Researchers at Korea University in Seoul have published a paper detailing a new method of data theft from a computer that has maximum protection; that is, one placed in an isolated room and surrounded with an air gap (connected to neither the internet nor a local network). This type of attack may serve as a last resort for a malicious actor when no other, simpler methods are feasible. Data exfiltration in this case uses the computer's speaker: not a plug-in device, but a relic of the first personal computers, the internal speaker, also known as the PC speaker. Motherboards still typically feature one for compatibility, and it turns out that such a speaker can be used for data exfiltration.

Background

We've published several stories on data-theft methods. This one, for instance, is about wiretapping smartphones by using their built-in accelerometer. This story is about data being stolen by manipulating the radio signal from the CPU power supply. Data exfiltration via the speaker mounted on the motherboard might appear unsophisticated in comparison with those two methods, but let's not forget that the simpler the attack, the higher the odds of success. Besides, an attacker needs no specialized equipment to obtain the precious data: all it takes is bringing a smartphone close to the target computer.

Any research of this kind starts with a description of a hypothetical attack scenario. In this case, it's this one: take a government or corporate computer that holds secret information. The data is so highly classified that the computer is isolated from the internet, and possibly even from the LAN, for enhanced security; but the scenario assumes that the computer still gets infected with spyware one way or another. How exactly this happens isn't the subject of the researchers' paper. Suppose a spy managed to get a flash drive into the secured room and plug it into the computer, or the computer was infected via a supply-chain attack even before it was delivered to the organization. So, the spy program has collected the secrets, but now the attacker needs a way to get them out of there.
In the scenario used by the Korean researchers, the spy physically enters the room where the computer is, bringing a smartphone running basic sound-recording software. The spyware broadcasts the data as audio signals at a frequency so high that most human ears can't hear it. The smartphone records that sound, which the attackers later decode to recover the data.

Importantly, research on data exfiltration through speakers has been carried out before. This 2018 research paper from Israel demonstrates a way for two computers to communicate via ultrasound using loudspeakers and a built-in microphone. That attack method has one practical flaw, though: imagine a computer that controls valuable equipment. Would a company really fit it with additional external audio devices for the operators' comfort? Thus, that attack is feasible only if the protected information is stored on a laptop, because laptops usually have integrated speakers.

The challenges of pulling off an ultrasound heist

The Korean researchers suggest that their attacker would use the built-in PC speaker. Back in 1981, that was the only sound device on the first IBM PC. Although the PC speaker mostly produced only squeaky noises, some video game developers managed to use its crude capabilities to create decent soundtracks. Modern PCs seldom use the internal speaker for anything but diagnostics: if the computer won't boot, a technician can identify the error by the number and duration of the tones the built-in speaker emits. The original eighties PC speaker was a separate unit attached to the motherboard connectors; modern boards typically have a tiny speaker soldered onto them. The Korean researchers needed to demonstrate a data-transfer channel using this speaker that is reliable and, more importantly, practical.
The transmission part was fairly simple: malware running on an Ubuntu Linux machine alternated between short 18 kHz and 19 kHz beeps, with the former being the dot and the latter the dash. This can be used to send information in Morse code, which is more usually associated with radio communication. If you record this transmission (inaudible to most humans) on a smartphone, you get something like this:

[Figure: Spectrogram of signals sent through the built-in speaker and recorded on a smartphone. The lines at the top are the dots and dashes that make up the data being transmitted. Source.]

The spectrogram shows the sounds used for encoding the word "covert". It took roughly four seconds to transfer just six characters, so the exfiltration process is slow but still usable for certain kinds of information, such as passwords and encryption keys. The lines at 18 kHz and 19 kHz are the signals produced by the computer speaker. Their volume is similar to the background noise inside the room, which can be seen in the bottom portion of the spectrogram. The researchers conducted multiple experiments to arrive at workable conditions for data transfer: the data rate had to stay at or below 20 bits per second for data to be received reliably from a distance of up to 1.5 meters. Slowing the transmission down further could increase that distance by about half a meter, and placing the phone centimeters away from the system unit allowed doubling the data rate. Anything but brief snippets of data would take hours to transmit, making an attack on bulk data impractical.

An air gap does not guarantee a secure system

Ultrasound data transfer is a well-researched method that is sometimes used for consumer purposes. In a secured environment, this side channel poses a threat. The Korean researchers suggest removing the speaker from the motherboard as a safeguard against this type of attack.
However, as we know from other studies, when the stakes are high and the adversary is committed to spending both time and resources to achieve their goal, it's hard to protect against every possible data-exfiltration trick. Removing the built-in speaker still leaves the possibility of capturing radio emissions from SATA cables, the CPU or the monitor, albeit with far more sophisticated methods. Maximum isolation of any computer that stores secret data is imperative. However, it's far more practical to also invest in malware detection, remembering that every such espionage scenario begins with attackers getting malware onto the target system. Nonetheless, the Korean researchers' work teaches us about new covert channels that can be used for data theft.
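To make the channel concrete, here is an added simulation of the scheme described above (example code written for this page, not the researchers' code): text is mapped to Morse, each dot becomes a short 18 kHz burst and each dash a 19 kHz burst, and the receiving side slices the "recording" into fixed frames and measures the energy at the two carriers with the Goertzel algorithm, which is also the detection logic a defender could run on a microphone feed. The 50 ms frame length, the gap encoding, the signal and noise levels and the 48 kHz sample rate are assumptions of this example, not parameters from the paper.

```python
"""Added example: PC-speaker ultrasonic Morse channel, transmitter and receiver.
Frame length, gap encoding, amplitudes, noise model and sample rate are
assumptions of this example, not values from the Korea University paper."""
import math
import random

SAMPLE_RATE = 48_000                   # Hz, a common phone recording rate (assumption)
DOT_HZ, DASH_HZ = 18_000, 19_000       # the two carriers from the article
FRAME_SEC = 0.05                       # one symbol slot = 50 ms, 20 slots/s (assumption)
FRAME = int(SAMPLE_RATE * FRAME_SEC)   # 2400 samples: 18k and 19k land on exact DFT bins

MORSE = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
    "g": "--.", "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..",
    "m": "--", "n": "-.", "o": "---", "p": ".--.", "q": "--.-", "r": ".-.",
    "s": "...", "t": "-", "u": "..-", "v": "...-", "w": ".--", "x": "-..-",
    "y": "-.--", "z": "--..",
}
MORSE_REV = {v: k for k, v in MORSE.items()}

def text_to_frames(text):
    """Per-frame schedule: '.' (18 kHz burst), '-' (19 kHz burst) or '_' (silence).
    Each tone frame is followed by one silent frame; a letter ends with three
    silent frames in a row and a word gap is seven (assumed framing)."""
    frames = []
    for ch in text.lower():
        if ch == " ":
            frames += ["_"] * 4            # 3 from the letter end + 4 = 7
            continue
        if ch not in MORSE:
            raise ValueError(f"no Morse mapping for {ch!r}")
        for sym in MORSE[ch]:
            frames += [sym, "_"]
        frames += ["_", "_"]
    return frames

def synthesize(frames, amplitude=0.05, noise=0.02, seed=1):
    """Render the schedule to PCM samples; uniform noise stands in for room
    noise (constructed, deterministic via seed)."""
    rng = random.Random(seed)
    samples = []
    for sym in frames:
        freq = {".": DOT_HZ, "-": DASH_HZ}.get(sym)
        for n in range(FRAME):
            s = rng.uniform(-noise, noise)
            if freq is not None:
                s += amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE)
            samples.append(s)
    return samples

def goertzel(block, freq):
    """Power of `block` at `freq`: a single-bin DFT, cheap enough for a phone."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify_frames(samples):
    """Label each frame '.', '-' or '_'. Assumes the recording is aligned to the
    transmitter's frame grid and that at least one tone frame is present."""
    powers = []
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        block = samples[i:i + FRAME]
        powers.append((goertzel(block, DOT_HZ), goertzel(block, DASH_HZ)))
    peak = max(max(p) for p in powers)
    labels = []
    for p_dot, p_dash in powers:
        if max(p_dot, p_dash) < 0.25 * peak:   # well below any burst: silence
            labels.append("_")
        else:
            labels.append("." if p_dot > p_dash else "-")
    return labels

def frames_to_text(labels):
    """Parse frame labels back to text: 3 silent frames close a letter, 7 a word."""
    text, letter, silent = "", "", 0
    for lab in labels + ["_"] * 3:
        if lab == "_":
            silent += 1
            if silent == 3 and letter:
                text += MORSE_REV.get(letter, "?")
                letter = ""
            elif silent == 7:
                text += " "
        else:
            silent = 0
            letter += lab
    return text

def roundtrip(text):
    """Transmit `text` through the simulated channel and decode it again."""
    return frames_to_text(classify_frames(synthesize(text_to_frames(text))))

if __name__ == "__main__":
    frames = text_to_frames("covert")
    print(f"{len(frames) * FRAME_SEC:.1f} s on air for 'covert'")
    print(roundtrip("covert"))
```

Run as a script it reports the air time and decodes the word back. Two caveats a practitioner would care about: the decoder assumes the recording is already aligned to the transmitter's frame grid (a real receiver would first hunt for the leading burst to synchronise), and it sets its silence threshold relative to the strongest frame, whereas a detector listening for an attack rather than decoding one would compare the 18/19 kHz energy against the room's measured noise floor over time.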
Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. Sources tell KrebsOnSecurity the domain seizures coincided with “dozens” of arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data.

[Image: Several websites tied to the cybercrime store Genesis Market had their homepages changed today to this seizure notice.]

Active since 2018, Genesis Market’s slogan was, “Our store sells bots with logs, cookies, and their real fingerprints.” Customers could search for infected systems with a variety of options, including by Internet address or by specific domain names associated with stolen credentials.

But earlier today, multiple domains associated with Genesis had their homepages replaced with a seizure notice from the FBI, which said the domains were seized pursuant to a warrant issued by the U.S. District Court for the Eastern District of Wisconsin. The U.S. Attorney’s Office for the Eastern District of Wisconsin did not respond to requests for comment. The FBI declined to comment.

But sources close to the investigation tell KrebsOnSecurity that law enforcement agencies in the United States, Canada and across Europe are currently serving arrest warrants on dozens of individuals thought to support Genesis, either by maintaining the site or by selling the service bot logs from infected systems. The seizure notice includes the seals of law enforcement entities from several countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the United Kingdom.

When Genesis customers purchase a bot, they’re purchasing the ability to have all of the victim’s authentication cookies loaded into their browser, so that online accounts belonging to that victim can be accessed without the need of a password, and in some cases without multi-factor authentication. “You can buy a bot with a real fingerprint, access to e-mail, social networks, bank accounts, payment systems!,” a cybercrime forum ad for Genesis enthused.
“You also get all previous digital life (history) of the bot – most services won’t even ask for login and password and identify you as their returning customer. Purchasing a bot kit with the fingerprint, cookies and accesses, you become the unique user of all his or her services and other web-sites. The other use of our kit of real fingerprints is to cover-up the traces of your real internet activity.”

[Image: The Genesis Store had more than 450,000 bots for sale as of Mar. 21, 2023. Image: KrebsOnSecurity.]

The pricing for Genesis bots ranged quite a bit, but in general bots with large amounts of passwords and authentication cookies — or those with access to specific financial websites such as PayPal and Coinbase — tended to fetch far higher prices. New York based cyber intelligence firm Flashpoint says that in addition to containing a large number of resources, the most expensive bots overwhelmingly seem to have access to accounts that are easy to monetize. “The high incidence of Google and Facebook is expected, as they are such widely used platforms,” Flashpoint noted in an analysis of Genesis Market, observing that all ten of the ten most expensive bots at the time included Coinbase credentials.

Genesis Market has introduced a number of cybercriminal innovations throughout its existence. Probably the best example is Genesis Security, a custom Web browser plugin which can load a Genesis bot profile so that the browser mimics virtually every important aspect of the victim’s device, from screen size and refresh rate to the unique user agent string tied to the victim’s web browser. Flashpoint said the administrators of Genesis Market claim they are a team of specialists with “extensive experience in the field of systems metrics.” They say they developed the Genesis Security software by analyzing the top forty-seven browser fingerprinting and tracking systems, as well as those utilized by 283 different banking and payment systems.
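The two paragraphs above describe why the usual per-request fingerprint check does not stop a Genesis buyer: the bot ships the victim's cookies together with a browser profile that reproduces the fingerprint, so the user agent and similar attributes match. What a bot log cannot copy is the network the victim actually logged in from and the timeline of the session. The following is an added example of the server-side check a service can run instead (written for this page; it is not code from Genesis, KrebsOnSecurity or any of the firms quoted). It binds each session id to the client network seen at login (assumed /24 for IPv4, /48 for IPv6) and flags requests that present the cookie from elsewhere or show it active from two networks within a short window. The log format, field names, sample lines and thresholds are all constructed for the example.

```python
"""Added example: detecting a replayed session cookie from a web access log.
Log format, field names, sample lines, prefix sizes and the time window are
constructed for this example, not taken from the article or from any vendor."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log: alice logs in, then her cookie is replayed from
# another network between her own requests with an identical user agent,
# which is exactly what a bot profile gives the buyer.
SAMPLE_LOG = """\
2023-04-04T09:00:01Z login   sid=a1f3 user=alice ip=203.0.113.10 ua=Chrome/111
2023-04-04T09:05:12Z request sid=a1f3 user=alice ip=203.0.113.10 ua=Chrome/111 path=/inbox
2023-04-04T09:07:40Z request sid=a1f3 user=alice ip=198.51.100.77 ua=Chrome/111 path=/settings/recovery
2023-04-04T09:08:02Z request sid=a1f3 user=alice ip=203.0.113.10 ua=Chrome/111 path=/inbox
2023-04-04T10:00:00Z login   sid=b7c2 user=bob ip=192.0.2.5 ua=Firefox/110
2023-04-04T10:01:00Z request sid=b7c2 user=bob ip=192.0.2.5 ua=Firefox/110 path=/
2023-04-04T10:02:00Z request sid=zzzz user=bob ip=192.0.2.5 ua=Firefox/110 path=/
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>login|request)\s+(?P<kv>.*)$")

def client_network(ip):
    """Coarsen an address to the prefix one broadband or mobile customer normally
    stays within (assumption: /24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def parse(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m["kv"].split())
    rec["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = m["event"]
    rec["net"] = client_network(rec["ip"])
    return rec

def analyze(log_text, window=timedelta(minutes=15)):
    """Return (timestamp, sid, kind, detail) alerts for cookie misuse."""
    bound = {}       # sid -> (user, login network, login user agent)
    last_seen = {}   # sid -> (network, timestamp) of the previous hit
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        sid = rec["sid"]
        if rec["event"] == "login":
            # Binding happens at the one point the attacker cannot replay:
            # the victim's own authentication.
            bound[sid] = (rec["user"], rec["net"], rec["ua"])
            last_seen[sid] = (rec["net"], rec["ts"])
            continue
        if sid not in bound:
            alerts.append((rec["ts"], sid, "unknown-session",
                           "cookie presented but no login recorded for it"))
            continue
        user, login_net, login_ua = bound[sid]
        ua_matches = rec["ua"] == login_ua   # expected True even for a replay
        if rec["net"] != login_net:
            alerts.append((rec["ts"], sid, "cookie-replay",
                           f"{user}: cookie bound to {login_net} used from "
                           f"{rec['net']} (user agent matches: {ua_matches})"))
        prev_net, prev_ts = last_seen[sid]
        if prev_net != rec["net"] and rec["ts"] - prev_ts < window:
            alerts.append((rec["ts"], sid, "concurrent-use",
                           f"{user}: cookie active from {prev_net} and "
                           f"{rec['net']} within {window}"))
        last_seen[sid] = (rec["net"], rec["ts"])
    return alerts

if __name__ == "__main__":
    for ts, sid, kind, detail in analyze(SAMPLE_LOG):
        print(ts.isoformat(), sid, kind, detail)
```

On the sample data the replayed request trips both the network-binding check and the concurrent-use check, and alice's next legitimate request trips concurrent-use again, which is the signal to force re-authentication and rotate the session rather than silently serve it. The check is deliberately blind to the user agent, since that is the attribute the bot profile reproduces; its weak spot is an attacker who routes through a proxy inside the victim's own prefix, so a production version would also key on ASN or coarse geolocation and on a change in TLS client characteristics.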
Cybersecurity experts say Genesis and a handful of other bot shops are also popular among cybercriminals who work to identify and purchase bots inside corporate networks, and then turn around and resell that access to ransomware gangs. Michael Debolt, chief intelligence officer for Intel 471, said so-called “network access brokers” will scour automated bot shops for high value targets, and then resell them for a bigger profit.

“From ‘used’ or ‘processed’ logs – it is actually quite common for the same log to be used by multiple different actors who are all using it for different purposes – for instance, some actors are only interested in crypto wallet or banking credentials so they bypass credentials that network access brokers are interested in,” Debolt said. “These network access brokers buy these ‘used’ logs for very cheap (or sometimes for free) and search for big fish targets from there.”

In June 2021, hackers who broke into and stole a wealth of source code and game data from the computer gaming giant EA told Motherboard they gained access by purchasing a $10 bot from Genesis Market that let them log into a company Slack account.

One feature of Genesis that sets it apart from other bot shops is that customers can retain access to infected systems in real time, so that if the rightful owner of an infected system creates a new account online, those new credentials will get stolen and displayed in the web-based panel of the Genesis customer who purchased that bot. “While some infostealers are designed to remove themselves after execution, others create persistent access,” reads a March 2023 report from cybersecurity firm SpyCloud. “That means bad actors have access to the current data for as long as the device remains infected, even if the user changes passwords.” SpyCloud says Genesis even advertises its commitment to keep the stolen data and the compromised systems’ fingerprints up to date.
“According to our research, Genesis Market had more than 430,000 stolen identities for sale as of early last year – and there are many other marketplaces like this one,” the SpyCloud report concludes. This is a developing story. Any updates will be added with notice and timestamp here.
Cybersecurity startups face pressure during this economic uncertainty, but strategic investors can help them succeed in providing tech that defends against cyberattacks.
Uber gave sensitive data on drivers to a law firm representing the company in legal actions, but the data appears not to have had adequate security protections.
Scans of the Internet find that millions of computers, virtual machines, and containers are vulnerable to one or more of the hundreds of cyberattacks currently used in the wild, despite being patchable.
A new ransomware group with two victims listed on its leak site has been observed making million-dollar ransom demands. The group, called Money Message, has listed an Asian airline, which has revenue close to $1 billion, as one of its victims. Adversaries have shared a screenshot of the accessed file system as proof of the breach.
To strengthen their cybersecurity posture, companies must spend valuable resources on maintaining or updating systems, hiring and training staff, and implementing security software — resources and options that many don’t have readily available.
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
With a small payroll and tight staffing constraints, smaller businesses are unlikely to have a mature security posture that could otherwise deflect social engineering scams.
Upon realizing that session resumption led to the inability to properly check revocation status, Cloudflare responded by first disabling session resumption for all mTLS connections. This blocked the vulnerability immediately.
Google’s TAG shared details on zero-day and n-day vulnerabilities affecting Android and iOS devices that are under exploitation by highly targeted spyware campaigns. It didn’t reveal the spyware vendors involved or the number of victims targeted in this campaign. Organizations are advised to use the IOCs shared by Google and other security agencies to strengthen their security posture.
A Chinese state-sponsored threat group has been linked to a unique malware, dubbed Mélofée, targeting Linux servers. The threat group’s infrastructure overlaps mostly with Winnti. Researchers observed another AlienReverse implant being used during the campaign.
Most healthcare provider organizations exposed visitors to higher levels of tracking, through the use of third-party tracking codes on their websites. In doing so, patients are likely to see an increase in targeted health-related advertising.
Uber has had more of its internal data stolen from a third party that suffered a security breach. This time, the personal info of the app's drivers was swiped by miscreants from the IT systems of law firm Genova Burns.
Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload.
According to the IG, “control weaknesses within the ECM system can pose a substantial risk to taxpayer records currently residing in the system. The potential harm includes breach, unauthorized access, and disclosure of taxpayer information.”
Judges in the Central District of California, the District of Arizona, and the District of Idaho authorized today's action. The DOJ says the next step is to return the stolen cryptocurrency to the victims.
As advanced threats become more common, layered security that incorporates memory defense is becoming essential. Without it, there is no effective way to stop threats targeting device memory.
The Chief Digital and Artificial Intelligence Office (CDAO) Directorate for Digital Services (DDS), Craig Martell, unveiled the website last Thursday. It will help DoD organizations, vendors, and researchers understand how to conduct a bug bounty.
The QNAP vulnerabilities affect the operating systems: QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). These operating system versions have already been updated.
Britain’s newly created offensive hacking unit, the National Cyber Force, has said it is engaged daily in operations to disrupt terrorist groups, distributors of child sexual abuse material, and military opponents of the UK.
Check Point Research said it observed the ransomware deployed against an unnamed U.S.-based company, adding it found no branding or overlaps that connect it to any previously known ransomware actors.
The Mantis cyber-espionage group (aka Arid Viper, Desert Falcon, APT-C-23) is believed to be operating out of the Palestinian territories. It continues to mount attacks with a refreshed toolset and maintains persistence on targeted networks.
Security researchers state the malicious JavaScript file existed on eFile.com website for weeks. BleepingComputer has been able to confirm the existence of the malicious JavaScript file in question, at the time.
The rapid pace of cloud transformation and democratization of data has created a new innovation attack surface, leading to 3 in 4 organizations experiencing a cloud data breach in 2022, according to Laminar.
The ICO estimated the app allowed up to 1.4 million U.K. children under 13 to use the platform in 2020. The regulator accused TikTok of failing to take the necessary steps to verify user identity and remove children under 13 from the platform.
Because of this issue, an endpoint URL may accept parameters without sanitization, which could allow an unauthenticated attacker to provide crafted request parameters leading to the execution of arbitrary web scripts or HTML code.
The new funding, Cybereason says, will help it advance its XDR, EDR, and EPP solutions and support global growth. In addition to the investment, Cybereason also announced that SoftBank’s executive vice president, Eric Gan, will become its new CEO.
Among the websites affected were Tel Aviv University, the Hebrew University of Jerusalem, Ben-Gurion University of the Negev, Haifa University, Weizmann Institute of Science, Open University of Israel, and Reichman University.
A statement by the Chinese government said that the review is being undertaken to ensure the security of the key information infrastructure supply chain, prevent network security risks caused by hidden product problems, and maintain national security.
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
Roughly one in three (32%) remote and hybrid workers use apps or software not approved by IT, and 92% of remote workers use a personal tablet or smartphone device to do work tasks.
Australia has joined the growing list of nations that have decided TikTok represents an unacceptable risk when running on government-owned devices, so has decided not to allow it onto those machines.
For AI, security is a two-way street: it can be used by malicious actors to abuse victims, while its own weaknesses can be exploited by those same actors. ChatGPT has already suffered at least one breach that is publicly known.
The ALPHV ransomware operation emerged in December 2021 and is considered to be run by former members of the Darkside and Blackmatter programs that shut down abruptly to escape law enforcement pressure.
Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
Red Hat Security Advisory 2023-1559-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2023-1556-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2023-1557-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2023-1586-01 - The pesign packages provide the pesign utility for signing UEFI binaries as well as other associated tools. Issues addressed include a privilege escalation vulnerability.
Red Hat Security Advisory 2023-1584-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Red Hat Security Advisory 2023-1560-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.
Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files. That's going
The adversary behind the supply chain attack targeting 3CX deployed a second-stage implant specifically singling out a small number of cryptocurrency companies. Russian cybersecurity firm Kaspersky, which has been internally tracking the versatile backdoor under the name Gopuram since 2020, said it observed an increase in the number of infections in March 2023 coinciding with the 3CX breach.
The threat actor known as Arid Viper has been observed using refreshed variants of its malware toolkit in its attacks targeting Palestinian entities since September 2022. Symantec, which is tracking the group under its insect-themed moniker Mantis, said the adversary is "going to great lengths to maintain a persistent presence on targeted networks." Also known by the names APT-C-23 and Desert
Collaboration sits at the essence of SaaS applications. The word, or some form of it, appears in the top two headlines on Google Workspace’s homepage. It can be found six times on Microsoft 365’s homepage, three times on Box, and once on Workday. Visit nearly any SaaS site, and odds are ‘collaboration’ will appear as part of the app’s key selling point. By sitting on the cloud, content within
Clouded vision

CTI systems are confronted with some major issues ranging from the size of the collection networks to their diversity, which ultimately influence the degree of confidence they can put on their signals. Are they fresh enough and sufficiently reliable to avoid any false positives or any poisoning? Do I risk acting on outdated data? This difference is major since a piece of
Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that's both sophisticated and fast. "What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware," Check Point Research said in a new report. "In fact, Rorschach is one
Chromium-based web browsers are the target of a new malware called Rilide that masquerades itself as a seemingly legitimate extension to harvest sensitive data and siphon cryptocurrency. "Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots,