Infosec In Brief North Korea's Lazarus Group has changed tactics and is now creating malware-laden open source software.
Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of "shadow downloads" that look like popular open source software development tools but are packed with malware.
The company says it found 234 unique malware packages built by Lazarus in the first half of 2025 alone.
"Lazarus has increasingly pivoted from disruption to long-term infiltration, using tailored malware, modular payloads, and infrastructure evasion techniques to gain persistent access to high-value targets — including the open source software ecosystem," the company's researchers wrote.
Lazarus Group's rap sheet includes the 2014 Sony Pictures hack, the 2016 attack on banks in Bangladesh, and 2017's WannaCry ransomware attack.
Like many other North Korean operatives, Lazarus Group shifted to cryptocurrency theft. Developers who don't carefully check their downloads appear to be the gang's latest targets. – Simon Sharwood
MFA mess costs Canucks big bucks
A slow rollout of two-factor authentication has cost the Canadian city of Hamilton CAD$5 million ($3.6m).
In February 2024 the city was crippled for weeks by a ransomware attack that saw criminals demand CAD$18.5 million ($13.4m) in exchange for the decryption keys. The city told them no and then spent CAD$18.4 million ($13.3m) fixing the problem by building a more secure network.
At a town meeting last Wednesday, officials said the city's insurance company declined to pay out CAD$5 million ($3.6 million) in costs, saying that the city had broken the contract by not installing multi-factor authentication across its entire network. In 2022 the insurers required the city to install MFA, and Hamilton commenced a pilot program the following year.
Before the city completed its rollout, the ransomware scum attacked.
"This has been a test of our system and a test of our leadership," said Mayor Andrea Horwath last Wednesday. "We are not sweeping this under the rug. We're owning it, we're fixing it and we're learning from it."
Cyrus Tehrani, acting chief information officer for the city, disputes the claims that a lack of MFA was to blame for the ransomware attack, as the city faced a "highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems."
And there are a couple of upsides to the saga. Firstly, the criminals lost out on their big payday, and secondly, the city's infrastructure is much more up to date, the Mayor said.
"This city needed to change," she opined. "This city needed to become more modernized. When I got here I felt this was a city time forgot." We'll see whether the voters agree.
Bug bounties all round!
Fancy becoming an instant millionaire (before tax)? All you need is to find a zero-click flaw in WhatsApp that allows code execution, fly to Dublin on October 21, and demonstrate it at the latest Pwn2Own competition.
WhatsApp is a focus of this year's competition, which will pay $500,000 for a single-click crack of Meta's messaging tool.
Other big money prizes on offer include $300,000 for remotely cracking an iPhone 16 or a Pixel 9 handset, $150,000 for no-interaction remote code execution on Meta's Quest 3 and Ray-Ban headsets, and a bunch of smaller prizes, with a particular focus this year on smart home devices and printers. As ever, if you hack a device you also get to keep it.
Last year over 70 zero-day flaws were demonstrated and contestants walked away with combined winnings of $1,066,625 in total.
Not to be outdone, this week Microsoft announced increases in the bounties it offers for .NET vulnerabilities. Find something wrong with .NET and ASP.NET Core (including Blazor and Aspire) and you can now win rewards of up to $40,000 for the most serious flaws, up from $30,000 last year.
Redmond was a relative latecomer to the bug bounty crowd, starting its first program in 2013 at the prompting of security maven Katie Moussouris. Microsoft was considered one of the worst companies for this sort of thing – making legal threats to researchers and refusing to compensate them for their discoveries. But it began to see the benefits and in 2008 publicly vowed not to resort to legal threats.
Teams touched up
While we're talking Microsoft, last week it announced that Teams admins will have a slightly easier time of it thanks to some new code.
Teams already has an audit logging system that allows admins to quickly check for suspicious activity, such as users who have inappropriate control rights or are sharing material that's not appropriate given their access privileges.
An improved logging system Microsoft launched last week added better timestamp tracking, plus the ability to log screen-sharing sessions and everyone who takes part in them.
This will be useful for stopping the loss of corporate information, whether to rivals, to corporate espionage, or – of course – by leaking juicy titbits to journalists (hint, hint).
CISA swings hammer of Thorium
The Cybersecurity and Infrastructure Security Agency (CISA) last week released Thorium, a digital forensics tool developed in partnership with Sandia National Laboratories. The tool allows massive scaling up of file analysis and incident response work, and can ingest and analyze more than 10 million files per hour.
"Thorium enables teams that regularly analyze files to achieve scalable automation and results indexing within a unified platform," the agency said. "Analysts can integrate command-line tools as Docker images, filter results using tags and full-text search, and manage access with strict group-based permissions."
Thorium runs at scale on Kubernetes and ScyllaDB systems and has a strict permissions database that controls who can see its output.
CISA says it will be particularly useful for running custom commands to examine Docker images, as well as commercial, open source, and proprietary code.
Republicans and Democrats agree on restricting stingray scanners
The use of stingray cellphone tracking towers by US law enforcement could be curtailed if bipartisan legislation introduced in the House and Senate passes.
Stingrays are fake cellphone towers that record the IMEI number and location of any handset in the area. They've been used for nearly a decade, but the tech has sparked concerns that the devices are used to conduct mass surveillance. There have also been multiple reports that unknown entities are using such kit for espionage purposes.
The Cell Site Simulator Warrant Act, introduced by Senators Ron Wyden (D-OR) and Steve Daines (R-MT), and Representatives Ted Lieu (D-CA) and Tom McClintock (R-CA) last Thursday, would require police to get a warrant based on probable cause before using the devices, except in some emergencies.
If the bill passes, an Inspector General would audit all stingray use, and any judge ruling on a case that uses stingray data must be informed of its potential flaws. Police would also be restricted to gathering only directly relevant data.
"Law enforcement agencies need clear and transparent rules about when it's acceptable to use stingray phone surveillance, so they can properly investigate crimes without endangering Americans' privacy or violating their constitutional rights," Wyden said.
"Our bipartisan bill protects Americans against warrantless stingray surveillance while setting clear rules for law enforcement about when and how they can use these devices."
The proposed law would also include a $250,000 fine for anyone illegally using stingray devices to spy. Building your own stingray is relatively simple: all it takes is about $1,000-worth of kit and the right software.
The bill includes exceptions for those using homebrewed kit for teaching or legitimate research. ®