PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks:
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets.
The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024.
"CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP," Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. "The vulnerability itself lies in how Unicode characters are converted into ASCII."
The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge.
This included exploits designed to deliver a remote access trojan called Gh0st RAT, cryptocurrency miners like RedTail and XMRig, and a DDoS botnet named Muhstik.
"The attacker sent a request similar to the others seen in previous RedTail operations, abusing the soft hyphen flaw with '%ADd,' to execute a wget request for a shell script," the researchers explained. "This script makes an additional network request to the same Russia-based IP address to retrieve an x86 version of the RedTail crypto-mining malware."
Last month, Imperva also revealed that CVE-2024-4577 is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of the file-encrypting malware.
Users and organizations relying on PHP are recommended to update their installations to the latest version to safeguard against active threats.
"The continuously shrinking time that defenders have to protect themselves after a new vulnerability disclosure is yet another critical security risk," the researchers said. "This is especially true for this PHP vulnerability because of its high exploitability and quick adoption by threat actors."
Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.
The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft decommissioned in 2022 after its aging code base made it increasingly susceptible to exploits. Following the move, Windows made it difficult, if not impossible, for normal actions to open the browser, which was first introduced in the mid-1990s.
[...] The company fixed the vulnerability, tracked as CVE-2024-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which resided in the MSHTML engine of Windows, carried a severity rating of 7.0 out of 10.
The researchers from security firm Check Point said the attack code executed "novel (or previously unknown) tricks to lure Windows users for remote code execution." A link that appeared to open a PDF file appended a .url extension to the end of the file, for instance, Books_A0UJKO.pdf.url, found in one of the malicious code samples.
[...] "From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated," Haifei Li, the Check Point researcher who discovered the vulnerability, wrote. "For example, if the attacker has an IE zero-day exploit—which is much easier to find compared to Chrome/Edge—the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn't use any IE remote code execution exploit. Instead, they used another trick in IE—which is probably not publicly known previously—to the best of our knowledge—to trick the victim into gaining remote code execution."
[...] The Check Point post includes cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check if they have been targeted. [Article seemed to be missing this link to the Check Point article]
Starlink satellites lost on Falcon 9 upper stage failure:
SpaceX says it will not be able to recover the 20 Starlink satellites left in a very low orbit after a malfunction of a Falcon 9 upper stage on a July 11 launch.
In a statement July 12, the company said that the 20 satellites on the Group 9-3 launch have been unable to raise the orbit because the electric propulsion systems on the spacecraft cannot counteract the high atmospheric drag the satellites encounter in their very low orbits.
The rocket's upper stage engine "experienced an anomaly and was unable to complete its second burn," the company stated, which would have circularized the orbit of the stage before satellite deployment. While the stage was able to deploy the satellites, they were left in an orbit with a perigee, or low point, of just 135 kilometers.
That kept them in what SpaceX called an "enormously high-drag environment" that reduced the perigee by at least five kilometers per orbit. "At this level of drag, our maximum available thrust is unlikely to be enough to successfully raise the satellites. As such, the satellites will re-enter Earth's atmosphere and fully demise."
SpaceX Chief Executive Elon Musk posted a few hours after the anomaly that satellite controllers were trying to fire the spacecraft's electric thrusters at maximum levels to overcome atmospheric drag. "We're updating satellite software to run the ion thrusters at their equivalent of warp 9," he stated. "Unlike a Star Trek episode, this will probably not work, but it's worth a shot."
The company added that the satellites "do not pose a threat to other satellites in orbit or to public safety" given their very low orbits and a design that is intended to break up completely on reentry.
The SpaceX statement provided few additional details about the problem with the upper stage. It noted that there was a liquid oxygen leak on the second stage noticed during the first burn of the single Merlin engine. That would explain the unusual ice buildup seen on parts of the engine.
The company did not elaborate on the nature of the anomaly during the planned one-second relight of the engine. Musk had stated that the engine suffered a "RUD" or "rapid unscheduled disassembly," but SpaceX noted in its statement that "the stage survived and still deployed the satellites." The stage also was able to "passivate itself," a standard procedure at the end of its mission, removing energy sources from propellant tanks and batteries that could cause the stage to break up.
The incident will ground the rocket, the most active launch vehicle in service today, for an indefinite period while SpaceX investigates the root cause and determines what changes it must make to the upper stage.
The Federal Aviation Administration stated July 12 that it will require an investigation into the anomaly. "The FAA will be involved in every step of the investigation process and must approve SpaceX's final report, including any corrective actions," it stated. "A return to flight is based on the FAA determining that any system, process, or procedure related to the mishap does not affect public safety."
The launch failure will affect a wide range of customers, ranging from SpaceX's own Starlink satellites to NASA. The space industry has grown increasingly reliant on the Falcon 9, which had more than 300 consecutive successful launches before this incident, because of its high flight rate and lack of capacity on other vehicles.
Near-term missions facing delays include the Arctic Satellite Broadband Mission, a pair of communications satellites that had been expected to launch this month on a Falcon 9 from Vandenberg Space Force Base, along with the Transporter-11 rideshare mission on another Falcon 9 in July from Vandenberg.
One of the most widely used network protocols is vulnerable to a newly discovered attack that can allow adversaries to gain control over a range of environments, including industrial controllers, telecommunications services, ISPs, and all manner of enterprise networks.
Short for Remote Authentication Dial-In User Service, RADIUS harkens back to the days of dial-in Internet and network access through public switched telephone networks. It has remained the de facto standard for lightweight authentication ever since and is supported in virtually all switches, routers, access points, and VPN concentrators shipped in the past two decades.
[...]
The protocol was developed in 1991 by a company known as Livingston Enterprises. In 1997 the Internet Engineering Task Force made it an official standard, which was updated three years later. Although there is a draft proposal for sending RADIUS traffic inside of a TLS-encrypted session that's supported by some vendors, many devices using the protocol only send packets in clear text through UDP (User Datagram Protocol).
[...]
Since 1994, RADIUS has relied on an improvised, home-grown use of the MD5 hash function. First created in 1991 and adopted by the IETF in 1992
[...]
For a cryptographic hash function, it should be computationally impossible for an attacker to find two inputs that map to the same output. Unfortunately, MD5 proved to be based on a weak design: Within a few years, there were signs that the function might be more susceptible than originally thought to attacker-induced collisions, a fatal flaw that allows the attacker to generate two distinct inputs that produce identical outputs. These suspicions were formally verified in a paper published in 2004 by researchers Xiaoyun Wang and Hongbo Yu and further refined in a research paper published three years later.
The latter paper—published in 2007 by researchers Marc Stevens, Arjen Lenstra, and Benne de Weger—described what's known as a chosen-prefix collision
[...]
This type of collision attack is much more powerful because it allows the attacker the freedom to create highly customized forgeries.
To illustrate the practicality and devastating consequences of the attack, Stevens, Lenstra, and de Weger used it to create two cryptographic X.509 certificates that generated the same MD5 signature but different public keys and different Distinguished Name fields. Such a collision could induce a certificate authority intending to sign a certificate for one domain to unknowingly sign a certificate for an entirely different, malicious domain.
[...]
More than 12 years after Flame's devastating damage was discovered and two decades after collision susceptibility was confirmed, MD5 has felled yet another widely deployed technology that has resisted common wisdom to move away from the hashing scheme—the RADIUS protocol, which is supported in hardware or software provided by at least 86 distinct vendors. The result is "Blast RADIUS," a complex attack that allows an attacker with an active adversary-in-the-middle position to gain administrator access to devices that use RADIUS to authenticate themselves to a server.
"Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5," the research team behind Blast RADIUS wrote in a paper published Tuesday and titled RADIUS/UDP Considered Harmful. "In fact, RADIUS appears to have received notably little security analysis given its ubiquity in modern networks."
