Cyber security aggregate rss news


StormBamboo’s DNS ...

Cybersecurity News

A sophisticated hacking group by the name of StormBamboo has successfully compromised an internet service provider (ISP) to launch a DNS poisoning attack, targeting organizations through insecure software update mechanisms. This attack, detected by security researchers in mid-2023, exploits weaknesses in automatic update processes to install malware on both macOS and Windows systems.

StormBamboo DNS Poisoning Attack Vector

StormBamboo's method involves altering DNS query responses for specific domains tied to automatic software updates. By targeting applications that use insecure update mechanisms, such as plain HTTP, and that don't properly validate digital signatures, the group redirects update requests to its own servers. This results in the installation of malware instead of legitimate updates.

[Figure. Source: https://www.volexity.com]

Cybersecurity firm Volexity confirmed that the DNS poisoning occurred at the ISP level, not within the target organization's infrastructure. The poisoned DNS records resolved to an attacker-controlled server in Hong Kong. When the ISP finally investigated and took various network components offline, the DNS poisoning immediately stopped.

This attack bears similarities to a previous incident attributed to DriftingBamboo, another threat actor possibly related to StormBamboo. Both groups have used DNS poisoning to facilitate initial access to target networks.

Malware Deployment and Post-Exploitation Activity

StormBamboo deployed several malware families, including new variants of MACMA for macOS and POCOSTICK (also known as MGBot) for Windows. The latest version of MACMA shows significant code similarities to the GIMMICK malware family, suggesting a convergence in their development.

In one case, following the compromise of a macOS device, StormBamboo deployed a malicious Google Chrome extension called RELOADEXT. Disguised as a tool for loading pages in Internet Explorer compatibility mode, the extension contained obfuscated JavaScript that exfiltrates browser cookies to an attacker-controlled Google Drive account. The data was encrypted using AES with the key opizmxn!@309asdf and encoded with base64 prior to exfiltration.

This incident highlights the vulnerability of software that relies on insecure update mechanisms. It also demonstrates the sophisticated tactics employed by threat actors like StormBamboo, who can compromise third-party infrastructure to reach their intended targets.

To protect against attacks similar to StormBamboo, organizations should:

- Implement and enforce the use of HTTPS for all software update processes.
- Regularly audit and update network infrastructure, especially DNS-related components.
- Use robust digital signature verification for all software updates.
- Monitor for unusual DNS activity and unexplained changes in DNS responses.
- Employ network security monitoring tools capable of detecting DNS poisoning attempts.

The variety of malware employed in various campaigns by this threat actor indicates that significant effort is invested in actively supported payloads, not only for macOS and Windows but also for network appliances.
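The last two mitigation points above, monitoring for unexplained changes in DNS responses, are the kind of check a defender can run over resolver logs. The script below is an added example, not code from the original article or from Volexity: it parses a constructed resolver log, compares answers for a set of update hostnames against a known-good baseline of address blocks, and also flags any host whose answer flips between lookups. The hostnames, address blocks and log lines are all constructed for the example and are not real vendor ranges.

```python
"""Added example: flag DNS answers for software-update hosts that deviate from a
known-good baseline, or that change unexpectedly between lookups.

All hostnames, address ranges and log lines below are constructed for the
example; they are not Volexity's data and not real vendor ranges.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Hypothetical baseline: update hosts an organisation depends on, mapped to the
# address blocks the vendor is expected to answer from (constructed values).
UPDATE_BASELINE: dict[str, list[str]] = {
    "updates.example-vendor.test": ["203.0.113.0/24"],
    "dl.example-tool.test": ["198.51.100.0/25"],
}

# Constructed resolver log, one A-record answer per line:
#   <epoch> <client ip> <qname> A <answer ip>
SAMPLE_LOG = """\
1722750000 10.0.0.21 updates.example-vendor.test A 203.0.113.40
1722750060 10.0.0.22 dl.example-tool.test A 198.51.100.7
1722750120 10.0.0.21 updates.example-vendor.test A 192.0.2.77
1722750180 10.0.0.23 www.unrelated.test A 192.0.2.10
1722750240 10.0.0.22 dl.example-tool.test A not-an-ip
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: int
    client: str
    qname: str
    answer: str
    reason: str


def parse_records(text: str):
    """Yield (ts, client, qname, answer) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)


def answer_in_baseline(qname: str, answer: str, baseline=UPDATE_BASELINE):
    """True/False for monitored hosts, None for hosts that are not tracked."""
    nets = baseline.get(qname)
    if nets is None:
        return None
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False  # garbage in the answer field is itself worth a look
    return any(addr in ipaddress.ip_network(n) for n in nets)


def find_anomalies(text: str, baseline=UPDATE_BASELINE) -> list[Finding]:
    """Two checks per monitored host: an answer outside the baseline block, and an
    answer that differs from the one previously seen in this log (an unexplained flip)."""
    findings: list[Finding] = []
    last_seen: dict[str, str] = {}
    for ts, client, qname, answer in parse_records(text):
        verdict = answer_in_baseline(qname, answer, baseline)
        if verdict is None:
            continue
        if verdict is False:
            findings.append(Finding(ts, client, qname, answer, "outside baseline"))
        prev = last_seen.get(qname)
        if prev is not None and prev != answer:
            findings.append(Finding(ts, client, qname, answer, f"changed from {prev}"))
        last_seen[qname] = answer
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.qname} -> {f.answer}: {f.reason}")
```

The baseline check catches a poisoned answer pointing at an address block the vendor never uses; the change check catches the case where the baseline is incomplete or stale, because an ISP-level poisoning shows up as every client in the log suddenly receiving a different answer for the same name. In practice the baseline would be built from the vendor's published ranges or from weeks of the organisation's own resolver history rather than hand-written.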

Unveiling the SLUBSt ...

Firewall Daily

The SLUBStick cross-cache attack has emerged as a groundbreaking method for exploiting vulnerabilities in the Linux kernel. Discovered by researchers from Graz University of Technology, this sophisticated technique affects Linux kernel versions 5.9 to 6.2 and enables attackers to gain arbitrary memory read-and-write capabilities. With a success rate of 99% in converting restricted heap vulnerabilities into broad memory manipulation, SLUBStick represents a significant evolution in kernel exploitation techniques. Its ability to bypass advanced kernel defenses such as Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR) highlights its potent threat level.

Decoding the SLUBStick Cross-Cache Attack

The SLUBStick cross-cache attack exploits a timing side channel in the Linux kernel’s SLUB memory allocator. It operates in several stages, from timing side-channel exploitation to precise control of memory recycling and reclamation. Attackers monitor allocation and deallocation timings to predict and manipulate memory reuse. Once side-channel data is collected, SLUBStick forces the recycling of memory pages that have write capabilities by first freeing a writable memory object and then allocating new objects to reclaim the same slab page for sensitive object types. This leads to a cross-cache attack where the reclaimed slab page is used to overwrite sensitive memory, turning a limited heap vulnerability into a full arbitrary read-and-write primitive.

SLUBStick has been demonstrated to be effective across various Linux kernel versions and configurations. Researchers validated its potency using synthetic and real-world vulnerabilities, including nine Common Vulnerabilities and Exposures (CVEs), showing its ability to escalate privileges and escape containers on both 32-bit and 64-bit systems. This versatility underscores SLUBStick’s significant impact on kernel security.

Despite modern kernel defenses such as SMEP, SMAP, and KASLR, SLUBStick remains effective. These defenses are intended to prevent unauthorized memory access and mitigate exploit attempts, but SLUBStick’s approach to memory manipulation and timing attacks allows it to circumvent these protections. The attack’s success across various scenarios highlights its potential threat to Linux-based systems.

Presentation and Technical Analysis

SLUBStick will be detailed at the upcoming USENIX Security Symposium, with a technical paper already published. This paper provides an exhaustive analysis of the attack, including its execution and potential exploitation scenarios. The researchers explain how SLUBStick employs timing side-channel techniques, memory allocation patterns, and methods to overcome previous limitations in cross-cache attacks.

SLUBStick represents a significant threat to kernel security due to its ability to exploit limited heap vulnerabilities with high reliability. The attack’s success rate surpasses earlier techniques, making it a critical concern for systems utilizing Linux kernels. The threat model assumes that an attacker has unprivileged code execution and that the kernel incorporates all modern defense mechanisms, such as W^X, KASLR, SMAP, and kernel control-flow integrity (kCFI). This highlights the ongoing challenge of protecting kernel memory in complex systems and the need for continuous improvements in kernel security measures.

SLUBStick’s technical approach to arbitrary memory read-and-write capabilities involves a multi-stage process. Initially, it exploits a heap vulnerability to acquire a Memory Write Primitive (MWP), which allows writing to memory locations previously freed. SLUBStick then triggers the recycling of the slab’s memory chunk by deallocating all objects within it, with the MWP remaining valid and referring to the recycled memory. In the second stage, the attack reclaims this recycled memory chunk for use in page tables, which are crucial for translating user space addresses. SLUBStick allocates page tables that point to the recycled memory, which stores important information such as page frame numbers and access permissions. The final stage involves using the MWP to overwrite memory referenced by the page table, enabling the attacker to alter page frame numbers and permissions. This manipulation provides access to any physical page, including modifying kernel code or sensitive files like /etc/passwd. SLUBStick has demonstrated its ability to evade existing kernel defenses with remarkable success, achieving over 99% reliability for single-page-size chunks and up to 82% for multi-page-size chunks.

SLUBStick Addresses Several Technical Challenges

SLUBStick addresses the instability of cross-cache attacks by employing a timing side-channel attack on the SLUB allocator to reliably trigger memory recycling. By measuring allocation times, SLUBStick ensures precise control over when targeted memory chunks are recycled. It converts kernel heap vulnerabilities, such as double-free or use-after-free, into a functional Memory Write Primitive (MWP) by managing dangling pointers and extending the time window for their use, thus overcoming Kernel Address Space Layout Randomization (KASLR) randomness. SLUBStick’s approach includes grouping allocated objects by their slabs and using precise timing methods, such as timing the add_key syscall, to ensure accurate recycling.

Experimental validation shows that SLUBStick is effective, with high success rates for single-page-size chunks and reliable performance despite noise and interference. This technique marks a significant advancement in kernel exploitation, demonstrating its capacity to bypass modern defenses and escalate privileges. The research highlights the need for enhanced kernel security measures to address such sophisticated threats and SLUBStick's role in driving ongoing improvements in safeguarding kernel memory.

Panamorfi Campaign L ...

Cybersecurity News

A new Distributed Denial of Service (DDoS) campaign, named "Panamorfi" and operated by the threat actor yawixooo, exploits misconfigured Jupyter notebooks exposed online. The attackers deploy a publicly available Minecraft server DDoS tool, coordinated through a Discord channel, to perform the attack, with the aim of overwhelming target servers. Data practitioners such as data engineers, data analysts, and data scientists who rely on Jupyter notebooks are thought to be the primary victims of such campaigns and should take special precautions.

The Anatomy of the Panamorfi Attack

Researchers from Aqua Nautilus reported on the attack operation after observing it against an exposed honeypot Jupyter notebook targeted by yawixooo. They observed that the attack begins with the threat actor gaining initial access to internet-facing notebooks, then executing a command to download a zip file from a file-sharing platform:

    wget https://filebin.net/archive/h4fhifnlykw224h9/zip

The zip file, with a random name and an MD5 hash of 42989a405c8d7c9cb68c323ae9a9a318, is approximately 17 MB in size and contains two Jar files. These files, conn.jar and mineping.jar, were both new to VirusTotal and had only one detection each, from a single security company.

[Figure. Source: https://www.aquasec.com/blog/]

The 'conn.jar' file, which contains the initial execution code, utilizes Discord to control the DDoS attack. The victim's machine connects to the specified Discord channel, loading the 'mineping.jar' file, a known Minecraft server DDoS tool available on GitHub that contains 12 Java files to facilitate loading of HTTP sockets, use of proxies, an option to flood a victim, and the creation of connection-related details.

[Figure. Source: https://www.aquasec.com/blog/]

This tool is then employed to launch a TCP flood DDoS attack, aiming to consume the resources of the target server. The attackers have configured the tool to write the results to the Discord channel. The threat actor yawixooo has an active presence on GitHub, where they maintain a Minecraft server configuration and a website that is currently under construction.

Mitigation Against the Attack

The researchers were able to halt the progression of the attack with a runtime policy that blocks the file conn.jar from running. This de facto kills the entire attack. To defend against such campaigns:

- Restrict access to Jupyter notebooks through secure practices.
- Block the runtime of files associated with the campaign, such as conn.jar and mineping.jar.
- Limit code execution.
- Regularly update with the latest security patches available.

Security researchers have generally advised against the sharing of sensitive information or credentials in Jupyter notebooks, which can be ripe targets for threat actor campaigns.
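The first mitigation, restricting access to Jupyter notebooks, comes down to a handful of server settings: which interface the server binds to, whether it allows remote access, whether any authentication is configured, and whether it runs as root. The script below is an added example, not code from the article or from Aqua Nautilus: it audits a flat dictionary of Jupyter Server settings and reports the combinations that leave a notebook reachable and unauthenticated, the exposure Panamorfi depends on. The trait names (ServerApp.ip, ServerApp.allow_remote_access, ServerApp.allow_root, IdentityProvider.token, PasswordIdentityProvider.hashed_password) follow Jupyter Server 2.x as I know them and should be treated as an assumption to check against the installed version; both configurations are constructed for the example.

```python
"""Added example: audit Jupyter Server settings for the exposure that Panamorfi
relies on (a notebook reachable over the network with no authentication).

Trait names are assumed to match Jupyter Server 2.x; verify against your
version. Both configurations below are constructed for the example.
"""
from __future__ import annotations

import ipaddress

# Constructed: the "make it work from anywhere" config that ends up exposed.
WEAK_SETTINGS = {
    "ServerApp.ip": "0.0.0.0",
    "ServerApp.port": 8888,
    "ServerApp.allow_remote_access": True,
    "ServerApp.allow_root": True,
    "IdentityProvider.token": "",            # empty string disables token auth
    "PasswordIdentityProvider.hashed_password": "",
}

# Constructed: same server bound to loopback, behind a password, not running as
# root. Remote users reach it through an SSH tunnel or an authenticating proxy.
HARDENED_SETTINGS = {
    "ServerApp.ip": "127.0.0.1",
    "ServerApp.port": 8888,
    "ServerApp.allow_remote_access": False,
    "ServerApp.allow_root": False,
    "IdentityProvider.token": "",
    "PasswordIdentityProvider.hashed_password": "argon2:PLACEHOLDER-HASH",
}


def _is_loopback(ip: str) -> bool:
    """Loopback by address, or the literal hostname 'localhost'."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return ip == "localhost"


def audit_jupyter_settings(settings: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    ip = str(settings.get("ServerApp.ip", "localhost"))
    # Assumption: an unset token means Jupyter generates a random one at start-up,
    # so only an explicit empty string counts as "no token".
    token = settings.get("IdentityProvider.token")
    has_token = token is None or token != ""
    has_password = bool(settings.get("PasswordIdentityProvider.hashed_password"))
    authenticated = has_token or has_password
    remote = bool(settings.get("ServerApp.allow_remote_access", False))

    if not _is_loopback(ip) and not authenticated:
        findings.append(
            f"listens on {ip} with no token and no password: "
            "anyone who can reach the port gets code execution"
        )
    elif not _is_loopback(ip):
        findings.append(
            f"listens on {ip}: front it with an authenticating proxy or a tunnel "
            "rather than exposing the port directly"
        )
    if remote and not authenticated:
        findings.append("allow_remote_access is enabled without authentication")
    if settings.get("ServerApp.allow_root"):
        findings.append("allow_root is enabled: a compromised kernel runs as root")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{name}: {audit_jupyter_settings(cfg) or ['no findings']}")
```

The audit deliberately treats "bound to a non-loopback address" as a finding even when a password is set, because the rest of the campaign (fetching the zip, running conn.jar) only needs a code-execution foothold, and a directly exposed notebook port is one password guess away from that; a tunnel or proxy in front adds a second, independently logged control.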

Google Ads Suffered ...

Cybersecurity News

A major reporting glitch in Google Ads has left some advertisers without access to critical performance data and had earlier exposed sensitive competitor information, sparking concerns over data security and the potential for unfair business practices. The issue, which began on July 30, 2024, resulted in the temporary unavailability of key reporting tools and product management features, making it difficult for businesses to manage their campaigns effectively.

Impact of the Google Ads Glitch

The root concern of the glitch was the exposure of sensitive competitor information. Between July 30-31, 2024, a small fraction of advertisers were able to see unrelated item IDs, product titles, and Merchant Center information from other accounts. This exposure allowed advertisers to identify direct competitors by searching the exposed product titles, raising serious privacy concerns.

Due to the glitch, certain features of Google Ads such as the Report Editor, Dashboards, and Saved Reports in the web interface were unavailable, while the Products, Product Groups, and Listing Groups pages were down across the web interface, API, and Google Ads Editor.

[Figure. Source: X.com (@adsliaison)]

This temporary outage left advertisers unable to access critical performance data, including information about their competitors' products and advertising strategies. While the leaked data does not include sensitive personal information, it can provide valuable insights into competitors' products and advertising strategies, which could be used to gain an unfair advantage, raising serious concerns over data security and the potential for unfair business practices.

Google's Response and Ongoing Efforts

Google has acknowledged the issue and is actively working to resolve it. Ginny Marvin, a Google Ads liaison, had earlier stated on X (previously Twitter) that the team is "actively looking into" the issue and will provide updates as more information becomes available. However, the company has provided limited information about the cause of the glitch and the number of affected individuals.

[Figure. Source: https://ads.google.com]

Despite the lack of information, some agencies have begun encrypting sensitive information within client accounts to prevent future breaches. As of August 4, 2024, Google reported via its dashboard and product liaison handle on X that some accounts may remain impacted while services have been fully restored to other accounts:

"For accounts that have not been affected by this issue, all reporting services have been restored. Thank you for your patience during this time and we apologize for the inconvenience. For accounts affected by this issue, we are still working to restore reporting services for Report Editor and the Products tab. We will continue to provide further updates as soon as we have more information. We will reach out to all impacted customers directly with further details on this incident. As noted earlier, campaigns are serving as expected across all customers."

Advertisers are advised to exercise caution when accessing their Google Ads accounts and to avoid acting on any data until Google confirms the issue is fully resolved. The ongoing efforts by Google to bring all reports back online are a positive step towards restoring data security and confidence in the platform.

DARPA Unveils TRACTO ...

Firewall Daily

In a groundbreaking move, the US Defense Advanced Research Projects Agency (DARPA) is embarking on an ambitious project to modernize programming practices. The new initiative, named TRACTOR (TRanslating All C TO Rust), aims to revolutionize the way legacy C code is converted to the more secure Rust programming language using advanced artificial intelligence (AI) techniques.

The driving force behind TRACTOR is to address one of the most pressing issues in software development: memory safety. Memory safety bugs, such as buffer overflows, are notorious for causing critical vulnerabilities in software systems. By transitioning legacy code from C, a language with known memory safety issues, to Rust, which is designed to prevent such vulnerabilities, DARPA seeks to significantly enhance the security of software applications.

DARPA’s New Initiative TRACTOR

According to DARPA’s official statement, “Eliminating Memory Safety Vulnerabilities Once and For All: DARPA initiates a new program to automate the translation of the world’s highly vulnerable legacy C code to the inherently safer Rust programming language.” This initiative addresses the prevalent issue of memory safety vulnerabilities, which affect computer memory by either allowing direct manipulation or resulting in undefined behavior where the language standard is unclear. The move towards Rust is supported by a consensus in the software engineering community that bug-finding tools alone are insufficient to tackle these issues. The Office of the National Cyber Director has emphasized the need for proactive measures to combat memory safety vulnerabilities, highlighting the urgency of this initiative.

The challenge, however, lies in the vast scale of rewriting legacy code. Since its inception in the 1970s, C has become deeply entrenched in various applications, from modern smartphones to complex defense systems. The Department of Defense, in particular, relies heavily on C, making the task of updating these systems even more critical.

TRACTOR Aims to Leverage Modern Technology

Recent advancements in machine learning, including large language models (LLMs), have created new opportunities for tackling this problem. TRACTOR aims to leverage these technologies to automate the conversion process, making it feasible to update extensive codebases efficiently.

Dr. Dan Wallach, DARPA’s program manager for TRACTOR, explains, “You can go to any of the LLM websites, start chatting with one of the AI chatbots, and all you need to say is ‘here's some C code, please translate it to safe idiomatic Rust code,’ cut, paste, and something comes out, and it's often very good, but not always.” He adds, “The research challenge is to dramatically improve the automated translation from C to Rust, particularly for program constructs with the most relevance.”

The goal of TRACTOR is not just to automate code conversion but to achieve the high quality and style of Rust code that a skilled developer would produce manually. By doing so, the program aims to eradicate the class of memory safety vulnerabilities inherent in C programs. In addition to leveraging software analysis methods, including static and dynamic analysis, TRACTOR will incorporate LLM-powered solutions and host public competitions to showcase and test these innovations.

“Rust forces the programmer to get things right,” Wallach remarks. “It can feel constraining to deal with all the rules it forces, but when you acclimate to them, the rules give you freedom. They're like guardrails; once you realize they're there to protect you, you'll become free to focus on more important things.”

DARPA will hold a Proposers Day on August 26, 2024, providing an opportunity for participants to learn more about the initiative, either in person or virtually. Interested parties must register by August 19, 2024. More details and registration information are available on SAM.gov.

RailTel and Cylus Jo ...

Firewall Daily

In a significant move to bolster cybersecurity in Indian Railways, RailTel has announced a strategic partnership with Cylus, a leading cybersecurity firm specializing in rail industry solutions, to implement advanced cybersecurity measures across Indian Railways' extensive infrastructure. This collaboration, revealed on Friday, is set to enhance the cybersecurity framework of Indian Railways, addressing the growing need for robust protection in the sector.

RailTel is a prominent public sector enterprise known for its telecommunications and ICT solutions. The partnership's primary goal is to fortify the security of critical railway systems, including signaling, trackside operations, onboard systems, and SCADA networks.

Cybersecurity in Indian Railways: RailTel Will Integrate Cylus Technology

In their new partnership, RailTel and Cylus are set to significantly bolster cybersecurity in Indian Railways. RailTel will incorporate Cylus' advanced technology, CylusOne, into its existing systems, focusing particularly on protecting the railway’s signaling and control systems. These components are essential for the smooth and reliable operation of the rail network, making their security a top priority.

[Figure. Source: RailTel]

The collaboration aims to bring Cylus' sophisticated cyber defense solutions to the Indian market, enhancing cybersecurity across both the railway and public transport sectors. By integrating these technologies, the partnership seeks to address and mitigate emerging cyber threats, thereby strengthening the overall security of critical infrastructure. In addition, Cylus will provide expert services to ensure the seamless integration of CylusOne into RailTel’s systems, which will improve cybersecurity across various areas, including railway signaling and telecom networks.

To further bolster the sector’s defenses, Cylus will also partner with RailTel’s Digital Service Partner, Rail Edutech Pvt Ltd, to offer specialized cybersecurity training programs. These programs are designed to elevate cybersecurity in Indian Railways, contributing to a more secure and resilient infrastructure. RailTel and Cylus are committed to advancing the safety and reliability of Indian Railways by enhancing its cybersecurity framework.

Major Upgrades in Cybersecurity in Indian Railways

Sanjai Kumar, Chairman and Managing Director of RailTel, emphasized the importance of this collaboration, stating, "Indian Railways is undergoing a major technological upgrade, with cybersecurity being a top priority. We are excited to partner with Cylus to safeguard our mission-critical infrastructure against escalating cyber threats."

Ashish Upadhyay, Cylus' Director for Asia Pacific, expressed enthusiasm about the partnership, saying, "Our collaboration with RailTel highlights our commitment to securing critical railway infrastructure. We are eager to deploy our advanced cybersecurity solutions and offer comprehensive training to enhance the capabilities of railway personnel."

This strategic alliance between RailTel and Cylus marks a significant advancement in the field of cybersecurity in Indian Railways. By leveraging Cylus' expertise and technology, RailTel is poised to enhance the protection and resilience of India's railway infrastructure against cyber threats.
