A novel hardware attack dubbed PACMAN has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.
It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT

A novel hardware attack dubbed **PACMAN** has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.

It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan said in a new paper.

What's more concerning is that "while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.

The vulnerability is rooted in pointer authentication codes (PACs), a line of defense introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.

PACs aim to solve a common problem in software security, such as memory corruption vulnerabilities, which are often exploited by overwriting control data in memory (i.e., pointers) to redirect code execution to an arbitrary location controlled by the attacker.

While strategies like Address Space Layout Randomization (ASLR) have been devised to increase the difficulty of performing buffer overflow attacks, the goal of PACs is to ascertain the "validity of pointers with minimal size and performance impact," effectively preventing an adversary from creating valid pointers for use in an exploit.

This is achieved by protecting a pointer with a cryptographic hash — called a Pointer Authentication Code (PAC) — to ensure its integrity. Apple explains PACs as follows -

_Pointer authentication works by offering a special CPU instruction to add a cryptographic signature — or PAC — to unused high-order bits of a pointer before storing the pointer. Another instruction removes and authenticates the signature after reading the pointer back from memory. Any change to the stored value between the write and the read invalidates the signature. The CPU interprets authentication failure as memory corruption and sets a high-order bit in the pointer, making the pointer invalid and causing the app to crash._

But PACMAN "removes the primary barrier to conducting control-flow hijacking attacks on a platform protected using pointer authentication." It combines memory corruption and speculative execution to circumvent the security feature, leaking "PAC verification results via microarchitectural side channels without causing any crashes."

The attack method, in a nutshell, makes it possible to distinguish between a correct PAC and incorrect hash, permitting a bad actor to "brute-force the correct PAC value while suppressing crashes and construct a control-flow hijacking attack on a PA-enabled victim program or operating system."

The crash prevention, for its part, succeeds because each PAC value is speculatively guessed by exploiting a timing-based side channel via the translation look-aside buffer (TLB) using a Prime+Probe attack.

Speculative execution vulnerabilities, as observed in the case of Spectre and Meltdown, weaponize out-of-order execution, a technique that's used to bring about a performance improvement in modern microprocessors by predicting the most likely path of a program's execution flow.

However, it's worth noting that the threat model presumes that there already exists an exploitable memory corruption vulnerability in a victim program (kernel), which, in turn, allows the unprivileged attacker (a malicious app) to inject rogue code into certain memory locations in the victim process.

"This attack has important implications for designers looking to implement future processors featuring pointer authentication, and has broad implications for the security of future control-flow integrity primitives," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

MIT Researchers Discover New Flaw in Apple M1 CPUs That Can't Be Patched

This affects all versions of package posix.
 When invoking the toString method, it will fallback to 0x0 value, as the value of toString  is not invokable (not a function), and then it will crash with type-check.



Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-POSIX-2400719
    
*   **published**
    
    7 Jun 2022
    
*   **disclosed**
    
    14 Feb 2022
    
*   **credit**
    
    Snyk Research Team
    

**How to fix?**

There is no fixed version for posix.

**Overview**

posix is a missing POSIX system calls for Node.

Affected versions of this package are vulnerable to Denial of Service (DoS). When invoking the toString method, it will fallback to 0x0 value, as the value of toString is not invokable (not a function), and then it will crash with type-check.

**PoC**

    const posix = require('posix')
    
    try{
            console.log('[!] Trying invokation')
            posix.setegid({toString:1});
            console.log('[!] Made it!')
    }catch(e){
            console.log('[!] Excepted')
            console.error(e)
    }
    
    console.log("but we ok")
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-21211: Denial of Service (DoS) in posix | CVE-2022-21211 | Snyk

The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-JPEGJS-2859218
    
*   **published**
    
    7 Jun 2022
    
*   **disclosed**
    
    6 Jun 2022
    
*   **credit**
    
    Sohom Datta
    

**How to fix?**

Upgrade jpeg-js to version 0.4.4 or higher.

**Overview**

Affected versions of this package are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.

**PoC**

1.  Create a npm workspace npm init
2.  Install the jpeg-js library
3.  Create a JS file with the following code: \`\`\`js const jpeg = require('jpeg-js');

let buf = Buffer.from( 'ffd8ffc1f151d800ff51d800ffdaffde', 'hex' ); jpeg.decode( buf );

\`\`\` 4) Run the file and observe that the code never stops running

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25851: Denial of Service (DoS) in jpeg-js | CVE-2022-25851 | Snyk

A Linux-based banking Trojan is a master at staying under the radar.

