Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks.
Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and

Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks.

Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, carrying out credential theft and lateral movement activities, before harvesting intellectual property and dropping the ransomware payload.

The entire sequence of events played out over the course of two full weeks, the Microsoft 365 Defender Threat Intelligence Team said in a report published this week.

"In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in," the researchers said, pointing out how "no two BlackCat 'lives' or deployments might look the same."

BlackCat, also known by the names ALPHV and Noberus, is a relatively new entrant to the hyperactive ransomware space. It's also known to be one of the first cross-platform ransomware written in Rust, exemplifying a trend where threat actors are switching to uncommon programming languages in an attempt to evade detection.

The ransomware-as-a-service (RaaS) scheme, irrespective of the varying initial access vectors employed, culminates in the exfiltration and encryption of target data that's then held ransom as part of what's called double extortion.

The RaaS model has proven to be a lucrative gig economy-style cybercriminal ecosystem consisting of three different key players: access brokers (IABs), who compromise networks and maintain persistence; operators, who develop and maintain the ransomware operations; and affiliates, who purchase the access from IABs to deploy the actual payload.

According to an alert released by the U.S. Federal Bureau of Investigation (FBI), BlackCat ransomware attacks have victimized at least 60 entities worldwide as of March 2022 since it was first spotted in November 2021.

Furthermore, Microsoft said that "two of the most prolific" affiliate threat groups, which have been associated with several ransomware families such as Hive, Conti, REvil, and LockBit 2.0, are now distributing BlackCat.

This includes DEV-0237 (aka FIN12), a financially motivated threat actor that was last seen targeting the healthcare sector in October 2021, and DEV-0504, which has been active since 2020 and has a pattern of shifting payloads when a RaaS program shuts down.

"DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022," Microsoft noted last month. "Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers

Interpol's annual First Light project has gone global for the second time. We take a look at the results, findings, and trends.
The post Interpol’s First Light operation smashes crime on a global scale appeared first on Malwarebytes Labs.

A large-scale Interpol operation has resulted in arrested and ill-gotten gains seizures galore. Operation First Light took place between March and May of this year. It involved 76 countries taking social engineers and telecommunications fraudsters to task, with multiple wins for those involved.

**Taking the fight to the scammers**

The operations focused on several popular scams in play from criminals the world over, including telephone scams, romance, email deception (Business Email Compromise, which targets business), and related aspects of financial crime.

All around the world, law enforcement collected huge hauls of ill-gotten gains and electronic devices. Cash and forged official documents were seized in Hong Kong. Multiple national call centres suspected of telecommunications fraud were also raided. The haul in Portugal included dozens of laptops, mobile devices of all varieties, and stacks of counterfeit official documents. These results are just the tip of the iceberg.

**When an operation gets results**

First Light occurs annually and has been in operation since 2014. This year, it was funded by China’s Ministry of Public Security. Originally the project focused on Southeast Asia, and this is the second time the operation has gone global. Here’s some of the preliminary findings by Interpol, with numbers subject to change as more details are confirmed:

*   1,770 locations raided worldwide
*   Some 3,000 suspects identified
*   Around 2,000 operators, fraudsters and money launderers arrested
*   Roughly 4,000 bank accounts frozen
*   Some USD 50 million worth of illicit funds intercepted

At this stage, there are only a few examples of arrests and backgrounds to specific crimes available. Some notable examples have been given, however:

> Based on intelligence exchanged in the framework of the operation, the Singapore Police Force rescued a teenage scam victim who had been tricked into pretending to be kidnapped, sending videos of himself with fake wounds to his parents and seeking a EUR 1.5 million ransom.
> 
> A Chinese national wanted in connection with a Ponzi scheme estimated to have defrauded nearly 24,000 victims out of EUR 34 million was arrested in Papua New Guinea and returned to China via Singapore.

Interpol also mentions 8 suspects arrested in Singapore for “Ponzi-like” job scams. In the example given, victims were lured with the promise of high-paying online marketing jobs. Small initial earnings led to situations where they had to recruit more members to earn commissions.

