Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

The Monster using a mobile device is certainly not the way _Frankenstein_ author Mary Shelley — or even_Young Frankenstein_ screenplay writers Mel Brooks and Gene Wilder — ever envisioned him. But modern times call for a modern creature, and now it's up to you to set the updated scene with a clever cybersecurity-related caption. Our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the April 12, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading March Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

A round of applause goes to Todd Schamberger, information security manager/CISSP at accounting firm Miller Kaplan. Todd's caption (below) hit the nail — er, computer — right on its head. And a big thanks to all who submitted their ideas!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: It's E-Live!

Threat actors are using legitimate network assets and open source code to fly under the radar in data-stealing attacks using a set of custom malware bent on evasion.

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.

According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments. But Naplistener — along with other new types of malware used by the group —appear "designed to evade network-based forms of detection," says Jake King, Elastic Security's director of engineering.

So, don't sleep on that defense-in-depth strategy.

Researchers observed Naplistener in the form of a new executable that was created and installed on a victim network as a Windows Service on Jan. 20. Threat actors created the executable, Wmdtc.exe, using a naming convention similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service.

**A Focus on Detection Evasion**

Naplistener is the latest in a series of new types of custom malware that Elastic researchers have observed REF2924 using in its attacks that support a particular focus on evading network-based detection, King says. What these new malware families all have in common is not only that they are based on open source technologies but also that they use familiar and legitimate network assets to mask their activities.

"A consistent theme to all these capabilities is the intention to hide in legitimate and expected forms of network communication, and \[they\] are installed to resemble the underlying services they abuse," King notes.

While other threat groups also adopt these approaches with custom malware, they do so "less often, and less consistently" than REF2924, he notes, demonstrating that REF2924 is betting heavily on avoiding detection for success.

"A unique observation of this threat actor is in the deep focus of evasion tactics," King says. "While many threats masquerade in similar ways, this threat pursues the methodology to an extreme and consistently uses these methodologies."

**Custom Malware at a Glance**

In addition to Naplistener, which mimics the behavior of Web servers on a network to hide itself, REF2924 also is wielding custom malware that Elastic Security tracks as SiestaGraph and Somnirecord, among others. The former is notable for using Microsoft cloud resources for command and control to evade detection, and the latter masquerades as DNS protocol traffic, King says.

"Organizations in the observed regions of impact who rely strictly on network-based methods of detection will struggle to identify these malware families," he adds.

Specifically, Naplistener creates an HTTP request listener that can process incoming requests from the Internet, read any data that was submitted, decode it from Base64 format, and execute it in memory, the researchers said.

As mentioned, it evades victims' attempts at network-based detection by behaving similarly to Web servers, operating between legitimate Web users and resembling normal Web traffic. It does this all without generating Web server log events, the researchers said.

Naplistener also relies on code present in public repositories for a variety of purposes, and it appears that REF2924 may be developing additional prototypes and production-quality code from open sources, they added.

**Going Beyond Network-Level Detection**

Because REF2024 is so focused on avoiding network-based detection methods, enterprises in its crosshairs can avoid compromise by the group primarily by prioritizing endpoint-based detection technologies, more commonly known as endpoint detection and response (EDR), King says.

Indeed, while EDR is not a new security strategy for many organizations in the US, in the region of the world where the group is operating, it is still in early stages of adoption, he says. This exposes these organizations to risk from the custom malware that the group is deploying.

"Organizations which rely on network technologies to detect threats will face significant challenges, and those are compounded relative to the complexity of their networks," King says. "In short: The more connections and types of connections, the harder it is for organizations to monitor them effectively; this is relatively quickly addressed with another host-based form of visibility."

Another technology that organizations can deploy to combat malware that can evade network-based detection is egress filtering, or limiting the kinds of outbound network communications they permit, King says.

However, he adds, "this is not a particularly scalable approach once an organization reaches a significant size, due to the large number of egress points they manage and the diversity of legitimate communication methods."

Custom 'Naplistener' Malware a Nightmare for Network-Based Detection

Third-party breaches have a wide effect that legacy security practices can no longer detect.

