Daily Brief

Articles are listed below; the summaries are generated.

Total articles found: 12705

Checks for new stories every ~15 minutes

2024-03-22 15:01:42 bleepingcomputer CYBERCRIME New GoFetch Attack Exploits Apple CPUs to Steal Cryptographic Keys
Researchers uncover a side-channel attack, named GoFetch, that targets Apple's M1, M2, and M3 processors, risking exposure of cryptographic keys. The GoFetch attack exploits the data memory-dependent prefetchers (DMPs) in modern Apple CPUs, violating constant-time cryptographic execution principles. Capable of extracting private keys for algorithms such as OpenSSL Diffie-Hellman and CRYSTALS-Kyber, this hardware vulnerability has no direct fix in affected chips. Apple was informed about the vulnerability on December 5, 2023, yet any potential software mitigation might result in a performance degradation for cryptographic operations. Intel's latest CPUs exhibit a more restrictive prefetcher implementation, seemingly impervious to this specific attack methodology. Defensive tactics recommended for developers include input blinding and DMP activation masking, but no simple solution exists for end-users apart from general safe computing practices. Apple has limited comments on the GoFetch issue, with advised mitigations available on a developer page, without indicating concrete plans for a security patch.
2024-03-22 14:10:39 thehackernews CYBERCRIME New StrelaStealer Phishing Attacks Target Major Sectors in E.U. and U.S.
Cybersecurity researchers have identified a series of phishing attacks using StrelaStealer malware affecting over 100 organizations across the E.U. and the U.S. The attacks involve spam emails with varying types of attachments designed to evade detection and launch the malware's DLL payload. StrelaStealer is capable of extracting email credentials from popular email clients and sending the information to servers controlled by attackers. Recent campaigns have shown a trend toward using invoice-themed emails with ZIP attachments containing a JavaScript file to initiate infection. The malware utilizes advanced obfuscation and anti-analysis techniques to complicate detection within sandboxed environments. Broader cybersecurity observations note the prevalence of other stealers like Stealc and RATs such as Revenge RAT and Remcos RAT, often packed using cryptors-as-a-service platforms. Separately, a social engineering scam involving fake obituary notices and SEO poisoning has been discovered, primarily aimed at pushing adware and other unwanted programs. The use of malware-as-a-service (MaaS) is highlighted, showing how relatively unskilled threat actors can conduct large-scale, successful attacks leveraging readily available tools and malware.
2024-03-22 13:49:56 theregister DATA BREACH NIST's National Vulnerability Database Experiences Analysis Delays
The U.S. National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) is undergoing a significant slowdown in adding analysis to reported vulnerabilities. NIST announced on February 15th, 2024, that users will experience delays in analysis efforts amid the transition to a new consortium aimed at improving the NVD program. Without the standard analysis, cybersecurity professionals struggle to assess and manage vulnerabilities effectively, as NIST's insights and scores (like CVSS) are critical for understanding the severity of security holes. The current halt in updates has resulted in thousands of Common Vulnerabilities and Exposures (CVEs) going without any record of NVD analysis, posing challenges for scanning and assessing software risks. Alternative sources like Open Source Vulnerabilities (OSV) or GitHub Security Advisory DB are available, but many organizations, especially government contractors, are mandated by law to use NIST's CVSS and NVD. Attempts are being made to compensate for the missing NVD data, such as Anchore's open-source project called NVD Data Overrides, which aims to provide a stopgap solution minus CVSS scores.
2024-03-22 13:49:55 thehackernews CYBERCRIME AWS Remedies Critical Session Hijack Vulnerability in Airflow Service
AWS has patched a critical vulnerability in AWS Managed Workflows for Apache Airflow (MWAA), named 'FlowFixation' by Tenable. The flaw enabled potential session hijacking and remote code execution on the underlying instances of the service. Attackers exploiting this weakness could have accessed connection strings, modified configurations, and triggered directed acyclic graphs (DAGs), leading to possible remote code execution (RCE) and lateral movement across services. The security issue stemmed from a session fixation flaw combined with an AWS domain misconfiguration enabling cross-site scripting (XSS) attacks. Tenable emphasizes the broader risk associated with cloud providers' domain architecture, pointing out the potential for same-site attacks, cross-origin issues, and cookie tossing. AWS and Azure have taken steps to address the domain misconfiguration by adding affected domains to the Public Suffix List (PSL). Google Cloud, however, has not deemed the issue severe enough to warrant a fix. The report highlights the significant risks in cloud environments, including cookie-tossing attacks and bypassing of CSRF protections via session fixation vulnerabilities.
