have also resulted in the compromise of network credentials, allowing access to internal networks and databases and tokens for accessing accounts on platforms including OpenAI, Hugging Face, Stripe, and Azure. Besides corrupting models and stealing credentials, attackers behind the campaign have installed cryptocurrency miners on compromised infrastructure, which typically provides massive amounts of computing power. Attackers have also installed reverse shells, which are text-based interfaces for remotely controlling servers.

    Hitting the jackpot

    “When attackers get their hands on a Ray production cluster, it is a jackpot,” researchers from Oligo, the security firm that spotted the attacks, wrote in a post . “Valuable company data plus remote code execution makes it easy to monetize attacks—all while remaining in the shadows, totally undetected (and, with static security tools, undetectable).”

    Read 12 remaining paragraphs | Comments

    • chevron_right

      “MFA Fatigue” attack targets iPhone owners with endless password reset prompts

      news.movim.eu / ArsTechnica · Yesterday - 18:10

    iPhone showing three password reset prompts

    Enlarge / They look like normal notifications, but opening an iPhone with one or more of these stacked up, you won't be able to do much of anything until you tap "Allow" or "Don't Allow." And they're right next to each other. (credit: Kevin Purdy)

    Human weaknesses are a rich target for phishing attacks. Making humans click "Don't Allow" over and over again in a phone prompt that can't be skipped is an angle some iCloud attackers are taking—and likely having some success.

    Brian Krebs' at Krebs on Security detailed the attacks in a recent post , noting that "MFA Fatigue Attacks" are a known attack strategy . By repeatedly hitting a potential victim's device with multifactor authentication requests, the attack fills a device's screen with prompts that typically have yes/no options, often very close together. Apple's devices are just the latest rich target for this technique.

    Both the Kremlin-backed Fancy Bear advanced persistent threat group and a rag-tag bunch of teenagers known as Lapsus$ have been known to use the technique, also known as MFA prompt bombing , successfully.

    Read 11 remaining paragraphs | Comments

    • chevron_right

      Thousands of phones and routers swept into proxy service, unbeknownst to users

      news.movim.eu / ArsTechnica · 2 days ago - 19:56 · 1 minute

    Thousands of phones and routers swept into proxy service, unbeknownst to users

    Enlarge (credit: Getty Images)

    Crooks are working overtime to anonymize their illicit online activities using thousands of devices of unsuspecting users, as evidenced by two unrelated reports published Tuesday.

    The first, from security firm Lumen Labs, reports that roughly 40,000 home and office routers have been drafted into a criminal enterprise that anonymizes illicit Internet activities, with another 1,000 new devices being added each day. The malware responsible is a variant of TheMoon , a malicious code family dating back to at least 2014. In its earliest days, TheMoon almost exclusively infected Linksys E1000 series routers. Over the years it branched out to targeting the Asus WRTs, Vivotek Network Cameras, and multiple D-Link models.

    In the years following its debut, TheMoon’s self-propagating behavior and growing ability to compromise a broad base of architectures enabled a growth curve that captured attention in security circles. More recently, the visibility of the Internet of Things botnet trailed off, leading many to assume it was inert. To the surprise of researchers in Lumen’s Black Lotus Lab, during a single 72-hour stretch earlier this month, TheMoon added 6,000 ASUS routers to its ranks, an indication that the botnet is as strong as it’s ever been.

    Read 9 remaining paragraphs | Comments

    • chevron_right

      Justice Department indicts 7 accused in 14-year hack campaign by Chinese gov

      news.movim.eu / ArsTechnica · 3 days ago - 20:20 · 1 minute

    Justice Department indicts 7 accused in 14-year hack campaign by Chinese gov

    Enlarge (credit: peterschreiber.media | Getty Images)

    The US Justice Department on Monday unsealed an indictment charging seven men with hacking or attempting to hack dozens of US companies in a 14-year campaign furthering economic espionage and foreign intelligence gathering by the Chinese government.

    All seven defendants, federal prosecutors alleged, were associated with Wuhan Xiaoruizhi Science & Technology Co., Ltd, a front company created by the Hubei State Security Department, an outpost of the Ministry of State Security located in Wuhan province. The MSS, in turn, has funded an advanced persistent threat group tracked under names including APT31, Zirconium Violet Typhoon, Judgment Panda, and Altaire.

    Relentless 14-year campaign

    “Since at least 2010, the defendants … engaged in computer network intrusion activity on behalf of the HSSD targeting numerous US government officials, various US economic and defense industries, and a variety of private industry officials, foreign democracy activists, academics, and parliamentarians in response to geopolitical events affecting the PRC,” federal prosecutors alleged . “These computer network intrusion activities resulted in the confirmed and potential compromise of work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans, including at least some information that could be released in support of malign influence targeting democratic processes and institutions, and economic plans, intellectual property, and trade secrets belonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of the PRC’s state-sponsored apparatus to transfer US technology to the PRC.”

