0-Days Sold By Austrian Firm Used To Hack Windows Users, Microsoft Says

Longtime Slashdot reader HnT shares a report from Ars Technica: Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren’t necessarily the countries in which the DSIRF customers who paid for the attack resided.

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks,” Microsoft researchers wrote. “These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF.”

Referring to DSIRF using the name KNOTWEED, Microsoft researchers wrote: In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved. Microsoft recommends a number of security considerations to help mitigate this attack, including patching CVE-2022-22047, updating Microsoft Defender Antivirus to update 1.371.503.0 or later, and enabling multifactor authentication (MFA).
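A defender-side check suggested by the description above, added here as an example and not part of the Microsoft or Ars Technica write-up: a small linter that parses a Windows application (SxS) manifest and flags any attribute outside a documented allowlist, or any attribute value that points at a DLL on disk. The allowlist is a constructed subset of the manifest schema, and the attribute name and DLL path in the sample manifest are placeholders, not the undocumented attribute the exploit actually used.

```python
"""Lint a Windows application (SxS) manifest for attributes outside the
documented schema and for attribute values that point at a DLL on disk."""
import re
import xml.etree.ElementTree as ET

# Constructed subset of documented SxS manifest attributes, keyed by element
# local name. Not exhaustive; extend it with the elements your manifests use.
DOCUMENTED_ATTRS = {
    "assembly": {"manifestVersion"},
    "assemblyIdentity": {"name", "version", "type", "processorArchitecture",
                         "publicKeyToken", "language"},
    "file": {"name", "hashalg", "hash"},
    "dependency": set(),
    "dependentAssembly": set(),
}
# Any attribute whose value is a path ending in .dll deserves a look.
DLL_PATH_RE = re.compile(r"(?:[\\/]|\.\.).*\.dll\s*$", re.IGNORECASE)

def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{urn:...}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1]

def lint_manifest(xml_text: str) -> list:
    """Return one finding per suspicious attribute; an empty list means clean."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = _local(elem.tag)
        allowed = DOCUMENTED_ATTRS.get(tag)  # None for elements not in the subset
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if allowed is not None and name not in allowed:
                findings.append(f"undocumented attribute {name!r} on <{tag}>")
            if DLL_PATH_RE.search(value.strip()):
                findings.append(f"DLL path {value!r} in {tag}@{name}")
    return findings

# Constructed sample manifests: a benign one and one carrying a placeholder
# attribute (placeholderAttr) whose value is a DLL path, mimicking the pattern.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.App" version="1.0.0.0" type="win32"
                    processorArchitecture="amd64"/>
</assembly>"""
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.App" version="1.0.0.0" type="win32"
                    processorArchitecture="amd64"
                    placeholderAttr="C:\\Users\\Public\\payload.dll"/>
</assembly>"""
```

Run the linter over manifests extracted from mail attachments or written to disk by sandboxed processes; a hit on either rule is a triage signal, not proof of exploitation.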

Read more of this story at Slashdot.

Scientists Use Dead Spider As Gripper For Robot Arm, Label It a ‘Necrobot’

New submitter know-nothing cunt shares a report from The Register: Scientists from Rice University in Texas have used a dead spider as an actuator at the end of a robot arm — a feat they claim has initiated the field of “necrobotics.” “Humans have relied on biotic materials — non-living materials derived from living organisms — since their early ancestors wore animal hides as clothing and used bones for tools,” the authors state in an article titled Necrobotics: Biotic Materials as Ready-to-Use Actuators. The article, published by Advanced Science, also notes that evolution has perfected many designs that could be useful in robots, and that spiders have proven especially interesting. Spiders’ legs “do not have antagonistic muscle pairs; instead, they have only flexor muscles that contract their legs inwards, and hemolymph (i.e., blood) pressure generated in the prosoma (the part of the body connected to the legs) extends their legs outwards.”

The authors had a hunch that if they could generate and control a force equivalent to blood pressure, they could make a dead spider’s legs move in and out, allowing them to grip objects and release them again. So they killed a wolf spider “through exposure to freezing temperature (approximately -4C) for a period of 5-7 days” and then used a syringe to inject the spider’s prosoma with glue. By leaving the syringe in place and pumping in or withdrawing glue, the researchers were able to make the spider’s legs contract and grip. The article claims that’s a vastly easier way to make a gripper than with conventional robotic techniques that require all sorts of tedious fabrication and design efforts. “The necrobotic gripper is capable of grasping objects with irregular geometries and up to 130 percent of its own mass,” the article notes.


‘Stop Trying To Be TikTok’: User Backlash Over Instagram Changes

Instagram’s head defended the app against a user backlash, after the social network launched a series of changes intended to make it more like its arch-rival TikTok. The Guardian reports: The changes, which include an extremely algorithmic main feed, a push for the service’s TikTok-style “reels” videos, and heavy promotion of the TikTok-style “remix” feature, have resulted in users struggling to find content from friends and family, once the bread and butter of the social network. “We’re hearing a lot of concerns from all of you,” Adam Mosseri said in a video posted to Twitter. “I’m hearing a lot of concerns about photos, and how we’re shifting to video. We’re going to continue to support photos, but I need to be honest: more and more of Instagram is going to become video over time. We’re going to have to lean in to that shift while continuing to support photos.”

The Instagram boss also defended the platform’s new “recommendations” feature, which puts content from people users do not follow on to their feed. “The idea is to help you discover new and interesting things on Instagram that you might not even know exist,” he said. “You can snooze all recommendations for up to a month, but we’re going to try and get better at recommendations because we think it’s one of the best ways to help creators reach a new audience and grow their following.” He added: “We’re going to need to evolve, because the world is changing quickly and we’re going to need to change with it.”

Instagram’s makeover is widely seen as a response to TikTok’s continued growth, in particular among younger American users. […] By boosting algorithmic recommendations, allowing users to “remix” posts (akin to TikTok’s “Duet” feature), and promoting full-screen vertical video above photos, Instagram is attempting to turn its main app experience into something similar to that of the Chinese-owned upstart. In a widely shared story, Kardashian clan member and social media star, Kylie Jenner, called on the service to “make Instagram Instagram again.” She added: “Stop trying to be TikTok, I just want to see cute photos of my friends.”


A Newly Discovered Malware Hijacks Facebook Business Accounts

An ongoing cybercriminal operation is targeting digital marketing and human resources professionals in an effort to hijack Facebook Business accounts using a newly discovered data-stealing malware. TechCrunch reports: Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail and found evidence to suggest that a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2021. The firm added that the operation’s motives appear to be purely financially driven. The threat actor first scouts targets via LinkedIn where it selects employees likely to have high-level access to Facebook Business accounts, particularly those with the highest level of access. The threat actor then uses social engineering to convince the target to download a file hosted on a legitimate cloud host, like Dropbox or iCloud. While the file features keywords related to brands, products, and project planning in an attempt to appear legitimate, it contains data-stealing malware that WithSecure says is the first malware that they have seen specifically designed to hijack Facebook Business accounts.

Once installed on a victim’s system, the Ducktail malware steals browser cookies and hijacks authenticated Facebook sessions to steal information from the victim’s Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has sufficient access to simply by adding their email address to the compromised account, which prompts Facebook to send a link, via email, to the same email address. The recipient — in this case, the threat actor — then interacts with the emailed link to gain access to that Facebook Business account. The threat actors then leverage their new privileges to replace the account’s set financial details in order to direct payments to their accounts or to run Facebook Ad campaigns using money from the victimized firms.


Saudi Arabia Plans IPO of $500 Billion For Its Megacity ‘Neom’

Saudi Arabia’s Crown Prince Mohammed bin Salman said they are planning an initial public offering of the Kingdom’s $500 billion megaproject Neom as soon as 2024. Arabian Business reports: Talking to reporters in Jeddah, the crown prince said the Kingdom is setting aside $80 billion for Neom Investment Fund, where it would invest in companies that agree to operate in the futuristic city, Bloomberg has reported. The announcement was witnessed by global investors including Bridgewater Associates founder Ray Dalio, Tim Collins of Ripplewood, Saudi Prince Alwaleed bin Talal and Kuwaiti retail billionaire Mohammed Alshaya.

The Saudi crown prince also unveiled funding details of Neom. First phase, which runs until 2030, will cost 1.2 trillion riyals, with about half of that covered by the Public Investment Fund. Officials will then seek to raise another 600 billion riyals from other sovereign wealth funds in the region, private investors in Saudi Arabia and abroad, and the planned IPO on Tadawul. The IPO, which could happen by 2024, will add more than 1 trillion riyals to the Kingdom’s stock market, the crown prince noted. In addition to the news about the IPO, a teaser video was released, revealing the design for The Line: a “vertical city” some 500 meters tall, 170 kilometers in length, and covered in mirrors.

“Although it looks like a wall, The Line is actually supposed to be comprised of two huge parallel buildings, connected via walkways and divided into neighborhoods that are supposed to offer all the amenities of city life within a five-minute walking distance,” reports The Verge.

“Vegetables will be ‘autonomously harvested and bundled’ from community farms; ‘a high-speed train will run under the mirrored buildings’; the Line will include a stadium ‘up to 1,000 feet above the ground,’ and there’ll be a marina for yachts under an arch between the buildings.” A report from the Wall Street Journal in 2019 also noted robots will outnumber humans and hologram teachers will educate genetically-enhanced students.


Source Code For Rust-Based Info-Stealer Released On Hacker Forums

The source code for an information-stealing malware coded in Rust has been released for free on hacking forums, with security analysts already reporting that the malware is actively used in attacks. BleepingComputer reports: The malware, which the author claims to have developed in just six hours, is quite stealthy, with VirusTotal returning a detection rate of around 22%. As the info-stealer is written in Rust, a cross-platform language, it allows threat actors to target multiple operating systems. However, in its current form, the new info-stealer only targets Windows operating systems.

Analysts at cybersecurity firm Cyble, who sampled the new info-stealer and named it “Luca Stealer,” report that the malware comes with standard capabilities for this type of malware. When executed, the malware attempts to steal data from thirty Chromium-based web browsers, where it will steal stored credit cards, login credentials, and cookies. The stealer also targets a range of “cold” cryptocurrency and “hot” wallet browser addons, Steam accounts, Discord tokens, Ubisoft Play, and more. Where Luca Stealer stands out against other info-stealers is the focus on password manager browser addons, stealing the locally stored data for 17 applications of this kind. In addition to targeting applications, Luca also captures screenshots and saves them as a .png file, and performs a “whoami” to profile the host system and send the details to its operators.
