PRESS RELEASE

LONDON, July 25, 2024 /PRNewswire/ -- An investigation by Heimdal reveals that the EU is facing a surge in brute force cyber attacks on corporate and institutional networks, primarily originating from Russia.

These attackers exploit Microsoft infrastructure, particularly in Belgium and the Netherlands, to avoid detection.

The investigation into the Russian brute-force campaign has revealed several critical insights:

*   Attackers are aiming for High-Value Targets (HVTs)
    
*   Key infrastructure cities like Edinburgh and Dublin have been frequently targeted
    
*   Over half of the attack IP addresses are linked to Moscow, targeting major cities in the UK, Denmark, Hungary, and Lithuania
    
*   The rest of the investigated attack IPs can be traced back to Amsterdam and Brussels
    
*   Major ISPs like Telefonica LLC and IPX-FZCO were significantly abused
    
*   Heimdal's data shows these attacks date back to May 2024 but may have been happening even longer.
    

Prevalent Infiltration and Attack Techniques

The attackers primarily target administrative accounts using various case combinations and language variants.

Over 60% of attack IPs are new, with approximately 65% recently compromised and the rest previously abused, revealing a constantly evolving threat.

The threat actors employ known attack principles such as SMBv1 crawlers, RDP crawlers, and RDP alternative port crawlers, exploiting weak or default credentials through password guessing, spraying, and stuffing.

Additionally, their use of legitimate Microsoft infrastructure broadens the attack surface and complicates detection and response.

Data shows that attackers have actively exploited Microsoft infrastructure from the Netherlands and Belgium to increase their attack range and success odds.

Russia Leveraging State-Owned Networks to Propagate Attack

Major ISPs like Telefonica LLC and IPX-FZCO are significantly abused, with the former accounting for 27.7% of attacks from Russia.

The attackers also leveraged resources from Russian allies, including Indian telecom companies Bharat Sanchar Nigam Limited and Bharti Airtel Limited, both of which have faced recent data breaches.

Scope of Brute-Force Campaign

Russia's motivation behind these cyberattacks is multifaceted.

The reasons for these actions likely include aims to destabilize and disrupt critical infrastructure in Europe, extract sensitive data, gain financial advantage to fuel ongoing cyber-war efforts, or deploy malware.

The threat actors' mandates can span multiple types of subversive cyber-warfare ops, including seek-and-destroy, disruption of critical assets, and sabotage.

A Wake Up Call for the European Union

This persistent threat underscores the need for cybersecurity measures within EU countries, including strengthening cloud security, enforcing multi-factor authentication, conducting regular security audits, and educating employees.

Morten Kjaersgaard, Founder of Heimdal, said:

"This data shows that an entity in Russia is waging a hybrid war on Europe, and may have even infiltrated it.

The threat actors are aiming to extract as much data or financial means as possible, leveraging Microsoft infrastructure to do so.

Whoever is responsible, whether it's the state or another nefarious group, they have no shame in using Russia's allies to commit these crimes.

The exploitation of Indian infrastructure is a strong example. The data also proves these attackers have strong ties with China."

Paul Vixie, Co-Founder of SIE Europe, added:

"The data that Heimdal has uncovered is explosively evil, and SIE Europe data clearly shows how well built these Russian Wasp nests are and they show no signs of stopping.

SIE Europe does not ever traffic in Personally Identifiable Information, and this case shows the investigative power of public information once cooperatively assembled."

Read the full investigation here: Russia-Linked Brute-Force Campaign Targets EU via Microsoft Infrastructure (heimdalsecurity.com).

Heimdal Security Presents its Latest Report on Brute-Force Cyberattacks

One threat actor claims to have already gathered email addresses and associated hashes from more than 110 remote IT management databases.

Source: rafapress via Shutterstock

A threat actor on BreachForums is claiming to have harvested email addresses and associated hashes from more than 105 ServiceNow databases after exploiting two recently disclosed critical vulnerabilities in the cloud-based IT service management platform.