**Trends and concerns**

Some of the most pressing observations from the forces working this operation are as follows:

*   the way money mule herders are laundering money through the personal bank accounts of victims;
*   how social media platforms are driving human trafﬁcking, entrapping people into forced labour, sexual slavery, or captivity in casinos or on fishing vessels;
*   an increase in vishing fraud with criminals pretending to be bank officials to trick victims into sharing online log-in details;
*   a growth in cybercriminals posing as INTERPOL officials to obtain money from victims believing themselves to be under investigation.

Impersonation of law enforcement and other official entities is a mainstay of email fraud and extortion scams. It’s also popular where scams involving visas are concerned. There can’t be many people who have yet to experience a fake banking SMS at this point. Social media has also been a problem where trafficking and forced labour are concerned for some time now.

Money muling and bogus jobs are big business, and makes regular appearances on Malwarebytes Labs. Much of this ties into fake job opportunities. It can also occur as the result of email and social media outreach. If you’re really unlucky, you could be sucked into bogus NFT art projects which eventually offer up some malware. You may even be caught out by fake postings on legitimate job hunting portals.

For scammers, the sky’s the limit. It is, however, nice to see globally coordinated law enforcement operations making some sort of dent in proceedings. It’s up to us to pay attention to upcoming criminal trends, and do what we can to avoid falling for them.

Interpol’s First Light operation smashes crime on a global scale

Analysts have uncovered an Iran-linked APT sending malicious emails to top Israeli government officials.

Analysts have uncovered an Iran-linked APT sending malicious emails to top Israeli government officials.

An advanced persistent threat group, with ties to Iran, is believed behind a phishing campaign targeting high-profile government and military Israeli personnel, according to a report by Check Point Software.

Targets of the campaign included a senior leadership in the Israeli defense industry, the former U.S. Ambassador to Israel and the former Deputy Prime Minister of Israel.

The goal of the campaign, the researchers said, was to obtain personal information from targets.

**Fake Emails from Legit Addresses**

One of the targets, according to Check Point, is Tzipi Livni, Israel’s former foreign minister, minister of justice and vice prime minister. Researchers believe that the target was selected because of the high-caliber list of contacts in her address book.

Not long ago she received an email from, according to the researchers, “a well-known former Major General in the IDF who served in a highly sensitive position.” The sender address was not spoofed – it was the same domain she’d corresponded with before. Translated from Hebrew, the message read:

> _Hello my dear friends, Please see attached article to summarize the year. ((\*eyes only\*))_ _Of course I don’t want it to be distributed, because it is not the final version. I would be happy to receive remarks of any kind. Have a great rest of the day._

The message contained a link. Livni delayed in clicking the link, prompting several follow-up emails.

> _Good morning, I haven’t heard from you. Some friends sent me remarks. Your remarks are also very important to me. I know you are very busy. But I wanted to ask you to take your time and read the article. Good week_

The persistence of the sender and flurry of messages raised her suspicions, according to Check Point. After Livni met with the former Major General, it became clear that the emails were sent from a compromised account and the contents of the messages were part of a phishing attack.

It was a similar story for the other targets in this campaign – suspect emails were being sent from legitimate contacts.

**What Really Happened**

The method of attack wasn’t particularly technical. “The most sophisticated part of the operation is the social engineering,” Sergey Shykevich, threat intelligence group manager at Check Point Research, noted. He said, the campaign was “a very targeted phishing chain that is specifically crafted for each target.” Personally crafted phishing emails is a technique called spear phishing.

The attackers initiated their spear phishing attacks, first by compromising an email address book belonging to a contact of their target. Then, using the hijacked account, they’d continue an already existing email chain between the contact and the target. In time, they’d steer the conversation towards conning the target to clicking on or opening a malicious link or document.

“Some of the emails include a link to a real document that is relevant to the target,” Check Point’s analysts noted. For example, an “invitation to a conference or research, phishing page of Yahoo, link to upload document scans.”

“The goal,” in the end, was “to steal their personal information, passport scans, and steal access to their mail accounts.”

