"The official Python software package repository, PyPI, is getting flooded with spam packages..." Bleeping Computer reported Thursday.

"Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once..." PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-... Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI... The web page for these bogus packages contain spam keywords and links to movie streaming sites, albeit of questionable legitimacy and legality...

February of this year, PyPI had been flooded with bogus "Discord", "Google", and "Roblox" keygens in a massive spam attack, as reported by ZDNet. At the time, Ewa Jodlowska, Executive Director of the Python Software Foundation had told ZDNet that the PyPI admins were working on addressing the spam attack, however, by the nature of pypi.org, anyone could publish to the repository, and such occurrences were common.

Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages... As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging...

In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated. Threat actors have been caught flooding software repositories with malware, malicious dependency confusion copycats, or simply vigilante packages to spread their message. As such, securing these repositories has turned into a whack-a-mole race between threat actors and repository maintainers.

Slashdot reader storagedude writes: That's right, Microsoft's CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet.

Dual-use tool exploitation was the top threat category noted by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in those last two categories also.

"Based on Cisco's research, PowerShell is the source of more than a third of critical threats," noted Gedeon Hombrebueno, Endpoint Security Product Manager for Cisco Secure.

Cisco recommends a number of protection steps that are, of course, made easier with Cisco Secure Endpoint, and other EDR tools are effective against PowerShell exploits also.

But there are a number of steps admins can (and should) take that are completely free, like preventing or restricting PowerShell execution in non-admin accounts, allowing execution of signed scripts only, and using Constrained Language mode.

An anonymous reader shares a report: One month ago the University of Minnesota was banned from contributing to the Linux kernel when it was revealed the university researchers were trying to intentionally submit bugs into the kernel via new patches as "hypocrite commits" as part of a questionable research paper. Linux kernel developers have finally finished reviewing all UMN.edu patches to address problematic merges to the kernel and also cleaning up / fixing their questionable patches. Sent in on Thursday by Greg Kroah-Hartman was char/misc fixes for 5.13-rc3. While char/misc fixes at this mid-stage of the kernel cycle tend to not be too exciting, this pull request has the changes for addressing the patches from University of Minnesota researchers. [...] Going by the umn.edu Git activity that puts 37 patches as having been reverted with this pull request. The reverts span from ALSA to the media subsystem, networking, and other areas. That is 37 reverts out of 150+ patches from umn.edu developers over the years.

Lanodonal shares a report from the BBC: Hackers responsible for causing widespread disruption to the Irish health system have unexpectedly gifted it with the tool to help it recover. The Conti ransomware group was reportedly asking the Irish health service for $20 million to restore services after the "catastrophic hack." But now the criminals have handed over the software tool for free.The Irish government says it is testing the tool and insists it did not, and would not, be paying the hackers. Taoiseach (Irish prime minister) MicheÃl Martin said on Friday evening that getting the software tool was good, but that enormous work is still required to rebuild the system overall.

Conti is still threatening to publish or sell data it has stolen unless a ransom is paid. On its darknet website, it told the Health Service Executive (HSE), which runs Ireland's healthcare system, that "we are providing the decryption tool for your network for free." "But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation." It was unclear why the hackers gave the tool -- known as a decryption key -- for free, said Health Minister Stephen Donnelly. In an alert made public Thursday by the American Hospital Association, the FBI said the Conti group has also hit at least 16 U.S. medical and first response networks in the past year.

The Federal Bureau of Investigation said that the same group of online extortionists blamed for striking the Irish health system last week have also hit at least 16 U.S. medical and first response networks in the past year. From a report: In an alert made public Thursday by the American Hospital Association, the FBI said the cybercriminals using the malicious software dubbed 'Conti' have targeted law enforcement, emergency medical services, dispatch centers, and municipalities. The alert did not name the victims or go into detail about the nature or severity of the breaches, saying only that they were among more than 400 organizations worldwide targeted by "Conti actors."

Microsoft has open-sourced today a tool that can be used to build lab environments where security teams can simulate attacks and verify the detection effectiveness of Microsoft security products. The Record reports: Named SimuLand, the tool was specifically built to help security/IT teams that use Microsoft products such as Microsoft 365 Defender, Azure Defender, and Azure Sentinel. Currently, SimuLand comes with only one lab environment, specialized in detecting Golden SAML attacks. However, Microsoft said it's working on adding new ones. Community contributions are also welcomed, and the reason the project has been open-sourced on GitHub, with Microsoft hoping to get a helping hand from the tens of thousands of security teams that run its software.

