Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors MMIO Stale Data Advisory**

**Summary: **

Potential security vulnerabilities in Memory Mapped I/O (MMIO) for some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-21123

Description: Incomplete cleanup of multi-core shared buffers for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 6.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVEID: CVE-2022-21125

Description: Incomplete cleanup of microarchitectural fill buffers on some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2022-21127

Description: Incomplete cleanup in specific special register read operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2022-21166

Description: Incomplete cleanup in specific special register write operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**Affected Products:**

Some Intel® Processors, see full list:

https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

**Recommendations:**

Intel recommends that users of the affected Intel® Processors update to the latest version provided by the system manufacturer that addresses these issues.

Intel® SGX PSW for Windows to version 2.16.100.3 or later: 

https://registrationcenter.intel.com/en/products/download/3406/

Intel® SGX SDK for Windows to version 2.16.100.3 or later:

https://registrationcenter.intel.com/en/products/download/3407/

Intel® SGX DCAP for Windows to version 1.14.100.3 or later:

https://registrationcenter.intel.com/en/products/download/3610/

Intel® SGX PSW for Linux to version 2.17.100.3 or later:

https://01.org/intel-software-guard-extensions/downloads

Intel® SGX SDK for Linux to version 2.17.100.3 or later:

https://01.org/intel-software-guard-extensions/downloads

Intel® SGX DCAP for Linux to version 1.14.100.3 or later:

https://01.org/intel-software-guard-extensions/downloads

To address this issue, an SGX TCB recovery is planned for Q2 2022. Customers will require the software update to get successful attestation responses. For customers using the Intel Attestation Service (IAS), the IAS Development Environment (DEV) will enforce the microcode and software updates beginning June 21, 2022 and the IAS Production Environment (LIV) will enforce the updates beginning July 19, 2022.

For customers that are not using IAS, but instead are constructing their own attestation infrastructure using the Intel® SGX Provisioning Certificate Service (PCS), updated Endorsements/Reference Values (i.e., PCK Certificates and verification collateral) will be available June 28, 2022. These customers decide when to enforce the microcode and software update, as part of their Appraisal Policies.

Refer to Intel® SGX Attestation Technical Details for more information on the SGX TCB recovery process.

Further TCB Recovery Guidance for developers is available. 

**Acknowledgements:**

The following issues were found internally by Intel employees.  Intel would like to thank Ke Sun, Alan Miller, Shlomi Alkalay, Robert Jones, Ezra Caltum for reporting CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166. Jason Kilman for reporting CVE-2022-21123, CVE-2022-21127, and Scott Cape and Anthony Wojciechowski for reporting CVE-2022-21127.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/14/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21166: INTEL-SA-00615

Improper input validation for some Intel(R) Processors may allow an authenticated user to potentially cause a denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Processors MMIO Undefined Access Advisory**

**Summary: **

A potential security vulnerability in Memory Mapped I/O (MMIO) for some 14nm Client/Xeon E3 Intel® Processors may allow a denial of service in certain virtualized environments.

**Vulnerability Details:**

CVEID: CVE-2022-21180

Description: Improper input validation for some Intel® Processors may allow an authenticated user to potentially cause a denial of service via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

Some 14nm Client/Xeon E3 Intel® Processors, see full list:

https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest Virtual Machine Monitor provided by the VMM or OS provider that addresses these issues.

**Acknowledgements:**

This issue was found internally by Intel employees. Intel would like to thank Alysa Milburn, Jason Brandt, Avishai Redelman, Nir Lavi for reporting this issue.  Intel would like to thank Ke Sun, Alan Miller, Shlomi Alkalay, Robert Jones, and Ezra Caltum.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/14/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21180: INTEL-SA-00645

Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Software Developer Guidance for Power Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing guidance to address this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-24436

Description: Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 6.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

All Intel® Processors are affected.

**Recommendations:**

Intel is providing Software Guidance for cryptographic implementations. Cryptographic developers may choose to follow the guidance to harden their libraries and applications against frequency throttling information disclosure.

**Acknowledgements:**

Intel would like to thank the following external users for reporting this issue.