A stealthy Linux threat called Symbiote is targeting financial institutions in Latin America, with all file, processes, and network artifacts hidden by the malware, making it virtually invisible to detection by live forensics.

The malware was first uncovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach to infecting running processes, rather than using a stand-alone executable file to inflict damage.

It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.

"It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it allows you to see only what it wants you to see," Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. "Essentially, you can't trust what the machine is telling you."

However, it can be detected externally, he says, since it exfiltrates stolen credentials via the DNS requests.

Kennedy says the domain names the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.

"While we couldn't tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain," he says.

**Shared Object Library**

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.

Symbiote uses the LD\_PRELOAD variable that allows it to be pre-loaded by applications before other shared object libraries.

"This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect," she says.

The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic typically for the purposes of an investigation.

BPF is a tool embedded within several Linux operating systems that allows users to filter out certain packets depending on the type of investigation they are performing, which can reduce the overall results, making analysis easier.

"The Symbiote malware is designed to essentially filter its traffic out of the packet capture results," Hoffman explains. "This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar."

Kennedy adds that this is the first time the BPF hooking functionality has been observed operating in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.

"This malware instead uses this method to hide network activity," he says. "It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”

**Easier to Attack?**

Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.

He explains that the attackers went out of their way to hide their malware from anything that's running on the infected system, leveraging BPF to hide their communications traffic.

"While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source," he says.

He explains that there are several endpoint tools available that should identify changes on a victim system.

"There are also forensic techniques that can use the malware's own behavior against it to reveal its presence," he notes. "The authors who created Symbiote went to great lengths hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ."

Kennedy says that the most important action is to focus on the techniques used by this malware to ensure that you can detect and/or protect against those, whether you're protecting against Symbiote or another attack that uses the same technique.

"I would say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware," he says. "Since it doesn’t get as much attention as Windows malware, we don't know what else is out there that hasn’t been discovered yet."

Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry

The House committee's televised hearings interrogate the Capitol attack with damning new evidence. Whether it's enough to prevent another one is uncertain.

It’s hard to tell which fact should shock us most out of the first, surprisingly compelling public hearing of the congressional committee investigating the insurrection at the US Capitol on January 6.

Jared Kushner brushing aside as mere “whining” the repeated resignation threats from White House counsel and its top lawyers in the face of Donald Trump’s ongoing push to overturn the election?

The fact that even as rioters surged through the Capitol and members of Congress fled in terror, Donald Trump, the president of the United States, never once spoke to any corner of the US government to ask for help—never once called the Justice Department, Homeland Security, or the Pentagon?

The committee’s allegations that members of Congress sought presidential pardons for their own roles in the January 6 events?  

Or the simple power of a brave police officer talking about our nation’s most sacred democratic space as a “war zone” and how—repeatedly injured by the rioters that the GOP has sought in the last 18 months to reframe as “normal tourists” engaged in “legitimate political discourse”—she slipped on others’ blood spread across the steps of the US Capitol? 

After months of behind-the-scenes investigation, wide-ranging subpoenas, witness depositions, document reviews, countless hours of reviewing video footage, and delicate internal political machinations, the public portion of the House’s January 6 select committee kicked off Thursday night with a two-hour blockbuster that immediately established the stakes of the work—the former president of the United States attempted nothing less than a coup to remain in power—and recentered its work as one of the most important political investigations in our lifetime.

Committee vice-chair Rep. Liz Cheney, a Wyoming Republican who has been excoriated by her own party for agreeing to participate in the investigation alongside Republican Rep. Adam Kinzinger of Illinois, provided a captivating introduction and overview of the events of January 6, 2021. She also highlighted what the committee will explore over the course of roughly a half-dozen hearings this month and immediately gave the lie to GOP dismissals of the investigation as nothing more than a political witch hunt.

