The RISC-V chip architecture is gaining popularity worldwide, but the fact that it is easy to modify the processor design means it is also easy to introduce hard-to-patch vulnerabilities in the chips.

Source: Science Photo Library via Alamy Stock Photo

An emerging chip architecture gaining traction in smartphones, automotive technologies, and other electronics may find adoption stymied by security concerns.

Using x86 and ARM processors for hardware development can get expensive because of royalties that have to be paid to the owners (Intel and Arm). RISC-V is an instruction set on which customers can personalize silicon chips to meet their needs, much like how Lego blocks are put together. RISC-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

RISC-V is drawing interest among companies in the auto, critical infrastructure, and industrial sectors. For example, NASA is creating chips based on RISC-V that it intends to use in its space programs. Omdia estimates RISC-V shipments could tally 17 billion processors in 2030, improving 50% every year starting in 2024.

"46% of those processors are expected to be found in industrial applications, although the biggest growth over the forecast period will come in the automotive segment," Omdia said.

**Vulnerabilities in Designs**

RISC-V's open-source ethos is its biggest advantage, but also a liability: bad actors could introduce backdoors in the chip designs. Vulnerabilities in RISC-V chips used in automotive technology or critical infrastructure could be disastrous.

At Black Hat USA in August, researchers disclosed Ghostwrite, which allows users to bypass memory protection and access privileged memory in a RISC-V chip design called Xuantie C910. The Xuantie C910, designed by T-Head, a subsidiary of China-based Alibaba Group, received a lot of publicity when it was launched three years ago. It was one of the earliest RISC-V processors with a vector extension, which helps CPUs run demanding applications that include AI.

The vulnerability is particularly concerning because it affects the chip's proprietary vector extension, which wasn't properly implemented, says Fabian Thomas, a researcher in the group at CISPA Helmholtz Center for Information Security that discovered GhostWrite. Chip makers can patch the C910 by disabling the vector extension, but it will still be difficult to implement.

"People bought it and built 64-core machines because of that, and now we have to tell them to disable it," Thomas says.

**Shared Designs, Hard to Patch**

The issue is not in the RISC-V architecture itself, but in a faulty silicon implementation. Chip designers are enthusiastic about sharing RISC-V designs, but this means that designs with vulnerabilities may potentially be replicated and used in various areas. Resulting devices could be vulnerable to attack, and may be difficult to patch with microcode updates.

"The digital transformation happening in these sectors means they're all connected now, creating potential to exploit across all these very safety-critical systems," says Margaret Schmitt, a hardware security consultant.

It's already difficult to fix hardware vulnerabilities with firmware updates. The open nature of this chip architecture means it will be difficult to fix them in the field. "The silicon vulnerability is worse because you can't really fix them in the field in many cases... if it connects to critical infrastructure, this could be seen forever," says Alex Matrosov, CEO at Binarly.io.

There are hundreds of RISC-V designs available on GitHub to pick up, but security teams need to consider the risks of winding up with malicious chip designs with backdoors. "This is similar to open-source software projects where people \[make\] changes, saying 'I'm making it better,' but it's actually a backdoor or malware," Schmitt says.

The concern is especially heightened as the RISC-V architecture has become a priority for Russia and China, which are investing heavily in the technology to build homegrown chips. China and Russia ramped up RISC-V adoption after the U.S. banned the export of advanced chips to these countries amid trade and political hostilities.

The U.S. government has already talked about limiting RISC-V access to China, though that may be hard to do as the architecture is open source.

"You're seeing a potential basis for China to use this, a potential for unintended or intentionally added weaknesses to be a serious concern," says Schmitt.

**Working With Security Partners**

Organizations working with RISC-V chips on a shoestring budget may make the decision to sacrifice security, says Mike Eftimakis, vice president of strategy and ecosystem at Codasip, a software company.

"To be able to find a bug, you have to have the infrastructure behind you. It's very expensive and requires specialized knowledge, so it naturally shrinks the base of people who could potentially help with the verification of these devices," Eftimakis says.

Hardware security experts recommended going to established RISC-V companies with solid security processes, a strong customer base, and a good track record of designing chips. One example is Santa Clara, Calif.-based SiFive, which handles security analysis and rigorous compliance testing in its cores. The company has a large customer base that includes Google and NASA, a spokesman said in an email.

Another RISC-V company, Cupertino, Calif-based Ventana Micro Systems, uses the Caliptra specification to put security features directly in computing chips. Caliptra was developed by the Open Compute Project, a coalition which includes Google, Microsoft, AMD, and Nvidia.