2024-03-22 11:32:14 thehackernews MALWARE Malware Campaign 'Sign1' Infects WordPress Sites with Redirect Scams
Over 39,000 WordPress sites have been affected by the 'Sign1' malware campaign over the past six months. The latest variant of 'Sign1' has infected at least 2,500 sites in the past two months, using malicious JavaScript to redirect users to scam sites. The malware injects rogue JavaScript into HTML widgets and plugins, allowing remote execution of scripts that lead users to scam pages only when they arrive from major sites like Google or Facebook. Attackers employ dynamic URLs that change every 10 minutes to evade blocklists, using domains registered just days before their use in attacks. Sign1 appears to leverage brute-force attacks or exploit vulnerabilities in WordPress themes and plugins for site access, often using legitimate plugins to hide malicious code. The malware remains undetected for long periods because it does not place any malicious code into server files, instead using WordPress custom HTML widgets for code injection.
2024-03-22 11:32:14 thehackernews NATION STATE ACTIVITY Chinese Espionage Ops Breach Networks Using Software Vulnerabilities
A China-linked threat group, UNC5174, exploited software flaws to infiltrate networks and deliver malware. The attackers targeted research and education organizations in Southeast Asia and the U.S., Hong Kong businesses, NGOs, and government entities. The group used vulnerabilities in multiple products including Atlassian Confluence, ConnectWise ScreenConnect, F5 BIG-IP, the Linux kernel, and Zyxel devices. Post-intrusion actions involved reconnaissance, scanning for vulnerabilities, creating admin accounts, and deploying the SNOWLIGHT and GOREVERSE malware. The threat actor also used tools like GOHEAVY for lateral movement and employed atypical practices such as applying patches to the vulnerabilities it had exploited. UNC5174 appears to be acting as an initial access broker, potentially associated with China's Ministry of State Security (MSS). There are operational similarities between UNC5174 and another access broker, UNC302, indicating a collaborative MSS-backed cyber espionage effort. The Chinese MSS has issued warnings about foreign hackers targeting domestic entities, though without specifying the responsible group or origin.
2024-03-22 11:16:47 thehackernews MISCELLANEOUS Building Robust Cybersecurity with Zero Trust and Compliance
The ThreatLocker® Zero Trust Endpoint Protection Platform advocates for a deny-by-default approach, enhancing organizational security against cyber threats. The platform aligns with multiple compliance frameworks, providing confidence in protection against devastating attacks such as ransomware. Cybersecurity compliance frameworks assist in developing strong security measures but can be ambiguous and complex in their requirements. Key cybersecurity practices include access management, multi-factor authentication, privileged access management, and antimalware solutions. Organizations are encouraged to implement firewall solutions, intrusion detection/prevention, and secure data encryption, among other robust security measures. Regular security reviews and adherence to written policies are emphasized to ensure continuous protection against potential threats. ThreatLocker® offers a free guide, "The IT Professional's Blueprint for Compliance", to help professionals navigate and fulfill diverse compliance obligations.
2024-03-22 06:16:49 thehackernews MISCELLANEOUS U.S. Justice Department Hits Apple with Landmark Antitrust Lawsuit
The U.S. Department of Justice, joined by 16 state and district attorneys, has filed a lawsuit against Apple, alleging the company maintains an unlawful monopoly in the smartphone market. Apple is accused of leveraging security and privacy as a pretext for anticompetitive behavior, such as selectively degrading text message security for non-iPhone users. The suit claims Apple's refusal to make iMessage interoperable with Android devices purposely undermines cross-platform communication security. Third-party attempts to enable secure messaging across platforms, like the Beeper Mini client for Android, have been stifled by Apple, citing security concerns. The DoJ argues that Apple's practices strengthen network effects, compelling consumers to stay within the Apple ecosystem and deterring them from switching to competitors. Apple plans to support the RCS messaging protocol and encryption in its Messages app, combining instant messaging features with enhanced security. Cupertino vows to "vigorously defend" against the lawsuit, asserting that a DoJ victory would set a "dangerous precedent" in government interference with technology design.