**Who and Why**

“We have solid evidence that it started at least from December 2021,” Shykevich wrote, “but we assume that it started earlier.”

In their analysis, the researchers found evidence they believe points to the Iran-linked Phosphorus APT group (a.k.a. Charming Kitten, Ajax Security, NewsBeef, APT35). Phosphorus is one of Iran’s most active APTs, with “a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.”

Iran and Israel are usually at odds, and these attacks came “in the midst of escalating tensions between Israel and Iran. With recent assassinations of Iranian officials (some affiliated with the Israeli’s Mossad), and the thwarted attempts to kidnap Israeli citizens worldwide, we suspect that Phosphorous will continue with its ongoing efforts in the future.”

State-Sponsored Phishing Attack Targeted Israeli Military Officials

Digital transformation helps businesses keep operating and stay competitive. Here are the ways to think about security so that businesses reap the benefits without taking on associated risks.

**Question: How should I think about security when considering digital transformation projects?**

**Niv Weisenberg, Senior Director of Cyber Digital Transformation, Optiv**: Multiple factors contribute to the sheer number of digital transformation projects underway today: the proliferation of the Internet of Things (IoT), expanding artificial intelligence (AI) capabilities, the sudden shift to a remote workforce prompted by the global COVID-19 pandemic, and the rapid rate of cloud migration. Digital transformation is no longer a nice-to-have; it’s a must-have in order to survive and thrive in today’s business world. 

CISOs and their security teams need to think about security in the digital age from both an internal and an external perspective. For the former, security teams should introduce and adopt digital enablers to transform the information security organization. Digital enablers include the cloud, IoT, AI/machine learning (ML), and automation to transform the information security organization.   

For the latter, they should address potential risks as new digital enablers are introduced by the business to drive growth.

Here are five specific areas security teams should prioritize to achieve security-first digital transformation:

**1\. Security operations modernization**: Help security operations adopt a proactive posture when balancing the need to match technology adoption acceleration with cost management.

**2\. Developer-centric security**: Enhance overall security posture and optimize DevOps performance by embedding a culture of proactive security in the DevOps process, enabled by orchestration and automation. For example, “shift security left” in the application development process to integrate security products as developers code and into build/test processes — rather than leaving it as an after-the-fact bolt-on. This will help organizations solve issues at the point of origin, detect and remediate vulnerabilities before they hit production, and, most importantly, build a DevSecOps program that prioritizes security throughout all development phases.

**3\. Cloud strategy and execution**: Shifting security left applies in the cloud transformation journey, too. Develop a strategic roadmap for secure cloud migration, operation, and management, as well as secure architecture modernization. Also consider standing up cloud native app protection (CNAP) capabilities that will scour cloud environments and alert staff to compliance risks and configuration vulnerabilities in cloud services.

**4\. Connected devices:** Enforce critical network, device, and data protection by doing things such as hardening connected entry points to the data fabric, modernizing the data paths for IT/OT convergence, bringing legacy networks under a modern security architecture, and implementing zero trust and a software-defined perimeter.

**5\. Big data and analytics**: Maximize the value extracted from data and secure big data at scale with AI/ML-enabled analytics.

As important as it is to keep the business operating _and_ competitive, organizations must transform _securely._ Keeping security at the forefront gives the business the benefits of digital transformation without the associated risks.

How Should I Think About Security When Considering Digital Transformation Projects?

Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Software Developer Guidance for Power Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing guidance to address this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-24436

Description: Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 6.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

All Intel® Processors are affected.

**Recommendations:**

Intel is providing Software Guidance for cryptographic implementations. Cryptographic developers may choose to follow the guidance to harden their libraries and applications against frequency throttling information disclosure.

**Acknowledgements:**

Intel would like to thank the following external users for reporting this issue.

*   Yingchen Wang (University of Texas at Austin)
*   Riccardo Paccagnella (University of Illinois Urbana-Champaign)
*   Elizabeth Tang He (University of Illinois Urbana-Champaign)
*   Hovav Shacham (University of Texas at Austin)
*   Christopher Fletcher (University of Illinois Urbana-Champaign)
*   David Kohlbrenner (University of Washington)

Intel would like to thank the following Intel employees for finding this issue internally.

