The state-sponsored group particularly targets organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses, researchers say.

The RedAlpha advanced persistent threat (APT) group, thought to be linked to the Chinese state, has been spying on global humanitarian, think tank, and government organizations thanks to a massive phishing campaign that's been active for years.

That's the word from Recorded Future's the Insikt Group, which also found that the intelligence collection is likely used to support human rights abuses orchestrated by the Chinese Communist Party (CCP).

RedAlpha (aka Deepcliff or Red Dev 3) specializes in mass credential-harvesting, which it accomplishes via convincing phishing emails with attached PDFs that lead to purported login pages. The group has been operational at a "high tempo" since at least 2015, Insikt researchers note, though it didn't spark the notice of security researchers until 2018. And since 2019, the activity has ramped up even further, analysts say.

"Over the past three years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other … organizations," according to a blog post on Tuesday from Insikt.

Last year, RedAlpha stood up at least 350 domains overall, representing a big spike in its activity, analysts said. In many cases, the observed phishing pages mimicked legitimate email login portals for these specific targets, suggesting the attackers intended to target individuals directly affiliated with the organizations, as opposed to using the branding of the entities to target other third parties.

In particular, the APT has been observed directly targeting ethnic and religious minorities such as the Tibetan and Uyghur communities and protesters such as Falun Gong members, and it has been particularly interested in anything Taiwan-related. In short, the targets align closely with Chinese interests. Thus, the idea is to gain access to email accounts and other online communications of victims, in order to eavesdrop and gather political intel on the targets, researchers surmise.

Casey Ellis, founder and CTO at Bugcrowd, says that the intel gleaned can be weaponized not just for guiding kinetic or physical strikes against the persons of interest but also for counter-messaging meant to undermine their activities.  

"China has an enormous population of very astute technologists, a vast security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D," he says. "Data stolen for nation-state espionage isn't, for example, likely to be used for fraud if the threat actor is Chinese. The main threat, as is true for most nation-state threat actors, is dis/misinformation, weaponized memes, and subversive propaganda through social networks and traditional media."

The spoofing also has included impersonating well-known email service providers in an effort to look legitimate, including Yahoo (135 typosquatted domains), Google (91 typosquatted domains), and Microsoft (70 typosquatted domains).

"Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity," the researchers note. "This targeting of sensitive and vulnerable communities, many of which have security budget and resources constraints, is particularly concerning.  

**Sprawling Phishing Infrastructure**

According to Insikt's analysis, the group maintains large clusters of operational infrastructure, beyond the hundreds of phishing domains that imitate and spoof specific organizations.

The researchers say that other consistent characteristics of the group's efforts include the use of \*resellerclub\[.\]com nameservers; using the virtual private server (VPS) hosting provider Virtual Machine Solutions (VirMach); similar domain-naming conventions, such as the use of “mydrive-”, “accounts-”, “mail-”, “drive-”, and “files-” strings across hundreds of domains; overlapping WHOIS registrant names, email addresses, phone numbers, and organizations; and the use of specific server-side technology components and fake HTTP 404 Not Found errors.  

Phil Neray, vice president of cyber-defense strategy at CardinalOps, says that this kind of large footprint allows for significant espionage outcomes, which is one of the hallmarks of Chinese APTs.

"China has been a top nation-state threat for many years, given their strategic use of cyber-espionage to obtain expertise in key technologies such as biotech, semiconductors, defense, and energy, by stealing proprietary intellectual property from the West," he says. "They've also targeted PII in attacks against government organizations such as the Office of Personnel Management (OPM) and large health insurance organizations like Anthem, which were two of the largest data breaches in history."   

**Phishing Is Phishing Is Phishing**

The tactics in this case are tried and true, even if the perpetrators occupy "top-tier" status in the cybercrime pantheon.

