I Just Got Back From a Dream

Thomas Hawk posted a photo:

The Future's Not What It Used to Be

Thomas Hawk posted a photo:

Found Kodachrome Slide

Thomas Hawk posted a photo:

Dangerous Rocks

Thomas Hawk posted a photo:

Saturday Night Cocktail

Thomas Hawk posted a photo:

The Guardian

Latest news, sport, business, comment, analysis and reviews from the Guardian, the world's leading liberal voice

Cuba’s power grid collapses in third nationwide blackout amid US oil blockade

Network breakdowns compounded by daily blackouts of up to 12 hours caused by fuel shortages

Cuba’s power grid collapsed on Saturday leaving the country without electricity for a third time in March as the communist government battles with a decaying infrastructure and a US-imposed oil blockade.

The Cuban Electric Union, which reports to the Ministry of Energy and Mines, announced a total blackout across the island without initially giving a cause for the outage.

Six fuel ships bound for Australia cancelled as Bowen concedes ‘flow of oil to Asian refineries has slowed’

Energy minister says war on Iran creating ‘uncertain environment’ but insists government doing ‘all the preparatory work’

Six oil ships bound for Australia have been cancelled in recent days but the federal government is not yet considering any drastic measures, the energy minister, Chris Bowen, says.

Bowen said on Sunday that six ships from Malaysia, Singapore and South Korea, which had been expected to arrive next month, were cancelled or deferred. The federal government was working to replace the ships, with some already substituted, the minister told ABC TV.

Ukraine war briefing: US, Ukrainian negotiators meet in Florida as Russian attacks kill more civilians

White House says talks ‘constructive’ but Russian negotiators not present; more civilians killed in country’s south-east by Moscow attacks. What we know on day 1,488

Ukrainian and US negotiators trying to secure a peace settlement of Russia’s invasion opened their latest round of talks in Florida on Saturday, with more discussions planned through the weekend. Russian representatives did not attend the meeting. “We continued discussing key issues and the next steps within the negotiation track,” the chief Ukrainian negotiator, Rustem Umerov, posted on X. Russian and Ukrainian negotiators met at two sets of US-brokered talks in the United Arab Emirates this year and a round in Geneva last month. Moscow and Kyiv agreed on prisoner exchanges, but no breakthroughs were achieved.

The White House described the latest meeting as “constructive”, with discussions “focused on narrowing and resolving remaining items to move closer to a comprehensive peace agreement”.

Russian attacks killed four people in south-eastern Ukraine and left much of the northern region of Chernihiv without power on Saturday, officials said. Zaporizhzhia governor, Ivan Fedorov, said the morning attack on the city killed a man and a woman, and injured six others, including two children. In the adjacent Dnipropetrovsk region, officials said two people died in an area south-east of the main regional centre, Dnipro. Five people were injured in attacks at multiple places. In his nightly video address, President Volodymyr Zelenskyy said power had been cut to parts of Chernihiv region, where efforts were under way to fix damage after a drone strike on an energy facility. Power and water supplies have also been cut to parts of Kyiv.

Ukrainian forces shelled a public building in Russia’s border region of Belgorod on Saturday, killing four people, the regional governor said. Vyacheslav Gladkov, writing on Telegram, said the attack hit a “social site” in the village of Smorodino, without giving further details. The bodies of two women were pulled from under rubble, he said. Belgorod has come under frequent Ukrainian attack during the four-year war.

Authorities in nearly a dozen Russian regions in recent weeks cited various excuses to prevent demonstrations against internet censorship and the blocking of the popular messaging app Telegram. In most cases, they succeeded. Mindful of a crackdown on dissent since the invasion of Ukraine, activists decided not to risk holding unauthorised rallies, even if they weren’t about the war. Some went to court to challenge government refusals to authorise pickets, while others scaled them back to smaller indoor gatherings.

Tens of thousands of Czechs filled a large plain in Prague to rally against the government of the billionaire prime minister, Andrej Babiš, on Saturday, slamming it for “arrogance of power”. The Million Moments for Democracy movement organising the protest has criticised the government for “playing down” threats from Russia invading Ukraine. Protesters, some carrying Ukrainian flags, criticised its refusal to provide military aid to Ukraine. Babiš leads a three-party nationalist cabinet comprising his catch-all ANO party, the far-right SPD and the rightwing Eurosceptic Motorists. “[The government] is doing everything to drag us towards Russia and, together with Hungary and Slovakia, to dent the EU,” Marek Perutka, a conservationist carrying a Ukrainian flag, told Agence France-Presse.

Slashdot

News for nerds, stuff that matters

Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages

"We have removed all malicious artifacts from the affected registries and channels," Trivy maintainer Itay Shakury posted today, noting that all the latest Trivy releases "now point to a safe version." But "On March 19, we observed that a threat actor used a compromised credential..."

And today The Hacker News reported the same attackers are now "suspected to be conducting follow-on attacks that have led to the compromise of a large number of npm packages..." (The attackers apparently leveraged a postinstall hook "to execute a loader, which then drops a Python backdoor that's responsible for contacting the ICP canister dead drop to retrieve a URL pointing to the next-stage payload.")
The development marks the first publicly documented abuse of an ICP canister for the explicit purpose of fetching the command-and-control (C2) server, Aikido Security researcher Charlie Eriksen said... Persistence is established by means of a systemd user service, which uses the "Restart=always" directive so that the Python backdoor is automatically restarted after a 5-second delay if it gets terminated for any reason. The systemd service masquerades as PostgreSQL tooling ("pgmon") in an attempt to fly under the radar...

In tandem, the packages come with a "deploy.js" file that the attacker runs manually to spread the malicious payload to every package a stolen npm token provides access to in a programmatic fashion. The worm, assessed to be vibe-coded using an AI tool, makes no attempt to conceal its functionality. "This isn't triggered by npm install," Aikido said. "It's a standalone tool the attacker runs with stolen tokens to maximize blast radius."

To make matters worse, a subsequent iteration of CanisterWorm detected in "@teale.io/eslint-config" versions 1.8.11 and 1.8.12 has been found to self-propagate on its own without the need for manual intervention... [Aikido Security researcher Charlie Eriksen said] "Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats."

So far the affected packages include 28 in the @EmilGroup scope and 16 in the @opengov scope, according to the article, which attributes the attack to "a cloud-focused cybercriminal operation known as TeamPCP."

Ars Technica explains that Trivy had "inadvertently hardcoded authentication secrets in pipelines for developing and deploying software updates," leading to a situation where attacks "compromised virtually all versions" of the widely used Trivy vulnerability scanner:

Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The attack began in the early hours of Thursday. When it was done, the threat actor had used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags to use malicious dependencies... "If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately," Shakury wrote.
Security firms Socket and Wiz said that the malware, triggered in 75 compromised trivy-action tags, causes custom malware to thoroughly scour development pipelines, including developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and whatever other secrets may live there. Once found, the malware encrypts the data and sends it to an attacker-controlled server. The end result, Socket said, is that any CI/CD pipeline using software that references compromised version tags executes code as soon as the Trivy scan is run... "In our initial analysis the malicious code exfiltrates secrets with a primary and backup mechanism. If it detects it is on a developer machine it additionally writes a base64 encoded python dropper for persistence...."

Although the mass compromise began Thursday, it stems from a separate compromise last month of the Aqua Trivy VS Code extension for the Trivy scanner, Shakury said. In the incident, the attackers compromised a credential with write access to the Trivy GitHub account. Shakury said maintainers rotated tokens and other secrets in response, but the process wasn't fully "atomic," meaning it didn't thoroughly remove credential artifacts such as API keys, certificates, and passwords to ensure they couldn't be used maliciously.
"This [failure] allowed the threat actor to perform authenticated operations, including force-updating tags, without needing to exploit GitHub itself," Socket researchers wrote.
Pushing to a branch or creating a new release would have appeared in the commit history and triggered notifications, Socket pointed out, so "Instead, the attacker force-pushed 75 existing version tags to point to new malicious commits." (Trivy's maintainer says "we've also enabled immutable releases since the last breach.")
Ars Technica notes Trivy's vulnerability scanner has 33,200 stars on GitHub, so "the potential fallout could be severe."
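The two checks a pipeline owner would want after reading this are (a) whether any workflow still references an action by a mutable tag or branch rather than a full commit SHA, and (b) whether an action's existing tags have been moved to different commits, which is exactly what a force-push leaves behind. The script below is an added example written for this story; it is not code from Trivy, Socket, Aikido or Ars Technica. The workflow file, the action names other than `actions/checkout` and `aquasecurity/trivy-action`, the `v0.0.0`/`v0.0.1`/`v0.0.2` tags and all commit hashes are constructed for illustration; the `git ls-remote --tags` snapshots are constructed strings in the real command's output format, not captured from any repository.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A `uses:` step in a GitHub Actions workflow, e.g. `- uses: owner/action@ref`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Flag every third-party action that is not pinned to a full commit SHA.
    A tag or branch name can be force-pushed to another commit at any time;
    a 40-hex commit SHA cannot be silently redirected."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local composite action or docker image: out of scope here
        if "@" not in spec:
            findings.append(Finding(line_no, spec, "", "no ref: resolves to the default branch"))
            continue
        action, ref = spec.rsplit("@", 1)
        if FULL_SHA_RE.match(ref):
            continue
        if SHORT_SHA_RE.match(ref):
            reason = "abbreviated SHA: pin the full 40-hex commit"
        else:
            reason = "mutable tag or branch: a force-pushed tag changes the code you run"
        findings.append(Finding(line_no, action, ref, reason))
    return findings


def parse_ls_remote_tags(output: str) -> dict[str, str]:
    """Turn `git ls-remote --tags <repo>` output into {tag: commit_sha}.
    An annotated tag is listed twice: `refs/tags/X` (the tag object) and
    `refs/tags/X^{}` (the commit it points at); the peeled entry wins."""
    tags: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def tag_drift(recorded: dict[str, str], observed: dict[str, str]) -> dict[str, tuple[str, Optional[str]]]:
    """Compare an earlier tag->commit snapshot with a fresh one. A tag whose
    commit changed (or vanished) is the signature of a force-pushed tag, and
    any pipeline that consumed it since should treat its secrets as exposed."""
    return {tag: (sha, observed.get(tag)) for tag, sha in recorded.items() if observed.get(tag) != sha}


# Constructed sample workflow (hashes and the non-Trivy action names are made up).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@v0.0.0
      - name: build
        uses: ./.github/actions/build
      - uses: some-org/some-action@main
      - uses: other-org/tool
"""

# Constructed `git ls-remote --tags` snapshots: after the second one, v0.0.1 points elsewhere.
SNAPSHOT_BEFORE = (
    "a" * 40 + "\trefs/tags/v0.0.1\n"
    + "b" * 40 + "\trefs/tags/v0.0.2\n"
    + "c" * 40 + "\trefs/tags/v0.0.2^{}\n"
)
SNAPSHOT_AFTER = (
    "d" * 40 + "\trefs/tags/v0.0.1\n"
    + "b" * 40 + "\trefs/tags/v0.0.2\n"
    + "c" * 40 + "\trefs/tags/v0.0.2^{}\n"
)

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
    drift = tag_drift(parse_ls_remote_tags(SNAPSHOT_BEFORE), parse_ls_remote_tags(SNAPSHOT_AFTER))
    for tag, (old, new) in drift.items():
        print(f"tag {tag} moved from {old[:12]} to {(new or 'deleted')[:12]}")
```

In practice the "before" snapshot is whatever you recorded at the time you last reviewed the action (or the SHA in the pin comment beside each `uses:` line), and the "after" snapshot is the live output of `git ls-remote --tags`; a non-empty drift map is the cue to rotate the pipeline's secrets, as the maintainer's advice above says, rather than merely to re-pin.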

OMD EM1 3.22.2026 bird 1

uchi uchi has added a photo to the pool:

OLYMPUS DIGITAL CAMERA