Ventana Micro leaders have extensive experience working with x86 and ARM architectures, and are using that experience to secure RISC-V chips. "We applied these learnings during our ground-up development and have many patented features targeted at making our microarchitecture resilient to attacks," a company spokesperson said in an email.

**About the Author**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Security Concerns Plague Emerging Chip Architecture

The latest version of the evolving threat is a multistage attack demonstrating a move away from ransomware to purely espionage activities, typically targeting Ukraine and its supporters.

Source: Peter Treanor via Alamy Stock Photo

The RomCom cyber-espionage malware that rampaged through the Ukraine military and its supporters last year has resurfaced with a new variant. It leverages valid code-signing certificates to fly under the radar, allowing attackers to execute commands and download additional malicious files onto a victim's system in a multistage attack.

The variant, called SnipBot by researchers at Palo Alto's Unit 42, appears to have been spreading since December, picking up where the last version of RomCom left off, they revealed in analysis published this week. The malware is based on RomCom 3.0., but it also shares techniques already seen in RomCom 4.0, making it version 5.0 of the original RomCom remote access Trojan (RAT) family.

Earlier attacks of the actor behind RomCom — which also targeted supporters of Ukraine — often included ransomware payloads in addition to cyber-espionage activities. However, Unit 42 now believes that the attackers behind the malware have pivoted away from financial gain to exclusively focusing on intelligence-gathering, according to the post.

Even so, "the attacker's intentions are difficult to discern given the variety of targeted victims, which include organizations in sectors such as IT services, legal, and agriculture," Unit 42's Yaron Samuel and Dominik Reichel wrote in the analysis.

Related:Dark Reading News Desk Live From Black Hat USA 2024

**Email Kicks Off Initial RomCom Attack**

SnipBot first appears in either an executable downloadable file masquerading as a PDF, or as an actual PDF file sent to a victim in a phishing email that leads to an executable. The malware includes "a basic set of features that allows the attacker to run commands on a victim's system and download additional modules," the researchers wrote.

The PDF file shows distorted text that states a font is missing that's needed to show it correctly.

"If the victim clicks on the contained link that’s purported to download and install the font package, they will instead download the SnipBot downloader," the researchers wrote.

The malware itself is composed of several stages, with the executable file followed by remaining payloads that are either further executables or DLL files. Moreover, the downloader for the malware is always signed with a legitimate and valid code-signing certificate, the researchers noted.

"We don’t know how the threat actors obtain these certificates, but it's likely they steal them or gain them by fraud," they observed, adding that subsequent modules of the initial SnipBot malware were not signed.

**SnipBot's Infection Vector**

Related:Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

As mentioned, the downloader that delivers SnipBot is signed with a presumably stolen or spoofed certificate and also is obfuscated with a window message-based control-flow obfuscation algorithm; the malware's code is split up into multiple unordered blocks that are triggered by custom window messages.

The downloader also uses "two simple yet effective" anti-sandbox tricks, the researchers wrote. "The first one checks for the original file name by comparing the hashed process name against a hard-coded value," while the second one checks whether there are at least 100 entries in a particular Microsoft Windows registry, "which is usually the case on a regular user’s system but less likely to be the case in a sandbox system," they wrote.

Upon execution, the downloader contacts various command-and-control (C2) domains to retrieve a PDF file, and then subsequent payloads to the infected machine, the first of which provides spyware capability. Ultimately, the main module of SnipBot provides the attacker with command-line, uploading, and downloading capabilities on a victim’s system, as well as the ability download and execute additional payloads from C2.

Unit 42 also witnessed post-infection activity aiming to gather information about the company's internal network as well as attempts to exfiltrate a list of different files from the victim’s documents, downloads, and OneDrive folders to an external, attacker-controlled server.

Related:Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

**RomCom Remains an Active Threat**

The threat actor wielding RomCom has been active since at least 2022, and engages in various nefarious activities, including ransomware, extortion, and targeted credential gathering, likely to support intelligence-gathering operations. As mentioned, the threat actor seems to now be moving away from its previous financially motivated activities to engage exclusively in cyber espionage.

As SnipBot demonstrates an evolution in threat capabilities with novel obfuscation methods as well as post-exploitation activity, Unit 42 stressed "the need for organizations to remain vigilant and adopt advanced security measures to protect their systems and data from evolving cyberthreats," the researchers noted in their analysis.

Given the RomCom threat actor's interest in cyber espionage against Ukraine and its supporters, the Computer Emergency Response Team of Ukraine (CERT-UA) also has published information about the threat group and how it operates.

"This group is actively attacking employees of defense enterprises and the Defense Forces of Ukraine, constantly updating its malware arsenal, but their malicious activities are not limited to Ukraine," the agency warned.

CERT-UA advised organizations that may be targeted to remain vigilant about emails from unknown senders, even if they present themselves as a government employee, and to refrain from downloading or opening suspicious files.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

RomCom Malware Resurfaces With SnipBot Variant

The group has used more than 30 custom tools to target high-value government and telecommunications organizations on behalf of Iranian intelligence services, researchers say.

Source: Christophe Coat via Alamy Stock Photo

An advanced persistent threat (APT) tied to Iran's Ministry of Intelligence and Security (MOIS) is providing initial access services to a bevy of Iranian state hacking groups.

UNC1860 has been the gateway for attacks by notorious groups like Scarred Manticore and OilRig (aka APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten). As Mandiant explained in a recent blog post, its focus is exclusively on breaching and establishing a foothold in potentially valuable networks across high-value sectors — government, media, academia, critical infrastructure, and particularly telecommunications — then handing over access to other Iranian nation-state actors.

Over the years, UNC1860 has teamed up for attacks against targets in Iraq, Saudi Arabia, and Qatar; aided in espionage of Mideast telecommunications companies; prepared the ground for wiper attacks in Albania and Israel; and more.

**UNC1860's Many Backdoors**

In March, Israel's National Cyber Directorate warned that wiper attacks were striking organizations across the country, including managed service providers, local governments, and academic institutions. Among the indicators of compromise (IoCs) were a Web shell called "Stayshante" and a dropper called "Sasheyaway," just two of around 30 custom malware tools managed by UNC1860, the Mandiant report explained.

UNC1860 isn't the one doing the wiping, or any other disruptive, destructive, or otherwise exploitative behavior in a target's network. Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations, then dropping a series of increasingly serious and sophisticated backdoors. 

Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors like "Templedoor," "Faceface," and "Sparkload." For its highest-value targets, UNC1860 will deploy its most sophisticated, main-stage backdoors like "Templedrop," or "Oatboat," which loads and executes payloads such as "Tofupipe" and "Tofuload," TCP-based passive listeners.

"To set up those listeners, they are not even leveraging regular Windows API calls — they actually leverage some undocumented tools of HTTP.sys, which is crazy," says Stav Shulman, senior researcher with Mandiant by Google Cloud.

"Most backdoors would leverage common API calling, so most engines would detect them," Shulman explains. "But if you are determined enough, and clever enough, and if you have extraordinary technical knowledge, you can leverage calls that are not documented by the Microsoft Developer Network (MSDN). So UNC1860 actually reverse engineered them themselves, so that you won't detect their calls."

**UNC1860's Trick to Staying Undetected**

Besides its lack of destructive behavior, there's another reason why you hear about Scarred Manticore, Oil Rig, and Shrouded Snooper, but rarely UNC1860: All of UNC1860s implants are entirely passive. It doesn't send any information out from target networks, and doesn't need to maintain any kind of command-and-control (C2) infrastructure.

"Most detections today are very focused on outbound communications, but UNC1860 just focuses on inbound requests," Shulman says. "That inbound traffic they listen to can come from any number of stealthy sources \[including\] VPN nodes in proximity to the target, other victims of prior attacks, and other locations in a target's network."

In 2020, for example, the group was observed using one of its victims' networks as a launch point to scan for potentially vulnerable IP addresses in Saudi Arabia, vet various accounts and email addresses associated with domains in Saudi Arabia in Qatar, and target VPN servers in the same region.

And, as Shulman notes, "To escalate the operation, they only need to send one command at any random point in time to activate the backdoor." Because the group's implants utilize HTTPS-encrypted traffic, victims will not be able to decrypt its commands or payloads.

Shulman advises organizations to focus on how best to vet incoming network traffic.

"How do we detect \[malicious traffic\]? How do we decide if incoming traffic is malicious or not?" Shulman says. "Because even \[when UNC1860 is abusing\] documented API calls that cybersecurity engines would catch, there's plenty of legitimate software that use these same calls, so detecting malicious calls could be very confusing and have lots of false positives. Focusing on the incoming traffic is the key, I think, for detecting UNC1860's activity."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

The company has jettisoned hundreds of thousands of unused apps and millions of unused tenants as part of its Secure Future Initiative.

Source: JeanLucIchard via Shutterstock

Microsoft so far has eliminated some 730,000 unused applications and 5.75 million inactive tenants within its cloud environment as part of its sweeping Secure Future Initiative (SFI), designed to shore up security following a couple of major intrusions into its network over the past year.

The company has also deployed 15,000 new, locked-down devices for software production teams over the past three months and implemented video-based identity verification for 95% of its production staff. In addition, Microsoft has updated its Entra ID and Microsoft Account (MSA) processes for generating, storing, and rotating access token signing keys for public and government clouds.

**Secure Future Initiative**

The changes are part of a broader Microsoft effort to reduce its attack surface, strengthen cloud identity and authentication mechanisms, and boost its ability to detect and respond to threats. "Since the initiative began, we've dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history," said Charlie Bell, executive vice president of Microsoft Security in an update this week.

Microsoft launched SFI in November 2023, a few months after China's Storm-0558 breached the company's Exchange Online infrastructure and accessed email accounts across more than two dozen government agencies. Among those affected were senior officials working on US relations with China. In a second incident last year that Microsoft only discovered and reported in January 2024, Russia's Midnight Blizzard breached the company's corporate email accounts via a low-tech password spraying attack.

The US Department of Homeland Security's Cyber Safety Review Board (CSRB) conducted a fact-finding analysis of the Storm-0558 incident and concluded the intrusion stemmed from a "cascade of security failures at Microsoft" at a strategic and cultural level. The board made several recommendations for Microsoft to bolster cloud security, especially around identity and authentication.

Microsoft has identified six areas for improvement with SFI: identity and secrets; security around cloud tenants and production systems; protections for engineering systems; network security; threat detection and monitoring; and incident response and remediation.

**Sweeping Security Changes at Microsoft**

Bell's report this week provided an update on the progress the company has been making in each of those areas. The updates to Entra ID and Microsoft Account, for instance, are part of an effort to better protect critical signing keys for remote authentication, from misuse. Storm-0558 actors took advantage of a single, errant signing key and a vulnerability in Microsoft's authentication system to grant themselves the ability to access essentially any Exchange Online account around the world.

Similarly, the elimination of hundreds of thousands of unused apps and millions of inactive tenants are part of an effort to reduce the surface area for potential attacks against cloud tenants and production systems.

On the network security front, Microsoft has implemented mechanisms for improving visibility: The company now maintains a central inventory for more than 99% of physical assets on its production network. "Virtual networks with backend connectivity are isolated from the Microsoft corporate network and subject to complete security reviews to reduce lateral movement," Microsoft's Bell wrote.

To protect engineering systems, Microsoft has begun using centrally managed pipeline templates for 85% of its production builds for the commercial cloud, reduced the lifespan of personal access tokens to seven days, and disabled Secure Shell Access to internal Microsoft engineering repos. Proof of presence checks are now mandatory for critical points along Microsoft's software development process.

**Exec-Level Accountability**

This is the second update that Microsoft has provided on the progress the company has been making with SFI. A previous one in May focused largely on changes that Microsoft has been making at the organizational level to — among other things — hold executives directly responsible for security.

The changes the company has made at the organizational level include tying compensation for senior leadership to specific security goals and milestones, tying the threat intelligence team more tightly to the enterprise CISO's office, and requiring engineering and security teams to work together.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Trims Cloud Cyberattack Surface in Security Push