*   Yingchen Wang (University of Texas at Austin)
*   Riccardo Paccagnella (University of Illinois Urbana-Champaign)
*   Elizabeth Tang He (University of Illinois Urbana-Champaign)
*   Hovav Shacham (University of Texas at Austin)
*   Christopher Fletcher (University of Illinois Urbana-Champaign)
*   David Kohlbrenner (University of Washington)

Intel would like to thank the following Intel employees for finding this issue internally.

*   Chen Liu
*   Nadav Shulman
*   Jim Hermerding
*   Neer Roggel
*   Ilya Alexandrovich
*   Terry Wang (former Intel employee)

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

06/14/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-24436: INTEL-SA-00698

Academic researchers are developing projects to apply artificial intelligence to detect and stop cyberattacks and keep critical infrastructure secure, thanks to grants from the C3.ai Digital Transformation Institute.

Editors' Choice

Jai Vijayan, Contributing Writer, Dark Reading

Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading

Nathan Eddy, Contributing Writer, Dark Reading

Joshua Bevitz, Partner, Newmeyer Dillion

Gabriella Stevens, Associate, Newmeyer Dillion

Prashant Sharma, Co-Founder & CTO, Secuvy Inc.

Webinars

*   Outsourcing Cybersecurity: A Decision Maker's Guide
*   Using Threat Modeling to Improve Enterprise Cyber Defenses
*   Vendors as Your Largest BEC Threat
*   Implementing Zero Trust in Your Enterprise
*   How Data Breaches Happen and What To Do When They Happen To You

White Papers

*   Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal
*   5 Critical Cyber Range Exercises from the Experts
*   De-identifying Analytics Data with Skyflow
*   Securely Work From Anywhere With the Fortinet Security Fabric
*   Endpoint Detection Net Suite Use Cases

Events

*   Dark Reading Virtual Event - June 23 - Learn More
*   Black Hat USA - August 6-11 - Learn More

More Insights

White Papers

*   Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal
*   5 Critical Cyber Range Exercises from the Experts

Webinars

*   Outsourcing Cybersecurity: A Decision Maker's Guide
*   Using Threat Modeling to Improve Enterprise Cyber Defenses

Reports

*   Incorporating a Prevention Mindset into Threat Detection and Response
*   Practical Network Security Approaches for a Multicloud, Hybrid IT World

7 Ways to Bring AI to Cybersecurity

A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU.

A side-channel timing attack dubbed "Hertzbleed" by researchers could allow remote attackers to sniff out cryptographic keys for servers. It affects most Intel processors, as well as some chipsets from AMD and likely others.

The issue is a timing side-channel flaw (tracked as CVE-2022-24436 for Intel and CVE-2022-23823 for AMD) found in the CPU-throttling technology known as dynamic voltage and frequency scaling (DVFS). DVFS regulates power consumption and electrical current use so that a CPU doesn't overheat when processing large amounts of data, and it conserves battery power during low-activity times.

As Intel explains in guidance published this week, observing these regulation changes can allow attackers to infer sensitive information.

"CPU frequency throttling is triggered when one of these limits is reached, which results in CPU frequency," according to Intel. "This frequency change and derived behavior may be correlated with information being processed by the CPU, and it may be possible to infer parts of the information through sophisticated analysis of the frequency change behavior."

"In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure," according to a technical research paper (PDF) by the team who discovered the attack, from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington.

Hertzbleed – its name a take on the infamous "Heartbleed" timing attack from 2014 – is significant because it allows remote attacks without the need to subvert a power-measurement interface, the researchers note, thus widening the attack surface.

"Software-based power-analysis attacks can be mitigated and easily detected by blocking (or restricting \[10\]) access to power-measurement interfaces," according to the paper. "Up until today, such a mitigation strategy would effectively reduce the attack surface to physical power analysis, a significantly smaller threat."

**Actual Threat or Not?**

While the researchers acknowledge that any real-world attacks would require a high level of complexity, they demonstrated successful proofs of concept for extracting keys as remote attackers authenticated with low privileges and no user interaction requires. This makes "Hertzbleed is a real, and practical, threat to the security of cryptographic software," they say.

Intel begs to differ. 

"While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment," said Jerry Bryant, Intel's senior director of security communications and incident response, in a recent posting. "Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue."

However, he also explained that the issue may extend past Intel and AMD.