"When it comes to phishing, threat actors at all levels generally rely on conventional aesthetic-based tactics to lure in their victims," Darren Guccione, CEO and co-founder at Keeper Security, tells Dark Reading. "Innocent people who are not trained on phishing prevention generally focus on the 'pinstripes' of the email. This means that the aesthetics they are familiar with, such as the logo and colors of a humanitarian, think tank, or government site, are used to lure them into a malicious link or form field."

It's important, however, not to underestimate the fallout from this familiar social-engineering approach. 

"Cybersecurity threats which ultimately result in breaches due to weak passwords, stolen credentials, or phishing emails are pervasive," Guccione says. "They can have devastating and long-term adverse consequences, particularly when a broad-scope espionage campaign is used to support human rights abuses."

Any organization should bolster user awareness and employ basic defenses to avoid being on the hook from phishing, Guccione adds.

"We tend to believe what we see, which is why aesthetics and a compelling user interface often trump awareness of a nefarious and incorrect URL," he notes. "The key to training is to ensure users are checking that the URL matches the authentic website. A password manager that can automatically identify when a site's URL doesn't match is a critical tool for preventing the most common password-related attacks, including phishing and credential stuffing."

CardinalOps' Neray adds that when it comes to civil-society targets specifically, "Organizations of all sizes must protect themselves by deploying continuous monitoring at all levels of their infrastructures — endpoints, network, cloud, identity — and ensuring they have SOC detection policies in place that match the latest adversary techniques employed by Chinese attackers, as documented in the MITRE ATT&CK framework."

China-Backed RedAlpha APT Builds Sprawling Cyber-Espionage Infrastructure

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign targeting engineers with a fake job posting that attempt to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple and Intel chip-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency trader Coinbase in a job description claiming to seek an engineering manager for product security, researchers divulged.

Dubbed Operation In(ter)ception, the recent campaign drops a signed Mac executable disguised as a job description for Coinbase, which researchers discovered uploaded to VirusTotal from Brazil, they wrote.“Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: a decoy PDF document Coinbase\_online\_careers\_2022\_07.pdf, a bundle http\[://\]FinderFontsUpdater\[.\]app and a downloader safarifontagent.”

**Similarities to Previous Malware**

The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, researchers said.

However, the most recent malware is signed July 21, according to its timestamp, which means it’s either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria and which was revoked by Apple on Aug. 12, researchers said. The app itself was not notarized.

Operation In(ter)ception also has a companion Windows version of the malware dropping the same decoy and spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The malware used in the campaign also connects to a different command and control (C2) infrastructure than the malware discovered in May, https:\[//\]concrecapital\[.\]com/%user%\[.\]jpg, which did not respond when researchers tried to connect to it.

**Lazarus on the Loose**

North Korea’s Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of international authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to try to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonating defense contractors Boeing and General Motors and claiming to seek job candidates only to spread malicious documents.

**Changing It Up**

However, more recently Lazarus has diversified its tactics, with the feds revealing that Lazarus also has been responsible for a number of crypto heists aimed at padding the regime of Jong-un with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder cash from its cybercriminal activities, which they believe in part are being to fund North Korea’s missile program.

Lazarus even has dipped its toe in ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the recently emerged VHD ransomware to the North Korean APT.

APT Lazarus Targets Engineers with macOS Malware

A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.
"In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new

A Chinese state-sponsored threat activity group named **RedAlpha** has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.

"In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new report.

A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection by deploying the NjRAT backdoor.

"The campaigns \[...\] combine light reconnaissance, selective targeting, and diverse malicious tooling," Recorded Future noted at the time.

Since then, malicious activities undertaken by the group have involved weaponizing as many as 350 domains that spoof legitimate entities like the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.

The adversary's consistent targeting of think tanks and humanitarian organizations over the past three years falls in line with the strategic interests of the Chinese government, the report added.

The impersonated domains, which also include legitimate email and storage service providers like Yahoo!, Google, and Microsoft, are subsequently used to target proximate organizations and individuals to facilitate credential theft.