Ubuntu Security Notice 7028-1 - It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    =========================================================================Ubuntu Security Notice USN-7028-1September 23, 2024linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash).Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - Greybus drivers;  - Modular ISDN driver;  - Multiple devices driver;  - Network drivers;  - SCSI drivers;  - VFIO drivers;  - F2FS file system;  - GFS2 file system;  - JFS file system;  - NILFS2 file system;  - Kernel debugger infrastructure;  - Bluetooth subsystem;  - IPv4 networking;  - L2TP protocol;  - Netfilter;  - RxRPC session sockets;(CVE-2024-42154, CVE-2023-52527, CVE-2024-26733, CVE-2024-42160,CVE-2021-47188, CVE-2024-38570, CVE-2024-26851, CVE-2024-26984,CVE-2024-26677, CVE-2024-39480, CVE-2024-27398, CVE-2022-48791,CVE-2024-42224, CVE-2024-38583, CVE-2024-40902, CVE-2023-52809,CVE-2024-39495, CVE-2024-26651, CVE-2024-26880, CVE-2024-42228,CVE-2024-27437, CVE-2022-48863)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-4.15.0-1135-oracle  4.15.0-1135.146          Available with Ubuntu Pro  linux-image-4.15.0-1156-kvm     4.15.0-1156.161          Available with Ubuntu Pro  linux-image-4.15.0-1166-gcp     4.15.0-1166.183          Available with Ubuntu Pro  linux-image-4.15.0-1173-aws     4.15.0-1173.186          Available with Ubuntu Pro  linux-image-4.15.0-1181-azure   4.15.0-1181.196          Available with Ubuntu Pro  linux-image-4.15.0-229-generic  4.15.0-229.241          Available with Ubuntu Pro  linux-image-4.15.0-229-lowlatency  4.15.0-229.241          Available with Ubuntu Pro  linux-image-aws-lts-18.04       4.15.0.1173.171          Available with Ubuntu Pro  linux-image-azure-lts-18.04     4.15.0.1181.149          Available with Ubuntu Pro  linux-image-gcp-lts-18.04       4.15.0.1166.179          Available with Ubuntu Pro  linux-image-generic             4.15.0.229.213          Available with Ubuntu Pro  linux-image-kvm                 4.15.0.1156.147          Available with Ubuntu Pro  linux-image-lowlatency          4.15.0.229.213          Available with Ubuntu Pro  linux-image-oracle-lts-18.04    4.15.0.1135.140          Available with Ubuntu Pro  linux-image-virtual             4.15.0.229.213          Available with Ubuntu ProUbuntu 16.04 LTS  linux-image-4.15.0-1135-oracle  4.15.0-1135.146~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1166-gcp     4.15.0-1166.183~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1173-aws     4.15.0-1173.186~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1181-azure   4.15.0-1181.196~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-229-generic  4.15.0-229.241~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-229-lowlatency  4.15.0-229.241~16.04.1          Available with Ubuntu Pro  linux-image-aws-hwe             4.15.0.1173.186~16.04.1          Available with Ubuntu Pro  linux-image-azure               4.15.0.1181.196~16.04.1          Available with Ubuntu Pro  linux-image-gcp                 4.15.0.1166.183~16.04.1          Available with Ubuntu Pro  linux-image-generic-hwe-16.04   4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-gke                 4.15.0.1166.183~16.04.1          Available with Ubuntu Pro  linux-image-lowlatency-hwe-16.04  4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-oem                 4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-oracle              4.15.0.1135.146~16.04.1          Available with Ubuntu Pro  linux-image-virtual-hwe-16.04   4.15.0.229.241~16.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7028-1  CVE-2021-47188, CVE-2022-48791, CVE-2022-48863, CVE-2023-52527,  CVE-2023-52809, CVE-2024-26651, CVE-2024-26677, CVE-2024-26733,  CVE-2024-26851, CVE-2024-26880, CVE-2024-26984, CVE-2024-27398,  CVE-2024-27437, CVE-2024-38570, CVE-2024-38583, CVE-2024-39480,  CVE-2024-39495, CVE-2024-40902, CVE-2024-42154, CVE-2024-42160,  CVE-2024-42224, CVE-2024-42228

Ubuntu Security Notice USN-7028-1

Ubuntu Security Notice 7020-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    =========================================================================Ubuntu Security Notice USN-7020-2September 23, 2024linux-azure vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:   - GPU drivers;   - Network drivers;   - SCSI drivers;   - F2FS file system;   - BPF subsystem;   - IPv4 networking; (CVE-2024-42160, CVE-2024-42159, CVE-2024-42154, CVE-2024-41009, CVE-2024-42228, CVE-2024-42224)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1015-azure    6.8.0-1015.17  linux-image-6.8.0-1015-azure-fde  6.8.0-1015.17  linux-image-azure               6.8.0-1015.17  linux-image-azure-fde           6.8.0-1015.17After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7020-2  https://ubuntu.com/security/notices/USN-7020-1  CVE-2024-41009, CVE-2024-42154, CVE-2024-42159, CVE-2024-42160,  CVE-2024-42224, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/6.8.0-1015.17

Ubuntu Security Notice USN-7020-2

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean

Cybersecurity / Cyber Threat

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean from the past week.

****⚡ Threat of the Week****

**Raptor Train Botnet Dismantled:** The U.S. government announced the takedown of the Raptor Train botnet controlled by a China-linked threat actor known as Flax Typhoon. The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America, Europe, Asia, Africa, and Oceania, and South America. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group.

****🔔 Top News****

*   **Lazarus Group's New Malware:** The North Korea-linked cyber espionage group known as UNC2970 (aka TEMP.Hermit) has been observed utilizing job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity is also tracked as Operation Dream Job.
*   **iServer and Ghost Dismantled:** In yet another big win for law enforcement agencies, Europol announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The agency, in partnership with the Australian Federal Police (AFP), dismantled an encrypted communications network called Ghost that enabled serious and organized crime across the world.
*   **Iranian APT Acts as Initial Access Provider:** An Iranian threat actor tracked as UNC1860 is acting as an initial access facilitator that provides remote access to target networks by deploying various passive backdoors. This access is then leveraged by other Iranian hacking groups affiliated with the Ministry of Intelligence and Security (MOIS).
*   **Apple Drops Lawsuit against NSO Group:** Apple filed a motion to "voluntarily" dismiss the lawsuit it's pursuing against Israeli commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The lawsuit was filed in November 2021.
*   **Phishing Attacks Exploit HTTP Headers:** A new wave of phishing attacks is abusing refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. Targets of the campaigns include entities in South Korea and the U.S.

****📰 Around the Cyber World****

*   **Sandvine Leaves 56 "Non-democratic" Countries:** Sandvine, the company behind middleboxes that have facilitated the delivery of commercial spyware as part of highly-targeted attacks, said it has exited 32 countries and is in process of ceasing operations in another 24 countries, citing elevated threats to digital rights. Earlier this February, the company was added to the U.S. Entity List. "The misuse of deep packet inspection technology is an international problem that threatens free and fair elections, basic human rights, and other digital freedoms we believe are inalienable," it said. It did not disclose the list of countries it's exiting as part of the overhaul.
*   **.mobi Domain Acquired for $20:** Researchers from watchTowr Labs spent a mere $20 to acquire a legacy WHOIS server domain associated with the .mobi top-level domain (TLD) and set up a WHOIS server on that domain. This led to the discovery that over 135,000 unique systems still queried the old WHOIS server over a five day period ending on September 4, 2024, including cybersecurity tools and mail servers for government, military and university entities. The research also showed that the TLS/SSL process for the entire .mobi TLD had been undermined as numerous Certificate Authorities (CAs) were found to be still using the "rogue" WHOIS server to "determine the owners of a domain and where verification details should be sent." Google has since called for stopping the use of WHOIS data for TLS domain verifications.
*   **ServiceNow Misconfigurations Leak Sensitive Data:** Thousands of companies are inadvertently exposing secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations. AppOmni attributed the issue to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning." ServiceNow has published guidance on how to configure their instances to prevent unauthenticated access to KB articles.
*   **Google Cloud Document AI Flaw Fixed:** Speaking of misconfigurations, researchers have found that overly permissive settings in Google Cloud's Document AI service could be leveraged by threat actors to hack into Cloud Storage buckets and steal sensitive information. Vectra AI described the vulnerability as an instance of transitive access abuse.
*   **Microsoft Plans End of Kernel Access for EDR Software:** Following the massive fallout from the CrowdStrike update mishap in July 2024, Microsoft has highlighted Windows 11's "improved security posture and security defaults" that allow for more security capabilities to security software makers outside of kernel mode access. It also said it will collaborate with ecosystem partners to achieve "enhanced reliability without sacrificing security."

**🔥 **Cybersecurity Resources & Insights******— **Upcoming Webinars****

*   **Zero Trust: Anti-Ransomware Armor**: Join our next webinar with Zscaler's Emily Laufer for a deep dive into the 2024 Ransomware Report, uncovering the latest trends, emerging threats, and the zero-trust strategies that can safeguard your organization. Don't become another statistic – Register now and fight back!
*   **SIEM Reboot: From Overload to Oversight:** Drowning in data? Your SIEM should be a lifesaver, not another headache. Join us to uncover how legacy SIEM went wrong, and how a modern approach can simplify security without sacrificing performance. We'll dive into the origins of SIEM, its current challenges, and our community-driven solutions to cut through the noise and empower your security. Register now for a fresh take on SIEM!

**— **Ask the Expert****

*   **Q:** How does Zero Trust differ fundamentally from traditional Perimeter Defense, and what are the key challenges and advantages when transitioning an organization from a Perimeter Defense model to a Zero Trust architecture?

*   **A:** Zero Trust and perimeter defense are two ways to protect computer systems. Zero Trust is like having multiple locks on your doors AND checking IDs at every room, meaning it trusts no one and constantly verifies everyone and everything trying to access anything. It's great for stopping hackers, even if they manage to sneak in, and works well when people work from different places or use cloud services. Perimeter defense is like having a strong wall around your castle, focusing on keeping the bad guys out. But, if someone breaks through, they have easy access to everything inside. This older approach struggles with today's threats and remote work situations. Switching to Zero Trust is like upgrading your security system, but it takes time and money. It's worth it because it provides much better protection. Remember, it's not just one thing, but a whole new way of thinking about security, and you can start small and build up over time. Also, don't ditch the wall completely, it's still useful for basic protection.

**— **Cybersecurity Jargon Buster****

*   **Polymorphic Malware:** Imagine a sneaky virus that keeps changing its disguise (signature) to trick your antivirus. It's like a chameleon, making it tough to catch.
*   **Metamorphic Malware:** This one's even trickier! It's like a shapeshifter, not just changing clothes, but completely transforming its body. It rewrites its own code each time it infects, making it nearly impossible for antivirus to recognize.

**— **Tip of the Week****

**"Think Before You Click" Maze:** Navigate a series of decision points based on real-world scenarios, choosing the safest option to avoid phishing traps and other online threats.

****Conclusion****

"To err is human; to forgive, divine." - Alexander Pope. But in the realm of cybersecurity, forgiveness can be costly. Let's learn from these mistakes, strengthen our defenses, and keep the digital world a safer place for all.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 16-22)

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.
The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia

Cyber Espionage / Malware

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.

The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed **Earth Baxia**.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said.

The discovery of lure documents in Simplified Chinese points to China being one of the affected countries as well, although the cybersecurity company said it does not have enough information to determine what sectors within the country have been singled out.

The multi-stage infection chain process leverages two different techniques, using spear-phishing emails and the exploitation of the GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to ultimately deliver Cobalt Strike and a previously unknown backdoor codenamed EAGLEDOOR, which allows for information gathering and payload delivery.

"The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim's guard," the researchers noted, adding the former method is used to download next-stage malware via a decoy MSC file dubbed RIPCOY embedded within a ZIP archive attachment.

It's worth mentioning here that Japanese cybersecurity company NTT Security Holdings recently detailed an activity cluster with links to APT41 that it said used the same two techniques to target Taiwan, the Philippines military, and Vietnamese energy organizations.

It's likely that these two intrusion sets are related, given the overlapping use of Cobalt Strike command-and-control (C2) domains that mimic Amazon Web Services, Microsoft Azure (e.g., "s3cloud-azure," "s2cloud-amazon," "s3bucket-azure," and "s3cloud-azure"), and Trend Micro itself ("trendmicrotech").

The end goal of the attacks is to deploy a custom variant of Cobalt Strike, which acts as a launchpad for the EAGLEDOOR backdoor ("Eagle.dll") via DLL side-loading.

The malware supports four methods to communicate with the C2 server over DNS, HTTP, TCP, and Telegram. While the first three protocols are used to transmit the victim status, the core functionality is realized through the Telegram Bot API to upload and download files, and execute additional payloads. The harvested data is exfiltrated via curl.exe.

"Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries," the researchers pointed out.

"They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

Another day, another claim of Dell data breach!

Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident.

On September 19, 2024, _Hackread.com_ **published an exclusive report** detailing claims of a Dell data breach involving sensitive information related to 10,863 Dell employees. The same hacker behind the original breach is now claiming that Dell has been “breached again,” suggesting a larger ongoing issue.

The hacker, who operates under the alias “grep” on the infamous cybercrime platform Breach Forums, posted these claims on Sunday, September 22, 2024. In this post, “grep” revealed that Dell has suffered another significant breach, this time with the help of a fellow hacker known as “Chucky.” Together, they allegedly compromised Dell’s internal systems, exposing confidential data.

According to “grep,” the breach contains data related to Jira files, database tables, and schema migrations, amounting to a total of 3.5 GB of uncompressed data. The hackers claim to have gained access by compromising Dell’s Atlassian software suite, including Jenkins and Confluence, widely used tools for software development and collaboration.

Here’s the exact message shared by the hacker on the forum:

_Compromised data: Jira’s files, DB tables, schema migration, etc., totalling_ 3.5GB uncompressed. This time, it was breached by Chucky. Before Dell makes any claims, we both compromised your Atlassian and accessed Jenkins, Confluence, etc.  
GDPR said time is ticking, by the way, _xD._

The hacker on Breach Forum announcing his leak (Screenshot credit: Hackread.com)

In response to the first alleged breach, Dell told _Hackread.com_ that it was aware of the situation and had launched an investigation. However, as of now, the company has not addressed the latest breach claims.

The _Hackread.com_ research team has analyzed some of the files and determined that they likely contain sensitive information about Dell’s internal infrastructure. This includes system configurations, user credentials, security vulnerabilities, and development processes. If confirmed, this information could potentially be leveraged to target Dell’s systems on a much larger scale.

Further review of the leaked files suggests that they belong to a variety of enterprise tools and environments used by Dell, including Jira, database tables, schemas, and Atlassian tools such as Jenkins and Confluence. For security reasons, we are withholding specific details of the compromised files.