    Read 11 remaining paragraphs | Comments

    • chevron_right

      Hackers can unlock over 3 million hotel doors in seconds

      news.movim.eu / ArsTechnica · 6 days ago - 13:52 · 1 minute

    Picture of Saflok lock on hotel door

    Enlarge / A Saflok branded lock. (credit: Dormakaba)

    When thousands of security researchers descend on Las Vegas every August for what's come to be known as “hacker summer camp,” the back-to-back Black Hat and Defcon hacker conferences, it's a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city's elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room's gadgets, from its TV to its bedside VoIP phone.

    One team of hackers spent those days focused on the lock on the room's door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they're finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.

    Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok . The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries.

    Read 19 remaining paragraphs | Comments

    • chevron_right

      Never-before-seen data wiper may have been used by Russia against Ukraine

      news.movim.eu / ArsTechnica · 6 days ago - 00:37 · 1 minute

    Never-before-seen data wiper may have been used by Russia against Ukraine

    Enlarge (credit: Getty Images)

    Researchers have unearthed never-before-seen wiper malware tied to the Kremlin and an operation two years ago that took out more than 10,000 satellite modems located mainly in Ukraine on the eve of Russia’s invasion of its neighboring country.

    AcidPour, as researchers from security firm Sentinel One have named the new malware, has stark similarities to AcidRain , a wiper discovered in March 2022 that Viasat has confirmed was used in the attack on its modems earlier that month. Wipers are malicious applications designed to destroy stored data or render devices inoperable. Viasat said AcidRain was installed on more than 10,000 Eutelsat KA-SAT modems used by the broadband provider seven days prior to the March 2022 discovery of the wiper. AcidRain was installed on the devices after attackers gained access to the company’s private network.

    Sentinel One, which also discovered AcidRain, said at the time that the earlier wiper had enough technical overlaps with malware the US government attributed to the Russian government in 2018 to make it likely that AcidRain and the 2018 malware, known as VPNFilter, were closely linked to the same team of developers. In turn, Sentinel One’s report Thursday noting the similarities between AcidRain and AcidPour, provides evidence that AcidPour was also created by developers working on behalf of the Kremlin.

    Read 10 remaining paragraphs | Comments

    • chevron_right

      Unpatchable vulnerability in Apple chip leaks secret encryption keys

      news.movim.eu / ArsTechnica · 7 days ago - 14:40 · 1 minute

    Apple's M1 chip.

    Enlarge / Apple's M1 chip. (credit: Photographer: Daniel Acker/Bloomberg via Getty Images)

    A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday.

    The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.

    Beware of hardware optimizations

    The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel's 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.

    Read 19 remaining paragraphs | Comments

    • chevron_right

      “Disabling cyberattacks” are hitting critical US water systems, White House warns

      news.movim.eu / ArsTechnica · Wednesday, 20 March - 00:26 · 1 minute

    Aerial view of a sewage treatment plant.

    Enlarge / Aerial view of a sewage treatment plant. (credit: Getty Images)

    The Biden administration on Tuesday warned the nation’s governors that drinking water and wastewater utilities in their states are facing “disabling cyberattacks” by hostile foreign nations that are targeting mission-critical plant operations.

    “Disabling cyberattacks are striking water and wastewater systems throughout the United States,” Jake Sullivan, assistant to the President for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter . “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

    The letter cited two recent hacking threats water utilities have faced from groups backed by hostile foreign countries. One incident occurred when hackers backed by the government of Iran disabled operations gear used in water facilities that still used a publicly known default administrator password. The letter didn’t name the facility by name, but details included in a linked advisory tied the hack to one that struck the Municipal Water Authority of Aliquippa in western Pennsylvania last November. In that case, the hackers compromised a programmable logic controller made by Unitronics and made the device screen display an anti-Israeli message. Utility officials responded by temporarily shutting down a pump that provided drinking water to local townships.

    Read 4 remaining paragraphs | Comments

    • chevron_right

      Fujitsu says it found malware on its corporate network, warns of possible data breach

      news.movim.eu / ArsTechnica · Monday, 18 March - 19:44

    Fujitsu says it found malware on its corporate network, warns of possible data breach

    Enlarge (credit: Getty Images)

    Japan-based IT behemoth Fujitsu said it has discovered malware on its corporate network that may have allowed the people responsible to steal personal information from customers or other parties.

    “We confirmed the presence of malware on several of our company's work computers, and as a result of an internal investigation, it was discovered that files containing personal information and customer information could be illegally taken out,” company officials wrote in a March 15 notification that went largely unnoticed until Monday. The company said it continued to “investigate the circumstances surrounding the malware's intrusion and whether information has been leaked.” There was no indication how many records were exposed or how many people may be affected.

    Fujitsu employs 124,000 people worldwide and reported about $25 billion in its fiscal 2023, which ended at the end of last March. The company operates in 100 countries. Past customers include the Japanese government. Fujitsu’s revenue comes from sales of hardware such as computers, servers, and telecommunications gear, storage systems, software, and IT services.

    Read 3 remaining paragraphs | Comments