[...]
Over the long run, the researchers said, the only way to fix RADIUS is to transport it over TLS or DTLS, a move that provides modern security guarantees including confidentiality to the user data in the requests and ensures the integrity of the Access-Accept and Access-Reject responses. A working group within the IETF is drafting a specification update that aims to do just that. These sorts of major renovations take months or even years to complete. Some implementations of RADIUS, namely the one from Microsoft, have yet to support TLS.
[...]
Alan DeKok, the lead maintainer of FreeRADIUS, the most widely used RADIUS implementation, has additional mitigation guidance here.
The paper authors are:
Sharon Goldberg (as of May, Cloudflare)
Miro Haller (University of California, San Diego)
Nadia Heninger (University of California, San Diego)
Mike Milano (BastionZero)
Dan Shumow (Microsoft Research)
Marc Stevens (Centrum Wiskunde & Informatica)
Adam Suhl (University of California, San Diego)
They have assembled an FAQ and technical details on this site.
Arthur T Knackerbracket has processed the following story:
Scientists in California tested a way to coax certain fat cells to burn calories, rather than simply store energy. In new research involving mice, the team found it was possible to convert existing white fat cells into calorie-burning beige fat cells. The findings could pave the way to a new class of obesity treatments, the study authors say.
Scientists at the University of California San Francisco were trying to get to the root of a problem that has long stymied others in the field. Our fat cells come in three basic flavors: white, brown, and beige. White fat cells are primarily designed to store energy, while brown fat cells play a key role in keeping our body temperature stable. When we’re cold, these cells will burn sugar and fat to heat the body up. The more recently discovered beige fat cells, meanwhile, can carry out the functions of either type, storing or burning energy as needed. These cells are nestled within deposits of white fat cells.
[...] For a long time, scientists have theorized that finding a way to reliably switch white fat cells into either brown or beige fat cells could help prevent or treat these related issues (our bodies can naturally convert white into brown/beige fat cells, though typically only in small amounts from exercise or cold exposure). But so far, these efforts haven’t yet yielded safe and successful treatments. In this latest study, published in the Journal of Clinical Investigation, the UCSF team say they have landed on a new promising approach.
Working with mice, the group had earlier found evidence that a protein called KLF-15 was important to the distinction between white and beige/brown fat cells. In their mice, KLF-15 was much more present in brown and beige fat cells compared to white fat cells. So they decided to breed mice whose white fat cells lacked KLF-15 entirely. Once they did, the mice’s white fat cells suddenly became much more efficient at converting into beige fat cells.
[...] “A lot of people thought this wasn’t feasible,” said senior author Brian Feldman, a pediatric endocrinologist at UCSF, in a statement. “We showed not only that this approach works to turn these white fat cells into beige ones, but also that the bar to doing so isn’t as high as we’d thought.”
This is only one study in mice; it will take more research to know whether such a process can be safely manipulated in people. But should this work continue to pay off, it could lead to novel drugs for obesity and related issues. If we’re really lucky, these treatments would both be safe and avoid some of the unpleasant side-effects of the newest obesity medications, such as nausea and other gastrointestinal problems.
Journal Reference:
Liang Li, Brian J. Feldman, White adipocytes in subcutaneous fat depots require KLF15 for maintenance in preclinical models, Published July 1, 2024, J Clin Invest. 2024;134(13):e172360. https://doi.org/10.1172/JCI172360.
Expletives fly as admins deal with recommendation to move to Power Automate workflows:
Microsoft has thrown some enterprises into a spin after confirming that, with only a few months' notice, Office 365 connectors within Teams will be cut.
The connectors and webhooks are used to plumb workflows into a Teams channel. For example, users might use them to post an update into a chat stream. This means you can read content and service updates directly in a Teams channel that originated from something like a ticketing platform or a notification from a CI/CD system.