The skillful—and politically courageous—presentation by Cheney, followed up by multiple video segments produced by the committee, highlights the coordination among armed, white nationalist militia groups like the Proud Boys and Oath Keepers, as well as the singular role Donald Trump played in stoking lies that the election had been stolen and then inviting his supporters to come to Washington on January 6 to protest—protests that quickly escalated into a brutal, violent assault on the Capitol that had lawmakers fleeing for their lives. One of the most powerful video clips showed staffers of Republican leader Kevin McCarthy—who has long downplayed the Capitol assault—evacuating their House offices in terror. Other clips showed the crowd chanting, “Hang Mike Pence” and insurrectionists screaming in the face of police to demand that they hand over House speaker Nancy Pelosi. Cheney closed her poised and pointed presentation with a warning to the hundreds of her GOP colleagues who have excused the events of 1/6: “There will come a day when Donald Trump is gone, but your dishonor will remain.”

Committee chair Rep. Bennie Thompson, Democrat of Mississippi, outlined how future hearings would focus on the particulars of the conspiracy and the careful construction of Trump’s knowing lies—committee members explained that they saw in Trump’s behavior a “sophisticated” seven-step plan for overturning the election—but Thursday’s hearing mostly focused on reminding Americans of the stakes involved. This was no ordinary political protest. This was no ordinary election loss. The actions of Donald Trump before, during, and after the January 6 Capitol assault instead marked an end to America’s 240-year tradition of peaceful transitions of presidential power.

Instead, Donald Trump embarked on a concerted effort to use the tools of the presidency and the US government to overturn the legitimate, authentic election results—even though his own staff told him, according to their depositions aired Thursday in the hearing, that “there was no there there.”

First Trump lied to the public. Then he tried to weaponize the Justice Department to back his lies. He pressured state election officials and legislators to embrace far-fetched legal theories and change their states’ election results. His team worked to invent and send to Washington invalid slates of electors, in the hopes that Congress would recognize them and allow him to overturn his loss. He summoned supporters and encouraged armed groups to join him in DC on January 6, promising in a tweet that it “will be wild.” Then he pressured Vice President Mike Pence to violate his constitutional oath and refuse to certify the valid election results ahead of January 6. And lastly, he seemingly refused to lift a finger—either to place a telephone call or send a tweet—to summon federal aid as the Capitol and legislative branch remained under violent assault for hours. Instead, according to the committee, only Vice President Pence—himself hiding at a secure loading dock inside the Capitol complex after being hastily evacuated from the Senate chamber above—contacted the military and ordered them to respond and secure the Capitol.

Taken together, it is the most audacious, calculated, and unconstitutional plot America has faced in its history—one that came far closer to success than anyone imagined.

Over the course of those two hours, the committee succeeded in reframing the national conversation and focused on the true horror of January 6. In doing so, it surely raised the pressure on the Justice Department, which is conducting a seemingly slow-moving parallel investigation that has seen hundreds of low-level indictments and charges against January 6 rioters—including the arrest just yesterday of a GOP gubernatorial candidate in Michigan—and a number of more serious “seditious conspiracy” indictments against Oath Keepers and Proud Boys leaders. Thus far, it has stopped short of penetrating Donald Trump’s motley collection of enablers, grifters, and hangers-on.

Despite the shocking clarity of the committee’s opening presentation, it remains uncertain at best whether it will be able to break through America’s political polarization and its increasingly separate-and-unequal media ecosystems. Fox News, alone among the major networks, refused to air the hearings live and instead allowed its host Tucker Carlson, who increasingly features openly white nationalist positions, to spew venom to his millions of prime-time viewers during an hour-long show, unusually uninterrupted by commercials.

In many ways, Fox’s decision to double down on Tucker Carlson’s lies Thursday night is unsurprising. The network’s decision in the weeks after the 2020 election—as Donald Trump built up the Big Lie and set the kindling for January 6—to embrace Trump’s lies and undermine the legitimacy of then-President-elect Joe Biden’s victory makes it all but an unindicted co-conspirator in the violence on Capitol Hill.

The challenge America now faces, heading into next week’s follow-up hearings, is that none of us know what part of Donald Trump’s story we’re living in—the beginning, the middle, or the end? The committee’s work ahead is to convince America to view January 6 as a turning point, not a warning that we will later say went ignored.

There’s a saying, after all, that there’s no such thing as an unsuccessful coup. An unsuccessful coup is just practice.