Researchers from Resecurity's HUNTER threat team warned late last week that the two ServiceNow vulnerabilities (CVE-2024-4879, CVSS score of 9.3 out of 10; and CVE-2024-5217, CVSS score of 9.2) were being actively exploited in the wild, and said they saw the BreachForums member putting the data up for sale at $5,000 for the whole tranche.

Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) today added the two bugs to its known exploited vulnerabilities catalog amid multiple reports of other attempts to exploit the flaws in recent days. Federal civilian executive branch agencies have until Aug. 19 to apply ServiceNow's patches, or to discontinue use of the platform until they can remediate the issue.

Resecurity researchers said that the attacks on ServiceNow should be expected. "There has been identified chatter on multiple underground forums on the Dark Web highlighting threat actors seeking compromised access to IT service desks, corporate portals, and other enterprise systems that typically provide remote access to employees and contractors," they wrote. "These systems could be used for pre-positioning and attack planning, as well as reconnaissance."

**An Unauthenticated RCE Chain Allows Total Access**

CVE-2024-4879 is an input validation vulnerability in ServiceNow's "Vancouver" and "Washington DC" versions of the platform. It enables an unauthenticated remote attacker to execute arbitrary code. The vendor has assessed the vulnerability as easy to exploit and requiring no user interaction or special conditions. CVE-2024-5217 is a similarly critical input validation flaw in the Vancouver, Washington DC and earlier editions of Now that also allows for remote code execution (RCE) and is easy to exploit.

ServiceNow issued hotfixes for both flaws on July 10 along with a fix for a third — less severe — flaw in the same software (CVE-2024-5178). AssetNote discovered the three vulnerabilities and reported them to ServiceNow in May, describing the issues as a "chain of vulnerabilities that allows full database access and full access to any servers," that organizations might be using to access cloud-hosted instances.

A public proof-of-concept exploit (PoC) was quickly published, paving the way for widespread attacks in the wild.

"On May 14, 2024, ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases," a spokeswoman said in an emailed comment. "That day, we deployed an update and have since issued a series of patches designed to address the issue" she said.  
Based on ServiceNow's investigation to date the company has not observed evidence that the activity that Resecurity said it has observed is related to instances that ServiceNow hosts, the spokeswoman said. "We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches.   

**In-the-Wild Attacks Start to Escalate**

Resecurity last week reported observing multiple attackers probing ServiceNow instances to check if they were vulnerable. "Initially, threat actors were injecting a payload and checking for a specific multiplication result in the response," Resecurity said. Next the attackers injected a payload that inspected the contents of the database and extracted it. "The final stage involved dumping user lists and collecting associated meta-data from compromised instances."  

The attacks so far have targeted Resecurity's clients (including an energy company, a data-center organization, a Middle Eastern government agency, and a software developer), critical infrastructure, foreign governments, as well as financial institutions, the Resecurity researchers noted in emailed comments to Dark Reading. Based on feedback from multiple victims, some of them appear to have been using on-premises or self-hosted versions of ServiceNow, or for some reason had opted out of receiving automatic updates from the company, the researchers said.

"Notably, some of them were not aware of the released patch, and in some cases used outdated or poorly maintained instances by their developers and software engineers," the company noted.

Imperva on July 23 also said it had observed attempts to exploit the vulnerabilities targeting organizations in the financial sector and multiple other industries. At the time, Imperva reported observing exploitation attempts across as any as 6,000 sites.

"Attackers are primarily leveraging automated tools to target login pages," Imperva said. "We're seeing two common payloads across attacks: one to test if remote code execution (RCE) is possible, and another command to show database users and passwords."

Estimates on the number of ServiceNow instances that are visible to Internet scans — and are hence likely targets for exploitation attempts — vary from more than 297,700 at the high-end to a less than 10,000 at the other end of the scale.

"Unfortunately, finding and exploiting these vulnerable systems isn't particularly difficult for motivated attackers," says Omri Weinberg, co-founder and CRO at DoControl.

**Self-Hosted MID Servers Could Become Targets**

ServiceNow is a widely used platform, and its instances often have public-facing components which threat actors can relatively easily find using automated scanning tools, Weinberg says. Once an adversary is able to find a vulnerable instance, "the exploit chain doesn't require a high level of technical sophistication, making it accessible to a broad range of attackers."