Attack chains start with phishing emails containing PDF files that embed malicious links to redirect users to rogue landing pages that mirror the email login portals for the targeted organizations.

"This means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties," the researchers noted.

Alternatively, the domains used in the credential-phishing activity have been found hosting generic login pages for popular email providers such as Outlook, alongside emulating other email software such as Zimbra used by these specific organizations.

In a sign of the campaign's evolution, the group has also impersonated login pages associated with Taiwan, Portugal, Brazil, and Vietnam's ministries of foreign affairs as well as India's National Informatics Centre (NIC), which manages IT infrastructure and services for the Indian government.

The RedAlpha cluster further appears to be connected to a Chinese information security company known as Jiangsu Cimer Information Security Technology Co. Ltd. (formerly Nanjing Qinglan Information Technology Co., Ltd.), underscoring the continued use of private contractors by intelligence agencies in the country.

"\[The targeting of think tanks, civil society organizations, and Taiwanese government and political entities\], coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers

The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.
Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into

The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.

Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents.

The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022.

"Malware is compiled for both Intel and Apple Silicon," the company said in a series of tweets. "It drops three files: a decoy PDF document 'Coinbase\_online\_careers\_2022\_07.pdf', a bundle 'FinderFontsUpdater.app,' and a downloader 'safarifontagent.'"

The decoy file, while sporting the .PDF extension, is in reality a Mach-O executable that functions as a dropper to launch FinderFontsUpdater, which, in turn, executes safarifontsagent, a downloader designed to retrieve next-stage payloads from a remote server.

ESET stated that the lure was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple has since moved to revoke the certificate on August 12.

It's worth noting the malware is cross-platform, as a Windows equivalent of the same PDF document was used to drop an .EXE file named "Coinbase\_online\_careers\_2022\_07.exe" earlier this month, as revealed by Malwarebytes researcher Hossein Jazi.

The Lazarus Group has emerged an expert of sorts when it comes to posing as HR representatives on social media platforms like LinkedIn to target companies that are of strategic interest.

Last month, it came to light that the $620 million Axie Infinity hack attributed to the collective was the result of one of its former employees getting duped by a fraudulent job offer on LinkedIn.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

"Seaborgium" is a highly persistent threat actor that has been targeting organizations and individuals of likely interest to the Russian government since at least 2017, company says.

Microsoft's Threat Intelligence Center (MSTIC) has taken steps to disrupt the operations of "Seaborgium," a Russia-based threat actor that has been involved in persistent spear-phishing and credential-theft campaigns aimed at organizations and individuals in NATO countries since at least 2017.

The threat actor's primary motivation appears to be cyber espionage. Its victims include numerous organizations in the defense and intelligence communities, nongovernmental organizations, think tanks, higher-education institutions, and intergovernmental organizations, mainly in the US and UK. Microsoft said it has identified some 30 organizations that have been targeted in Seaborgium campaigns so far this year alone.

"Seaborgium has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to Seaborgium activity being delivered to Microsoft consumer email accounts," Microsoft said in a blog post this week. Targeted individuals have included former intelligence officials, Russian experts, and Russian citizens outside the country that are of interest to Moscow. Available telemetry and tactics suggest overlaps between Seaborgium and threat groups that others are variously tracking as the Callisto Group, ColdRiver, and TA446, Microsoft said.

Seaborgium is just one of multiple Russia-based groups that are targeting US firms in cyber-espionage campaigns currently. Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about Russian actors systematically stealing sensitive, but not classified, data on US weapons development and technologies used by the US military and government. The warning followed one from January about the potential for more Russian attacks on US targets in retaliation for US-led sanctions over the war in Ukraine.

