Enlarge (credit: The_Grim_Sleeper)

Bandai Namco, publisher of the Dark Souls role-playing game series, has taken down its player-versus-player servers while it investigates reports of a serious vulnerability that allows players to execute malicious code on the PCs of fellow players.

Word of the critical remote-code-execution flaw emerged over the weekend in Reddit threads here and here. An exploit that hit a user named The_Grim_Sleeper was captured in a video stream posted over the weekend. Starting around 1:20:22, the user’s game crashed, and a robotic voice mocked his gameplay and maturity level.

“What the fuck,” The_Grim_Sleeper said in response. “My game just crashed, and immediately Powershell opened up and started narrating a fucking” screed. “I didn’t even know that shit was possible.”

Enlarge (credit: Getty Images | zf L)

AT&T has started offering 2Gbps and 5Gbps symmetrical Internet speeds over its fiber-to-the-home network, the telecom company announced today. The multi-gigabit speeds are available to "nearly 5.2 million customer locations in parts of more than 70 metro areas, such as LA, Atlanta, and Dallas," AT&T said.

AT&T is charging $110 a month plus taxes for its 2Gbps home-Internet plan and $180 a month plus taxes for the 5Gbps home-Internet plan. Business fiber prices are $225 a month for 2Gbps and $395 for 5Gbps. Base prices for other fiber home-Internet plans are $55 for 300Mbps, $65 for 500Mbps, and $80 for 1Gbps. The fine print notes that a "$99 installation fee may apply."

AT&T imposes data caps on lower-end home-Internet plans but provides unlimited data on tiers with speeds of 100Mbps and above. AT&T's announcement said its new fiber plans have "no equipment fees, no annual contract, no data caps, and no price increase at 12 months." The 1Gbps and multi-gigabit plans also include HBO Max access.

Enlarge / Servicemen of Russia's Eastern Military District units attend a welcoming ceremony as they arrive in Belarus to take part in joint military exercises. Russia's military is combining its own means of transport with train travel. (credit: Getty Images)

Hacktivists in Belarus said on Monday they had infected the network of the country’s state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine.

Referring to the Belarus Railway, a group calling itself Cyber ​​Partisans wrote on Telegram:

BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the "Peklo" cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed.

Dozens of databases have been cyberattacked, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, pass.rw.by, uprava, IRC, etc.

Automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations.

The group also announced the attack by Twitter.

Enlarge / Patriot Front members spray painting in Springfield, IL. (credit: Unicornriot.ninja)

Chat messages, images, and videos leaked from the server of a white supremicist group called the Patriot Front purport to show its leader and rank-and-file members conspiring in hate crimes, despite their claims that they were a legitimate political organization.

Patriot Front, or PF, formed in the aftermath of the 2017 Unite the Right rally, a demonstration in Charlottesville, Virginia, that resulted in one death and 35 injuries when a rally attendee rammed his car into a crowd of counter-protesters. PF founder Thomas Rousseau, started the group after an image posted online showed the now-convicted killer, James Alex Fields, Jr., posing with members of Vanguard America shortly before the attack. Vanguard America soon dissolved, and Rousseau rebranded it as PF with the goal of hiding any involvement in violent acts.

Since then, PF has strived to present itself as a group of patriots who are aligned with the ideals and values of the founders who defeated the tyranny of British colonists in the 18th century and paved the way for the United States to be born. In announcing the the formation of PF in 2017, Rousseau wrote:

Enlarge / Sam Zeloof completed this homemade computer chip with 1,200 transistors, seen under a magnifying glass, in August 2021. (credit: Sam Kang)

In August, chipmaker Intel revealed new details about its plan to build a “mega-fab” on US soil, a $100 billion factory where 10,000 workers will make a new generation of powerful processors studded with billions of transistors. The same month, 22-year-old Sam Zeloof announced his own semiconductor milestone. It was achieved alone in his family’s New Jersey garage, about 30 miles from where the first transistor was made at Bell Labs in 1947.

