A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU.

A side-channel timing attack dubbed "Hertzbleed" by researchers could allow remote attackers to sniff out cryptographic keys for servers. It affects most Intel processors, as well as some chipsets from AMD and likely others.

The issue is a timing side-channel flaw (tracked as CVE-2022-24436 for Intel and CVE-2022-23823 for AMD) found in the CPU-throttling technology known as dynamic voltage and frequency scaling (DVFS). DVFS regulates power consumption and electrical current use so that a CPU doesn't overheat when processing large amounts of data, and it conserves battery power during low-activity times.

As Intel explains in guidance published this week, observing these regulation changes can allow attackers to infer sensitive information.

"CPU frequency throttling is triggered when one of these limits is reached, which results in CPU frequency," according to Intel. "This frequency change and derived behavior may be correlated with information being processed by the CPU, and it may be possible to infer parts of the information through sophisticated analysis of the frequency change behavior."

"In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure," according to a technical research paper (PDF) by the team who discovered the attack, from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington.

Hertzbleed – its name a take on the infamous "Heartbleed" timing attack from 2014 – is significant because it allows remote attacks without the need to subvert a power-measurement interface, the researchers note, thus widening the attack surface.

"Software-based power-analysis attacks can be mitigated and easily detected by blocking (or restricting \[10\]) access to power-measurement interfaces," according to the paper. "Up until today, such a mitigation strategy would effectively reduce the attack surface to physical power analysis, a significantly smaller threat."

**Actual Threat or Not?**

While the researchers acknowledge that any real-world attacks would require a high level of complexity, they demonstrated successful proofs of concept for extracting keys as remote attackers authenticated with low privileges and no user interaction requires. This makes "Hertzbleed is a real, and practical, threat to the security of cryptographic software," they say.

Intel begs to differ. 

"While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment," said Jerry Bryant, Intel's senior director of security communications and incident response, in a recent posting. "Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue."

However, he also explained that the issue may extend past Intel and AMD.

"CVE-2022-24436 is not architecture-specific and any modern CPU that has dynamic power and thermal management is potentially affected," he said. "Intel shared its findings with other silicon vendors so they could assess their potential impact."

Neither Intel nor AMD are issuing microcode to address the issue; instead, they recommend that developers achieve mitigation through masking and blinding techniques that would hide the timing changes from observation.

'Hertzbleed' Side-Channel Attack Threatens Cryptographic Keys for Servers

The ability to handle intense pressure is just one of the skills that veterans bring to corporate cybersecurity work.

The contributions of ex-military personnel expand beyond their time of public service. They come to private-sector cybersecurity roles ready to take on foes that range from harbingers of mischief to deliverers of destruction.

"The importance of paying attention to even the tiniest of details due to potential impact and lives on the line is drilled into every military member," says Devon Bryan, global chief information security officer at Carnival Corp. and co-founder of the International Consortium of Minority Cybersecurity Professionals, now known as Cyversity. "Irrespective of branch of service and without regard to rank or station, the military emphasizes the necessity of working hard and with a passion for excellence, which are key for the infosec challenges of today."

It's no secret that former service members come prepared with training that many companies in the private sector find beneficial. But just which military skills transfer best to private cybersecurity jobs?

"An understanding of physical security and access control," says Oxana Parsons, senior cyber intelligence analyst at LookingGlass Cyber Solutions.

Many skills, even those seemingly unrelated to cybersecurity or IT, easily transfer, she adds. 

"In the military I have learned how to set up a local network — and I did it as a HUMINTer \[human intelligence collector\], so \[even\] not really an IT-related job can still provide some related training," Parsons says. "Also, in the military there are lots of opportunities to receive foreign language training and intelligence training, which taught me to understand the tradecraft behind intelligence collection and analysis."  

Other experienced vets point out that their collaboration and self-assessment skills alone can prove priceless to private-sector defense measures.

"Cybersecurity is such a broad field. The ability to be comfortable both knowing and accepting what you don't know, while being humble enough to seek out who does, is a particularly powerful skill to master," says Alex Diaz, customer success leader at Horizon3ai, who served both as a military intelligence officer and an enlisted all-source intelligence analyst in the US Army.