Screenshot from the leaked data Screenshot credit: Hackread.com)

_Hackread.com_ has reached out to Dell for a comment and will update this article as the story develops.

1.  **Hacker Leaks Data of 33,000 Accenture Employees**
2.  **Acer Online Store Hacked; 34,000 Customers’ Data Stolen**
3.  **Hacker Leaks Thousands of Microsoft and Nokia Employee Data**
4.  **Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**

Hackers Claim Second Dell Data Breach in One Week

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions…

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions and frustration as vendors scramble to find solutions. Learn about the affected software, potential workarounds, and the latest updates on this ongoing issue.

Apple’s latest macOS update, macOS Sequoia (version 15), is reportedly causing issues with security tools from major providers like CrowdStrike, SentinelOne, ESET, and Microsoft. The update appears incompatible with several popular security tools, rendering them inoperable. The issue, which affects macOS users and enterprises, has caused frustration among those working with macOS-focused security tools. 

For your information, Apple officially launched its AI-focused macOS Sequoia on Monday. It is a new operating system, first revealed at WWDC 2024, offering exclusive features like Apple Intelligence, which uses Apple silicon to create language, images, and actions across apps, leveraging users’ personal context. 

However, the update has raised concerns for certain security-related products and applications as several security researchers and users on social media, Reddit, and a Mac-focused Slack channel reported issues with these security tools after installing Sequoia.

On Mastodon, security researcher Will Dormann reported firewall-related and DNS issues in macOS Sequoia, noting that blocking incoming connections within the macOS Sequoia firewall can also block replies to DNS requests, causing problems.

Dormann also noted a related issue affecting Chrome and Chromium-based browsers on macOS Sequoia, where blocking incoming connections for Google Chrome in the macOS firewall causes large downloads to stall.

Meanwhile, Apple has not yet addressed the concerns regarding Sequoia’s compatibility with security software such as ESET Endpoint Security and CrodStrike Falcon, and the full scope of the compatibility issues with Sequoia remains unclear.  

Most companies have advised users not to update the OS until the issue is resolved, as they are unable to support macOS Sequoia. CrowdStrike confirmed the issue and announced a delay in supporting Sequoia.

The company is waiting for Apple to release a fix before updating their software.  Similarly, ESET acknowledged network connection problems after the update but later clarified that their products are compatible with Sequoia. 

While SentinelOne initially advised users against upgrading to Sequoia, they later clarified that full support was available. However, some users still reported problems with other functionalities like firewalls and DNS configurations. 

A potential workaround shared by security researcher Wacław Jacek on his blog involves using command-line tools to adjust firewall settings for specific applications. According to Jacek, to modify firewall settings, use the CLI tool /usr/libexec/ApplicationFirewall/socketfilterfw.

This will allow your browser to access the internet again, but other software may still not function. To disable the entire firewall, open the terminal app, find the path to your web browser, run ls -l, and add your browser to the firewall using /usr/libexec/ApplicationFirewall/socketfilterfw.

Until the situation is resolved, please proceed with caution when considering the Sequoia update, especially if you rely heavily on third-party security software.

Mr. Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit, shared his concern over the situation with Hackread.com stating, “With the release of new operating systems, all security vendors must test and qualify their releases. It is a good thing that security vendors have been proactive in this situation and have already sent out steps to take in case their systems are facing issues with the latest Mac update.”

Mayuresh highlighted that “From the looks of it, the networking stack – or the macOS Sequoia firewall to be specific – has changed because the security tools that use it to provide security are not able to do so. Not just security tools, VPNs are also having a difficult time getting a DNS resolution.”

He also suggested the following to the security teams responsible for securing Macs:

1.  Avoid updating to macOS Sequoia unless their security vendor has officially certified it for use.
2.  Turn off auto-updates to major OS releases before internal certification.
3.  Internally certify new operating system releases by installing Dev, and Beta builds of operating systems with certified software before organization-wide deployments.

Nevertheless, the importance of comprehensive testing before deploying major updates in production environments should not be ignored. It also highlights the need for organizations to have proper backup plans and alternative security measures in place. Developing a multi-layered security approach that doesn’t rely solely on a single tool or vendor can enhance overall stability.

1.  **CrowdStrike Update Causes Havoc By Disrupting Businesses**
2.  **Webroot Marked Facebook as Phishing Site, Windows as Malware**
3.  **Apple mistakenly approved malware hidden as Adobe Flash Player**
4.  **Microsoft Releases Tool to Fix CrowdStrike-Caused Windows Chaos**
5.  **Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware**

Tag

#microsoft