"CVE-2022-24436 is not architecture-specific and any modern CPU that has dynamic power and thermal management is potentially affected," he said. "Intel shared its findings with other silicon vendors so they could assess their potential impact."

Neither Intel nor AMD are issuing microcode to address the issue; instead, they recommend that developers achieve mitigation through masking and blinding techniques that would hide the timing changes from observation.

'Hertzbleed' Side-Channel Attack Threatens Cryptographic Keys for Servers

The ability to handle intense pressure is just one of the skills that veterans bring to corporate cybersecurity work.

The contributions of ex-military personnel expand beyond their time of public service. They come to private-sector cybersecurity roles ready to take on foes that range from harbingers of mischief to deliverers of destruction.

"The importance of paying attention to even the tiniest of details due to potential impact and lives on the line is drilled into every military member," says Devon Bryan, global chief information security officer at Carnival Corp. and co-founder of the International Consortium of Minority Cybersecurity Professionals, now known as Cyversity. "Irrespective of branch of service and without regard to rank or station, the military emphasizes the necessity of working hard and with a passion for excellence, which are key for the infosec challenges of today."

It's no secret that former service members come prepared with training that many companies in the private sector find beneficial. But just which military skills transfer best to private cybersecurity jobs?

"An understanding of physical security and access control," says Oxana Parsons, senior cyber intelligence analyst at LookingGlass Cyber Solutions.

Many skills, even those seemingly unrelated to cybersecurity or IT, easily transfer, she adds. 

"In the military I have learned how to set up a local network — and I did it as a HUMINTer \[human intelligence collector\], so \[even\] not really an IT-related job can still provide some related training," Parsons says. "Also, in the military there are lots of opportunities to receive foreign language training and intelligence training, which taught me to understand the tradecraft behind intelligence collection and analysis."  

Other experienced vets point out that their collaboration and self-assessment skills alone can prove priceless to private-sector defense measures.

"Cybersecurity is such a broad field. The ability to be comfortable both knowing and accepting what you don't know, while being humble enough to seek out who does, is a particularly powerful skill to master," says Alex Diaz, customer success leader at Horizon3ai, who served both as a military intelligence officer and an enlisted all-source intelligence analyst in the US Army.

**Fulfilling Private Cybersecurity Needs**

"As cybersecurity grows in prominence as a risk factor for organizations, private firms will need experienced and capable leaders to manage their security postures," says Matt Georgy, chief technology officer at Redacted. "Veterans bring a unique perspective working in chaotic situations and often making consequential decisions in high pressure situations." 

Previously, Georgy served as chief of intelligence of the US Air Force 18th Fighter Squadron, lead US government forensics analyst in Baghdad, and held several technical leadership roles at the National Security Agency (NSA).

While one could argue that all military service is security-related, not all ex-military personnel currently employed in cybersecurity served in security-related positions. Even so, their training often transfers to a new position in the private sector.

"I did not work in security while in the military. But I can find similarities to when I worked in a Navy Combat Information Center (CIC) or a Tactical Operations Center (TOC)," says Josh Smith, cybersecurity analyst at Nuspire, who previously served as operations supervisor, mission control and evaluation supervisor, and operations and logistics department head in the US Navy. "All require the ingestion of data, analyzing what was received, disseminating it to the appropriate parties, and taking action based on the findings."  

The constant shape-shifting of threats and attackers is familiar to military-trained professionals. That alone is a major plus to employers looking to protect themselves from whatever digital abomination is cresting the horizon next.

"Military veterans have a very wide skill set, as we're often asked to work outside of our specific roles," Smith says. "We're exposed to numerous situations that are dynamic, stressful, 24/7, and leave no room for error. Cybersecurity is very similar in this respect. Cybersecurity never sleeps and is consistently changing. Veterans can easily adapt to this lifestyle."  

For those who transferred their cybersecurity skills directly from public to private concerns, commonalities between the sectors smoothed the transition.

"Military operations are steeped in risk and threat by their very nature, so military veterans develop a keen sense for assessing and weighting threat and risk," says Mac McMillan, CEO of healthcare cybersecurity, privacy, and compliance consultancy CynergisTek. Formerly, McMillan was director of security at the Defense Threat Reduction Agency for the Department of Defense (DoD).

"On a personal level, their sense of urgency, structure, discipline, etc., is well-suited for cyber and IT jobs," McMillan adds.

**Rank Is Optional**

Higher ranks in any military branch generally signify accomplishment and experience that are also highly prized in the civilian world. However, limiting hiring to high-ranking ex-military applicants is shortsighted.

"As CISO of the US Marine Corps, I dealt with many early-day cyber incidents from both nation-state threat actors and crime syndicates ... like the Melissa virus and ILOVEYOU," says Carl Wright, chief commercial officer at AttackIQ. 

Officers and enlisted members participate in training programs worth millions of dollars to earn Military Occupational Specialty (MOS) designations. 

"One of those areas is cybersecurity, and within cyber you have defensive operations and offensive operations," Wright says. "The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private-sector offerings and is highly transferable to a career in the private sector."  

Ex-military personnel bring excellent security practices to other areas as well.

"While I did not directly work in a security billet, my team worked to design software and had security requirements we had to align with," says Heath Anderson, VP of information security and technology at LogicGate and former system test architect for the US Air Force. "This experience was some of the best education around security principles I could have asked for, since we had to focus on the intent of the requirement in order to make it actionable in our code for the software we were designing and testing."

For his part, Andrew Maloney, chief operations officer and co-founder of Query.AI, worked on a help desk and in systems administration until 2003, when he was deployed to Oman, in the Middle East, to manage the base's perimeter security firewalls and proxy servers. 

"This was my break into cyber," says Maloney, formerly systems administrator/security engineer for the US Air Force.

**Bringing Softer Skills to Bear**

Skills including leadership, planning, and organization and traits like duty, responsibility, and loyalty make military vets excellent team members and leaders in civilian roles, McMillan adds.

"The military not only expects these things from its members, they spend time teaching these skills to their members," he said. "All too often these are not things that are either taught or stressed in the private sector, which is a shame because there is nothing particularly proprietary about any of them."  

Successful in cybersecurity and in the military means sharpening soft skills as much as hard skills.

"The one common denominator that I have seen be the most successful is the insatiable desire to learn," says Brad LaPorte, a security consultant who served as systems administration branch chief in the US Army Pacific Command. "Cybersecurity is technically difficult and not for the faint at heart. It requires long hours and constant diligence to keep up with the multidaily changes that occur in this field. Those \[who\] constantly read, write, learn, and mentor others are exponentially more successful. Anyone can learn this stuff, but it requires them to put the work in."

It isn't just the hard-nosed tactics that win battles. Almost always, adding soft skills to the mix hones the best defenses.

"The skill that I found most beneficial is the ability to think in terms of the 'big picture' but act at a lower level." says Phil Hagen, faculty fellow at SANS Institute and formerly a computer network defense analyst and IT manager with the US Air Force. "Knowing the overall strategic or tactical arc of your actions is a big part of infosec. Infosec is a huge effort, and if you try to solve it all, it's going quickly to turn into a fool's errand. Seeing the long-term goals but identifying the dozens of smaller, interim milestones has been very helpful."

Responding to conflict and always being ready to assume command also top the soft skills most in demand from ex-military personnel.

William Mendez, managing director of operations at CyZen, says all military personnel are trained as leaders, since the nature of conflict creates uncertainty around when you may land in a situation where you have to assume command.

"Personnel with military backgrounds have the skills to lead successful teams," he says. "They often gain the respect of other members through leadership traits such as empathy and motivation. They often lead by example, always mentoring and never asking anyone to do something they would not be willing to do themselves." 

Every day, those who previously served their country can still stand guard. Their paths to cybersecurity careers are as varied as those of their civilian counterparts. Their dedication and sense of duty, however, remains intense.

"Employers have a cybersecurity skills gap to overcome, and they should see the military as a hugely untapped resource," says Susan Peediyakkal, infosec operations manager at NASA Ames Research Center. "Companies should consider building their own mentoring programs or partnering with organizations that have programs in place to ensure that veterans get the essential training and networking resources they need to build a successful career in cybersecurity."

Veterans Explain How Military Service Prepared Them for Cybersecurity Careers

Multiple cybercrime groups have been spotted selling stolen credentials and other sensitive personal information pilfered from travel-related websites.