**Sophisticated Impersonation**

In its blog post, Microsoft described Seaborgium actors as using mostly the same social-engineering tactics over the years to try and gain an initial foothold in a target organization. Before launching a campaign, the threat actor has typically tended to conduct extensive research on targeted individuals to identify their social and business contacts. The research has often involved the threat actor using social media platforms — including fraudulent profiles on LinkedIn — and publicly available information gather intel on individuals of interest.

They then have used the information to impersonate individuals known to the target and contacted them using new email accounts with email addresses or aliases configured to match the names or aliases of the impersonated individuals, Microsoft said. The tone of the initial contact is usually different depending on whether an individual is a personal/consumer target or someone working in a targeted organization. In the case of the former, Seaborgium actors have typically started with a benign email that exchanges pleasantries on topics of interest to the target and references a nonexistent attachment. Microsoft surmised that the goal of taking this approach is likely to establish a rapport with a target. If the phishing email recipient replies, the threat actor responds with an email containing a link to their credential-stealing infrastructure.

Seaborgium's phishing emails have a more businesslike and organizational tone to them for individuals within a target organization. In these situations, the threat actors have shown a tendency to take a more authoritative approach in directing email recipients to the credential-stealing site — for example, by taking cybersecurity-themed lures. In most campaigns, Seaborgium actors have embedded the URL to their credential-stealing site directly in the email body itself, Microsoft said. But of late, the threat actor has also been using PDF files and attachments spoofing a document or file-hosting service — often OneDrive — to distribute the link.

**Using Stolen Credentials to Steal Emails and Attachments**

Microsoft said its researchers have observed Seaborgium using stolen credentials to directly log in to victims' email accounts and steal their emails and attachments. In a few instances, the threat actor has also been observed configuring victim email accounts to forward emails to attacker-controlled addresses. 

"There have been several cases where Seaborgium has been observed using their impersonation accounts to facilitate dialogue with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties," Microsoft said, adding that often these conversations have involved potentially sensitive information.

**Under Scrutiny**

As far as the disruption goes, the computing giant has now disabled accounts that Seaborgium actors have been using for victim reconnaissance, phishing, and other malicious activities. This includes multiple LinkedIn accounts. It has also developed detections for phishing domains associated with Seaborgium.

F-Secure, which refers to the threat actor as the Callisto Group, has been tracking its activities since 2015. In a 2017 report, the security vendor had described Callisto Group as a sophisticated actor targeting governments, journalists, and think tanks in the EU and parts of eastern Europe. F-Secure had described the group's campaigns as involving highly convincing spear-phishing emails often sent from legitimate email accounts to which the threat actor had previously gained access, using stolen credentials.

More recently, Google warned about the threat actor in a broader update on malicious cyber activity in eastern Europe since the start of the Ukraine war in February. The company said it had observed ColdRiver — its name for Seaborgium — continuing to use Gmail accounts to send credential-phishing emails to Google and non-Google email accounts belonging to politicians, defense and government officials, journalists, and think tanks. "The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive," Google said. The files have contained a link to a credential-phishing domain, according to Google.

Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign

South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.

South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn't breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was "experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible." It added there has been no disruption on service. 

"This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers," the water company said. 

Meanwhile, Thames Water, the UK's largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

"As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror. 

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group's attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

"I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact," Liebig said. "And had Thames Water not done an investigation of the 'proof of compromise,' they may very well have decided to negotiate further. In both instances, each organization did their due diligence."

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

Contentious edge case activities are no excuse for further delaying of ‘much overdue’ reform, say campaigners

Contentious edge case activities are no excuse for further delaying of ‘much overdue’ reform, say campaigners

Campaigners for reform of the UK’s Computer Misuse Act (CMA) have identified cybersecurity activities that should be legally defensible amid an ongoing government review of the 1990 law.

Based on the “consensus” view of experts, these legitimate hacking activities included responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

This consensus “would form the core basis of a new legal environment for cybersecurity professionals based on a statutory defence,” says a report (PDF) published yesterday (August 15) by the CyberUp campaign.

RELATED Statutory defense for ethical hacking under UK Computer Misuse Act tabled

Far from unleashing “a wild west of cyber vigilantism”, such a defense “will enable the UK’s cybersecurity sector to more effectively protect the UK as part of the whole-of-society effort, whilst ensuring cybercriminals can still be prosecuted”.

**Edge cases**

The CyberUp campaign also set out actions that should broadly be considered illegitimate, such as so-called ‘hack backs’ and malware deployment, as well as ‘active defence’ techniques that “still represent a grey area”.

These “contentious edge cases”, which require “further consultation and discussion as the policy formation process develops”, include exploitation of vulnerabilities, verification of passive-detected vulnerabilities, infiltrating a bad actor’s network, credential stuffing, active intel gathering, forensic analysis, botnets, and neutralizing suspicious or nefarious assets.

CyberUp insisted that the existence of edge cases is no excuse for further delaying of “much overdue” reform.

Campaigners deliver a letter signed by MPs that called for CMA reform to the Prime Minister’s residence

The results were based on input from 15 cybersecurity researchers, consultants, and other experts who assessed activities according to the potential harms and benefits accrued.

The degree of ‘consensus’, whereby more than 50% of experts agreed, varied considerably.

For instance, 100% agreed that use of sandboxes caused no or limited harm but delivered clear benefits, whereas 64% agreed that patching third-party networks or using remote desktop protocol (RDP) connections to obtain information from an attacker’s computers potentially ran the risk of causing harm but also provided worthwhile benefits.

**Importance of intent**

“Unsurprisingly, the exercise also revealed the limitations of any effort to isolate techniques, activities, and actions from the intent of an actor”, where the CMA currently “falls short”, said the report.

Rather than relying on binary lists of legitimate and illegitimate activities, which would quickly become out of date as techniques and technology evolved, CyberUp recommends that courts use broad principles to judge instances of unauthorised access.

A defense framework (PDF) published in 2021 by CyberUp establishes a set of such principles.

Read more of the latest cybersecurity news from the UK

The CyberUp campaign said it disagreed with suggestions from certain experts it consulted that some activities should only be conducted under license or, more stringently still, where actors “have been certified and have a court warrant to proceed”.

“Our view is that, over time with case law, and ideally with clear guidance from prosecutors, the boundaries of legal conduct will be sufficiently unambiguous to counter the need for the high degree of oversight that is sought by those who prefer a system more tightly regulated by the courts,” said the report.

A review of the aging CMA, which criminalizes “unauthorized access”, was announced in May 2021.

RECOMMENDED Browser-powered desync: New class of HTTP request smuggling attacks showcased at Black Hat USA

Legitimate hacking activities under UK law proposed by ‘expert consensus’

A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors.
Dubbed ÆPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that's akin to an "uninitialized memory read in the CPU itself."
"In contrast to transient execution

A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors.

Dubbed ÆPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that's akin to an "uninitialized memory read in the CPU itself."

"In contrast to transient execution attacks like Meltdown and Spectre, ÆPIC Leak is an architectural bug: the sensitive data gets directly disclosed without relying on any (noisy) side channel," the academics said.

The study was conducted by researchers from the Sapienza University of Rome, the Graz University of Technology, Amazon Web Services, and the CISPA Helmholtz Center for Information Security.

The vulnerability (CVE-2022-21233, CVSS score: 6.0), which affects CPUs with Sunny Cover microarchitecture, is rooted in a component called Advanced Programmable Interrupt Controller (APIC), which provides a mechanism to handle and route hardware interrupt signals in a scalable manner.

"The scan of the I/O address space on Intel CPUs based on the Sunny Cove microarchitecture revealed that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not properly initialized," the researchers noted.

"As a result, architecturally reading these registers returns stale data from the microarchitecture. Any data transferred between the L2 and the last-level cache can be read via these registers."

ÆPIC Leak specifically targets systems using Intel's trusted execution environment (TEE) known as Software Guard eXtensions (SGX), causing the leakage of AES and RSA keys from secure enclaves that run on the same physical CPU core with a success rate of 94% and 74% respectively.

"By protecting selected code and data from modification, developers can partition their application into hardened enclaves or trusted execution modules to help increase application security," Intel explains about the security assurances offered by SGX.

The flaw, put simply, breaks the aforementioned guarantees, enabling an attacker with permissions to execute privileged native code on a target machine to extract the private keys, and worse defeat attestation, a cornerstone of the security primitives used in SGX to ensure the integrity of code and data.

In response to the findings, Intel has released firmware updates, while describing the issue as a medium-severity vulnerability related to improper isolation of shared resources, leading to information disclosure via local access.

It's also worth noting that Intel has since deprecated support for SGX for its client CPUs, what with a litany of attack methods plaguing the technology, including SGX-ROP, MicroScope, Plundervolt, Load Value Injection, SGAxe, and VoltPillager.

**SQUIP Side Channel Attack Affect AMD CPUs**

The development comes as researchers demonstrated what's the first-ever side channel attack (CVE-2021-46778) on scheduler queues impacting AMD Zen 1, Zen 2, and Zen 3 microarchitectures that could be abused by an adversary to recover RSA keys.

The attack, codenamed SQUIP (short for Scheduler Queue Usage via Interference Probing), entails measuring the contention level on scheduler queues to potentially glean sensitive information.

No security updates have been released to patch the line of attack, but the chipmaker has recommended that "software developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flows where appropriate."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors

Heads of CIA and CISA headline event at DC Convention Center.

Returning in person after two years, the 13th Annual Billington Cybersecurity Summit is a three-day event designed to examine the nation's pressing cyber needs and the impact of the Biden Administration's fast-moving cyber strategic direction.

The summit explores "Transforming Cybersecurity Through a Unified Approach" with a focus on the hottest cyber topics. More than 125 speakers spanning government, military, nonprofits, industry, and academia, including CIA Director William Burns; Chris Inglis, National Cyber Director, EOP; DHS CISA Director Jen Easterly; John Sherman, CIO, DOD; and two top cyber officials from Ukraine will discuss cyber trends and issues during more than 40 sessions.

**WHEN**

September 7-9, 2022

Sept 7: 8:45 a.m.-5 p.m.

Sept 8: 8:30 a.m.-5 p.m.

Sept 9: 9 a.m.-noon

**TOPICS**

The summit has more than 40 panel discussions, breakout sessions, and fireside chats. Agenda topics include:

*   Cyber Lessons Learned from Ukraine
*   Securing Infrastructure in an Increasingly Connected World
*   Election Security and the 2022 National Elections
*   Lessons Learned for Fortifying a Strong Cybersecurity Workforce
*   All-Star VC Roundtable: What Are the Next Game-Changing Cyber, Disruptive Technologies?
*   The Cyber Threat Landscape and Zero Trust: Lessons Learned and Success Stories
*   Future of Encryption: Moving to a Quantum-Resistant World
*   Cybersecurity Public/Private Engagement
*   Addressing Insider Threat while Protecting Privacy
*   Future Panel | Cybersecurity and the Future of 5G
*   Enhancing the Security of Open-Source Software and the Supply Chain
*   Automating Cybersecurity: Applying AI Internally and at the Edge
*   Beyond Ransomware: Identifying the Next Cyber Threats

**WHERE**

Walter E. Washington Convention Center

801 Mt Vernon Pl NW

Washington, DC

**HOW**

Learn more or register at https://billingtoncybersummit.com/. Complimentary government and military tickets are available. Tickets for corporate attendees are $895; academic and non-profits are $125; and students are $25. Press is free for credentialed reporters but must register in advance online.

