Researchers from four U.S. universities have published a study detailing a potential, intriguing attack on computer graphics subsystems — specifically targeting common integrated GPUs manufactured by both AMD and Intel. The attack was named GPU.zip, alluding to its two main features: (i) stealing secrets from the graphics system, and (ii) exploiting data compression algorithm vulnerabilities. In this post, we try as usual to explain the new research as simply as possible. But mainly we'll just marvel at how elegant and complex it is — while we'll also cringe at how, ultimately (in its current form), completely impractical it is.

About compression algorithms

Before delving into the GPU.zip attack itself, let's discuss some aspects of compression algorithms. These algorithms can be broadly categorized into lossy compression algorithms (like MP3) and lossless compression algorithms (like RAR or ZIP). The latter compress data in such a way that it can be completely restored. The simplest method of compression is to store repeating data only once, and then indicate where specific sets of characters or numbers should be placed. For example, the length of this post could be significantly reduced by recording all the places where the word "data" appears and storing the word itself only once.

From an information security perspective, compression algorithms have a vulnerability of sorts. Let's imagine that we're transmitting some data over the internet using compression. The volume of information depends on how effective the compression algorithm is — the better the compression, the smaller the data size. Back in 2002, it was shown that this feature could be exploited to steal secrets even if the data is encrypted. One of the relatively practical attacks confirming this possibility was demonstrated in 2012. It was found that in some cases, if information between a browser and a server is transmitted simultaneously in both compressed and encrypted forms, the compression algorithm could reveal secret information even if the encryption algorithm isn't broken. If attackers can send numerous requests to the server, they can observe how the size of compressed data changes based on the content. And from this they can calculate the secret information character by character.
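The 2012-style compression oracle described above, as an added illustration that is not part of the original post: a constructed page echoes attacker-influenced text next to a secret, and the compressed size alone reveals the secret one character at a time. It assumes DEFLATE via Python's zlib with the fixed Huffman table (Z_FIXED) so that the size differences are deterministic; the defensive lesson is that attacker-influenced input must never be compressed in the same context as a secret.

```python
import string
import zlib

# Constructed demo values; no real service, session or page is involved.
SECRET = b"sessionid=7f3a9c"          # the value the attacker wants
KNOWN_PREFIX = b"sessionid="          # the field name is public, its value is not
ALPHABET = (string.ascii_lowercase + string.digits).encode()

# Eight incompressible paddings of 0..7 distinct high bytes. Under DEFLATE's
# fixed Huffman table each costs 9 bits, so across the eight measurements every
# alignment of the final byte occurs and a 7- or 8-bit saving always shows up
# in the summed byte count (a single measurement can hide it by rounding).
PADDINGS = [bytes(range(0x90, 0x90 + n)) for n in range(8)]


def deflate_len(payload: bytes) -> int:
    """Compressed size in bytes. Z_FIXED pins the Huffman table so the demo is
    deterministic; adaptive tables leak the same way, just with more noise."""
    z = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 9, zlib.Z_FIXED)
    return len(z.compress(payload) + z.flush())


def page_len(reflected: bytes, secret: bytes, padding: bytes = b"") -> int:
    """The oracle: size of a compressed page that echoes attacker-influenced
    text and also carries a secret. LZ77 turns a shared prefix into a single
    back-reference, so the closer the echo matches the secret, the smaller."""
    body = b"<p>Hello, " + reflected + b"</p><!-- " + secret + b" -->" + padding
    return deflate_len(body)


def score(guess: bytes, secret: bytes) -> int:
    """Sum of oracle results over all paddings; lower means a longer match."""
    return sum(page_len(guess, secret, pad) for pad in PADDINGS)


def recover(secret: bytes, known: bytes = KNOWN_PREFIX, max_len: int = 32) -> bytes:
    """Extend the known prefix one byte at a time, keeping the candidate whose
    echo compresses best. Stops when no candidate is a unique winner, which is
    what happens once the whole token has been matched."""
    found = known
    while len(found) < max_len:
        scores = {c: score(found + bytes([c]), secret) for c in ALPHABET}
        best = min(scores, key=scores.get)
        runner_up = min(v for c, v in scores.items() if c != best)
        if scores[best] >= runner_up:
            break
        found += bytes([best])
    return found


if __name__ == "__main__":
    print("recovered:", recover(SECRET).decode())  # prints "sessionid=7f3a9c"
```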
It remains to be seen whether unchecked compression of graphics subsystem data can also lead to leakage of secrets.

About the features of computer graphics

Today, we're discussing the graphics subsystem — or, simply put, video cards, although they're often integrated directly into the processor. Discrete GPUs are separate computational modules, usually with their own RAM. Computer gamers are familiar with the situation when the latest cool game struggles to run on a not-so-powerful video card: the frame rate drops below optimal, the image is no longer smooth, and sometimes it even freezes for a fraction of a second. There can be two reasons for such behavior. Most often, the video card can't handle the calculations required to create 3D images quickly enough. Sometimes, however, the required data is transmitted too slowly from the main RAM to the graphics subsystem memory. This problem can be solved by using data compression algorithms. Games use lossy compression algorithms to compress textures. The authors of the paper found that, at least in Intel and AMD integrated GPUs, lossless compression algorithms are used as well — to transmit any graphic information that needs to be displayed on the screen (desktop, browser windows, and so on). These algorithms cannot be disabled and, moreover, are proprietary: no one but the manufacturer knows how they work.

The researchers studied them in black-box mode: the very existence of the compression algorithm was inferred from indirect signs, such as the amount of data transferred from RAM to video memory, which varied depending on the image. Transmitting graphic patterns made entirely of black pixels, black and white pixels in a specific order, and random patterns showed that when easily compressible data is sent to the video system, less information is transferred between the main RAM and video memory: exactly the way data compression should work.
Most of the study is dedicated to reverse engineering these proprietary data compression algorithms. This was necessary to understand exactly how such algorithms work — for example, how graphics information is divided into blocks before compression. The researchers found that different algorithms are applied depending on the manufacturer or even the model of the graphics subsystem. The problem is that the time it takes to compress data also depends on the data itself. If we have a poorly compressible set of information (random data without any repeating elements), the processing time will differ from that for simple data. Meanwhile, an attacker can measure this time — for instance, by creating a special webpage.

The beauty… and uselessness of the GPU.zip attack

Imagine someone creating a malicious webpage that also contains a request to embed another page from which they want to steal data. This person has the ability to measure the time it takes to render their page in the browser, but nothing more. If, for example, a window with the target's work email is embedded in the page, the attacker won't gain access to the content of that window. Why? Such an action is strictly prohibited by the same-origin policy — you can place code on a site to track user actions, for example, but it won't work on the embedded foreign webpage. There is one exception, however: styling rules can be applied to the embedded page. The authors of the GPU.zip attack took advantage of this and began applying specific graphics patterns to the target page. This led to changes in the time required to process compressed graphic data, thereby slightly altering the duration of page rendering. Which can be measured.

The original image and its stolen copies extracted using the features of Intel and AMD graphics systems.

We've finally reached the practical implementation of this attack. Here's how it works: the attacker somehow lures the user to the malicious webpage.
The page contains code embedding another page from a completely different site — in this case, Wikipedia's main page. Let's assume the browser user has a Wikipedia account and is logged in. Their username will be displayed on the embedded page. By applying effects to this page and measuring the time it takes to render, the attacker can reconstruct the content of the target page from this single parameter alone. More specifically, the attackers can obtain the username. In this way, they can identify the visitor of their malicious site — even if the visitor tries to remain anonymous, for example. This is a typical side-channel attack: the attacker uses an indirect parameter that they can measure (the time it takes to render a web page) to steal data they don't have access to.

But now, let's discuss the impracticality of this attack… The content of the target web page is reconstructed pixel by pixel. The attacker has a timer and the ability to slightly modify the appearance of the page in the browser. As a result, it takes half an hour on an AMD Ryzen processor with integrated graphics to reconstruct not the entire page but only a small piece, as shown in the screenshot above. On an Intel processor, the algorithm works even slower — the reconstruction takes more than three hours! This means the potential victim has to open the page and forget about it for quite a while, without closing it. During all this time, the page will be refreshing, which puts a heavy load on the system. However, the accuracy of the data reconstruction is quite high (97-98%) and, most importantly, the method works even when a large volume of other data is transmitted through the video card. The researchers had a YouTube video playing in the background. Unlike previous studies, this attack works reliably even with a significant amount of such background noise.
The final argument against the feasibility of this particular attack is that most websites cannot be embedded into other web pages if they display confidential content. This means that you can't sneakily screenshot email messages or chat conversations in this way. The example with the Wikipedia page was actually chosen because it's a rare case where a website with a visible username can be embedded.

To sum it up

Unlike other hardware vulnerabilities, it can't be said with certainty that GPU developers made a mistake in this case. We're talking about extremely complex interactions among different components — the properties of which can be exploited to steal data. The theft itself is not mind-blowing yet, but further research may well discover a more effective method. We hope that GPU developers will take this study into account and adapt their algorithms so that they don't leak sensitive information. The quality of this study should not be underestimated either. Forgetting all the practical difficulties for a moment, the researchers essentially demonstrated a method of remote data theft and took screenshots of secret information. All this was achieved through a detailed examination of a minor feature in the operation of GPUs — and manufacturers tend not to publicize anything about the operation of their CPUs. Still, it's an impressive piece of research — even if it has no practical consequences… for now.
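The embedding prerequisite the author relies on can be checked mechanically. The following added example (not from the original post) decides, from a response's headers, whether a browser would let a third-party page frame it, applying the rules that a CSP frame-ancestors directive overrides X-Frame-Options, that every CSP policy present must allow the embedder, and that conflicting X-Frame-Options values block. The header sets and origins are constructed for illustration.

```python
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port): the triple browsers compare for same-origin checks."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORT.get(scheme, 0)


def _source_allows(src: str, scheme: str, host: str, port: int) -> bool:
    """Match one frame-ancestors source expression against the embedder's origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:        # scheme-source such as https:
        return scheme == src[:-1]
    want_scheme, rest = src.split("://", 1) if "://" in src else ("", src)
    if want_scheme and want_scheme != scheme:
        return False
    want_host, _, want_port = rest.partition(":")
    if want_port == "":                                # no port given: scheme default
        if port != _DEFAULT_PORT.get(scheme):
            return False
    elif want_port != "*" and int(want_port) != port:
        return False
    if want_host.startswith("*."):                     # wildcard such as *.partner.example
        return host.endswith(want_host[1:])
    return want_host == host


def _ancestors_allow(sources: list[str], page, top) -> bool:
    """An empty source list is equivalent to 'none'; 'self' is the page's own origin."""
    for src in sources:
        if src.lower() == "'self'":
            if page == top:
                return True
        elif _source_allows(src, *top):
            return True
    return False


def framing_allowed(headers: list[tuple[str, str]], page_url: str, embedder_url: str) -> bool:
    """True if a browser would let embedder_url put page_url in a frame.
    headers are (name, value) pairs as received; a name may repeat."""
    page, top = origin(page_url), origin(embedder_url)
    policies = []
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    policies.append(parts[1:])
    if policies:        # any frame-ancestors directive makes X-Frame-Options moot
        return all(_ancestors_allow(srcs, page, top) for srcs in policies)
    xfo = {v.strip().lower()
           for name, value in headers if name.lower() == "x-frame-options"
           for v in value.split(",")}
    if len(xfo) > 1:    # conflicting values: browsers refuse to render the frame
        return False
    if xfo == {"deny"}:
        return False
    if xfo == {"sameorigin"}:
        return page == top
    return True         # no header, or an unrecognised value that browsers ignore


# Constructed response header sets and origins, modelled on common setups.
PAGE, PARTNER, ATTACKER = "https://app.example/", "https://portal.partner.example/", "https://evil.example/"
SAMPLES = {
    "no policy": [],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp over xfo": [("X-Frame-Options", "SAMEORIGIN"),
                     ("Content-Security-Policy", "frame-ancestors 'self' https://*.partner.example")],
    "conflicting xfo": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:16} framable by a third party: {framing_allowed(hdrs, PAGE, ATTACKER)}")
```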
The fake USPS phishing page.

Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.

KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain usps.informedtrck[.]com. The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information. The remaining buttons on the phishing page all link to the real USPS.com website. After collecting your address information, the fake USPS site goes on to request additional personal and financial data.

This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations. Check out the bottom portion of the screenshot below, and you’ll notice that this phishing site fails to load some external resources, including an image from a link called fly.linkcdn[.]to.

A search on this domain at the always-useful URLscan.io shows that fly.linkcdn[.]to is tied to a slew of USPS-themed phishing domains.
Here are just a few of those domains (links defanged to prevent accidental clicking):

usps.receivepost[.]com usps.informedtrck[.]com usps.trckspost[.]com postreceive[.]com usps.trckpackages[.]com usps.infortrck[.]com usps.quicktpos[.]com usps.postreceive].]com usps.revepost[.]com trackingusps.infortrck[.]com usps.receivepost[.]com usps.trckmybusi[.]com postreceive[.]com tackingpos[.]com usps.trckstamp[.]com usa-usps[.]shop usps.infortrck[.]com unlistedstampreceive[.]com usps.stampreceive[.]com usps.stamppos[.]com usps.stampspos[.]com usps.trckmypost[.]com usps.trckintern[.]com usps.tackingpos[.]com usps.posinformed[.]com

As we can see in the screenshot below, the developer tools console for informedtrck[.]com complains that the site is unable to load a Google Analytics code — UA-80133954-3 — which apparently was rejected for pointing to an invalid domain.

Notice the highlighted Google Analytics code exposed by a faulty JavaScript element on the phishing website.

That code actually belongs to the USPS. The valid domain for that Google Analytics code is the official usps.com website. According to dnslytics.com, that same analytics code has shown up on at least six other nearly identical USPS phishing pages dating back nearly as many years, including onlineuspsexpress[.]com, which DomainTools.com says was registered way back in September 2018 to an individual in Nigeria. A different domain with that same Google Analytics code that was registered in 2021 is peraltansepeda[.]com, which archive.org shows was running a similar set of phishing pages targeting USPS users. DomainTools.com indicates this website name was registered by phishers based in Indonesia. DomainTools says the above-mentioned USPS phishing domain stamppos[.]com was registered in 2022 via Singapore-based Alibaba.com, but the registrant city and state listed for that domain says “Georgia, AL,” which is not a real location.
Alas, running a search for domains registered through Alibaba to anyone claiming to reside in Georgia, AL reveals nearly 300 recent postal phishing domains ending in “.top.” These domains are either administrative domains obscured by a password-protected login page, or are .top domains phishing customers of the USPS as well as postal services serving other countries. Those other nations include the Australia Post, An Post (Ireland), Correos.es (Spain), the Costa Rican post, the Chilean Post, the Mexican Postal Service, Poste Italiane (Italy), PostNL (Netherlands), PostNord (Denmark, Norway and Sweden), and Posti (Finland). A complete list of these domains is available here (PDF).

A phishing page targeting An Post, the state-owned provider of postal services in Ireland.

The Georgia, AL domains at Alibaba also encompass several that spoof sites claiming to collect outstanding road toll fees and fines on behalf of the governments of Australia, New Zealand and Singapore.

An anonymous reader wrote in to say they submitted fake information to the above-mentioned phishing site usps.receivepost[.]com via the malware sandbox any.run. A video recording of that analysis shows that the site sends any submitted data via an automated bot on the Telegram instant messaging service. The traffic analysis just below the any.run video shows that any data collected by the phishing site is being sent to the Telegram user @chenlun, who offers to sell customized source code for phishing pages. From a review of @chenlun’s other Telegram channels, it appears this account is being massively spammed at the moment — possibly thanks to public attention brought by this story.

Meanwhile, researchers at DomainTools recently published a report on an apparently unrelated but equally sprawling SMS-based phishing campaign targeting USPS customers that appears to be the work of cybercriminals based in Iran.
Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the United Parcel Service (UPS) disclosed that fraudsters were abusing an online shipment tracking tool in Canada to send highly targeted SMS phishing messages that spoofed the UPS and other brands. With the holiday shopping season nearly upon us, now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites. Update: Added information about the Telegram bot and any.run analysis.
Thousands of devices, including D-Link and Zyxel gear, remain vulnerable to takeover despite the availability of patches for the several bugs being exploited by the IZ1H9 campaign.
It's past time to reimagine how to best nurture talent and expand recruiting and training to alleviate the shortage of trained cybersecurity staff. We need a diverse talent pool trained for tomorrow's challenges.
The Intellexa alliance has been using a range of tools for intercepting and subverting mobile and Wi-Fi technologies to deploy its surveillance tools, according to an investigation by Amnesty International and others.
Following the publication of the critical Linux security vulnerability, security specialists released PoC exploits to test the implications of CVE-2023-4911.
GitHub has improved its secret scanning feature to include validity checks for popular services like Amazon Web Services, Microsoft, Google, and Slack, enhancing the ability to identify and remediate exposed tokens.
The cyberattack highlights the vulnerability of transportation firms to cyber threats, disrupting their visibility into operations and posing risks to employee and customer data.
Taking over legitimate email accounts, whether belonging to employees or students, is an effective tactic for sending out phishing emails as the sender appears to be trustworthy.
Although arrests are unlikely, the stolen crypto was recovered, which is a significant achievement considering the difficulty of tracking and recovering cryptocurrencies.
MGM Resorts said the previously disclosed cyberattack in September will impact the company’s third-quarter financial results by about $100 million, mainly related to the impact on its Las Vegas operations, according to its SEC filing.
Shopping scams are the most common type of social media fraud, with undelivered goods being the primary issue, while investment scams, particularly involving cryptocurrency, pose the highest financial risk to victims.
As per Cisco Talos, Qakbot malware actors have continued their campaign, distributing Ransom Knight ransomware and the Remcos backdoor, despite the FBI-led takedown of their infrastructure. Besides, the study asserts that the Ransom Knight payload is an updated variant of the Cyclops ransomware, rewritten from scratch. As a preventive measure, individuals and organizations should exercise caution with unfamiliar emails and regularly back up data.
Over 800,000 customers of Flagstar Bank have had their personal information exposed due to a data breach suffered by a third-party service provider Fiserv, that offers payment processing and mobile banking services to Flagstar Bank.
Threat actors use sophisticated attack techniques like exec smuggling to implant malicious code within seemingly legitimate applications, compromising the security of systems.
Nation-state hackers, particularly Russia and China, have shifted their focus towards espionage campaigns aimed at stealing information and manipulating communications, according to a new Microsoft report.
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint cybersecurity advisory highlighting the most common misconfigurations in large organizations.
The British data privacy authority has issued a preliminary enforcement notice against Snap Inc. for potentially failing to adequately assess the privacy risks associated with its generative AI chatbot.
The Enduring Security Framework, a public-private working panel led by CISA and the NSA, identified developer and vendor issues that hinder the implementation of MFA and SSO, such as confusing definitions, unclear policies, and technical gaps.
Various hacker groups from around the world, including Ghosts of Palestine and Garuna, have joined the cyber conflict, targeting private and public infrastructure in Israel and the Palestinian territories.
The flaws in 3G/4G routers could expose internal networks to severe threats, enabling attackers to intercept traffic, seize control, and infiltrate Extended Internet of Things (XIoT) devices.
Organizations are advised to inventory and scan all systems using Curl and libcurl to identify potentially vulnerable versions once the details are released with the new version 8.4.0 on October 11.
Researchers discovered a failed phishing attempt through a spam email. The email claimed to be from Amazon, stating that the recipient's Prime benefits were on hold due to a billing issue.
CDW, one of the largest global resellers, is set to have its data leaked by the LockBit cybercrime gang after negotiations over the ransom fee broke down. LockBit claims that CDW offered a very low sum of money.
The official Facebook page was hacked, with bizarre posts demanding the release of ex-Pakistani PM Imran Khan, raising concerns about the security of Facebook accounts and pages.
A group of experts noted a rapid evolution in Balada Injector's infrastructure and attack methods, which resulted in a significant number of compromised WordPress sites. Balada malware injection attacks have been found exploiting a vulnerable tagDiv premium theme plugin to target Newspaper and Newsmag websites. It is recommended to remove all unwanted admin users and redundant plugins to stay safe.
Ubuntu Security Notice 6421-1 - It was discovered that Bind incorrectly handled certain control channel messages. A remote attacker with access to the control channel could possibly use this issue to cause Bind to crash, resulting in a denial of service.
Ubuntu Security Notice 6420-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
Gentoo Linux Security Advisory 202310-9 - Multiple vulnerabilities have been discovered in c-ares, the worst of which could result in Denial of Service. Versions greater than or equal to 1.19.1 are affected.
Gentoo Linux Security Advisory 202310-8 - A root privilege escalation through setuid executable and cron job has been discovered in man-db. Versions greater than or equal to 2.8.5 are affected.
Gentoo Linux Security Advisory 202310-7 - Multiple vulnerabilities have been discovered in VirtualBox, leading to compromise of VirtualBox. Versions greater than or equal to 7.0.6 are affected.
Gentoo Linux Security Advisory 202310-6 - Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC. Versions greater than or equal to 7.8.0-r1 are affected.
Gentoo Linux Security Advisory 202310-5 - A vulnerability has been found in dav1d which could result in denial of service. Versions greater than or equal to 1.2.0 are affected.
Debian Linux Security Advisory 5519-1 - Maxim Suhanov discovered multiple vulnerabilities in GRUB2's code to handle NTFS filesystems, which may result in a Secure Boot bypass.
Kibana versions prior to 7.6.3 suffer from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value you can execute arbitrary code. Code execution is possible in two different ways: either by sending data directly to Elastic, or by using Kibana to submit the same queries. Either method enters the polluted prototype for Kibana to read. Kibana will either need to be restarted, or collection happens (unknown time) for the payload to execute. Once it does, cleanup must delete the .kibana_1 index for Kibana to restart successfully. Once a callback does occur, cleanup will happen allowing Kibana to be successfully restarted on next attempt.
Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current stable release.
Simple Packet Sender (SPS) is a Linux packet crafting tool. It supports IPv4, IPv6 (but not extension headers yet), and tunneling IPv6 over IPv4. Written in C on Linux with a GUI built using GTK+. Both source and binaries are included. Features include packet crafting and sending one, multiple, or flooding packets of type TCP, ICMP, or UDP. All values within the Ethernet frame can be modified arbitrarily. Supports TCP, ICMP and UDP data as well, with input from either keyboard as UTF-8/ASCII, keyboard as hexadecimal, or from file. Various other features exist as well.
Security sensors are common in the home for both prevention and response in the event something goes wrong. But in the cloud, have you taken the same approach?
A Gaza-based threat actor has been linked to a series of cyber attacks aimed at Israeli private-sector energy, defense, and telecommunications organizations. Microsoft, which revealed details of the activity in its fourth annual Digital Defense Report, is tracking the campaign under the name Storm-1133. "We assess this group works to further the interests of Hamas, a Sunni militant group that is
Senior executives working in U.S.-based organizations are being targeted by a new phishing campaign that leverages a popular adversary-in-the-middle (AiTM) phishing toolkit named EvilProxy to conduct credential harvesting and account takeover attacks. Menlo Security said the activity started in July 2023, primarily singling out banking and financial services, insurance, property management and
In today's rapidly evolving technological landscape, the integration of Artificial Intelligence (AI) and Large Language Models (LLMs) has become ubiquitous across various industries. This wave of innovation promises improved efficiency and performance, but lurking beneath the surface are complex vulnerabilities and unforeseen risks that demand immediate attention from cybersecurity professionals
"Of course, here's an example of simple code in the Python programming language that can be associated with the keywords 'MyHotKeyHandler,' 'Keylogger,' and 'macOS'." This is a message from ChatGPT, followed by a piece of malicious code and a brief remark not to use it for illegal purposes. Initially published by Moonlock Lab, the screenshots of ChatGPT writing code for a keylogger malware are yet
Multiple high-severity security vulnerabilities have been disclosed in ConnectedIO's ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data. "An attacker could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device
The maintainers of the Curl library have released an advisory warning of two security vulnerabilities that are expected to be addressed as part of an forthcoming update set for release on October 11, 2023. This includes a high-severity and a low-severity flaw tracked under the identifiers CVE-2023-38545 and CVE-2023-38546, respectively. Additional details about the issues and the exact version
An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme. The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an