Cybersecurity is a huge priority for the federal government, from President Biden's Executive Order 14028 to the National Cyber Strategy, but there's still one major gap in their net: third parties. In fact, nearly 60% of all data breaches are initiated via third-party vendors, which are often undetectable by the usual outward-facing approach to security until they have reached the perimeter of an organization.

The Transportation Security Administration's (TSA) no-fly list hack is the latest example of the massive risk that a third-party leak can have on federal cybersecurity. Data breaches in third parties cast a wide net of effects across the private and public sector alike, which legacy cybersecurity practices can no longer detect. As the Biden administration determines its cyber path, it is imperative that we all take a step back to look at the expanding security perimeter.

**The Effects of Third-Party Data Risk Are Far Reaching**

With more data being shared every day outside typical security perimeters, a single third-party data leak is enough to cause a devastating breach that can take down anything from the largest company to the most critical federal agency. Visibility is the primary culprit at play with third-party risk. In fact, the average organization shares sensitive data with 583 third parties — a staggering number of possible attack vectors to monitor. For the US government, this means contractors, vendors, other agencies, and more.

The effects of the expanding digital supply chain and weak visibility combine to open a variety of risks. SolarWinds is the most notorious example of a third-party supply chain hack, affecting not only organizations that used the software but also their network of customers and partners. The reach of this impact is especially important to consider for the federal government, where agencies play host to both critical and sensitive data for the nation and its citizens. Protection from a chain reaction of data compromise can only come from regularly updating security practices and technology.

The US government is making consistent strides to undergo a digital transformation — and this must expand to cybersecurity in the face of third-party risks. It cannot rely on legacy cybersecurity standards. Today's threats require always-on system security technologies and practices. Questionnaires, policies, and process reviews are ineffective in the new digital landscape.

**Preemptive Cybersecurity Combats Third-Party Risk**

To be effective, a third-party risk strategy must be preemptive. It is fairly common practice to review security policies, along with past security incidents and remediations of potential vendors, to predict future risk. However, this is not enough — it is merely reviewing a plan of prevention and attack.

It is, of course, imperative to make informed decisions regarding third-party relationships by researching organizations and their areas of possible exposure before committing to share data with them. Part of this evaluation should be understanding their dedication to visibility and strong security hygiene. Though scanning for malicious behavior is an important step, negligence also plays a major role in security vulnerabilities, and partners should be evaluated on how up to date their practices are.

Implementing contracts for existing partnerships can help address any found weaknesses. Those that fail to comply with security standards can be dealt with by enforcing clawback clauses and integrating supply chain penalties for data leaks of confidential information.

From there, it's important to maintain that preemptive security posture through ongoing monitoring and risk assessment. For part of a larger third-party life cycle management plan, helpful tools include automated risk management platforms, regular real-time risk assessments, and tools (such as external attack surface management, or EASM) for continually discovering, inventorying, classifying, prioritizing, and monitoring sensitive external assets within an IT infrastructure. \[Note: The author's company is one of many that offer EASM.\]

Most private and public organizations recognize the importance of cybersecurity, yet there are surprisingly still some laggard industries, and this poses a strong threat to federal cybersecurity. As we see more cyber priorities rolling out from the federal government — and better security practices trickling down to vendors through Cybersecurity Maturity Model Certification (CMMC) — we can hope to see more initiatives around these growing issues in the future. With the TSA no-fly leak behind us, third-party data protection should take a top spot in federal cyber priorities.

Controlling Third-Party Data Risk Should Be a Top Cybersecurity Priority

Aembit launches from stealth with a cloud-based identity access management platform for enterprise workloads.

Modern applications tend to be widely distributed and rely on multiple services, technologies, and APIs. Developers need to be able to authenticate the application to those services, store those credentials securely, and monitor access. While security and DevOps teams can integrate their existing identity access management platform with secrets-management tools, and enable audit logging, the resulting system tend to be challenging to implement and operate.

This is the problem Aembit, which emerged from stealth today, is tackling with its cloud-based platform. Aembit helps organizations provide seamless and secure access from client workloads to their APIs, databases, and cloud resources. DevOps and security teams can manage how federated workloads talk to each other without requiring developers to make changes to their applications, the company says.

Aembit defines workloads as “any program or application utilizing computing, data, networking, and storage to perform one or more tasks.” Examples include custom applications, HTTP-based APIs from software-as-a-service providers or API gateways, databases, data warehouses, data lakes, and application services provided by hyper-scale cloud vendors.

Founded in 2021, Aembit’s identity access management platform “gives identities to your workloads, authenticates them, authorizes them to access each other based on policies you set, and logs all accesses and access attempts for auditing and analytics,” the company said last fall.

Workload IAM is a sub-category of the broader IAM market, as it focuses on workload-to-workload interactions. IAM most commonly focuses on allowing human users to securely access applications and systems; workload IAM authorizes applications and services to access other applications and services. It’s an area that organizations are increasingly paying attention to because these connections can be abused. The breach at CircleCI is a good example – a system breach in CircleCI resulted in organizations having to rotate their secrets. The recent T-Mobile data breach, where data affiliated with 37 million customer accounts were stolen, was the result of an exploited API.

“The mesh of workload-to-workload connections created when software talks to other software need to be identified, secured and managed,” Jake Seid, co-founder and general partner of Ballistic Ventures, said in a statement. “Aembit is defining this new category of Workload IAM to defend enterprises’ most critical digital assets.”

As part of the launch, Aembit also raised $16.6 million in seed funding from Ballistic Ventures and Ten Eleven Ventures. Aembit’s co-founders, David Goldschlag and Kevin Sapp, previously co-founded New Edge Labs, which was sold to Netskope in 2019. The pair also founded mobile device management platform Trust Digital, which was acquired by McAfee in 2010.

IAM Startup Aembit Secures How Workloads Connect to Services

UK cybersecurity authorities and researchers tamp down fears that ChatGPT will overwhelm current defenses, while the CEO of OpenAI worries about its use in cyberattacks.

The dizzying capacity for OpenAI to vacuum up vast amounts of data and spit out custom-tailored content has ushered in all sorts of worrying predictions about the technology's ability to overwhelm everything — including cybersecurity defenses.

Indeed, ChatGPT's latest iteration, GPT-4, is smart enough to pass the bar exam, generate thousands of words of text, and write malicious code. And thanks to its stripped-down interface anyone can use, concerns that the OpenAI tools could turn any would-be petty thief into a technically savvy malicious coder in moments were, and still are, well-founded. ChatGPT-enabled cyberattacks started popping up just after its user-friendly interface premiered in November 2022.

OpenAI co-founder Greg Brockman told a crowd gathered at SXSW this month that he is concerned about the technology's potential to do two specific things really well: spread disinformation and launch cyberattacks.

"Now that they're getting better at writing computer code, \[OpenAI\] could be used for offensive cyberattacks," Brockman said.

No word on what OpenAI intends to do to mitigate the chatbot's cybersecurity threat, however. For the time being, it appears to be up to the cybersecurity community to mount a defense.

There are current safeguards put in place to keep users for using ChatGPT for unintended purposes, or for content deemed too violent or illegal, but users are quickly finding jailbreak workarounds for those content limitations.

Those threats warrant concern, but a growing chorus of experts, including a recent post by the UK's National Cyber Security Centre, are tempering concerns over the true dangers to enterprises with the rise of ChatGPT and large language models (LLMs).

**ChatGPT's Current Cyber Threat**

Work products of chatbots can save time taking care of less complex tasks, but when it comes to performing expert work like writing malicious code, OpenAI's ability to do that from scratch isn't really ready for prime time yet, the NCSC's blog post explained.

"For more complex tasks, it's currently easier for an expert to create the malware from scratch, rather than having to spend time correcting what the LLM has produced," the ChatGPT cyber-threat post said. "However, an expert capable of creating highly capable malware is likely to be able to coax an LLM into writing capable malware."

The problem with ChatGPT as a cyberattack tool on its own is that it lacks the ability to test whether the code it's creating actually works or not, says Nathan Hamiel, senior director of research with Kudelski Security.

"I agree with the NCSC's assessment," Hamiel says. "ChatGPT responds to every request with a high degree of confidence whether it's right or wrong, whether it's outputting functional or nonfunctional code."

More realistically, he says, cyberattackers could use ChatGPT the same way they do other tools, like pen testing.

**ChatGPT Threat "Massively Overhyped"**

The harm to IT teams is that overblown cybersecurity risks being ascribed to ChatGPT and OpenAI are sucking already scarce resources away from more immediate threats, as Jeffrey Wells, partner at Sigma7, points out.

"The threats from ChatGPT are massively overhyped," Wells says. "The technology is still in its infancy, and there is little to no reason why a threat actor would want to use ChatGPT to create malicious code when there is an abundance of existing malware or crime-as-a-service (CaaS) that can be used to exploit the list of known and growing vulnerabilities."

Rather than worrying about ChatGPT, enterprise IT teams should focus their attention on cybersecurity fundamentals, risk management, and resource allocation strategies, Wells adds.

The value of ChatGPT, as well as an array of other tools available to threat actors, come down to their ability to exploit human error, says Bugcrowd founder and CTO Casey Ellis. The remedy is human problem-solving, he notes.

"The entire reason our industry exists is because of human creativity, human failures, and human needs," Ellis says. "Whenever automation 'solves' a swath of the cyber-defense problem, the attackers simply innovate past these defenses with newer techniques to serve their goals."

But Patrick Harr, CEO of SlashNext, warns organizations not to underestimate the longer-term threat ChatGPT could pose. Security teams, meanwhile, should look to leverage similar LLMs in their defenses, he says.

"Suggesting that ChatGPT is low risk is like putting your head in the sand and carrying on like it doesn’t exist," Harr says. "ChatGTP is only the start of the generative AI revolution, and the industry needs to take it seriously and focus on developing AI technology to combat AI-borne threats."

ChatGPT Gut Check: Cybersecurity Threats Overhyped or Not?

With HinataBot, malware authors have created a beast many times more efficient than even the scariest botnets of old, packing more than 3Tbit/s DDoS speeds.

Former Mirai hackers have developed a new botnet, dubbed HinataBot, with the potential to cause far greater damage with far fewer resources required from its operators than its predecessor.

Mirai is one of the world's most notorious botnets. In circulation since the mid-2010s, it uses Internet of Things (IoT) devices like routers and cameras to hit targets with massive amounts of traffic to force distributed denial of service (DDoS). Some of its most notorious attacks were against French technology company OVH, the government of Liberia, and DNS provider Dyn, an attack that touched websites such as Twitter, Reddit, GitHub, CNN, and many more.

Now, in a report published March 16, researchers from Akamai noted that HinataBot has only been in development since mid-January. Despite that, according to initial tests, it packs in orders of magnitude more powerful than its predecessor, reaching more than 3 Tbit/s traffic flows.

**Just How Powerful Is HinataBot?**

In its heyday, the Mirai botnet managed to flood its victims with hundreds of gigabytes per second in traffic — up to 623 Gbit/s for the KrebsOnSecurity website, and nearly 1 Tbit/s against OVH. As OVH noted at the time, that huge wave of data was enabled by a network of around 145,000 connected computers, all sending requests to their systems simultaneously.

To gauge the relative strength of HinataBot the Akamai researchers ran 10-second test attacks. "If the botnet contained just 1,000 nodes," they found, "the resulting UDP flood would weigh in at around 336 Gbps per second." In other words, with less than 1% of the resources, HinataBot was already capable of producing traffic approaching Mirai's most vicious attacks.

When they considered what HinataBot could do with 10,000 nodes — roughly 6.9% of the size of peak Mirai — the resulting traffic topped out at more than 3.3 Tbit/s, many times stronger than any Mirai attack.

"These theorized capabilities obviously don't take into account the different kinds of servers that would be participating, their respective bandwidth and hardware capabilities, etc.," Akamai researchers warned in the report, "but you get the picture. Let's hope that the HinataBot authors move onto new hobbies before we have to deal with their botnet at any real scale."

**Why Hackers Are Choosing Golang**

Much of the reason for HinataBot's improvements comes down to how it was written.

"Most malware has traditionally been written in C++ and C," explains Allen West, one of the principal researchers of the report. Mirai, for example, was written in C.

In more recent years, though, hackers have become more creative. "They're trying to take any new approach they can, and these new languages — such as Go, with its efficiencies and the way it stores strings — makes it more difficult for people to deal with."

"Go" — short for "Golang" — is the high-level programming language underpinning HinataBot. It's similar to C, but, in some ways, it's more powerful. With Golang, explains Chad Seaman, another author of the report, hackers "get better error handling, they get memory management, they get easy threaded worker pools, and a little bit more of a stable platform that provides some of the speed and performance you would associate with a C-level language, and C or C++ binaries, with a lot of things that they don't have to manage."

"It just lowers the bar on technical difficulty," he says, "while also raising the performance bar over, say, some of the other traditional languages."

For all of these reasons, Go has become a popular choice for malware authors. Botnets like kmsdbot, GoTrim, and GoBruteForcer are cases in point. "Go is becoming more performant and more mainstream and more common," Seaman says, and the malware that results is all the more powerful for it.

**How Much Should Businesses Worry About HinataBot?**

As scary as HinataBot may be, there may be a bright side.

HinataBot isn't simply more efficient than Mirai — it _must be_ more efficient because it's working with less.

"The vulnerabilities through which it's spread are not new or novel," Seaman says. HinataBot leverages weaknesses and CVEs already known to the security community and utilized by other botnets. It's an environment quite different than that of which Mirai operated in circa 2016–'17, when IoT vulnerabilities were novel and security for the devices was not top of mind.

"I don't think we're going to see a case of another Mirai, unless they get creative in how they're distributing and their infection techniques,” Seaman says. "We're not going to see another 70,000 or 100,000-node, Mirai-like threat from the Hinata authors under their current tactics, techniques, and procedures."

A less optimistic observer might note that, being only a couple of months old now, there is plenty of time for HinataBot to improve upon its limited weaknesses. "It may just be an introductory phase, right?" Seaman points out. "They're grabbing at low hanging fruit so far, without needing to go out and do anything really novel yet."

Nobody can yet say how big this botnet will become, or in what ways it'll change over time. For now, we can only prepare for what we know — that this is a very powerful tool, operating over known channels and exploiting known vulnerabilities.

"There's nothing that they're doing within the traffic that's circumventing security controls we've already put in place," notes Larry Cashdollar, the third author of the report. "The exploits are old. There are no zero days. So, as it stands, the fundamental security principles for defending against this kind of threat" — strong password policies, dutiful patching, and so on — "are the same. They're still sufficient."

Mirai Hackers Use Golang to Create a Bigger, Badder DDoS Botnet

No-code has lowered the barrier for non-developers to create applications. AI will completely eliminate it.

Since ChatGPT captured our imaginations, people have been contemplating its pending impact on the business world. This week, these thoughts became a reality, with Google and Microsoft embedding AI features into their business productivity suites.

Microsoft took another major step by releasing AI Copilot for Power Apps, Microsoft's low-code platform. Power Apps can connect far and beyond the Microsoft ecosystem, with almost a thousand built-in connectors to everything from Salesforce to on-prem and AWS. With one swift move, AI has been integrated into the day-to-day workflows of the world's largest organizations.

This is an amazing achievement, and other low-code/no-code platforms will surely try to catch up quickly. But ask yourself: Who will make the decision to integrate data with AI? Who will grant access? The answer: Every business user, and you won't even know, since they'll let AI impersonate their accounts.

**AI + Low-Code/No-Code = A Perfect Storm**

In recent years, low-code/no-code has given business users newfound freedom. They were granted developer-level power that enabled them to customize their digital experience, with the technical skills they already have rather than having to learn new ones. Business users have started building applications that solve the problems that hurt most, on top of their day-to-day business data, without relying on IT or waiting for resources. After just a few years of low-code/no-code, many enterprises find themselves with tens or hundreds of thousands of applications, built outside of IT with no oversight or control.

Forget about CI/CD or security reviews, most of these applications follow the "push save to deploy to production" model instead. Quickly and quietly, applications developed outside of IT without SDLC have become a significant portion of enterprise business applications. This has already become a major concern for enterprise security.

Enter AI. Imagine that every conversation you had with ChatGPT involved you giving it access to business data, and left behind a nice little application you could play around with and share with others. Got a long business email? Let AI shorten it for you. Need to find relevant customers in your CRM? Let AI generate statistics for you. Need to analyze user behavior over product telemetry? Let AI query the database for you. Don't stop there! Create mini-applications to allow answering those questions repeatedly, and share them with your coworkers! Every application requires access — your access. Low-code has lowered the barrier for non-developers to create applications. AI, however, will completely eliminate it.

Low-code/no-code provides ease-of-connectivity to business data by removing the difficult hurdles around authentication, and provides a host of widgets business users can combine creatively to address their needs. AI brings power to everyone, allowing them to create by simply asking for what they want. The two techniques fit together like a glove and a hand. Superpowered by AI, low-code/no-code expands from "everyone can build an application" to "everyone builds an application, for everything they think of, all of the time."

**You Are Not in Control**

Who decides what data the AI can access? You might be thinking this would be IT, or the security team, but you would be wrong. Business users are making those decisions. But how?

Imagine a scenario where every business user in a large enterprise starts to build their own applications. Setting aside the skill gap, the No. 1 hurdle to progress would be identity and access. Provisioning an application identity and granting the right permissions to it would require approval, which would trigger questions and perhaps even a security review. You won't get to tens of thousands of applications in a large enterprise this way.

To circumvent this hurdle, low-code/no-code platforms made a significant compromise: Applications can — and mostly do — impersonate users rather than have their own identities. This completely negates the permission issue. As a low-code/no-code developer, I can embed my own identity within my newly created application. I can even share my credentials with others, so they'll be able to build their own applications with my access to data or performing operations on my behalf. No more waiting for approval — we have a green light to create!

The problem with this credentials-sharing-as-a-service is that it completely negates the enterprise permission model. If users are sharing their credentials with each other, there's no easy way to distinguish them. Moreover, an application can leverage credentials across your organizational boundary — say, an employee's personal email account — in combination with a business account. To add a cherry on top, moving data between one account and the other is done by automated copy-and-paste on the low-code/no-code platform's cloud. No data gets transmitted, so there is no opportunity to block data leaking out.

Credential sharing and data leakage have been a major issue with low-code/no-code applications. AI doesn't change that, but it magnifies the scale of the problem. When AI is plugged into a low-code/no-code platform, the AI gains potential access to everything the platform can access. The transition between potential and in-practice access is up to whoever prompts the AI to build a low-code/no-code application for them. We are trusting our business users with making the right choice without any guardrails or guidance.

**Business Users Build Enterprise Applications**

More than a specific technology, low-code/no-code is an idea — a strong push into IT decentralization and business empowerment. It has already brought tremendous productivity benefits to the world's largest organizations, because the employees who know best how to impact the business are the business users.

For professionals in IT and security, this is a paradigm shift. No longer can we rely on the security savviness of developers or official security mandates. We must embrace business users and help guide them in the right direction. If we fail to do so, the forces of productivity and data-hungry AI will surely be glad to do that for us.

AI Has Your Business Data

Users of affected devices that want to mitigate risk from the security issues in the Exynos chipsets can turn off Wi-Fi and Voice-over-LTE settings, researchers from Google's Project Zero say.

A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google's Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company's Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google's Pixel 6 and Pixel 7 series of devices.

**Android Users Face Complete Compromise**

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim's phone number, Project Zero threat researcher Tim Willis wrote.

"Tests conducted by Project Zero confirm that those four vulnerabilities \[CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498\] allow an attacker to remotely compromise a phone at the baseband level," Willis said. "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." 

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being "severe" and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It's also unclear whether, or when, all affected Samsung Galaxy devices will receive the updates.

Willis said affected Google Pixel devices had already received a fix for one of the disclosed flaws (CVE-2023-24033) with the company's March 2023 security update. Google did not immediately respond to a Dark Reading request for information on when patches would be available for the remaining vulnerabilities. Vivo did not respond immediately to a Dark Reading request either, so the company's plans for addressing the vulnerabilities remain unclear as well.

**The Android Patch Gap Problem**

In the past, device vendors have taken their time addressing vulnerabilities in the Android ecosystem. So, if that's any indication, users affected by the vulnerabilities in the Samsung chipset could be in for a long wait. 

In November, Project Zero researchers reported on what they described a significant patch gap resulting from the delay between when a firmware patch for an Android device becomes available and when a device vendor actually makes it available for their users. As an example, Project Zero researchers pointed to several vulnerabilities they discovered in the ARM Mali GPU driver. Google reported the vulnerabilities to ARM last June and July, after which the latter issued patches for the flaws in July and August. Yet more than three months later, in November, when Google tested affected devices for the vulnerability, the researchers found every single device still vulnerable to the issues.

"The easy part is fixing the hardware flaws with new software," says Ted Miracco, CEO at Approov. "The harder part is getting manufacturers to push the updates to the end users and getting end users to update their devices," he says. Unfortunately, many users of the chipsets may not be quick to patch the devices and users are probably largely unaware if the vulnerabilities, he says.

Vulnerabilities like the ones Project Zero discovered in the Samsung chipsets exist not only in the Android ecosystem, but in the iOS ecosystem and any complex supply chain involving sophisticated hardware and software as well, Miracco continues. The challenge is reducing the time from detecting flaws to deploying solutions on all devices. 

"This is an area where the Android ecosystem needs to put a lot attention, as updates can be few and far between with many manufacturers of mobile devices," he says. Enterprises could mandate that users who bring their own devices (BYOD) to work must utilize devices from approved suppliers that have a track record of rapidly deploying updates, Miracco adds.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says vulnerabilities like these highlight the need for enterprises to evaluate their mobile security strategies. "It makes sense for enterprises to guide their employees on how to stay safe and if there are new requirements for enterprise access," he notes.

With so much original equipment manufacturer (OEM) fragmentation in the Android space, the patches might only be available after a few months for all the vulnerabilities discovered. "This is why it's important for enterprises to invest in security that can handle zero-day threats and can be updated over the air," Vishnubhotta adds.

Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks

The alleged mastermind of hacker forum Breach Forums, "pompompurin," has been arrested in New York City, according to court documents.

Following last year's takedown of Dark Web hacker destination Raid Forums, a new platform soon emerged in its place called Breach Forums.

Now US federal agents have a man called Conor Brian Fitzpatrick in custody, the person they allege is behind the moniker "pompompurin," and the chief operator of the BreachForums underground hacker site.

Fitzpatrick was arrested in Peekskill, New York on March 15, according to an affidavit.

"When I arrested the defendant ... he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick, b) he used the alias 'pompompurin,' and c) he was the owner and administrator of BreachForums, the data breach website referenced in the complaint," FBI special agent John Longmire testified.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cops Nab BreachForums Boss in New York

The basketball playoffs are around the corner and convincing social-engineering attacks on fans using NBA-themed lures could be too.

As it moves into the final stretch of its regular season, the National Basketball Association said over the weekend that "an unauthorized third party" netted a database filled with the names and email addresses of fans.

The data was housed by a newsletter service that it partners with, the NBA noted in a letter to those affected — an all-too-common instance of the risk that third-party vendors can represent for organizations if their security isn't properly vetted.

For the affected fans of the sport, they now have more to deal with than just handicapping the playoff picture. While account credentials, phone numbers, and other sensitive information were not included in the heist, they should still expect targeted email phishing attacks related to NBA topics, the NBA warned in the letter, which was tweeted out by one recipient. Those could include messages appearing to relate to office pools and other business-themed attacks.

"Even though the information did not contain much sensitive information, by using a name and email address, along with the knowledge that this individual has an interest in the NBA, social engineers could put together a much more appealing phishing attack than if they had none of this information," Erich Kron, security awareness advocate at KnowBe4, said in an emailed statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading