Security

Remote Work Without VPN Patches? Govt Security Agencies Reveal Most Exploited Vulnerabilities (esecurityplanet.com) 10

Slashdot reader storagedude quotes eSecurityPlanet : The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) joined counterparts in the UK and Australia Wednesday to announce the top 30 vulnerabilities exploited since the start of the pandemic.

The list, a joint effort with the Australian Cyber Security Centre (ACSC) and the UK's National Cyber Security Centre (NCSC), details vulnerabilities — primarily Common Vulnerabilities and Exposures (CVEs) — "routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021."

Many of the vulnerabilities are known ones for which patches exist, so they can typically be easily fixed. The agencies also recommended a centralized patch management system to prevent such oversights going forward.

Most of the vulnerabilities targeted in 2020 were disclosed during the last two years. "Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic," said a CISA statement. "The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching."

The vulnerabilities include a number of well-publicized ones from major vendors like Citrix, Microsoft, Fortinet, VMware and others, so a good portion of the blame can be placed on those who just aren't being vigilant with patching.

IT

Is Remote Work Forcing Smaller Cities to Compete With Big Tech Salaries? (indiatimes.com) 71

Remote working seems like a boon to smaller cities, Reuters reports: About 30 per cent of remote workers plan on moving, according to two recent surveys: an April poll of 1,000 tech workers by nonprofit One America Works and a June survey of 1,006 national remote workers for MakeMyMove, focused on intentions for the next 18 months... [T]he numbers mean a lot for some towns and cities that have seen "brain drains" to larger metropolitan areas, said Prithwiraj Choudhury, associate professor at the Harvard Business School.
But smaller cities are now also competing with big-tech recruiters, reports the Wall Street Journal: Some of the biggest names in tech aren't just allowing existing workers to relocate out of the Bay Area, they are also starting to hire in places they hadn't often recruited from before. The result is the most geographically distributed tech labor market to date. That's leading to above-market rates for workers in smaller hubs, forcing local companies to raise wages to keep up with the cost of living and fend off deeper-pocketed rivals from California.
IT

It's the Hottest Job Market in 20 Years for Tech Workers (bostonherald.com) 45

Tribune News Services says we're now experiencing the "hottest job market for tech workers since dot-com era": There's an air of desperation among tech employers this summer. Software talent, it seems, is in such high demand that companies are morphing how they hire. And workers are the ones with the power. Good and experienced tech workers are being treated like local celebrities — hounded by recruiters, courted by managers and bestowed a bevy of options before choosing their next boss...

The demand has been attributed to all sorts of things. During the pandemic, businesses that had been slow to adopt enterprise software began rapidly catching up. A tidal wave of productivity software, conferencing and collaboration tools, and e-commerce tech flooded the world. The same was true for consumer tech, with video game development, entertainment tech and social platforms booming. Many of these jobs are going unfilled, as competition for new hires ramps up. Simultaneously, remote work became the status quo in the tech industry. Suddenly, software talent could pick and choose from a massive pool of job opportunities...

To win a bid on a quality engineer, companies are offering things like flexible hours, sign-on bonuses and permanent remote work, the last of which has become a requirement for much of the workforce. Dice, a website and staffing firm that focuses on tech talent, published a report in June that found only 17% of technologists wanted to work in an office full time, while 59% wanted remote and hybrid approaches.

Communications

Chinese Hackers Used Mesh of Home Routers To Disguise Attacks (therecord.media) 23

An anonymous reader quotes The Record: A Chinese cyber-espionage group known as APT31 (or Zirconium) has been seen hijacking home routers to form a proxy mesh around its server infrastructure in order to relay and disguise the origins of their attacks.

In a security alert, the French National Cybersecurity Agency, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), published a list of 161 IP addresses that have been hijacked by APT31 in recent attacks against French organizations. French officials said that APT31's proxy botnet was used not only to perform reconnaissance operations against their targets, but also to carry out the attacks themselves. The attacks started at the beginning of 2021 and are still ongoing...

The Record understands that APT31 used proxy meshes made of home routers as a way to scan the internet and then launch and disguise its attacks against Exchange email servers earlier this year; however, the technique was also used for other operations as well.

Government

US Justice Department Says Russians Hacked Its Federal Prosecutors (apnews.com) 38

In January America's federal Justice Department said there was no evidence that Russian hackers behind the massive SolarWinds breach had accessed classified systems, remembers the Associated Press. But today? The department said 80% of Microsoft email accounts used by employees in the four U.S. attorney offices in New York were breached. All told, the Justice Department said 27 U.S. Attorney offices had at least one employee's email account compromised during the hacking campaign.

The Justice Department said in a statement that it believes the accounts were compromised from May 7 to Dec. 27, 2020. Such a timeframe is notable because the SolarWinds campaign, which infiltrated dozens of private-sector companies and think tanks as well as at least nine U.S. government agencies, was first discovered and publicized in mid-December... Jennifer Rodgers, a lecturer at Columbia Law School, said office emails frequently contained all sorts of sensitive information, including case strategy discussions and names of confidential informants, when she was a federal prosecutor in New York. "I don't remember ever having someone bring me a document instead of emailing it to me because of security concerns," she said, noting exceptions for classified materials...

The Associated Press previously reported that SolarWinds hackers had gained access to email accounts belonging to the then-acting Homeland Security Secretary Chad Wolf and members of the department's cybersecurity staff...

United States

Tech Companies Praised for 'Pandemic Leadership', Vaccine Mandates (indiatimes.com) 160

"America reported 122,000 new COVID-19 cases on Friday, the highest single-day spike since February," reports Business Insider. But when it comes to anti-Covid measures like vaccine mandates, America's technology companies have been "decisive trend setters," according to the New York Times' On Tech newsletter. Last year, some high-profile tech companies were relatively early to close their corporate offices as coronavirus outbreaks started in the United States, and they continued to pay many hourly workers who couldn't do their jobs remotely. Those actions from companies including Microsoft, Salesforce, Facebook, Google, Apple and Twitter probably helped save lives in the Bay Area and perhaps beyond. Now many of the same tech companies — along with schools and universities, health care institutions and some government employers in the United States — have started to announce vaccine mandates for staff, the resumption of requirements to wear masks, delayed reopenings of offices or on-site workplace vaccinations to help slow the latest wave of infections.

America's tech companies, which deserve criticism for misusing their power, also should get credit for using their power to take decisive action in response to virus risks. Those steps helped make it palatable for other organizations to follow. And in some cases, tech companies have acted more quickly in response to health threats and communicated about them more effectively than federal or local government leaders.

Disney, the world's largest entertainment company, is also requiring all salaried and nonunion hourly employees in the U.S. to be fully vaccinated, according to the Washington Post. Walmart, the nation's largest private employer at almost 1.6 million employees, announced all of its corporate staff members and regional managers would need to be fully vaccinated by Oct. 4. Though the mandate does not apply to store and warehouse staffers, which make up the bulk of the company's workforce, Walmart is offering a $150 bonus as incentive for those unvaccinated employees to get inoculated... While companies are pushing for vaccinations, they must contend with employees who are seeking exceptions for medical or religious reasons. Walmart said in a statement that while a "small percentage" of employees are unable to be vaccinated due to such reasons, those workers "must follow all social distancing standards, wear a mask while working, and receive weekly Covid-19 testing provided by Walmart...."

The news comes after corporate giants Google, Facebook and Uber announced their own vaccine mandates for employees this week. Companies such as Apple, Twitter, Lyft and the New York Times said they are delaying their return to the office due to the rising cases.

More examples from CNN:
  • BlackRock, the world's largest asset manager, is currently allowing only vaccinated employees to return to the office.
  • Morgan Stanley's New York office is banning all unvaccinated staff and clients from entering its headquarters.
  • Luxury department store chain Saks Fifth Avenue is requiring that all employees be vaccinated.
  • All new hires and current employees of the Washington Post will be required to demonstrate proof of full Covid-19 vaccinations.
  • As of August 2, all employees working in Lyft's offices are required to be vaccinated.
  • If Uber employees want to come back to the office, they must be fully vaccinated.

Android

New Android Malware Uses VNC To Spy and Steal Passwords From Victims (thehackernews.com) 15

A previously undocumented Android-based remote access trojan (RAT) has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud. The Hacker News reports: Dubbed "Vultur" due to its use of Virtual Network Computing (VNC)'s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named "Protection Guard," attracting over 5,000 installations. Banking and crypto-wallet apps from entities located in Italy, Australia, and Spain were the primary targets. "For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said in a write-up shared with The Hacker News. "The actors chose to steer away from the common HTML overlay development we usually see in other Android banking Trojans: this approach usually requires a larger time and effort investment from the actors to create multiple overlays capable of tricking the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result."

Vultur [...] takes advantage of accessibility permissions to capture keystrokes and leverages VNC's screen recording feature to stealthily log all activities on the phone, thus obviating the need to register a new device and making it difficult for banks to detect fraud. What's more, the malware employs ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public internet over secure tunnels, to provide remote access to the VNC server running locally on the phone. Additionally, it also establishes connections with a command-and-control (C2) server to receive commands over Firebase Cloud Messaging (FCM), the results of which, including extracted data and screen captures, are then transmitted back to the server.

ThreatFabric's investigation also connected Vultur with another well-known piece of malicious software named Brunhilda, a dropper that utilizes the Play Store to distribute different kinds of malware in what's called a "dropper-as-a-service" (DaaS) operation, citing overlaps in the source code and C2 infrastructure used to facilitate attacks. These ties, the Amsterdam-based cybersecurity services company said, indicate Brunhilda to be a privately operating threat actor that has its own dropper and proprietary RAT Vultur.

Security

Software Downloaded 30,000 Times From PyPI Ransacked Developers' Machines (arstechnica.com) 25

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday. Ars Technica reports: In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times. [...] Different packages from Thursday's haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name. The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It's not now known what the IP address was or if there was malware hosted on it.

Like most novice Python malware, the packages used only simple obfuscation, such as Base64 encoding. Karas told me that the first six packages had the ability to infect the developer computer but couldn't taint the code developers wrote with malware. "For both the pytagora and pytagora2 packages, which allow code execution on the machines on which they were installed, this would be possible," he said in a direct message. "After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don't have evidence that this was actually done."

Security

Russian Hackers Continue With Attacks Despite Biden Warning (bloomberg.com) 104

Security researchers say they have uncovered an ongoing hacking campaign carried out by suspected Russian spies who are continuing to stage attacks amid U.S. pressure on the Kremlin to curtail its alleged cyber-intrusions. From a report: The California-based cybersecurity firm RiskIQ Inc. said in a report released on Friday that it had uncovered more than 30 command and control servers -- used by cybercriminals to send orders to compromised networks or receive stolen data -- associated with the state-sponsored hacking group, which is known as APT29 or Cozy Bear. The group is using the servers to deploy malicious software named WellMess, according to RiskIQ. APT stands for "advanced persistent threat," and is a term often used to describe state-sponsored hacking groups.

In July last year, government agencies from the U.S., U.K., and Canada, said that APT29 was "almost certainly" part of the Russian intelligence services and accused it of hacking organizations involved in the development of the Covid-19 vaccine and stealing intellectual property. The same group was also allegedly involved in the 2016 hack on the Democratic National Committee and the breach of SolarWinds, which was disclosed last year, according to U.S. officials. The Russian embassy in Washington referred to an earlier statement, in which it urged journalists to stop "sweeping accusations" and said it was confident that discussions with the U.S. related to cyberspace would "improve the security of the information infrastructure of our countries."

Privacy

Estonia Says a Hacker Downloaded 286,000 ID Photos From Government Database (therecord.media) 11

Estonian officials said they arrested last week a local suspect who used a vulnerability to gain access to a government database and downloaded government ID photos for 286,438 Estonians. From a report: The attack took place earlier this month, and the suspect was arrested last week on July 23, Estonian police said in a press conference yesterday, July 28. The identity of the attacker was not disclosed, and he was only identified as a Tallinn-based male. Officials said the suspect discovered a vulnerability in a database managed by the Information System Authority (RIA), the Estonian government agency which manages the country's IT systems.

Microsoft

Windows 11 Now Has Its First Beta Release (theverge.com) 49

Microsoft has released the first beta of Windows 11, available to those enrolled in its Windows Insider Program. From a report: Until today, getting access to Windows 11 meant installing the Dev preview, which Microsoft says is for "highly technical users" as it has "rough edges." According to Microsoft, the beta release is less volatile, with builds being validated by Microsoft (though it's still probably something you'll want to install on a test machine or second partition). Of course, to install the beta you'll need a compatible computer. Figuring out if your hardware will work with the next version of Windows has been notoriously tricky to pin down, but Microsoft's article about preparing for Insider builds directs people to its system requirements page. The company has said that it will be paying close attention to how well 7th Gen Intel and AMD Zen 1 CPUs work during the testing period, so it's possible those systems could be allowed to run the beta but not the final release.

Android

New Android Malware Records Smartphones via VNC To Steal Passwords (therecord.media) 15

Security researchers have discovered a novel piece of Android malware that uses the VNC technology to record and broadcast a victim's smartphone activity, allowing threat actors to collect keyboard presses and app passwords. From a report: First spotted in March 2021 by Dutch security firm ThreatFabric, this new piece of malware, named Vultur, is a departure from other Android malware strains that usually rely on fake login screens floating on top of legitimate apps to collect a victim's credentials. Instead, Vultur opens a VNC server on the infected phone, and broadcasts screen captures to an attacker command and control server, where the Vultur operator extracts passwords for desired apps.

Links

What That Google Drive 'Security Update' Message Means (arstechnica.com) 9

An anonymous reader quotes a report from Ars Technica: "A security update will be applied to Drive," Google's weird new email reads. If you visit drive.google.com, you'll also see a message saying, "On September 13, 2021, a security update will be applied to some of your files." You can even see a list of the affected files, which have all gotten an unspecified "security update." So what is this all about? Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a "get link" option (where anyone with the link can access the file). The "get link" option works the same way as unlisted YouTube videos -- it's not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn't affect links you've shared in the past, and soon Google is going to require your old links to change, which can break them. Google's new link scheme adds a "resourcekey" to the end of any shared Drive links, making them harder to guess. So a link that used to look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/" will now look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w." The resource key makes it harder to guess. If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you'll see a button on the right to remove or apply the security update. "Applied" means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while "removed" means the resourcekey isn't required and any links out there should keep working.
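The two link shapes quoted above are enough to audit your own documents for shares that will stop working once the resourcekey becomes required. The following is an added example, not Google's code or the article's; it assumes only those two shapes, and the sample document and its first file ID are constructed.

```python
"""Audit text for Google Drive share links that still lack the resourcekey.

Added example, not Google's code or the article's. It assumes only the two link
shapes quoted in the article (old: /file/d/<id>/ ; new: ...?resourcekey=<key>);
the sample document and its first file ID are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

# A Drive file link: https://drive.google.com/file/d/<file id>/...  (IDs use URL-safe chars)
DRIVE_FILE_RE = re.compile(
    r"https://drive\.google\.com/file/d/(?P<id>[A-Za-z0-9_-]+)[^\s\"'<>]*"
)

def classify_drive_link(url):
    """Return (file_id, resourcekey) for a Drive file link; resourcekey is None if absent.

    Returns None for anything that is not a Drive file link.
    """
    m = DRIVE_FILE_RE.match(url)
    if not m:
        return None
    # Drop sentence punctuation that often sticks to a pasted URL (e.g. a trailing '.').
    clean = m.group(0).rstrip(".,;:)")
    query = parse_qs(urlparse(clean).query)
    keys = query.get("resourcekey")
    return m.group("id"), (keys[0] if keys else None)

def audit_drive_links(text):
    """Return [(file_id, resourcekey or None), ...] for every Drive file link in text.

    Entries whose key is None are the old-style links that the September 13, 2021
    update can break once the resourcekey becomes required.
    """
    return [classify_drive_link(m.group(0)) for m in DRIVE_FILE_RE.finditer(text)]

def unkeyed_links(text):
    """Just the file IDs that still need attention."""
    return [file_id for file_id, key in audit_drive_links(text) if key is None]

# Constructed sample document. The second link is the article's own example;
# the first uses a made-up ID so the two cases stay distinct.
SAMPLE_DOC = """\
Old share (pre-2017 style): https://drive.google.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz0123/
Updated share: https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.
Not a Drive link: https://example.com/file/d/ignored
"""

if __name__ == "__main__":
    for file_id, key in audit_drive_links(SAMPLE_DOC):
        status = "keyed (" + key + ")" if key else "NO resourcekey: will break after the update"
        print(file_id + ": " + status)
```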

YouTube is also making similar changes. "In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven't shared the link with them," says YouTube in a support page.

YouTube creators can decide to opt out of this change. They also have the option of making Unlisted pre-2017 videos public or re-uploading as a new Unlisted video at the expense of stats.

Security

Israel Begins Investigation Into NSO Group Spyware Abuse (technologyreview.com) 21

Israeli government officials visited the offices of the hacking company NSO Group on Wednesday to investigate allegations that the firm's spyware has been used to target activists, politicians, business executives, and journalists, the country's Ministry of Defense said in a statement today. From a report: An investigation published last week by 17 global media organizations claims that phone numbers belonging to notable figures have been targeted by Pegasus, the notorious spyware that is NSO's best-selling product. The Israeli Ministry of Defense did not specify which government agencies were involved in the investigation, but Israeli media previously reported that the Foreign Ministry, Justice Ministry, Mossad, and Military Intelligence were also looking into the company following the publication of the Pegasus Project. NSO Group CEO Shalev Hulio confirmed to MIT Technology Review that the visit had taken place, but continued the company's denials that the list published by reporters was linked to Pegasus.

"That's true," he said. "I believe it's very good that they are checking, since we know the truth and we know that the list never existed and is not related to NSO." The reports focused largely on the successful hacking of 37 smartphones of business leaders, journalists, and human rights activists. But they also pointed to a leaked list of over 50,000 more phone numbers of interest in countries that are reportedly clients of NSO Group. The company has repeatedly denied the reporting. At this point, both the source of and meaning of the list remain unclear, but numerous phones on the list were hacked according to technical analysis by Amnesty International's Security Lab. When asked if the government's investigation process will continue, Hulio said he hopes it will be ongoing. "We want them to check everything and make sure that the allegations are wrong," he added.

United States

White House Calls on America's Most Critical Companies To Improve Cyber Defenses (reuters.com) 66

The White House is signaling to U.S. critical infrastructure companies, such as energy providers, that they must improve their cyber defenses because additional potential regulation is on the horizon. From a report: U.S. President Joseph Biden signed a national security memorandum on Wednesday, launching a new public-private initiative that creates "performance controls" for cybersecurity at America's most critical companies, including water treatment and electrical power plants. The recommendations are voluntary in nature, but the administration hopes it will cause companies to improve their cybersecurity ahead of other policy efforts, said a senior administration official. The announcement comes after multiple high profile cyberattacks this year crippled American companies and government agencies, including a ransomware incident which disrupted gasoline supplies. "These are the thresholds that we expect responsible owners and operators to go," said the official. "The absence of mandated cybersecurity requirements for critical infrastructure is what in many ways has brought us to the level of vulnerability that we have today."

Security

Google Launches New Bug Hunters Vulnerability Rewards Platform (bleepingcomputer.com) 4

Google has announced a new platform and community designed to host all its Vulnerability Rewards Programs (VRP) under the same roof. From a report: Since launching its first VRP more than ten years ago, the company has rewarded 2,022 security researchers from 84 different countries worldwide for reporting over 11,000 bugs. [...] "To celebrate our anniversary and ensure the next 10 years are just as (or even more) successful and collaborative, we are excited to announce the launch of our new platform, bughunters.google.com," Google said.

"This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues." The new VRP platform should provide researchers with per-country leaderboards, healthier competition via gamification, awards/badges for specific bugs, and more opportunities for interaction. Google also launched a new Bug Hunter University, which would allow bug hunters to brush up on their skills or start a hunting learning streak.

Privacy

Is Your Phone Infected With Pegasus? (fossbytes.com) 75

Fossbytes has an article detailing how you can check to see if your mobile device is infected with the "Pegasus" spyware. What's Pegasus you ask? It's phone-penetrating spy software developed by NSO Group and sold to governments to target journalists and activists around the world. The CEO of NSO Group says law-abiding citizens have "nothing to be afraid of," but that doesn't help us sleep any better. Here's how to check if your device has been compromised (heads up: it's a bit of a technical and lengthy process): First off, you'll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you'll have to install libimobiledevice beforehand for that. Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system -- if you don't have it already. Here's how you can install the same for Windows, macOS, and Linux. After that, go through Amnesty's manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line. Now, let's go through the steps for detecting Pegasus on an iPhone backup using MVT.

First of all, you have to decrypt your data backup. To do that, you'll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path: "mvt-ios decrypt-backup -p password -d /decrypted /backup". Note: Replace "/decrypted" with the directory where you want to store the decrypted backup and "/backup" with the directory where your encrypted backup is located.

Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder. To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path: "mvt-ios check-backup -o /output -i /pegasus.stix2 /backup". Note: Replace "/output" with the directory where you want to store the scan result, "/backup" with the path where your decrypted backup is stored, and "/pegasus.stix2" with the path where you downloaded the latest IOCs.

After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix "_detected," then that means your iPhone data is most likely Pegasus-infected. However, the IOCs are regularly updated by Amnesty's team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.
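Once mvt-ios has written its output folder, the "_detected" files are what you actually read, and re-running the scan after an IOC refresh means comparing two such folders. The following is an added example, not part of the article or of MVT itself; it assumes only the "<module>_detected.json" naming the article describes, treats each such file as a JSON list of matches (an assumption), and writes constructed sample files rather than real scan results.

```python
"""Summarize Mobile Verification Toolkit (MVT) output and diff it across IOC refreshes.

Added example, not part of the Fossbytes article or of MVT itself. It assumes
only that MVT writes per-module "<module>_detected.json" files (as the article
describes) and that each holds a JSON list of matches; the sample files are
constructed here, not real scan results.
"""
import json
import tempfile
from pathlib import Path

SUFFIX = "_detected.json"

def summarize_mvt_output(output_dir):
    """Return {module: number_of_matches} for every *_detected.json in output_dir.

    An empty dict means no module recorded an IOC hit for this scan.
    """
    hits = {}
    for path in sorted(Path(output_dir).glob("*" + SUFFIX)):
        module = path.name[: -len(SUFFIX)]
        with path.open(encoding="utf-8") as fh:
            records = json.load(fh)
        # Assumption: a list of match records; anything else counts as one finding.
        hits[module] = len(records) if isinstance(records, list) else 1
    return hits

def compare_scans(previous, current):
    """Diff two summaries taken with different IOC sets.

    "new" modules fired only after the IOC refresh; "cleared" modules stopped
    firing, which is what a false positive dropped from the IOC list looks like.
    """
    return {
        "new": sorted(set(current) - set(previous)),
        "cleared": sorted(set(previous) - set(current)),
    }

def build_sample_output():
    """Write a constructed MVT-style output folder and return its path."""
    out = Path(tempfile.mkdtemp(prefix="mvt-sample-"))
    # A plain module dump (no "_detected" suffix) is not a finding and must be ignored.
    (out / "safari_history.json").write_text(
        json.dumps([{"url": "https://example.org/"}, {"url": "https://example.net/"}])
    )
    # Constructed match files; the record fields are placeholders, not MVT's schema.
    (out / "safari_history_detected.json").write_text(
        json.dumps([{"url": "https://ioc-placeholder.example/"}])
    )
    (out / "sms_detected.json").write_text(
        json.dumps([{"text": "constructed match 1"}, {"text": "constructed match 2"}])
    )
    return str(out)

if __name__ == "__main__":
    first = summarize_mvt_output(build_sample_output())
    print("detections per module:", first)
    # Re-scan against a newer IOC set (constructed: the SMS hits no longer match).
    print("after IOC refresh:", compare_scans(first, {"safari_history": 1}))
```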

Security

Olympics Broadcaster Announces His Computer Password on Live TV (vice.com) 57

In what is, at least so far, the biggest cybersecurity blunder of the Tokyo Olympics, an Italian TV announcer did not realize he was on air when he asked the password for his computer. Motherboard reports: "Do you know the password for the computer in this commentator booth?" he asked during the broadcast of the Turkey-China volleyball game, apparently not realizing he was still on air. "It was too hard to call the password Pippo? Pippo, Pluto or Topolino?" he complained, referring to the Italian names for Goofy, Pluto and Mickey Mouse. The snafu was immortalized in a video posted on Twitter by cybersecurity associate professor Stefano Zanero, who works at the Polytechnic University of Milan. A source who works at Eurosport, the channel which was broadcasting the volleyball game, confirmed that the video is authentic.

A colleague of the announcer can be heard in the background saying the password depends on the Olympics organizers, and asking the announcer if it's on a paper or post-it close by. Turns out the password was "Booth.03" after the number of the commentator's booth. "Even the dot to make it more complicated, as if it was NASA's computer," he said on the air. "Next time they will even put a semicolon." "Ma porca miseria," he concluded, using a popular Italian swear phrase that literally means "pork's misery" but is more accurately translated as "for god's sake."

Chrome

Google Explored New Safari-like Redesign for Chrome in 2016 -- But Decided Against It (read.cv) 26

Chris Lee, a former staff interaction designer at Google, writes in a blog post: Chrome Home was an ambitious redesign of mobile Chrome's main UI. It brought Chrome's toolbar to the bottom of the screen and turned it into a peeking panel that could be swiped to expose additional controls. I created the original concept and pitch for Chrome Home in 2016. It was based off two insights:

1. Phones were growing in size, and we had opportunity to innovate in creating a gestural, spatial interface that would still be usable with one hand.
2. Mobile Chrome was also growing in features - but because its minimalist interface kept everything behind a "three dot" menu, these features were underutilized and hard to access.

The idea caught traction internally, eventually becoming a Chrome org priority. I then led a team to execute and iterate on the concept. Executing on Chrome Home required rethinking not just the toolbar, but almost all of Chrome's UI: search, bookmarks, tabs, prompts, etc. To inform our decisions, we used a variety of prototyping and testing approaches of increasing fidelity. Ultimately, such a fundamental change to a web browser required nothing short of building it into the product and testing it in longitudinal studies and live beta experiments. We heard a mixture of reactions. The feature gained a cult following among the tech community. But for some mainstream users, the change felt disorienting. Chrome serves billions of users around the globe with varying tech literacy. I became increasingly convinced that launching Chrome Home would not serve all our users well. So just as strongly as I had pitched the original concept, I advocated for us to stop the launch -- which took not a small amount of debate.
Lee adds, "oh, and Safari in iOS 15 picked up some similar ideas and criticisms."

Security

Microsoft Warns of 'Evolving' LemonDuck Mining Malware Targeting Linux and Windows Machines (microsoft.com) 18

The threat intelligence team for Microsoft's 365 Defender security suite recently focused on an example of "modern mining malware infrastructure," describing how "Anything that can gain access to machines — even so-called commodity malware — can bring in more dangerous threats."

Specifically, it offered a case study of LemonDuck. The blog post's title? "When coin miners evolve..." Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck's threat to enterprises is also in the fact that it's a cross-platform threat. It's one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns... Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access... LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities... Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck's operation.