Weinberg recommends that organizations which cannot patch immediately focus on basic security hygiene like tightening access controls, increasing monitoring, and if possible, to restrict access to only trusted IP ranges.  

Naomi Buckwalter, director of product security at Contrast Security, says organizations using self-hosted proxy servers — called MID servers in ServiceNow speak — to connect internal systems to ServiceNow's cloud-based platform should pay special attention to the new flaws.

"While the MID server is not directly exposed to the Internet, attackers who manage to breach the internal network could potentially exploit these flaws to access sensitive data and disrupt critical business operations running on the Now Platform," Buckwalter says. "In a worst-case scenario, attackers could exfiltrate data, manipulate files, and gain unauthorized access to confidential information," she says. "ServiceNow has released patches to address these vulnerabilities, but organizations using self-hosted MID servers may still be at risk if they haven't applied the updates."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Patch Now: ServiceNow Critical RCE Bugs Under Active Exploit

Microsoft says that an examination of Windows crash reports around the outage shows that kernel drivers need to be carefully employed.

Source: Mundissima via Alamy Stock Photo

UPDATED

Microsoft has released more details around its assessment of the CrowdStrike Falcon outage nearly two weeks ago, noting that one takeaway is the need to reduce infosec vendors' reliance on the kernel drivers.

In a blog post published over the weekend, David Weston, vice president of enterprise and OS security at Microsoft, detailed that the company measured the impact of the incident through accessing crash reports that were voluntarily shared by customers. 

As not every customer opts to share crash reports, those are just "a subset of the number of impacted devices previously shared by Microsoft," Weston wrote. 

But the consensus that emerged was that while kernel drivers such as those employed by CrowdStrike can actually improve performance and prevent software tampering, those advantages must be rationalized against potential risk posed by their innate privileges.

"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote.

He said he believes that if security vendors can strike the right balance, organizations can minimize kernel usage while also maintaining a strong security position.

This story was updated at 9:15 a.m. ET on July 30, 2024 to correct inaccurate reporting that Microsoft revised the original 8.5 million device estimate for how many machines were affected by the CrowdStrike outage.

**About the Author(s)**

Microsoft Talks Kernel Drivers Post CrowdStrike Outage

Security presence has been heightened in Paris to ensure that the Games are safe, and Israeli athletes have been provided with even more protection.

Source: Italy Alan King via Alamy Stock Photo

The sensitive data of several Israeli athletes in the Paris Olympic Games was published on Telegram in an alleged doxing attack on Friday.

The information includes blood test results and login credentials that required France's Anti-Cybercrime Office (OFAC) to seek removal of the data after it was first reported.

A hacking group calling itself "Zeus" (likely a nod to the Games' Greek origins) is allegedly responsible, and also purportedly leaked the military status of Israeli athletes on social media a day prior.

"There are those who seek to harm the festivities of this joyous event," stated Israeli Foreign Minister Israel Katz in a letter to his French counterpart.

Both the Israeli and Palestinian delegations at the Olympics have been provided with extra protection due to the ongoing conflict in Gaza.

Roughly 18,000 French troops are in Paris to help secure the Games, in addition to the city's regular police. Israel's 88 athletes have been assigned security details, made up of both French officers and Israeli agents.

**About the Author(s)**

'Zeus' Hacker Group Strikes Israeli Olympic Athletes in Data Leak

An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites.

Source: Richard Levine via Alamy Stock Photo

Critical API security flaws have put millions of users at risk for account takeover, by using a modern authentication standard to resurrect a longtime vulnerability. The bugs were found in the Hotjar service, which tracks and records Web user activity, and in the code of the popular Business Insider global news website.

That's according to API security firm Salt Security's Salt Labs, which found that by pairing manipulation of the OAuth standard with cross-site scripting (XSS) flaws in the two sites, attackers can potentially expose sensitive data and conduct malicious activity acting as legitimate users of more than a million websites.

Hotjar, a tool that complements Google Analytics by recording user activity to analyze behavior, serves more than a million websites, including well-known brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo.

"Due to the nature of the Hotjar solution, the data it collects can include a vast volume of personal and sensitive data, such as names, emails, addresses, private messages, bank details, and even credentials under certain circumstances," according to a Salt Labs blog post on the research.

A separate but just as dangerous vulnerability found on the Business Insider website can meanwhile be exploited to perform an cross-site scripting (XSS) attack and take over accounts on that site, which has millions of global users.

More worrisome, the same combination of problems is likely widespread and lurking on whole swathes of the Internet, the researchers warned.

**A Modern Authentication Standard Meets an Old Flaw**

OAuth is a relatively new standard increasingly being used for seamless cross-website authentication, familiar to many as the engine behind the "log in with Facebook" or "log in with Google" functionality included in many websites. The standard drives the mechanism responsible for the authentication handoff between the sites, allowing user data to be shared between them. It's been known to be misconfigured upon implementation in ways that create serious vulnerabilities that span numerous sites.

XSS, meanwhile, is one of the most oft-exploited and oldest Web vulnerabilities. It allows an attacker to inject malicious code into a legitimate Web page or application in order to execute scripts in a website visitor's browser for data theft and more.

An attacker who successfully exploits an attack vector that combines the two "will gain the same permissions and functionality as the victim, and therefore, the risk will be parallel to what can actually be done by a normal system user," Yaniv Balmas, vice president of research at Salt, tells Dark Reading.

Salt Labs discovered the vulnerability on the Business Insider site on March 20 and immediately informed the company, which fixed the flaws by March 30. The Hotjar flaw was discovered on April 17, and, upon disclosure, mitigated two days later.

However, Salt researchers believe that flaws that allow attackers to exploit this combo of OAuth and XSS are likely lurking undetected on other sites, thus exposing millions of unsuspecting users to potential account takeover.

"We strongly believe this is a very common issue, and most chances are that many other online services suffer from the same issue," Balmas says.

**Hotjar Attack**

Given that XSS has been around so long, most websites have built-in protections against attacks that exploit this vulnerability. Salt researchers were able to get around them using OAuth in two separate instances on both Hotjar and the Business Insider website.

On the former, the researchers manipulated the social login aspect of Hotjar, which redirects to Google to receive a secret token through OAuth to complete authentication on Hotjar. That token is a URL that contains secret code, which is something that JavaScript code can read, creating an XSS flaw.

"To combine XSS with this new social-login feature and achieve working exploitation, we use a JavaScript code that starts a new OAuth login flow in a new window and then reads the token from that window," according to the post. "With this method, the JavaScript code opens a new tab to Google, and Google automatically redirects the user back to \[the Hotjar site\] with the OAuth code in the URL."

The code reads the URL from the new tab and extracts the OAuth credentials from it. Once the attackers have a victim's code, they can start a new login flow in Hotjar, replacing their code with the victim code and leading to a full account takeover and thus potential exposure of all the personal data collected by Hotjar.

**Exploiting Mobile Logins**

The researchers also managed to exploit the social sign-in feature integrated into the code of the Business Insider website, specifically through mobile authentication, which opens a new Web browser to authenticate the user. After the user completes the authentication on the Web, they are then redirected to an endpoint with their credentials as parameters that are sent from the Web to the mobile site.

"This endpoint, created only to support authentication using the mobile application, is vulnerable to XSS," according to the post. Thus, if an attacker can read the credentials from the URL, they can achieve account takeover.

"What we need to do is write JavaScript code that starts a login flow, wait for the token to be visible in the URL, and then read that URL," according to the post. "If a victim clicks on that link, their credentials will be passed to a malicious domain."

Though the flaws specifically found on Hotjar and Business Insider have been mitigated, the potential for exploit on other sites means site administrators need to be careful in how they implement OAuth, lest it be used in similar attack scenarios, Balmas says.

"As always, when implementing any new technology, many things need to be considered, including, of course, security," he says. "A solid implementation that considers all possible options should be secure and will not allow an attacker an opportunity to abuse this attack vector."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

This year's conference will be a treasure trove of insights for cybersecurity professionals.

Meny Har, CEO & Co-Founder, Opus Security

July 29, 2024

3 Min Read

Source: Anton Gvozdikov via Alamy Stock Photo

COMMENTARY

As always, Black Hat USA 2024 promises to be a treasure trove of insights for cybersecurity professionals. The artificial intelligence craze notwithstanding, vulnerability remediation continues to be the core focus for all sizes of organizations seeking to make security more efficient. Understandably, this year's conference promises a variety of approaches, case studies, and informative discussions on this topic. Here are the seven most illuminating sessions we suggest you attend, for insights on discovering, prioritizing, and patching vulnerabilities: 

**Breaching AWS Accounts Through Shadow Resources**

Speakers: Yakir Kadkoda, Michael Katchinskiy, Ofek Itach   
Date: Wednesday, Aug. 7, 10:20 a.m.-11 a.m.   
Tracks: Cloud security, enterprise security

Did you know that six critical vulnerabilities in Amazon Web Services (AWS) have the potential to lead to severe breaches, including remote code execution and information disclosure? This session dives into a methodology for discovering these vulnerabilities, and the speakers will introduce a new open source tool for researching service internal API calls. This session is essential for understanding and mitigating complex cloud vulnerabilities. 

**Predict, Prioritize, Patch: How Microsoft Harnesses LLMs for Security Response**

Speaker: Bill Demirkapi   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: AI, ML & data science, application security: defense

Joining this session will help you understand more about how Microsoft leverages large language models (LLMs) to streamline security response workflows. Hear about practical applications of LLMs for deriving vulnerability information, predicting report severity, and generating root causes from crash dumps. This is a seminal session for organizations looking to enhance their vulnerability management with AI. 

**Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction**

Speakers: Adnan Khan, John Stawinski   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: Enterprise security, application security: offense

This technical deep dive addresses the security risks associated with self-hosted CI/CD runners, highlighting critical vulnerabilities discovered in GitHub and other platforms. Attendees will learn how to defend against pipeline poisoning and privilege escalation attacks, which are vital for securing the software development life cycle. 

**The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)**

Speaker: Liv Matan   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: Cloud security, application security: offense

Explore how a single faulty command in Google Cloud Platform (GCP) led to a critical RCE vulnerability, affecting millions of servers. This session will provide insights into the complexity of cloud services and present tools for uncovering hidden APIs used by cloud providers. Security leaders managing cloud security in their organizations and seeking to understand cloud service vulnerabilities will find this talk invaluable. 

**Will We Survive the Transitive Vulnerability Locusts?**

Speakers: Eyal Paz, Liad Cohen   
Date: Thursday, Aug. 8, 2:30 p.m.-3 p.m.   
Tracks: Application security: defense, exploit development & vulnerability discovery

Learn about the risk of transitive dependencies in software projects, with speakers clearly demonstrating how these vulnerabilities can be exploited. Attendees will learn practical strategies for mitigating these risks and prioritizing vulnerabilities in their threat model, which is crucial for secure software development. 

**Break the Wall From Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls**

Speakers: Qi Wang, Jianjun Chen, Run Guo, Chao Zhang, Haixin Duan   
Date: Thursday, Aug. 8, 2:30 p.m.-3 p.m.   
Tracks: Application security: offense, cloud security

Discover how protocol-level evasion vulnerabilities in WAFs can be exploited to bypass security measures. This session introduces WAF Manis, a novel testing framework that uncovered 311 evasion cases and could be extremely useful for those looking to strengthen their Web application defenses against sophisticated attacks. 

**Are Your Backups Still Immutable, Even Though You Can't Access Them?**

Speakers: Ryan Kane, Rushank Shetty   
Date: Thursday, Aug. 8, 3:20 p.m.-4 p.m.   
Tracks: Enterprise security, application security: offense

This session explores the security of immutable backups, highlighting how attackers can target the infrastructure hosting backup data. Learn the processes, failures, and successes in testing immutable backups, crucial for ensuring data resilience against ransomware attacks.