*   Chen Liu
*   Nadav Shulman
*   Jim Hermerding
*   Neer Roggel
*   Ilya Alexandrovich
*   Terry Wang (former Intel employee)

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/14/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-24436: INTEL-SA-00698

Improper input validation for some Intel(R) Processors may allow an authenticated user to potentially cause a denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors MMIO Undefined Access Advisory**

**Summary: **

A potential security vulnerability in Memory Mapped I/O (MMIO) for some 14nm Client/Xeon E3 Intel® Processors may allow a denial of service in certain virtualized environments.

**Vulnerability Details:**

CVEID: CVE-2022-21180

Description: Improper input validation for some Intel® Processors may allow an authenticated user to potentially cause a denial of service via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

Some 14nm Client/Xeon E3 Intel® Processors, see full list:

https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest Virtual Machine Monitor provided by the VMM or OS provider that addresses these issues.

**Acknowledgements:**

This issue was found internally by Intel employees. Intel would like to thank Alysa Milburn, Jason Brandt, Avishai Redelman, Nir Lavi for reporting this issue.  Intel would like to thank Ke Sun, Alan Miller, Shlomi Alkalay, Robert Jones, and Ezra Caltum.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/14/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21180: INTEL-SA-00645

Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors MMIO Stale Data Advisory**

**Summary: **

Potential security vulnerabilities in Memory Mapped I/O (MMIO) for some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-21123

Description: Incomplete cleanup of multi-core shared buffers for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 6.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVEID: CVE-2022-21125

Description: Incomplete cleanup of microarchitectural fill buffers on some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2022-21127

Description: Incomplete cleanup in specific special register read operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2022-21166

Description: Incomplete cleanup in specific special register write operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**Affected Products:**

Some Intel® Processors, see full list:

https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

**Recommendations:**

Intel recommends that users of the affected Intel® Processors update to the latest version provided by the system manufacturer that addresses these issues.

Intel® SGX PSW for Windows to version 2.16.100.3 or later: 

https://registrationcenter.intel.com/en/products/download/3406/

Intel® SGX SDK for Windows to version 2.16.100.3 or later:

https://registrationcenter.intel.com/en/products/download/3407/

Intel® SGX DCAP for Windows to version 1.14.100.3 or later:

https://registrationcenter.intel.com/en/products/download/3610/

Intel® SGX PSW for Linux to version 2.17.100.3 or later:

https://01.org/intel-software-guard-extensions/downloads

Intel® SGX SDK for Linux to version 2.17.100.3 or later:

https://01.org/intel-software-guard-extensions/downloads

Intel® SGX DCAP for Linux to version 1.14.100.3 or later:

https://01.org/intel-software-guard-extensions/downloads

To address this issue, an SGX TCB recovery is planned for Q2 2022. Customers will require the software update to get successful attestation responses. For customers using the Intel Attestation Service (IAS), the IAS Development Environment (DEV) will enforce the microcode and software updates beginning June 21, 2022 and the IAS Production Environment (LIV) will enforce the updates beginning July 19, 2022.

For customers that are not using IAS, but instead are constructing their own attestation infrastructure using the Intel® SGX Provisioning Certificate Service (PCS), updated Endorsements/Reference Values (i.e., PCK Certificates and verification collateral) will be available June 28, 2022. These customers decide when to enforce the microcode and software update, as part of their Appraisal Policies.

Refer to Intel® SGX Attestation Technical Details for more information on the SGX TCB recovery process.

Further TCB Recovery Guidance for developers is available. 

**Acknowledgements:**

The following issues were found internally by Intel employees.  Intel would like to thank Ke Sun, Alan Miller, Shlomi Alkalay, Robert Jones, Ezra Caltum for reporting CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166. Jason Kilman for reporting CVE-2022-21123, CVE-2022-21127, and Scott Cape and Anthony Wojciechowski for reporting CVE-2022-21127.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/14/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21166: INTEL-SA-00615

Academic researchers are developing projects to apply artificial intelligence to detect and stop cyberattacks and keep critical infrastructure secure, thanks to grants from the C3.ai Digital Transformation Institute.

