Ars Technica - Technology Lab

Advisories: "Brazen” Russian ransomware hackers target hundreds of US hospitals

Thu, 29 Oct 2020 04:55:48 GMT

Enlarge (credit: Getty Images)

Russian hackers are targeting hundreds of US hospitals and healthcare providers just as the Corona Virus is making a comeback and the US presidential election is in its final stretch, officials from three government agencies and the private sector are warning.

The hackers typically use the TrickBot network of infected computers to penetrate the organizations and after further burrowing into their networks deploy Ryuk, a particularly aggressive piece of ransomware, a joint advisory published by the FBI, Health and Human Services, and the Cybersecurity & Infrastructure Security agency said.

“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” Wednesday evening’s advisory stated. “CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

Read 9 remaining paragraphs | Comments

In a first, researchers extract secret key used to encrypt Intel CPU code

Wed, 28 Oct 2020 20:20:02 GMT

Enlarge (credit: Intel)

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured.

The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.

“At the moment, it is quite difficult to assess the security impact,” independent researcher Maxim Goryachy said in a direct message. “But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.” Goryachy and two other researchers—Dmitry Sklyarov and Mark Ermolov, both with security firm Positive Technologies—worked jointly on the project.

Read 10 remaining paragraphs | Comments

Trump’s website defaced with claim that Trump admin created coronavirus

Wed, 28 Oct 2020 17:04:08 GMT

Enlarge / President Trump's campaign website during its brief defacement. (credit: Gabriel Lorenzo Greschler)

President Trump's website last night was briefly defaced by hackers who pitched a cryptocurrency scam and claimed that Trump has "criminal involvement" with election manipulation and that his administration was involved in creating the coronavirus.

Donaldjtrump.com is back to normal now, seeking donations and urging Trump supporters to register to vote. The defacement reportedly lasted less than 30 minutes on Tuesday evening. Trump-campaign spokesperson Tim Murtaugh issued a statement saying the campaign is "working with law enforcement authorities to investigate the source of the attack. There was no exposure to sensitive data because none of it is actually stored on the site. The website has been restored."

The website during its defacement had Department of Justice and FBI logos above a typo-filled message that said:

Read 5 remaining paragraphs | Comments

SpaceX Starlink public beta begins: It’s $99 a month plus $500 up front

Tue, 27 Oct 2020 14:26:39 GMT

Enlarge / A SpaceX Starlink user terminal/satellite dish. (credit: SpaceX)

SpaceX has begun sending email invitations to Starlink's public beta and will charge beta users $99 per month plus a one-time fee of $499 for the user terminal, mounting tripod, and router. The emails are being sent to people who previously registered interest in the service on the Starlink website. One person in Washington state who got the email posted it on Reddit. Another person who lives in Wisconsin got the Starlink public-beta invitation and passed the details along to Ars via email.

SpaceX is calling it the "Better Than Nothing" beta, perhaps partly because the Starlink satellite service will be most useful to people who cannot get cable or fiber broadband. But the email also says, "As you can tell from the title, we are trying to lower your initial expectations."

The rest of the email reads as follows:

Read 7 remaining paragraphs | Comments

Study shows which messengers leak your data, drain your battery, and more

Mon, 26 Oct 2020 21:31:52 GMT

Enlarge (credit: Getty Images)

Link previews are a ubiquitous feature found in just about every chat and messaging app, and with good reason. They make online conversations easier by providing images and text associated with the file that’s being linked.

Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries, and, in one case, expose links in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were messengers from Facebook, Instagram, LinkedIn, and Line. More about that shortly. First a brief discussion of previews.

When a sender includes a link in a message, the app will display the conversation along with text (usually a headline) and images that accompany the link. It usually looks something like this:

Read 9 remaining paragraphs | Comments

SpaceX Starlink to go South for first time with planned deployment in Texas

Mon, 26 Oct 2020 19:16:43 GMT

Enlarge / Starlink logo imposed on stylized image of the Earth. (credit: Starlink)

SpaceX has agreed to provide Internet service to 45 families in a Texas school district in early 2021 and to an additional 90 families later on, the school district announced last week. The announcement by Ector County Independent School District (ECISD) in Odessa said it will be the "first school district to utilize SpaceX satellites to provide Internet for students."

