Tag Archive for: Vulnerability

Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys

/in


An unpatchable vulnerability has been discovered in Apple’s M-series chips that allows attackers to extract secret encryption keys from Macs under certain conditions, according to a newly published academic research paper (via ArsTechnica).

m1 vs m2 air feature toned down
Named “GoFetch,” the type of cyber attack described involves Data Memory-Dependent Prefetchers (DMPs), which try to predict what data the computer will need next and retrieve it in advance. This is meant to make processing faster, but it can unintentionally reveal information about what the computer is doing.

The paper finds that DMPs, especially the ones in Apple’s processors, pose a significant threat to the security provided by constant-time programming models, which are used to write programs so that they take the same amount of time to run, no matter what data they’re dealing with.

The constant-time programming model is meant to protect against side-channel attacks, or types of attacks where someone can gain sensitive information from a computer system without directly accessing it (by observing certain patterns, for example). The idea is that if all operations take the same amount of time, there’s less for an attacker to observe and exploit.

However, the paper finds that DMPs, particularly in Apple silicon, can leak information even if the program is designed not to reveal any patterns in how it accesses memory. The new research finds that the DMPs can sometimes confuse memory content, which causes it to treat the data as an address to perform memory access, which goes against the constant-time model.

The authors present GoFetch as a new type of attack that can exploit this vulnerability in DMPs to extract encryption keys from secure software. The attack works against some popular encryption algorithms that are thought to be resistant to side-channel attacks, including both traditional (e.g. OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum (e.g. CRYSTALS-Kyber and CRYSTALS-Dilithium) cryptographic methods.

In an email to ArsTechnica, the authors explained:

Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is…

Source…

TA577 Exploits NTLM Authentication Vulnerability

/in


Cybersecurity researchers at Proofpoint have uncovered a new tactic employed by cybercriminal threat actor TA577, shedding light on a lesser-seen objective in their operations. 

The group was found utilizing an attack chain aimed at stealing NT LAN Manager (NTLM) authentication information. This method could potentially be exploited for sensitive data gathering and facilitating further malicious activities.

In an analysis published earlier today, the Proofpoint team identified at least two campaigns conducted by TA577 on February 26 and 27 2024 employing this technique. 

These campaigns targeted hundreds of organizations globally, sending out tens of thousands of messages. The messages were designed to appear as replies to previous emails, a tactic known as thread hijacking, and contained zipped HTML attachments.

Each attachment had a unique file hash, and the HTML files within were tailored to specific recipients. Upon opening, these files initiated a connection attempt to a Server Message Block (SMB) server via a meta refresh to a file scheme URI ending in .txt. This connection was designed to reach an external SMB resource controlled by the threat actor, aiming to capture NTLM hashes.

Proofpoint’s analysis did not detect any malware delivery from these URLs. Instead, researchers concluded that TA577’s objective was to capture NTLMv2 challenge/response pairs to steal NTLM hashes, based on the characteristics of the attack chain and tools used.

The stolen NTLM hashes could potentially be exploited for password cracking or to facilitate “Pass-The-Hash” attacks within targeted organizations. Indicators suggest the use of the open-source toolkit Impacket on the SMB servers, a practice uncommon in standard SMB environments.

Read more on Pass-The-Hash attacks: Microsoft Fixes Two Zero-Day Bugs Used in Attacks

It’s worth noting that the delivery method used by TA577 – employing a malicious HTML file within a zip archive – is specifically designed to bypass security measures. Even disabling guest access to SMB does not mitigate the attack, as the file attempts to authenticate to the external SMB server.

“Proofpoint researchers have also seen an increase…

Source…

Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft

/in


A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions.

Apple’s Shortcuts application, designed for macOS and iOS, is aimed at automating tasks. For businesses, it allows users to create macros for executing specific tasks on their devices, and then combine them into workflows for everything from Web automation to smart-factory functions. These can then be shared online through iCloud and other platforms with co-workers and partners.

According to an analysis from Bitdefender out today, the vulnerability (CVE-2024-23204) makes it possible to craft a malicious Shortcuts file that would be able to bypass Apple’s Transparency, Consent, and Control (TCC) security framework, which is supposed to ensure that apps explicitly request permission from the user before accessing certain data or functionalities.

That means that when someone adds a malicious shortcut to their library, it can silently pilfer sensitive data and systems information, without having to get the user to give access permission. In their proof-of-concept (PoC) exploit, Bitdefender researchers were then able to exfiltrate the data in an encrypted image file.

“With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms,” the report noted.

The bug is a threat to macOS and iOS devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and it is rated 7.5 out of a possible 10 (high) on the Common Vulnerability Scoring System (CVSS) because it can be remotely exploited with no required privileges.

Apple has patched the bug, and “we are urging users to make sure they are running the latest version of the Apple Shortcuts software,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender.

Apple Security Vulnerabilities: Ever More Common

In October, Accenture published a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019 — with the trend poised to continue.

The findings coincide with the emergence…

Source…

DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability

/in


Feb 14, 2024NewsroomZero-Day / Financial Sector Security

Microsoft SmartScreen Zero-Day Vulnerability

A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.

Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).

“In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware,” the cybersecurity firm said in a Tuesday report.

Microsoft, which addressed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks.

Cybersecurity

However, successful exploitation banks on the prerequisite that the threat actor convinces the victim to click on the file link to view the attacker-controlled content.

The infection procedure documented by Trend Micro weaponizes CVE-2024-21412 to drop a malicious installer file (“7z.msi”) by clicking on a booby-trapped URL (“fxbulls[.]ru”) distributed via forex trading forums under the pretext of sharing a link to a stock chart image that, in reality, is an internet shortcut file (“photo_2023-12-29.jpg.url”).

“The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view,” security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.

“When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.”

The clever trick that makes this possible is the threat actor’s abuse of the search: application protocol, which is used for calling the desktop search application on Windows and has been abused in the past to deliver malware.

The rogue internet shortcut file, for its part, points to another internet shortcut file hosted on a remote server (“2.url”), which, in turn, points to a CMD shell script within a ZIP archive…

Source…