Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Business

Four years have passed since the first publication of the research on Spectre and Meltdown, hardware vulnerabilities in modern processors. Since then, researchers have discovered several similar flaws that are potentially capable of leaking confidential data. The researchers also showed examples of attacks using these vulnerabilities, although most of them are unlikely to be used in the wild. In this post we look at the state of these hardware issues today and at their potential use to attack businesses.

Several variants of Spectre

The original August 2018 announcement revealed three vulnerabilities: Spectre v1 and v2, and Meltdown. Those vulnerabilities have several common features:

- Their exploitation usually involves the execution of malicious code on a vulnerable system, albeit with low privileges. The most dangerous option is an attack through a browser when visiting an infected web page.
- Practical exploitation requires a number of conditions; in particular, the code of the attacked application must allow data leakage, i.e. contain a so-called gadget, access to which makes the attack possible.
- The data leak itself occurs through side channels. Because of this, the speed of the data leak is extremely low.
- A successful attack may leave no traces of unauthorized data access at all.

The last point is precisely what aroused particular interest in this seemingly theoretical scientific work.

In all cases, researchers exploited the branch prediction system. This mechanism was introduced more than 20 years ago; it speeds up execution by running a set of instructions before the program explicitly requests them. If the prediction was correct, the processor resources are used more efficiently. If the prediction is wrong, the calculations are simply discarded. The proof of concept for Spectre v1 showed that the processor will read data that should be inaccessible to the program. That data is stored in the cache and can be retrieved from there through side channels. This mechanism was considered safe, because the erroneously read secret was never returned to the program. But researchers have found ways to read that data indirectly.

After the publication of the work on Spectre and Meltdown, several more similar vulnerabilities were discovered. Researchers continue to look for new methods of extracting secret data by exploiting these processor vulnerabilities. Intel's summary table lists more than 20 of these issues, in addition to the original three.

How to fight Spectre

Theoretically there are three ways to make a processor vulnerability less exploitable: vendors can issue a microcode update for existing processors, they can modify new CPUs, or they can try to solve the problem through software updates. Often true mitigation requires a combination of firmware and software updates. New microcode covering some of the vulnerabilities has been available for Intel processors since the 2013 Haswell generation. Hardware solutions were first implemented in the eighth generation of Intel processors, as well as in AMD's Zen 2 CPUs.

Software solutions can be quite tricky: as an example, you can look at the possible modifications in the Linux kernel against Spectre v1 and v2. A wide range of measures was discussed, depending on the goals and objectives of a particular system, including the complete disabling of speculative code execution, with serious consequences for CPU performance. For most organizations whose business model depends on the performance of a large fleet of servers, such a performance drop will be the most noticeable impact of anti-Spectre measures. A relatively recent benchmark on the Phoronix website, which examines the performance of various server applications, shows a 25% performance decrease on average when all anti-Spectre precautions in the Linux OS are enabled.

Practical attacks and proofs of concept

Despite the large number of attack types, the threat of data theft using Spectre is still theoretical. Although each piece of research contains some code that demonstrates the leak, this does not mean that this code can be used against a real system. The typical limitations of these demos or proofs of concept are as follows:

- They demonstrate a random data leak. It may not have any practical value; it is just random information that the attacker did not previously have access to.
- Researchers created ideal conditions for the attack. For example, they had unlimited access to the system. In this case, it is not necessary to use complex data exfiltration methods.
- They demonstrate a real data breach, but under highly unlikely conditions.

The most impressive theoretical work (in terms of possible consequences) is the NetSpectre attack. The researchers managed to demonstrate remote exploitation with data exfiltration at a speed of 15 to 60 bits per hour. The limitations of the attack are clear: a low data transmission rate, exfiltrated data that contains a huge amount of junk, plus the need for vulnerable code on the attacked server in the right place.

Two practical attacks, as close as possible to in-the-wild conditions, were shown last year. In March, Google showed the leaky.page concept: a web page that can extract data from RAM. In September, the Spook.js attack on the latest (at the time of the research) version of Google Chrome (92), with Spectre protection (isolation of web pages in separate browser processes) enabled, was demonstrated. This method allowed real data theft: researchers accessed credentials for a social network, password manager data, and an image uploaded by a user to a private cloud. But in all those cases, the successful data leak required an infected page located on the same domain. For example, stealing a Tumblr password involves uploading malicious JavaScript code to another page on the same social network.

So how dangerous is the threat?

Spook.js was neutralized with a software patch for the Google Chrome browser. Therefore, at this moment, there is no immediate threat of exploitation of Spectre vulnerabilities in real conditions. All known attacks are extremely complex and require the highest skill from the attacker. The most realistic proofs of concept were patched, and even without patches, their exploitation requires a large set of conditions. Even though media reports about real Spectre exploits have not been confirmed, security vendors have added tools to detect known attacks just in case, so most likely existing malware detection mechanisms can help to protect your company.

However, we should not completely ignore Spectre: it is important that research continues. There is a small chance that over time the worst-case scenario will be discovered: an attack that does not require the installation of malware, allows a data leak, and leaves no trace. Theoretically it is possible to conduct a targeted attack using hardware vulnerabilities if the value of the stolen data justifies it. Protection against such risks requires serious investment in identifying potential attack vectors, following the recommendations of OS developers, or implementing protection even at the cost of a serious performance drop. But for most companies, even large ones, it is enough to rely on the software and operating system developers, processor manufacturers, and security solutions.
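Before deciding whether the performance cost of the Linux mitigations discussed above is worth paying, a practitioner wants to know which ones a given host actually runs. The Linux kernel reports this per vulnerability in /sys/devices/system/cpu/vulnerabilities/; the script below is an added example, not code from the original post, that parses those status lines (the sample contents are constructed and the file names are real kernel ones) and flags anything still reported as Vulnerable.

```python
import os
import re
from typing import Dict, List, NamedTuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what the kernel exposes (file name -> file content).
# Real values vary by CPU, microcode and kernel command line.
SAMPLE_STATUS = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n",
    "meltdown": "Mitigation: PTI\n",
    "l1tf": "Not affected\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "tsx_async_abort": "Not affected\n",
}


class Status(NamedTuple):
    state: str   # "mitigated", "vulnerable", "not_affected" or "unknown"
    detail: str  # free text after the leading keyword, if any


# Status files start with one keyword, optionally followed by ':' or ';' and detail.
_LINE = re.compile(r"^(Mitigation|Vulnerable|Not affected|Unknown)(?:[:;]\s*(.*))?$")
_STATE = {
    "Mitigation": "mitigated",
    "Vulnerable": "vulnerable",
    "Not affected": "not_affected",
    "Unknown": "unknown",
}


def parse_status(text: str) -> Status:
    """Map one sysfs file body to a Status; unrecognised text becomes 'unknown'."""
    m = _LINE.match(text.strip())
    if not m:
        return Status("unknown", text.strip())
    return Status(_STATE[m.group(1)], m.group(2) or "")


def parse_all(files: Dict[str, str]) -> Dict[str, Status]:
    return {name: parse_status(body) for name, body in files.items()}


def read_sysfs(path: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the live files on a Linux host; returns {} where sysfs is absent."""
    if not os.path.isdir(path):
        return {}
    out: Dict[str, str] = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            out[name] = fh.read()
    return out


def unmitigated(statuses: Dict[str, Status]) -> List[str]:
    """Names of vulnerabilities the kernel still reports as Vulnerable."""
    return sorted(n for n, s in statuses.items() if s.state == "vulnerable")


if __name__ == "__main__":
    # Fall back to the constructed sample when not running on Linux.
    statuses = parse_all(read_sysfs() or SAMPLE_STATUS)
    for name, s in statuses.items():
        print(f"{name:18} {s.state:13} {s.detail}")
    print("Still vulnerable:", ", ".join(unmitigated(statuses)) or "none")
```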


 Threats

Possibly the biggest story of 2021 — an investigation by the Guardian and 16 other media organizations, published in July — suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. Pegasus is so-called legal surveillance software developed by the Israeli company NSO. The report, called the Pegasus Project, alleged that the malware was deployed widely through a variety of exploits, including several iOS zero-click zero-days. Based on forensic analysis of numerous mobile devices, Amnesty International's Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders and many other activists, human rights advocates, dissidents and opposition figures.

Later in July, representatives from the Israeli government visited the offices of NSO as part of an investigation into the claims. In October, India's Supreme Court commissioned a technical committee to investigate the use of Pegasus to spy on its citizens. Apple announced, in November, that it was taking legal action against NSO Group for developing software that targets its users with malicious malware and spyware. Last but not least, in December, Reuters reported that US State Department phones were hacked with the NSO Pegasus malware, as alerted by Apple.

Over the past few months I have received a lot of questions from concerned users worldwide on how to protect their mobile devices from Pegasus and other similar tools and malware. We are trying to address this in the current article, with the observation that no list of defence techniques can ever be exhaustive. Additionally, as attackers change their modus operandi, protection techniques should also be adapted.

How to stay safe from Pegasus and other advanced mobile spyware

First of all, we should start by saying that Pegasus is a toolkit sold to nation states at relatively high prices. The cost of a full deployment may easily reach millions of USD. Similarly, other APT mobile malware may be deployed through zero-click 0-day exploits. These are extremely expensive — as an example, Zerodium, an exploit brokerage firm, pays up to $2.5 million for an Android zero-click infection chain with persistence.

From the start, this draws an important conclusion — nation state sponsored cyberespionage is a vastly resourceful endeavor. When a threat actor can afford to spend millions, potentially tens of millions or even hundreds of millions of USD on their offensive programs, it is very unlikely that a target will be able to avoid getting infected. To put this in simpler words, if you are targeted by such an actor, it's not a question of whether you can get infected; it's actually just a matter of time and resources before you get infected.

Now, for the good news — exploit development and offensive cyberwarfare are often more of an art than an exact science. Exploits need to be tuned for specific OS versions and hardware and can be easily thwarted by new OS releases, new mitigation techniques or even small things such as random events. With that in mind, infection and targeting is also a question of cost and of making things more difficult for the attackers. Although we may not always be able to prevent the successful exploitation and infection of the mobile device, we can try to make it as hard as possible for the attackers. How do we do this in practice? Here's a simple checklist.

How to protect from advanced spyware on iOS

Reboot daily. According to research from Amnesty International and Citizen Lab, the Pegasus infection chain often relies on zero-click 0-days with no persistence, so a regular reboot helps clean the device. If the device is rebooted daily, the attackers will have to re-infect it over and over again. In time, this increases the chances of detection; a crash might happen or artifacts could be logged that give away the stealthy nature of the infection. Actually, this is not just theory, it's practice — we analyzed one case in which a mobile device was targeted through a zero-click exploit (likely FORCEDENTRY). The device owner rebooted their device regularly and did so in the next 24 hours following the attack. The attackers tried to target them a few more times but eventually gave up after getting kicked a few times through reboots.

Related: NoReboot: A fake restart to gain a foothold in the system

Disable iMessage. iMessage is built into iOS and is enabled by default, making it an attractive exploitation vector. Because it's enabled by default, it is a top delivery mechanism for zero-click chains, and for many years iMessage exploits were in high demand, with top payouts at exploit brokerage companies. "During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some (of) them," Zerodium's founder Chaouki Bekrar wrote back in 2019 to WIRED. We realize life without iMessage may be very difficult for some (more on that later), but if Pegasus and other high-end APT mobile malware is in your threat model, this is a tradeoff worth taking.

Disable FaceTime. Same advice as above.

Keep the mobile device up to date; install the latest iOS patches as soon as they are out. Not everyone can afford zero-click 0-days; actually, many of the iOS exploit kits we are seeing are targeting already patched vulnerabilities. Nevertheless, many people run older phones and postpone updates for various reasons. If you want to be ahead of (at least some) nation state hackers, update as soon as possible and teach yourself not to need emojis to install the patches.

Don't ever click on links received in messages. This is simple advice, yet effective. Not all Pegasus customers can afford to buy zero-click 0-day chains at a cost of millions, so they rely on 1-click exploits. These arrive in the form of a message, sometimes by SMS, but can also be via other messengers or even e-mail. If you receive an interesting SMS (or a message by any other messenger) with a link, open it on a desktop computer, preferably using Tor Browser, or better yet using a secure non-persistent OS such as Tails.

(Image: SMS with a malicious link used to target a political activist. Source: Citizen Lab)

Browse the Internet with an alternate browser such as Firefox Focus instead of Safari or Chrome. Despite the fact that all browsers on iOS pretty much use the same engine, WebKit, some exploits do not work well on some alternate browsers (see the LightRiver / TwoSailJunk APT case): the LightRiver exploit kit checks for Safari in the user agent string. User agent strings on iOS from the Safari, Chrome and Firefox Focus browsers:

Safari: Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Mobile/15E148 Safari/604.1
Chrome: Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/96.0.4664.53 Mobile/15E148 Safari/604.1
Firefox Focus: Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/39 Mobile/15E148 Version/15.0

Always use a VPN that masks your traffic. Some exploits are delivered through GSM operator MitM attacks, when browsing HTTP sites, or by DNS hijack. Using a VPN to mask the traffic makes it difficult for your GSM operator to target you directly over the Internet. It also complicates the targeting process if the attackers have control over your data stream, such as while in roaming. Please note that not all VPNs are the same and not just any VPN is fine to use. Without favoring any specific VPN provider, here are a few things to consider when you shop for a VPN subscription with anonymity being a top priority:

- Purchase means just that — no free VPNs.
- Look for services that accept payment with cryptocurrencies.
- Look for services that do not require you to provide any registration info.
- Try to avoid VPN apps — instead, use open-source tools such as OpenVPN, WireGuard and VPN profiles.
- Avoid new VPN services and look for established services that have been around for some time.

Install a security application that checks and warns if the device is jailbroken. Frustrated from getting kicked over and over, the attackers will eventually deploy a persistence mechanism and jailbreak your device in the process. This is where the chance of catching them increases tenfold and we can take advantage of the fact that the device is jailbroken.

Make iTunes backups once per month. This allows diagnosing and finding infections later, through the use of the wonderful MVT package from Amnesty International (more on that later).

Trigger sysdiags often and save them to external backups. Forensic artifacts can help you determine at a later time if you have been targeted. Triggering a sysdiag depends on the phone model — for instance, on some iPhones, this is done by pressing Volume Up + Volume Down + Power at the same time. You may need to play with this a couple of times, until the phone buzzes. Once the sysdiag is created, it will appear in diagnostics.

How to protect from advanced spyware on Android

A similar list for Android users (for details and reasoning, check the list for iOS above):

Reboot daily. Persistence on the latest Android versions is difficult; many APTs and exploit sellers avoid persistence altogether!

Keep the phone up to date; install the latest patches.

Don't ever click on links received in text messages.

Browse the internet with an alternate browser such as Firefox Focus instead of the default Chrome.

Always use a VPN that masks your traffic. Some exploits are delivered through GSM operator MitM attacks, when browsing HTTP sites, or by DNS hijack.

Install a security suite that scans for malware and checks and warns if the device is rooted.

At a more sophisticated level — both for iOS and Android — always check your network traffic using live IoCs. A good setup might include a WireGuard always-on VPN to a server under your control that uses Pi-hole to filter out bad stuff and logs all the traffic for further inspection.

How to get by without iMessage

I was talking to my friend Ryan Naraine recently, and he said — "iMessage and FaceTime — these are the reasons why people use iPhones!" and for sure, he's right. I've myself been an iPhone user since 2008 and think iMessage and FaceTime were two of the greatest things Apple added to this ecosystem. When I realized that these are also some of the most exploited features that let nation states spy on your phone, I tried to escape the iMessage Hotel California. The hardest thing? Getting the family to stop using it too. Surprising as it may sound, this was one of the most difficult things in this whole security saga. At first, I tried to switch everyone to Telegram. This didn't go too well. Then, Signal got better and better, and implemented video calls and group calling. In time, more and more friends started moving to Signal. And this worked well with my family too. I'm not saying you should do the same. Perhaps you can keep iMessage enabled and live happily and malware free — truth be told, Apple greatly improved the security sandbox around iMessage with BlastDoor in iOS 14. Nevertheless, the FORCEDENTRY exploit used by NSO to deliver Pegasus bypassed BlastDoor and of course, no security feature is ever 100% hack-proof.

So, what is the best of both worlds, you may ask? Some people, including myself, have several phones — one where iMessage is disabled, and a "honeypot" iPhone where iMessage is enabled. Both are nicely associated with the same Apple ID and phone number. If someone decides to target me this way, there's a good chance they will end up in the honeypot phone.

How to detect Pegasus and other advanced mobile malware

Detecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by the security features of modern operating systems such as iOS and Android. Based on our observations, this is further complicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many forensics frameworks require a device jailbreak, which in turn requires a reboot, this results in the malware being removed from memory during the reboot. Currently, several methods can be used for detection of Pegasus and other mobile malware. MVT (Mobile Verification Toolkit) from Amnesty International is free, open source and allows technologists and investigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators of compromise) collected from high profile cases and made available by Amnesty International.

What to do if you got infected with Pegasus

So you followed all these recommendations carefully and still got infected. Sadly, this is the reality we live in nowadays. I feel for you, really. You may not be a bad guy at all — on the contrary, I'm sure you're one of the good guys. Perhaps you spoke against powerful people, or participated in some protests against a questionable decision from certain political figures, or simply used encryption software or were in the wrong place at the wrong time. Look on the bright side — you know you've been infected, because artifacts and knowledge allowed you to determine that. Think of the following things:

Who targeted you and why? Try to figure out what it was that brought you to the attention of the big guys. Is this something that you can avoid in the future through more stealthy behavior?

Can you speak about it? The thing that eventually brought down many surveillance companies was bad publicity: reporters and journalists writing about abuses and exposing the lies, wrongdoing and all the evil. If you've been targeted, try to find a journalist and tell them your story.

Change your device — if you were on iOS, try moving to Android for a while. If you were on Android, move to iOS. This might confuse attackers for some time; for instance, some threat actors are known to have purchased exploitation systems that only work on a certain brand of phone and OS.

Get a secondary device, preferably running GrapheneOS, for secure comms. Use a prepaid card in it, or only connect by Wi-Fi and Tor while in airplane mode.

Avoid messengers where you need to provide your contacts with your phone number. Once an attacker has your phone number they can easily target you across many different messengers via this — iMessage, WhatsApp, Signal, Telegram, they are all tied to your phone number. An interesting new choice here is Session, which automatically routes your messages through an Onion-style network and doesn't rely on phone numbers.

Try to get in touch with a security researcher in your area and constantly discuss best practices. Share artifacts, suspicious messages or logs whenever you think something is odd. Security is never a single snapshot solution that is 100% proof; think of it like a stream that flows, and you need to adjust your sailing depending on the speed, currents and obstacles.

At the end of this, I'd like to leave you with a thought. If you get targeted by nation states, that means you are important. Remember: it's nice to be important, but it's more important to be nice. Alone, we are weak; together, we are strong. The world may be broken, but I believe we are living at a time when we can still change things. According to a report from the nonprofit group Committee to Protect Journalists, 293 journalists were imprisoned in 2021, the highest number CPJ has ever reported since it started tracking it, in 1992. It's up to us to shape how the world will look for us in 10 years, for our children and our children's children.

"You, the people have the power — the power to create machines. The power to create happiness! You, the people, have the power to make this life free and beautiful, to make this life a wonderful adventure. Then — in the name of democracy — let us use that power — let us all unite. Let us fight for a new world — a decent world that will give men a chance to work — that will give youth a future and old age a security. By the promise of these things, brutes have risen to power. But they lie! They do not fulfil that promise. They never will! Dictators free themselves but they enslave the people! Now let us fight to fulfil that promise! Let us fight to free the world — to do away with national barriers — to do away with greed, with hate and intolerance. Let us fight for a world of reason, a world where science and progress will lead to all men's happiness. Soldiers! In the name of democracy, let us all unite!"
Final speech from The Great Dictator

This post originally ran as a series of op-eds in Dark Reading (part 1, part 2).
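The three user agent strings quoted in the iOS checklist above differ only in their browser product token (Version/, CriOS/, FxiOS/), and all three advertise the same WebKit build, so a Safari-only check of the kind the article attributes to LightRiver keys on that token rather than on the engine. The parser below is an added example, not code from the original post: it splits an iOS WebKit user agent into device, iOS version, WebKit version and browser family so that a defender reviewing proxy or web server logs can tell which browser each request really came from (the sample strings are the ones quoted in the article).

```python
import re
from typing import NamedTuple, Optional

# The three user agent strings quoted in the article (all iOS 15.1).
SAFARI_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Mobile/15E148 Safari/604.1")
CHROME_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/96.0.4664.53 Mobile/15E148 Safari/604.1")
FOCUS_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) "
            "AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/39 Mobile/15E148 Version/15.0")


class IOSUserAgent(NamedTuple):
    device: str                    # "iPhone" or "iPad"
    ios_version: str               # e.g. "15.1"
    webkit_version: str            # e.g. "605.1.15"
    browser: str                   # "Safari", "Chrome", "Firefox" or "Unknown"
    browser_version: Optional[str]


_IOS = re.compile(r"\((iPhone|iPad);\s*CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X\)")
_WEBKIT = re.compile(r"AppleWebKit/([\d.]+)")
# Product tokens of third-party browsers on iOS. Note that Chrome still ends in
# "Safari/604.1", so that suffix alone says nothing about the browser in use.
_PRODUCTS = [
    ("Chrome", re.compile(r"\bCriOS/([\d.]+)")),
    ("Firefox", re.compile(r"\bFxiOS/([\d.]+)")),
]
_SAFARI_VERSION = re.compile(r"\bVersion/([\d.]+)")


def parse_ios_user_agent(ua: str) -> Optional[IOSUserAgent]:
    """Return the parsed user agent, or None if it is not an iOS WebKit UA."""
    m_os = _IOS.search(ua)
    m_wk = _WEBKIT.search(ua)
    if not (m_os and m_wk):
        return None
    device = m_os.group(1)
    ios_version = m_os.group(2).replace("_", ".")
    webkit = m_wk.group(1)
    # A third-party product token wins, whatever else the string contains.
    for name, pattern in _PRODUCTS:
        m = pattern.search(ua)
        if m:
            return IOSUserAgent(device, ios_version, webkit, name, m.group(1))
    # No such token: stock Safari carries Version/x.y together with Safari/.
    if "Safari/" in ua:
        m = _SAFARI_VERSION.search(ua)
        return IOSUserAgent(device, ios_version, webkit, "Safari", m.group(1) if m else None)
    return IOSUserAgent(device, ios_version, webkit, "Unknown", None)


def is_stock_safari(ua: str) -> bool:
    """True only for the built-in Safari browser on iOS."""
    parsed = parse_ios_user_agent(ua)
    return parsed is not None and parsed.browser == "Safari"


if __name__ == "__main__":
    for ua in (SAFARI_UA, CHROME_UA, FOCUS_UA):
        p = parse_ios_user_agent(ua)
        print(f"{p.browser:8} {p.browser_version or '?':14} iOS {p.ios_version}  WebKit {p.webkit_version}")
```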

 Malware and Vulnerabilities

A new DeadBolt ransomware group encrypted more than 3,600 network-attached storage (NAS) devices worldwide by exploiting a zero-day, with the most affected countries being the U.S., France, Taiwan, Italy, and the U.K. QNAP has warned customers to protect their devices by updating the QTS software version and disabling port forwarding and UPnP.

 Threat Actors

Even after the recent arrest of members of the REvil ransomware group, researchers have found multiple samples being deployed across targets. After the arrests, the number of REvil implants dipped to 24 per day, but it then increased again to 26 implants a day. Today, it is highly unclear whether these raids and high-profile arrests of affiliates are actually making a difference.

 Threat Actors

The Lazarus APT group, infamous for targeting the defense industry, now abuses the Windows Update client to spread malware. It was recently observed masquerading as Lockheed Martin in spear-phishing campaigns. For the first time in this campaign, the group has used GitHub as a C2 for targeted and short-term attacks. Take the right measures to safeguard your national security systems.

 Feed

Red Hat Security Advisory 2022-0397-03 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include a null pointer vulnerability.

 Feed

Red Hat Security Advisory 2022-0368-03 - The RPM Package Manager is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

 Feed

Red Hat Security Advisory 2022-0350-04 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2022-0345-03 - IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR7.

 Feed

As many as 23 new high severity security vulnerabilities have been disclosed in different implementations of Unified Extensible Firmware Interface (UEFI) firmware used by numerous vendors, including Bull Atos, Fujitsu, HP, Juniper Networks, Lenovo, among others. The vulnerabilities reside in Insyde Software's InsydeH2O UEFI firmware, according to enterprise firmware security company Binarly,

 Feed

A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff

 Feed

A WordPress plugin with over one million installs has been found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites. The plugin in question is Essential Addons for Elementor, which provides WordPress site owners with a library of over 80 elements and extensions to help design and customize pages and posts. "This vulnerability allows

 Feed

The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years. According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted

 Feed

We hear about the need for better visibility in the cybersecurity space – detecting threats earlier and more accurately. We often hear about the dwell time and the time to identify and contain a data breach. Many of us are familiar with IBM’s Cost of a Data Breach Report that has been tracking this statistic for years. In the 2021 report, IBM found that, on average, it takes an average of 212

 Threat Lab

Threat actors are becoming more sophisticated, agile and relentless in their pursuit of stealing personal information for financial gain. Rapid and evolving shifts in the threat landscape require the knowledge and solutions to prepare for and prevent threats that could spell disaster for organizations' reputations and operations.

Organizations of all sizes remain at risk. Small to medium-sized businesses (SMBs) and managed service providers (MSPs) are especially vulnerable to the stealth efforts of bad actors. With fewer financial resources, a ransomware payment demand could mean the difference between staying in business and closing up shop. Government entities are also prone to attack. In December 2021, Belgium's Ministry of Defence experienced a cyberattack exploiting the Log4j vulnerability that paralyzed the ministry's computer network. Within the same month, Australia's utility company CS Energy experienced a ransomware attack involving the well-known ransomware Conti.

Evolving cyber threats can be unpredictable, but that doesn't mean businesses have to tackle them alone. A robust security stack can help businesses stay protected and prepared. Establishing this level of resilience involves partnering with a provider that has human-powered threat hunting resources.

What is threat hunting?

Threat hunting involves actively searching for adversaries before an attack is carried out. It involves the use of tools, intelligence and analytics combined with human intervention, and centers on the proactive identification and containment of potentially damaging files before malicious vectors can cause severe damage to an organization's operations.

What does a threat research analyst do?

"At Webroot, we focus our efforts on analyzing customer data. Our threat research analysts examine this data to determine if malicious files are present. Our analysts are constantly looking for files that possess certain characteristics that make up various types of malware. If we identify and determine that critical elements of a suspicious file are present, we classify and block them. Making determinations can be approached in different ways. One avenue of determination is carried out by creating isolated conditions to run the suspicious file to see what results it presents," says Marcus Moreno, manager, threat research at Carbonite + Webroot, OpenText companies. "Since our database is comprised of mass quantities of SMB and MSP data, we can continue to make determinations from a large and evolving data set. This is why SMBs and MSPs can derive value from partnering with Webroot," adds Moreno.

Take your security stack to the next level

Cyberattacks will continue to be a concern for businesses, governments and individuals. Combatting cyber threats means adopting a cyber resilience approach. Cyber resilience is the ability to remain operational in the face of threats, whether human or maliciously based. One important element of a solid cyber resilience strategy is to remain in a pre-emptive and proactive stance. Avoid costly ransomware payment demands, bolster customer confidence and minimize downtime for business operations by investing in a solutions provider backed by threat hunting capabilities. Discover how Webroot's solutions can protect your business.

The post Threat hunting: Your best defense against unknown threats appeared first on Webroot Blog.
