Posted by: sadface - 10-24-2024, 08:24 AM - Forum: BSDforAll
- No Replies
Old news again, but... Mar 18, 2022 2:31 pm
When code with millions of downloads nukes user files, bad things can happen.
A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software.
The application, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
A deliberate and dangerous act
Two weeks ago, the node-ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the node-ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.
To conceal the malice, node-ipc author Brandon Nozaki Miller base-64-encoded the changes to make things harder for users who wanted to visually inspect them to check for problems.
This is what those developers saw:
Code:
+ const n2 = Buffer.from("Li8=", "base64");
+ const o2 = Buffer.from("Li4v", "base64");
+ const r = Buffer.from("Li4vLi4v", "base64");
+ const f = Buffer.from("Lw==", "base64");
+ const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
+ const e = Buffer.from("cnVzc2lh", "base64");
+ const i = Buffer.from("YmVsYXJ1cw==", "base64");
These lines were then passed to the timer function, such as:
Code:
+ h(n2.toString("utf8"));
The values for the Base64 strings were:
n2 is set to: ./
o2 is set to: ../
r is set to: ../../
f is set to: /
When passed to the timer function, the lines were then used as inputs to wipe files and replace them with the heart emoji.
“At this point, a very clear abuse and a critical supply chain security incident will occur for any system on which this npm package will be called upon, if that matches a geolocation of either Russia or Belarus,” wrote Liran Tal, a researcher at Snyk, a security company that tracked the changes and published its findings on Wednesday.
Tal found that the node-ipc author maintains 40 other libraries, with some or all of them also being dependencies for other open source packages. Referring to the node-ipc author’s handle, Tal questioned the wisdom of the protest and its likely fallout for the open source ecosystem as a whole.
“Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community?" Tal wrote. "Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?”
RIAEvangelist also came under fire on Twitter and in open source forums.
"This is like Tesla intentionally putting in code to detect certain drivers and if they vaguely match the description then to auto drive them into the nearest phone pole and hoping it only punishes particular drivers," one person wrote. A different person added: "What if the deleted files are actually mission critical that can kxll others?"
Protestware comes of age
The node-ipc update is just one example of what some researchers are calling protestware. Experts have begun tracking other open source projects that are also releasing updates calling out the brutality of Russia’s war. This spreadsheet lists 21 separate packages that are affected.
One such package is es5-ext, which provides code for the ECMAScript 6 scripting language specification. A new dependency named postinstall.js, which the developer added on March 7, checks to see if the user’s computer has a Russian IP address, in which case the code broadcasts a “call for peace.”
“The people of Ukraine are fully mobilized and ready to defend their country from the enemy invasion,” the message translated into English read in part. “91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.” Here’s a snippet of the code:
The protestware event exposes some of the risks posed when armies of volunteer developers produce the code that’s crucial for hundreds or thousands of other applications to run. Some open source software automatically downloads and incorporates new dependency versions, and even for those that don't, the vast amount of code often makes manual reviews infeasible. That means an update from a single individual has the potential to throw a wrench in an untold number of downstream applications.
This risk was on full display in January, when the developer of two JavaScript libraries with more than 22 million downloads pushed an update that caused more than 21,000 dependent apps to spew gibberish, prefaced by the words “Liberty Liberty Liberty.” An infinite loop produced by the update sent developers scrambling as they attempted to fix their malfunctioning apps.
The disk-wiping function was added to node-ipc versions 10.1.1 and 10.1.2. Following the outcry over the wiper, the developer released updates that removed the malicious function. Snyk recommends that developers stop using the package altogether. If that’s not possible, the company advises the use of an npm package manager to override the sabotaged versions and pin a known good version.
“Snyk stands with Ukraine, and we’ve proactively acted to support the Ukrainian people during the ongoing crisis with donations and free service to developers worldwide, as well as taking action to cease business in Russia and Belarus,” Tal wrote. “That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”
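As an added example (not code from the article or from node-ipc itself), a small review aid in Python that decodes the `Buffer.from(..., "base64")` literals found in a dependency's source and flags decoded values a reviewer should look at, such as path fragments or geolocation field names. The sample input is the diff quoted in the post above, plus one harmless literal; the regex and the "suspicious" heuristic are this example's own assumptions.

```python
import base64
import re

# Constructed sample: the obfuscated constants quoted from the node-ipc diff
# above, plus one benign literal, embedded as a string so the scan runs offline.
SAMPLE_JS = '''
const n2 = Buffer.from("Li8=", "base64");
const o2 = Buffer.from("Li4v", "base64");
const r = Buffer.from("Li4vLi4v", "base64");
const f = Buffer.from("Lw==", "base64");
const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
const e = Buffer.from("cnVzc2lh", "base64");
const i = Buffer.from("YmVsYXJ1cw==", "base64");
const ok = Buffer.from("aGVsbG8=", "base64");
'''

# Matches `const <name> = Buffer.from("<b64>", "base64")`; the assignment part
# is optional so bare call sites are caught as well.
_PATTERN = re.compile(
    r'(?:(?:const|let|var)\s+(?P<name>\w+)\s*=\s*)?'
    r'Buffer\.from\(\s*["\'](?P<b64>[A-Za-z0-9+/=]+)["\']\s*,\s*["\']base64["\']\s*\)'
)

# Heuristic (assumption of this example): decoded values that are relative or
# absolute path fragments, or look like geolocation fields, deserve a look.
_SUSPICIOUS = re.compile(r'^(\.\.?/|/$|country|region|ip\b)', re.IGNORECASE)


def decode_base64_literals(source: str) -> list[dict]:
    """Return every base64 Buffer.from() literal in `source`, decoded.

    Each entry records the variable name (or None), the raw literal, the
    decoded text (None if it is not valid base64/UTF-8) and a suspicious flag."""
    findings = []
    for m in _PATTERN.finditer(source):
        raw = m.group("b64")
        try:
            decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = None
        findings.append({
            "name": m.group("name"),
            "raw": raw,
            "decoded": decoded,
            "suspicious": bool(decoded) and bool(_SUSPICIOUS.search(decoded)),
        })
    return findings


def suspicious_names(source: str) -> list[str]:
    """Names of variables whose decoded value matched the suspicious heuristic."""
    return [f["name"] for f in decode_base64_literals(source) if f["suspicious"]]


if __name__ == "__main__":
    for f in decode_base64_literals(SAMPLE_JS):
        flag = "  <-- review" if f["suspicious"] else ""
        print(f'{str(f["name"]):>4} = {f["raw"]:<18} -> {f["decoded"]!r}{flag}')
```

Run it over `node_modules/<package>/**/*.js` to get a decoded listing instead of opaque literals; the heuristic only prioritises what to read, it does not decide what is malicious.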
Posted by: sadface - 10-24-2024, 07:58 AM - Forum: BSDforAll
- No Replies
Quote:Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream
On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems.
The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.
"This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library," software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.
Researchers have spent the weekend gathering clues. Here's what we know so far.
What is xz Utils?
xz Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. xz Utils provides critical functions for compressing and decompressing data during all kinds of operations. xz Utils also supports the legacy .lzma format, making this component even more crucial.
What happened?
Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.
Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to xz Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.
It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor. Thomas Roccia, a researcher at Microsoft, published a graphic on Mastodon that helps visualize the sprawling extent of the nearly successful endeavor to spread a backdoor with a reach that would have dwarfed the SolarWinds event from 2020.
What does the backdoor do?
Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it's not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware.
Wait, how can a compression utility manipulate a process as security sensitive as SSH?
Any library can tamper with the inner workings of any executable it is linked against. Often, the developer of the executable will establish a link to a library that's needed for it to work properly. OpenSSH, the most popular sshd implementation, doesn’t link the liblzma library, but Debian and many other Linux distributions add a patch to link sshd to systemd, a program that loads a variety of services during the system bootup. Systemd, in turn, links to liblzma, and this allows xz Utils to exert control over sshd.
How did this backdoor come to be?
It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe_fprint function with a variant that has long been recognized as less secure. No one noticed at the time.
The following year, JiaT75 submitted a patch over the xz Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.
In January 2023, JiaT75 made their first commit to xz Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in xz Utils affairs. For instance, Tan replaced Collin's contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to xz Utils.
In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of xz Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into the following releases, according to security firm Tenable:
Can you say more about what this backdoor does?
In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.
Multiple people who have reverse-engineered the updates have much more to say about the backdoor.
Developer Sam James provided this overview:
This backdoor has several components. At a high level:
The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.
There are crafted test files in the tests/ folder within the git repository too. These files are in the following commits:
A script called by build-to-host.m4 unpacks this malicious test data and uses it to modify the build process.
IFUNC, a mechanism in glibc that allows for indirect function calls, is used to perform runtime hooking/redirection of OpenSSH's authentication routines. IFUNC is a tool that is normally used for legitimate things, but in this case it is exploited for this attack path.
Normally, upstream publishes release tarballs that are different than the automatically generated ones in GitHub. In these modified tarballs, a malicious version of build-to-host.m4 is included to execute a script during the build process.
This script (at least in versions 5.6.0 and 5.6.1) checks for various conditions like the architecture of the machine. Here is a snippet of the malicious script that gets unpacked by build-to-host.m4 and an explanation of what it does:
if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then
If amd64/x86_64 is the target of the build
And if the target uses the name linux-gnu (mostly checks for the use of glibc)
It also checks for the toolchain being used:
if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
exit 0
fi
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
LDv=$LD" -v"
if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
exit 0
And if you are trying to build a Debian or Red Hat package:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
This attack thusly seems to be targeted at amd64 systems running glibc using either Debian or Red Hat derived distributions. Other systems may be vulnerable at this time, but we don't know.
In an online interview, developer and reverse-engineer HD Moore confirmed the Sam James suspicion that the backdoor targeted either Debian or Red Hat distributions.
“The attack was sneaky in that it only did the final steps of the backdoor if you were building the library on amd64 (intel x86 64-bit) and were building a Debian or a RPM package (instead of using it for a local installation),” he wrote.
Paraphrasing observations from researchers who collectively spent the weekend analyzing the malicious updates, he continued:
When verifying an SSH public key, if the public key matches a certain fingerprint function, the key contents are decrypted using a pre-shared key before the public key is actually verified. The decrypted contents are then passed directly to system.
If the fingerprint doesn't match or the decrypted contents don't match a certain format, it falls back to regular key verification and no-one's the wiser.
The backdoor is super sneaky. It uses a little-known feature of the glibc to hook a function. It only triggers when the backdoored xz library gets loaded by a /usr/bin/sshd process on one of the affected distributions. There may be many other backdoors, but the one everyone is talking about uses the function indirection stuff to add the hook. The payload was encoded into fake xz test files and runs as a shellcode effectively, changing the SSH RSA key verification code so that a magic public key (sent during normal authentication) let the attacker gain access.
Their grand scheme was:
1) sneakily backdoor the release tarballs, but not the source code
2) use sockpuppet accounts to convince the various Linux distributions to pull the latest version and package it
3) once those distributions shipped it, they could take over any downstream user/company system/etc
Researchers from networking firm Akamai also explain well how the backdoor works:
The backdoor is quite complex. For starters, you won’t find it in the xz GitHub repository (which is currently disabled, but that’s besides the point). In what seems like an attempt to avoid detection, instead of pushing parts of the backdoor to the public git repository, the malicious maintainer only included it in source code tarball releases. This caused parts of the backdoor to remain relatively hidden, while still being used during the build process of dependent projects.
The backdoor is composed of many parts introduced over multiple commits:
Using IFUNCs in the build process, which will be used to hijack the symbol resolve functions by the malware
Including an obfuscated shared object hidden in test files
Running a script set during the build process of the library that extracts the shared object (not included in the repository, only in releases, but added to .gitignore)
The execution chain also consists of multiple stages:
The malicious script build-to-host.m4 is run during the library’s build process and decodes the “test” file bad-3-corrupt_lzma2.xz into a bash script
The bash script then performs a more complicated decode process on another “test” file, good-large_compressed.lzma, decoding it into another script
That script then extracts a shared object liblzma_la-crc64-fast.o, which is added to the compilation process of liblzma
This process is admittedly hard to follow. We recommend Thomas Roccia’s infographic for a great visual reference and in-depth analysis.
The shared object itself is compiled into liblzma, and replaces the regular function name resolution process. During (any) process loading, function names are resolved into actual pointers to the process memory, pointing at the binary code. The malicious library interferes with the function resolving process, so it could replace the function pointer for the OpenSSH function RSA_public_decrypt (Figure 1).
It then points that function to a malicious one of its own, which according to research published by Filippo Valsorda, extracts a command from the authenticating client’s certificate (after verifying that it is the threat actor) and passes it on to the system() function for execution, thereby achieving RCE prior to authentication.
What more do we know about Jia Tan?
At the moment, extremely little, especially for someone entrusted to steward a piece of software as ubiquitous and as sensitive as xz Utils. This developer persona has touched dozens of other pieces of open source software in the past few years. At the moment, it’s unknown if there was ever a real-world person behind this username or if Jia Tan is a completely fabricated individual.
Additional technical analysis is available from the above Bluesky thread from Valsorda, researcher Kevin Beaumont, and Freund’s Friday disclosure.
Is there a CVE tracking designation?
Yes, it's CVE-2024-3094.
How do I know if the backdoor is present on my device?
There are several ways. One is this page from security firm Binarly. The tool detects implementation of IFUNC and is based on behavioral analysis. It can automatically detect invariants in the event a similar backdoor is implanted elsewhere.
There's also a project called xzbot. It provides the following:
honeypot: fake vulnerable server to detect exploit attempts
ed448 patch: patch liblzma.so to use our own ED448 public key
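As an added example (not the Binarly or xzbot code referenced above), a Python screening check that combines the two facts the post establishes: the affected xz Utils versions are 5.6.0 and 5.6.1 (CVE-2024-3094), and the backdoor only reaches sshd when sshd loads liblzma, which on the affected distributions happens through libsystemd. It parses `xz --version` and `ldd /usr/sbin/sshd` output; the sample outputs are constructed, and the sshd path is an assumption.

```python
import re
import shutil
import subprocess
from typing import Optional

# Versions stated in the post as carrying the backdoor (CVE-2024-3094).
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}


def parse_xz_version(version_output: str) -> Optional[str]:
    """Extract the version from `xz --version`, whose first line reads
    'xz (XZ Utils) 5.6.1'; the following 'liblzma 5.6.1' line is ignored."""
    m = re.search(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)", version_output)
    return m.group(1) if m else None


def is_backdoored_version(version_output: str) -> bool:
    return parse_xz_version(version_output) in BACKDOORED_VERSIONS


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if `ldd` on the sshd binary lists liblzma in its load set.

    OpenSSH itself does not link liblzma; the post explains that Debian and
    Red Hat patch sshd to link libsystemd, which pulls liblzma in. That chain
    is what makes the version finding matter for sshd."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def assess(version_output: str, ldd_output: str) -> str:
    """Combine both observations into one verdict."""
    bad_version = is_backdoored_version(version_output)
    reachable = sshd_links_liblzma(ldd_output)
    if bad_version and reachable:
        return "AT RISK: backdoored xz version installed and sshd loads liblzma"
    if bad_version:
        return "UPDATE: backdoored xz version installed; sshd does not load liblzma"
    return "OK: xz version not in the affected set"


# Constructed sample outputs, shaped like the real commands print them.
SAMPLE_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd3c9f0000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2c000000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2be00000)\n"
)


def run_live_check(sshd_path: str = "/usr/sbin/sshd") -> str:
    """Run the real commands on this host (assumes a Linux box with xz and ldd)."""
    xz, ldd = shutil.which("xz"), shutil.which("ldd")
    if not (xz and ldd):
        return "SKIPPED: xz or ldd not found on this host"
    version_output = subprocess.run([xz, "--version"], capture_output=True, text=True).stdout
    ldd_output = subprocess.run([ldd, sshd_path], capture_output=True, text=True).stdout
    return assess(version_output, ldd_output)


if __name__ == "__main__":
    print("sample:", assess(SAMPLE_VERSION, SAMPLE_LDD))
    print("live:  ", run_live_check())
```

A version match is a screening signal, not proof either way: a distribution may ship a rebuilt 5.6.x without the payload, and the behavioural tools the post mentions (Binarly's scanner, xzbot's honeypot) are the way to confirm.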
Posted by: sadface - 10-23-2024, 09:52 AM - Forum: BSDforAll
- No Replies
Quote:WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware.
Over the past couple of years, information-stealing malware has become a scourge to security defenders worldwide as stolen credentials are used to breach networks and steal data.
Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware.
In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.
ClickFix campaigns have become increasingly common this year, with threat actors compromising sites to display banners showing fake errors for Google Chrome, Google Meet conferences, Facebook, and even captcha pages.
Malicious WordPress plugins
Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns.
"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko.
"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."
The malicious plugins utilize names similar to legitimate plugins, such as Wordfence Security and LiteSpeed Cache, while others use generic, made-up names.
The list of malicious plugins seen in this campaign between June and September 2024 are:
LiteSpeed Cache Classic
Custom CSS Injector
MonsterInsights Classic
Custom Footer Generator
Wordfence Security Classic
Custom Login Styler
Search Rank Enhancer
Dynamic Sidebar Manager
SEO Booster Pro
Easy Themes Manager
Google SEO Enhancer
Form Builder Pro
Rank Booster Pro
Quick Cache Cleaner
Admin Bar Customizer
Responsive Menu Builder
Advanced User Manager
SEO Optimizer Pro
Advanced Widget Manage
Simple Post Enhancer
Content Blocker
Social Media Integrator
Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign.
When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site.
When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners.
From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
As you can see from the image below, the threat actors log in via a single POST HTTP request rather than first visiting the site's login page. This indicates that it is being done in an automated manner after the credentials have been already obtained.
Once the threat actor logs in, they upload and install the malicious plugin.
While it is unclear how the threat actors are obtaining the credentials, the researcher notes it could be through previous brute force attacks, phishing, and information-stealing malware.
If you are a WordPress operator and are receiving reports of fake alerts being displayed to visitors, you should immediately examine the list of installed plugins, and remove any that you did not install yourself.
If you find unknown plugins, you should also immediately reset the passwords for any admin users to a unique password only used at your site.
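As an added example (not from the GoDaddy or BleepingComputer write-ups), a Python detector for the login pattern described above: a successful POST to wp-login.php from an address that never fetched the login form, followed by a plugin upload from the same address. The access-log lines are constructed; the paths and the 302-on-successful-login behaviour are standard WordPress, and the ten-minute window is this example's assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format). 198.51.100.7 is a
# normal admin who loads the login form first; 203.0.113.10 logs in with a
# single POST and immediately uploads a plugin, the pattern GoDaddy described.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Oct/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2024:10:01:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 50321 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Oct/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [20/Oct/2024:10:05:01 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 30210 "-" "python-requests/2.31"
203.0.113.10 - - [20/Oct/2024:10:05:02 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 8120 "-" "python-requests/2.31"
"""

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text: str) -> list[dict]:
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append({
                "ip": m.group("ip"),
                "ts": datetime.strptime(m.group("ts"), _TS_FMT),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
            })
    return entries


def find_automated_logins(text: str, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Flag successful logins (WordPress answers a correct POST /wp-login.php
    with a 302 redirect; a failed attempt re-renders the form with 200) that
    were not preceded by a GET of the login page from the same IP within
    `window`, and note whether a plugin upload followed from that IP."""
    entries = parse_log(text)
    last_login_get = {}
    uploads = defaultdict(list)
    for e in entries:
        if e["path"].startswith("/wp-admin/update.php") and "action=upload-plugin" in e["path"]:
            uploads[e["ip"]].append(e["ts"])
    flagged = []
    for e in entries:
        if not e["path"].startswith("/wp-login.php"):
            continue
        if e["method"] == "GET":
            last_login_get[e["ip"]] = e["ts"]
        elif e["method"] == "POST" and e["status"] == 302:
            seen = last_login_get.get(e["ip"])
            if seen is None or e["ts"] - seen > window:
                flagged.append({
                    "ip": e["ip"],
                    "ts": e["ts"].isoformat(),
                    "plugin_upload_followed": any(t >= e["ts"] for t in uploads[e["ip"]]),
                })
    return flagged


if __name__ == "__main__":
    for hit in find_automated_logins(SAMPLE_LOG):
        print(hit)
```

A hit with `plugin_upload_followed` set is the strongest signal; a bare hit can also be a browser that cached the login form, so treat it as a lead to correlate with the installed-plugin list.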
Posted by: sadface - 10-23-2024, 07:37 AM - Forum: BSDforAll
- No Replies
Quote:Quietly merged into this week's Linux 6.12-rc4 kernel was a patch that removes a number of kernel maintainers from being noted in the official MAINTAINERS file that recognizes all of the driver and subsystem maintainers.
Sent out last week by Linux's second-in-command Greg Kroah-Hartman was the patch dropping a dozen maintainers from the kernel. Greg simply commented in there:
"Remove some entries due to various compliance requirements. They can come back in the future if sufficient documentation is provided."
This includes the maintainer of the Acer Aspire 1 EC driver, Cirrus Logic CLPS711X ARM architecture, Baikal-T1 PVT hardware monitor driver, Libata PATA drivers, libata SATA AHCI Synopsys DWC controller drivers, ASCOT2E media drivers, MIPS Baikal-T1 platform driver, NTB IDT driver, PPTP driver, Renesas R-Car SATA driver, Renesas Super-H Ethernet Driver, and the UFS file-system. Just the maintainer entries are being removed and not the actual drivers themselves.
The commonality of all these maintainers being dropped? They appear to all be Russian or associated with Russia. Most of them with .ru email addresses.
In response on the Linux kernel mailing list it was asked by others what are the "compliance requirements" and "sufficient documentation" needed... So far there isn't any public comment by Greg Kroah-Hartman. Presumably this is due to sanctions on Russia involving the war in Ukraine.
This is just dropping Russian maintainers from the kernel but isn't clear if patches from them will be accepted moving forward. Similarly, the driver code remains within the kernel -- including for Russian hardware such as around the Baikal CPUs from Russia's Baikal Electronics. So right now it appears to be little more than just not officially recognizing any formal kernel maintainers that are Russian.
Cutting videos in the terminal with chafa and ffmpeg
September 2024
I've been working on a video editor for the terminal: demo.webm.
This might be my favorite project yet. I'm excited to share a progress update.
SUCCESSES
It looks pretty! Terminal graphics libraries always look pretty. AA-lib, for example, makes ASCII art in the terminal. And catimg makes pixel art. But I'm using a library called chafa. Chafa looks better, especially at small sizes, because it uses a variety of symbols. I recommend browsing chafa's blog posts and gallery to see all the pretty examples.
It's performant! At first, I was getting only a few frames per second with full CPU usage. But after tweaking some parameters with chafa and ffmpeg, I can play videos at 2x speed with 20-30 frames per second. That's enough for smooth video playback.
I'm happy! I wanted to make a terminal video editor two years ago, but that was too ambitious for me at the time. Now it's a reality. I love making my own tools. That's the thrill of programming -- you wish something existed, and then you make it happen.
SOME FFMPEG RECIPES
The whole program centers around two ffmpeg commands. The first command decodes a video into frames of pixels:
Input any video: mp4, mkv, mov, etc, or even a URL to a video
Downsize the video with -vf scale=iw/2:ih/2 to make the program faster
Start anywhere; for example, if jumping to the middle of a 60 minute video, start decoding from -ss 1800.000
Output pixels with -f rawvideo and -pix_fmt rgb24
Stream pixels through an output pipe: into the main program
In short: ffmpeg does all the heavy lifting. Ffmpeg converts the video to pixels, chafa converts the pixels into symbols, and the symbols are printed to the terminal.
The second ffmpeg command is for cutting videos. Say you recorded a screencast, and you wanted to trim away the ends of the video. If you knew the starting and ending timestamps, you could run something like:
But you'd have to watch the video in a media player, find the points to cut, write down those timestamps, and type this command. Or you'd have to upload your video to a cloud service and use their web frontend. That's too much friction. That's why I made this program: you can watch the video from the command-line, marking points to cut, and it will call this ffmpeg command for you.
I also wanted to share an interesting bug. I noticed that the program became unresponsive during longer videos. The strange part is that it always took 270 seconds, give or take.
I tried using different videos, slowing it down, speeding it up, and skipping frames. But the program still froze, endlessly waiting for the next frame after 270 seconds. I was stumped. There were no errors. Chafa worked fine. Ffmpeg worked fine. How could the program fail so consistently, regardless of the amount of bytes read?
After some digging, I found the answer: pipe capacity.
I had the ffmpeg process connected to two pipes: one for stdout, which produced pixels, and another for stderr, which produced error messages. I was reading bytes from the stdout pipe. But I was ignoring the stderr pipe.
                 ____________________
                /                    \
       stdout --> always reading pixels --> main program
      /         \____________________/
     /
ffmpeg
     \           ____________________
      \         / lots of messages  \
       stderr --> kept piling up
                \____________________/
If you've used ffmpeg, you know how verbose its stderr messages are. The messages look like this:
Those messages were silently accumulating in the stderr pipe. Since ffmpeg prints 2-3 messages per second, and each message is ~100 bytes, that means there were ~67500 bytes in the pipe after 270 seconds.
67500 bytes... that's right around the pipe capacity on my system, 65536 bytes! 270 seconds was no coincidence. That was how long it took for those ffmpeg messages to pile up and block the program.
You can reproduce this. Here's a script that runs ffmpeg continuously, redirecting stderr to a pipe, and printing the amount of bytes in the pipe after 270 seconds:
# Returns ~60500 for me.
# If you account for extra stderr messages in production,
# like video metadata and encoding information,
# that's right around 65536.
If you increase sleep 270 to something longer like sleep 500, you'll see that the pipe stays capped at 65536 bytes (or whatever the pipe capacity is on your system).
That bug was a real head-scratcher for me. I'm glad I figured it out. The simple fix is to pipe stderr to/dev/null.
NEXT STEPS
You can download the executable (1.1 MB) I've been using. You'll need an x86_64 Linux machine with chafa ^1.14 and ffmpeg ^3.4. Best case, you'll only need to run
apt install chafa ffmpeg
or a similar command on your system. Worst case, you'll fiddle with dependencies for a day and it still might not work
I think that's ugly. I want to slim down the installation to a one-liner command like cargo install or curl.
And I want it to work for anyone, whether they're on Linux, Windows, or Mac.
I also need to make videos play at a normal speed. Right now, the program shows a frame after sleeping every few milliseconds. This is usable but naïve. It does not account for the processing time in-between frames. And playback speed slows down because sleep() is not precise.
Once I make videos play at the proper speed, I can sync the renderer to audio playback. That would make it doubly useful. Sometimes I cut videos based on audio cues, not just visual cues. When audio is supported, it might earn the name "video editor".
For now, though, it's more of a "video cutter". I've tentatively named it vic. I've also considered vedi, vici, and vicu.
Naming is hard! I always think about the unwritten rules of naming command-line programs, especially regarding finger travel and searchability.
There's tons of small improvements to work on, too: fixing flickering labels, centering videos, capping video height, enabling segment removal, enabling control of playback speed, cleaning up error handling, yada yada yada... I'm not sure how much progress I'll make now that LMT2 is over. I really needed the weekly accountability with other developers. Maybe I'll join the next LMT2 cohort, or maybe I'll commit to weekly updates on this page.
EDIT - I published a repo a month later: github.com/wong-justin/vic. I fixed the video playback speed and metadata parsing, which should solve a lot of problems.
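The pipe-capacity freeze described in the post, reproduced as an added example in Python (not the author's code): a stand-in child process floods stderr the way ffmpeg does while the parent reads only stdout. With the stderr pipe created but never read, the child blocks once the pipe fills and never finishes; sending stderr to /dev/null (the post's fix) or draining it on a thread when the messages are wanted lets it complete. The child script and its fake ffmpeg log lines are constructed.

```python
import subprocess
import sys
import threading

# Constructed stand-in for ffmpeg: one line to stdout (the "pixels"), then
# ~140 KB of ffmpeg-style progress lines to stderr, then a final stdout line.
# Real ffmpeg emits 2-3 such lines per second, hence the ~270 s in the post;
# here the flood is immediate so the pipe fills in milliseconds.
CHILD = r"""
import sys
sys.stdout.write("frame\n"); sys.stdout.flush()
for i in range(2000):
    sys.stderr.write("frame=%4d fps=25 q=-0.0 size=N/A time=00:00:%02d.00 bitrate=N/A speed=1x\n" % (i, i % 60))
sys.stdout.write("done\n")
"""


def run_child(mode: str, timeout: float = 3.0) -> str:
    """Spawn the child, read its first stdout line, then wait for it to exit.

    mode = "ignore":  stderr is a pipe nobody reads (the bug in the post)
    mode = "discard": stderr goes to /dev/null (the post's fix)
    mode = "drain":   stderr is a pipe read to EOF on a thread (keeps messages)
    Returns "completed" if the child exited, "blocked" if it was still stuck
    writing to a full stderr pipe when `timeout` expired."""
    if mode in ("ignore", "drain"):
        stderr = subprocess.PIPE
    elif mode == "discard":
        stderr = subprocess.DEVNULL
    else:
        raise ValueError(mode)
    proc = subprocess.Popen([sys.executable, "-c", CHILD],
                            stdout=subprocess.PIPE, stderr=stderr)
    captured = []
    drainer = None
    if mode == "drain":
        drainer = threading.Thread(target=lambda: captured.append(proc.stderr.read()),
                                   daemon=True)
        drainer.start()
    first = proc.stdout.readline()          # arrives in every mode: the
    assert first == b"frame\n"              # stdout pipe itself is fine
    try:
        proc.wait(timeout=timeout)          # can the child get to its exit?
        result = "completed"
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        result = "blocked"
    proc.stdout.close()
    if drainer is not None:
        drainer.join()
    if proc.stderr is not None:
        proc.stderr.close()
    return result


def stderr_bytes_needed_to_block(bytes_per_msg: int = 100, msgs_per_sec: float = 2.5,
                                 seconds: int = 270) -> int:
    """The post's own arithmetic: bytes accumulated in the unread pipe."""
    return int(bytes_per_msg * msgs_per_sec * seconds)


if __name__ == "__main__":
    print("estimate after 270 s:", stderr_bytes_needed_to_block(), "bytes")
    for mode in ("ignore", "discard", "drain"):
        print(f"{mode:<8} -> {run_child(mode)}")
```

The "ignore" run takes the full timeout before reporting "blocked", which is the same symptom the post saw: no error anywhere, the child simply never produces the next frame.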
Quote:Once thought a haven from Israeli strikes, a Christian town in Lebanon is now a scene of carnage
Pervading everything was the overwhelming stench of rotting flesh mixed with concrete dust at the scene where 23 people including two children were killed, according to local officials.
A dead baby inside a destroyed pickup truck; a child’s severed arm buried in nearby rubble; toddler clothing and books shredded; flies swarming as officials collected body parts, some too small for body bags ending up in clear ziplock bags.
This was the aftermath of an airstrike Monday on the Lebanese Christian village of Aitou that Israel said had targeted a position held by Hezbollah, the Lebanese militant group.
Until then, this region of hilly olive groves and winding, sea-view roads had been a relative haven, one that felt far away from the war dominating Beirut and the country’s south.
Just last week, the area “was calm; everything was quiet,” Illy Edwan told NBC News as he surveyed the wreckage of his villa, which was reduced to rubble in the blast, its insulation and inner structure ripped to pieces, an adjacent vehicle twisted open like a burnt pretzel.
“My house used to be three-story, but look at it today,” he added.
Surrounding homes had glass and twisted metal strewn across their patios. Some nearby olive trees, laden with fruit ahead of the upcoming harvest, were also destroyed, their green leaves covered in gray soot from the explosion.
Hezbollah doesn’t usually have a presence here. But Edwan, who was not at home at the time of the bombing, said an official from the group had been visiting houses donating money to displaced people, some of whom had fled from southern Lebanon to escape the Israeli invasion, and asking about their concerns.
The Israel Defense Forces said in a statement that it had struck “a target belonging to the Hezbollah terrorist organization in northern Lebanon,” and that the reports of civilian casualties were “under review” and “being examined.”
Posted by: sadface - 10-22-2024, 05:28 AM - Forum: BSDforAll
- No Replies
Wow, poor salmon, poor animals.
Quote:More than 1m farmed salmon die at supplier to leading UK retailers
Mowi Scotland, which supplies Tesco, Asda and Sainsbury’s, blames a rise in sea temperatures for the deaths, while campaigners say expanding farms will make things worse
More than a million dead fish, the biggest mass die-off of farmed salmon in Scotland in a decade, have been recorded at a farm belonging to the UK’s largest supplier.
The deaths at two adjacent Mowi Scotland sites in Loch Seaforth on the Outer Hebrides – licensed as one farm by the Scottish government – rose to just over a million during the year-and-a-half production cycle that it usually takes to raise a salmon in seawater, and which in this case began in spring 2023. Mowi supplies salmon to retailers including Sainsbury’s, Tesco, Asda and Ocado. Many of its farms, including those in the Hebrides, are certified under the RSPCA Assured label, which guarantees higher animal welfare standards.
The data, analysed from government statistics by Scotland’s Coastal Communities Network (CCN), which exists to protect Scotland’s coastal and marine environments, and NGO Free Salmon, is “deeply concerning”, said John Aitchison, speaking on behalf of CCN’s 30 member groups. Mass deaths of farmed salmon are a growing problem, he said, and can in some cases be an indicator of poor welfare.
At the end of last year, when mortality in Scotland’s farms hit record levels, Chris Packham called for a halt to the expansion of the Scottish salmon farming industry. Despite this, salmon remains the UK’s second most popular fish (after tuna), with sales in the year to June worth £1.3bn.
“This is the first time since 2014 [when regular reporting began] that more than a million farmed salmon deaths have been reported at a single farm site in one production cycle,” said Aitchison. “We expect to see more salmon deaths in Scotland because farms are becoming even larger.”
Meanwhile, activist group Animal Rising filmed salmon at Seaforth during the same production cycle in which the million deaths occurred, with the video appearing to show sick fish with patches of raw, descaled flesh, scraped mouths and swollen or burst eyeballs.
Mowi Scotland confirmed the death total of 1.05 million fish, which it said was a combined figure for two sites, Seaforth and Noster.
Ben Hadfield, Mowi Scotland’s chief operating officer, rejected any suggestions mass mortality is a sign of poor welfare and said the deaths were due to an unprecedented rise in sea temperatures which resulted in jellyfish blooms, a problem blighting Scottish production. Jellyfish stings to salmons’ eyes, skin and gills risk health problems and death. “[Any] suggestion that this is caused by bad farming, fixation with profits [or] overstocking is … very false and misleading,” Hadfield said.
Salmon mortality at Mowi Scotland has fallen by two-thirds this year due to normalisation of temperatures, the company said.
Of the Animal Rising footage, Hadfield said it was selective. “What the video shows is fish with eye damage after, you would think, jellyfish stings or wounds that are healing after jellyfish blooms. It does not show the majority of the population.”
Much of the salmon sold in UK supermarkets comes with the RSPCA Assured label. Last month, the RSPCA suspended three Scottish salmon farming sites from the scheme after the release of covert video footage by an animal rights group that showed alleged breaches of welfare regulations.
An RSPCA Assured spokesperson said it had removed Fiunary salmon farm, owned by Scottish Sea Farms, from the scheme, while Mowi’s Loch Alsh and Bakkafrost’s Ardcastle were sanctioned and are receiving extra, unannounced inspections. After this, Scottish Sea Farms and Bakkafrost told the news website West Coast Today they had taken immediate remedial action at the affected sites, while Mowi said it was carrying out its own internal investigation and that the Loch Alsh site was not currently supplying any of its customers.
In the case of the one million salmon deaths at Mowi’s Loch Seaforth sites, neither the video nor the record deaths have threatened Mowi’s higher welfare label, an RSPCA Assured spokesperson told the Guardian, because jellyfish-linked disease outbreaks and “other waterborne insults” were beyond the supplier’s control.
Posted by: sadface - 10-21-2024, 09:09 AM - Forum: BSDforAll
- No Replies
Quote:Why is Ukraine’s army facing a desertion crisis? Thousands of men have abandoned their posts, blaming poor conditions on the front lines and open-ended service.
More Ukrainian soldiers have deserted the army this year than ever since the onset of a war that analysts say has seen both sides make gains and report losses.
Prosecutions for desertion from Ukraine’s army are thought to have hit at least 30,000 – quite possibly much more – already this year. This is several times the number in 2022, the year the war began when citizens and foreigners voluntarily poured into the military to push Russia back.
Those found guilty are given between five and 12 years in prison. However, some defectors say that is a better option than facing what might be an endless, undefined period on the battlefield. Desertion has become so common that Ukraine’s parliament, the Verkhovna Rada, took the unprecedented step of decriminalising first-time attempts to flee the army on August 20, 2024, as long as those caught agree to return to duty. Here’s why analysts say more men are leaving the army and why it is not just a problem for Ukraine:
According to the Kyiv Post, it is believed that about 60,000 people have been facing criminal charges for fleeing their posts since the war started. The Ukrainian daily cited documents from the prosecutor general, with almost half of those cases initiated this year. However, British daily The Times also cited figures from the prosecutor general which, it said, showed some 51,000 criminal cases were initiated for desertion and abandonment of a military unit between January and September of this year. El Pais newspaper cited a closer figure of 45,543 desertions between January and August this year, which it said was data from the Prosecutor General’s Office which had been leaked to the Ukrainian press. All these figures are much higher than the 22,000 criminal charges filed for the same offence in 2023 and just 9,000 cases in 2022.
It is unclear if those fleeing the army are mostly conscripts, or if some who earlier volunteered are also abandoning their posts. Volunteers who are not Ukrainian are allowed to withdraw from the army after six months of fighting. However, for Ukrainian conscripts – that is, those mandated to join the fighting by a general mobilisation law that has been in force since March 2022 – conscription is for life. There is no time limit placed on it.
Why are so many soldiers deserting?
Low morale caused by exhaustion is the main reason. Soldiers complain of having to grind through for days on end under heavy fire without a pause because there is no one to relieve them. Those on the front lines have told the media that they have gone from battle to battle with little rest since Russia’s invasion in 2022. Troops are allowed to take 10 days off twice a year, but manpower shortages sometimes delay even those vacations. Soldiers and their families are pushing for breaks that range between a month’s vacation and a three-year rotation.
One soldier placed under investigation for desertion – Serhii Hnezdilov, who is also a journalist – told The Times newspaper in the UK: “At least in prison you know when you will be able to leave.” He was arrested after writing about his decision to leave the army on Facebook in protest against conditions in the army.
What condition is the army in?
It is not clear how many men Ukraine has lost in the war, but analysts say they might be in the tens of thousands. Western estimates put it at 80,000 soldiers. Experts say the rising number of desertion cases comes as Ukraine faces a shortage of soldiers on the battlefield – a problem it is trying to solve by forcefully mobilising fighters. As few as five to seven Ukrainian soldiers are having to face some 30 soldiers from the Russian side in some cases, Simon Schlegel, an analyst with the Crisis Group, told Radio Free Europe, a Prague-based publication.
Analysts estimate there are about one million military personnel in the Ukrainian army compared with some 2.4 million on the Russian side, but neither country publishes those figures. Ukrainian army commanders put the ratio of Russian versus Ukrainian combatants at 10 to 1.
Insufficient manpower is an old problem for Ukraine, even before the start of the war and despite early enthusiasm to join the military right after the invasion, analyst Keir Giles of the United Kingdom’s Chatham House think tank told Al Jazeera. “Ukraine has been grappling with this for a long time,” he said, adding that the low numbers could also be fuelling further desertions. “There’s exhaustion, there’s shell shock … The initial flush of excitement about the war has worn off, and some people have started to realise that this is for the long haul.” Alongside the mental and physical fatigue that many soldiers are suffering from prolonged periods at the front line, the Ukrainian army has to deal with inadequate weaponry and ammunition as well.
Despite some wins, including a major incursion into Russia’s Kursk region in August, Ukrainian troops have often found themselves on the back foot in the nearly 32-month-long war with Russia. Crucially, soldiers say they are poorly armed and complain of having the enemy in sight, watching them advance, and being unable to fire because they have no ammunition, according to accounts from soldiers reported by CNN. Many said they felt guilt for not being able to provide infantry units with adequate cover. Commanders have also told journalists that they have been forced to watch men from entire units die in the war because of the weapons shortage. Speaking in the United States Congress during a testimony on April 10, General Christopher Cavoli, head of US European Command, described Russia’s five-to-one advantage in artillery shells, predicting that would soon grow to 10 to one.
Why is the army in such a poor state?
Ukrainian officials blame Western allies – the European Union and the US – for being too slow to provide military aid. President Volodymyr Zelenskyy has repeatedly urged Washington, with Congress split on the issue of allocating more aid to Ukraine, to speedily deliver promised funds to allow the country to buy more artillery shells and air defence systems.
On April 24 this year, the US passed a bill after a delay of almost a year, granting a $61bn aid package largely meant for Ukraine. Military aid deliveries to the country as part of the package included vehicles, Stinger air defence munitions, ammunition for high-mobility artillery rocket systems and antitank munitions. In a statement on April 29, Zelenskyy thanked the US government and said the support had “started arriving” but reiterated a need for speedier help. “The speed of deliveries means stabilising the front,” Zelenskyy said.
European countries collectively delivered 118.2 billion euros ($128.2bn) to Ukraine between April 2022 and September 2024, while the US has delivered 84.7 billion euros ($91.9bn), according to data from the Germany-based Kiel Institute. Analysts say the upcoming US election that could see former President Donald Trump return to the White House is causing more uncertainty for Ukraine. Trump has repeatedly threatened to cut US funding to the country and many of his Republican Party members back him on the topic.
Are conscription laws fuelling desertions?
Ukraine’s martial law, which entered into force at the start of the war, mandates young men to join the military. Zelenskyy’s government says the army needs to enlist 500,000 out of about 3.7 million men of fighting age who are eligible for service. Since the president signed a renewed mobilisation law in April 2024, men between the ages of 25 and 60 are now eligible. Previously, the range was 27 to 60.
The updated law obliges men of fighting age to update their information with the authorities and tightens punishments for draft dodging, with fines increased from about $13 to $215 and violators facing several days in detention.
Some criticise the conscription decree as a whole for its seeming rigidity: there are no legal ways to leave the military as a conscript, unless under special circumstances such as raising a minor or a child with a disability or caring for a spouse with a disability or severe sickness.
Debates around drafting ages are also raging: some factions want to keep more young men at home to run the economy. Others, especially those in the military, say more active men are needed on the battlefield. Under Ukraine’s martial law, men are first drafted into military service in readiness for mobilisation or “call-up” when they actually go to fight.
President Zelenskyy faced some pressure before agreeing to sign the April law, reducing the drafting age to 25, according to Ukrainian media, amid calls to lower the drafting age to 20 or 18. Videos on social media show men from the Ukrainian army raiding bars and restaurants and forcefully dragging young men away if they refuse to be drafted under the new law. The decree requires eligible men, at home or abroad, to register and carry their drafting papers on them at all times.
Elena Davlikanova, a professor at Ukraine’s Sumy State University (SSU), says the age debate fails to focus on the real reasons why people do not want to sign up. “It is the lack of weapons and munitions that is the major stopper from mobilisation,” Davlikanova told Al Jazeera. “It would have been way cheaper to supply enough air defence systems on time than plan Ukraine’s reconstruction, the cost of which is close to half a trillion US dollars,” she added, referring to the estimated cost of rebuilding the devastated country.
Is there any way to avoid conscription?
Not officially. Martial law means those in the drafting age groups and categories are not allowed to leave the country. However, hundreds of young men have fled to neighbouring countries fearing conscription. Some have risked the freezing waters of the Tysa River, on the border with Romania, to get away, and many have drowned, according to Ukraine’s border patrol, which did not give specific numbers. Those caught trying to leave the country are often fined and then released.
Is Russia facing the same problem?
Manpower and weaponry problems are also putting pressure on the Russian side, experts say. However, there are still more Russian soldiers than Ukrainian at the moment, and Russia has taken about 19 percent of Ukraine’s territory since the war started. “We have to keep this context in mind when we talk about Ukraine because we don’t see what’s happening on the other end – Russia has years and years of practice keeping its information about losses secret,” Giles said.
Russian men aged between 18 and 30 are eligible to be drafted for a year. At present, conscripts are supposed to be legally exempt from combat if they do not have at least four months of training, although this is not happening in practice, analysts say.
Since the war started, Russian courts have tried some 8,000 cases of violations involving military personnel, more than 80 percent being desertions, according to Russian media outlet Mediazona. Earlier this year, however, Ukrainian military intelligence reported that 18,000 soldiers in Russia’s southern military district had deserted. The main reasons some give are a fear of getting wounded – or worse, dying – in a war that has no end in sight. By May, at least 500,000 Russian soldiers had either died or been wounded since the war began, according to the UK’s Ministry of Defence.
Alex Gatopoulos, Al Jazeera’s defence editor, noted that while Russia’s troop numbers might be bigger, “they’re not necessarily better”. The country is just catching up with Ukraine’s effective drone strategy, but Russian troops have lost an “exceptionally high number of tanks to Ukrainian attacks” as well as troops, he said. “For Russia, the only path to a military victory is through attrition and the use of its larger armed forces to grind down the smaller Ukrainian army,” Gatopoulos said, referring to a “meat grinder” strategy that sees Russia push soldiers to the front lines despite high death tolls.
Russia has tried to entice men to join the army. Authorities in August quadrupled the one-time payment for enlistment. Soldiers who sign up now receive nearly 1 million roubles ($11,500) – almost 23 times the average monthly pay of about $500. However, there is still little enthusiasm for joining up, analyst Kseniya Kirillova wrote in a paper for the US-based Center for European Policy Analysis. “Russia’s regions only achieved 50-60 percent of their recruitment targets in 2023 … some recruitment offices are now focusing on coercing conscripts,” Kirillova noted.