**Fulfilling Private Cybersecurity Needs**

"As cybersecurity grows in prominence as a risk factor for organizations, private firms will need experienced and capable leaders to manage their security postures," says Matt Georgy, chief technology officer at Redacted. "Veterans bring a unique perspective working in chaotic situations and often making consequential decisions in high pressure situations." 

Previously, Georgy served as chief of intelligence of the US Air Force 18th Fighter Squadron, lead US government forensics analyst in Baghdad, and held several technical leadership roles at the National Security Agency (NSA).

While one could argue that all military service is security-related, not all ex-military personnel currently employed in cybersecurity served in security-related positions. Even so, their training often transfers to a new position in the private sector.

"I did not work in security while in the military. But I can find similarities to when I worked in a Navy Combat Information Center (CIC) or a Tactical Operations Center (TOC)," says Josh Smith, cybersecurity analyst at Nuspire, who previously served as operations supervisor, mission control and evaluation supervisor, and operations and logistics department head in the US Navy. "All require the ingestion of data, analyzing what was received, disseminating it to the appropriate parties, and taking action based on the findings."  

The constant shape-shifting of threats and attackers is familiar to military-trained professionals. That alone is a major plus to employers looking to protect themselves from whatever digital abomination is cresting the horizon next.

"Military veterans have a very wide skill set, as we're often asked to work outside of our specific roles," Smith says. "We're exposed to numerous situations that are dynamic, stressful, 24/7, and leave no room for error. Cybersecurity is very similar in this respect. Cybersecurity never sleeps and is consistently changing. Veterans can easily adapt to this lifestyle."  

For those who transferred their cybersecurity skills directly from public to private concerns, commonalities between the sectors smoothed the transition.

"Military operations are steeped in risk and threat by their very nature, so military veterans develop a keen sense for assessing and weighting threat and risk," says Mac McMillan, CEO of healthcare cybersecurity, privacy, and compliance consultancy CynergisTek. Formerly, McMillan was director of security at the Defense Threat Reduction Agency for the Department of Defense (DoD).

"On a personal level, their sense of urgency, structure, discipline, etc., is well-suited for cyber and IT jobs," McMillan adds.

**Rank Is Optional**

Higher ranks in any military branch generally signify accomplishment and experience that are also highly prized in the civilian world. However, limiting hiring to high-ranking ex-military applicants is shortsighted.

"As CISO of the US Marine Corps, I dealt with many early-day cyber incidents from both nation-state threat actors and crime syndicates ... like the Melissa virus and ILOVEYOU," says Carl Wright, chief commercial officer at AttackIQ. 

Officers and enlisted members participate in training programs worth millions of dollars to earn Military Occupational Specialty (MOS) designations. 

"One of those areas is cybersecurity, and within cyber you have defensive operations and offensive operations," Wright says. "The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private-sector offerings and is highly transferable to a career in the private sector."  

Ex-military personnel bring excellent security practices to other areas as well.

"While I did not directly work in a security billet, my team worked to design software and had security requirements we had to align with," says Heath Anderson, VP of information security and technology at LogicGate and former system test architect for the US Air Force. "This experience was some of the best education around security principles I could have asked for, since we had to focus on the intent of the requirement in order to make it actionable in our code for the software we were designing and testing."

For his part, Andrew Maloney, chief operations officer and co-founder of Query.AI, worked on a help desk and in systems administration until 2003, when he was deployed to Oman, in the Middle East, to manage the base's perimeter security firewalls and proxy servers. 

"This was my break into cyber," says Maloney, formerly systems administrator/security engineer for the US Air Force.

**Bringing Softer Skills to Bear**

Skills including leadership, planning, and organization and traits like duty, responsibility, and loyalty make military vets excellent team members and leaders in civilian roles, McMillan adds.

"The military not only expects these things from its members, they spend time teaching these skills to their members," he said. "All too often these are not things that are either taught or stressed in the private sector, which is a shame because there is nothing particularly proprietary about any of them."  

Successful in cybersecurity and in the military means sharpening soft skills as much as hard skills.