This is the sort of glue that enterprises depend on to make different systems communicate. Or at least it was. From August 15, 2024, Microsoft will block all Connector creation within all clouds. From October 1, 2024, all connectors within all clouds will stop working.
Microsoft has been a little vague on exactly why it is doing this. Its recommendation is for users to switch to Power Automate workflows to "ensure that your integrations are built on an architecture that can grow with your business needs and provide maximum security of your information."
[...] Users have been less than impressed by the news. Comments to the company's post have passed the 100 mark and are generally negative, with some describing the plans as "a greedy cash grab" and others reacting with bewilderment at Microsoft's decision:
[...] Register readers have also been in touch to share the impact the change is having on them. One, who uses RSS feeds and webhooks to send CI/CD notifications to channels, agreed with comments that the change was a "PITA with no benefit to the customer" and noted that the precious few months of notice given wasn't very long.
Aggressive scratching is a stress response; small children are a common source of stress:
Ah, cats. We love our furry feline overlords despite the occasional hairball and their propensity to scratch the furniture to sharpen their claws. The latter is perfectly natural kitty behavior, but overly aggressive scratching is usually perceived as a behavioral problem. Veterinarians frown on taking extreme measures like declawing or even euthanizing such "problematic" cats. But there are alternative science-backed strategies for reducing or redirecting the scratching behavior, according to the authors of a new paper published in the journal Frontiers in Veterinary Science.
This latest study builds on the group's prior research investigating the effects of synthetic feline facial pheromones on undesirable scratching in cats, according to co-author Yasemin Salgirli Demirbas, a veterinary researcher at Ankara University in Turkey. "From the beginning, our research team agreed that it was essential to explore broader factors that might exacerbate this issue, such as those influencing stress and, consequently, scratching behavior in cats," she told Ars. "What's new in this study is our focus on the individual, environmental, and social dynamics affecting the level of scratching behavior. This perspective aims to enhance our understanding of how human and animal welfare are interconnected in different scenarios."
[...] The team concluded that there are several factors that influence the scratching behavior of cats, including environmental factors, high levels of certain kinds of play, and increased nocturnal activity. But stress seems to be the leading driver. "Cats might scratch more as a way to relieve stress or mark their territory, especially if they feel threatened or insecure," said Demirbas. And the top source of such stress, the study found, is the presence of small children in the home.
"The presence of children can definitely influence a cat's stress levels, but it is a complex situation," said Demirbas. "Children, especially when young, tend to move quickly and unpredictably, which can be challenging for cats. Their loud noises and sudden movements can be distressing for cats. Additionally, children might not always understand how to approach cats properly. Rough handling, in particular, can make cats feel threatened and stressed. Another factor is that children can invade the cat's safe spaces, playing or resting in areas the cat considers its own core territories."
[...] And while too little playtime can adversely affect cat behavior, overstimulation by too much play—or the wrong kind of play—can also have a negative impact. "For cats, structured and routine play is crucial," said Demirbas. "Since play in cats, especially solitary play, originates from hunting behaviors, organized play sessions that mimic hunting are crucial for their well-being. Extended play sessions that do not result in successful hunting or satisfaction (often caused by toys like laser pointers) can induce stress responses due to frustration, overstimulation, and hyperarousal. Similarly, inadequate or lack of play contradicts cats' biology and can lead to distress. The optimal approach involves offering short yet repetitive and successful play sessions. This method mentally and physically stimulates cats, enhances their well-being, and helps prevent undesirable behaviors."
[...] What you shouldn't do is punish the cat or engage in what's known as "positive punishment": essentially a kind of behavioral aversion therapy akin to positive reinforcement, in which every time a cat engages in unwanted scratching, the caregiver adds an adverse stimulus immediately after. Per Demirbas, positive punishment is more likely to lead to confusion, distress, and increased stress in cats—the opposite of what one should be trying to achieve.
"Understanding the underlying emotional motivations of scratching behavior, such as frustration, which seem to be linked to personality traits and environmental factors, allows caregivers to address these issues directly," said Demirbas. "Our findings can help caregivers redirect scratching to appropriate materials, which could help foster a more harmonious living environment for both cats and their caregivers."
Journal Reference:
Frontiers in Veterinary Science, 2024. DOI: 10.3389/fvets.2024.1403068
Japan deploys humanoid robot for railway maintenance:
It resembles a malevolent robot from 1980s sci-fi but West Japan Railway's new humanoid employee was designed with nothing more sinister than a spot of painting and gardening in mind.
Starting this month, the machine with a crude head and coke-bottle eyes mounted on a truck -- which can drive on rails -- will be put to use for maintenance work on the firm's network.
Its operator sits in a cockpit on the truck, "seeing" through the robot's eyes via cameras and operating its powerful limbs and hands remotely. With a vertical reach of 12 metres (40 feet), the machine can use various attachments for its arms to carry objects as heavy as 40 kilograms (88 pounds), hold a brush to paint or use a chainsaw.
[...] The technology will help fill worker shortages in ageing Japan as well as reduce accidents such as workers falling from high places or suffering electric shocks, the company says. "In the future, we hope to use machines for all kinds of maintenance operations of our infrastructure," and this should provide a case study for how to deal with the labour shortage, company president Kazuaki Hasegawa told a recent press conference.
JR West to Introduce Humanoid Robot for Railroad Maintenance; Looking to Expand its Use in Japan:
West Japan Railway Co. (JR West) will introduce a humanoid robot to handle maintenance work, such as painting emplacements along railroad tracks and cutting down fallen trees.
JR West said Thursday that it plans to put the robot into operation in the Kyoto-Osaka-Kobe area in July.
The railroad expects to make improvements in labor and safety by using the robot to perform dangerous and laborious work at elevated positions.
Mounted on a construction vehicle, the robot will be able to work at heights of up to 12 meters with its two arms.
[...] The weight and feel of objects gripped by the robot are transmitted to the control lever, "allowing operators to move the robot as if they were doing the work themselves," JR West President Kazuaki Hasegawa said.
With the introduction of the robot, the manpower required for the work will be reduced by around 30%, according to the firm. JR West will consider expanding the number of units in use and marketing them to other companies while verifying the effectiveness of the robot.
Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories:
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain attack.
"This attack stands out due to the high variability across packages," Phylum said in an analysis published last week.
"The attacker has cleverly hidden the malware in the seldom-used 'end' function of jQuery, which is internally called by the more popular 'fadeTo' function from its animation utilities."
[...] The malicious changes, per Phylum, have been introduced in a function named "end," allowing the threat actor to exfiltrate website form data to a remote URL.
Further investigation has found the trojanized jQuery file to be hosted on a GitHub repository associated with an account called "indexsc." Also present in the same repository are JavaScript files containing a script pointing to the modified version of the library.
"It's worth noting that jsDelivr constructs these GitHub URLs automatically without needing to upload anything to the CDN explicitly," Phylum said.
"This is likely an attempt by the attacker to make the source look more legitimate or to sneak through firewalls by using jsDelivr instead of loading the code directly from GitHub itself."
The development comes as Datadog identified a series of packages on the Python Package Index (PyPI) repository with capabilities to download a second-stage binary from an attacker-controlled server depending on the CPU architecture.
In 2019, Nike got closer than ever to its dreams of popularizing self-tying sneakers by releasing the Adapt BB. Using Bluetooth, the sneakers paired to the Adapt app that let users do things like tighten or loosen the shoes' laces and control its LED lights. However, Nike has announced that it's "retiring" the app on August 6, when it will no longer be downloadable from Apple's App Store or the Google Play Store; nor will it be updated.
In an announcement recently spotted by The Verge, Nike's brief explanation for discontinuing the app is that Nike "is no longer creating new versions of Adapt shoes." The company started informing owners about the app's retirement about four months ago.
[...]
Adapt BB owners have shared disappointment after learning the news. One Reddit user who claimed to own multiple pairs of the shoes called the news "hyper bullshit," while another described it as "immensely disappointing."
Some hope that Nike will open-source the app so that customers can maintain their shoes' original and full functionality. But Nike hasn't shared any plans to do so. Ars Technica asked the company about this but didn't hear back ahead of press time.
[...]
Some may be unsurprised that Nike's attempt at commercializing the shoes from Back to the Future Part II has run into a wall. Nike, for instance, also discontinued NikeConnect, its app for $200 NBA jerseys announced in 2017 that turned wearers into marketing gold.
Casual sneaker wearers would overlook the Adapt BB's flashy features, but the shoe had inherent flaws that could frustrate sneaker fanatics, too. It didn't take long, for example, for a recommended software update to break the shoes, including making them unwearable to anyone who wanted to tighten the laces (at the time, Nike said the problem affected a small number of owners).
Arthur T Knackerbracket has processed the following story:
My friend recently wanted to bring an old laptop back to life. Her aging Intel MacBook was no longer supported by Apple, and instead of letting the machine wind up in a landfill somewhere, she decided to install Linux, an OS she'd never used before.
She started her quest with Linux Mint, which is always a good place to start. Unfortunately, the installation failed for her (mostly because of the doggedly slow nature of the machine), so she reached out.
Given her hardware, there was only one logical suggestion to make -- Linux Lite. This installation went well for her, except the keyboard layout was automatically selected incorrectly. Fortunately, that was an easy fix.
[...] As per usual with a lightweight Linux distribution, Linux Lite performed about as well as any desktop OS I've ever tried. It was fast. I gave the virtual machine I used 3GB of RAM and two CPU cores, and this distribution performed as if it had four times that power. Anyone with a machine that doesn't have the resources to power the latest version of Windows would do very well with this distribution, especially if speed is your thing.
[...] The one thing I did find missing from Linux Lite was a universal package manager, such as Snap or Flatpak. No problem. From within Synaptic, I was able to quickly search for, and install, both.
[...] If my friend, who'd never touched Linux in her life, was able to easily get Linux Lite installed and working, you probably can too. Like I tell everyone… if you can install a Windows app, you can install modern Linux. It really is that simple, and Linux Lite proves that hypothesis.
This lightweight Linux distribution is ideal for anyone new to the open-source operating system or who needs to bring an old machine back to life.
Arthur T Knackerbracket has processed the following story:
A federal judge could block the Federal Trade Commission’s impending ban on noncompete agreements from going into effect. Noncompete agreements are intended to make it difficult for employees to switch to similar positions at other companies or start businesses of their own, and they’ve been a contentious issue within tech companies in particular.
The ban had been set to go into force on September 4th, but on Wednesday, Judge Ada Brown issued a preliminary injunction in a lawsuit brought against the FTC. For those plaintiffs, the FTC’s ban will no longer go into effect on September 4th. Brown says she plans to rule on their entire challenge to the FCC “on or before August 30, 2024,” potentially stopping the FTC from blocking noncompetes nationwide.
Tax firm Ryan LLC filed the lawsuit against the FTC the same day the ban was announced in April, arguing that the ban is “an unauthorized, unconstitutional attempt to eliminate a long-established private economic arrangement.” The US Chamber of Commerce and Business Roundtable are among those who have joined the suit since its filing.
[...] The FTC voted 3-2 in support of the ban. At the time, the FTC argued that the ban would allow for more than 8,500 new businesses to be made each year.
Hippos can get airborne when moving at high speeds over land, according to a new study:
This is the first time that the animals, which can weigh more than 2,000 kilograms (2.2 tons) and spend much of their time in water, have been found to lift all four limbs off the ground when moving quickly, according to a statement from the Royal Veterinary College (RVC) in the UK.
After analyzing videos showing 169 movement cycles from 32 hippos, researchers found that the fastest-moving animals spend around 15% of each stride off the ground.
John Hutchinson, study lead author and a professor of evolutionary biomechanics at the RVC, told CNN that very little was known about the way that hippos move on land.
"Hippos were a big missing part of the puzzle," he said. "They're really hard to study."
[...] The team also found that hippos almost exclusively trot – with two diagonal limbs moving in the same direction at the same time, and then the two other diagonal limbs – no matter what speed they are moving at, whereas other mammals such as horses switch from a walk to a trot to a gallop depending on their speed.
"Hippos are one of the very few four legged animals at all that just trot," said Hutchinson. "That was a pretty neat finding."
Journal Reference:
Hutchinson JR, Pringle EV. 2024. Footfall patterns and stride parameters of Common hippopotamus (Hippopotamus amphibius) on land. PeerJ 12:e17675 https://doi.org/10.7717/peerj.17675
A Spanish youth court has sentenced 15 minors to one year of probation after spreading AI-generated nude images of female classmates in two WhatsApp groups.
The minors were charged with 20 counts of creating child sex abuse images and 20 counts of offenses against their victims' moral integrity.
[...] Many of the victims were too ashamed to speak up when the inappropriate fake images began spreading last year. Prior to the sentencing, a mother of one of the victims told The Guardian that girls like her daughter "were completely terrified and had tremendous anxiety attacks because they were suffering this in silence."
[...] Teens using AI to sexualize and harass classmates has become an alarming global trend. Police have probed disturbing cases in both high schools and middle schools in the US, and earlier this year, the European Union proposed expanding its definition of child sex abuse to more effectively "prosecute the production and dissemination of deepfakes and AI-generated material." Last year, US President Joe Biden issued an executive order urging lawmakers to pass more protections.
[...] In an op-ed for The Guardian today, journalist Lucia Osborne-Crowley advocated for laws restricting sites used to both generate and surface deepfake pornography, including regulating this harmful content when it appears on social media sites and search engines.
[...] An FAQ said that "WhatsApp has zero tolerance for child sexual exploitation and abuse, and we ban users when we become aware they are sharing content that exploits or endangers children," but it does not mention AI.
Previously on SoylentNews:
A High School's Deepfake Porn Scandal is Pushing US Lawmakers Into Action - 20231203
Cheer Mom Used Deepfake Nudes and Threats to Harass Daughter's Teammates, Police Say - 20210314
Related stories on SoylentNews:
Microsoft Unveils Deepfake Tech That's Too Good To Release - 20240422
Cops Bogged Down by Flood of Fake AI Child Sex Images, Report Says - 20240202
Taylor Swift Deepfakes Spark Calls in Congress for New Legislation - 20240127
Jail Terms in UK for Sharing or Creating Explicit Images Without Consent - 20230627
Deepfakes Pose a Growing Danger, New Research Says - 20220809
Man Arrested for Uncensoring Japanese Porn with AI in First Deepfake Case - 20211023
FBI Warns Imminent Deepfake Attacks "Almost Certain" - 20210328
MIT Team Creates Deepfake of President Nixon Reading "Moon Disaster" Apollo 11 Contingency Speech - 20200721
This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time - 20200421
I Created My Own Deepfake—It Took Two Weeks and Cost $552 - 20191219
Scientists in China say they have discovered that a type of moss would survive on Mars:
Syntrichia caninervis is a type of moss usually found in remote and harsh environments on Earth, such as Antarctica or the Mojave desert in the US.
But now, scientists have discovered that it can survive Mars-like conditions including drought, high levels of radiation and extreme cold.
The researchers tested the moss under Martian conditions, including an atmosphere made up of 95% carbon dioxide gas, a temperature as low as -196°C, high ultraviolet (UV) radiation from the Sun and low atmospheric pressure.
Researchers in China said the desert moss not only survived but rapidly recovered from almost complete loss of water.
[...] Scientists think the experiment with the moss is an encouraging step towards humans eventually growing plants on the Martian surface.
It's hoped that in the future the moss can be brought to the Moon or Mars to test its growth away from Earth.