These sessions and many others on vulnerability remediation are a testament to the growing importance of building a culture of proactive security, by addressing the constantly evolving attack surfaces and staying vigilant. Ensuring that you have a robust vulnerability remediation process is a critical and vital security checkpoint in your organization's security posture. 

**About the Author(s)**

CEO & Co-Founder, Opus Security

Meny Har is the CEO and co-founder of Opus Security, a cloud-native security remediation platform, helping security teams orchestrate remediation processes from start to fix. Before founding Opus, he was part of the founding team and vice president of product with the cloud-native SOAR platform Siemplify, which was acquired by Google Cloud in January 2022. Meny has more than 15 years of cybersecurity experience, with a proven track record of building, validating, and scaling successful products.

7 Sessions Not to Miss at Black Hat USA 2024

A large text-message phishing attack campaign attributed to the China-based Smishing Triad employs malicious iMessages.

Image Source: dbtravel via Alamy Stock Photo

A China-based hacking group known as Smishing Triad has waged text message-borne phishing attacks against individuals in India, using the country's government-operated postal system as a lure.

The threat actors are targeting iPhone users with text messages falsely claiming that a package is awaiting collection at an India Post warehouse. The deceptive messages contain URLs leading to fraudulent websites.

According to a new Fortinet FortiGuard Labs report, between January and July 2024, more than 470 domain registrations were mimicking India Post's official domain, with the majority registered via Chinese and American domain registrars.

Researchers at FortiGuard Labs discovered phishing emails sent via iMessage using third-party email addresses like Hotmail, Gmail, and Yahoo. Apple ID accounts configured with these third-party emails send the malicious messages containing short URLs that direct recipients to the fraudulent websites.

**Text Phishing Goes Postal**

India Post is just the latest mail service to face mobile phishing attacks. The US Postal Service (USPS) recently found its name abused in smishing attacks orchestrated by a single threat actor based in Tehran. Another recent smishing attack aimed at US citizens informed them they had unpaid road tolls, with the aim of coercing targets into giving up their bank information.

Stephen Kowski, field CTO at SlashNext Email Security+, says the India Post phishing campaign highlights the evolving tactics of threat actors.

"They are now leveraging trusted communication channels like iMessage to deceive victims, underscoring the need for comprehensive mobile Web threat protection that can detect and block malicious URLs, even when wrapped in encrypted messages," he says.

As SMS- and other text-based attacks become increasingly sophisticated, organizations must prioritize educating their users on how to identify and report suspicious messages, he notes. "They must also implement robust security measures that can inspect and mitigate threats in real-time, regardless of the communication channel used."

By extending security controls to the mobile Web, organizations can better protect their users from these types of attacks, even when they occur outside of traditional network perimeters.

**"Mobile First" Attacks Rise**

Mobile devices are a prime target for phishing campaigns, given the amount of phishing vectors available to attackers, be it SMS, QR codes, third-party communication apps, or personal email.

This, combined with a relative false sense of security most users and organizations have on mobile, and a lack of active security controls, make mobile phishing campaigns a low risk, high reward for attackers for both personal and corporate information.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says this type of "mobile first" attack is something that is occurring more and more every day.

"Cybercriminals and hackers have begun to realize that there's a false sense of security with mobile devices, particularly those on iOS," he says.

Users tend to be less careful on their mobile devices than on a standard computer or laptop, and they rarely have proper security controls in place on their mobile devices.

"Our own research has shown a significant rise recently in mobile-targeted phishing attacks that only fully execute the attack when the link is clicked from a mobile device," he says. "Users must be on guard for anything that appears unusual, especially related to a text message or SMS."

He advises companies to have strong mobile endpoint protection defenses on employee phones to protect against exactly this type of attack, or worse.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

China-Backed Phishing Attack Targets India Postal System Users

Several vendors for consumer and enterprise PCs share a compromised crypto key that should never have been on the devices in the first place.

Source: Lim Yong Hian via Shutterstock

Attackers can bypass the Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors, because they all share a previously leaked cryptographic key used in the device startup process.

The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device's firmware and boot software.

Unfortunately, researchers from firmware security vendor Binarly discovered that the key had been publicly exposed in a data leak back in 2018. "This key was likely included in \[AMI's\] reference implementation with the expectation that it would be replaced with another safely generated key by downstream entities in the supply chain," Binarly said in a posting on the issue this week.

**The PKFail Secure Boot Issue**

What appears to have happened is that an original equipment manufacturer (OEM) used the AMI test key for firmware it produced for different Intel and ARM-based device makers. The result is there are potentially millions of consumer and enterprise devices around the world that are currently using the same compromised AMI PK during the secure bootup process, says Alex Matrosov, CEO and founder of Binarly. Affected vendors include Lenovo, HP, Asus and SuperMicro.

"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," says Matrosov, who has dubbed the issue as "PKFail." The issue makes it easier for attackers to, among other things, deploy Unified Extensible Firmware Interface (UEFI) bootkits like last year's BlackLotus, which offer persistent kernel access and privileges.

"The fix is easy: the compromised key needs to be replaced, and device vendors need to ship a firmware update," Matrosov says. Several have already done so, he notes. However, in many cases — as with data center servers, for instance, or for systems used in critical applications — the firmware updates could take some time to be deployed.

"Exploitation of this issue is trivial in the case that the device is impacted," he says, pointing to a proof-of-concept exploit (PoC) that Binarly developed for PKFail. Matrosov recommends that organizations disconnect devices with the leaked AMI PK from critical networks until they are able to deploy a firmware upgrade.

**A Master Key and a Really Big Deal**

The PKfail issue is a big deal because it makes it easy for hackers to bypass Secure Boot, which is like having a master key that unlocks many houses, said Rogier Fischer, CEO of Netherlands-based Hadrian in an emailed comment. "Since the same keys are used across different devices, one breach can affect many systems, making the problem widespread," he said.

PKFail is the only the latest manifestation of a problem that has been around for more than a decade, which is the tendency by OEMs and device-makers to use non-production and test cryptographic keys in production firmware and devices, Matrosov says. The AMI PK for instance was clearly meant to be treated as completely untrusted, and yet it ended up in devices from multiple vendors.

Binarly's report pointed to an incident in 2016 tracked as CVE-2016-5247, where security researchers discovered multiple Lenovo devices that shared the same AMI test PK. At the time, the National Vulnerability Database described the issue as allowing "local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key."

Ultimately, PKFail is a manifestation of poor cryptographic key management practices in the device supply chain, Binarly said in its report.

"This is a huge problem," Matrosov says. "If you think about an apartment complex where all the door locks have the same keys. If one key goes missing, it could create problems for everyone."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Devices Vulnerable to 'PKFail' Secure Boot Bypass Issue

Researchers track the healthcare sector as experiencing the biggest financial losses, with banking and transportation following close behind.

Source: SOPA Images Limited via Alamy Stock Photo

As the CrowdStrike Falcon outage story continues to unfold, the monetary losses to businesses from the global incident continue to rise: The volume is likely to reach $5.4 billion in costs for Fortune 500 companies, according to a report from Parametrix.

Parametrix researchers have found that roughly 25% of Fortune 500 companies experienced disruptions due to the incident, the most heavily affected industries financially being healthcare ($1.94 billion in estimated losses) and banking ($1.15 billion). In addition, a shocking 100% of the transportation and airlines sector was affected, and the group will rack up an estimated $0.86 billion in losses, according to the forecast. The $5.4 billion estimate excludes Microsoft.

The researchers noted that the outage impact to some industries, like software and IT-related services, is more likely to cause a "ripple effect beyond Fortune 500 companies," though hard numbers were not quantified in the report.

Parametrix previously detailed how the cloud acted as the catalyst for the widespread impact of the outage, and said that "the event highlights the critical dependency of major corporations on cloud services, and the systemic risks posed by such disruptions." To prevent future losses, the new report encourages cyber insurers and risk-assessors to concentrate on mapping, managing, and assessing cloud-based service provider exposure; and stressed that it's important to take a broad view, and not rely solely on the CrowdStrike event as a primary reference for "modeling future system failures involving cloud-based service providers."