"The one common denominator that I have seen be the most successful is the insatiable desire to learn," says Brad LaPorte, a security consultant who served as systems administration branch chief in the US Army Pacific Command. "Cybersecurity is technically difficult and not for the faint at heart. It requires long hours and constant diligence to keep up with the multidaily changes that occur in this field. Those \[who\] constantly read, write, learn, and mentor others are exponentially more successful. Anyone can learn this stuff, but it requires them to put the work in."

It isn't just the hard-nosed tactics that win battles. Almost always, adding soft skills to the mix hones the best defenses.

"The skill that I found most beneficial is the ability to think in terms of the 'big picture' but act at a lower level." says Phil Hagen, faculty fellow at SANS Institute and formerly a computer network defense analyst and IT manager with the US Air Force. "Knowing the overall strategic or tactical arc of your actions is a big part of infosec. Infosec is a huge effort, and if you try to solve it all, it's going quickly to turn into a fool's errand. Seeing the long-term goals but identifying the dozens of smaller, interim milestones has been very helpful."

Responding to conflict and always being ready to assume command also top the soft skills most in demand from ex-military personnel.

William Mendez, managing director of operations at CyZen, says all military personnel are trained as leaders, since the nature of conflict creates uncertainty around when you may land in a situation where you have to assume command.

"Personnel with military backgrounds have the skills to lead successful teams," he says. "They often gain the respect of other members through leadership traits such as empathy and motivation. They often lead by example, always mentoring and never asking anyone to do something they would not be willing to do themselves." 

Every day, those who previously served their country can still stand guard. Their paths to cybersecurity careers are as varied as those of their civilian counterparts. Their dedication and sense of duty, however, remains intense.

"Employers have a cybersecurity skills gap to overcome, and they should see the military as a hugely untapped resource," says Susan Peediyakkal, infosec operations manager at NASA Ames Research Center. "Companies should consider building their own mentoring programs or partnering with organizations that have programs in place to ensure that veterans get the essential training and networking resources they need to build a successful career in cybersecurity."

Veterans Explain How Military Service Prepared Them for Cybersecurity Careers

Multiple cybercrime groups have been spotted selling stolen credentials and other sensitive personal information pilfered from travel-related websites.

Much in the same way that cybercriminals followed the fervor around the pandemic, they now are doing the same with the travel boom, creating various scams that aim to take advantage of travel organizations, airlines, and individuals going on vacation.

Since the start of the year, security firm Intel 471 has tracked several cybercrime groups selling credentials and databases of stolen personal identifiable information (PII) tied to travel-related websites.

"People are starting to travel more than they have in the past few years, so there is increased attention and heightened traffic online," Intel 471 researcher Greg Otto explains. "Cybercriminals love operating in areas where a lot of people are congregating and trying to spend money ASAP."

The methods of malicious actors have evolved because of the concentration on PII: From reservations to rewards programs to security checks, these organizations collect a wide array of PII, he says.

He points to one threat actor that was specifically targeting individuals with at least 100,000 miles in their mileage rewards accounts. Other actors are seeking help in gathering additional information to perpetrate travel fraud schemes, offering up their own slate of PII as incentive.

"Financially motivated cybercriminals have realized how much value lies in the data that travel companies and organizations collect, which is why they have moved to target organizations in the travel, aviation, and hospitality industry," he says. "If that PII is not protected, it's going to be targeted."

While ransomware-as-a-service (RaaS) does not appear to pose an acute threat to the global travel industry so far, an Intel 471 blog post outlined the threat RaaS has posed to regional airlines, including low-cost Indian airline SpiceJet and an unnamed Thai airline.

**What to Do About It**

What can organizations do to deter cybercriminals from targeting their systems? Have written security policies and procedures tailored to your specific organization, Otto says, and craft expectations for protection of data, including the confidentiality of data, and set limits of permissible data access and use for employees.

"Be aware of social engineering scams, have a robust passwords policy for employees and users, and patch vulnerabilities when applicable," he says.

Meanwhile, Intel 471 also noted activity around pro-Russia hacktivist groups, namely an actor joining KillNet, which has conducted attacks against targets in Romania and other countries providing support to Ukraine.