"The project will initially provide free Internet service to 45 families in the Pleasant Farms area of south Ector County," the district said. "As the network capabilities continue to grow, it will expand to serve an additional 90 Ector County families."

The Texas location is notable because the ongoing, limited Starlink beta exists only in the northern US, and SpaceX CEO Elon Musk has said an upcoming public beta will only be for the northern US and "hopefully" southern Canada. SpaceX has over 700 Starlink satellites in orbit, and will be able to expand the service area as it deploys more of the nearly 12,000 it has been authorized to launch. In Washington state, Starlink has been deployed to rural homes, a remote tribe, and emergency responders and families in wildfire-stricken areas.

Read 10 remaining paragraphs | Comments

Hackers behind life-threatening attack on chemical maker are sanctioned

Fri, 23 Oct 2020 22:11:37 GMT

Enlarge / Oil and gas industry and sunrise at a refinery in Fujian (credit: Getty Images)

Russian state nationals accused of wielding life-threatening malware specifically designed to tamper with critical safety mechanisms at a petrochemical plant are now under sanction by the US Treasury Department.

The attack drew considerable concern because it’s the first known time hackers have used malware designed to cause death or injury, a prospect that may have actually happened had it not been for a lucky series of events. The hackers—who have been linked to a Moscow-based research lab owned by the Russian government—have also targeted a second facility and been caught scanning US power grids.

Now the Treasury Department is sanctioning the group, which is known as the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics or its Russian abbreviation TsNIIKhM. Under a provision in the Countering America’s Adversaries Through Sanctions Act, or CAATSA, the US is designating the center for “knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.”

Read 8 remaining paragraphs | Comments

T-Mobile screwups caused nationwide outage but FCC isn’t punishing carrier

Fri, 23 Oct 2020 19:13:34 GMT

Enlarge / T-Mobile advertisement in New York City's Times Square on October 15, 2020. (credit: Getty Images | SOPA Images)

The Federal Communications Commission has finished investigating T-Mobile for a network outage that Chairman Ajit Pai called "unacceptable." But instead of punishing the mobile carrier, the FCC is merely issuing a public notice to "remind" phone companies of "industry-accepted best practices" that could have prevented the T-Mobile outage.

After the 12-hour nationwide outage on June 15 disrupted texting and calling services, including 911 emergency calls, Pai wrote that "The T-Mobile network outage is unacceptable" and that "the FCC is launching an investigation. We're demanding answers—and so are American consumers."

Pai has a history of talking tough with carriers and not following up with punishments that might have a greater deterrence effect than sternly worded warnings. That appears to be what happened again yesterday when the FCC announced the findings from its investigation into T-Mobile. Pai said that "T-Mobile's outage was a failure" because the carrier didn't follow best practices that could have prevented or minimized it, but he announced no punishment. The matter appears to be closed based on yesterday's announcement, but we contacted Chairman Pai's office today to ask if any punishment of T-Mobile is forthcoming. We'll update this article if we get a response.

Read 16 remaining paragraphs | Comments

Bot orders $18,752 of McSundaes every 30 min. to find if machines are working

Fri, 23 Oct 2020 16:49:22 GMT

Enlarge / This 2019 photo was taken in Poland, but McDonald's main virtue is that you pretty much know what you're getting with it anywhere in the world. (credit: Michal Fludra | NurPhoto | Getty Images)

Burgers, fries, and McNuggets are the staples of McDonald's fare. But the chain also offers soft-serve ice cream in most of its 38,000+ locations. Or at least, theoretically it does. In reality, the ice cream machines are infamously prone to breaking down, routinely disappointing anyone trying to satisfy their midnight McFlurry craving.

One enterprising software engineer, Rashiq Zahid, decided it's better to know if the ice cream machine is broken before you go. The solution? A bot to check ahead. Thus was born McBroken, which maps out all the McDonald's near you with a simple color-coded dot system: green if the ice cream machine is working and red if it's broken.

The bot basically works through McDonald's mobile app, which you can use to place an order at any McDonald's location. If you can add an ice cream order to your cart, the theory goes, the machine at that location is working. If you can't, it's not. So Zahid took that idea and scaled up.

Read 9 remaining paragraphs | Comments

AT&T loses another 600,000 TV customers as it seeks buyer for DirecTV

Thu, 22 Oct 2020 20:11:58 GMT

Enlarge / AT&T's logo and share price displayed on a monitor at the New York Stock Exchange on Tuesday, Jan. 22, 2019. (credit: Getty Images | Bloomberg)

AT&T lost 627,000 TV customers in Q3 2020, an improvement over previous quarters as the company continues its attempt to sell the failing DirecTV division.

In earnings results reported today, AT&T said it lost 590,000 "Premium TV" customers, a category that includes DirecTV satellite, U-verse wireline TV, and the online service known as AT&T TV. AT&T also lost 37,000 customers from AT&T TV Now, the streaming service formerly known as DirecTV Now.

The Premium TV loss of 590,000 customers in Q3 is the best result since AT&T lost 544,000 subscribers in Q1 2019. AT&T's Premium TV losses ranged from 778,000 to 1.16 million customers per quarter from Q2 2019 through Q2 2020. AT&T currently has 17.1 million Premium TV customers, down from over 25 million in early 2017.

Read 9 remaining paragraphs | Comments

Hacker says he correctly guessed Trump’s Twitter password—it was "maga2020!”

Thu, 22 Oct 2020 17:59:27 GMT

Enlarge (credit: Aurich Lawson)

A security researcher reportedly logged in to President Trump's Twitter account last week by guessing the password—it was "maga2020!"—and then alerted the US government that Trump needed to upgrade his Twitter security practices.

Security researcher Victor Gevers reportedly guessed Trump's password on the fifth attempt and was dismayed that the president had not enabled two-step authentication. The news was reported today by de Volkskrant, a Dutch newspaper, and the magazine Vrij Nederland. Both reports had quotes from Gevers, while Vrij Nederland also published a screenshot that Gevers says he took when he had access to the @realdonaldtrump account.

Gevers reportedly gained access to Trump's Twitter account on Friday last week. He says he tried passwords such as "MakeAmericaGreatAgain" and "Maga2020" before hitting on the correct password of "maga2020!" Gevers is a well-known security researcher and has been quoted in several Ars articles on other security topics going back to 2017. He is a researcher at the nonprofit GDI Foundation and chair of the Dutch Institute for Vulnerability Disclosure.

Read 12 remaining paragraphs | Comments

Trickbot—the for-hire botnet Microsoft attacked—is scrambling to stay alive

Wed, 21 Oct 2020 02:00:08 GMT

Enlarge (credit: Aurich Lawson / Ars Technica)

Operators of Trickbot—a for-hire botnet that has infected more than 1 million devices since 2016—are looking for new ways to stay afloat after Microsoft and a host of industry partners took coordinated action to disrupt it last week.

In an update published on Tuesday, Microsoft Corporate VP for Security & Trust Tom Burt said the operation initially managed to take down 62 of the 69 servers Trickbot was known to be using to control its vast network of infected devices. Trickbot operators responded by quickly spinning up 59 new servers, and Microsoft was able to eliminate all of them except for one.

In all, the industrywide operation has taken down 120 of 128 servers identified as belonging to Trickbot. Now, Trickbot is responding by using a competing criminal group to distribute the Trickbot malware.

Read 10 remaining paragraphs | Comments

Adblockers installed 300,000 times are malicious and should be removed now

Tue, 20 Oct 2020 17:47:26 GMT

Enlarge (credit: Getty Images)

Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users’ social media accounts thanks to malware its new owner introduced a few weeks ago, according to technical analyses and posts on Github.

(credit: Cyril Gorlla)

Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google’s Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which often are installed together, have about 300,000 installations total.

Four days ago, Raymond Hill, maker of the uBlock Origin extension upon which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code.

Read 11 remaining paragraphs | Comments

Microsoft’s new data center in a box will use SpaceX Starlink broadband

Tue, 20 Oct 2020 17:17:52 GMT

Microsoft today unveiled a modular data center that can be deployed to remote areas, as well as a partnership with SpaceX to connect those data centers to the Internet with Starlink satellite broadband. Microsoft said the Azure Modular Datacenter (MDC) is "for customers who need cloud computing capabilities in hybrid or challenging environments, including remote areas" for scenarios such as "mobile command centers, humanitarian assistance, military mission needs, [and] mineral exploration."

The MDC is "a self-contained datacenter unit" that "can operate in a wide range of climates and harsh conditions in a ruggedized, radio frequency (RF) shielded unit," Microsoft said. It can be deployed in areas "where temperature, humidity, and even level surfaces" would normally pose a big problem.

Microsoft's Azure Modular Datacenter. [credit: Microsoft ]

Bringing Internet connectivity to remote areas is often a challenge, and that's where SpaceX comes in. Microsoft is also using SES satellites as part of what it calls a "multi-orbit, multi-band, multi-vendor" approach to connectivity. MDCs will be able to use satellite service either as a backup or as the primary Internet connection.

Read 12 remaining paragraphs | Comments

Six Russians accused of the world’s most destructive hacks indicted

Mon, 19 Oct 2020 19:04:08 GMT

Enlarge (credit: US Justice Department)

Six men accused of carrying out some of the world's most destructive hacks—including the NotPetya disk wiper and power grid attacks that knocked out electricity for hundreds of thousands of Ukrainians—have been indicted in US federal court.

The indictment said that all six men are officers in a brazen hacker group best known as Sandworm, which works on behalf of Unit 74455 of the Russian Main Intelligence Directorate, abbreviated from Russian as GRU. The officers are behind the "most disruptive and destructive series of computer attacks ever attributed to a single group," prosecutors said. The alleged goal: to destabilize foreign nations, interfere with their internal politics, and cause monetary losses.

Among the hacks is NotPetya, the 2017 disk-wiping worm that shut down the operations of thousands of companies and government agencies around the world. Disguised as ransomware, NotPetya was in fact malware that permanently destroyed petabytes of data. The result, among other things, was hospitals that turned away patients, shipping companies that were paralyzed for days or weeks, and transportation infrastructure that failed to function.

Read 7 remaining paragraphs | Comments

QAnon/8chan sites back online after being ousted by DDoS-protection vendor

Mon, 19 Oct 2020 16:42:53 GMT

Enlarge (credit: Aurich Lawson / Getty)

A few dozen QAnon and 8chan-related sites were knocked offline temporarily yesterday when a DDoS-protection vendor disabled their access, according to an article by security reporter Brian Krebs.

The websites—with names like 8kun.net, 8kun.top, 8chan.se, and qanonbin.com—are connected to the Internet via the US-based ISP VanwaTech, which in turn "had a single point of failure on its end," Krebs wrote. "The swath of Internet addresses serving the various 8kun/QAnon sites were being protected from otherwise crippling and incessant distributed-denial-of-service (DDoS) attacks by Hillsboro, Ore. based CNServers LLC."

That changed yesterday when security researcher Ron Guilmette called CNServers, which apparently didn't realize it was providing security protection to the websites. "Within minutes of that call, CNServers told its customer—Spartan Host Ltd., which is registered in Belfast, Northern Ireland—that it would no longer be providing DDoS protection for the set of 254 Internet addresses that Spartan Host was routing on behalf of VanwaTech," Krebs wrote. Those 254 addresses included the few dozen related to QAnon and 8chan, which is now known as 8kun.

Read 7 remaining paragraphs | Comments

The Internet is full of business cats: Dealing with the breakdown of the work/home divide

Mon, 19 Oct 2020 13:00:38 GMT

Enlarge / Artist's impression of how little your cat cares about your video call. (credit: Aurich Lawson / Getty Images)

The Friday "beer-thirty" Zoom conferences began for me not too long into the lockdown. A co-worker scheduled them as a form of stress release and socialization as we all prepared for what we already knew was going to be at least a year of not seeing each other in person—and for someone who had just started with the company a few weeks prior, I needed it.

Working from home has always been isolating, but it has become even more so in 2020. And for those of us who've worked from home full-time in the past—well, at least for those of us who have done that and have loud families and kids with no concept of personal space—it has also become a lot harder to maintain a division between home life and work life. Our spouses and kids (and in some cases, adult kids) are all home at the same time, working or studying or playing or just breathing too loudly in the same space as us.

Meow mix

For those of you who've never enjoyed the solitude of a home office when everyone else is out of the house, trust me: what we have right now is not what working at home has been like for the past 25 years for me. To adjust to this, organizations must figure out how to keep teams cohesive in the absence of regular social contact. They also must find a balance between being communicative and being intrusive into the home life of employees, all while still keeping some kind of coherent work environment going so people can talk to each other and get work done.

Read 15 remaining paragraphs | Comments

Fancy Bear imposters are on a hacking extortion spree

Sat, 17 Oct 2020 12:00:56 GMT

Enlarge

Ransomware attacks that tear through corporate networks can bring massive organizations to their knees. But even as these hacks reach new popularity highs—and new ethical lows—among attackers, it's not the only technique criminals are using to shake down corporate victims. A new wave of attacks relies instead on digital extortion—with a side of impersonation.

On Wednesday, the Web security firm Radware published extortion notes that had been sent to a variety of companies around the world. In each of them, the senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The communications threaten that if the target doesn’t send a set number of bitcoin—typically equivalent to tens or even hundreds of thousands of dollars—the group will launch powerful distributed denial of service attacks against the victim, walloping the organization with a fire hose of junk traffic strategically directed to knock it offline.

Read 12 remaining paragraphs | Comments

Hackers are using a severe Windows bug to backdoor unpatched servers

Fri, 16 Oct 2020 19:50:08 GMT

Enlarge (credit: Getty Images)

One of the most critical Windows vulnerabilities disclosed this year is under active attack by hackers who are trying to backdoor servers that store credentials for every user and administrative account on a network, a researcher said on Friday.

Zerologon, as the vulnerability has been dubbed, gained widespread attention last month when the firm that discovered it said it could give attackers instant access to active directories, which admins use to create, delete, and manage network accounts. Active directories and the domain controllers they run on are among the most coveted prizes in hacking because once hijacked, they allow attackers to execute code in unison on all connected machines. Microsoft patched CVE-2020-1472, as the security flaw is indexed, in August.

On Friday, Kevin Beaumont, working in his capacity as an independent researcher, said in a blog post that he had detected attacks on the honeypot he uses to keep abreast of attacks hackers are using in the wild. When his lure server was unpatched, the attackers were able to use a powershell script to successfully change an admin password and backdoor the server.

Read 6 remaining paragraphs | Comments

Thousands of infected IoT devices used in for-profit anonymity service

Fri, 16 Oct 2020 12:00:18 GMT

Enlarge (credit: Aurich Lawson / Ars Technica)

Some 9,000 devices—mostly running Android, but also the Linux and Darwin operating Systems—have been corralled into the Interplanetary Storm, the name given to a botnet whose chief purpose is creating a for-profit proxy service, likely for anonymous Internet use.

The finding is based on several pieces of evidence collected by researchers from security provider Bitdefender. The core piece of evidence is a series of six specialized nodes that are part of the management infrastructure. They include a:

proxy backend that pings other nodes to prove its availability
proxy checker that connects to a bot proxy
manager that issues scanning and brute-forcing commands
backend interface responsible for hosting a Web API
node that uses cryptography keys to authenticate other devices and sign authorized messages
development node used for development purposes

Keeping it on the down-low

Together, these nodes “are responsible for checking for node availability, connecting to proxy nodes, hosting the web API service, signing authorized messages, and even testing the malware in its development phase,” Bitdefender researchers wrote in a report published on Thursday. “Along with other development choices, this leads us to believe that the botnet is used as a proxy network, potentially offered as an anonymization service.”

Read 9 remaining paragraphs | Comments