With a collection of salvaged and homemade equipment, Zeloof produced a chip with 1,200 transistors. He had sliced up wafers of silicon, patterned them with microscopic designs using ultraviolet light, and dunked them in acid by hand, documenting the process on YouTube and his blog. “Maybe it’s overconfidence, but I have a mentality that another human figured it out, so I can too, even if maybe it takes me longer,” he says.

Enlarge (credit: Getty Images)

Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on “quite a few” sites running the open source content management system.

The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from JetPack, the maker of security software owned by Automatic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

Unknowingly providing access to the attacker

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean.

Enlarge (credit: Getty Images)

The Red Cross on Wednesday pleaded with the threat actors behind a cyberattack that stole the personal data of about 515,000 people who used a program that works to reunite family members separated by conflict, disaster or migration.

"While we don't know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them," Robert Mardini, the director-general of the International Committee for the Red Cross, said in a release. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world's least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data."

Wednesday’s release said the personal data was obtained through the hack of a Switzerland-based subcontractor that stores data for the Red Cross. The data was compiled by at least 60 different Red Cross and Red Crescent National Societies worldwide. The ICRC said it has no "immediate indications as to who carried out this cyber-attack" and is so far unaware of any of the compromised information being leaked or shared publicly.

Enlarge (credit: Western Digital)

Western Digital has patched three critical vulnerabilities—one with a severity rating of 9.8 and another with a 9.0—that make it possible for hackers to steal data or remotely hijack storage devices running version 3 of the company’s My Cloud OS.

CVE-2021-40438, as one of the vulnerabilities is tracked, allows remote attackers with no authentication to make devices forward requests to servers of the attackers’ choosing. Like the other two flaws Western Digital fixed, it resides in the Apache HTTP Server versions 2.4.48 and earlier. Attackers have already successfully exploited it to steal hashed passwords from a vulnerable system, and exploit code is readily available.

The vulnerability with a severity rating of 9 out of a maximum 10 stems from a Server-Side Request Forgery. This class of bug lets attackers funnel malicious requests to internal systems that are behind firewalls or otherwise not accessible outside a private network. It works by inducing server-side applications to make HTTP requests to an arbitrary domain of the attacker's choosing.

Enlarge / A Boeing 777. (credit: Boeing)

The Federal Aviation Administration today said it has cleared 62 percent of US commercial airplanes to perform low-visibility landings at airports where AT&T and Verizon are deploying 5G on C-band spectrum this week.

Several international airlines previously canceled some flights to the US after Boeing issued a recommendation to not fly the 777 into airports where carriers are deploying 5G on the C-band. However, the 777 planes—or at least those that have altimeters capable of filtering out C-band transmissions—were on the FAA's new list of cleared aircraft. The FAA has been granting Alternate Means of Compliance (AMOCs) to operators with altimeters that are safe to use.

"Airplane models with one of the five cleared altimeters include some Boeing 717, 737, 747, 757, 767, 777, MD-10/-11 and Airbus A300, A310, A319, A320, A330, A340, A350 and A380 models," the FAA said in a statement issued shortly after 2 pm EST today. These airplanes are now authorized "to perform low-visibility landings at airports where wireless companies deployed 5G C-band," the FAA said. The word "some" indicates that not every plane with the mentioned model numbers has an approved altimeter.

Enlarge (credit: Aurich Lawson)

Microsoft's monthly Patch Tuesday updates for Windows are generally meant to fix problems, but that isn't how it always goes. January's updates, released last week, caused a handful of problems for businesses in particular. The most serious, especially for people still dealing with pandemic-driven remote-work setups, was a bug that broke certain kinds of VPN connections. Microsoft has provided fixes for this and other issues as of today, a few days after acknowledging the problem on its Known Issues page.

According to Microsoft's documentation and reporting from Bleeping Computer, the VPN connection issues affected "IPSEC connections which contain a Vendor ID," as well as L2TP and IPSEC IKE VPN connections in Windows 10, Windows 11, and Windows Server versions 2022, 20H2, 2019, and 2016. Windows' built-in VPN client seems to be the most commonly affected, but third-party VPN clients using these kinds of connections could also run into the error.

