We take a look at the latest additions to security researchers’ armory

We take a look at the latest additions to security researchers’ armory

Here’s our latest round-up of hacking tools available to pen testers, enterprise security specialists, and other infosec professionals at the start of the third quarter of 2022.

**TruffleHog v3 adds support for more than 600 key types**

The newest version of TruffleHog has landed with support for more than 600 key types, furthering the tool’s ability to hunt for credential leaks.

Leaked credentials, including secret key pairs, are a serious cybersecurity issue. Keys can be abused to compromise enterprise networks, often more covertly and for longer time periods than the exploit of vulnerabilities in popular software.

Available on GitHub, TruffleHog is an open source project tool for discovering keys leaked via JavaScript or too-permissive CORS settings in APIs.

Read more about TruffleHog v3

**PacketStreamer reveals potential hacking behavior**

Deepfence has launched PacketStreamer, a new open source tool that captures network traffic from multiple sources to reveal potential hacking behavior.

PacketStreamer sensors collect raw network packets on remote hosts, apply filters, and forward them to a central receiver process where they are written in pcap format. Traffic streams can be compressed or encrypted using Transport Layer Security (TLS).

The company says the sensors impose little performance impact on the remote hosts, and that they can be run on bare-metal servers, on Docker hosts, and on Kubernetes nodes.

Users can then process the pcap file or live feed the traffic to tools such as Zeek, Wireshark, or Suricata, or as a live stream for machine learning models.

Read more about PacketStreamer

**GhostTouch reads your phone’s touchscreen without touching it**

Some attacks on smartphones require physical access to the device and interactions with the touchscreen. So your phone is more or less safe as long as no one touches it, right?

Wrong, according to a new research paper by security researchers at Zhejiang University, China, and the Technical University of Darmstadt, Germany.

To be presented at the Usenix Security Symposium in July, the paper (PDF) introduces GhostTouch, a type of attack that can execute taps and swipes on the phone’s screen from a distance of up to 40 millimeters.

According to the researchers’ findings, an attacker can use GhostTouch to carry out several types of malicious actions, including initiating calls and downloading malware.

Read more about GhostTouch

**YARAify scans suspicious files against a repository of YARA rules**

Security teams have a new tool to hunt for malware, using open source YARA rules.

YARAify can scan files using public YARA rules, integrate public and non-public YARA rules from Malpedia, operated by Germany’s Fraunhofer Institute, and scan using open and commercial ClamAV signatures.

Researchers can set up hunting rules to match both YARA rules and ClamAV signatures, and link YARAify to other tools via APIs.

Read more about YARAify

**YOU MIGHT ALSO LIKE** Bug Bounty Radar // The latest bug bounty programs for July 2022

Latest web hacking tools – Q3 2022

New web targets for the discerning hacker

New web targets for the discerning hacker

Bounty hunting remains a popular business, with a report this month revealing that the vast majority of ethical hackers would like to do more.

The survey, from Belgian bug bounty platform **Intigriti**, found that 96% were keen to spend more time bounty hunting, with two thirds considering it as a full-time career. The biggest draw is the money, cited by nearly half, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart malicious hackers.

Currently, more than half of bug bounty hunters are also in full-time employment elsewhere, and around a third are students. More than one in five, though, get more than a quarter of their total income from bounty payouts.

And for those keen to get stuck in, there’s a new invite-only bug bounty program for the French government’s identity authentication application, **France Identité**, launched earlier this year to complement the country’s new electronic identity cards.

Hosted by Paris-based ethical hacking platform **YesWeHack**, the program has recruited 30 ethical hackers so far, with specific skills relating to the application, particularly cryptography. It will eventually be opened to all, and will run for the mobile app’s lifetime.

Finally, **Google**’s been generous lately, paying out more than $300,000 for reports on a variety of flaws in Google Cloud Platform (GCP) during last year.

Security researcher Sebastian Lutz took first prize, with an award of $133,337, for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources. Second place, meanwhile, went to Hungarian researcher Imre Rad, who earned $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The program, which kicked off in 2019, now represents a fair chunk of the total $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

**The latest bug bounty programs for July 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Animal Friends**

**Program provider:**  
Independent

**Program type:**  
Public

**Max reward:**  
£400 ($480)

**Outline:**  
UK pet insurance company Animal Friends has launched a public bug bounty program that’s focused on securing its corporate website, customer portal, vet portal, and sales platform.