Threat actors are using their position within the government agencies to facilitate illegal border crossings for Ukrainian males aged 18 to 60.

“Accomplices used to facilitate the activity allegedly would transfer a person seeking to cross the Moldova-Ukraine border and bypass official checkpoints,” the blog post noted.

Cybercriminals Capitalizing on Resurgence in Travel

Symbiote, the latest malware to hit Linux users, is a parasite more than anything. Protect against this banking credential stealer now!
The post Stealthy Symbiote Linux malware is after financial institutions appeared first on Malwarebytes Labs.

Symbiote, a new “nearly impossible to detect” Linux malware, targeted financial sectors in Latin America—and the threat actors behind it might have links to Brazil. These findings were revealed in a recent report, a joint effort between the Blackberry Research Team and Dr. Joakim Kennedy, a security researcher with Intezer.

Despite its name, this Trojan—first seen in November 2021—is more parasitic than a mutual benefactor in a symbiosis, according to Dr. Kennedy. And this is what sets Symbiote apart from other Linux malware.

> “\[I\]t needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD\_PRELOAD (T1574.006), and parasitically infects the machine.
> 
> Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”

This abuse of the environmental variable LD\_PRELOAD appears to be the “LD\_PRELOAD trick” described in this post. Since Symbiote is a shared object, the threat actor can set LD\_PRELOAD to its path. In effect, this malformed file is loaded first _before_ other shared objects. And because it’s loaded first, Symbiote can “hijack the imports” from other SO files.

This enables it to hide on infected Linux machines.

**Symbiote: the hows and whys of its ways**

Once all processes have been infected, the Linux machine is as good as being infected. Symbiote then triggers its rootkit capabilities to hide, including other malware the threat actor may have dropped onto the device, processes, and network artifacts. This makes detection and active forensic examinations difficult.

Symbiote also offers threat actors a backdoor to the infected Linux machine, to which they can log in as a user with the highest privilege using a hardcoded password.

Per Dr. Kennedy, one exciting aspect Symbiote has is its Berkeley Packet Filter (BPF) hooking functionality. It does this to hide malicious traffic on an infected Linux machine. If you’re a threat actor, this is an excellent method when you don’t want to alert system admins of any network shenanigans on an infected Linux machine, as Symbiote can filter out such suspicious network traffic.

As a credential stealer, being stealthy is not an option.

> “The malware’s objective, in addition to hiding malicious activity on the machine, is to harvest credentials and provide remote access for the threat actor. The credentials are first encrypted with RC4 using an embedded key, and then written to a file.
> 
> In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address record requests to a domain name controlled by the threat actor.”

The researchers further report that Symbiote impersonated Brazilian bank websites, suggesting Brazilians are the target of this campaign. The IP address of these domains is linked to the Njalla Virtual Private Server (VPS) service. Furthermore, “Passive DNS records showed that the same IP address was resolved to ns1\[.\]cintepol\[.\]link and ns2\[.\]cintepol\[.\]link a few months earlier.”

Cintepol is said to be the intelligence portal of the Federal Police of Brazil, which allowed its police officers to access intelligence from the federal police when investigating. This fake Cintepol site was abandoned in January 2022 in favor of another domain pointing to another Njalla VPS IP.

**Protect against Symbiote**

The threat actors behind Symbiote put a lot of effort into making it as under-the-radar as possible. However, Vulcan Cyber’s Mike Parkin, senior technical engineer, said in an interview with Dark Reading that the evasion tactics in Symbiote can still be detected by other network monitoring tools that can pinpoint malicious traffic and the infected Linux system.

Parkin further added that several endpoint tools should be able to identify malicious changes on infected systems.

“There are also forensic techniques that can use the malware’s own behavior against it to reveal its presence,” Parkin noted. “They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ.”

The Blackberry and Intezer report contains many indicators of compromise (IOCs) that IT admins should use to beef up the security of their Linux boxes.

You can also read our article on Malwarebytes’ EDR for Linux.

