Category: Editor’s Pick

In recent years, commercial spyware has been deployed by more actors against a wider range of victims, but the prevailing narrative has still been that the malware is used in targeted attacks against an extremely small number of people. At the same time, though, it has been difficult to check devices for infection, leading individuals to navigate an ad hoc array of academic institutions and NGOs that have been on the front lines of developing forensic techniques to detect mobile spyware. On Tuesday, the mobile device security firm iVerify is publishing findings from a spyware detection feature it launched in May. Of 2,500 device scans that the company’s customers elected to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus.

The company’s Mobile Threat Hunting feature uses a combination of signature-based malware detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. The company also offers the feature at no extra charge to anyone who buys the $1 iVerify Basics app: these users walk through steps to generate a diagnostic file on the device and send it to iVerify, and receive an analysis within hours, with a limit of one scan per month. iVerify’s infrastructure is built to be privacy-preserving, but to run Mobile Threat Hunting, users must enter an email address so the company has a way to contact them if a scan turns up spyware, as it did in the seven recent Pegasus discoveries.

“The really fascinating thing is that the people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, people in government positions,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “It looks a lot more like the targeting profile of your average piece of malware or your average APT group than it does the narrative that’s been out there that mercenary spyware is being abused to target activists. It is doing that, absolutely, but this cross section of society was surprising to find.”

Hackers pocketed as much as $155,000 by sneaking a backdoor into a code library used by developers of smart contract apps that work with the cryptocurrency known as Solana.

The supply-chain attack targeted solana-web3.js, a collection of JavaScript code used by developers of decentralized apps for interacting with the Solana blockchain. These “dapps” let users sign transactions that invoke smart contracts, programs that, in theory, execute trades autonomously between two or more parties when agreed-upon conditions are met.

The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7. These backdoored versions were available for download during a five-hour window between 3:20 pm UTC and 8:25 pm UTC on Tuesday.
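A practitioner reading this will first want to know whether either backdoored release ever landed in a project’s dependency tree, including as a transitive dependency pulled in by some SDK. The following is an added example, not code from the article or from the solana-web3.js project: it walks an npm lockfile and reports every installed copy of @solana/web3.js at version 1.95.6 or 1.95.7. The package name and versions come from the article; the two lockfiles below are constructed samples, and “some-dapp-sdk” is a made-up package name.

```javascript
// Added example, not code from the article or from the solana-web3.js project:
// scan an npm lockfile for the two backdoored @solana/web3.js releases.
// The package name and versions are from the article; the lockfiles below are
// constructed samples, and "some-dapp-sdk" is a made-up package name.
const COMPROMISED = new Map([
  ["@solana/web3.js", new Set(["1.95.6", "1.95.7"])],
]);

// Returns every installed copy (top-level or nested) at a compromised version.
// Handles lockfileVersion 2/3 ("packages", keyed by node_modules path) and
// lockfileVersion 1 ("dependencies", a nested tree).
function findCompromised(lock) {
  const hits = [];
  const check = (path, name, version) => {
    const bad = COMPROMISED.get(name);
    if (bad && bad.has(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path.includes("node_modules/")) continue; // "" root and workspace links
      // The segment after the final "node_modules/" is the package name,
      // including a scope such as "@solana/".
      check(path, path.split("node_modules/").pop(), meta.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (lockfileVersion 3): a direct copy at 1.95.7 and a
// transitive copy at 1.95.6 pulled in by a hypothetical SDK.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.1.0" },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-dapp-sdk": { version: "2.0.0" },
    "node_modules/some-dapp-sdk/node_modules/@solana/web3.js": { version: "1.95.6" },
    "node_modules/bs58": { version: "4.0.1" },
  },
};

// Constructed sample (lockfileVersion 1): only the nested copy is affected.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-dapp-sdk": {
      version: "2.0.0",
      dependencies: { "@solana/web3.js": { version: "1.95.6" } },
    },
    "@solana/web3.js": { version: "1.95.5" },
  },
};

console.log(JSON.stringify(findCompromised(SAMPLE_LOCK_V3), null, 2));
console.log(JSON.stringify(findCompromised(SAMPLE_LOCK_V1), null, 2));
```

To run it against a real project, replace the sample object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; yarn.lock and pnpm-lock.yaml are different formats and are not parsed here. A hit only tells you the version was installed; whether the backdoor could do harm depends, as the article notes, on whether the app handled private keys directly, and any key such an app touched while a flagged version was installed should be treated as exposed and rotated.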

On Wednesday, OpenAI CEO Sam Altman announced a “12 days of OpenAI” period starting December 5, which will unveil new AI features and products for 12 consecutive weekdays.

Altman did not specify the exact features or products OpenAI plans to unveil, but a report from The Verge about this “12 days of shipmas” event suggests the products may include a public release of the company’s text-to-video model Sora and a new “reasoning” AI model similar to o1-preview. Perhaps we may even see DALL-E 4 or a new image generator based on GPT-4o’s multimodal capabilities.

Altman’s full tweet included hints at releases both big and small:

The week before Thanksgiving, Marshall Brain sent a final email to his colleagues at North Carolina State University. “I have just been through one of the most demoralizing, depressing, humiliating, unjust processes possible with the university,” wrote the founder of HowStuffWorks.com and director of NC State’s Engineering Entrepreneurs Program. Hours later, campus police found that Brain had died by suicide.

NC State police discovered Brain unresponsive in Engineering Building II on Centennial Campus around 7 am on November 20, following a welfare check request from his wife at 6:40 am, according to The Technician, NC State’s student newspaper. Police confirmed Brain was deceased when they arrived.

Brian Gordon, a reporter for The News and Observer in Raleigh, obtained a copy of Brain’s death certificate and shared it with Ars Technica, confirming the suicide. It marks an abrupt end to a life rich with achievement and the joy of spreading technical knowledge to others.

A Russian court has issued a life sentence to a man found guilty of being the kingpin of a dark web drug marketplace that supplied more than a metric ton of narcotics and psychotropic substances to customers around the world.

On Monday, the court found that Stanislav Moiseyev oversaw Hydra, a Russian-language market that operated an anonymous website matching sellers of drugs and other illicit wares with buyers. Hydra was dismantled in 2022 after authorities in Germany seized servers and other infrastructure used by the sprawling, billion-dollar enterprise, along with a stash of bitcoin worth millions of dollars. At the time, Hydra was the largest darknet market, having facilitated $5 billion in transactions for 17 million customers. It had been in operation since 2015.

One-stop cybercrime shop

“The court established that from 2015 to October 2018, the criminal community operated in various regions of the Russian Federation and the Republic of Belarus,” the state prosecutor’s office of the Moscow Region said. “The well-covered activities of the organized criminal group were aimed at systematically committing serious and especially serious crimes related to the illegal trafficking of drugs and psychotropic substances.”

OpenAI’s ChatGPT is more than just an AI language model with a fancy interface. It’s a system consisting of a stack of AI models and content filters that make sure its outputs don’t embarrass OpenAI or get the company into legal trouble when its bot occasionally makes up facts about people that may be harmful.

Recently, that reality made the news when people discovered that the name “David Mayer” breaks ChatGPT. 404 Media also discovered that the names “Jonathan Zittrain” and “Jonathan Turley” caused ChatGPT to cut conversations short. And we know another name, likely the first, that started the practice last year: Brian Hood. More on that below.

The chat-breaking behavior occurs consistently when users mention these names in any context, and it results from a hard-coded filter that puts the brakes on the AI model’s output before returning it to the user.
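A hard-coded output filter of the kind described above is simple to state and easy to get subtly wrong. The following is an added illustration, not OpenAI’s code: a deny-list of the names the article mentions is applied to model output before it is returned to the user, and the response is cut at the first match. That the output arrives as streamed chunks, and that a name can be split across chunk boundaries by the tokenizer, are assumptions made for this demonstration; the example shows why a per-chunk check misses such a split and how holding back a short tail fixes it.

```javascript
// Added example, not OpenAI's code: a hard-coded name filter applied to model
// output before it is returned to the user. The names are those the article
// lists; that the output arrives as streamed chunks, and that the response is
// cut at the match, are assumptions made for this demonstration.
const BLOCKED_NAMES = ["David Mayer", "Jonathan Zittrain", "Jonathan Turley", "Brian Hood"];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Case-insensitive match; any single whitespace character may separate the
// parts of a name, so a match is never longer than the name itself.
const NAME_PATTERNS = BLOCKED_NAMES.map((name) => ({
  name,
  re: new RegExp(name.split(" ").map(escapeRe).join("\\s"), "i"),
}));

// Earliest blocked name in `text` as { name, index }, or null.
function matchName(text) {
  let best = null;
  for (const { name, re } of NAME_PATTERNS) {
    const m = re.exec(text);
    if (m && (best === null || m.index < best.index)) best = { name, index: m.index };
  }
  return best;
}

// Naive filter: test each chunk on its own. A name the tokenizer splits across
// chunks ("Dav" + "id May" + "er") sails through.
function naiveFilter(chunks) {
  let delivered = "";
  for (const chunk of chunks) {
    const hit = matchName(chunk);
    if (hit) return { blocked: true, matched: hit.name, delivered: delivered + chunk.slice(0, hit.index) };
    delivered += chunk;
  }
  return { blocked: false, matched: null, delivered };
}

// Buffered filter: hold back the last (longest name - 1) characters, since any
// partially received name fits entirely within that tail, and release the rest.
// A match spanning chunk boundaries is therefore caught before release.
const HOLDBACK = Math.max(...BLOCKED_NAMES.map((n) => n.length)) - 1;

function bufferedFilter(chunks, holdback = HOLDBACK) {
  let delivered = "";
  let pending = "";
  for (const chunk of chunks) {
    pending += chunk;
    const hit = matchName(pending);
    if (hit) return { blocked: true, matched: hit.name, delivered: delivered + pending.slice(0, hit.index) };
    if (pending.length > holdback) {
      delivered += pending.slice(0, pending.length - holdback);
      pending = pending.slice(pending.length - holdback);
    }
  }
  // End of stream: whatever is held back can no longer complete a name.
  return { blocked: false, matched: null, delivered: delivered + pending };
}

// Constructed sample stream: the name straddles three chunks.
const SAMPLE_CHUNKS = ["The essay was co-authored by Dav", "id May", "er and a colleague."];
console.log("naive:   ", naiveFilter(SAMPLE_CHUNKS));
console.log("buffered:", bufferedFilter(SAMPLE_CHUNKS));
```

The holdback costs a little latency (the user sees text up to sixteen characters later than it was generated for this deny-list), which is the price of checking the output rather than the prompt; the same `matchName` can be run on the user’s input first, which is consistent with the article’s observation that merely mentioning one of the names is enough to trigger the behavior.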

Companies have been discussing migrating off of VMware since Broadcom’s takeover a year ago led to higher costs and other controversial changes. Now we have an inside look at one of the larger customers that recently made the move.

According to a report from The Register today, Beeks Group, a cloud operator headquartered in the United Kingdom, has moved most of its 20,000-plus virtual machines (VMs) off VMware and to OpenNebula, an open source cloud and edge computing platform. Beeks Group sells virtual private servers and bare metal servers to financial service providers. It still has some VMware VMs, but “the majority” of its machines are currently on OpenNebula, The Register reported.

Beeks’ head of production management, Matthew Cretney, said that one reason for Beeks’ migration was a VMware bill for “10 times the sum it previously paid for software licenses,” per The Register.

Researchers have discovered malicious code circulating in the wild that hijacks the earliest stage of the boot process on Linux devices by exploiting a year-old firmware vulnerability on affected models where it remains unpatched.

The critical vulnerability is one of a constellation of exploitable flaws discovered last year and collectively named LogoFAIL. Exploits for them bypass an industry-standard defense known as Secure Boot and execute malicious code in the firmware, early in the boot process, before the operating system loads. Until now, there were no public indications that LogoFAIL exploits were circulating in the wild.

The discovery of code downloaded from an Internet-connected web server changes that. While there are no indications the public exploit is actively being used, it is reliable and polished enough to be production-ready and could pose a threat in the real world in the coming weeks or months. Both the LogoFAIL vulnerabilities and the exploit found online were discovered by Binarly, a firm that helps customers identify and secure vulnerable firmware.

Over the past decade, a new class of infection has threatened Windows users. By inserting themselves into the UEFI firmware stage that runs before the operating system loads, these bootkits survive reformatting or reinstalling the operating system, and those that lodge in the firmware chip itself even survive replacement of the hard drive. Now the same type of malware has surfaced for backdooring Linux machines.

Researchers at security firm ESET said Wednesday that Bootkitty, the name its unknown authors gave to their Linux bootkit, was uploaded to VirusTotal earlier this month. Compared with its Windows cousins, Bootkitty is still rudimentary: key under-the-hood functionality is imperfect, and it can infect only Ubuntu, not other Linux distributions. That has led ESET’s researchers to suspect the bootkit is a proof of concept. To date, ESET has found no evidence of actual infections in the wild.

Image: The ASCII logo that Bootkitty is capable of rendering. Credit: ESET

Be prepared

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines.

A recent firmware update pushed to QNAP network-attached storage (NAS) devices left a number of owners unable to access their storage. The company has withdrawn that firmware and issued a fixed version, but its response has left some users feeling less confident in the boxes into which they put all their digital stuff.

As seen on a QNAP community thread, and as announced by QNAP itself, the QNAP operating system, QTS, received update 5.2.2.2950, build 20241114, at some point around November 19. After QNAP “received feedbacks from some users reporting issues with device functionality after installation,” the firm says it withdrew it, “conducted a comprehensive investigation,” and re-released a fixed version “within 24 hours.”

The community thread shows many more users, on many more models, having problems than QNAP’s short list of affected devices (“limited models of TS-x53D series and TS-x51 series”) suggests. Issues reported included owners’ logins being rejected as unauthorized, devices reporting boot problems, and claims that Python was missing, preventing some apps and services from running.