Editors' Choice

Jai Vijayan, Contributing Writer, Dark Reading

Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading

Nathan Eddy, Contributing Writer, Dark Reading

Joshua Bevitz, Partner, Newmeyer Dillion

Gabriella Stevens, Associate, Newmeyer Dillion

Prashant Sharma, Co-Founder & CTO, Secuvy Inc.

Webinars

*   Outsourcing Cybersecurity: A Decision Maker's Guide
*   Using Threat Modeling to Improve Enterprise Cyber Defenses
*   Vendors as Your Largest BEC Threat
*   Implementing Zero Trust in Your Enterprise
*   How Data Breaches Happen and What To Do When They Happen To You

White Papers

*   Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal
*   5 Critical Cyber Range Exercises from the Experts
*   De-identifying Analytics Data with Skyflow
*   Securely Work From Anywhere With the Fortinet Security Fabric
*   Endpoint Detection Net Suite Use Cases

Events

*   Dark Reading Virtual Event - June 23 - Learn More
*   Black Hat USA - August 6-11 - Learn More

More Insights

White Papers

*   Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal
*   5 Critical Cyber Range Exercises from the Experts

Webinars

*   Outsourcing Cybersecurity: A Decision Maker's Guide
*   Using Threat Modeling to Improve Enterprise Cyber Defenses

Reports

*   Incorporating a Prevention Mindset into Threat Detection and Response
*   Practical Network Security Approaches for a Multicloud, Hybrid IT World

7 Ways to Bring AI to Cybersecurity

A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU.

A side-channel timing attack dubbed "Hertzbleed" by researchers could allow remote attackers to sniff out cryptographic keys for servers. It affects most Intel processors, as well as some chipsets from AMD and likely others.

The issue is a timing side-channel flaw (tracked as CVE-2022-24436 for Intel and CVE-2022-23823 for AMD) found in the CPU-throttling technology known as dynamic voltage and frequency scaling (DVFS). DVFS regulates power consumption and electrical current use so that a CPU doesn't overheat when processing large amounts of data, and it conserves battery power during low-activity times.

As Intel explains in guidance published this week, observing these regulation changes can allow attackers to infer sensitive information.

"CPU frequency throttling is triggered when one of these limits is reached, which results in CPU frequency," according to Intel. "This frequency change and derived behavior may be correlated with information being processed by the CPU, and it may be possible to infer parts of the information through sophisticated analysis of the frequency change behavior."

"In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure," according to a technical research paper (PDF) by the team who discovered the attack, from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington.

Hertzbleed – its name a take on the infamous "Heartbleed" timing attack from 2014 – is significant because it allows remote attacks without the need to subvert a power-measurement interface, the researchers note, thus widening the attack surface.

"Software-based power-analysis attacks can be mitigated and easily detected by blocking (or restricting \[10\]) access to power-measurement interfaces," according to the paper. "Up until today, such a mitigation strategy would effectively reduce the attack surface to physical power analysis, a significantly smaller threat."

**Actual Threat or Not?**

While the researchers acknowledge that any real-world attacks would require a high level of complexity, they demonstrated successful proofs of concept for extracting keys as remote attackers authenticated with low privileges and no user interaction requires. This makes "Hertzbleed is a real, and practical, threat to the security of cryptographic software," they say.

Intel begs to differ. 

"While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment," said Jerry Bryant, Intel's senior director of security communications and incident response, in a recent posting. "Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue."

However, he also explained that the issue may extend past Intel and AMD.

"CVE-2022-24436 is not architecture-specific and any modern CPU that has dynamic power and thermal management is potentially affected," he said. "Intel shared its findings with other silicon vendors so they could assess their potential impact."

Neither Intel nor AMD are issuing microcode to address the issue; instead, they recommend that developers achieve mitigation through masking and blinding techniques that would hide the timing changes from observation.

'Hertzbleed' Side-Channel Attack Threatens Cryptographic Keys for Servers

The ability to handle intense pressure is just one of the skills that veterans bring to corporate cybersecurity work.

The contributions of ex-military personnel expand beyond their time of public service. They come to private-sector cybersecurity roles ready to take on foes that range from harbingers of mischief to deliverers of destruction.

"The importance of paying attention to even the tiniest of details due to potential impact and lives on the line is drilled into every military member," says Devon Bryan, global chief information security officer at Carnival Corp. and co-founder of the International Consortium of Minority Cybersecurity Professionals, now known as Cyversity. "Irrespective of branch of service and without regard to rank or station, the military emphasizes the necessity of working hard and with a passion for excellence, which are key for the infosec challenges of today."

It's no secret that former service members come prepared with training that many companies in the private sector find beneficial. But just which military skills transfer best to private cybersecurity jobs?

"An understanding of physical security and access control," says Oxana Parsons, senior cyber intelligence analyst at LookingGlass Cyber Solutions.

Many skills, even those seemingly unrelated to cybersecurity or IT, easily transfer, she adds. 

"In the military I have learned how to set up a local network — and I did it as a HUMINTer \[human intelligence collector\], so \[even\] not really an IT-related job can still provide some related training," Parsons says. "Also, in the military there are lots of opportunities to receive foreign language training and intelligence training, which taught me to understand the tradecraft behind intelligence collection and analysis."  

Other experienced vets point out that their collaboration and self-assessment skills alone can prove priceless to private-sector defense measures.

"Cybersecurity is such a broad field. The ability to be comfortable both knowing and accepting what you don't know, while being humble enough to seek out who does, is a particularly powerful skill to master," says Alex Diaz, customer success leader at Horizon3ai, who served both as a military intelligence officer and an enlisted all-source intelligence analyst in the US Army.

**Fulfilling Private Cybersecurity Needs**

"As cybersecurity grows in prominence as a risk factor for organizations, private firms will need experienced and capable leaders to manage their security postures," says Matt Georgy, chief technology officer at Redacted. "Veterans bring a unique perspective working in chaotic situations and often making consequential decisions in high pressure situations." 

Previously, Georgy served as chief of intelligence of the US Air Force 18th Fighter Squadron, lead US government forensics analyst in Baghdad, and held several technical leadership roles at the National Security Agency (NSA).

While one could argue that all military service is security-related, not all ex-military personnel currently employed in cybersecurity served in security-related positions. Even so, their training often transfers to a new position in the private sector.

"I did not work in security while in the military. But I can find similarities to when I worked in a Navy Combat Information Center (CIC) or a Tactical Operations Center (TOC)," says Josh Smith, cybersecurity analyst at Nuspire, who previously served as operations supervisor, mission control and evaluation supervisor, and operations and logistics department head in the US Navy. "All require the ingestion of data, analyzing what was received, disseminating it to the appropriate parties, and taking action based on the findings."  

The constant shape-shifting of threats and attackers is familiar to military-trained professionals. That alone is a major plus to employers looking to protect themselves from whatever digital abomination is cresting the horizon next.

"Military veterans have a very wide skill set, as we're often asked to work outside of our specific roles," Smith says. "We're exposed to numerous situations that are dynamic, stressful, 24/7, and leave no room for error. Cybersecurity is very similar in this respect. Cybersecurity never sleeps and is consistently changing. Veterans can easily adapt to this lifestyle."  

For those who transferred their cybersecurity skills directly from public to private concerns, commonalities between the sectors smoothed the transition.

"Military operations are steeped in risk and threat by their very nature, so military veterans develop a keen sense for assessing and weighting threat and risk," says Mac McMillan, CEO of healthcare cybersecurity, privacy, and compliance consultancy CynergisTek. Formerly, McMillan was director of security at the Defense Threat Reduction Agency for the Department of Defense (DoD).