Stealthy Symbiote Linux malware is after financial institutions

Many consumers still relying on easy-to-crack passwords, warns Digital Shadows

John Leyden 15 June 2022 at 14:26 UTC

Many consumers still relying on easy-to-crack passwords, warns Digital Shadows

An eye-watering 24 billion usernames and passwords available on the dark web – an increase of 65% in just two years, according to a new study from Digital Shadows.

Some combinations are advertised more than once on forums, but even after removing duplicates, Digital Shadows still found that 6.7 billion unique credentials exist – an increase of approximately 1.7 billion or 34% in two years.

A study (PDF) from the threat intel firm, published on Wednesday (June 15), found that despite this, consumers continue to use easy to guess passwords.

For example, around 0.46% of all passwords – nearly one in every 200 – is ‘123456’. Keyboard combinations such as ‘qwerty’ or '1q2w3e’ are also all too commonplace.

In response to questions from The Daily Swig, Digital Shadows said most of the credentials collected and analyzed in its report come from organizations whose databases have been breached before password hashes are cracked and passwords leaked on cybercriminal forums. Login credential initially stolen through phishing attacks, and often using specialist phishing kits with another significant vector of credential pwnage.

Catch up on the latest password-related security news

Easy-to-use tools commonly available through criminal marketplaces at minimal cost or for free make it straightforward for even unskilled script kiddies to crack weak passwords.

Simply adding a ‘special character’ (such as @ # or \_) to a basic 10-character password makes it far harder to crack passwords and therefore makes it much less likely that a person will fall victim to an attack, with criminals instead attacking accounts that are easier to breach.

Digital Shadows reports that the sale of stolen and cracked credentials remains a mainstay of sales through cybercrime forums and marketplaces.

"Stolen credentials are one of the most crucial access tokens for a variety of cybercriminals and state-sponsored groups’ operations," Digital Shadows told The Daily Swig. "As such, the market for them is constantly florid and threat groups scramble to put their hands on these valuable assets."

**Progressively worse**

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that despite industry attempts to move beyond passwords as an authentication mechanism, the issue of breached credentials remains pressing – and is becoming progressively worse over time.

“Criminals have an endless list of breached credentials they can try but adding to this problem is weak passwords which means many accounts can be guessed using automated tools in just seconds,” Morgan said.

Morgan added: “In just the last 18 months, we at Digital Shadows have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices.

YOU MAY ALSO LIKE Cybercriminals use reverse tunneling and URL shorteners to launch ‘virtually undetectable’ phishing campaigns

“Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts,” they concluded.

In a blog post, Digital Shadows summarizes the findings from its research as well as offering advice on password security best practices.

Its top tips include advising users to switch to using a password manager and adding multi-factor authentication to their online accounts so that a password alone (even if compromised) is not enough to gain access.

READ MORE Volatile market for stolen credit card data shaken up by sanctions against Russia

Dark web awash with breached credentials, study finds

Organizations that can break out of siloed data and apply context can transform intelligence into actionable, relevant security knowledge.

For organizations struggling to defend against today's onslaught of cyberattacks, data can be both a blessing and a curse. Companies rely on data they get from outside sources, such as Cybersecurity and Infrastructure Security Agency (CISA) alerts, vendors, and threat intelligence feeds. However, all that information can be overwhelming if you don't know how to use it. Meanwhile, companies often overlook important data that resides inside their own environments.

To use threat intelligence effectively, you first need to understand what's happening inside your own environment and how your employees use network resources. With this context, you can interpret, tailor, and apply threat intelligence in a way that is specific and unique to your organization. This bespoke baseline enables you to identify anomalies in your environment and the issues they pose. All the outside threat data in the world won't help you if you don't know what your internal systems are supposed to be doing.

In general, there is too much reliance on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security craftsmanship. As security professionals, it's not our job to stare at the great and powerful Oz but to look behind the curtain.

For example, antivirus and endpoint detection and response (EDR) tools help security teams reduce the noise of logs, keep an eye on endpoints, and identify known threats, but they won't identify all the threats in your environment. Relying on traditional tools alone is practically a guarantee of failure. Sophisticated attackers reverse engineer the same tools you rely on to protect your systems. They know how those tools work, what their capabilities are, and what their weaknesses are. Why should the attacker know more about your systems than your security team does?