**WHY**

Presented by over 40 sponsors, led by Amazon Web Services, Raytheon Intelligence & Space, and Cisco Secure, the Billington Summit convenes leading senior cyber government decision-makers to examine key trends and topics while fostering deeper dialogue between government leaders and private industry.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SEPT. 7-9: Ukraine, Election, AI, Cybercrime, 5G Among Topics Explored by 125+ Speakers at 13th Billington Cybersecurity Summit

upsMonitor in ViewPower (aka ViewPowerHTML) 1.04-21012 through 1.04-21353 has insecure permissions for the service binary that enable an Authenticated User to modify files, allowing for privilege escalation.

 ViewPower Management Software 

**ViewPowerHTML 1.04-21353** is an advanced UPS management software. It allows remote monitor and manage from one to multiple UPSs in a networked environment, either LAN or INTERNET. It can not only prevent data loss from power outage and safely shutdown systems, but also store programming data and scheduled shutdown UPSs.  

  

**Feature summary:**  
• Allows control and monitoring of multiple UPSs via LAN and INTERNET  
• Supports auto and manual online upgrade  
• User-friendly power analysis graph: event statistics, history data chart export  
• Real-time dynamic graphs of UPS data (voltage, frequency, load level, battery level)  
• Safely OS shutdown and protection from data loss during power failure  
• Warning notifications via audible alarm, broadcast, mobile messenger, and e-mail  
• Scheduled UPS on/off, battery test, programmable outlet control, and audible alarm control  
• Password security protection and remote access management  
• Supports multiple languages: English, Chinese, French, German, Spanish, Russian, Portuguese, Ukrainian, Italian, Polish, Czech, Turkish   Download the software according to your requested operation system in your computer system. Supported browser versions include IE browser (not support the version older than IE10), Google, Chrome, Firefox,. All browers should support html5.

Software Version

Type

Download Link

Supported OS

ViewPower Network Edition  

Software for Windows® (V.HTML 1.04-21353)

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / Windows SBS 2011

Windows XP 2003 /2008

Windows® Server 2019 (32-bit & x64-bit)

User Manual

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / 2019 (32-bit & x64-bit) Windows SBS 2011

Software for MAC x86-64 (V.HTML 1.04-21353) Intel Chip

Mac OS 10.6/10.7/10.8/10.9/10.10/10.11/10.12/10.13/10.14/10.15 /11.x (intel x64-bit)

Software for MAC x86-64 (V.HTML 1.04-21353) M1 Chip

Mac OS 11.x (M1)

Software for Linux  
(V.HTML 1.04-21353)

Graphic mode operation:

Linux Cent OS 5/ 6 / 7 (32-bit )  
Linux Debian 6.x/8.x/10.x (32bit)  
Linux Fedora 5/ 17 (32bit)  
Linux Mint 14.x/19.x (32bit)  
Linux OpenSUSE 10/ 11 / 12/ 13 (32bit)  
Linux RedHat Enterprise AS3, AS5 AS6 (32bit)  
Linux RedHat Enterprise 5/8/9 (32-bit)  
Linux Ubuntu 8/ 9/ 10/ 12/ 14/ 15/ 16 (32-bit )  

Text mode operation:

Graphic mode operation:

Linux CentOS 5/ 6/ 7/ 8 (64bit)  
Linux Debian 6/ 7/ 8/ 10 (64bit)  
Linux Fedora 5/ 17/ 33 (64-bit)  
Linux Mint 19/ 20 (64bit)  
Linux OpenSUSE 10/ 11/ 12/ 13 (64bit)  
Linux RedHat Enterprise AS6 (64bit)  
Linux SUSE 10/ 11/ 12 (64bit)  
Linux Ubuntu 10/ 11/ 12/ 14/ 15/ 16/ 18/ 19/ 20 (64bit)  

Text mode operation:

ESXI Shutdown Wizard

User Manual

ESXI 4.x/ 5.x/6.x

Tag

#intel