**Notes:**  
Discussing the new program, the insurance provider said: “No system is ever perfect, and therefore Animal Friends believes that working with skilled security researchers around the world is crucial to identify and fix any weaknesses.”

Check out the Animal Friends bug bounty page for more details

**ClickHouse**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time.

**Notes:**  
The main focus of the public program is the open source version of the ClickHouse platform.

Check out the ClickHouse bug bounty page at Bugcrowd for more details

**France Identité**

**Program provider:**  
YesWeHack

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The French government has launched an invite-only bug bounty program for its newly launched identity authentication application, ‘France Identité’.

**Notes:**  
Hosted by Paris-based ethical hacking platform YesWeHack, the program will eventually be opened up to all security researchers and then run for the mobile app’s lifetime.

Check out our recent coverage for more details

**MetaMask**

**Program provider:**  
HackerOne

**Program type:**  
Public

**Max reward:**  
$50,000

**Outline:**  
MetaMask, one of the most widely used wallets for interacting with distributed applications, has launched a bug bounty program offering rewards of up to $50,000 for critical vulnerabilities.

**Notes:**  
MetaMask is particularly seeking reports demonstrating how an attacker could extract the secret recovery phrase or a private key from a wallet, or make a user’s wallet behave in “unexpected ways”.

Check out the MetaMask bug bounty page at HackerOne for more details

**Opera**

**Program provider:**  
Independent

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The developers behind the Opera web browser have launched a private bug bounty program to accompany the existing public program that’s housed on the Bugcrowd platform.

**Notes:**  
There are currently few details relating to this private program, although anyone expressing an interest must already have a Bugcrowd ID.

Check out Opera’s private bug bounty page for more details

**Phemex**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
Cryptocurrency trading platform Phemex has partnered with Bugcrowd to launch a bug bounty program.

**Notes:**  
Researchers have been tasked with finding bugs in the Phemex website and mobile apps. Cross-site scripting (XSS) and denial-of-service (DoS) exploits are out of scope.

Check out the Phemex bug bounty page at Bugcrowd for more details

**Other bug bounty and VDP news this month**

*   The 2022 **President’s Cup Cybersecurity Competition** is due to launch later this summer. Hosted by CISA, the annual national cyber competition aims to identify and reward the best cybersecurity talent in the federal executive workforce. Registration is now open for eligible participants.
*   **GameStop**, **Oanda**, and **PlanetArt** have launched (unpaid) VDPs on HackerOne.
*   Security pro Quinten Bowen has launched a **malware analysis capture-the-flag** (CTF) competition. Registration is free, and the CTF has “beginner to intermediate level flags” associated with static and dynamic analysis.

Curated by James Walker. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for June 2022

Bug Bounty Radar // The latest bug bounty programs for July 2022

All users who shared their email address with NFT marketplace told: ‘Assume you were impacted’

All users who shared their email address with NFT marketplace told: ‘Assume you were impacted’

UPDATED OpenSea, the world’s largest non-fungible token (NFT) marketplace, has revealed that a rogue employee at a third-party vendor has shared its users email addresses with an unauthorized external entity.

“If you have shared your email with OpenSea in the past, you should assume you were impacted,” users were warned by OpenSea head of security Cory Hardman in a blog post yesterday (June 29).

According to OpenSea, the culprit was employed by Customer.io, an automated messaging platform used by marketers to create and send emails, push notifications, and SMS messages.

Catch up with the latest blockchain security news

“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” said Hardman.

“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”

Customer.io issued the following statement to The Daily Swig:

  

As soon as we learned of the incident, we took immediate steps to investigate, contain its impact and determine its source, including hiring a third-party forensic investigations firm. We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised.

We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.

Additionally we are always working to improve our security and we have launched a comprehensive review of our access and compliance policies and will make adjustments where necessary.

**Phishing warning**

Hardman warned users of “a heightened likelihood for email phishing attempts”, and urged them to “be alert for any attempt to impersonate OpenSea” from email addresses that look “visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”

Moreover, continued Hardman, users should always scrutinize embedded hyperlinks before clicking, and never download attachments from emails purporting to be from OpenSea, or share passwords or secret wallet phrases, or sign wallet transactions, when prompted via email.

Over on Twitter, security researcher ‘CIA Officer’ advised users to be vigilant about the use phishing tool Email Appender, IP-loggers, and canary tokens.

“I strongly recommend checking email header, domain and disable ‘download remote content’, also do not forget about MFA \[multi-factor authentication\]!” they added.

Founded in in New York in 2017, OpenSea claims to be the world’s first as well as biggest marketplace focused on NFTs and crypto collectibles.

This article was updated on June 30 with comment from Customer.io

DON’T MISS Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

OpenSea user email addresses leaked by rogue employee at third-party vendor

All users who shared their email address with NFT marketplace told: ‘Assume you were impacted’

UPDATED OpenSea, the world’s largest non-fungible token (NFT) marketplace, has revealed that a rogue employee at a third-party vendor has shared its users email addresses with an unauthorized external entity.

“If you have shared your email with OpenSea in the past, you should assume you were impacted,” users were warned by OpenSea head of security Cory Hardman in a blog post on June 29.

The alleged culprit was employed by Customer.io, an automated messaging platform used by marketers to create and send emails, push notifications, and SMS messages.

Catch up with the latest blockchain security news

“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” said Hardman.

“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”

**Security improvements**

Customer.io initially told The Daily Swig that “the employee in question has had all access removed and has been suspended pending the conclusion of our investigation”.

That investigation then unearthed further leaks, with Customer.io issuing a further statement on July 7 saying it had learned that the rogue employee had provided email addresses associated with five other customers “to the same external bad actor”.

It continued:

  

We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor. This action was limited to this single employee.

Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.

The protection of our customer’s data is our first priority and this employee’s actions let us all down. We have alerted the five other customers to this information and sincerely apologize to them.

Customer.io said that a comprehensive security review of access and security policies had already resulted in a number of changes.

These include intrusion detection and immutable logging improvements to provide more proactive notifications of data exfiltration, further restrictions on access to production systems and data stores, rotation of all access and authorization keys for critical services, and turning access to customer account data off by default.

Moreover, when permitted to access customer accounts, Customer.io staff can no longer export customer data.

The firm said it was also retraining all staff on security policies.

Finally, Customer.io said it did “not expect to learn \[of\] any additional information \[being compromised\] since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job”.

**Phishing warning**

Cory Hardman from OpenSea warned users of “a heightened likelihood for email phishing attempts”, and urged them to “be alert for any attempt to impersonate OpenSea” from email addresses that look “visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”

Moreover, continued Hardman, users should always scrutinize embedded hyperlinks before clicking, and never download attachments from emails purporting to be from OpenSea, or share passwords or secret wallet phrases, or sign wallet transactions, when prompted via email.

Over on Twitter, security researcher ‘CIA Officer’ advised users to be vigilant about the use phishing tool Email Appender, IP-loggers, and canary tokens.

“I strongly recommend checking email header, domain and disable ‘download remote content’, also do not forget about MFA \[multi-factor authentication\]!” they added.

Founded in in New York in 2017, OpenSea claims to be the world’s first as well as biggest marketplace focused on NFTs and crypto collectibles.

This article was updated on June 30 with comment from Customer.io, and then with an additional update from Customer.io on July 11

DON’T MISS Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

OpenSea among six organizations affected by email address leak by rogue employee at third-party vendor

Fixed bug could allow attackers to extract sensitive information

Ben Dickson 30 June 2022 at 10:20 UTC

Fixed bug could allow attackers to extract sensitive information

  

A recently-patched security hole in Chromium browsers allowed attackers to bypass safeguards against dangling markup injection’, an attack that extracts sensitive information from webpages.

While dangling markup injection is well-known and -addressed in Chromium browsers, the new attack took advantage of an unaddressed case in how the browser upgrades unsafe HTTP connections.

**Extracting sensitive markup**

Dangling markup injection captures data cross-domain in situations where full cross-site scripting (XSS) attacks aren’t possible.

If an application doesn’t sanitize user-supplied data before integrating it into the markup, an attacker can take advantage to force the page to send some of the page’s markup to their own server.

For example, the attacker can inject HTML markup that includes a specially crafted element that invokes a resource on the attacker’s server and sends HTML markup on the page as the query string to the server.

The Chromium team has been patching dangling markup injection bugs since 2017 and has added restrictions to escape or remove HTML markup inserted into URL strings.

**Safe connection, unsafe markup**

Chromium also has another security feature that upgrades unsafe HTTP protocols used in the HTML markup.

For example, if the src attribute of an tag refers to an HTTP address, the browser automatically upgrades it to HTTPS to enforce encrypted connections.

SeungJu Oh, the security researcher who reported the new bug, discovered that when the browser upgrades an in-page URL from HTTP to HTTPS, it bypasses the dangling markup injection safeguards.

As a result, if an attacker provides a dangling markup injection string that uses the HTTP scheme, it will not go through the dangling markup injection sanitization process when the URL is upgraded to HTTPS.

Oh provided a proof of concept with an tag, but also said that the same scheme works with audio, video, and possibly more tags.

“This allows attackers to get personal information by leaking the user’s content when \[the\] script is unavailable due to security elements such as CSP,” Oh writes.

According to the conversation thread in the Chromium bug report platform, the function that switches the URL protocol to HTTPS causes the dangling markup flag to become false, which in turn bypasses the security checks on the URL string. The bug has been patched in the new version of Chromium-based browsers.

The findings further highlight the necessity to sanitize user input before integrating it into the markup.

It is also a reminder of the complexities of managing the security of products that have many moving parts.

Sometimes, a security fix in one part of the program can break the safeguards in another, as Chromium’s latest dangling markup injection vulnerability shows.

YOU MAY ALSO LIKE UnRAR path traversal flaw can lead to RCE in Zimbra

Chromium browsers vulnerable to dangling markup injection

Other applications using binary to extract untrusted archives are potentially vulnerable too

Other applications using binary to extract untrusted archives are potentially vulnerable too

A path traversal vulnerability in RarLab’s UnRAR binary can lead to remote code execution (RCE) on business email platform Zimbra and can potentially affect other software.

The UnRAR utility is used to extract RAR archives to a temporary directory for virus-scanning and spam-checking purposes.

However, a recently patched file-write flaw (CVE-2022-30333) means an unauthenticated attacker can “create files outside of the target extraction directory when an application or victim user extracts an untrusted archive”, according to a blog post published by Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource).

Catch up with the latest security research news

If malicious hackers manage to write to a known location, continued Scannell, they could potentially execute arbitrary commands on the system.

Successful exploitation of the high severity (CVSS 7.5) issue on Zimbra, an open source platform used by more than 200,000 businesses, “gives an attacker access to every single email sent and received on a compromised email server”.

They can also silently backdoor login functionalities and steal users’ credentials, as well as escalate access to an organization’s other internal services, warned Scannell.

**Symlink protection bypass**

The flaw resides in UnRAR’s mechanism for preventing symbolic link (symlink) attacks on Unix systems, whereby the function for validating relative symlinks, ,checks if the symlink target contains on Unix or on Windows.

This check can, however, be negated due to the fact that untrusted input is sometimes modified after it has been validated, which breaks assumptions made during the validation step.

Specifically, once the symlink has been validated, UnRAR converts backslashes (\\) to forward slashes (/) with to ensure that a RAR archive created on Windows can be extracted on a Unix system.

“By exploiting this behavior, an attacker can write a file anywhere on the target filesystem,” said Scannell.

**RCE on Zimbra**

Since the Amavis content filter used by Zimbra to analyze extracted files operates as the Zimbra user, added Scannell, the file-write primitive allows the creation and overwriting of files in other services’ working directories too.

The researcher detailed how an attacker could achieve RCE on Zimbra by writing a JSP shell to the web directory, using a file-based command injection, or creating an SSH key.

Sonar notified RarLab of the flaw on May 4, 2022, and a security patch was included with version 6.12 binaries, which were released on May 6.

Zimbr developer Synacor was also warned about the flaw on May 4 so it could warn users to patch their cloud instances.

A blog post detailing the technicalities was published yesterday (June 28).

Only Unix binaries – excluding Android – and implementations using RarLab’s code are affected.

Scannell thanked RarLab’s developers for “their very fast and professional handling of this issue”, and shouted out Zimbra’s security team for “warning their customers to help prevent exploitation”.

Zimbra is something of a specialty for Sonar, whose researchers have in the last 12 months discovered a bug chain leading to full Zimbra server compromise, an XSS flaw that powered spear phishing campaigns, and, only two weeks ago, a memcached injection vulnerability that imperilled login credentials.

RELATED Business email platform Zimbra patches memcached injection flaw that imperils user credentials

UnRAR path traversal flaw can lead to RCE in Zimbra

Team behind Abuse.ch and ThreatFox launch new hub for scanning and hunting files using YARA

Team behind Abuse.ch and ThreatFox launch new hub for scanning and hunting files using YARA

Security teams have a new tool to hunt for malware, using open source YARA rules.

YARAify can scan files using public YARA rules, integrate public and non-public YARA rules from Malpedia, operated by Germany’s Fraunhofer Institute, and scan using open and commercial ClamAV signatures.

Researchers can set up hunting rules to match both YARA rules and ClamAV signatures, and link YARAify to other tools via APIs.

**Pattern matching**

YARAify was developed by security researchers at Abuse.ch, a project from the Institute for Cybersecurity and Engineering (ICE) at the University of Applied Sciences at Bern, Switzerland.

According to founder Roman Hüssy, YARA rules are powerful but difficult to handle.

For example, rules are spread across platforms and git repositories, and there is no simple way to share them. Nor is there a single, consistent naming convention for YARA rules, leading to duplication and difficulties in rule handling.

Hüssy has added both a unique identity, , and YARAhub to help researchers share rules.

**RECOMMENDED** GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

Rule authors can also set up TLP classifications on YARAhub to allow others to use the YARA rule to hunt for threats, without seeing the rule itself.

“YARA is an open source tool for pattern matching,” Hüssy told _The Daily Swig_. “It allows anyone, usually security researchers or vendors of security software, to write their own rules to detect \[issues\] such as malicious or suspicious files.

“We decided to launch the YARAify platform to the public to allow anyone to share their YARA rules with the community in a structured way and to use those to hunt for suspicious and malicious files seen within the Abuse.ch universe.”

Hüssy hopes that YARAify will become the default platform for security researchers to share YARA rules. The response so far has been overwhelmingly positive, he said.

**Threat intel**

Security vendors are increasingly supporting YARA rules in their own applications, and YARA rules are used widely by SOCs and in threat hunting and threat intelligence.

Data protection and resilience vendor Rubrik, for example, has built support for YARA rules into its tools, to help IT teams with incident containment, and with threat hunting, especially to prevent a firm reinfecting its systems from compromised backups.

"When talking about YARA it is important to distinguish between YARA the tool and YARA rules,” James Blake, field CISO at Rubrik, told _The Daily Swig_.

“YARA rules are the descriptions of malware that the YARA tool creates when given a file to analyse. The adoption of YARA rules in open source and commercial preventative and detective controls, other standards such as STIX for threat intelligence exchange, as well as in threat intelligence platforms, have now extended way beyond just the YARA tool.”

Check out more of the latest hacking tools

YARA rules can be used to “allow a net to be cast wide and then gradually refined” during threat hunting, as researchers focus in on particular malware strains. But YARA rules are powerful because they can describe not just the content of an executable, but also its behavior. This helps researchers track malware families, even as they adapt.

“YARA rules are extensively used in mature SOCs and mature service provider organizations to improve detection and prevent some of the noise that’s generated by more simplified hash-based detections,” Martin Riley, director of managed security services at consulting firm Bridewell, told _The Daily Swig_.

Bridewell uses YARA rules to identify trends and carry out reverse map engineering on some malware.

“YARA rules essentially replace hash values of files, which can be easily manipulated by attackers,” Riley said.

“YARA rules provide a higher fidelity and more valuable detection mechanism for malicious objects within a network.” YARAify, he suggested, provides researchers with an alternative to tools such as Google’s VirusTotal.

**DON’T MISS** Rise in off-the-shelf ransomware kits continues

YARAify: Defensive tool scans suspicious files against a large repository of YARA rules

Signing mechanism security shortcomings exposed

Signing mechanism security shortcomings exposed

A poor implementation of Ed25519, a popular digital signature algorithm, has left dozens of cryptography libraries vulnerable to attacks.

According to Konstantinos Chalkias, a cryptographer at MystenLabs who discovered and reported the vulnerability, attackers could exploit the bug to steal private keys from cryptocurrency wallets.