The latest round of Patch Tuesday updates also caused some problems for Windows Server, including unexpected reboots for domain controllers and failed boots for Hyper-V virtual machines. These problems have all been resolved by other out-of-band patches, though not before causing problems for beleaguered IT admins.

Enlarge (credit: Getty Images)

For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin—meaning the protocol, domain name, and port of a given webpage or app—from interacting with resources from other origins. Without this policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.

Obvious privacy violation

Since September’s release of Safari 15 and iOS and iPadOS 15, this policy has been broken wide open, research published late last week found. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.

Enlarge (credit: Getty Images)

Over the past few months, geopolitical tensions have escalated as Russia amassed tens of thousands of troops along Ukraine’s border and made subtle but far-reaching threats if Ukraine and NATO don’t agree to Kremlin demands.

Now, a similar dispute is playing out in cyber arenas, as unknown hackers late last week defaced scores of Ukrainian government websites and left a cryptic warning to Ukrainian citizens who attempted to receive services.

Be afraid and expect the worst

“All data on the computer is being destroyed, it is impossible to recover it,” said a message, written in Ukrainian, Russian, and Polish, that appeared late last week on at least some of the infected systems. “All information about you has become public, be afraid and expect the worst."

Enlarge (credit: Jeremy Brooks / Flickr)

Researchers have uncovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines.

Researchers from security firm Intezer said they discovered SysJoker—the name they gave the backdoor—on the Linux-based Webserver of a “leading educational institution.” As the researchers dug in, they found SysJoker versions for both Windows and macOS as well. They suspect the cross-platform malware was unleashed in the second half of last year.

The discovery is significant for several reasons. First, fully cross-platform malware is something of a rarity, with most malicious software being written for a specific operating system. The backdoor was also written from scratch and made use of four separate command-and-control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for previously unseen Linux malware to be found in a real-world attack.

Enlarge

The past year saw a breathtaking rise in the value of cryptocurrencies like Bitcoin and Ethereum, with Bitcoin gaining 60 percent in value in 2021 and Ethereum spiking 80 percent. So perhaps it's no surprise that the relentless North Korean hackers who feed off that booming crypto economy had a very good year as well.

North Korean hackers stole a total of $395 million worth of crypto coins last year across seven intrusions into cryptocurrency exchanges and investment firms, according to blockchain analysis firm Chainalysis. The nine-figure sum represents a nearly $100 million increase over the previous year's thefts by North Korean hacker groups, and it brings their total haul over the past five years to $1.5 billion in cryptocurrency alone—not including the uncounted hundreds of millions more the country has stolen from the traditional financial system. That hoard of stolen cryptocurrency now contributes significantly to the coffers of Kim Jong-un's totalitarian regime as it seeks to fund itself—and its weapons programs—despite the country's heavily sanctioned, isolated, and ailing economy.

Enlarge (credit: Getty Images)

Russian law enforcement authorities said on Friday that they have arrested 14 people associated with REvil, a top ransomware group that has disrupted critical operations of wealthy targets and held their data hostage.

The action, carried out by Russia’s FSB, the successor agency to the KGB, is a rare example of the country’s government cracking down on cybercrime by its citizens. The US and Russia have no extradition treaty in place, and critics have said the Kremlin routinely harbors cybercriminals as long as they don’t target organizations located in the former Soviet Union. The arrests come as tensions between Russia and the US escalate over a standoff involving Ukraine.

Big-game hunter neutralized

“The FSB of Russia established the full composition of the criminal community ‘REvil’ and the involvement of its members in the illegal circulation of means of payment and documented illegal activities,” Russian officials wrote. “In order to implement the criminal plan, these persons developed malicious software and organized the theft of funds from the bank accounts of foreign citizens and their cashing, including by purchasing expensive goods on the Internet.”

Enlarge / An Ukrainian Military Forces serviceman watches through spyglass in a trench on the frontline with Russia-backed separatists near to Avdiivka, southeastern Ukraine, on January 9, 2022. (credit: Anatolii Stepanov | Getty Images)

Ukraine said it was the target of a “massive cyber attack” after about 70 government websites ceased functioning.

On Friday morning targets included websites of the ministerial cabinet, the foreign, education, agriculture, emergency, energy, veterans affairs and environment ministries. Also out of service were the websites of the state treasury and the Diia electronic public services platform, where vaccination certificates and electronic passports are stored.

“Ukrainians! All your personal data has been uploaded to the public network,” read a message temporarily posted on the foreign ministry’s website. “All data on your computer is being erased and won’t be recoverable. All information about you has become public, fear and expect the worst.”

Enlarge (credit: Getty Images)

For more than a decade, the Internet has remained vulnerable to a class of attacks that uses browsers as a beachhead for accessing routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.

Starting in Chrome version 98, the browser will begin relaying requests when public websites want to access endpoints inside the private network of the person visiting the site. For the time being, requests that fail won't prevent the connections from happening. Instead, they'll only be logged. Somewhere around Chrome 101—assuming the results of this trial run don't indicate major parts of the Internet will be broken—it will be mandatory for public sites to have explicit permission before they can access endpoints behind the browser.

The planned deprecation of this access comes as Google enables a new specification known as private network access, which permits public websites to access internal network resources only after the sites have explicitly requested it and the browser grants the request. PNA communications are sent using the CORS, or Cross-Origin Resource Sharing, protocol. Under the scheme, the public site sends a preflight request in the form of the new header Access-Control-Request-Private-Network: true. For the request to be granted, the browser must respond with the corresponding header Access-Control-Allow-Private-Network: true.

Enlarge (credit: James Brey / iStockPhoto / Getty Images)

The developer who sabotaged two of his own open source code libraries, causing disruptions for thousands of apps that used them, has a colorful past that includes embracing a QAnon theory involving Aaron Swartz, the well-known hacktivist and programmer who died by suicide in 2013.

Marak Squires, the author of two JavaScript libraries with more than 21,000 dependent apps and more than 22 million weekly downloads, updated his projects late last week after they remained unchanged for more than a year. The updates contained code to produce an infinite loop that caused dependent apps to spew gibberish, prefaced by the words “Liberty Liberty Liberty.” The update sent developers scrambling as they attempted to fix their malfunctioning apps.

What really happened with Aaron Swartz?

Squires provided no reason for the move, but in a readme file accompanying last week’s malicious update, he included the words “What really happened with Aaron Swartz?”

Enlarge (credit: Getty Images)

Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that allows them to gain full control of affected systems, the UK’s publicly funded healthcare system is warning.

CVE-2021-44228 is one of the most severe vulnerabilities to come to light in the past few years. It resides in Log4J, a system-logging code library used in thousands if not millions of third-party applications and websites. That means there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install Web shells, which provide a command window for executing highly privileged commands on hacked servers.

The remote-code execution flaw in Log4J came to light in December after exploit code was released before a patch was available. Malicious hackers quickly began actively exploiting CVE-2021-44228 to compromise sensitive systems.

Enlarge (credit: Getty Images)

Apple has been taking its time fixing an iOS bug that makes it easy for miscreants to completely disable an iOS device unless the victim performs a factory restore and follows other cumbersome steps, a researcher said.

HomeKit is an Apple-designed communication protocol that allows people to use their iPhones or iPads to control lights, TVs, alarms, and other home or office appliances. Users can configure their devices to automatically discover appliances on the same network, and they can also share those settings with other people so they can use their own iPhones or iPads to control the appliances. The sharing feature makes it easy to allow new people—say, a housesitter or babysitter—to control a user’s appliances.

Trevor Spiniolas, a self-described programmer and “beginning security researcher,” said recently that a bug in the feature allows someone to send an iOS device into an unending crash spiral. It can be triggered by using an extremely long name—up to 500,000 characters in length—to identify one of the smart devices and then getting a user to accept an invitation to that network.