Monthly Archives: May 2020

Researcher Spots New Malware Claimed to be ‘Tailored for Air‑Gapped Networks’

A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which they spotted on the Virustotal malware scanning engine and believe the hacker behind it is likely interested in some high-value computers protected behind air‑gapped networks.

Dubbed ‘Ramsay,’ the malware is still under development with two more variants (v2.a and v2.b) spotted in the wild and doesn’t yet appear to be a complex attacking framework based upon the details researcher shared.

However, before reading anything further, it’s important to note that the malware itself doesn’t leverage any extraordinary or advanced technique that could let attackers jump air-gapped networks to infiltrate or exfiltrate data from the targeted computers.

According to ESET researcher Ignacio Sanmillan, Ramsay infiltrates targeted computers through malicious documents, potentially sent via a spear-phishing email or dropped using a USB drive, and then exploits an old code execution vulnerability in Microsoft Office to take hold on the system.

‘Several instances of these same malicious documents were found uploaded to public sandbox engines, labeled as testing artifacts such as access_test.docx or Test.docx denoting an ongoing effort for trial of this specific attack vector,’ the researcher said.
Ramsay malware primarily consists of two main functionalities:

  • Collecting all existing Word documents, PDFs, and ZIP archives within the target’s filesystem and storing them to a pre-defined location on the same system or directly to a network or removable drives.
  • Spreading itself to other computers being used within the same isolated facility by infecting all executable files available on a network shares and removable drives.

According to the researcher, the Ramsay samples they found do not have a network-based C&C communication protocol, nor does any attempt to connect to a remote host for communication purposes.

airgap malware

Now the question arises, how the attackers are supposed to exfiltrate data from a compromised system.

Honestly, there’s no clear answer to this at this moment, but researcher speculate that the malware might have been ‘tailored for air‑gapped networks’ with similar scenarios—considering that the only option left is to physically access the machine and steal the collected data with a weaponized USB.

‘It is important to notice that there is a correlation between the target drives Ramsay scans for propagation and control document retrieval,’ the ESET researcher said.

“This assesses the relationship between Ramsay’s spreading and control capabilities showing how Ramsay’s operators leverage the framework for lateral movement, denoting the likelihood that this framework has been designed to operate within air-gapped networks.’

‘The current visibility of targets is low; based on ESET’s telemetry, few victims have been discovered to date. We believe this scarcity of victims reinforces the hypothesis that this framework is under an ongoing development process, although the low visibility of victims could also be due to the nature of targeted systems being in air-gapped networks,’ he added.

However, a lack of technical and statistical evidence doesn’t support this theory yet and remains a broad guess.

Moreover, since the malware is still under development, it’s too early to decide if the malware has only been designed to target air-gapped networks.

It likely possible that the future versions of the malware could have an implication to connect with a remote attacker-controlled server for receiving commands and exfiltrating data.

We have reached out to ESET researcher for more clarity on the ‘air-gap’ claim and will update this story once he responds.

UPDATE: Researcher Explains ‘Air Gap’ Scenarios

Researcher Ignacio Sanmillan, who discovered and analyzed Ramsay malware, has provided the following explanation for our readers.

“We only have a copy of the Ramsay agent, which only has code to aggregate and compress the stolen data in a very decentralized and covert way on the local filesystem of the infected host. Based on this, we assume that another component is responsible for scanning the filesystem, locating the compressed files, and performing the actual exfiltration.”

On asking if the attacker needs to rely on the physical access for data exfiltration, Sanmillan said:


“There are several ways the attacker might do this. We have not seen this operation performed; however, we have a few hypotheses on how the attacker could do this. Those are only our best-educated guess and pure speculation at this point, so please treat those two hypothetical scenarios as such.”

Scenario 1 — Imagine System A, connected to the Internet and under full control of the Ramsay operators, and System B, an air-gapped computer infected by the Ramsay agent. Then imagine a legitimate user of those systems occasionally transferring files between both systems using a removable drive.”

“When the drive is inserted into System A, the attacker could decide to place a special control file on the removable drive which, when connected to System B, would cause the Ramsay agent to execute the Ramsay exfiltrator which would be built to retrieve the staged stolen data and copy it to the removable drive for later retrieval once the removable drive gets connected to System A. This scenario is a variation of how Sednit / APT28 operated USBStealer.”

“USBStealer systematically copied the stolen data on the removable drive used between System A and System B, while Ramsay stages the stolen data locally for a future explicit exfiltration.”

Scenario 2 — Imagine Ramsay agent running for days or weeks in an air-gapped network, staging on the local filesystem all the data it can find on network drives and all the removable drives that got connected to the system.”

“Then at some point, the attacker decides it is exfiltration time. He would need to gain physical access to the infected system and either obtain code execution to run the Ramsay exfiltrator, or in case the system does not have full-disk encryption, boot the system from a removable drive, mount the filesystem, parse it to retrieve the well-staged stolen data and leave.”

“This scenario is more elaborate and requires the physical presence of an operative/accomplice, but it could still be plausible as it would allow for a very quick on-site operation.”

To answer if the malware author can integrate remote C&C communication module in future versions, the researcher said:
“Ramsay has a series of common functionality implemented across their versions, which is the control-file based protocol and how artifacts involved in this protocol are retrieved from Removable media and Network Shares.”

“This denotes that evaluation for these techniques was taken into account while designing this malware, all of which point towards the implementation of capabilities for operation without the need for any network connection.”

“It seems that if attackers would leverage techniques relying on Network artifacts would not correlate to the philosophy of this malware. We indeed think that Ramsay can be under development, but we are highly inclined to believe that they won’t introduce a Network-based exfiltration component.”


via:  thehackernews

Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases

More than 4,000 Android apps that use Google’s cloud-hosted Firebase databases are ‘unknowingly’ leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

“4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication,” Comparitech said.

Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.

With the vulnerable apps in question — mostly spanning games, education, entertainment, and business categories — installed 4.22 billion times by Android users, Comparitech said: “the chances are high that an Android user’s privacy has been compromised by at least one app.”

Given that Firebase is a cross-platform tool, the researchers also warned that the misconfigurations are likely to impact iOS and web apps as well.

The full contents of the database, spanning across 4,282 apps, included:

  • Email addresses: 7,000,000+
  • Usernames: 4,400,000+
  • Passwords: 1,000,000+
  • Phone numbers: 5,300,000+
  • Full names: 18,300,000+
  • Chat messages: 6,800,000+
  • GPS data: 6,200,000+
  • IP addresses: 156,000+
  • Street addresses: 560,000+

Diachenko found the exposed databases using known Firebase’s REST API that’s used to access data stored on unprotected instances, retrieved in JSON format, by simply suffixing “/.json” to a database URL (e.g. “https://~project_id~.firebaseio.com/.json”).

firebase database security

Aside from 155,066 apps having publicly exposed databases, the researchers found 9,014 apps with write permissions, thus potentially allowing an attacker to inject malicious data and corrupt the database, and even spread malware.

Complicating the matter further is the indexing of Firebase database URLs by search engines such as Bing, which exposes the vulnerable endpoints for anyone on the Internet. A Google search, however, returns no results.

After Google was notified of the findings on April 22, the search giant said it’s reaching out to affected developers to patch the issues.

This is not the first time exposed Firebase databases have leaked personal information. Researchers from mobile security firm Appthority found a similar case two years ago, resulting in the exposure of 100 million data records.

Leaving a database exposed without any authentication is an open invite for bad actors. It’s therefore recommended that app developers adhere to Firebase database rules to secure data and prevent unauthorized access.

Users, for their part, are urged to stick to only trusted apps and be cautious about the information that’s shared with an application.


via:  thehackernews

Facebook Launches ‘Discover,’ A Secure Proxy to Browse the Internet for Free

Free Internet with Facebook Discover Proxy

More than six years after Facebook launched its ambitious Free Basics program to bring the Internet to the masses, the social network is back at it again with a new zero-rating initiative called Discover.

The service, available as a mobile web and Android app, allows users to browse the Internet using free daily data caps.


Facebook Discover is currently being tested in Peru in partnership with local telecom companies such as Bitel, Claro, Entel, and Movistar.

Unlike the regular rich-content browsing, Facebook’s latest connectivity project only provides low-bandwidth text-only based browsing, meaning other forms of data-intensive content such as audio and video are not supported.

Another key differentiator is that it treats all websites equally, whereas users of Free Basics are limited to a handful of sites that are submitted by developers and meet technical criteria set by Facebook.

The move, ultimately, drew criticism for violating principles of net neutrality, leading to its ban in India in 2016.

A Secure Web-Based Proxy

But how does Discover actually work? It’s a lot similar to Free Basics in that all traffic is routed through a proxy. As a result, the device only interacts with the proxy servers, which acts as a “client” to the website users have requested for.


This web-based proxy service runs within a whitelisted domain under “freebasics.com” that the operator makes the service available for free (e.g. “https://example.com” is rewritten as “https://https-example-com.0.freebasics.com”), which then fetches the webpages on behalf of the user and deliver them to their device.

Free Internet with Facebook Discover Proxy

“There is extensive server-side logic in place to make sure links and hrefs are correctly transformed,” the company said. “This same logic helps ensure that even HTTP-only sites are delivered securely over HTTPS on Free Basics between the client and the proxy.”

In addition, the cookies used by the websites are stored in an encrypted fashion on the server to prevent mobile browsers from hitting cookie storage limits. The encryption key (called internet cookie key or “ick”) is stored on the client so that the contents of the key cannot be read without knowing the user’s key.

“When the client provides the ick, it is forgotten by the server in each request without ever being logged,” Facebook noted.

But allowing JavaScript content from third-party websites also opens up avenues for attackers to inject malicious code, and worse, even lead to session fixation.

To mitigate this attack, Facebook Discover makes use of an authentication tag (called “ickt”) that’s derived from the encryption key and a second browser identifier cookie (named “datr”), which is stored on the client.

Free Internet with Facebook Discover Proxy

The tag, which is embedded in every proxy response, is then compared with the ‘ickt’ on the client-side to check for any signs of tampering. If there’s a mismatch, the cookies are deleted. It also makes use of a “two-frame solution” that embeds the third-party site within an iframe that’s secured by an outer frame, which makes use of the aforementioned tag to ensure the integrity of the content.

But for websites that disable the loading of the page in a frame to counter clickjacking attacks, Discover works by removing that header from the HTTP response, but not before validating the inner frame.

Furthermore, to prevent impersonation of the Discover domain by phishing sites, the service blocks navigation attempts to such links by sandboxing the iframe, thus preventing it from executing untrusted code.

“This architecture has been through substantial internal and external security testing,” Facebook’s engineering team concluded. “We believe we have developed a design that is robust enough to resist the types of web application attacks we see in the wild and securely deliver the connectivity that is sustainable for mobile operators.”

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.


via:  thehackernews

Cybersecurity Threats to the Food Supply Chain

When Smithfield Foods closed its Sioux Falls pork processing plant – joining other meat and poultry closures from Tyson Foods, Cargill and JBS USA – headlines suggested that the country was ‘perilously close to the edge’ of food shortages. So, just how safe is the food supply?

The recent closures have been forced by the COVID-19 pandemic. This is likely to be a transient risk, but all modern plants face an ever-present consistent risk from cyber-attack. COVID-19 has merely focused minds on an under-considered risk: how safe is the food supply chain?

It’s a question that needs to be asked. Food supply is a fundamental pillar of ordered societies, and a catastrophic lack of food would rapidly lead to social disorder. This would likely be more rapid and severe in the western democracies that have not experienced serious food shortages for more than 70 years since the end of World War II.

Cyber risk and threat

There is no risk if there is no threat. The first question, then, is whether there is a cyber threat to food supply. Are cyber criminals likely to attack the food industry?

The answer is clearly ‘yes’; and there are at least three obvious channels: hacktivists, cyber-criminal gangs, and nation states. And a fourth, that needs to be mentioned: competitors. “Increased levels of espionage and sabotage from competitors will also heighten as organizations do battle for technological supremacy in this space,” warns Daniel Norman, research analyst with the Information Security Forum (ISF).

Hacktivists

There is a growing social movement to use the re-emergence from the COVID lockdown as an opportunity to ‘reboot’ the way society operates. Environmental pollution has dropped rapidly, and nature has recovered from its effects quickly. Environmental activists are calling for governments to invest in green technology as a post-pandemic economic stimulus.

Where this does not happen, and where the old polluting industries revert to their traditional practices, activists are likely to ‘punish’ the worst offenders. This is likely to be two-pronged: environmentalists concerned about increasing pollution, and animal rights activists objecting to the return to mass animal slaughter.

This punishment may come in the form of large-scale DDoS attacks, or even direct attacks against individual plants.

Cyber-criminal gangs

Criminal gangs are driven by two related issues – opportunity and money. The pandemic will have focused attention on the food supply chain, and both issues are apparent. The pandemic will be followed by recession, which could potentially be followed by a deeper depression. Even in the best scenario, there will be many areas of society operating on drastically reduced incomes in the foreseeable future.

The threat is not new. Theft of food has always existed: those who have none are forced to steal from those who have plenty. In the distant past, this was small-scale – effectively petty theft. In the more recent past, criminal gangs have become involved in more large-scale theft from distribution (cargo theft) and warehouses.

This is continuing: recent data from Transported Asset Protection Association (TAPA) suggests that cargo theft has increased by 114% over the last 12 months. On May 3, 2020, FreightWaves reported, “Trucks carrying food and other essentials have been popular with thieves along Mexico’s highways in recent weeks. Cargo theft of trucks has increased 25% during the coronavirus pandemic period, according to a survey conducted by LoJack Mexico.”

Cybercrime, however, could take this to a new level. Entire shipments of food could be redirected and stolen. Entire food companies can be extorted for large sums of money. IT and OT networks can be compromised by ransomware, and the rapid spoilage of food in production would be an incentive to pay the ransom. With much of the food industry comprising small local businesses, it will often become a question of paying up or going under – and this equation will attract additional attackers.

Nation states

The importance of the food supply chain is not lost on the military. In 1812, when Napoleon invaded Russia, the Russian army withdrew but operated a scorched earth policy to deny food supplies to Napoleon’s army. Without supplies, Napoleon was forced to retreat from Moscow, which arguably and ultimately led to his downfall.

“It is a well-known fact,” comments the ISF’s Norman, “that during times of conflict, the party that can destroy the food supply chain will inevitably win. It is therefore conceivable that cyber-attacks from nation state-backed actors and terrorist groups will begin targeting organizations dependent on new technologies, disrupting global supply chains.”

Cyber brings the opportunity of large-scale adversarial interference in food supplies. In military terms this could be a precursor to kinetic warfare, but the cyber age has introduced a new style of cyberwar. The U.S. experienced it in 2016 with Russian interference in the presidential election. The purpose may not have been to directly influence the outcome of the election, but to demoralize the American population. With a demoralized population, a nation’s effectiveness on the world stage is inevitably weakened.

“One way to weaken your adversary is to cause internal conflict,” added IOActive’s Sheehy. “Well, you can survive about three minutes without air, three days without water, and about three weeks without food. People will riot very quickly if they cannot get food. Even in this relatively civilized COVID lockdown, the stresses on the food supply chain have caused very high tensions among people.”

Continued interruption to the food supply chain would inevitably demoralize the population. In extreme circumstances it would lead to rioting in the streets and food looting. The possibility of such a threat from an adversarial nation should not be ignored.

The security of the food supply chain

The food industry is no different to any other industry – it has undergone rapid evolution into the fourth industrial revolution. IT and OT are being converged, and OT uses the same ICS devices with the same vulnerabilities as other industries. The same priority of continued production over updating systems prevails, and continued use of Windows 98 is still found. But just as older, vulnerable systems continue to be used, the industry is adopting new and not yet battle-tested technology with advanced sensors, robotics, drones and autonomous vehicles.

“One of the trends we see broadly in the food industry,” comments Sheehy, “is a move towards more automation. Partly this is a response to the pandemic – robots won’t be sent home in any similar or repeated scenario. Labor is more of a business risk than robots. However, moving to more significant automation is going to change the risk profile in a way that a lot of organizations haven’t formerly had to manage – operational technology has not been considered a high-risk priority.”

It’s exacerbated, added Matt Rahman (IOActive’s COO), “by the structure of the industry. About 74% of food manufacturers have less than 20 employees. About 97% have fewer than 500 employees. They don’t have the staff nor expertise to properly manage their cyber security.”

It is also worth noting that the food supply chain is more complex than the supply chains for most industries. Elsewhere, the supply chain primarily comprises third-party suppliers, product or parts delivery, and the manufacturer. With food it is third party suppliers (normally farmers), product delivery, food processing (the manufacturer), and then a further complex distribution to groceries/supermarkets and/or consumer. Each stage of this chain can be threatened.

“Technology adoption has skyrocketed in virtually every segment of our agriculture sector including food production, processing, and distribution,” comments Parham Eftekhari, founder and chairman of the Institute for Critical Infrastructure Technology (ICIT), “and experts predict this trend to continue with robotics and self-driving freight carriers paving the way for an autonomous future. This creates significant opportunity for disruption to our supply chain and food safety concerns.”

He continued, “Today, we are already hearing stories of processing plants shutting down and the potential of food shortages. What if manufacturing and storage facilities of perishable food products have their cooling systems hacked during a time of a national food shortage? It would only take a handful of high-profile attacks to create panic among citizens that could lead to a rush on grocery stores and threaten an already fragile food supply.”

The food industry supply chain is vulnerable at every stage. “Farmers are using GPS technology and robotics to custom fertilize and plant their land to optimize yield,” said Eftekhari. What if these systems are hacked – without their knowledge – resulting in crops that underperform expectations across the nation.”

Norman added, “5G environments will enable precision agriculture and farming at the individual crop or livestock level but will use poorly secured IoT devices and drones to monitor soil fertilization, nitrogen levels, pest control, water and sunlight requirements. Automated robotic combine harvesters will operate on private 5G networks, with machine learning systems calculating and monitoring optimum conditions across larger and interconnected ecosystems. The danger of attacks on the integrity of information could significantly alter the production process.”

At a local level, this could be a punitive attack by a hacktivist group objecting to use of certain pesticides, or genetically modified crops in general. “The agricultural industry is one of the biggest contributors to greenhouse gas emissions in the world,” says Norman. “Extreme levels of methane, nitrous oxide output and water usage consistently make them a prime target for activism. With greater dependency on technology, hacktivists will turn their attention to disrupting the technology underpinning the supply chain.”

At a national level, as part of modern geopolitical disruption, the aim could be to reduce yields in complete crops – shortages in wheat, corn and soybean crops would be both economically and socially damaging.

Distribution, both from farmer to processor and from processor to distributor, has long been subject to cargo theft by criminals – and the cyber element is growing. “Criminals hack into distribution firms,” comments IOActive’s Rahman, “to learn about shipments, create false invoices, bills of lading and manifests to falsify delivery/collection times when they can simply pick up the stolen cargo.”

The food processing plant is the obvious primary target for cyber criminals, especially for extortion. Ransomware is already targeting manufacturing. “Today, we are hearing stories of processing plants shutting down and the potential of food shortages,” said Eftekhari. “What if manufacturing and storage facilities of perishable food products have their cooling systems hacked during a time of a national food shortage? It would only take a handful of high-profile attacks to create panic among citizens that could lead to a rush on grocery stores and threaten an already fragile food supply.”

Here the worst scenario might come from terrorist groups rather than nation-states or criminal gangs. The motivation would be to seek harm rather than sow discord or acquire money. Such groups would be worried about neither attribution nor retribution, but could seek to break into processing plants either to damage equipment or poison supplies.

Beyond the processing plant, the food supply chain continues to the sales outlets. For now, the threat is physical redirection or old-fashioned cargo theft. This will change in future years as more and more supplies are delivered by autonomous trucks. Autonomous vehicles are proven to be hackable. Experts expect the recent trend of the food industry adopting new technology to continue, warns Eftekhari, “with robotics and self-driving freight carriers paving the way for an autonomous future. This creates significant opportunity for disruption to our supply chain and food safety concerns.”

But the threat already exists with current connected trucks. “The heavy vehicle cabs are exposed to potential cyber-attack,” warns Sheehy, “as well as their refrigerated trailers. The more modern refrigerated trailers often have their own monitoring systems which can be remotely accessible over mobile networks. They are also often attached to the controller area network (CAN bus) of the vehicle, providing a potential attack point to compromise the overall security of the vehicle.”

The COVID-19 pandemic has highlighted the fragility of the global food chain. This fragility will not be lost on cyber criminals. As the world moves from pandemic lockdown to economic recession, criminals will almost certainly look closely at the food supply chain as a means of making money. The risk is not to any one specific part of the chain nor any one type of criminal – the whole chain is at risk.

“If an attacker wants to provide some type of disruption to the food supply, one area could be transportation; a second is in food processing; but a third would be in food safety,” says Sheehy. “If the cold storage facility is not kept at the appropriate temperature, products will spoil. Even though different parts of the supply chain may have successfully done the production, the transportation and processing securely, you may still be in a situation where you have a constraint on supply due to a compromise in the integrity of the safety processes.”


via:  securityweek

Cynet Offers IR Specialists Grants up to $1500 for each IR Engagement

In the past, the autonomous breach protection company Cynet announced that it is making Cynet 360 threat detection and response platform available at no charge for IR (incident response) service providers and consultants.


Today Cynet takes another step and announces a $500 grant for Incident Responders for each IR engagement in which Cynet 360 was used, with an additional $1,000 grant if the customer if the customer purchases an annual Cynet 360 subscription after the IR process is concluded.
Learn about this new offering here.


Incident response investigations come in a thousand different variations, but most can be broken down into two main parts. The first is discovering the few suspicious machines, user accounts, and network connections out of the mass activities within the attacked environment.


The second part follows these discoveries and involves a surgical-like collection and analysis of forensic artifacts to refute or validate the suspicion and if validated to disclose the full attack root cause and impact.


While IR pros have a wide array of commonly used open-source tools to perform a deep dive forensic investigation on a single or few suspicious machines, there is a crying shortage of available tools for the first part.


That’s mainly because to find the proverbial compromised needle in a haystack of a mostly non-compromised environment, one must have complete visibility into the entire process execution network traffic and user activity.


This is where Cynet 360 comes in. With an enterprise-grade distribution infrastructure providing seamless deployment across thousands of endpoints in minutes, Cynet 360 empowers responders to effortlessly gain the required visibility into the initial part of the investigation, easily pinpointing the entities that should be further investigated.


Cynet 360 provides incident responders with the following capabilities that cover both the investigation and the remediation parts of the response process.

Full Environment Visibility
  • Gain instant visibility into any host, files, process, Logs, network traffic, and user activities.
  • Get a verdict, attack scope, and all indicators immediately.
  • Use Cynet’s central management to distribute other open source IR tools across the environment.
Precise Threat Knowledge
  • Get real-time, accurate threat knowledge auto-generated by the Cynet 360 correlation engine.
  • For deep-dive investigations, leverage granular forensic tools to conduct an end-to-end investigation to determine the attack’s scope and impact.
  • Trust your own skills – Proactively hunt
Complete Recovery Actions
  • Isolate infected hosts, disable compromised user accounts, remove malicious files, and block risky network connections.
  • Craft your own remediation policies for automated threat block and removal.

Learn more about this new offering for incident responders here.



via:  thehackernews

7 New Flaws Affect All Thunderbolt-equipped Computers Sold in the Last 9 Years

A cybersecurity researcher today uncovers a set of 7 new unpatchable hardware vulnerabilities that affect all desktops and laptops sold in the past 9 years with Thunderbolt, or Thunderbolt-compatible USB-C ports.

Collectively dubbed ‘ThunderSpy,’ the vulnerabilities can be exploited in 9 realistic evil-maid attack scenarios, primarily to steal data or read/write all of the system memory of a locked or sleeping computer—even when drives are protected with full disk encryption.

In a nutshell, if you think someone with a few minutes of physical access to your computer—regardless of the location—can cause any form of significant harm to you, you’re at risk for an evil maid attack.

According to Björn Ruytenberg of the Eindhoven University of Technology, the ThunderSpy attack “may require opening a target laptop’s case with a screwdriver, [but] it leaves no trace of intrusion and can be pulled off in just a few minutes.”


In other words, the flaw is not linked to the network activity or any related component, and thus can’t be exploited remotely.

“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption,” the researcher said.

Besides any computer running Windows or Linux operating systems, Thunderbolt-powered Apple MacBooks, except retina versions, sold since 2011 are also vulnerable to Thunderspy attack, but partially.

ThunderSpy Vulnerabilities

The following list of seven Thunderspy vulnerabilities affects Thunderbolt versions 1, 2 and 3, and can be exploited to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally, obtain PCIe connectivity to perform DMA attacks.

  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backward compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp

For those unaware, Direct memory access (DMA) attacks against the Thunderbolt port is not new and has previously been demonstrated with ThunderClap attacks.

DMA-based attacks let attackers compromise targeted computers in a matter of seconds just by plugging a malicious hot-plug devices—such as an external network card, mouse, keyboard, printer, or storage—into Thunderbolt port or the latest USB-C port.

In brief, DMA attacks are possible because Thunderbolt port works at a very low-level and with high privileged access to the computer, allowing connected peripherals to bypass operating system security policies and directly read/write system memory, which may contain sensitive information including your passwords, banking logins, private files, and browser activity.

thunderbolt intel hacking

To prevent DMA attacks, Intel introduced some countermeasures, and one of them was ‘security levels’ that prevents unauthorized Thunderbolt PCIe-based devices from connecting without user authorization.

“To further strengthen device authentication, the system is said to provide ‘cryptographic authentication of connections’ to prevent devices from spoofing user-authorized devices,” the researcher said.

However, by combining the first three Thunderspy flaws, an attacker can break the ‘security levels’ feature, and load an unauthorized malicious Thunderbolt device by forging Thunderbolt device identities, as shown in a video demonstration shared by Ruytenberg.

“Thunderbolt controllers store device metadata in a firmware section referred to as Device ROM (DROM). We have found that the DROM is not cryptographically verified. Following from the first issue, this vulnerability enables constructing forged Thunderbolt device identities,” he added.

“In addition, when combined with the second issue, forged identities may partially or fully comprise arbitrary data.”


“In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort,” he added.

“We conclude this report by demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.”

According to Ruytenberg, some latest systems available in market since 2019 include Kernel DMA protection that partially mitigates Thunderspy vulnerabilities.

To know if your system is affected by Thunderspy vulnerabilities, Ruytenberg has also released a free and open-source tool, called Spycheck.

Interestingly, when the researcher reported Thunderspy vulnerabilities to Intel, the chip company revealed it had already been aware of some of them—with no plans to patch or disclose it to the public.

Ruytenberg claims to have found more potential vulnerabilities in Thunderbolt protocol, which is currently are part of an ongoing researcher and expected to be revealed soon as ‘Thunderspy 2.’

In conclusion, if you consider yourself a potential target to evil-maid attacks and carrying a Thunderbolt system with you, always avoid leaving your devices unattended or power off the system completely, or at least consider using hibernation instead of sleep mode.

Besides this, if you want to be more paranoid, avoid leaving your Thunderbolt peripherals unattended or lending them to anybody.


via:  thehackernews

Google Authenticator Users Can Now Transfer 2SV Secrets Between Devices

Google announced that Google Authenticator users can now transfer 2-Step Verification (2SV) secrets between devices.

The new feature is meant to make it easier for users to manage their Google Authenticator 2SV codes across multiple devices.

The 2SV secrets represent the data that is used to generate 2SV codes across devices that have Google Authenticator installed. With the new feature, users can transfer the data to a new device when upgrading, Google says.

The much anticipated feature is now available in the latest version of Google Authenticator on Android (version 5.10), the Internet company announced.

“Using 2SV, 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is critical to protecting your accounts from unauthorized access. With these mechanisms, users verify their identity through their password and an additional proof of identity, such as a security key or a passcode,” Google said.

Google Authenticator aims not only to provide an easy way to use 2SV on accounts, but also to improve the security of the login process, compared to options such as receiving passcodes via text messages.

To ensure that users can keep their accounts safe, Google also took a series of measures to minimize the attack surface in spite of the newly announced feature.

Thus, no data is sent to Google’s servers when the user transfers 2SV secrets, as the communication takes place between the two devices only.

“Your 2SV secrets can’t be accessed without having physical access to your phone and the ability to unlock it,” the Internet giant notes.

Furthermore, alerting mechanisms and in-app logs were implemented, so as to make users fully aware of the fact that the transfer function has been used.


via:  securityweek

Nearly 1 Million WordPress Sites Targeted via Old Vulnerabilities

A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week.

The attacks were initially discovered on April 28, but showed a massive spike on May 3, when more than half a million websites were hit. Likely the work of a single threat actor, the campaign is aimed at injecting the target websites with malicious JavaScript designed to redirect visitors to malvertising sites.

Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3. The researchers discovered that, over the past month, over 24,000 distinct IP addresses were used to attack more than 900,000 sites.

“Due to the sheer volume and variety of attacks and sites that we’ve seen targeted, it is possible that your site may be exposed to these attacks, and the malicious actor will likely pivot to other vulnerabilities in the future,” Defiant says.

The targeted vulnerabilities are not new and have been abused in previous attacks as well. These include Cross-Site Scripting (XSS) vulnerabilities in the Easy2Map plugin (removed from the WordPress repository in August 2019), Blog Designer (patched in 2019), and Newspaper theme (patched in 2016), and options update bugs in WP GDPR Compliance (patched in late 2018), and Total Donations (removed in early 2019).

“Although it is not readily apparent why these vulnerabilities were targeted, this is a large scale campaign that could easily pivot to other targets,” Defiant says.

The JavaScript code the attackers attempt to insert into the targeted websites is located at count[.]trackstatisticsss[.]com/stm and also checks whether the victim has any WordPress login cookies set. The attackers hope that the script would be executed in an administrator’s browser.

Admins who are not logged in and are not on the login page are redirected to a malvertising site. Otherwise, the script attempts to inject a malicious PHP backdoor into the current theme’s header, along with a second malicious JavaScript.

The backdoor downloads another payload from https://stat[.]trackstatisticsss[.]com/n.txt and attempts to execute it by including it in the theme header.

“This method would allow the attacker to maintain control of the site, as they could simply change the contents of the file at https://stat[.]trackstatisticsss[.]com/n.txt to code of their choice which could be used to embed a webshell, create a malicious administrator, or even delete the entire contents of the site,” Defiant says.

The final payload used in this attack was designed to prepend a variant of the initial script to every JavaScript file on the site, as well as to all .htm, .html, and .php files named “index.” It also rechecks the infected site every 6,400 seconds and re-infects it if necessary.

Site owners are advised to keep all of their plugins updated and to deactivate and delete those plugins that have been removed from the WordPress plugin repository, to ensure their websites are protected.


via: securityweek

Firefox 76 Brings Security Patches, Breached Password Alerts

Mozilla this week released Firefox 76 to the stable channel with an updated password manager, alerts for breached passwords, and patches for 11 vulnerabilities.

Starting with the new release, the browser aims to help users better keep their accounts secure and easily generate strong passwords, courtesy of the new Firefox Lockwise password manager.

On shared devices, the feature keeps passwords secure by prompting users for their account password before making saved logins available to them. Furthermore, the credentials are made available for five minutes only, Mozilla says.

The Lockwise dashboard, the browser maker explains, is powered by Firefox Monitor, which alerts users when their credentials were part of a data breach.

Firefox alerts users when one of the passwords they use is identical with a password that has been compromised, but also when the username and password were part of a breach (additional details about the breach are also included).

“Don’t worry, Firefox doesn’t know your actual passwords. This new feature automatically checks your encrypted list of passwords against the breached website information, helping you to stay on top of your online accounts that may have been compromised,” Mozilla explains.

The organization also points out that users can now leverage Firefox Lockwise to generate passwords of a minimum of 12 random letters, numbers and symbols.

Furthermore, Mozilla has made Firefox Lockwise available for iOS and Android as well, allowing users to access their passwords while on the go and easily sync their logins.

Firefox 76 also arrived with patches for 11 vulnerabilities, including three assessed with a critical severity rating.

The first of the critical bugs is a use-after-free during worker shutdown (CVE-2020-12387), which could lead to an exploitable crash, the second is a sandbox escape (CVE-2020-12388) that impacts Windows only, while the third (CVE-2020-12395) refers to memory safety bugs in both Firefox 75 and Firefox ESR 68.7.

The new browser release also patches three high severity issues (CVE-2020-12389 – sandbox escape; CVE-2020-6831 – buffer overflow; and CVE-2020-12396 – memory safety bugs), four moderate risk bugs (CVE-2020-12390 – incorrect serialization; CVE-2020-12391 – Content-Security-Policy bypass; CVE-2020-12392 – arbitrary local file access; CVE-2020-12393 – potential command injection), and one low severity issue (CVE-2020-12394 – URL spoofing in location bar when unfocussed).

This week, Google too released an update for its Chrome browser, to address a total of three vulnerabilities, including two reported by external researchers. Both of these bugs are high severity issues: CVE-2020-6831 – a stack buffer overflow in SCTP, and CVE-2020-6464 – type confusion in Blink.

via:  securityweek

Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Microsoft announced a new security research challenge that encourages white hat hackers to find and responsibly disclose vulnerabilities in the company’s Azure Sphere solution.

Azure Sphere is an IoT security solution designed to provide end-to-end security across hardware, operating system and the cloud.

In an effort to identify potentially serious vulnerabilities in Azure Sphere, Microsoft has decided to run a three-month application-only challenge.

Hackers can apply for the Azure Sphere Research Challenge until May 15, and the challenge will run between June 1 and August 31. Researchers whose applications have been accepted will receive an email from Microsoft.

This new initiative, an expansion of the Azure Security Lab project announced last year, invites researchers to find vulnerabilities that would allow them to execute code on the Pluton security subsystem, which is the hardware-based secured root of trust for Azure Sphere, or in the Secure World operating environment of the Azure Sphere application platform. Microsoft is prepared to pay out up to $100,000 for these types of exploits.

While this research focuses on the Azure Sphere OS, vulnerabilities in other components could still receive a reward through the public Azure bug bounty program.

For the Azure Sphere Research Challenge, Microsoft has teamed up with several cybersecurity solutions providers, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.

“While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk,” Microsoft said.


via:  securityweek