In today’s edition: ‘Inception’ Attack, AMD Zen, Downfall Attack, Intel, Cloudflare, Microsoft, LOLBAS, Japan, UK Elections, Qilin Ransomware, QakBot.
A powerful new transient execution attack named ‘Inception’ has been uncovered by researchers; it can be launched from an unprivileged process to leak sensitive information from all AMD Zen CPUs, including the latest models. The attack leverages the speculative execution feature of modern processors and combines the techniques of ‘Phantom speculation’ and ‘Training in Transient Execution’ to manipulate CPU behavior and retrieve privileged data. Even CPUs with mitigations against other speculative execution attacks such as Spectre are vulnerable to Inception, making it a significant hardware-level security concern.
A Google research scientist has uncovered a vulnerability named Downfall affecting various Intel microprocessor families. This vulnerability allows threat actors to exploit the CPUs and steal sensitive information like passwords, encryption keys, and private data, even from users sharing the same computer. The flaw, tracked as CVE-2022-40982, is a transient execution side-channel issue affecting Intel microarchitectures Skylake through Ice Lake, and it enables attackers to extract information protected by Intel’s hardware-based memory encryption. Despite Intel’s efforts to provide a microcode update to mitigate the issue, the researcher has warned that addressing the root cause is necessary to prevent further vulnerabilities.
In the latest Patch Tuesday release, Microsoft addresses a total of 87 vulnerabilities, with particular emphasis on two zero-day vulnerabilities that have been actively exploited. The 87 include 23 remote code execution (RCE) flaws, six of them classified as ‘Critical.’ Among the actively exploited vulnerabilities, one is related to Microsoft Office, where a security bypass flaw allowed attackers to craft malicious Office documents that bypass security warnings. The second zero-day affects .NET applications and Visual Studio and can be used to cause distributed denial of service (DDoS) attacks; it has been patched, but the exact attack details and the discoverer remain undisclosed.
Researchers have exposed the exploitation of Cloudflare Tunnels by threat actors to establish concealed communication channels and maintain persistent access to compromised hosts. Cloudflared, the command-line client for Cloudflare Tunnel, is being used by attackers to create secure connections between an origin web server and Cloudflare’s data center, a feature that legitimately conceals origin IP addresses and shields against DDoS and brute-force attacks. A threat actor who already has elevated access on a host can use the same tool to set up a foothold and manipulate tunnel functionality for covert activities while evading detection, which adds a further channel defenders need to monitor.
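The cloudflared invocations described above show up in process-creation telemetry. The following is an added detection example, not code from the article, the researchers, or Cloudflare: it assumes Sysmon-style Image/CommandLine events (constructed sample data inline) and an organisation-specific approved install path, and it flags tunnel and access-client invocations, including renamed binaries, that run outside that path.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon-style Image/CommandLine pairs).
# Illustrative only; not data from the article. The token value is a dummy.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "cmd": "cloudflared.exe tunnel run corp-ingress"},
    {"image": r"C:\Users\Public\cloudflared.exe",
     "cmd": "cloudflared.exe tunnel run --token CONSTRUCTED_DUMMY_TOKEN"},
    {"image": r"C:\ProgramData\update.exe", "cmd": "update.exe tunnel --url http://localhost:3389"},
    {"image": r"C:\ProgramData\update.exe",
     "cmd": "update.exe access rdp --hostname rdp.example.test --url localhost:13389"},
]

# Assumed allowlist: where this organisation legitimately installs cloudflared.
APPROVED_PATHS = ("c:\\program files (x86)\\cloudflared\\",)

# Argument patterns characteristic of cloudflared regardless of the binary's name.
TUNNEL_RUN = re.compile(r"\btunnel\b.*\brun\b", re.I)      # named tunnel
TOKEN_ARG = re.compile(r"--token\s+\S+", re.I)              # token-authenticated tunnel
QUICK_TUNNEL = re.compile(r"\btunnel\b.*--url\s+\S+", re.I)  # ad-hoc quick tunnel
ACCESS_CLIENT = re.compile(r"\baccess\s+(?:rdp|ssh|tcp)\b", re.I)  # local port forwarding

@dataclass
class Finding:
    severity: str
    reason: str
    image: str

def classify(event):
    """Return a Finding for suspicious cloudflared use, or None if nothing stands out."""
    image, cmd = event["image"], event["cmd"]
    from_approved = image.lower().startswith(APPROVED_PATHS)
    if TUNNEL_RUN.search(cmd):
        if from_approved:
            return None  # named tunnel from the approved install: expected behaviour
        if TOKEN_ARG.search(cmd):
            return Finding("high", "token-authenticated tunnel started outside approved path", image)
        return Finding("medium", "named tunnel started outside approved path", image)
    if QUICK_TUNNEL.search(cmd):
        return Finding("high", "ad-hoc quick tunnel (--url) exposing a local port", image)
    if ACCESS_CLIENT.search(cmd):
        return Finding("medium", "cloudflared access client forwarding rdp/ssh/tcp", image)
    if "cloudflared" in image.lower() and not from_approved:
        return Finding("low", "cloudflared binary executed outside approved path", image)
    return None

def scan(events):
    """Run classify over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]
```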
Cybersecurity researchers have unearthed a collection of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could serve as tools for malicious post-exploitation activities. LOLBAS refers to a technique that capitalizes on system binaries and scripts for illicit purposes, making it challenging for security teams to differentiate between legitimate and harmful actions. The findings include nine LOLBAS downloaders and three executors that could enable attackers to both download and execute more potent malware, thus camouflaging their activities within trusted system utilities. Pentera, the Israeli cybersecurity company behind the discovery, emphasizes the potential risk posed by these binaries, highlighting the importance of enhanced vigilance and detection capabilities to counter such threats.
Classified defense networks of Japan were reportedly breached in 2020 by a Chinese cyberespionage group, an intrusion that proved difficult to eradicate even after it was discovered. The breach gave the hackers access to sensitive Ministry of Defense plans and information about military capabilities and vulnerabilities, as revealed by unnamed senior U.S. officials. Underscoring the breach’s gravity, the head of the National Security Agency and U.S. Cyber Command, Army Gen. Paul M. Nakasone, along with then-White House Deputy National Security Adviser Matthew Pottinger, rushed to Tokyo to brief the defense minister.
The UK Electoral Commission has announced a significant data breach that exposed voters’ personal information spanning from 2014 to 2022. This breach came to light after the Commission detected suspicious activity in its systems in October 2022, revealing that hostile actors had gained unauthorized access since August 2021. The breach impacted the Commission’s email servers, control systems, and copies of electoral registers, potentially compromising a range of personal details such as names, addresses, email addresses, and contact numbers. While the Commission assures that the breach did not directly affect elections or voter registration, the potential for combining this exposed information with other data for fraudulent activities like identity theft and phishing highlights the need for affected individuals to remain vigilant against suspicious communications.
Ukrainian security services successfully thwarted a cyberattack orchestrated by Russian state-controlled hackers aimed at infiltrating the battlefield management system employed by the Ukrainian military. The attack, attributed to the notorious Sandworm hacking group working on behalf of Russia’s military intelligence agency, sought to compromise Android tablets used by the military for operational planning. The attempt involved multiple variants of new custom malware, with the hackers meticulously disguising malicious software as legitimate programs. The Ukrainian authorities managed to intercept the operation during the planning phase, highlighting the ongoing cybersecurity challenges faced by the country.
The Qilin ransomware group has set its sights on Thonburi Energy Storage Systems, a leading battery manufacturer in Thailand, marking another high-profile victim in their cyber onslaught. With claims of non-communication from the company, the hackers have begun a wave of document releases, further intensifying the cyber threat landscape. The breach, highlighted by the Threat Intelligence Service Falcon Feeds, underscores the urgent need for cybersecurity vigilance as ransomware attacks continue to target critical industries and infrastructure.
In a recent cyberattack on Hospitality Staffing Solutions (HSS), attackers managed to breach the company’s defenses, compromising the personal details, including sensitive financial account information, of over 100,000 individuals. The Atlanta-based firm, which offers hospitality staffing services across the US, fell victim to the breach in early June this year. The breached data includes names, Social Security numbers, driver’s license numbers, and financial account numbers, leaving victims susceptible to identity theft, phishing, and financial fraud. Despite the company’s offer of identity protection services for a year, experts emphasize that the repercussions of such breaches can extend beyond the immediate scope, underscoring the ongoing threat of cyberattacks and data exposure in the digital landscape.
In response to the escalating wave of ransomware attacks targeting state and local governments, the US Department of Homeland Security has unveiled a significant move, pledging $375 million to reinforce cyber resilience at the grassroots level. The initiative is part of the State and Local Cybersecurity Grant Program (SLCGP), now in its second year, aimed at equipping state, local, and territorial governments to fend off cyber threats. With a spotlight on ransomware and other cyberattacks, this funding will empower communities across the nation to fortify their cybersecurity posture, ensuring the safety of residents and critical infrastructure.
Cybersecurity experts have uncovered that the operators behind the QakBot (QBot) malware have established 15 additional command-and-control (C2) servers by late June 2023. This development follows a history of QakBot taking a summer hiatus, raising questions about whether this break is used for refining and enhancing their infrastructure. The research highlights the intricate tiered architecture of QakBot’s C2 network and notes that its activity patterns have changed, with a significant decrease in certain C2 servers’ communication. Additionally, the report underscores the implications of QakBot’s tactics, including the potential double impact on compromised victims and the protection achieved by null-routing certain layers of the infrastructure.
Interpol and cybersecurity firms have successfully taken down the notorious 16shop phishing-as-a-service (PhaaS) platform. These platforms provide cybercriminals with all the necessary tools for conducting phishing attacks, making them accessible even to inexperienced criminals. The 16shop platform, responsible for over 150,000 phishing pages targeting major brands like Apple and PayPal, compromised at least 70,000 users from 43 countries. The operation led to the arrest of the platform’s operator and two facilitators, highlighting the effectiveness of global cooperation in combating cybercrime.
Horizon3.ai, a prominent player in autonomous security testing solutions, has successfully concluded a Series C funding round, raising $40 million. Craft Ventures spearheaded the funding round, joined by Signal Fire. Horizon3.ai’s NodeZero platform, renowned for offering autonomous pentesting as a self-service SaaS solution, empowers organizations to bolster their security stance and reduce vulnerabilities. The newly acquired funds will be instrumental in integrating pentesting, SOAR, and detection engineering into the platform, amplifying global growth, and further strengthening Horizon3.ai’s pivotal role in the cybersecurity landscape.
Protect AI has introduced a specialized platform, Huntr, dedicated to identifying vulnerabilities within AI and ML systems. This initiative comes as part of Protect AI’s acquisition of Huntr.dev, a platform that rewards security researchers for pinpointing vulnerabilities in open-source software. CEO Ian Swanson emphasized the importance of addressing security concerns in the AI supply chain and pledged to offer the “highest paying AI/ML bounties” through Huntr to foster a community of skilled researchers. The inaugural challenge, focusing on HuggingFace Transformers, features a substantial $50,000 reward, and Protect AI aims to empower researchers to strengthen AI/ML security while also providing financial incentives and professional growth opportunities.