Much in the same way that cybercriminals followed the fervor around the pandemic, they now are doing the same with the travel boom, creating various scams that aim to take advantage of travel organizations, airlines, and individuals going on vacation.

Since the start of the year, security firm Intel 471 has tracked several cybercrime groups selling credentials and databases of stolen personal identifiable information (PII) tied to travel-related websites.

"People are starting to travel more than they have in the past few years, so there is increased attention and heightened traffic online," Intel 471 researcher Greg Otto explains. "Cybercriminals love operating in areas where a lot of people are congregating and trying to spend money ASAP."

The methods of malicious actors have evolved because of the concentration on PII: From reservations to rewards programs to security checks, these organizations collect a wide array of PII, he says.

He points to one threat actor that was specifically targeting individuals with at least 100,000 miles in their mileage rewards accounts. Other actors are seeking help in gathering additional information to perpetrate travel fraud schemes, offering up their own slate of PII as incentive.

"Financially motivated cybercriminals have realized how much value lies in the data that travel companies and organizations collect, which is why they have moved to target organizations in the travel, aviation, and hospitality industry," he says. "If that PII is not protected, it's going to be targeted."

While ransomware-as-a-service (RaaS) does not appear to pose an acute threat to the global travel industry so far, an Intel 471 blog post outlined the threat RaaS has posed to regional airlines, including low-cost Indian airline SpiceJet and an unnamed Thai airline.

**What to Do About It**

What can organizations do to deter cybercriminals from targeting their systems? Have written security policies and procedures tailored to your specific organization, Otto says, and craft expectations for protection of data, including the confidentiality of data, and set limits of permissible data access and use for employees.

"Be aware of social engineering scams, have a robust passwords policy for employees and users, and patch vulnerabilities when applicable," he says.

Meanwhile, Intel 471 also noted activity around pro-Russia hacktivist groups, namely an actor joining KillNet, which has conducted attacks against targets in Romania and other countries providing support to Ukraine.

Threat actors are using their position within the government agencies to facilitate illegal border crossings for Ukrainian males aged 18 to 60.

“Accomplices used to facilitate the activity allegedly would transfer a person seeking to cross the Moldova-Ukraine border and bypass official checkpoints,” the blog post noted.

Cybercriminals Capitalizing on Resurgence in Travel

Symbiote, the latest malware to hit Linux users, is a parasite more than anything. Protect against this banking credential stealer now!
The post Stealthy Symbiote Linux malware is after financial institutions appeared first on Malwarebytes Labs.

Symbiote, a new “nearly impossible to detect” Linux malware, targeted financial sectors in Latin America—and the threat actors behind it might have links to Brazil. These findings were revealed in a recent report, a joint effort between the Blackberry Research Team and Dr. Joakim Kennedy, a security researcher with Intezer.

Despite its name, this Trojan—first seen in November 2021—is more parasitic than a mutual benefactor in a symbiosis, according to Dr. Kennedy. And this is what sets Symbiote apart from other Linux malware.

> “\[I\]t needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD\_PRELOAD (T1574.006), and parasitically infects the machine.
> 
> Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.”

This abuse of the environmental variable LD\_PRELOAD appears to be the “LD\_PRELOAD trick” described in this post. Since Symbiote is a shared object, the threat actor can set LD\_PRELOAD to its path. In effect, this malformed file is loaded first _before_ other shared objects. And because it’s loaded first, Symbiote can “hijack the imports” from other SO files.

This enables it to hide on infected Linux machines.

**Symbiote: the hows and whys of its ways**

Once all processes have been infected, the Linux machine is as good as being infected. Symbiote then triggers its rootkit capabilities to hide, including other malware the threat actor may have dropped onto the device, processes, and network artifacts. This makes detection and active forensic examinations difficult.

Symbiote also offers threat actors a backdoor to the infected Linux machine, to which they can log in as a user with the highest privilege using a hardcoded password.

Per Dr. Kennedy, one exciting aspect Symbiote has is its Berkeley Packet Filter (BPF) hooking functionality. It does this to hide malicious traffic on an infected Linux machine. If you’re a threat actor, this is an excellent method when you don’t want to alert system admins of any network shenanigans on an infected Linux machine, as Symbiote can filter out such suspicious network traffic.

As a credential stealer, being stealthy is not an option.

> “The malware’s objective, in addition to hiding malicious activity on the machine, is to harvest credentials and provide remote access for the threat actor. The credentials are first encrypted with RC4 using an embedded key, and then written to a file.
> 
> In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address record requests to a domain name controlled by the threat actor.”

The researchers further report that Symbiote impersonated Brazilian bank websites, suggesting Brazilians are the target of this campaign. The IP address of these domains is linked to the Njalla Virtual Private Server (VPS) service. Furthermore, “Passive DNS records showed that the same IP address was resolved to ns1\[.\]cintepol\[.\]link and ns2\[.\]cintepol\[.\]link a few months earlier.”

Cintepol is said to be the intelligence portal of the Federal Police of Brazil, which allowed its police officers to access intelligence from the federal police when investigating. This fake Cintepol site was abandoned in January 2022 in favor of another domain pointing to another Njalla VPS IP.

**Protect against Symbiote**

The threat actors behind Symbiote put a lot of effort into making it as under-the-radar as possible. However, Vulcan Cyber’s Mike Parkin, senior technical engineer, said in an interview with Dark Reading that the evasion tactics in Symbiote can still be detected by other network monitoring tools that can pinpoint malicious traffic and the infected Linux system.

Parkin further added that several endpoint tools should be able to identify malicious changes on infected systems.

“There are also forensic techniques that can use the malware’s own behavior against it to reveal its presence,” Parkin noted. “They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ.”

The Blackberry and Intezer report contains many indicators of compromise (IOCs) that IT admins should use to beef up the security of their Linux boxes.

You can also read our article on Malwarebytes’ EDR for Linux.

Stealthy Symbiote Linux malware is after financial institutions

Many consumers still relying on easy-to-crack passwords, warns Digital Shadows

John Leyden 15 June 2022 at 14:26 UTC

Many consumers still relying on easy-to-crack passwords, warns Digital Shadows

An eye-watering 24 billion usernames and passwords available on the dark web – an increase of 65% in just two years, according to a new study from Digital Shadows.

Some combinations are advertised more than once on forums, but even after removing duplicates, Digital Shadows still found that 6.7 billion unique credentials exist – an increase of approximately 1.7 billion or 34% in two years.

A study (PDF) from the threat intel firm, published on Wednesday (June 15), found that despite this, consumers continue to use easy to guess passwords.

For example, around 0.46% of all passwords – nearly one in every 200 – is ‘123456’. Keyboard combinations such as ‘qwerty’ or '1q2w3e’ are also all too commonplace.

In response to questions from The Daily Swig, Digital Shadows said most of the credentials collected and analyzed in its report come from organizations whose databases have been breached before password hashes are cracked and passwords leaked on cybercriminal forums. Login credential initially stolen through phishing attacks, and often using specialist phishing kits with another significant vector of credential pwnage.

Catch up on the latest password-related security news

Easy-to-use tools commonly available through criminal marketplaces at minimal cost or for free make it straightforward for even unskilled script kiddies to crack weak passwords.

Simply adding a ‘special character’ (such as @ # or \_) to a basic 10-character password makes it far harder to crack passwords and therefore makes it much less likely that a person will fall victim to an attack, with criminals instead attacking accounts that are easier to breach.

Digital Shadows reports that the sale of stolen and cracked credentials remains a mainstay of sales through cybercrime forums and marketplaces.

"Stolen credentials are one of the most crucial access tokens for a variety of cybercriminals and state-sponsored groups’ operations," Digital Shadows told The Daily Swig. "As such, the market for them is constantly florid and threat groups scramble to put their hands on these valuable assets."

**Progressively worse**

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that despite industry attempts to move beyond passwords as an authentication mechanism, the issue of breached credentials remains pressing – and is becoming progressively worse over time.

“Criminals have an endless list of breached credentials they can try but adding to this problem is weak passwords which means many accounts can be guessed using automated tools in just seconds,” Morgan said.

Morgan added: “In just the last 18 months, we at Digital Shadows have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices.

YOU MAY ALSO LIKE Cybercriminals use reverse tunneling and URL shorteners to launch ‘virtually undetectable’ phishing campaigns

“Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts,” they concluded.

In a blog post, Digital Shadows summarizes the findings from its research as well as offering advice on password security best practices.

Its top tips include advising users to switch to using a password manager and adding multi-factor authentication to their online accounts so that a password alone (even if compromised) is not enough to gain access.

READ MORE Volatile market for stolen credit card data shaken up by sanctions against Russia

Dark web awash with breached credentials, study finds

Organizations that can break out of siloed data and apply context can transform intelligence into actionable, relevant security knowledge.

For organizations struggling to defend against today's onslaught of cyberattacks, data can be both a blessing and a curse. Companies rely on data they get from outside sources, such as Cybersecurity and Infrastructure Security Agency (CISA) alerts, vendors, and threat intelligence feeds. However, all that information can be overwhelming if you don't know how to use it. Meanwhile, companies often overlook important data that resides inside their own environments.

To use threat intelligence effectively, you first need to understand what's happening inside your own environment and how your employees use network resources. With this context, you can interpret, tailor, and apply threat intelligence in a way that is specific and unique to your organization. This bespoke baseline enables you to identify anomalies in your environment and the issues they pose. All the outside threat data in the world won't help you if you don't know what your internal systems are supposed to be doing.

In general, there is too much reliance on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security craftsmanship. As security professionals, it's not our job to stare at the great and powerful Oz but to look behind the curtain.

For example, antivirus and endpoint detection and response (EDR) tools help security teams reduce the noise of logs, keep an eye on endpoints, and identify known threats, but they won't identify all the threats in your environment. Relying on traditional tools alone is practically a guarantee of failure. Sophisticated attackers reverse engineer the same tools you rely on to protect your systems. They know how those tools work, what their capabilities are, and what their weaknesses are. Why should the attacker know more about your systems than your security team does?

**Three Tips**

Use these tips for turning your threat intel into security knowledge:

1\. **Use multiple sources of data.** By all means, take advantage of threat intel feeds and CISA alerts, but know their limitations. Threat intel feeds have limited types of information — tactics, techniques, IP addresses, domain names, or file hashes — and by the time you get the alerts, the information can be months old. New information needs to be leveraged against not only the way your systems are today but the way they were in the past. By being able to view insights across time, you achieve a new level of security awareness and confidence in your continuous security integrity.

2\. **Make the data actionable.** Security professionals often don't see threat intel as valuable because it typically lacks context. A list of IP addresses is just data if you don't understand why (and when) the addresses are considered bad. Organizations often subscribe to more than a dozen feeds, which means they will get potentially millions of pieces of information daily. The majority of this information will either lead to false positives or be irrelevant to the organization's business. The cost of this is twofold. First, there is the cost of using this information in your security gear. Imagine trying to match millions of indicators of compromise against log volume from EDR, network detection and response, and intrusion detection systems. There is also a cost associated with dealing with those red herrings.

The best solution is to consider threat intel obtained from third parties as a springboard for analysis, not the end result. For example, a feed may indicate that a file with a particular MD5 hash is malicious. While your systems may not have that exact file on them, they could have variants that are unknown to the feed provider. Understanding the similarities and connections of what exists in your environment and how far removed they are from data in threat intel feeds is the next evolutionary step in becoming a true security practitioner.

3**. Adopt a security knowledge mindset.** Threat intel is not something you have, it's something you do. Don't blindly buy a security product just because it's there; understand how it works and what its limitations are. Ask yourself the question, "How might an attacker evade it?" Security consumers would never ask questions like that, while practitioners engage across teams and functions. They break through team-siloed thinking and facilitate bidirectional sharing of knowledge. What one incident responder may attribute to "strange activity" might shed light on an active threat research case.

Functional walls around security operations center (SOC), incident response, and research teams interfere with effective communication and information sharing. All three should feed information to each other in real time. They use different tools. For example, SOCs use SIEMs, IR uses forensic tools, threat intel folks use threat intel platforms. Executives need to formalize an operational structure that breaks down the silos and reduces tool fragmentation that prohibits security knowledge between teams.

**Conclusion**

Threat intel is a good thing, but if you're locked in a silo, its effectiveness is diminished. If you can break out of the silos and apply context, intelligence can be transformed into actionable security knowledge that's specific to your organization. And to make it happen, a top-down appreciation of the value of this is required from the CEO and board of directors all the way through to the security practitioners.

Tag

#intel