
Rapid7 Report: Attackers are Launching Exploits Faster Than Ever Before


Rapid7 has released its latest Vulnerability Intelligence Report, which examines 50 of the most significant security vulnerabilities and high-impact cyberattacks in 2022. The report examines attacker use cases, highlights exploitation trends, and provides a framework for understanding new security threats as they emerge.

According to the report, attackers are developing and deploying exploits faster than ever before. The report includes 45 vulnerabilities that were exploited in the wild, 44% of which were zero-day exploits. Furthermore, 56% of the vulnerabilities in the report were exploited within seven days of their public disclosure, a 12% increase over 2021 and an 87% increase over 2020.

The median time to exploitation in 2022 was only one day. As per the Rapid7 report, only 14 of the vulnerabilities were exploited to carry out ransomware attacks. Despite ongoing ransomware activity, that is a 33% decrease from 2021.

The decline could imply that ransomware operations have become less reliant on security flaws, but it could also be due to other factors, such as lower reporting of ransomware incidents. Other vulnerability and exploit trends covered in this report include ransomware ecosystem complexity, network perimeter privilege escalation, and the long tail of exploitation across older vulnerabilities.

Caitlin Condon, Rapid7 vulnerability research manager and lead author of the Vulnerability Intelligence Report stated, “Rapid7’s team of vulnerability researchers work around the clock to thoroughly investigate and provide critical context into emergent threats. We produce the annual Vulnerability Intelligence Report to help organizations understand attack trends and proactively address the unique and shared threats they face. The ransomware ecosystem and the cybercrime economy have continued to mature and evolve. As a result, we saw many more ransomware families actively compromising organizations in 2022, which naturally creates challenges for threat tracking and reporting."

Security, IT, and other teams tasked with vulnerability management and risk reduction work in high-pressure, high-stakes environments where separating signal from noise is critical. When a new potential threat arises, information security professionals often need to translate vague descriptions and unproven research artefacts into actionable intelligence for their particular risk models.

Condon further concluded, “Rapid7 is known for its ongoing research initiatives that keep its customers and the broader business community safer. The company is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 10,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. The Rapid7 Insight Platform collects data from across your environment, making it easy for teams to manage vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate your operations.”

One-fifth of British Folks Have Fallen Victim to Online Fraudsters


As per F-Secure, millions of UK adults have been victims of digital scammers in the past, but a quarter have no security controls in place to safeguard their online activity. As part of a global Living Secure study into cybersecurity awareness and behavior, the Finnish security vendor polled 1000 Britons.

It discovered that 19%, or approximately 12.6 million British citizens, had previously been duped by online fraud such as a phishing attack. According to F-Secure, the consequences of these incidents ranged from identity theft to data and password loss and even the theft of life savings. 

Despite spending an average of eight hours per day on the internet, a significant minority still do not protect themselves online, according to the report. One reason could be that many people are daunted by the prospect: 60% of respondents said cybersecurity is too complicated.

The report also emphasized a disparity in respondents' attitudes and awareness. While more than three-quarters (77%) said they could spot a scam, nearly two-thirds said they are concerned about their own and their families' online safety, and half (48%) said they have no idea if their devices are secure or not.

According to the FBI, phishing was the most common type of cybercrime in 2021, with identity theft, romance fraud, tech support scams, and investment fraud also ranking among the top ten.

“Our research has highlighted a clear disconnect between what we do online and how vulnerable we feel online, versus the concrete actions we take to reduce that vulnerability,” argued F-Secure CEO, Timo Laaksonen.

“Despite many Britons often feeling unsafe online, they still aren’t putting adequate security measures in place. In the physical world you wouldn’t willingly give out passwords and personal data to strangers, so why go online and do it, and risk being a target for online criminals?”

According to the same report, investment and romance fraud cost cybercriminals a total of $2.4 billion that year. The conclusions of the F-Secure report appear to indicate a risk for businesses if employees exhibit the same low levels of security awareness in the workplace as they do at home.

A Majority of Security Experts Prioritize Prevention Over Detection

According to a recent report, a majority of organizations prefer prevention over detection when it comes to safeguarding their systems. Yet a large number of businesses are still suffering data breaches and other cyberattacks, and the severity of these incidents is worsening day by day.

In a survey of 500 IT security experts, Exabeam researchers discovered that nearly two-thirds of their respondents (65%) prioritize prevention over detection as their number one endpoint security objective. For the remaining third (33%), detection remained their utmost priority. 

Late to the Party 

To make the situation worse, the businesses actually act on this idea. The majority (59%) allocate the same amount to detection, investigation, and response, while nearly three-quarters (71%) spend between 21% and 50% of their IT security resources on prevention. 

According to Steve Moore, chief security strategist at Exabeam, the issue with this strategy is that the businesses concentrate on prevention while threat actors are already there, rendering their efforts useless. 

“As is well known, the real question is not whether attackers are on the network, but how many there are, how long they have had access and how far they have gone[…]Teams need to raise awareness of this question and treat it as an unwritten expectation to realign their investments and where they need to perform, paying due attention to adversary alignment and response to incidents. Prevention has failed,” says Moore. 

The majority of respondents said yes when asked if they are confident they can prevent attacks. In fact, 97% of respondents indicated they felt confident in the ability of their tools and processes to detect and stop attacks and data breaches.

Only 62% of respondents agreed when asked if they could easily inform their boss that their networks were not compromised at the time, implying that over a third were still unsure. 

Exabeam says security teams are overconfident, and that it has data to support this. The company claims that 83% of organizations experienced more than one data breach last year, citing industry reports.

Among the many approaches implemented to combat security threats, most organizations appear inclined towards a prevention-based strategy, because it strives to make systems more resistant to attack. Compared with detection-based security, this approach is seen as more effective in a variety of situations.

Implementing a preventive approach could aid a company in significantly reducing the risk of falling prey to a potential cyberattack if it applies appropriate security solutions like firewalls and antivirus software and patches detected vulnerabilities.

AI Models Produce Photos of Real People and Copyrighted Images

Popular image generation models can be made to produce identifiable photos of actual people, infringing the privacy of numerous individuals, according to new research.

The study demonstrates how these AI systems can be prompted to reproduce copyrighted artwork and medical images exactly. It is a result that might help artists who are suing AI companies for copyright violations.

Research: Extracting Training Data from Diffusion Models 

Researchers from Google, DeepMind, UC Berkeley, ETH Zürich, and Princeton obtained their findings by repeatedly prompting Google’s Imagen with image captions, such as a person’s name. They then checked whether any of the images produced matched the original photos in the model's training data. The team was successful in extracting more than 100 copies of photos from the AI's training set.

These image-generating AI models are trained on vast data sets of captioned images scraped from the internet. The current technique works by taking images from the data set and altering pixels step by step until the original image is nothing more than a jumble of random pixels; the model then learns to reverse the procedure and create a new image from the noise.

According to Ryan Webster, a Ph.D. student at the University of Caen Normandy who has studied privacy in other image generation models but was not involved in the research, the study is the first to demonstrate that these AI models memorize photos from their training sets. This also has implications for startups wanting to use AI models in health care, since it indicates that these systems risk leaking users’ private and sensitive data.

Eric Wallace, a Ph.D. scholar who was involved in the study group, raises concerns over the privacy issue and says they hope to raise alarm regarding the potential privacy concerns with these AI models before they are extensively implemented in delicate industries like medicine. 

“A lot of people are tempted to try to apply these types of generative approaches to sensitive data, and our work is definitely a cautionary tale that that’s probably a bad idea unless there’s some kind of extreme safeguards taken to prevent [privacy infringements],” Wallace says. 

The extent to which these AI models memorize and regurgitate photos from their training data is also at the centre of another major conflict between AI businesses and artists. Two lawsuits have been filed by Getty Images and by a group of artists, who claim that the companies illicitly scraped and processed their copyrighted content.

The researchers' findings could help artists argue that AI companies have violated their copyright. The companies may have to pay artists whose work was used to train Stable Diffusion if the artists can demonstrate that the model used their work without their consent.

According to Sameer Singh, an associate professor of computer science at the University of California, Irvine, these findings hold paramount importance. “It is important for general public awareness and to initiate discussions around the security and privacy of these large models,” he adds.  

OTPs: Researchers Rekindle One-Time Program Cryptographic Concept

Technological advances over the past decade have made it possible for academics to make progress in designing so-called one-time programs (OTPs). OTPs were initially proposed by researchers Goldwasser, Kalai, and Rothblum.

OTPs, originally presented at the Crypto’08 conference, were described as a type of cryptographically obfuscated computer program that can only be run once. This property makes them useful for numerous applications.

The basic concept is that "Alice" could send "Bob" a computer program that was encrypted in a way that: 

1. Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs. 

2. Bob can learn nothing about the secret program by running it. 

The run-only-once requirement is hard to enforce, because Bob could simply copy the program onto multiple virtual machines and try different inputs on each one. That would violate the entire premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob. No such tokens were ever made, so the whole idea has lain dormant for more than a decade.  

OTP revived: 

Recently, a team of computer scientists from Johns Hopkins University and NTT Research has shown how it might be possible to create one-time programs using a combination of functionality found in the security chips of mobile phones and cloud-based services.

They repurposed ‘counter lockbox’ technology for an unintended use. Counter lockboxes secure an encryption key under a user-specified password, allowing a limited number of incorrect password guesses (usually 10) before erasing the protected information.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to deceive the system – the focus of the research. 

Garbled circuits: 

The research shows how multiple counter lockboxes might be linked together to form ‘garbled circuits’, i.e. a construction that can be used to build OTPs.

A paper illustrating this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography Conference (TCC 2022). 

Hardware-route discounted: 

One alternative means of constructing one-time programs, considered in the research, is using tamper-proof hardware, although it would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, [and] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” explains Green. 

Rather than relying on tamper-proof hardware or on blockchain-based cryptographic constructions, the Johns Hopkins researchers have built a form of memory device or token that produces and erases secret keys on demand. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers have yet to overcome.

A bastion against brute-force attacks: 

Harry Eldridge, from Johns Hopkins University, lead author of the paper, told The Daily Swig that one-time programs could have multiple uses. 

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords […] For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.” Eldridge explained. “However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords [such as a four-digit PIN] can actually be pretty secure.”

Furthermore, this could as well be applied to other forms of authentication – for instance, if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan. 
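The counter-lockbox abstraction and the password-protected-file application described above, as an added software model (not the Johns Hopkins/NTT construction or the paper's code). The real lockbox keeps its guess counter inside a hardware security module; here the counter is a plain attribute, and copy_resets_budget() shows exactly why a software-only counter is insufficient. Key derivation with PBKDF2, the XOR masking and the HMAC check are illustrative choices, not the paper's.

```python
"""Software model of a counter lockbox and of a one-time program (OTP) built on it.
Added example: a real lockbox holds the guess counter in hardware so that copying
its state cannot reset it; this model has no such protection (see copy_resets_budget)."""
import copy
import hashlib
import hmac
import os


class CounterLockbox:
    """Holds a secret under a password and erases it after max_guesses wrong guesses."""

    def __init__(self, secret: bytes, password: bytes, max_guesses: int = 10):
        self._salt = os.urandom(16)
        self._guesses_left = max_guesses
        pad, mac_key = self._derive(password, self._salt, len(secret))
        # The secret is masked with a password-derived pad; the tag lets us detect a
        # wrong password without revealing the pad or the secret.
        self._blob = bytes(s ^ p for s, p in zip(secret, pad))
        self._tag = hmac.new(mac_key, self._blob, hashlib.sha256).digest()

    @staticmethod
    def _derive(password: bytes, salt: bytes, secret_len: int):
        km = hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=secret_len + 32)
        return km[:secret_len], km[secret_len:]

    @property
    def erased(self) -> bool:
        return self._blob is None

    @property
    def guesses_left(self) -> int:
        return self._guesses_left

    def open(self, password: bytes):
        """Return the secret on a correct password; count down and erase on wrong ones."""
        if self.erased:
            return None
        pad, mac_key = self._derive(password, self._salt, len(self._blob))
        tag = hmac.new(mac_key, self._blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            self._guesses_left -= 1
            if self._guesses_left <= 0:
                self._blob = self._tag = None  # erase: the secret is gone for good
            return None
        return bytes(c ^ p for c, p in zip(self._blob, pad))


def one_time_file(file_bytes: bytes, pin: bytes) -> CounterLockbox:
    """Eldridge's example: an OTP that outputs the file on the right password, one guess only."""
    return CounterLockbox(file_bytes, pin, max_guesses=1)


def brute_force_pin(box: CounterLockbox, digits: int = 4):
    """Try every PIN in order until the box opens or erases. Returns (attempts, secret)."""
    attempts = 0
    for n in range(10 ** digits):
        attempts += 1
        secret = box.open(str(n).zfill(digits).encode())
        if secret is not None or box.erased:
            return attempts, secret
    return attempts, None


def copy_resets_budget(box: CounterLockbox, wrong_password: bytes) -> bool:
    """The 'multiple virtual machines' problem: in pure software a snapshot can be
    consumed instead of the original, so the guess budget is never really spent."""
    snapshot = copy.deepcopy(box)
    before = box.guesses_left
    snapshot.open(wrong_password)  # burns only the snapshot's counter
    return box.guesses_left == before


if __name__ == "__main__":
    box = one_time_file(b"constructed file contents", b"4821")
    print(brute_force_pin(box))  # (1, None): locked out after the first wrong guess
    print(box.open(b"4821"))     # None: the file has been erased
```

With a one-guess budget an exhaustive search over a four-digit PIN succeeds only if the first guess is right, which is the 1-in-10,000 odds that make a weak PIN usable here.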

‘Autonomous’ Ransomware Risk

One drawback of the approach is that threat actors might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs, however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.” 

Still, the feedback on the work so far has been “generally positive”, according to Eldridge. “[Most agree] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high. There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”

Here’s a List of the World’s Riskiest Connected Devices

Video conferencing systems and IP cameras are among the five riskiest IoT devices connected to enterprise networks, according to research from Forescout's cybersecurity research arm, Vedere Labs.

In their recent research, the company identified recurring themes, showcasing the increasing attack surface as more devices are connected to enterprise networks, as well as how threat actors are able to leverage these devices to achieve their goals. 

“IP cameras, VoIP and video-conferencing systems are the riskiest IoT devices because they are commonly exposed on the internet, and there is a long history of threat actor activity targeting them,” the Forescout report said.

With the addition of IoMT in healthcare, the attack surface now includes IT, IoT, and OT in almost every organisation. Organizations must be aware of dangerous devices in all categories. Forescout recommends that companies implement automated controls and that they do not rely on siloed security in the IT network, OT network, or for specific types of IoT devices.

This latest study updates the company's findings from 2020; networking equipment, VoIP, IP cameras, and programmable logic controllers (PLCs) are listed as the riskiest devices across IT, IoT, OT, and IoMT in 2022.

New entrants, such as hypervisors and human-machine interfaces (HMIs), however, are indicative of trends such as critical vulnerabilities and increased OT connectivity.

Vedere Labs examined device data in Forescout's Device Cloud between January 1 and April 30. The anonymized data comes from Forescout customer deployments and contains information on nearly 19 million devices, a number the company says grows daily.

A device's overall risk was calculated based on three factors: configuration, function, and behaviour. Vedere Labs measured the risk of each individual device and then calculated averages per device type to determine which are the riskiest.

That 'Clean' Google Translate App is Actually Windows Crypto-mining Malware


The Turkish-speaking group responsible for Nitrokod, which has been active since 2019, is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto mining Trojan, is usually disguised as a clean Windows app and functions normally for days or weeks before its hidden Monero-mining code is executed. What's interesting is that the apps offer a desktop version of services that are normally only available online.

"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

In addition to Google Translate, Nitrokod also uses other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programmes. On some websites, the malicious applications are advertised as "100% clean," despite the fact that they carry mining malware. Nitrokod has been prolific in spreading its malicious code through download sites such as Softpedia. Since December 2019, the Nitrokod Google Translator app has been downloaded over 112,000 times, according to Softpedia.

Nitrokod programmers, according to Check Point, are patient, taking a long time and multiple steps to conceal the malware's presence inside an infected PC before installing aggressive crypto mining code. Due to the lengthy, multi-stage infection efforts, the campaign went unnoticed for years before being discovered by cybersecurity experts.

"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."

After the program is downloaded and the user launches the software, an actual Google Translate app, built using Chromium as described above, is installed and runs normally. Simultaneously, the software quietly fetches and saves a series of executables, eventually scheduling one specific .exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, retrieves Monero miner code and configuration settings, and begins the mining process, with generated coins sent to the miscreants' wallets. To conceal its tracks, some of the early-stage code self-destructs.

One stage also looks for known virtual-machine processes and security products, which may indicate that the software is being researched. If one is discovered, the programme will terminate. If the programme is allowed to run, it will create a firewall rule that will allow incoming network connections.

Throughout the various stages, the attackers deliver the next stage using password-protected RAR-encrypted files to make them more difficult to detect. According to Marelus, Check Point researchers were able to investigate the crypto mining campaign using the vendor's Infinity extended detection and response (XDR) platform.

Homeland Security Warns of Log4j’s 'Endemic' Threats for Years to Come


This week the US Department of Homeland Security (DHS) published the Cyber Safety Review Board's (CSRB) first report, into the December 2021 Log4j incident, when a series of vulnerabilities in this Java-based logging framework were revealed.

The report's methodology comprised 90 days of interviews and information requests with around 80 organisations and individuals, including software developers, end users, security specialists, and businesses. 

This was done to ensure that the board met with a wide range of representatives and understood the complexities of how different attack surfaces are constructed and defended. According to the report, although standardised and reusable "building blocks" are essential for developing and expanding software, they also allow any vulnerability in such a block to be unknowingly included in multiple software packages, putting every organization that uses those programs at risk.

According to the report, while Log4j remains dangerous, the government-wide approach helped tone down the vulnerability. The board also noted the need for extra financing to help the open-source software security community, which is primarily comprised of volunteers. 

Industry experts, such as Michael Skelton, senior director of security operations at Bugcrowd, said of Log4J: “Dealing with it is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities.” 

John Bambenek, the principal threat hunter at Netenrich, was more critical of the report’s timing, believing that “anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly.” 

The CSRB report went on to state that, thankfully, it is unaware of any large Log4j-based attacks on critical infrastructure assets or systems, and that efforts to hack Log4j happened at a lesser level than many experts expected. 

The paper, however, emphasises that the Log4j incident is "not over" and will remain an "endemic vulnerability" for many years, with considerable risk persisting. The report concluded with 19 actionable recommendations for government and business, divided into four categories:
  • Address Continued Risks of Log4j
  • Drive Existing Best Practices for Security Hygiene
  • Build a Better Software Ecosystem
  • Investments in the Future

Chinese Hackers Disseminating SMS Bomber Tool with Hidden Malware


A threat cluster linked to the Tropic Trooper hacking group has been identified employing previously undocumented malware written in the Nim language to attack targets as part of a newly revealed operation.

The new loader, codenamed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' malware that is most likely illegally circulated through the Chinese-speaking web," according to a report by Israeli cybersecurity firm Check Point. "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. 

"Therefore the entire bundle works as a trojanized binary." SMS Bomber, as the name implies, allows the user to enter a phone number (not their own) in order to flood the victim's device with messages, perhaps rendering it useless in a denial-of-service (DoS) attack. 

The fact that the binary functions as both an SMS Bomber and a backdoor shows that the attacks are not just directed at individuals who use the tool, a "somewhat unorthodox target", but are also highly targeted.

Tropic Trooper, also known as Earth Centaur, KeyBoy, and Pirate Panda, has a history of attacking targets in Taiwan, Hong Kong, and the Philippines, especially in the government, healthcare, transportation, and high-tech industries. 

Trend Micro last year referred to the Chinese-speaking collective as particularly clever and well-equipped, highlighting the group's capacity to develop its TTPs to stay under the radar and rely on a wide range of proprietary tools to compromise its targets. 

Check Point's most recent attack chain begins with the tainted SMS Bomber tool, the Nimbda loader, which runs an embedded executable, in this case the legitimate SMS Bomber payload, while simultaneously injecting a second piece of shellcode into a notepad.exe process. This initiates a three-tier infection process, which includes downloading next-stage malware from an obfuscated IP address given in a markdown file ("") published in an attacker-controlled GitHub or Gitee repository. The retrieved binary is an improved version of the Yahoyah trojan, designed to gather data about wireless networks in the victim machine's proximity and other system metadata and send it to a command-and-control (C2) server. Yahoyah, in turn, serves as a conduit for the final-stage malware, which is downloaded from the C2 server in the form of an image. The steganographically encoded payload is a backdoor known as TClient, which the group has used in past attacks.

The researchers concluded, "The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind."

"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."

Elasticsearch Database Mess Up Exposed Login, Leaked Personal Data of 30K Students


The cybersecurity investigation team at SafetyDetectives, led by Anurag Sen, discovered a misconfigured Elasticsearch server that exposed Transact Campus app data. According to their findings, the server was internet-connected and did not require a password to access data. As a result, over 1 million records were compromised, disclosing personally identifiable information for roughly 30,000 to 40,000 students. 

Transact Campus is a payment software supplier based in Phoenix, Arizona. The firm provides technology solutions for combining several payment functions into a single mobile platform. Its software solutions are primarily used to expedite payment procedures for universities and students and to facilitate student purchases at higher education establishments. 

According to the report by SafetyDetectives, the 5GB database released by the server contains information about students who had Transact Campus accounts. The majority of those affected are US citizens. The following details of students among the information were exposed: 

It should be noted that the login information, including the username and password, was saved in plain text. The credit card information includes the bank identification number, which consists of the first six and final four digits of the card number, bank information, and the card's expiration date. Furthermore, the students' purchased meal plans and meal plan balances were included in the exposed data.

Transact Campus’ Response

SafetyDetectives notified Transact Campus about the exposed database in December 2021, and the corporation responded in January 2022, more than a month later. However, the incident's specifics were only revealed last week. 

During this time, researchers attempted to contact the company multiple times and also alerted US-CERT, after which the server was secured. Transact Campus stated that the exposed server was not under its control and that the data was fictitious. The misconfigured Elasticsearch database nonetheless appeared to belong to Transact Campus, a US-based software solution company.

Transact Campus stated, “Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data.” 

However, according to SafetyDetectives, the server in question was still being updated when it was found. They examined the data using freely available tools and discovered that it belonged to genuine persons.

Researchers were unable to determine whether or not unauthorised third parties or malicious actors gained access to the database before it was secured. If it was accessible, hackers might target students in a variety of attacks, such as frauds, phishing, spam marketing, or even account takeover, because login credentials were saved on the server in an unencrypted form.

Hardware Bugs Give Bluetooth Chipsets Unique Traceable Fingerprints


A recent study from the University of California, San Diego, has proven for the first time that Bluetooth signals may be fingerprinted to track devices (and therefore, individuals). At its root, the identification is based on flaws in the Bluetooth chipset hardware established during the manufacturing process, leading to a "unique physical-layer fingerprint."

In a new paper titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices," the researchers write: "To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals." 

The attack is made feasible by the pervasiveness of Bluetooth Low Energy (BLE) beacons, which modern smartphones transmit continuously to support functions such as contact tracing during public health emergencies. 

The hardware flaws stem from the fact that Wi-Fi and BLE components are frequently integrated into a single "combo chip," which effectively exposes Bluetooth to the same two metrics already used to uniquely fingerprint Wi-Fi devices: carrier frequency offset and IQ imbalance. 

Fingerprinting and tracking a device therefore involves calculating the Mahalanobis distance for each packet to determine how closely the new packet's characteristics match the previously registered hardware-defect fingerprint. 

"Also, since BLE devices have temporarily stable identifiers in their packets [i.e., MAC address], we can identify a device based on the average over multiple packets, increasing identification accuracy," the researchers stated. 

However, carrying out such an attack in an adversarial setting faces numerous obstacles, the most significant being that the ability to uniquely identify a device depends on the BLE chipset used as well as on the chipsets of other devices in close physical proximity to the target. Other factors that can influence the readings include device temperature, differences in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio used by the malicious actor to carry out the fingerprinting attack. 
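The matching step described above, as an added example that is not code from the UCSD paper or from this article: a per-packet Mahalanobis distance scores a new observation against a registered hardware-defect fingerprint, and averaging over packets that share one temporary identifier steadies the decision. It assumes each packet is reduced to a two-feature vector (carrier frequency offset in kHz, IQ imbalance as a dimensionless ratio); every number is a constructed sample value, not a real radio capture.

```python
"""Added example: Mahalanobis-distance matching of BLE physical-layer
fingerprints. Feature vectors are (CFO in kHz, IQ imbalance); all values are
constructed sample data, not real captures."""
import math
from statistics import mean


def fit_fingerprint(samples):
    """Enrol a device: mean vector and 2x2 sample covariance of its features."""
    n = len(samples)
    mu = (mean(s[0] for s in samples), mean(s[1] for s in samples))
    var0 = sum((s[0] - mu[0]) ** 2 for s in samples) / (n - 1)
    var1 = sum((s[1] - mu[1]) ** 2 for s in samples) / (n - 1)
    cov = sum((s[0] - mu[0]) * (s[1] - mu[1]) for s in samples) / (n - 1)
    return mu, ((var0, cov), (cov, var1))


def mahalanobis(x, fingerprint):
    """Distance of feature vector x from a fingerprint, measured in standard
    deviations along the fingerprint's own spread, so correlated CFO/IQ noise
    is accounted for rather than treated as independent."""
    mu, ((a, b), (c, d)) = fingerprint
    det = a * d - b * c
    if det <= 0:
        raise ValueError("singular covariance: enrol more varied packets")
    inv = ((d / det, -b / det), (-c / det, a / det))  # 2x2 inverse
    dx = (x[0] - mu[0], x[1] - mu[1])
    q = (dx[0] * (inv[0][0] * dx[0] + inv[0][1] * dx[1])
         + dx[1] * (inv[1][0] * dx[0] + inv[1][1] * dx[1]))
    return math.sqrt(q)


def identify(packets, fingerprints, threshold=3.0):
    """Average the features of packets seen under one temporary MAC, then return
    (device_name, distance) for the nearest enrolled fingerprint, or
    (None, distance) when even the nearest lies beyond the threshold, i.e. the
    burst does not match any enrolled device closely enough to identify it."""
    avg = (mean(p[0] for p in packets), mean(p[1] for p in packets))
    name, dist = min(((n, mahalanobis(avg, fp)) for n, fp in fingerprints.items()),
                     key=lambda t: t[1])
    return (name if dist <= threshold else None, dist)


# Constructed enrolment captures for two devices with distinct hardware defects.
ENROLLED = {
    "device_A": fit_fingerprint([(12.1, 0.021), (11.8, 0.019), (12.3, 0.022),
                                 (11.9, 0.020), (12.0, 0.018)]),
    "device_B": fit_fingerprint([(-5.2, 0.052), (-4.8, 0.049), (-5.1, 0.050),
                                 (-4.9, 0.051), (-5.0, 0.048)]),
}

if __name__ == "__main__":
    burst = [(12.0, 0.020), (12.2, 0.021), (11.9, 0.019)]  # constructed new packets
    print(identify(burst, ENROLLED))            # device_A, distance well under 1
    print(identify([(3.0, 0.035)], ENROLLED))   # None: matches no enrolled device
```

The threshold is where the paper's "matter of luck" caveat shows up: a device whose fingerprint sits close to many others in the enrolled population will either be rejected or misidentified, and the temperature and transmit-power effects listed above shift `avg` before it ever reaches the distance calculation.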

The researchers concluded, "By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks, others have common fingerprints, they will often be misidentified. BLE does present a location tracking threat for mobile devices. However, an attacker's ability to track a particular target is essentially a matter of luck."

Bad Bot Traffic is Significantly Contributing to Rise of Online Scam


Recently, many organizations have been wrestling with the challenge of the rise in bot traffic, also referred to as non-human traffic. According to an Imperva analysis, bad bots, software applications that perform automated operations with malicious intent, accounted for a record 27.7% of all global internet traffic in 2021, up from 25.6% in 2020. Account takeover (ATO), content or price scraping, and scalping to purchase limited-availability items were the three most common bot attacks. 

Bot traffic has the potential to damage organisations if they do not learn how to recognise, control, and filter it. Sites that rely on advertising in addition to sites that sell limited-quantity products and merchandise are particularly vulnerable. Bad bots are frequently the first sign of online fraud, posing a threat to both digital enterprises and their customers. 

Evasive bad bots, a grouping of moderate and advanced bad bots that circumvent ordinary security protections, accounted for 65.6% of all bad bot traffic in 2021. This type of bot employs the most advanced evasion strategies, such as cycling through several IP addresses, using anonymous proxies, changing identities, and imitating human behaviour. 

Bad bots make it possible to exploit, misuse, and attack websites, mobile apps, and APIs at high speed. Personal information, credit card details, and loyalty points can all be stolen if an attack succeeds. Automated abuse and online fraud also increase organizations' exposure to non-compliance with data privacy and transaction requirements. 

Bad bot traffic is increasing at a time when businesses are making investments to improve online customer experiences. More digital services, greater online functionality, and the creation of broad API ecosystems have all emerged.

Unfortunately, bad bot operators will use this slew of new endpoints to launch automated attacks. The key findings of the research are:
  • Account takeover grew 148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading origin country of ATO attacks (54%) in 2021. The implications of account takeover are extensive; successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
  • Travel, retail, and financial services targeted by bad bots: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
  • The proportion of bad bot traffic differs by country: In 2021, Germany (39.6%), Singapore (39.1%), and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and the United Kingdom (29.7%) were also higher than the global average (27.7%) of bad bot traffic.
  • 35.6% of bad bots disguise as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
According to the findings, no industry was immune to bad bot activity in 2021. Bots hoarding popular gaming consoles and clogging vaccine appointment scheduling sites drew attention in 2021, but any degree of bot activity on a website can cause considerable downtime, degrade performance, and reduce service reliability.
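The evasion behaviours the report lists (cycling through IP addresses, changing identities, bursting requests) leave traces in ordinary access logs. As an added example that is not code from Imperva or from this article, the session profiler below surfaces them; the tab-separated log format and every log line are constructed for the example, and the rate threshold is an assumed starting point to tune per site.

```python
"""Added example: profiling web sessions for bad-bot evasion indicators.
Log format and all log lines are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime

IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) Mobile Safari"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 11) Mobile Chrome"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/89.0"

# Constructed tab-separated access log: time, client IP, session cookie, request, user agent.
SAMPLE_LOG = "\n".join([
    # s1: a human browsing from one address with one browser
    f"2021-06-01T12:00:00Z\t203.0.113.10\ts1\tGET /\t{DESKTOP_UA}",
    f"2021-06-01T12:00:45Z\t203.0.113.10\ts1\tGET /product/42\t{DESKTOP_UA}",
    f"2021-06-01T12:01:30Z\t203.0.113.10\ts1\tGET /cart\t{DESKTOP_UA}",
    # s2: one session cookie, three proxy addresses, two spoofed mobile agents, 6 hits in 5 s
    f"2021-06-01T12:05:00Z\t198.51.100.7\ts2\tGET /product/1\t{IPHONE_UA}",
    f"2021-06-01T12:05:01Z\t198.51.100.8\ts2\tGET /product/2\t{IPHONE_UA}",
    f"2021-06-01T12:05:02Z\t198.51.100.9\ts2\tGET /product/3\t{ANDROID_UA}",
    f"2021-06-01T12:05:03Z\t198.51.100.7\ts2\tGET /product/4\t{ANDROID_UA}",
    f"2021-06-01T12:05:04Z\t198.51.100.8\ts2\tGET /product/5\t{IPHONE_UA}",
    f"2021-06-01T12:05:05Z\t198.51.100.9\ts2\tGET /product/6\t{ANDROID_UA}",
    # s3: stable identity but a scraping burst of 5 hits within one second
    "2021-06-01T12:10:00Z\t192.0.2.55\ts3\tGET /product/100\tpython-requests/2.25.1",
    "2021-06-01T12:10:00Z\t192.0.2.55\ts3\tGET /product/101\tpython-requests/2.25.1",
    "2021-06-01T12:10:00Z\t192.0.2.55\ts3\tGET /product/102\tpython-requests/2.25.1",
    "2021-06-01T12:10:00Z\t192.0.2.55\ts3\tGET /product/103\tpython-requests/2.25.1",
    "2021-06-01T12:10:00Z\t192.0.2.55\ts3\tGET /product/104\tpython-requests/2.25.1",
])

MAX_REQ_PER_MIN = 60  # assumed starting threshold; tune per site


def parse_line(line):
    ts, ip, session, request, ua = line.split("\t")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "session": session, "request": request, "ua": ua}


def profile_sessions(log_text):
    """Group requests by session cookie and summarise identity churn and rate."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            sessions[rec["session"]].append(rec)
    profiles = {}
    for sid, reqs in sessions.items():
        reqs.sort(key=lambda r: r["ts"])
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        profiles[sid] = {
            "requests": len(reqs),
            "distinct_ips": len({r["ip"] for r in reqs}),
            "distinct_uas": len({r["ua"] for r in reqs}),
            # a burst inside one second is rated over a one-second window
            "req_per_min": len(reqs) / max(span, 1.0) * 60,
        }
    return profiles


def score_session(profile):
    """Return the evasion indicators a session trips, in a fixed order."""
    reasons = []
    if profile["distinct_ips"] > 1:
        reasons.append("ip_rotation")
    if profile["distinct_uas"] > 1:
        reasons.append("ua_rotation")
    if profile["req_per_min"] > MAX_REQ_PER_MIN:
        reasons.append("burst_rate")
    return reasons


def flag_evasive_sessions(log_text):
    """Map each suspicious session id to the indicators it tripped."""
    flagged = {}
    for sid, profile in profile_sessions(log_text).items():
        reasons = score_session(profile)
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_evasive_sessions(SAMPLE_LOG).items():
        print(sid, reasons)
```

A single indicator is weak evidence on its own: a phone moving between Wi-Fi and cellular legitimately changes IP mid-session, and a browser extension can alter the user agent. Sessions tripping several indicators at once, as `s2` does, are the ones worth escalating to a bot-management or fraud review.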

Conti, REvil, LockBit Ransomware Flaws Exploited to Block Encryption


A researcher has demonstrated how a flaw common to numerous ransomware families can be used to control and terminate the malware before it encrypts files on vulnerable systems. Malvuln is a project created by researcher John Page (aka hyp3rlinx) that catalogues vulnerabilities found in various types of malware. 

Early in 2021, the Malvuln project was launched. SecurityWeek covered it in January 2021, when there were only a few dozen entries, and again in June 2021, when there were 260. Malvuln had almost 600 malware vulnerabilities as of May 4, 2022. Page added ten new entries in the first several days of May, detailing vulnerabilities in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families. 

The researcher discovered that DLL hijacking flaws affect these and other ransomware families. In general, such vulnerabilities can be exploited for arbitrary code execution and privilege escalation by placing a specially crafted file in a location where it will be loaded before the legitimate DLL. In the ransomware case, an "attacker" can build a DLL file with the same name as a DLL that the malware looks for and loads. 

If the new DLL is placed next to the ransomware executable, the malware loads it instead of the legitimate DLL. This can be used to stop the malware from encrypting data by intercepting and terminating it. According to the researcher, the DLLs can be hidden, which he does with the Windows "attrib +s +h" command in his PoC videos. 

Page explained, “Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill — the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach.” 

Page told SecurityWeek that while some of the ransomware versions he tested were new, the technique works against practically all ransomware, which he compared to a "Pandora's box of vulnerabilities." The researcher has also released videos showing how the ransomware's flaws are exploited: a specially constructed DLL file placed in the same folder as the ransomware executable prevents the malware from encrypting files. 

The Malvuln database covers authentication bypass, command/code execution, hardcoded credentials, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related, and other classes of vulnerabilities. Page also recently released Adversary3, an open-source malware vulnerability intelligence tool for third-party attackers. The Python-based application is intended to make it easier to access data from the Malvuln database, allowing users to search for vulnerabilities by attack category. 

According to the researcher, the tool could be valuable in red teaming activities: for instance, a tester could search for devices hosting malware and exploit vulnerabilities in that malware to gain elevated access. When the project was first announced, some members of the cybersecurity community expressed concern that the data could benefit malware authors by helping them fix vulnerabilities, some of which may have been exploited for threat intelligence purposes without their knowledge. The ransomware vulnerabilities and the Adversary3 tool, on the other hand, illustrate that the project can also benefit the cybersecurity community.

Identifying Ransomware’s Stealthy Boot Configuration Edits


The research by Binary Defense describes threat hunting techniques and detections for a regularly reported Ransomware-as-a-Service (RaaS) technique. Using the built-in Windows programme bcdedit.exe (Boot Configuration Data Edit), threat actors have been observed changing boot loader configurations to: 
  • Modify Boot Status Policies 
  • Disable Recovery Mode 
  • Enable Safe Mode 
The hypothesis Binary Defense used to build its hunting queries is that threat actors (such as Snatch and REvil) may not need bcdedit at all to adjust the boot loader configuration: they can implement code that directly modifies the Windows registry keys that hold that configuration. Last year, researcher am0nsec published proof-of-concept code showing exactly this on Windows 10 PCs. Binary Defense wanted to make sure the behaviour could be detected not only on Windows 7, 8.1, and 11 computers but also on systems where the relevant registry key is stored under a different Globally Unique Identifier (GUID). 

The research builds on the work of SpecterOps researcher Michael Barclay, who published an in-depth blog post earlier this year about hunting for such activity on Windows 10. Below are the bcdedit.exe commands attackers use to change the boot configuration. Other tools, such as the Windows System Configuration Utility (msconfig.exe), can change the boot configuration data as well, but these alternatives are not covered in the study because they are not command-line tools and so cannot be used without a user interface.

Boot Status Policy: The usual way to edit the boot status policy is to use bcdedit with these command line arguments:
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
This changes the "boot status policy" setting so that, after a failed shutdown, failed boot, or other error during startup, the system boots normally rather than entering the Windows Recovery Environment (Windows RE). Threat actors set this to prevent system administrators from using Windows RE's System Image Recovery tool.

Recovery Mode: The usual method for disabling recovery mode with bcdedit is like this:
bcdedit.exe /set {default} recoveryenabled no
This command disables Windows RE entirely. Changing the boot status policy with the previous command only stops the boot loader from loading the recovery environment when there are startup problems; this one also prevents system administrators from loading it manually.

Safeboot: To change the Safeboot options, bcdedit is used with these command line arguments:
bcdedit.exe /set {default} safeboot minimal

This command controls whether the system restarts in Safe Mode the next time it is powered on. Because not all Endpoint Detection and Response (EDR) and Anti-Virus (AV) products run in Safe Mode, this setting is changed to evade detection rather than to block recovery. Windows Defender, for example, does not run in Safe Mode, so any actions taken by a threat actor (file encryption, for example) will go unmonitored and therefore unprevented.

Prior research into similar techniques found that the registry keys storing these boot loader configuration items were Windows version-specific, with detections available only for Windows 10. To find the corresponding keys for other versions, Binary Defense set up VMs running Windows 7, 8.1, and 11 and ran the three bcdedit.exe commands above while capturing with the Windows Sysinternals tool Procmon. The logs this tool produces are notoriously noisy, but two filters, one excluding any process not named bcdedit.exe and the other excluding any operation not named RegSetValue, narrowed them down to the relevant entries.

Over a 60-day period, the following queries were evaluated across several enterprise environments with zero false positives. Because changes to these settings are uncommon, all of these queries can be surfaced to a SOC as detections.

  • Carbon Black
Windows 7:

regmod_name:(*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*)

Windows 8.1:

regmod_name:(*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*)

Windows 10:

regmod_name:(*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000E0* OR *BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009* OR *BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080*)

Windows 11:

regmod_name:(*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*)

  • CrowdStrike
Windows 7:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0*" OR RegObjectName="*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009*" OR RegObjectName="*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*")

Windows 8.1:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0*" OR RegObjectName="*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009*" OR RegObjectName="*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*")

Windows 10:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080*" OR RegObjectName="*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000E0*" OR RegObjectName="*BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009*")

Windows 11:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName="*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0*" OR RegObjectName="*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009*" OR RegObjectName="*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*")

  • Microsoft Sentinel and Defender for Endpoint
Windows 7:

| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0", @"BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009", @"BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080")

Windows 8.1:

| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0", @"BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009", @"BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080")

Windows 10:

| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080", @"BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000E0", @"BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009")

Windows 11:

| where TimeGenerated > ago(90d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@"BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0", @"BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009", @"BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080")

  • SentinelOne
Windows 7:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0", "BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009", "BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080")

Windows 8.1:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0", "BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009", "BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080")

Windows 10:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\25000080", "BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\250000E0", "BCD00000000\Objects\{9f83643f-4a91-11e9-9501-b252ac81e352}\Elements\16000009")

Windows 11:

EventType = "Registry Value Modified" and RegistryKeyPath In Contains Anycase ("BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0", "BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009", "BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080")
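Every query above is pinned to the boot-entry GUID of the build it was captured on, which is exactly the gap Binary Defense flags for hosts whose entry lives under a different GUID. As an added example that is not Binary Defense's own code, the matcher below keys on the three BCD element IDs from the queries (250000e0, 16000009, 25000080) and accepts any GUID, so it also catches a process that writes the registry directly without ever launching bcdedit.exe. The event records are constructed: the Windows 11 GUID is taken from the queries above, the other GUID and the process names are made up for the example, and a real pipeline would feed it registry-value-set events from an EDR or Sysmon.

```python
"""Added example: GUID-agnostic detection of BCD boot-configuration edits.
Event records below are constructed sample data."""
import re

# BCD element IDs written by the three bcdedit commands described above.
BCD_ELEMENTS = {
    "250000e0": "bootstatuspolicy",
    "16000009": "recoveryenabled",
    "25000080": "safeboot",
}

# Any boot-entry GUID under the BCD hive, followed by one of the watched elements.
BCD_PATTERN = re.compile(
    r"BCD00000000\\Objects\\\{(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}"
    r"\\Elements\\(?P<element>250000e0|16000009|25000080)(?![0-9a-z])",
    re.IGNORECASE,
)


def classify_bcd_write(registry_key):
    """Return (boot_entry_guid, setting_name) if the key is a watched BCD element, else None."""
    m = BCD_PATTERN.search(registry_key)
    if not m:
        return None
    return m.group("guid").lower(), BCD_ELEMENTS[m.group("element").lower()]


def hunt(events):
    """Flag every registry-value-set event touching a watched element, marking
    writes that did not come from bcdedit.exe as direct registry edits."""
    hits = []
    for ev in events:
        found = classify_bcd_write(ev["key"])
        if found:
            guid, setting = found
            hits.append({
                "process": ev["process"],
                "guid": guid,
                "setting": setting,
                "direct_write": ev["process"].lower() != "bcdedit.exe",
            })
    return hits


# Constructed events. The first GUID is the Windows 11 entry from the queries
# above; the second is a made-up GUID standing in for a host with its own entry.
SAMPLE_EVENTS = [
    {"process": "bcdedit.exe",
     "key": r"HKLM\BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0"},
    {"process": "bcdedit.exe",
     "key": r"HKLM\BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009"},
    {"process": "updater.exe",   # constructed: a non-bcdedit process editing safeboot directly
     "key": r"HKLM\BCD00000000\Objects\{1a2b3c4d-0000-4000-8000-00000000beef}\Elements\25000080"},
    {"process": "explorer.exe",  # unrelated registry activity, must not match
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
    {"process": "bcdedit.exe",   # a BCD element outside the watch list, must not match
     "key": r"HKLM\BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\12000004"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The `direct_write` flag is the interesting one for triage: a `bcdedit.exe` write may still be an administrator at work, but a write to these elements from any other process matches the direct-registry-modification hypothesis the research set out to cover.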

VirusTotal Reveals Claims of Critical Flaws in Google’s Antivirus Service


Questions have been raised about the credibility of research claiming to reveal a severe vulnerability in VirusTotal, a Google-owned antivirus comparison and threat intelligence service. 

VirusTotal (VT) is a service that enables security researchers, system administrators, and others to evaluate suspicious files, domains, IP addresses, and URLs using an aggregated service that includes close to 70 antivirus vendors and scan engines. Samples submitted through the service are automatically shared with the security community, including but not limited to the vendors that maintain the scanning engines VT uses. 

In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claims its researchers were able to "execute commands remotely within [the] VirusTotal platform and gain access to its various scans capabilities". 

The attack uses a doctored DJVU file with a malicious payload added to the file's metadata. This payload exploits CVE-2021-22204, a vulnerability in the metadata analysis tool ExifTool, to achieve remote code execution (RCE) and a remote shell.

Cysource researchers reported their findings to Google's VRP in April 2021, and the issue was addressed a month later. VirusTotal says that rather than demonstrating a way to weaponize VirusTotal, Cysource only demonstrated a way to exploit an unpatched third-party antivirus toolset. 

In a response to the findings published as a Twitter thread, VirusTotal founder Bernardo Quintero stated that the code execution occurred on third-party scanning systems that take and analyse samples obtained from VT, rather than on VirusTotal itself. 

"None [of the] reported machine was from VT and the 'researchers' knew it," Quintero added.

Survey: 89% Firms Experienced One or More Successful Email Breach


During the past 12 months, 89 percent of firms had one or more successful email intrusions, resulting in significant expenses. 

The vast majority of security teams believe that their email protection measures are useless against the most significant inbound threats, such as ransomware. This is according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research. The survey examined issues with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and readiness to cope with attacks and incidents. 

“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report.

Fewer than half of those surveyed felt their companies can prevent email threats from being delivered, and fewer than half consider their current email security solutions effective. Techniques to detect and stop mass-mailed phishing emails are seen as the least effective, followed by safeguards against impersonation attacks. 

As a result, it's perhaps unsurprising that nearly every company polled has experienced one or more sorts of email breaches. Overall, successful ransomware attacks have climbed by 71% in the last three years, Microsoft 365 credential compromise has increased by 49%, and successful phishing assaults have increased by 44%, according to the report. 

Email Defences 

When the firms looked into where email defence falls short, they found that, surprisingly, the use of email client plug-ins for users to flag questionable messages is on the upswing. According to a 2019 survey, half of the firms now employ an automatic email client plug-in for users to flag questionable email messages for review by skilled security personnel, up from 37% in 2019. The most common recipients of these reports are security operations centre analysts, email administrators, and an email security vendor or service provider; 78% of firms alert two or more groups. 

In addition, most firms now provide user training on email dangers, according to the survey: More than 99% of companies provide training at least once a year, and one out of every seven companies provides email security training monthly or more regularly. 

"Training more frequently reduces a range of threat markers. Among organizations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organizations only training once or twice a year," as per the report.

Furthermore, the survey discovered that more regular training leads to a higher number of suspicious messages being reported, as well as a higher percentage of these messages being reported as such. The survey also revealed that firms are utilising at least one additional security product to supplement Microsoft 365's basic email protections. However, the survey discovered that their implementation efficacy differs. 

The report explained, “Additive tools include Microsoft 365 Defender, security awareness training technology, a third-party secure email gateway or a third-party specialized anti-phishing add-on. There is a wide range of deployment patterns with the use of these tools.”

The report concludes that these kinds of gaps, as well as weak defences in general, result in significant expenses for businesses.

"Costs include post-incident remediation, manual removal of malicious messages from inboxes, and time wasted on triaging messages reported as suspicious that prove to be benign. Organizations face a range of other costs too, including alert fatigue, cybersecurity analyst turnover, and regulatory fines," the report further reads.

Critical Chipset Flaws Enable Remote Spying on Millions of Android Devices


Three security flaws have been discovered in Qualcomm and MediaTek audio decoders which, if left unpatched, could allow an adversary to remotely access media and audio conversations on affected mobile devices. According to Israeli cybersecurity firm Check Point, the flaws could be exploited for remote code execution (RCE) by delivering a specially crafted audio file. 

The researchers said in a report shared with The Hacker News, "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera. In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." 

The flaws, collectively termed ALHACK, stem from an audio codec that Apple created and open-sourced in 2011. The Apple Lossless Audio Codec (ALAC) format is used to compress digital music losslessly. Since then, third-party suppliers including Qualcomm and MediaTek have used Apple's reference codec implementation as the basis for their own audio decoders. While Apple has consistently patched and fixed security problems in its proprietary version of ALAC, the open-source version has not received a single update since it was first uploaded to GitHub on October 27, 2011. 

Check Point revealed three vulnerabilities in this ported ALAC code, two of which were found in MediaTek chipsets and one in Qualcomm chipsets:
• CVE-2021-0674 (CVSS score: 5.5, MediaTek) - A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction 
• CVE-2021-0675 (CVSS score: 7.8, MediaTek) - A local privilege escalation flaw in the ALAC decoder stemming from out-of-bounds write 
• CVE-2021-30351 (CVSS score: 9.8, Qualcomm) - An out-of-bound memory access due to improper validation of a number of frames being passed during music playback 

The vulnerabilities allowed Check Point to "grab the phone's camera feed" in a proof-of-concept exploit, according to security researcher Slava Makkaveev, who discovered the issues alongside Netanel Ben Simon. All three vulnerabilities were addressed by the individual chipset manufacturers in December 2021, following responsible disclosure. 

"The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone," Makkaveev explained.

Hive Ransomware Employs New 'IPfuscation' Tactic to Conceal Payload


Threat researchers have found a new obfuscation technique employed by the Hive ransomware gang, which uses IPv4 addresses and a series of conversions that ultimately lead to the download of a Cobalt Strike beacon. Threat actors use code obfuscation to hide the malicious nature of their code from human reviewers and security software in order to avoid detection. 

There are a variety of techniques to create obfuscation, each with its own set of benefits and drawbacks, but a new one identified during an incident response involving Hive ransomware reveals that adversaries are coming up with new, subtler ways to accomplish their objective. 

Analysts at SentinelLabs describe a new obfuscation technique called "IPfuscation," another example of how effective simple but clever tactics can be in real-world malware deployments. The technique was discovered while examining 64-bit Windows executables, each of which contained a payload that delivered Cobalt Strike. 

The payload is disguised as an array of ASCII IPv4 addresses, giving it the appearance of a harmless list of IP addresses; during analysis the list could easily be mistaken for hard-coded C2 communication details. When the array is fed to a conversion function (from ip2string.h) that turns each string back into binary, a blob of shellcode emerges.

Following this step, the malware executes the shellcode either directly through syscalls or through a callback on the user interface language enumerator (winnls.h), resulting in an ordinary Cobalt Strike stager. 

The following is an example from the Sentinel Labs report: The first hardcoded IP-formatted string is the ASCII string “”, which has a binary representation of 0xE48348FC (big-endian), and the next “IP” to be translated is “”, which has a binary representation of 0xC8E8F0. 

Disassembling these "binary representations" reveals the start of shellcode generated by common penetration testing frameworks. The analysts have uncovered additional IPfuscation variants that use IPv6 addresses, UUIDs, and MAC addresses instead of IPv4 addresses, all operating in almost the same manner as described above.
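The conversion step described above, and its IPv6, UUID and MAC variants, as an added example that is not SentinelLabs' code: the malware hands each string to a Windows conversion routine and treats the resulting bytes as shellcode, so an analyst can recover the buffer offline by reversing the same conversion. Python's ipaddress and uuid modules produce the same byte layouts the Windows routines do (network order for IPv4/IPv6, the in-memory GUID layout for UUIDs, which is what `bytes_le` gives). The payload bytes here are a constructed text string, not shellcode, and the real sample's strings are not reproduced.

```python
"""Added example: encoding and decoding IPfuscated payloads for analysis.
The payload used below is constructed text, not shellcode."""
import ipaddress
import uuid

# name -> (chunk size, encode one chunk -> string, decode one string -> bytes)
FORMATS = {
    "ipv4": (4,
             lambda c: str(ipaddress.IPv4Address(c)),
             lambda s: ipaddress.IPv4Address(s).packed),
    "ipv6": (16,
             lambda c: str(ipaddress.IPv6Address(c)),
             lambda s: ipaddress.IPv6Address(s).packed),
    "mac": (6,
            lambda c: "-".join(f"{b:02X}" for b in c),
            lambda s: bytes.fromhex(s.replace("-", "").replace(":", ""))),
    # A GUID parsed from its string form is stored with Data1..Data3 little-endian
    # and Data4 as-is; uuid.UUID(...).bytes_le reproduces that memory layout.
    "uuid": (16,
             lambda c: str(uuid.UUID(bytes_le=c)),
             lambda s: uuid.UUID(s).bytes_le),
}


def ipfuscate(payload, fmt):
    """Render a payload the way the loader stores it: zero-pad to whole chunks,
    then write each chunk as an address-looking string."""
    size, encode, _ = FORMATS[fmt]
    padded = payload + b"\0" * (-len(payload) % size)
    return [encode(padded[i:i + size]) for i in range(0, len(padded), size)]


def deipfuscate(strings, fmt):
    """Reverse the loader's conversion to recover the raw buffer (padding included)."""
    _, _, decode = FORMATS[fmt]
    return b"".join(decode(s) for s in strings)


if __name__ == "__main__":
    sample = b"constructed sample, not shellcode"  # constructed stand-in for a payload
    for fmt in FORMATS:
        strings = ipfuscate(sample, fmt)
        print(fmt, strings[:2], deipfuscate(strings, fmt)[:len(sample)] == sample)
```

On a real sample the decoded buffer is what goes into a disassembler; since the zero padding is part of the recovered bytes, trim to the length the loader passes to its conversion loop before analysing the tail.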

The conclusion is that relying solely on static signatures to detect malicious payloads is no longer sufficient. According to the researchers, behavioural detection, AI-assisted analysis, and holistic endpoint security that correlates suspicious elements from various sources have a better chance of catching IPfuscated payloads.

BitRAT Malware Spreading Via Unofficial Microsoft Windows Activators


A new BitRAT malware distribution campaign is targeting people who use unauthorised Microsoft licence activators to activate unlicensed Windows OS versions for free. 

BitRAT is a powerful remote access trojan that can be purchased for as little as $20 (lifetime access) on cybercrime forums and dark web markets. As a result, each buyer has their own malware distribution strategy, which may include phishing, watering holes, or trojanized software. In a new BitRAT distribution campaign identified by AhnLab researchers, threat actors are delivering the malware as a Windows 10 Pro licence activator on webhards. 

Webhards are popular online storage services in South Korea that receive a steady stream of visitors via direct download links posted on social media platforms or Discord. Threat actors are increasingly exploiting webhards to deliver malware due to their widespread use in the region. Based on some of the Korean characters in the code snippets and how it was distributed, the actor behind the current BitRAT campaign appears to be Korean. To use Windows 10, one must first purchase and activate a Microsoft licence. 

While there are ways to get Windows 10 for free, one must have a valid Windows 7 licence to do so. Those who don't want to deal with licensing concerns, or who don't have a licence to upgrade, frequently resort to pirating Windows 10 and using unapproved activators, many of which are infected with malware. 'W10DigitalActiviation.exe' is the malicious file presented as a Windows 10 activator in this campaign, and it has a simple GUI with a button to "Activate Windows 10." 

Rather than activating the Windows licence on the host system, the "activator" downloads malware from the threat actor's hardcoded command and control server. The retrieved payload is BitRAT, which is installed as 'Software Reporter Tool.exe' in the %TEMP% folder and added to the Startup folder. The downloader also adds Windows Defender exclusions to guarantee that BitRAT is not detected. Once the malware installation is complete, the downloader deletes itself from the system, leaving just BitRAT behind. 
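The installation chain just described (an executable dropped into %TEMP%, a Startup folder entry, a Defender exclusion, then self-deletion) is a sequence a defender can correlate per process rather than hunting for any single file name. The following is an added example, not code from AhnLab, ASEC or this post: the event records are constructed and deliberately simplified (not a real Windows or Sysmon event format), the expanded %TEMP% and Startup paths are assumptions, and so is the choice of a `.lnk` as the Startup entry.

```python
import re
from collections import defaultdict

# Constructed, simplified event records (not a real Windows or Sysmon event
# format). pid 4242 mimics the chain described in the article; pid 5150 is a
# benign installer that only unpacks into %TEMP%. Expanded paths are assumed.
INSTALLER = r"C:\Users\alice\Downloads\W10DigitalActiviation.exe"
PAYLOAD = r"C:\Users\alice\AppData\Local\Temp\Software Reporter Tool.exe"
STARTUP_LNK = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\Software Reporter Tool.lnk")

EVENTS = [
    {"ts": 100, "pid": 4242, "image": INSTALLER, "type": "file_create", "path": PAYLOAD},
    {"ts": 101, "pid": 4242, "image": INSTALLER, "type": "defender_exclusion_added", "path": PAYLOAD},
    {"ts": 102, "pid": 4242, "image": INSTALLER, "type": "file_create", "path": STARTUP_LNK},
    {"ts": 103, "pid": 4242, "image": INSTALLER, "type": "file_delete", "path": INSTALLER},
    {"ts": 200, "pid": 5150, "image": r"C:\Users\alice\Downloads\setup.exe",
     "type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\is-7F3A.tmp\setup.tmp"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def classify(event):
    """Map one event to the behaviour it evidences, or None if it is not
    one of the four behaviours in the chain."""
    path = event["path"].lower()
    kind = event["type"]
    if kind == "file_create" and TEMP_DIR.search(path) and path.endswith(".exe"):
        return "exe_dropped_in_temp"
    if kind == "file_create" and STARTUP_DIR.search(path):
        return "startup_folder_persistence"
    if kind == "defender_exclusion_added":
        return "defender_exclusion_added"
    if kind == "file_delete" and path == event["image"].lower():
        return "self_delete"
    return None


def correlate(events, min_behaviours=3):
    """Group behaviours by (pid, image) and alert when one process shows the
    temp drop plus at least min_behaviours distinct behaviours overall.
    Requiring several behaviours keeps ordinary installers, which also write
    into %TEMP%, from triggering on that alone."""
    by_process = defaultdict(set)
    for event in events:
        behaviour = classify(event)
        if behaviour:
            by_process[(event["pid"], event["image"])].add(behaviour)
    alerts = []
    for (pid, image), behaviours in by_process.items():
        if "exe_dropped_in_temp" in behaviours and len(behaviours) >= min_behaviours:
            alerts.append({"pid": pid, "image": image, "behaviours": sorted(behaviours)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['image']}: {', '.join(alert['behaviours'])}")
```

In a real pipeline the same logic would sit on top of file-creation, file-deletion and Defender configuration-change telemetry; what matters is that the exclusion and the Startup entry are attributed to the same process that wrote the executable, since each of those events is unremarkable on its own.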

BitRAT is marketed as a powerful, low-cost, and versatile malware that can steal a variety of sensitive data from the host computer. BitRAT includes features such as keylogging, clipboard monitoring, camera access, audio recording, credential theft through web browsers, and XMRig coin mining. 

It also includes a remote control for Windows PCs, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxy (UDP). On that front, ASEC's investigators discovered considerable code similarities between TinyNuke and its derivative, AveMaria (Warzone). The RATs' hidden desktop capability is so valuable that some hacking groups, such as Kimsuky, have included them in their arsenal only to use the hVNC tool.

Researchers Reveal New Side-Channel Attack on Homomorphic Encryption


A group of academics from North Carolina State University and Dokuz Eylul University have revealed the "first side-channel attack" on homomorphic encryption, which may be used to disclose data while the encryption process is in progress. 

Aydin Aysu, one of the authors of the study, stated, "Basically, by monitoring power consumption in a device that is encoding data for homomorphic encryption, we are able to read the data as it is being encrypted. This demonstrates that even next generation encryption technologies need protection against side-channel attacks." 

Homomorphic Encryption is a kind of encryption that enables specific sorts of computations to be done directly on encrypted data without the need to first decrypt it. It's also designed to protect privacy by permitting sensitive data to be shared with other third-party services, such as data analytics organisations, for additional processing while the base data remains encrypted and, as a result, unavailable to the service provider. 

To put it another way, the purpose of homomorphic encryption is to make it easier to establish end-to-end encrypted data storage and computation services that don't require the data owner to share their secret keys with third-party services. The researchers proposed a data leakage attack based on a vulnerability found in Microsoft SEAL, the tech giant's open-source implementation of the technology, that could be abused to recover a piece of a homomorphically encrypted plaintext message, successfully undoing the privacy safeguards.

The attack, dubbed RevEAL, takes advantage of a "power-based side-channel leakage of Microsoft SEAL prior to v3.6 that implements the Brakerski/Fan-Vercauteren (BFV) protocol" and "targets the Gaussian sampling in the SEAL's encryption phase and can extract the entire message with a single power measurement," as per the researchers. 

SEAL version 3.6, released on December 3, 2020, and later versions employ a different sampling technique, according to the researchers, who also warn that future versions of the library may have a "different vulnerability." 

Kim Laine, Microsoft's principal research manager who heads the Cryptography and Privacy Research Group, stated in the release notes, "Encryption error is sampled from a Centered Binomial Distribution (CBD) by default unless 'SEAL_USE_GAUSSIAN_NOISE' is set to ON. Sampling from a CBD is constant-time and faster than sampling from a Gaussian distribution, which is why it is used by many of the NIST PQC finalists."
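The release-note distinction above, as an added example that is not SEAL's code and does not reproduce the RevEAL attack: a centered binomial sampler consumes a fixed number of random bits and performs the same operations for every output, whereas a rejection-style Gaussian sampler loops a data-dependent number of times, which is the sort of variation a power trace can expose. The rejection sampler below is a naive illustrative one, not the sampler SEAL used before 3.6, and the parameters `ETA` and `SIGMA` are assumptions chosen for illustration.

```python
import math
import secrets

ETA = 2       # CBD parameter: outputs lie in [-ETA, ETA] with variance ETA/2
SIGMA = 3.2   # width for the illustrative Gaussian sampler (assumed value)


def popcount(x):
    """Number of set bits in x."""
    return bin(x).count("1")


def cbd_from_bits(eta, a, b):
    """Centered binomial value from two eta-bit random words: the number of
    set bits in a minus the number of set bits in b. Every call performs the
    same operations regardless of the value it produces."""
    mask = (1 << eta) - 1
    return popcount(a & mask) - popcount(b & mask)


def cbd_sample(eta=ETA):
    """Draw exactly 2*eta random bits and return (sample, bits_consumed).
    The work done never depends on the sample."""
    a = secrets.randbits(eta)
    b = secrets.randbits(eta)
    return cbd_from_bits(eta, a, b), 2 * eta


def gaussian_rejection_sample(sigma=SIGMA, tail=6):
    """Illustrative (not SEAL's) discrete Gaussian sampler by rejection:
    propose x uniformly in [-tail*sigma, tail*sigma] and accept it with
    probability exp(-x^2 / (2 sigma^2)). Returns (sample, attempts); the
    number of attempts varies from call to call and is observable as timing
    or power behaviour."""
    bound = math.ceil(tail * sigma)
    attempts = 0
    while True:
        attempts += 1
        x = secrets.randbelow(2 * bound + 1) - bound
        u = secrets.randbelow(1 << 32) / (1 << 32)
        if u < math.exp(-(x * x) / (2 * sigma * sigma)):
            return x, attempts


def compare_work(n=2000):
    """Sample n times from each distribution and summarise the work per
    call: a single constant for CBD, a spread of loop counts for rejection."""
    cbd_bits = {cbd_sample()[1] for _ in range(n)}
    attempts = [gaussian_rejection_sample()[1] for _ in range(n)]
    return {
        "cbd_distinct_work_values": len(cbd_bits),
        "gaussian_min_attempts": min(attempts),
        "gaussian_max_attempts": max(attempts),
    }


if __name__ == "__main__":
    print(compare_work())
```

Constant control flow is necessary but not sufficient for side-channel resistance (the arithmetic itself must also be free of secret-dependent timing and power differences), but it removes the most obvious lever, which is why the release note pairs "constant-time" with the switch to a CBD.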