"If you would like to share a new end-to-end attacker path, let us know by opening an issue in our GitHub repository, and we would be happy to collaborate and provide some resources to make it happen," Microsoft said today in a blog post. But Microsoft doesn't want only lab environments specialized in executing well-known techniques or adversary tradecraft. The OS maker is also encouraging the community to contribute improved detection rules for the attacks they're sharing, so everyone can benefit from the shared knowledge.

CNA Financial, among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, Bloomberg News reported Thursday. From a report: The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren't authorized to discuss the matter publicly. In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker's identity with the FBI and the Treasury Department's Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.

Microsoft today open-sourced a tool that can be used to build lab environments where security teams can simulate attacks and verify the detection effectiveness of Microsoft security products. From a report: Named SimuLand, the tool was specifically built to help security/IT teams that use Microsoft products such as Microsoft 365 Defender, Azure Defender, and Azure Sentinel. Currently, SimuLand comes with only one lab environment, specialized in detecting Golden SAML attacks.

However, Microsoft said it's working on adding new ones. Community contributions are also welcomed, and the reason the project has been open-sourced on GitHub, with Microsoft hoping to get a helping hand from the tens of thousands of security teams that run its software. "If you would like to share a new end-to-end attacker path, let us know by opening an issue in our GitHub repository, and we would be happy to collaborate and provide some resources to make it happen," Microsoft said today in a blog post. But Microsoft doesn't want only lab environments specialized in executing well-known techniques or adversary tradecraft. The OS maker is also encouraging the community to contribute improved detection rules for the attacks they're sharing, so everyone can benefit from the shared knowledge.

The Microsoft security team has published details about a malware campaign that is currently spreading a remote access trojan named STRRAT that steals data from infected systems while masquerading as a ransomware attack. From a report: According to the Microsoft Security Intelligence team, the campaign is currently leveraging a mass-spam distribution vector to bombard users with emails containing malicious PDF file attachments. "Attackers used compromised email accounts to launch the email campaign," Microsoft said in a series of tweets last night. "The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware." First spotted in June 2020, STRRAT is a remote access trojan (RAT) coded in Java that can act as a backdoor on infected hosts. According to a technical analysis by German security firm G DATA, the RAT has a broad spectrum of features that vary from the ability to steal credentials to the ability to tamper with local files.

Craig Federighi is currently testifying during the Apple vs. Epic lawsuit. While facing questioning from Apple's lawyers, Federighi made some interesting comments about security, particularly noting that the Mac currently has a level of malware that Apple "does not find acceptable." 9to5Mac reports: One of Federighi's goals is to paint the iPhone ecosystem, including the App Store and lack of side-loading support, as a secure and trusted environment for users. To do this, it appears that part of Federighi's strategy is to throw the Mac under the bus. Judge Yvonne Gonzalez Rogers, who is presiding over the Epic vs. Apple case, asked Federighi about why the Mac can have multiple app stores, but not the iPhone. "It is regularly exploited on the Mac," Federighi explained. "iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today." "Today, we have a level of malware on the Mac that we don't find acceptable," Federighi added.

The Apple executive also pointed to Android as another example of a platform with multiple app stores that suffers from security problems. "It's well understood in the security community that Android has a malware problem," he explained. "iOS has succeeded so far in staying ahead of the malware problem." Federighi added that Apple is essentially playing "an endless game of whack-a-mole" with malware on the Mac and has to block "many instances" of infections that can affect "hundreds of thousands of people" every week. Since last May, Federighi testified there have been 130 types of Mac malware, and one of them infected 300,000 systems. When asked whether side-loading would affect security on iOS, Federighi said things would change "dramatically. No human policy review could be enforced because if software could be signed by people and downloaded directly, you could put an unsafe app up and no one would check that policy," he said.

The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company's chief executive came to a difficult conclusion: He had to pay. From a report: Joseph Blount, CEO of Colonial Pipeline, told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back. Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. The Colonial Pipeline provides roughly 45% of the fuel for the East Coast, according to the company. "I know that's a highly controversial decision," Mr. Blount said in his first public remarks since the crippling hack. "I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country," he added.

[...] Mr. Blount said Colonial paid the ransom in consultation with experts who had previously dealt with the criminal organization behind the attacks. He and others involved declined to detail who assisted in those negotiations. Colonial said it has cyber insurance, but declined to provide details on ransomware-related coverage. In return for the payment, made in the form of bitcoin, about 75 in all, according to a person familiar with the matter, the company received a decryption tool to unlock the systems hackers penetrated. While it proved to be of some use, it was ultimately not enough to immediately restore the pipeline's systems, the person said.

The same technology that powers Google Duplex to call businesses and make appointments for you is being used to help you automatically change your password to a website that's been compromised in a security breach. TechCrunch reports: This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome's password-syncing feature. It's worth noting that this won't work for every site just yet. As a Google spokesperson told us, "the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future."

A software bug that's now been fixed allowed some Eufycam owners to stream video from strangers' homes instead of their own. The Register reports: These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people's homes -- even those in other countries -- and feared they were being watched, too. The privacy breakdown sparked an eruption of complaints on Reddit and Anker's support forum.

A spokesperson for Anker told us just a small number of customers were affected: "Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001 per cent) of our users were able to access video feeds from other users' cameras. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST." We're told customers in the US, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were affected though not GDPR-armed Europe. "We realize that as a security company we didn't do good enough," the spokesperson added. "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again." Eufy recommends users unplug and then reconnect their devices, log out of the Eufy security app, and log in again to fix the issue.

Google announced a new feature for its Chrome browser today that alerts you when one of your passwords has been compromised and then helps you automatically change your password with the help of... wait for it ... Google's Duplex technology. From a report: This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome's password-syncing feature. It's worth noting that this won't work for every site just yet. As a Google spokesperson told us, "the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future."

Now you may remember Duplex as the somewhat controversial service that can call businesses for you to make hairdresser appointments or check opening times. Google introduced Duplex at its 2018 I/O developer conference and launched it to a wider audience in 2019. Since then, the team has chipped away at bringing Duplex to more tasks and brought it the web, too. Now it's coming to Chrome to change your compromised passwords for you.

Nvidia is extending its cryptocurrency mining limits to newly manufactured GeForce RTX 3080, RTX 3070, and RTX 3060 Ti graphics cards. From a report: After nerfing the hash rates of the RTX 3060 for its launch in February, Nvidia is now starting to label new cards with a "Lite Hash Rate" or "LHR" identifier to let potential customers know the cards will be restricted for mining. "This reduced hash rate only applies to newly manufactured cards with the LHR identifier and not to cards already purchased," says Matt Wuebbling, Nvidia's head GeForce marketing.

"We believe this additional step will get more GeForce cards at better prices into the hands of gamers everywhere." These new RTX 3060 Ti, RTX 3070, and RTX 3080 cards will start shipping later this month, and the LHR identifier will be displayed in retail product listings and on the box. Nvidia originally started hash limiting with the RTX 3060, and the company has already committed to not limiting the performance of GPUs already sold.

Brian Krebs: In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed -- such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick. The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities. In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country's borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies. [...] Here's the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.

Politico's technology site Protocol reports that some U.S. lawmakers are getting angry about an unpopular but widespread corporate policy -- the non-compete agreement: Non-compete agreements prohibit employees who leave their jobs from taking similar positions with potential competitors for a certain period of time. In the U.S., somewhere between 27.8% and 46.5% of private-sector workers are subject to non-compete agreements, according to a 2019 Economic Policy Institute study.

Such agreements are unenforceable in California and limited in nearby Washington, but they can still have adverse effects on employees nationwide. That's why a current piece of legislation, the Workforce Mobility Act, seeks at the federal level to restrict the use of non-compete agreements in most situations. Sens. Chris Murphy and Todd Young introduced the bill, which would only allow non-competes in certain "necessary" situations... Non-compete legislation also has the support of President Joe Biden, who said during his campaign he would support such a bill. John Lettieri, president and CEO of the Economic Innovation Group, is a proponent of the Workforce Mobility Act and suggested the bill should enjoy broad support. "We believe we're in a position where it's possible for this to become law," Lettieri told Protocol.

"Whether you're a free market conservative or whether you're a pro-worker progressive, you can come from either of those ends of the spectrum and end up in the same place. And this is a special issue for that reason... Competition is generally good and for workers, competition among businesses for your labor is the most fundamental bargaining power you've got," he said. But if companies hinder that with non-compete agreements, they create "a downstream series of consequences that really are bad for the worker, they're bad for the broader labor market and it's increasingly clear they're bad for the broader economy as well...."

Companies such as Amazon and Microsoft — both headquartered in Seattle, Washington — and New York-headquartered IBM have all sued employees for breaking the terms of their non-compete agreements.

The Colonial Pipeline cyberattack has spurred new efforts in the U.S. Congress "to require critical companies to tell the government when they've been hacked." Politico reports: Even leading Republicans are expressing support for regulations after this week's chaos — a sharp change from past high-profile efforts that failed due to GOP opposition. The swift reaction from lawmakers reflects the disruptive impact of the ransomware attack on Colonial...

The vast majority of private companies don't have to report cyberattacks to any government entity — not even those, like Colonial, whose disruptions can wreak havoc on U.S. economic and national security. And often, they choose to keep quiet. That information gap leaves the rest of the country in the dark about how frequently such attacks occur and how they're perpetrated. It also leaves federal authorities without crucial information that could help protect other companies from similar attacks. Without reporting from companies, "the United States government is completely blind to what is happening," Brandon Wales, the acting director of DHS' Cybersecurity and Infrastructure Security Agency, told reporters on Thursday. "That just weakens our overall cyber posture across our entire country."

Wales said the solution was for Congress to require companies to report cyber incidents. Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government. The planned legislation predates the pipeline attack — lawmakers began drafting it soon after learning about last year's massive SolarWinds espionage campaign, in which suspected Russian hackers infiltrated nine federal agencies and roughly 100 companies. But the Colonial strike has added urgency to the effort. The group expects to introduce the legislation within weeks, a Senate aide said. "You couldn't have a better reason" for such a mandate than seeing the economic impact of Colonial and SolarWinds, said Senate Intelligence Chair Mark Warner (D-Va.), one of the leaders of the legislation along with Republican Sen. Marco Rubio of Florida.

Warner said the intent is to provide a "public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn't spread worse..." In the case of Colonial, CISA's Wales said the company did not provide the administration with technical information about the breach until Wednesday night — five days after it was reported — and even then the data was not comprehensive... Companies typically choose not to voluntarily share data with the government for legal and reputational reasons. They fear that the notoriously leak-prone government won't protect their information, leading to embarrassing and potentially actionable revelations.
Politico adds that "The incident reporting situation has become untenable, many cybersecurity experts say,"

"Nation-state hackers are using vulnerable companies as springboards into their customers and partners, and criminal groups are attacking hospitals, schools and energy companies in ways that, if reported, could be tracked and prevented elsewhere."

Slashdot reader storagedude writes: The MITRE cybersecurity product evaluations use adversarial attack techniques instead of basic malware samples, and as a result are the best tests of enterprise security products — particularly in light of dramatic recent attacks on SolarWinds and Colonial Pipeline.

What's especially interesting is just how well first-generation antivirus vendors like Symantec, McAfee and Trend Micro have fared in the MITRE tests. An eSecurity Planet article analyzes the data and speculates on why the old guard may have a built-in advantage over the hot upstarts:

"They may have been overshadowed in recent years by some of the flashy marketing of the upstarts, but that long history gives the old guard a product depth that's tough to beat," eSecurity Planet wrote. "Just one example: Symantec was prepared for last year's SolarWinds hack because it long ago faced attacks when hackers tried to disable endpoint agents, a primary vector for the Sunburst malware.

"In cybersecurity, experience still counts for something."

ITWire reports on how Norwegian firm Volue Technology handled a ransomware attack that began on May 5th: The company has set up a Web page with information about the attack and also links to frequent updates about the status of its systems. There was no obfuscation about the attack, none at all. The company said: "The ransomware attack on Volue Technology ('Powel') was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems."

What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him. Not some underling.
ITWire argues this response "demonstrated to the rest of the world how a ransomware attack should be handled."