"On a personal level, their sense of urgency, structure, discipline, etc., is well-suited for cyber and IT jobs," McMillan adds.

**Rank Is Optional**

Higher ranks in any military branch generally signify accomplishment and experience that are also highly prized in the civilian world. However, limiting hiring to high-ranking ex-military applicants is shortsighted.

"As CISO of the US Marine Corps, I dealt with many early-day cyber incidents from both nation-state threat actors and crime syndicates ... like the Melissa virus and ILOVEYOU," says Carl Wright, chief commercial officer at AttackIQ. 

Officers and enlisted members participate in training programs worth millions of dollars to earn Military Occupational Specialty (MOS) designations. 

"One of those areas is cybersecurity, and within cyber you have defensive operations and offensive operations," Wright says. "The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private-sector offerings and is highly transferable to a career in the private sector."  

Ex-military personnel bring excellent security practices to other areas as well.

"While I did not directly work in a security billet, my team worked to design software and had security requirements we had to align with," says Heath Anderson, VP of information security and technology at LogicGate and former system test architect for the US Air Force. "This experience was some of the best education around security principles I could have asked for, since we had to focus on the intent of the requirement in order to make it actionable in our code for the software we were designing and testing."

For his part, Andrew Maloney, chief operations officer and co-founder of Query.AI, worked on a help desk and in systems administration until 2003, when he was deployed to Oman, in the Middle East, to manage the base's perimeter security firewalls and proxy servers. 

"This was my break into cyber," says Maloney, formerly systems administrator/security engineer for the US Air Force.

**Bringing Softer Skills to Bear**

Skills including leadership, planning, and organization and traits like duty, responsibility, and loyalty make military vets excellent team members and leaders in civilian roles, McMillan adds.

"The military not only expects these things from its members, they spend time teaching these skills to their members," he said. "All too often these are not things that are either taught or stressed in the private sector, which is a shame because there is nothing particularly proprietary about any of them."  

Successful in cybersecurity and in the military means sharpening soft skills as much as hard skills.

"The one common denominator that I have seen be the most successful is the insatiable desire to learn," says Brad LaPorte, a security consultant who served as systems administration branch chief in the US Army Pacific Command. "Cybersecurity is technically difficult and not for the faint at heart. It requires long hours and constant diligence to keep up with the multidaily changes that occur in this field. Those \[who\] constantly read, write, learn, and mentor others are exponentially more successful. Anyone can learn this stuff, but it requires them to put the work in."

It isn't just the hard-nosed tactics that win battles. Almost always, adding soft skills to the mix hones the best defenses.

"The skill that I found most beneficial is the ability to think in terms of the 'big picture' but act at a lower level." says Phil Hagen, faculty fellow at SANS Institute and formerly a computer network defense analyst and IT manager with the US Air Force. "Knowing the overall strategic or tactical arc of your actions is a big part of infosec. Infosec is a huge effort, and if you try to solve it all, it's going quickly to turn into a fool's errand. Seeing the long-term goals but identifying the dozens of smaller, interim milestones has been very helpful."

Responding to conflict and always being ready to assume command also top the soft skills most in demand from ex-military personnel.

William Mendez, managing director of operations at CyZen, says all military personnel are trained as leaders, since the nature of conflict creates uncertainty around when you may land in a situation where you have to assume command.

"Personnel with military backgrounds have the skills to lead successful teams," he says. "They often gain the respect of other members through leadership traits such as empathy and motivation. They often lead by example, always mentoring and never asking anyone to do something they would not be willing to do themselves." 

Every day, those who previously served their country can still stand guard. Their paths to cybersecurity careers are as varied as those of their civilian counterparts. Their dedication and sense of duty, however, remains intense.

"Employers have a cybersecurity skills gap to overcome, and they should see the military as a hugely untapped resource," says Susan Peediyakkal, infosec operations manager at NASA Ames Research Center. "Companies should consider building their own mentoring programs or partnering with organizations that have programs in place to ensure that veterans get the essential training and networking resources they need to build a successful career in cybersecurity."

Tag

#intel