**Three Tips**

Use these tips for turning your threat intel into security knowledge:

1\. **Use multiple sources of data.** By all means, take advantage of threat intel feeds and CISA alerts, but know their limitations. Threat intel feeds have limited types of information — tactics, techniques, IP addresses, domain names, or file hashes — and by the time you get the alerts, the information can be months old. New information needs to be leveraged against not only the way your systems are today but the way they were in the past. By being able to view insights across time, you achieve a new level of security awareness and confidence in your continuous security integrity.

2\. **Make the data actionable.** Security professionals often don't see threat intel as valuable because it typically lacks context. A list of IP addresses is just data if you don't understand why (and when) the addresses are considered bad. Organizations often subscribe to more than a dozen feeds, which means they will get potentially millions of pieces of information daily. The majority of this information will either lead to false positives or be irrelevant to the organization's business. The cost of this is twofold. First, there is the cost of using this information in your security gear. Imagine trying to match millions of indicators of compromise against log volume from EDR, network detection and response, and intrusion detection systems. There is also a cost associated with dealing with those red herrings.

The best solution is to consider threat intel obtained from third parties as a springboard for analysis, not the end result. For example, a feed may indicate that a file with a particular MD5 hash is malicious. While your systems may not have that exact file on them, they could have variants that are unknown to the feed provider. Understanding the similarities and connections of what exists in your environment and how far removed they are from data in threat intel feeds is the next evolutionary step in becoming a true security practitioner.

3**. Adopt a security knowledge mindset.** Threat intel is not something you have, it's something you do. Don't blindly buy a security product just because it's there; understand how it works and what its limitations are. Ask yourself the question, "How might an attacker evade it?" Security consumers would never ask questions like that, while practitioners engage across teams and functions. They break through team-siloed thinking and facilitate bidirectional sharing of knowledge. What one incident responder may attribute to "strange activity" might shed light on an active threat research case.

Functional walls around security operations center (SOC), incident response, and research teams interfere with effective communication and information sharing. All three should feed information to each other in real time. They use different tools. For example, SOCs use SIEMs, IR uses forensic tools, threat intel folks use threat intel platforms. Executives need to formalize an operational structure that breaks down the silos and reduces tool fragmentation that prohibits security knowledge between teams.

**Conclusion**

Threat intel is a good thing, but if you're locked in a silo, its effectiveness is diminished. If you can break out of the silos and apply context, intelligence can be transformed into actionable security knowledge that's specific to your organization. And to make it happen, a top-down appreciation of the value of this is required from the CEO and board of directors all the way through to the security practitioners.

Why We Need Security Knowledge and Not Just Threat Intel

Username and password combinations offered for sale on the Dark Web by criminals has increased 65% since 2020.

Passwordless technology may be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched — and wildly insecure. Some 24.6 billion complete sets of usernames and passwords are currently in circulation in cybercriminal marketplaces as of this year, a report has found.

That’s four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020.

The report from the Digital Shadows Photon Research team, "Account Takeover in 2022," shows that cybercriminals continue to profit handsomely from this reality with a record-breaking wave of credential thefts, account takeover attacks (ATO), and black-market sales of access to victim accounts.  

Within the data set of credentials on the Dark Web, approximately 6.7 billion of the offerings had a unique pairing of username and password, indicating that the combination was not duplicated across databases. That's 1.7 billion more than what researchers found in 2020. The report shows that the markets selling these credentials are robust and sophisticated, with several subscription services emerging to offer criminal premium services for purchasing them. 

**'Endless List' of Breached Data**

Further bad news for security folks is that many of the passwords examined in these stolen data stores were not very secure in the first place.

“Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

To wit: Nearly one in every 200 passwords found in the credentials offered for sale by criminals is 123456. Of the 50 most commonly used passwords in those collated for the report, 49 can be cracked in less than one second using tools also commonly available in underground forums. So whether a criminal buyer purchases a list of stolen credentials or a password cracker, accounts using only these credentials are extremely vulnerable to attack.

**Passwordless to the Rescue?**

This is just one in a multitude of reasons why security advocates and technology-standards organizations have been pushing so hard for more usable passwordless technology across the globe. According to a recent Dark Reading report, only 26% of IT decision-makers said they work in a passwordless organization, and 87% admitted they had at least one credential category that still depended on passwords. 

The most common systems they wished they could authenticate without passwords were workstation logins, legacy enterprise applications, and cloud applications. And those numbers primarily focus on business accounts without considering the even more thorny problem of consumer authentication, for everything from bank accounts to software subscription services.

One of the biggest pushes for passwordless authentication comes by way of the FIDO Alliance, which for more than a decade has been publishing standards for high-assurance authentication mechanisms to kick passwords to the curb. 

Earlier this year, the Fido Alliance acknowledged “we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space” in its unveiling of a vision for multidevice FIDO credentials to be used in consumer use cases — important in the era of remote working from personal devices. These passkeys are more secure than passwords and are designed to make logins easier across mobile devices and desktops. In May, Apple, Google, and Microsoft reported that they’re going implement support for these standards in their platforms.

But in the meantime, Morgan explains that organizations can’t afford to ignore the ever-growing issue of stolen and trafficked credentials used for ATO.

“We will move to a passwordless future, but for now the issue of breached credentials is out of control,” says Morgan. “In just the last 18 months, we have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”

24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far

Upsurge in the tourism industry after the COVID-19 pandemic grabs the attention of cybercriminals to scam the tourists.

Upsurge in the tourism industry after the COVID-19 pandemic grabs the attention of cybercriminals to scam the tourists.

Researchers are warning a post-COVID upsurge in travel has painted a bullseye on the travel industry and has spurred related cybercrimes.

Criminal activity includes an uptick in adversaries targeting the theft of airline mileage reward points, website credentials for travel websites and travel-related databases breaches, according to a report by Intel 471.

The impact of the attacks are hacked accounts stripped of value. But also, researchers say the consequences of recent attacks can also include flight delays and cancelations as airlines grapple with mitigating hacks.

****Your Reward Points Head to Illicit Markets****

Since January the researcher at Intel 471 detect multiple hacks used by cybercriminals to trade the credentials linked to the traveling websites.

The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles,” according to 471. These accounts are used to earn certain rewards on every dollar that is spent. The account credentials that were listed in February belong to U.K.-based users from a major traveling website and two U.S.-based airlines.

“Access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers,” said researchers. “The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity,” they added.

The exploitation of rewards-points programs, especially those associated with travel, is not new. Researchers have tracked several incidents over the years where hackers have targeted reward points. In 2018, a pair of Russian teens have been arrested for infiltrating more than a half-million online accounts, in particular targeting services that offer rewards points.

Researchers point out that as the travel industry rebounds from a COVID-related slump, the industry is once again a prime target for cybercriminals.

****Travel-related Identity Theft****

Other criminal activities include the targeting of travel-related databases – ripe with employee and traveler personal identifiable information (PII) that threat actors can sell for money.

Researchers observed on travel-related hackers leveraging a database of “40,000 people employed in Illinois”. The stolen database includes PII of employees. Researchers said this type of leaked information plays a role in travel-related fraud – allowing an attacker to generate new identities that can be used to either cross boarders or evade authorities.

In one instance, Intel 471 researchers, cybercriminals used PII to create illicit travel documents used for border crossings. “Shortly after the start of the (Russian invasion of Ukraine) war, the actor claimed the insider could facilitate illegal border crossings for Ukrainian males aged 18 to 60” researchers noted.

Some of the traveling bodies including Romania-based Air Traffic Services Administration and Bucharest Airport were targeted by a pro-Russian group of hackers known as KillNet. “Aviation and transportation entities were among KillNet’s most frequented targets in the first half of 2022,” researcher added.

Last month, an attack on the IT systems of SpiceJet airlines left travelers stranded at airports and causes the delay and cancellation of flights.

****Protection From the Scams****

The researchers suggested customers stay vigilant while making arrangements and should book flights from a trusted source, handle payment cautiously, and refrain from getting phished in any dubious vacation-related offers.