The January 6 Hearing Was a Warning

The commission argues that legislative action is needed to ensure a well-functioning market for AI systems that balances benefits and risks.

The European Commission (EC) is currently debating new rules and actions for trust and accountability in artificial intelligence (AI) technology through a legal framework called the EU AI Act. Its aim is to promote the development and uptake of AI while addressing potential risks some AI systems can pose to safety and fundamental rights.

While most AI systems will pose low to no risk, the EU says, some create dangers that must be addressed. For example, the opacity of many algorithms may create uncertainty and hamper effective enforcement of existing safety and rights laws.

The EC argues that legislative action is needed to ensure a well-functioning internal market for AI systems where both benefits and risks are adequately addressed.

"The EU AI Act aims to be a human centric legal-ethical framework that intends to safeguard and protect human rights and fundamental freedoms from violations of these rights and freedoms by algorithms and smart machines," says Mauritz Kop, Transatlantic Technology Law Forum Fellow at Stanford Law School and strategic intellectual property lawyer at AIRecht.

The right to know whether you are dealing with a human or a machine — which is becoming increasingly more difficult as AI becomes more sophisticated — is part of that vision, he explains.

Kop notes that AI is now mostly unregulated, except for a few sector-specific rules. The act aims to address the legal gaps and loopholes by introducing a product safety regime for AI.

"The risks are too high for nonbinding self-regulation by companies alone," he says.

**Effects on AI Innovation**

Kop admits that regulatory conformity and legal compliance will be a burden, especially for early AI startups developing high-risk AI systems. Empirical research that shows the GDPR – while preserving privacy and data protection and data security – had a negative effect on innovation, he notes.

Risk classification for AI is based on the intended purpose of the system, in line with existing EU product safety legislation. Classification depends on the function the AI system performs and on the specific purpose and modalities for which the system is used.

"The legal uncertainty surrounding \[regulation\] and the lack of budget to hire specialized lawyers or multidisciplinary teams still are significant barriers for a flourishing AI startup and scale-up ecosystem," Kop says. "The question remains whether the AI Act will improve or worsen the startup climate in the EU."

The EC will determine which AI gets classified as "high risk" using criteria that are still under debate, creating a list of examples of high-risk systems to help guide judgment.

"It will be a dynamic list that contains various types of AI applications used in certain high-risk industries, which means the rules get stricter for riskier AI in healthcare and defense than they are for AI apps in tourism," Kop says. "For instance, medical AI is \[classified as\] high risk to prevent direct harm to patients due to AI errors."

He notes there is still controversy about the criteria and definition of AI that the draft uses. Some commentators argue it should be more technology-specific, aimed at certain riskier types of machine learning, such as deep unsupervised learning or deep reinforcement learning.

"Others focus more on the intent of the system, such as social credit scoring, instead of potential harmful results, such as neuro-influencing," Kop added. "A more detailed classification of what 'risk' entails would thus be welcome in the final version of the act."

**Facial Recognition as a High-Risk Technology**

Joseph Carson, chief security scientist and advisory CISO at Delinea, participated in several of the talks around the act, including as a subject matter expert in the use of AI in law enforcement and articulating the concerns around security and privacy.

The EU AI Act, he says, will mainly affect those organizations that already collect and process personal identifiable information. Therefore, it will impact how they use advanced algorithms in processing the data.

"It is important to understand the risks if no regulation or act is in place and what the possible impact \[is\] if organizations abuse the combination of sensitive data and algorithms," Carson says. "The future of the Internet is a scary place, and the enforcement of the EU AI Act allows us to embrace the future of the Internet using AI with both responsibility and accountability."

Regarding facial recognition, he says the technology should be regulated and controlled.

"It has many amazing uses in society, but it must be something you opt in and agree to use; citizens must have a choice," he says. "If no act is in place, we will see a significant increase in deepfakes that will spiral out of control."

Malin Strandell-Jansson, senior knowledge expert at McKinsey & Co, says facial recognition is one of the most debated issues in the draft act, and the final outcome is not yet clear.

In its draft format, the AI Act strictly prohibits the use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, as it poses particular risks for fundamental rights – notably human dignity, respect for private and family life, protection of personal data, and nondiscrimination.

Strandell-Jansson points out a few exceptions, including use for law enforcement purposes for the targeted search for specific potential victims of crime, including missing children; the response to the imminent threat of a terror attack; or the detection and identification of perpetrators of serious crimes.

"Regarding private businesses, the AI Act considers all emotion recognition and biometric categorization systems to be high-risk applications if they fall under the use cases identified as such — for example, in the areas of employment, education, law enforcement, migration, and border control," she explains.

As such, potential providers would have to subject such AI systems to transparency and conformity obligations before putting them on the market in Europe.

**The Time to Act on AI Is Now**

Dr. Sohrob Kazerounian, AI research lead at Vectra, an AI cybersecurity company, says the need to create a regulatory framework for AI has never been more pressing.

"AI systems are rapidly being integrated into products and services across wide-ranging markets," he says. "Yet the trustworthiness and interpretability of these systems can be rather opaque, with poorly understood risks to users and society more broadly."

While some existing legal frameworks and consumer protections may be relevant, applications that use AI are sufficiently different enough from traditional consumer products that they necessitate fundamentally new legal mechanisms, he adds.

The overarching goal of the bill is to anticipate and mitigate the most critical risks resulting from the use and failure of AI, with actions ranging from banning systems deemed to have "unacceptable risk" altogether to heavy regulation of "high-risk" systems. Another, albeit less-noted, consequence of the framework is that it could provide clarity and certainty to markets about what regulations will exist and how they will be applied.

"As such, the regulatory framework may in fact result in increased investment and market participation in the AI sector," Kazerounian said.

**Limits for Deepfakes and Biometric Recognition**

By addressing specific AI use cases, such as deepfakes and biometric or emotional recognition, the AI Act is hoping to ameliorate the heightened risks such technologies pose, such as violation of privacy, indiscriminate or mass surveillance, profiling and scoring of citizens, and manipulation, Strandell-Jansson says.  

"Biometrics for categorization and emotion recognition have the potential to lead to infringements of people's privacy and their right to the protection of personal data as well as to their manipulation," she says. "In addition, there are serious doubts as to the scientific nature and reliability of such systems."

The bill would require people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Although that's a promising step, it raises a couple of potential issues.

Overall, Kazerounian says it is "undoubtedly" a good start to require increased visibility for consumers when they are being classified by biometric data and when they are interacting with AI-generated content rather than real humans or real content.

"Unfortunately, the AI act specifies a set of application areas within which the use of AI would be considered high-risk, without necessarily discussing the risk-based criteria that could be used to determine the status of future applications of AI," he said. "As such, the seemingly ad-hoc decisions about which application areas are considered high-risk simultaneously appear to be too specific and too vague."

Current high-risk areas include certain types of biometric identification, operation of critical infrastructure, employment decisions, and some law enforcement activities, he explains.

"Yet it isn't clear why only these areas were considered high-risk and furthermore doesn't delineate which applications of statistical models and machine-learning systems within these areas should receive heavy regulatory oversight," he adds.

**Possible Groundwork for Similar US Law**

It is unclear what this act could mean for a similar law in the US, Kazerounian says, noting that it has now been more than half a decade since the passing of GDPR, the EU law on data regulation, without any similar federal laws following in the US — yet.

"Nevertheless, GDPR has undoubtedly influenced the behavior of multinational corporations, which have either had to fracture their policies around data protections for EU and non-EU environments or simply have a single policy based on GDPR applied globally," he said. "In any case, if the US decides to propose legislation on the regulation of AI, at a minimum it will be influenced by the EU act."

EU Debates AI Act to Protect Human Rights, Define High-Risk Uses

So-called Symbiote malware, first found targeting financial institutions, contains stealthy rootkit capabilities.

A new malware variant attacking Linux systems that steals credentials and allows for remote access to victim machines camouflages so well that the researchers studying it say they can't conclude if it's being used in targeted or larger-scale attack campaigns.

Security researchers from Intezer and BlackBerry's Research & Intelligence Team say the so-called Symbiote malware is unusual in that it's not a pure executable file: it's actually a shared object library that loads itself into a machine's running processes using the LD\_Preload file in Linux. "Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability," the researchers wrote in a blog post this week.

Symbiote was first sighted in November of 2021, they said, and at the time appeared to be created for attacking financial institutions in Latin America.

"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges," the researchers wrote.

While detecting the rootkit is a major challenge, the researchers said organizations should watch for anomalous DNS requests. But relying on antivirus and endpoint detection and response tools to detect it is moot: They can be compromised by the rootkit since it's embedded in "userland," the researchers warned.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Linux Malware 'Nearly Impossible to Detect'

A new research undertaken by a group of academics from the University of California San Diego has revealed for the first time that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals).
The identification, at its core, hinges on imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a "unique physical-layer

A new research undertaken by a group of academics from the University of California San Diego has revealed for the first time that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals).

The identification, at its core, hinges on imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a "unique physical-layer fingerprint."

"To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals," the researchers said in a new paper titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices."

The attack is made possible due to the ubiquitous nature of Bluetooth Low Energy (BLE) beacons that are continuously transmitted by modern devices to enable crucial functions such as contact tracing during public health emergencies.

The hardware defects, on the other hand, stem from the fact that both Wi-Fi and BLE components are often integrated together into a specialized "combo chip," effectively subjecting Bluetooth to the same set of metrics that can be used to uniquely fingerprint Wi-Fi devices: carrier frequency offset and IQ imbalance.

Fingerprinting and tracking a device then entails extracting CFO and I/Q imperfections for each packet by computing the Mahalanobis distance to determine "how close the features of the new packet" are to its previously recorded hardware imperfection fingerprint.

"Also, since BLE devices have temporarily stable identifiers in their packets \[i.e., MAC address\], we can identify a device based on the average over multiple packets, increasing identification accuracy," the researchers said.

That said, there are several challenges to pulling off such an attack in an adversarial setting, chief among them being that the ability to uniquely identify a device depends on the BLE chipset used as well as the chipsets of other devices that are in close physical proximity to the target.

Other critical factors that could affect the readings include device temperature, differences in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio used by the malicious actor to execute the fingerprinting attacks.

"By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks, others have common fingerprints, they will often be misidentified," the researchers concluded.

"BLE does present a location tracking threat for mobile devices. However an attacker's ability to track a particular target is essentially a matter of luck."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones

A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.

\# Exploit Title: Privilege Escalation via Forced Browsing

\# Google Dork: NA

\# Date: 11/03/2022

\# Exploit Author: Ali J.

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

\# Version: 1.0

\# Tested on: Windows 10

\# CVE : CVE-2021-44582

Steps to Reproduce:

1\. Login to the Money Transfer Management System with admin credentials and copy the URL.

2\. Logout from the admin role and login with the normal user credentials, observe the available modules on the left side.

3\. Paste the admin URL and observe that the application is vulnerable to Privilege Escalation via Forced Browsing.

CVE-2021-44582: CVE-2021-44582/Privilege Escalation via Forced Browsing in Sourcecodester Money Transfer Management System at main · warmachine-57/CVE-2021-44582

Sysadmins should update their installations immediately

Jessica Haworth 10 June 2022 at 12:34 UTC

Sysadmins should update their installations immediately

Two flaws in the web interface of a Fujitsu cloud storage system could allow an unauthenticated attacker to read, write, and destroy backed up files.

The security vulnerabilities were present in the enterprise-grade Fujitsu Eternus CS8000 (Control Center) V8.1.

Researchers from NCC Group found two separate issues due to a lack of user input validation in two PHP scripts, which are normally included post-authentication.

Both flaws, a command injection in and a command injection in , could allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.

Read more of the latest web security research here

As no include-guards are in-place, the attacker is able to trigger the script without prior authentication by calling it directly.

This would enable them to take control over the appliance as if they were logged in directly via a secure shell.

“If exploited, the attacker obtains limited user privileges on the machine as the ‘www-data’ user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative ‘root’ user of the system,” a blog post from NCC Group reads.

“Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.”

**Patch now**

The issues were discovered during a penetration test conducted by NCC Group on behalf of a client. They were then reported to Fujitsu, which has since patched the bugs (PDF).

Fujitsu said it has “no knowledge” of any working exploit code, and has seen no successful attempts to exploit the vulnerabilities in the wild.

NCC Group advised users to upgrade to the latest version of the software immediately. It has also listed other recommendations to mitigate the bugs in the blog post.

The Daily Swig has reached out to both NCC Group and Fujitsu for comment and will update this article accordingly.

DON’T MISS Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

Tag

#mac