5M Linux Servers Hacked via One Print Job: Fortune 500 Port 631 Exposed

TL;DR

  • APT28 (Forest Blizzard) scales DNS hijacking campaign, compromising 200+ organizations via TP-Link routers to enable AiTM credential and session theft
  • Chaos malware evolves with SOCKS proxy capability, targeting misconfigured Hadoop deployments and Linux cloud servers in new 64-bit ELF variant
  • CUPS 2.4.16 and older versions vulnerable to unauthenticated RCE (as the lp user, chained to root through a CUPS-Create-Local-Printer race) via CVE-2026-34980 and CVE-2026-34990; no patch available as of April 2026

🐻‍❄️ 8M IPv4 Betrayed: APT28 DNS Hijack Hits 120 Nations, $1B Tab

8M IPs just asked a Kremlin DNS server for your Outlook password—like handing your house key to a bear wearing a tutu 🐻‍❄️💔 That’s every IPv4 in Belgium + Denmark, but sure, keep the factory “admin123”. Taxpayers foot the $1B clean-up so GRU can read your “confidential” lunch plans—who’s still running unpatched TP-Link in YOUR office closet?

Picture 8 million IP addresses, roughly every soul in New York City, quietly asking a Kremlin-run traffic cop where “outlook.com” lives. That’s what Forest Blizzard achieved by pwning 5,000 bargain-bin TP-Link boxes and rerouting their owners to look-alike log-in pages. No zero-day wizardry, just factory passwords left unchanged since 2019 and router bugs patched years ago.

How did a $0 exploit scale to 200 orgs?

  • Initial poke: scan for admin/admin; where that fails, fall back on six-year-old, long-patched CVEs. Either way the prize is the router’s WAN DNS setting, now pointed at a GRU-controlled resolver.
  • Persistence: the router’s own DHCP hands that resolver to every phone, laptop and thermostat (DHCP option 6), so no client ever has to be touched and a reboot changes nothing.
  • Pay-off: the hijacked name resolves to an AiTM proxy fronting a look-alike log-in page. TLS isn’t so much stripped as re-terminated on a domain the attacker controls; credentials are vacuumed, and the post-MFA session and OAuth cookies are relayed out gift-wrapped.
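What the “check your DNS, champ” memo should have shipped with, as an added example for this write-up (not the newsletter’s, CISA’s or TP-Link’s code): a small Python resolver-drift check that reads the nameservers a host was handed, flags any outside an allowlist, and asks both the suspect resolver and a reference resolver where outlook.com lives so the two answers can be compared. The allowlist networks and the reference resolver address are placeholders (assumptions) to replace with your own; the sample resolv.conf is constructed.

```python
"""Resolver-drift check for the DNS-hijack scenario above.

Added example for this write-up; not code from the newsletter or any vendor.
TRUSTED_RESOLVER_NETS and REFERENCE_RESOLVER are placeholders (assumptions).
"""
import ipaddress
import random
import socket
import struct

# ASSUMPTION: the resolvers your DHCP is *supposed* to give clients.
TRUSTED_RESOLVER_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "9.9.9.9/32")]
# ASSUMPTION: an out-of-band resolver whose answers you trust for comparison.
REFERENCE_RESOLVER = "9.9.9.9"

def parse_resolv_conf(text):
    """Nameserver IPs from resolv.conf-style text; comments are ignored."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def rogue_resolvers(servers, allowed=TRUSTED_RESOLVER_NETS):
    """Resolvers outside every allowlisted network (unparsable entries count too)."""
    def is_allowed(server):
        try:
            return any(ipaddress.ip_address(server) in net for net in allowed)
        except ValueError:
            return False
    return [s for s in servers if not is_allowed(s)]

def build_a_query(name, txid=None):
    """Minimal DNS query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1), txid

def _skip_name(pkt, off):
    """Advance past a domain name, compressed (0xC0 pointer) or not."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length

def parse_a_answers(pkt, txid):
    """A-record IPs from a DNS reply; raises on txid mismatch or non-zero RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4            # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips

def query_a(name, server, timeout=3.0):
    """Ask one resolver over UDP where `name` lives (live network call)."""
    query, txid = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_answers(reply, txid)

def answers_disagree(local, reference):
    """True when the two answer sets share no A record: a hijack signal, not proof."""
    return not (set(local) & set(reference))

if __name__ == "__main__":
    # CONSTRUCTED sample: resolv.conf as a tampered router's DHCP leaves it.
    sample = "search corp.example\nnameserver 10.0.0.53\nnameserver 203.0.113.7\n"
    print("rogue resolvers:", rogue_resolvers(parse_resolv_conf(sample)))
    for server in parse_resolv_conf(sample):      # live queries; needs network
        try:
            local = query_a("outlook.com", server)
            ref = query_a("outlook.com", REFERENCE_RESOLVER)
            print(server, local, "disagree with reference:", answers_disagree(local, ref))
        except (OSError, ValueError) as exc:
            print(server, "no usable answer:", exc)
```

Run it from a box behind the suspect router. A resolver outside the allowlist is the loud signal; differing A records are only a lead, because CDNs legitimately answer differently per vantage point, so check who owns the unexpected address before escalating.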

Impacts in parallel

  • Privacy: 8M IP queries hijacked → your inbox is their RSS feed.
  • Financial: >$1B global cleanup → every un-patched router becomes a quarterly write-off.
  • Geopolitical: 120 countries hit → diplomacy by credential leak.

Institutional response (a.k.a. the patch piñata)

TP-Link finally shipped firmware; CISA mailed “check your DNS, champ” memos; FBI sink-holed 18,000 GRU IPs. Uptake still lags because grandma won’t reflash firmware between bridge games, and nobody told her to check which resolver the router is handing out.

Outlook

  • Q3 2026: Script-kiddie forks code → 15% of SOHO routers still open, AiTM volume doubles.
  • 2027: EU mandates secure-by-design; prices rise 20%, black-market 2025 firmware lives on.
  • 2028: Attack migrates to smart-fridges; defenders still asking routers for their resolver IP like it’s a new concept.

Bottom line: If you won’t spend five minutes changing defaults, Russia spends zero to own your cloud. Upgrade or enjoy serving state-sponsored spam à la carte.


🩸 Chaos Malware Hijacks 1-Click Hadoop Clusters for Proxy-Resale Botnet

1-click + 0 auth = instant root on your Hadoop cluster 🤡 Chaos malware now sells your bandwidth like a cheap VPN 🩸 30% more infections next quarter—because patching is “optional” 🙃 Admins in China/EMEA, enjoy explaining that 3 a.m. ransom call to finance 💸 Who’s still leaving YARN naked in 2026?

Chaos, the router-bothering botnet that cut its teeth on grandma’s Wi-Fi, just graduated to 64-bit Linux and is squatting inside any Hadoop YARN ResourceManager dumb enough to leave its REST API on 8088 open to the world with no authentication. Two unauthenticated API calls later (ask for an application-id, then submit an “application” whose only job is a shell one-liner) it drops a systemd service named “chaos.service” (subtle, right?) and spins up a throw-away SOCKS5 proxy that vanishes after it’s done tunneling whatever sketchy traffic pays the rent. Darktrace caught it selling bandwidth by the gigabyte; Lumen saw it ping-ponging through Hong Kong IPs. Same malware, new hustle: your cloud CPU is now an Airbnb for crooks.

Asset pain: a shell on every un-auth Hadoop node as whatever user YARN runs as (on these 1-click deploys, too often root) → ransomware Christmas list.
Network pain: 159.89.46.92 becomes your new “upstream” → goodbye compliance budget.
Wallet pain: SOCKS-as-a-service undercuts legit VPNs at $2 per 100 GB → your cloud bill births a second cloud bill.

How the sausage is stuffed

  1. Scan for ResourceManagers answering on 8088, then POST to http://your-cluster:8088/ws/v1/cluster/apps/new-application and pocket the application-id it hands out, no auth asked.
  2. POST the application to /ws/v1/cluster/apps with an am-container-spec whose command curls the ELF, chmod +x, and enables chaos.service under systemd.
  3. Port 1080 opens, tunnels, then the proxy self-destructs; few forensic crumbs beyond the unit file, and the smell of burnt Ops budget.
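The same chain from the defender’s chair, as an added example for this write-up (not Chaos, Darktrace, Lumen or Hadoop project code): Python that classifies what a ResourceManager says to an unauthenticated POST on /ws/v1/cluster/apps/new-application, flags am-container-spec commands shaped like the dropper in step 2, spots a listener on the SOCKS port in `ss -lntp` output, and audits core-site/yarn-site XML for the settings that would have slammed the gate. The endpoint and property names are the real YARN/Hadoop ones; the sample responses, commands and XML are constructed, and the hardening target values are this editor’s assumptions to confirm against your Hadoop version’s docs.

```python
"""Unauthenticated-YARN check for the Chaos story above.

Added example for this write-up; not Chaos code, not Hadoop project code.
Endpoint and property names are real; samples are CONSTRUCTED and the
REQUIRED hardening values are ASSUMED targets, not vendor guidance.
"""
import json
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NEW_APP_PATH = "/ws/v1/cluster/apps/new-application"   # step 1 of the drop chain

def classify_new_app_response(status, body):
    """Verdict from what POST new-application returned.

    A 200 carrying an application-id means anyone can follow up with
    POST /ws/v1/cluster/apps and an am-container-spec 'commands' entry
    that a NodeManager will run as the YARN user.
    """
    if status in (401, 403):
        return "AUTH_REQUIRED"
    if status == 200:
        try:
            if "application-id" in json.loads(body):
                return "EXPOSED_UNAUTHENTICATED"
        except ValueError:
            pass
    return "UNKNOWN(%s)" % status

def probe_resource_manager(base_url, timeout=5):
    """Live version of the check (network call): POST, then classify."""
    req = urllib.request.Request(base_url.rstrip("/") + NEW_APP_PATH, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_new_app_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return classify_new_app_response(exc.code, "")

# fetch -> mark executable -> persist: the shape of the one-liner in step 2
DROPPER = re.compile(
    r"\b(curl|wget)\b[^;&|]*(\|\s*(ba)?sh\b|[;&]+\s*chmod\s+\+x)|\bsystemctl\s+enable\b",
    re.IGNORECASE,
)

def suspicious_am_command(command):
    """True if an am-container-spec command looks like a dropper, not a job."""
    return DROPPER.search(command) is not None

def socks_listeners(ss_lntp_output, port=1080):
    """(local address, process) pairs listening on the SOCKS port in `ss -lntp` output."""
    hits = []
    for line in ss_lntp_output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "LISTEN" and cols[3].rsplit(":", 1)[-1] == str(port):
            hits.append((cols[3], cols[5] if len(cols) > 5 else ""))
    return hits

# ASSUMED hardening targets; confirm against your Hadoop version's documentation.
REQUIRED = {
    "hadoop.security.authentication": "kerberos",
    "hadoop.http.authentication.type": "kerberos",
    "yarn.acl.enable": "true",
}

def hadoop_config_findings(xml_text):
    """Findings for core-site/yarn-site XML: missing auth, open ACLs, wildcard bind."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    findings = ["%s=%s (want %s)" % (k, props.get(k, "<unset>"), v)
                for k, v in REQUIRED.items() if props.get(k, "").lower() != v]
    if props.get("yarn.resourcemanager.webapp.address", "").startswith("0.0.0.0:"):
        findings.append("yarn.resourcemanager.webapp.address binds every interface")
    return findings
```

`probe_resource_manager("http://your-cluster:8088")` is the live call; everything else runs on captured text, so it drops into a triage script or a CI check of the cluster config without touching production.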

Reaction scorecard

  • Corporate Hadoop vendors: “We recommend Kerberos” → translation: “We recommend you read the manual we never wrote.”
  • Cloud providers: added yet another “best-practice” PDF to the console nobody opens.
  • Open-source detectors: 3 new YARA rules, 0 patches, because there is nothing to patch: an unauthenticated ResourceManager is a configuration choice, not a 0-day. Classic.

Outlook (bring band-aids)

  • Q3 2026: Chaos plug-ins for Spark & Kafka; expect +30 % scan noise and a fresh wave of “why is my Kafka selling sneakers?” tickets.
  • 2027: Encrypted SOCKS over TLS 1.3; DPI becomes an expensive hobby.
  • 2028: Proxy market share hits 12 %; Chaos IPO probably on a dark-web Times Square billboard.

Close: If your big-data box still greets strangers with “Welcome, root!” you’re not running a cluster—you’re running a public utility for anonymous jerks. Lock the YARN gate, burn port 1080, or keep paying the bandwidth tab for every hoodie on the planet.


😱 5 Million Linux Servers Open to Root-RCE via CUPS Print Queue: No Patch Yet

5 MILLION Linux boxes pwned by a PRINT JOB 😱—that’s every Debian server in the Fortune 500, minus the patch. One PostScript file → shell as lp → race to root, zero auth, lulz. Your “secure” DC? Just became a paper jam. Who’s still exposing port 631 like it’s 1999?

Your “harmless” office printer just became a $0.95 vending machine for crown-jewel access. Two fresh zero-days—CVE-2026-34980 & CVE-2026-34990—let any schmuck on the internet print themselves a root shell. No auth, no patch, no kidding.

How the hack works (spoiler: it’s stupidly simple)

  1. Fire a malformed PostScript job at TCP/631.
  2. CUPS copies attacker-controlled strings into the PPD it generates without stripping CR/LF, so an embedded newline starts a fresh *cupsFilter2 line naming a filter program of your choosing.
  3. cupsd runs that “filter” as user “lp” → code execution, but not root yet.
  4. Abuse a race in CUPS-Create-Local-Printer, grab an admin token, drop /etc/sudoers.d/pwn.
  5. Welcome to uid 0, population: you.

Impacts – the corporate pain parade

  • Downtime: 100% compromise → rebuild or re-image every affected host.
  • Data: every file, credential, customer DB → now an open book.
  • Compliance: HIPAA/PCI fines start at $250k per box → boardroom heartburn.
  • Reputation: “We lost the payroll DB to a printer” is not a great earnings-call sound-bite.

Institutional response so far

  • Upstream: commit hints at 2.4.17 “eventually”; no ETA, no code.
  • Vendors: Snort/Suricata sigs drop daily—whack-a-mole on a bullet.
  • Enterprises: scramble to firewall port 631; half still forget cupsd binds [::]:631 as well, so an IPv4-only rule closes nothing.
  • Community: GitHub gists full of one-liner mitigations; Slack channels roasting CUPS devs.
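For the port-631 scramble and the IPv6 blind spot in the bullets above, as an added example for this write-up (not CUPS project code, and not a fix for the CVEs named): Python that pulls exposed Listen/Port directives out of cupsd.conf, finds :631 sockets bound to a wildcard address on both 0.0.0.0 and [::] in `ss -lntup` output, and makes step 2 of the attack concrete with a toy PPD line writer in its trusting and its control-character-rejecting forms. The cupsd.conf and ss samples are constructed, and the PPD writer is a simplified stand-in for the real code path, not the actual CUPS function.

```python
"""CUPS exposure audit plus the attribute check behind step 2 above.

Added example for this write-up; not CUPS project code and not a patch for
the CVEs in the article. Config and ss samples are CONSTRUCTED; the PPD line
writer is a simplified stand-in for the real code path.
"""
import ipaddress
import re

WILDCARDS = {"0.0.0.0", "::", "*"}

def _host_port(addr):
    """'host:port', '[v6]:port' or '*:port' -> (host without brackets, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False          # a hostname: treat as exposed until proven otherwise

def exposed_in_cupsd_conf(conf_text):
    """Listen/Port directives that put cupsd on more than loopback."""
    exposed = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1]
        if key == "port":                                   # 'Port 631' == every interface
            exposed.append(raw.strip())
        elif key == "listen" and not val.startswith("/"):   # skip the UNIX domain socket
            host, _ = _host_port(val)
            if host in WILDCARDS or not _is_loopback(host):
                exposed.append(raw.strip())
    return exposed

def exposed_in_ss(ss_lntup_output, port="631"):
    """(proto, local address) for :631 sockets bound to a wildcard, v4 *and* v6:
    the IPv6 caveat from the article, plus udp/631, which is cups-browsed's port."""
    hits = []
    for line in ss_lntup_output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0] in ("tcp", "udp"):
            host, p = _host_port(cols[4])
            if p == port and host in WILDCARDS:
                hits.append((cols[0], cols[4]))
    return hits

# --- step 2: why a newline in an attribute becomes a forged *cupsFilter2 line ---
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def ppd_value_is_safe(value):
    """A value copied into a PPD must carry no CR/LF or other control bytes."""
    return CONTROL_CHARS.search(value) is None

def render_ppd_line_vulnerable(keyword, value):
    """'Before': trusts the value, so a '\\n*cupsFilter2: ...' inside it becomes a directive."""
    return '*%s: "%s"\n' % (keyword, value)

def render_ppd_line_hardened(keyword, value):
    """'After': reject control characters instead of writing them out."""
    if not ppd_value_is_safe(value):
        raise ValueError("control character in PPD attribute value")
    return render_ppd_line_vulnerable(keyword, value)

def forged_filters(ppd_text):
    """*cupsFilter2 lines in generated PPD text (diff them against the vendor PPD)."""
    return [ln for ln in ppd_text.splitlines() if ln.startswith("*cupsFilter2")]
```

Feed `exposed_in_cupsd_conf` the file from /etc/cups/cupsd.conf and `exposed_in_ss` the output of `ss -lntup`; anything they return that isn’t loopback is what the firewall rule has to cover, on both address families.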

Timeline – mark your misery calendar

  • Now–May 2026: botnets scan 631 at 20k hosts/hr; expect ransomware grafting print-to-root chains.
  • Jun 2026: first Fortune-500 breach disclosure; stock dips 8%.
  • Aug 2026: CUPS 2.4.17 ships; distros back-port by October.
  • Q1 2027: compliance frameworks finally add “disable shared queues” checkbox—after the horse has bolted, sold the farm, and started a crypto-coin.

TL;DR

If your Linux still serves printers to the world, you’re one nc away from becoming a cautionary tweet. Kill shared queues, firewall 631, and for the love of root, stop treating print daemons like harmless puppies—they’re rabid raccoons in a tie.


In Other News

  • GRU hackers compromise routers across Ukraine, Europe, and US to intercept data, SBU and FBI uncover operation
  • Covert acoustic eavesdropping attack turns fiber optic cables into listening devices
  • FBI warns U.S. users of foreign-developed apps stealing data under national security laws
  • XRP Ledger adds ML-DSA post-quantum digital signatures to AlphaNet test environment, generating 2,420-byte signatures to counter quantum threats