Some but not yet all of the vulnerable technologies have been patched.

**Where’s your Ed at?**

Ed25519 is often used as a modern replacement for the Elliptic Curve Digital Signature Algorithm (ECDSA). Ed25519 is more open, secure, and faster than ECDSA, which is why it has become very popular in many sectors, especially in blockchain and cryptocurrency platforms.

“The main benefits against ECDSA is that EdDSA sig\[nature\]s are deterministic and users don’t need \[access to\] a secure Random Number Generator \[RNG\] to sign a transaction,” Chalkias told _The Daily Swig_. “Why is this useful? because a user’s laptop or IoT device might not have a good source of entropy or support a weak RNG function.”

Numerous security incidents have shown that poor random generation can result in private keys being leaked or stolen. One notable example was the private key leaks of PlayStation 3, whose technology relies on the ECDSA algorithm.

**Pre-computing public keys**

The standard specification of Ed25519 message signing involves providing the algorithm with a message and private key. The function will use the private key to compute the public key and sign the message. Some libraries provide a variant of the message signing function that also takes the pre-computed public key as an input parameter. There are some benefits to this implementation.

“Recomputing the public key each time would result in a slower algorithm (it adds an extra scalar to elliptic curve point multiplication to derive the public key, which reduces the speed by almost 2x, potentially making it even slower than ECDSA),” Chalkias said.

Read more of the latest hacking news from around the world

“And generally, in cryptography, it’s good hygiene to avoid accessing the private key many times. If we allowed the public key derivation on each signing invocation, then this implies we need to access it twice, once to sign, and once to derive the public key.”

However, the modification also creates a security loophole in the library.

Chalkias found that some libraries were allowing arbitrary public keys as inputs without checking if the input public key corresponds to the input private key. This shortcoming means that an attacker could use the signing function as an Oracle, perform crypto-analysis and ultimately get at secrets. For example, an attacker who can’t access the private key but can access the signing mechanism through an API call could use several public keys and messages to gradually build up insights into private key parameters.

**Libraries at risk**

Chalkias initially found 26 libraries that were vulnerable to the attack. The list was later extended to 40 libraries. The security researcher also found several online services that were vulnerable to the same kind of attack, including a fintech API.

“In some applications when keyGen fails or a clean-up process deletes the privKey for this user, then the app usually retries keyGen. But in the meantime and for a few sec\[ond\]s, the DB \[database\] still stored the old <userID, pubKeyOld\>, and this allowed a narrow window for race condition attacks before the DB gets updated with the new pubKey (a scenario that, surprisingly, we managed to exploit with significant probability),” Chalkias noted.

Since his report, several libraries have implemented fixes and workarounds, including ed25519-elisabeth, PASETO, and Trezor wallet.

“A few libraries \[have\] already provided either fixes (if they were vulnerable) or proactively added extra checks that the stored pub key corresponds to the private keys,” Chalkias concluded.

YOU MAY ALSO LIKE Researchers crack MEGA’s ‘privacy-by-design’ encryption, storage

Dozens of cryptography libraries vulnerable to private key theft

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

Deliveries of prepared meals to thousands of vulnerable people in England continue to be disrupted following a “sophisticated” cyber-attack on food distributor Apetito.

Apetito’s impacted UK arm delivers ready meals to hospitals, care homes, schools, childcare facilities, and the homes of vulnerable people across the west of England.

In an update (PDF) posted to its website yesterday (June 27), Paul Freeston, chair and CEO of Apetito UK and North America, reiterated that the firm would be unable to fulfill deliveries until and including Thursday June 30 following the cyber-attack over the weekend.

He advised customers with “deliveries on these days to make contingency plans”.

Freeston added that “a limited number of test deliveries from a manual system will be made tomorrow”, and if successful, “we hope to extend \[this system\] further this week”.

**Emergency procedures**

Freeston said on Sunday that the company had activated “emergency procedures” to ensure “most” customers of meals on wheels (home-delivered hot food) should still receive a meal – “although it may not be the meal they chose”.

Apetito subsidiary Wiltshire Farm Foods, which delivers frozen ready meals to the homes of mostly vulnerable people, usually seniors, managed to make “a limited number of local deliveries” yesterday using “a manual work-around system” that would “continue this week”.

Read more of the latest cyber-attack news

As expected, Monday’s Apetito deliveries to businesses, including other ‘meals-on-wheels’ operators, proceeded normally “as these orders were already picked” before systems were disrupted.

On the production front, “a significant but restricted” program was up and running as of yesterday.

Meal orders submitted by businesses after 7.30pm on Friday “should be assumed not to have been received”, said Freeston.

Wiltshire Farm Foods is apparently unable to take orders over the phone or via its website and app, with fulfilment new orders expected to resume from July 4.

**‘Designed to extort money’**

Apetito, announced on Sunday (June 26) that it shut down many IT systems following the cyber-attack, which was “designed to extort money from the company”.

The company said it was “building new hardware and software to replace the affected systems”, which did not include its UK Microsoft systems, while “email communication is fully functional”.

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

It was also “seeking to establish whether any personally identifiable information (PII) has been compromised” and would alert customers and the Information Commissioner’s Office (ICO) if necessary.

Freeston said he was confident that payment card data was not compromised since this data was not held on Apetito’s systems.

“Our crisis management team is meeting multiple times each day to review progress, direct resources and respond to emerging issues”, he continued, adding that Apetito would continue providing updates at least daily.

“I would like to thank our customers and other contacts who are being so supportive during this issue. Our team continue to work tirelessly on the recovery and I am very grateful for their amazing efforts.”

Apetito declined to comment further when contacted by The Daily Swig.

YOU MIGHT ALSO LIKE Statutory defense for ethical hacking under UK Computer Misuse Act tabled

Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

The number of new ransomware families and unique variants has fallen over the last year, according to new research from WithSecure.

The company, formerly known as F-Secure Business, says in its latest Ransomware Threat Update (PDF) that the number of new families and unique variants appearing each year peaked around 2017, but stayed relatively stable for most of the second half of the last decade.

Last year, though, saw a significant drop in the amount of new ransomware families discovered by the researchers.

The main reason, says the firm, appears to be a consolidation of efforts by attackers, who are increasingly exploiting off-the-shelf Ransomware-as-a-Service (RaaS) packages.

**RELATED** DBIR 2022: Ransomware surge increases global data breach woes

“These days, cybercriminals are often operating as organisations, and they want to maximise their ROI,” Paolo Palumbo, vice president of WithSecure’s Tactical Defense Unit, tells _The Daily Swig_.

“In this sense, they are focusing their resources on getting a foothold in a victim’s system, rather than developing their own ransomware. People often forget that this isn’t a game of who makes the best ransomware – it’s about getting money out of victims.”

**Rise of RaaS**

Importantly, Palumbo says that the fall in the number of ransomware families doesn’t necessarily imply a fall in the number of attackers.

“Like many other businesses, cybercriminals are taking advantage of specialist tech vendors who prepare readily-available platforms to conduct these types of scams and attacks,” he says.

“But we shouldn’t assume it makes the users of these systems incompetent or any less expert.”

Read more of the latest infosec research news

Ransomware was the most widespread threat type identified in 2021, accounting for nearly 17% of identified threats.

And WannaCry was the most prevalent ransomware family – by a considerable margin, accounting for more than half of non-generic ransomware detections.

This was followed by three RaaS families: GandCrab, REvil, and Phobos.

**Double extortion**

In terms of tactics, threat actors are increasingly finding new ways of extorting cash from victims, for example by stealing data before encryption and threatening to leak it, with Maze and REvil the most notable examples of what’s been dubbed ‘double extortion’.

Malicious Microsoft Office documents and downloads were the most commonly observed ransomware attack vectors in 2021, followed by exploiting vulnerabilities and accessing networks via exposed Remote Desktop Protocol (RDP) ports.

WithSecure points out that many of these vectors rely on unpatched vulnerabilities – particularly in internet-facing infrastructure – poor password hygiene, lack of multi-factor authentication to secure online accounts, and other weaknesses that organizations should be able to address.

Meanwhile, says Palumbo, governments have their part to play.

“The role of governments and agencies is extremely important and multi-faceted,” he says.

“They need to continue pushing the importance of cybersecurity education and hygiene for both individuals and organizations, making it more difficult for cybercriminals to take advantage and extort money.”

**DON’T MISS** Researchers crack MEGA’s ‘privacy by design’ storage, encryption

Source

PortSwigger