**About the Author(s)**

CrowdStrike Outage Losses Estimated at a Staggering $5.4B

The campaign is laser-targeted, bucking the trend of "spray-and-pray" malicious open source packages turning up in code repositories seemingly every other day.

Source: Penta Springs Limited via Alamy Stock Photo

Researchers have come across a rather odd Python code package online that aims to steal Google Cloud Platform credentials from a very limited set of macOS victims.

The package, "lr-utils-lib," was uploaded to the Python Package Index (PyPi) early in June, and conceals its malicious code in the setup file, Checkmarx explained in a blog post on July 26 — thus allowing it to execute right away upon installation. Then, the code checks that it's running on a macOS system, and if so, checks the system's IOPlatformUUID, which is the value used to identify a particular Mac computer.

It turns out that the malware is highly targeted, only looking to infect a predetermined list of 64 specific machines. Further information about those machines, and the attacker targeting them, is unknown at this point, but it's worth noting that the package's name is very close to that of a legitimate package called "lr-utils," which is widely used in deep learning and neural networks applications, and to download large data sets. Dark Reading has sent a request for comment to Checkmarx to see if this could give a sense of the possible targets of the campaign.

In any event, from those machines, lr-utils-lib attempts to exfiltrate Google Cloud Platform credentials to a remote server, with the potential for follow-on attacks on cloud assets, including data theft, malware implantation, and the introduction of vulnerable components into the environment that can be exploited for lateral movement. As Ross Bryant, head of research at Phylum, explains, "The risk is obvious. Anyone who has your digital credentials effectively has all your rights and privileges."

Another interesting aspect of the campaign involves social engineering. The package owner goes by the name "Lucid Zenith," and apparently claims to be the CEO of a legitimate organization — Apex Companies LLC — on LinkedIn. There is also another LinkedIn profile belonging to the real CEO of the company, but the fake page is apparently so convincing that some AI platforms, including Perplexity, incorrectly stated that Lucid Zenith is the true CEO of the company, Checkmarx noted.

"We queried various AI-powered search engines and chatbots to learn more about Lucid Zenith’s position," according to the post. "What we found was a variety of inconsistent responses."

It added, "This was quite shocking since the AI-powered search engine could have easily confirmed the fact by checking the official company page, or even noticing that there were two LinkedIn profiles claiming the same title."

**Targeted Package Attacks: A Rare Phenomenon**

Malicious packages are utterly commonplace, masquerading as legitimate and useful software components while hiding their true nature. And more often than not, that true nature involves data theft. And because open source software (OSS) is, by definition, open to anyone, it's typically a good way to breach a wide variety of targets across regions.

This campaign stands out, Bryant explains, because OSS is being used in a highly targeted manner; however, there is limited precedent for the approach. For instance, "the malicious npm packages that we have seen associated with North Korean activity appear to be highly targeted," he says. Each package has unique identifiers which we attribute to individual targets. Once the victim has been compromised, the attacker immediately unpublishes the package, leaving behind almost no trace. This has been effective enough to steal billions of dollars worth of cryptocurrency."

Dark Reading has reached out to Checkmarx for more information about lr-utils-lib, including its current status. At the time of writing, a search for it on PyPi yielded no results, but it can still threaten those who have already imported it into their projects.

To mitigate the risk that your organization unwittingly accepts one of these laser-targeted packages, "Vigilance is required at every upgrade for every package and all its dependencies in an organization's software supply chain," says Bryant. "Developers should also be wary of social engineering attacks that have been very effective lately."

For its part, Checkmarx stressed that critical thinking is an invaluable asset when it comes to defending against this kind of attack. "Users should ensure they are installing packages from trusted sources and verify the contents of the setup scripts," according to the post. "The associated fake LinkedIn profile and inconsistent handling of this false information by AI-powered search engines ... serves as a reminder of the limitations of AI-powered tools for information verification, drawing parallels to issues like package hallucinations. It underscores the critical need for strict vetting processes, multi-source verification, and fostering a culture of critical thinking."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading