Misconfigured Cloud Servers Targeted with Linux Malware for New Cryptojacking Campaign

Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. “A Docker command was received…” they write, “that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server’s root directory…”
Typically, this is exploited to write out a job for the Cron scheduler to execute… In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.

The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker’s Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server… To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh

“Multiple user mode rootkits are deployed to hide malicious processes,” they note. And one of the shell scripts “makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker’s session from being appended to the history file… Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn’t appear in the shell history once a new session has been spawned.”

The same script also inserts “an attacker-controlled SSH key to maintain access to the compromised host,” according to the article, retrieves a miner for the Monero cryptocurrency and then “registers persistence in the form of systemd services” for both the miner and an open source Golang reverse shell utility named Platypus.

It also delivers “various utilities,” according to the blog Security Week, “including ‘masscan’ for host discovery.” Citing CADO’s researchers, they write that the shell script also “weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents.”
The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet… [“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” the researchers write.]
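The detection side of the campaign described above, as an added example that is not part of the Cado write-up or the Slashdot story: it parses constructed `docker inspect` output for containers that bind-mount the host's root directory (the entry point described in the first paragraphs), and scans constructed crontab lines for the three retrieval patterns the write-up names (base64-decoded commands piped through bash, the /usr/bin/vurl dropper, and the Python urllib2 fallback). The sample data, function names and regular expressions are assumptions of this example, not captured artefacts from the campaign.

```python
import json
import re

# Constructed sample of `docker inspect` output, trimmed to the fields this
# check reads. Not captured data from the campaign.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/suspicious",
     "Config": {"Image": "alpine"},
     "HostConfig": {"Binds": ["/:/mnt:rw"]}},
    {"Id": "bbb222", "Name": "/web",
     "Config": {"Image": "nginx"},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
])

# Constructed crontab lines mimicking the shapes the write-up describes,
# plus one benign line so the scanner has something to ignore.
SAMPLE_CRON = """\
* * * * * root echo ZWNobyBoZWxsbw== | base64 -d | bash
*/5 * * * * root /usr/bin/vurl > /dev/null 2>&1
0 * * * * root python -c "import urllib2" > /dev/null
30 2 * * * root /usr/bin/logrotate /etc/logrotate.conf
"""

# base64 decode whose output is piped into sh or bash
BASE64_PIPE = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")
# dropper path named in the write-up
VURL_PATH = "/usr/bin/vurl"
# Python 2 HTTP library used by the fallback cron job
URLLIB2 = re.compile(r"\burllib2\b")


def find_host_root_mounts(inspect_json: str):
    """Return (container name, bind spec) for every bind mount whose host
    side is the root directory. HostConfig.Binds entries have the form
    host_path:container_path[:options]."""
    findings = []
    for container in json.loads(inspect_json):
        binds = container.get("HostConfig", {}).get("Binds") or []
        for bind in binds:
            host_path = bind.split(":", 1)[0]
            if host_path == "/":
                findings.append((container["Name"], bind))
    return findings


def find_suspicious_cron(cron_text: str):
    """Return (line number, reason) for crontab lines matching the
    retrieval patterns described in the write-up. Comments and blank
    lines are skipped."""
    findings = []
    for number, line in enumerate(cron_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if BASE64_PIPE.search(stripped):
            findings.append((number, "base64-decoded commands piped to a shell"))
        elif VURL_PATH in stripped:
            findings.append((number, "invokes the vurl /dev/tcp downloader"))
        elif URLLIB2.search(stripped):
            findings.append((number, "python urllib2 fallback retrieval"))
    return findings


if __name__ == "__main__":
    # On a real host, replace the samples with `docker inspect $(docker ps -aq)`
    # output and the contents of /etc/crontab and /etc/cron.d/*.
    for name, bind in find_host_root_mounts(SAMPLE_INSPECT):
        print(f"container {name} bind-mounts host root: {bind}")
    for number, reason in find_suspicious_cron(SAMPLE_CRON):
        print(f"cron line {number}: {reason}")
```

The root-mount check looks only at the host side of each bind specification, so a read-only mount of a subdirectory (the nginx container above) is not flagged, while any mount whose host path is `/` is, regardless of where it lands inside the container.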

“This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers,” Cado notes. “It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments.”

Read more of this story at Slashdot.

Does Reddit Represent the Return of the Junk Stock IPO?

An article in Inc notes a “wild projection” in Reddit’s SEC filing that Reddit’s global market opportunity by 2027 is $1.4 trillion.
Some of the numbers lead back to a single individual: Sam Altman. The co-founder and chief executive of ChatGPT-maker OpenAI owns an 8.7 percent stake in Reddit, more than its co-founder and CEO, Steve Huffman, who owns 3.3 percent… Altman, through various funds and holding companies he owns or manages, controls more than a million shares of Reddit at $60 million in aggregate purchase price — and holds more than 9 percent of voting rights…
Discussing Reddit’s future, financial analyst and journalist Herb Greenberg recently told CNBC, “This is an AI play.”

But the senior investing editor for Kiplinger.com argues that retail investors “may want to hold tight before rushing out to buy the Reddit IPO.”
While IPO stocks tend to have strong first-day showings, returns for the first year are generally weak, says the team of analysts at Trivariate Research, a market research firm based in New York. And since 2020, “the average IPO has lagged its industry average by 30% over the subsequent three years following its first closing price…”

Other commenters have noted that Reddit’s allotment of shares to select Redditors could lower demand on the first day of trading, which would work against any IPO pop.

“Over the past few years, there have been a bunch of IPOs in the U.S. in which overhyped names enjoyed flashy stock-market debuts only to drop sharply soon after,” notes the Street.
Notable examples include Coinbase, which plummeted by almost 90% after its debut, Robinhood, still down 53% since its IPO, and Rivian, down over 91% since its debut. However, it’s crucial to note that all of these IPOs occurred in 2021 amid market euphoria fueled by low interest rates, significant economic stimulus, and the lingering effects of the Covid-19 pandemic. Although the current macroeconomic landscape differs from three years ago, valuations of tech and growth stocks remain stretched.

Kiplinger.com concludes it “boils down to your own personal investing goals and risk tolerance. If you do decide to buy Reddit stock when it first begins trading, do so in a small amount that you can afford to lose.”

But they also cite analysis from David Trainer, CEO of New Constructs, a research firm powered by artificial intelligence. “Reddit’s IPO marks the return of the junk IPO,” Trainer wrote in Forbes. “[The valuation] implies that Reddit will grow its user base to 26 times current levels, which would be nearly five times the size of [Snapchat-maker] Snap, and a highly unlikely feat. Reddit looks overvalued, and we think investors should pass on this IPO.”
Trainer writes:
[T]he company has never been profitable and should not be a publicly traded company… I think the company may never monetize its platform without angering its users and the entire premise of Reddit is user-generated content. This business model is inescapably built on a catch-22: make money or please users… Reddit looks overvalued, and I think investors should pass on this IPO.

Buyers and analysts told the site Marketing Brew “that they see the platform as nice-to-have, but that it is not an essential part of their media plans, like Meta or Google are.”

“They’ve always been solidly in the second or third tier of social networks,” alongside Snap, Pinterest, and X, Brian Wieser, a former GroupM exec who’s now author of the industry newsletter Madison and Wall, told Marketing Brew.

Yet Trainer notes that “98% of Reddit’s revenue in 2023 came from third-party advertising on the site and 28% of all revenue came from ten customers,” and “Reddit’s cost of revenue, sales & marketing, general & administrative, and research & development costs were 117% of revenue in 2023.”

Trainer concludes “Reddit is nowhere near breakeven. Reddit is an unprofitable social media company fighting for users.”

Bloomberg adds that the subreddit r/WallStreetBets “has threatened to bet against the stock, with many people noting that the company still loses money two decades into its existence. (Reddit lost $90.8 million last year, down from $158.6 million the year before.)”

Some have complained that the invitation to invest fails to make up for the unpaid labor they’ve invested making the site work… In 2021 the platform’s WallStreetBets forum ignited a meme-stock frenzy, propelling skyward the stocks of nostalgic but struggling companies like GameStop Corp. and AMC Entertainment Holdings Inc. and sending shockwaves through the financial industry… When it goes public, the platform that invented meme stocks runs the risk of becoming one itself.

Reddit noted the possibility as a risk in its IPO filing. “Given the broad awareness and brand recognition of Reddit, including as a result of the popularity of r/wallstreetbets among retail investors,” the company warned that its stock could “experience extreme volatility … which could cause you to lose all or part of your investment if you are unable to sell your shares at or above the initial offering price.”
Users on WallStreetBets got a kick out of the fact that the company listed the forum as a risk factor, posting about it with a sly smiling emoji…

Meanwhile, reports that marketers are infiltrating subreddits have been confirmed. Over 200 businesses have “integrated Reddit Pro into their digital strategies,” reports Search Engine Land, including “well-known names such as Taco Bell, the NFL, and The Wall Street Journal…
“During the initial alpha testing phase with approximately 20 businesses, Reddit reported its Pro partners, on average, generated 11 additional posts and comments per month.”


Mock ‘News’ Sites With Russian Ties Pop Up in U.S.

An anonymous reader shared this story from the New York Times:

Into the depleted field of journalism in America, a handful of websites have appeared in recent weeks with names suggesting a focus on news close to home: D.C. Weekly, the New York News Daily, the Chicago Chronicle and a newer sister publication, the Miami Chronicle. In fact, they are not local news organizations at all. They are Russian creations, researchers and government officials say, meant to mimic actual news organizations to push Kremlin propaganda by interspersing it among an at-times odd mix of stories about crime, politics and culture.

While Russia has long sought ways to influence public discourse in the United States, the fake news organizations — at least five, so far — represent a technological leap in its efforts to find new platforms to dupe unsuspecting American readers. The sites, the researchers and officials said, could well be the foundations of an online network primed to surface disinformation ahead of the American presidential election in November…

The Miami Chronicle’s website first appeared on Feb. 26. Its tagline falsely claims to have delivered “the Florida News since 1937.”

Amid some true reports, the site published a story last week about a “leaked audio recording” of Victoria Nuland, the U.S. under secretary of state for political affairs, discussing a shift in American support for Russia’s beleaguered opposition after the death of the Russian dissident Aleksei A. Navalny. The recording is a crude fake, according to administration officials who would speak only anonymously to discuss intelligence matters.

From the Raw Story:
The network was discovered by Clemson University’s Media Forensics Hub by researchers Patrick Warren and Darren Linvill, who tell the Times that its websites are designed to lend journalistic credibility to slickly produced propaganda.

“The page is just there to look realistic enough to fool a casual reader into thinking they’re reading a genuine, U.S.-branded article,” Linvill told the Times.


‘Canonical Turns 20: Shaping the Ubuntu Linux World’

“2004 was already an eventful year for Linux,” writes ZDNet’s Jack Wallen. “As I reported at the time, SCO was trying to drive Linux out of business. Red Hat was abandoning Linux end-user fans for enterprise customers by closing down Red Hat Linux 9 and launching the business-friendly Red Hat Enterprise Linux (RHEL). Oh, and South African tech millionaire and astronaut Mark Shuttleworth [also a Debian Linux developer] launched Canonical, Ubuntu Linux’s parent company.

“Little did I — or anyone else — suspect that Canonical would become one of the world’s major Linux companies.”

Mark Shuttleworth answered questions from Slashdot readers in 2005 and again in 2012. And this year, Canonical celebrates its 20th anniversary. ZDNet reports:
Canonical’s purpose, from the beginning, was to support and share free software and open-source software… Then, as now, Ubuntu was based on Debian Linux. Unlike Debian, which never met a delivery deadline it couldn’t miss, Ubuntu was set to be updated to the latest desktop, kernel, and infrastructure with a new release every six months. Canonical has kept to that cadence — except for the Ubuntu 6.06 release — for 20 years now…

Released in October 2004, Ubuntu Linux quickly became synonymous with ease of use, stability, and security, bridging the gap between the power of Linux and the usability demanded by end users. The early years of Canonical were marked by rapid innovation and community building. The Ubuntu community, a vibrant and passionate group of developers and users, became the heart and soul of the project. Forums, wikis, and IRC channels buzzed with activity as people from all over the world came together to contribute code, report bugs, write documentation, and support each other….

Canonical’s influence extends beyond the desktop. Ubuntu Linux, for example, is the number one cloud operating system. Ubuntu started as a community desktop distribution, but it’s become a major enterprise Linux power [also widely used as a server and Internet of Things operating system.]

The article notes Canonical’s 2011 creation of the Unity desktop. (“While Ubuntu Unity still lives on — open-source projects have nine lives — it’s now a sideline. Ubuntu renewed its commitment to the GNOME desktop…”)

But the article also argues that “2016, on the other hand, saw the emergence of Ubuntu Snap, a containerized way to install software, which, along with its rival Red Hat’s Flatpak, is helping Linux gain some desktop popularity.”


Google’s Newest Office Has AI Designers Toiling In a Wi-Fi Desert

Google’s swanky new office building located on Alphabet’s Mountain View, California headquarters has been “plagued for months by inoperable, or, at best, spotty Wi-Fi,” reports Reuters citing six people familiar with the matter. “Its recliner-laden collaborative workspaces do not work well for teams carting around laptops, since workers must plug into ethernet cables at their desks to get consistent internet service. Some make do by using their phones as hotspots.” From the report: The company promoted the new building and surrounding campus in a 229-page glossy book highlighting its cutting-edge features, such as “Googley interiors” and “an environment where everyone has the tools they need to be successful.”

But, a Google spokeswoman acknowledged, “we’ve had Wi-Fi connectivity issues in Bay View.” She said Google “made several improvements to address the issue,” and the company hoped to have a fix in coming weeks. According to one AI engineer assigned to the building, which also houses members of the advertising team, the wonky Wi-Fi has been no help for Google pushing a three-day-per-week return-to-office mandate. “You’d think the world’s leading internet company would have worked this out,” he said.

Managers have encouraged workers to stroll outside or sit at the adjoining cafe where the Wi-Fi signal is stronger. Some were issued new laptops recently with more powerful Wi-Fi chips. Google has not publicly disclosed the reasons for the Wi-Fi problems, but workers say the 600,000-square-foot building’s swooping, wave-like rooftop swallows broadband like the Bermuda Triangle.


Warner Bros. is Now Erasing Games As It Plans To Delist Adult Swim-Published Titles

Michael McWhertor reports via Polygon: Warner Bros. Discovery is telling developers it plans to start “retiring” games published by its Adult Swim Games label, game makers who worked with the publisher tell Polygon. At least three games are under threat of being removed from Steam and other digital stores, with the fate of other games published by Adult Swim unclear. The media conglomerate’s planned removal of those games echoes cuts from its film and television business; Warner Bros. Discovery infamously scrapped plans to release nearly complete movies Batgirl and Coyote vs. Acme, and removed multiple series from its streaming services. If Warner Bros. does go through with plans to delist Adult Swim’s games from Steam and digital console stores, 18 or more games could be affected.

News of the Warner Bros. plan to potentially pull Adult Swim’s games from Steam and the PlayStation Store was first reported by developer Owen Reedy, who released puzzle-adventure game Small Radios Big Televisions through the label in 2016. Reedy said on X Tuesday the game was being “retired” by Adult Swim Games’ owner. He responded to the company’s decision by making the Windows PC version of Small Radios Big Televisions available to download for free from his studio’s website. Polygon reached out to other developers who had worked with Adult Swim Games as a publisher. Two studios responded to say that they’d received a similar warning from Warner Bros. Discovery, but they are still in the dark about what it means for their games. […]

Polygon reached out to 10 studios and solo developers who had their games published by Adult Swim Games to see what they’ve heard. Some say they haven’t been contacted by WB Discovery, but they expect to. “From what I’ve heard from others, I will probably be hearing from them soon,” developer Andrew Morrish, who published Kingsway and Super Puzzle Platformer Deluxe through Adult Swim, told Polygon. “It’s not looking good.” Molinari said that if and when his game Soundodger+ is pulled from Steam, he’ll republish it there “with as little downtime as possible between the two versions.” The game is also available from Molinari’s itch page.