Travel-related Cybercrime Takes Off as Industry Rebounds

A newly discovered security vulnerability in modern Intel and AMD processors could let remote attackers steal encryption keys via a power side channel attack.
Dubbed Hertzbleed by a group of researchers from the University of Texas, University of Illinois Urbana-Champaign, and the University of Washington, the issue is rooted in dynamic voltage and frequency scaling (DVFS), power and thermal

A newly discovered security vulnerability in modern Intel and AMD processors could let remote attackers steal encryption keys via a power side channel attack.

Dubbed Hertzbleed by a group of researchers from the University of Texas, University of Illinois Urbana-Champaign, and the University of Washington, the issue is rooted in dynamic voltage and frequency scaling (DVFS), power and thermal management feature employed to conserve power and reduce the amount of heat generated by a chip.

"The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second)," the researchers said.

This can have significant security implications on cryptographic libraries even when implemented correctly as constant-time code to prevent timing-based side channels, effectively enabling an attacker to leverage the execution time variations to extract sensitive information such as cryptographic keys.

Both AMD (CVE-2022-23823) and Intel (CVE-2022-24436) have issued independent advisories in response to the findings, with the latter noting that all Intel processors are affected by Hertzbleed. No patches have been made available.

"As the vulnerability impacts a cryptographic algorithm having power analysis-based side channel leakages, developers can apply countermeasures on the software code of the algorithm. Either masking, hiding, or key-rotation may be used to mitigate the attack," AMD stated.

While no patches have been made available to address the weakness, Intel has recommended cryptographic developers follow its guidance to harden their libraries and applications against frequency throttling information disclosure.

This is not the first time novel methods have been uncovered to siphon data from Intel processors. In March 2021, two co-authors of Hertzbleed demonstrated an "on-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors.

"The takeaway is that current cryptographic engineering practices for how to write constant-time code are no longer sufficient to guarantee constant time execution of software on modern, variable-frequency processors," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Hertzbleed Side-Channel Attack Affects All Modern AMD and Intel CPUs

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates.
Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.
<!-

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates.

Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.

Tracked as CVE-2022-30190 (CVSS score: 7.8), the zero-day bug relates to a remote code execution vulnerability affecting the Windows Support Diagnostic Tool (MSDT) when it's invoked using the "ms-msdt:" URI protocol scheme from an application such as Word.

The vulnerability can be trivially exploited by means of a specially crafted Word document that downloads and loads a malicious HTML file through Word's remote template feature. The HTML file ultimately permits the attacker to load and execute PowerShell code within Windows.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," Microsoft said in an advisory. "The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights."

A crucial aspect of Follina is that exploiting the flaw does not require the use of macros, thereby obviating the need for an adversary to trick victims into enabling macros to trigger the attack.

Since details of the issue surfaced late last month, it has been subjected to widespread exploitation by different threat actors to drop a variety of payloads such as AsyncRAT, QBot, and other information stealers. Evidence indicates that Follina has been abused in the wild since at least April 12, 2022.

Besides CVE-2022-30190, the cumulative security update also resolves several remote code execution flaws in Windows Network File System (CVE-2022-30136), Windows Hyper-V (CVE-2022-30163), Windows Lightweight Directory Access Protocol, Microsoft Office, HEVC Video Extensions, and Azure RTOS GUIX Studio.

Another security shortcoming of note is CVE-2022-30147 (CVSS score: 7.8), an elevation of privilege vulnerability affecting Windows Installer and which has been marked with an "Exploitation More Likely" assessment by Microsoft.

"Once an attacker has gained initial access, they can elevate that initial level of access up to that of an administrator, where they can disable security tools," Kev Breen, director of cyber threat research at Immersive Labs, said in a statement. "In the case of ransomware attack, this leverages access to more sensitive data before encrypting the files."

The latest round of patches is also notable for not featuring any updates to the Print Spooler component for the first time since January 2022. They also arrive as Microsoft said it's officially retiring support for Internet Explorer 11 starting June 15, 2022, on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual Channels.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Atlassian Confluence Server and Data Center
*   Cisco
*   Citrix
*   Dell
*   GitLab
*   Google Chrome
*   HP
*   Intel
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens, and
*   VMware

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel