China censoring open-source code
Earlier this month, the popular Chinese code repository platform Gitee made open-source code from thousands of developers private and hidden from view. The platform explained that the code was being manually reviewed before it could be published, saying it “didn’t have a choice” in the policy. This new policy requires developers to submit an application and confirm their code doesn’t contain anything that would violate copyrights or Chinese law. Although projects are being restored after submitting applications, developers worry this could lead to decreased collaboration and reluctance to contribute open-source code going forward.
Follina zero-day hits Office
Late last week, the security researcher nao_sec found a malicious Word document on VirusTotal that had been submitted from an IP address in Belarus. The document contained a command-line string able to execute malicious PowerShell commands through the Microsoft Support Diagnostic Tool (msdt.exe), even with macros disabled. Security researcher Kevin Beaumont clarified that it appears to use Word's remote template feature to fetch an HTML file from a remote server, which then invokes the diagnostic tool. Office's Protected View does warn of a potentially malicious document, but that warning can be avoided if the file is converted to Rich Text Format. Researchers have dubbed the zero-day Follina and were able to reproduce it. Microsoft was informed of the issue in April, initially said it wasn't security related, and marked the report as fixed on April 12th. Bleeping Computer reached out to Microsoft for more details.
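As an added example (not code from the original article or from the researchers it cites), the following Python performs the two static checks that the description above suggests: open a .docx as a zip and look for relationship parts that make Word fetch an attached template or OLE object from a remote http(s) server, then scan the HTML such a server returns for the ms-msdt: URI scheme that hands control to the diagnostic tool. The sample documents and HTML are constructed inline and the hostnames are placeholders; the relationship type names are the standard OOXML ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves automatically when the document opens. Hyperlinks
# are also TargetMode="External" but only fire on click, so they are not flagged.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject"}

# The URI scheme that hands a fetched HTML page to msdt.exe. A legitimate template never needs it.
MSDT_URI_RE = re.compile(r"""ms-msdt:[^"'<>]*""", re.IGNORECASE)


def remote_auto_fetch_targets(docx_bytes):
    """Return [(rels_part, rel_type, target)] for every relationship in the package that
    makes Word pull an attached template or OLE object from a remote http(s) server."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel_el in root.iter("{%s}Relationship" % RELS_NS):
                rel_type = rel_el.get("Type", "").replace(REL_TYPE_BASE, "")
                target = rel_el.get("Target", "")
                if (rel_el.get("TargetMode") == "External"
                        and rel_type in AUTO_FETCH_TYPES
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, rel_type, target))
    return hits


def msdt_uris(html_text):
    """Return every ms-msdt: URI found in HTML fetched via the template relationship."""
    return MSDT_URI_RE.findall(html_text)


def build_docx(parts):
    """Build a minimal .docx-shaped zip from {part_name: xml_text}; only the .rels parts matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, xml_text in parts.items():
            zf.writestr(name, xml_text)
    return buf.getvalue()


def rels(*relationships):
    return '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, "".join(relationships))


def rel(rid, rel_type, target, external=False):
    mode = ' TargetMode="External"' if external else ""
    return '<Relationship Id="%s" Type="%s%s" Target="%s"%s/>' % (rid, REL_TYPE_BASE, rel_type, target, mode)


# Constructed samples (not real malware): one document whose attached template is fetched
# from a remote server, one ordinary document with a local template and a clickable hyperlink.
SUSPICIOUS_DOCX = build_docx({
    "word/_rels/settings.xml.rels": rels(
        rel("rId1", "attachedTemplate", "http://template.example.invalid/t.html", external=True)),
})
BENIGN_DOCX = build_docx({
    "word/_rels/settings.xml.rels": rels(rel("rId1", "attachedTemplate", "Normal.dotm")),
    "word/_rels/document.xml.rels": rels(rel("rId2", "hyperlink", "https://example.invalid/", external=True)),
})
# Constructed stand-in for the HTML a remote template server would return.
SUSPICIOUS_HTML = '<html><script>window.location.href = "ms-msdt:/id SomeDiagnostic /param x";</script></html>'

if __name__ == "__main__":
    print("remote auto-fetch:", remote_auto_fetch_targets(SUSPICIOUS_DOCX))  # one attachedTemplate hit
    print("benign doc:", remote_auto_fetch_targets(BENIGN_DOCX))            # []
    print("ms-msdt URIs:", msdt_uris(SUSPICIOUS_HTML))
```

Either check alone is a useful mail-gateway or sandbox signal; together they cover both halves of the chain described above, the document that reaches out and the page it reaches out to, without relying on the macro-based indicators that this technique sidesteps.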
EnemyBot botnet acts fast
This Linux-based botnet recently expanded its capabilities and can now target recent security vulnerabilities across web servers, Android devices, and CMS platforms. Researchers at AT&T Alien Labs warn that EnemyBot has proven it's able to rapidly adopt newly disclosed vulnerabilities to expand its reach. It has also recently added a scanner that probes random IP addresses of public-facing assets for vulnerabilities, helping it find new hosts. The source code for EnemyBot is currently available on GitHub, although its README file disclaims responsibility for any damage it causes and describes the code as "considered art."
Turns out China is good at SEO
The Brookings Institution and the Alliance for Securing Democracy issued a report showing that Chinese state news agencies are very good at optimizing for search engines. At least one Chinese state news article appeared in the top 10 results for "Xinjiang" around 88% of the time on Google and Bing, and 98% of the time on YouTube. They do even better in news-focused sections: Chinese state media accounted for 22% of observed pages in Google News and Bing News related to Xinjiang and the origins of the coronavirus, versus 6% in regular web search.
Thanks to today’s episode sponsor, Feroot

Learn more at www.feroot.com.
Attackers didn’t cause TerraUSD collapse
The crypto research firm Nansen reports that the collapse of the TerraUSD (UST) stablecoin can't be attributed to a single attacker. Rather, the precipitous decline can be tied to a series of trades by a number of actors, including the lender Celsius Network. There is no evidence that the trading activity was designed to destabilize the coin; rather, the trades may have been made to conform to risk-management constraints or to reduce exposure during turbulent economic conditions. Nansen points to May 11, when two wallets, one tied to Celsius, withdrew roughly 420 million UST from Anchor Protocol, as "significantly impacting" the de-pegging of UST from the US dollar.
Google bans deepfake training on Colab
Google's Colaboratory, or Colab, service provides free computing resources for researchers to run Python code in the browser. This includes GPU resources, making it well suited to training machine learning projects such as deepfake models. Earlier this month, Google quietly added deepfakes to its list of disallowed projects. It's unclear whether this was done over ethical concerns surrounding deepfakes or because significant resources were being tied up by frequent use for these projects. Other activities already banned on Colab include cryptomining, password cracking, running DDoS attacks, and downloading torrents.
Academics’ credentials leak online
The FBI published a new Private Industry Notification, warning relevant institutions that credentials belonging to higher education organizations in the US have been advertised for sale on dark web marketplaces. FBI data shows these sales were observed as of January 2022, offering credentials for several US-based colleges and universities, and were preceded by a dump of 36,000 email and password combinations posted on Telegram in May 2021. The notification gave no specifics on how the credentials were obtained, but the FBI said they were likely harvested through a combination of phishing, ransomware, or other intrusions.
And now your “should have patched” Tuesday update: government edition
The Cybersecurity and Infrastructure Security Agency (CISA) added three batches of bugs to its Known Exploited Vulnerabilities Catalog, for a total of 75 over the course of three days. Federal civilian executive branch agencies have 14 days to patch them. Several of the vulnerabilities are quite old, including ones for Adobe Flash Player and a Microsoft Silverlight bug dating back to 2013. Bugs in Windows, the Linux kernel, and Internet Explorer also made the list. Several Oracle Java remote code execution bugs get the distinction of being the oldest, going back to 2010.
(ZDNet)