2024-03-22 05:15:43 bleepingcomputer MISCELLANEOUS Security Researchers Win Over $1 Million at Pwn2Own Vancouver 2024
Pwn2Own Vancouver 2024 concluded with security researchers awarded $1,132,500 for demonstrating 29 zero-days. Participants successfully compromised various software and a Tesla Model 3, highlighting system vulnerabilities even in fully patched configurations. The event covered multiple categories including web browsers, virtualization, enterprise applications, and automotive systems. Top awards went to Team Synacktiv for a Tesla Model 3 win and Manfred Paul earning the "Master of Pwn" title with $202,500 in total prize money. Hacking highlights include gaining remote code execution on web browsers using sophisticated exploits and breaching the Tesla ECU in under 30 seconds. Vendors affected by the zero-day vulnerabilities now have a 90-day window to issue security patches before public disclosure by the Zero Day Initiative.
2024-03-22 03:08:20 thehackernews NATION STATE ACTIVITY Russian Military-Linked Hackers Wield AcidPour Malware Against Ukraine
SentinelOne reports the deployment of upgraded 'AcidPour' malware targeting Ukrainian telecoms, potentially impacting four providers. AcidPour is connected to the AcidRain malware and appears to be associated with Russian military intelligence activities, specifically the Sandworm team. The malware predominantly aims to disable Linux x86 systems embedded in networking, IoT, and RAID storage devices, and even Industrial Control Systems (ICS). Coded in a style similar to CaddyWiper, AcidPour possesses a self-deletion feature and various device-specific wiping approaches. The hacking group UAC-0165, linked with Sandworm, is allegedly responsible for the attacks on Ukrainian infrastructure, having targeted 11 telecom service providers from May to September 2023. The disclosure of the Ukrainian telecoms attack follows claims by the Solntsepyok actor, which has GRU ties, of compromising four telecom operators on March 13, 2024. The evolving tactics of these threat actors indicate a strategic approach to causing disruptive and long-lasting impacts on critical infrastructure and communication systems.
2024-03-22 00:09:40 theregister CYBERCRIME Researchers Expose Cyber Vulnerabilities in US Truck ELDs
A study from Colorado State University reveals serious security flaws in Electronic Logging Devices (ELDs) used by US commercial truck fleets. Over 14 million trucks could be affected by these vulnerabilities, allowing hackers to potentially take control of vehicles and spread malware. ELDs are mandated for tracking driving hours and vehicle data but lack robust security controls, making them susceptible to Bluetooth or Wi-Fi attacks. Researchers demonstrated a worm that can jump from truck to truck via wireless connections, using default passwords and predictable SSIDs to spread. The potential for such a cyberattack poses severe safety and operational risks to the US commercial transportation sector. The flaws have been disclosed to the manufacturers and the US Cybersecurity and Infrastructure Security Agency (CISA) for rectification. The researchers highlight the urgency for the transportation industry to improve cybersecurity, as current ELD systems expose vehicles to significant threats.
2024-03-21 22:22:39 theregister DDOS U.S. Agencies Issue Guidelines to Protect Against DDoS Attacks
The U.S. government has issued guidance to protect critical infrastructure from DDoS attacks. The alert follows warnings about destructive cyber activities from China and occurs alongside a new cybersecurity task force for the water sector. Agencies including CISA, the FBI, and MS-ISAC recommend that organizations follow their report to defend against these threats. The guide clarifies the difference between DoS and DDoS attacks and outlines three main attack techniques: volume-based, protocol-based, and application-layer attacks. A set of 15 best practices is provided, including risk assessments, network monitoring, regular traffic analysis, and implementing CAPTCHAs. Implementing DDoS mitigation strategies, maintaining updated software, and conducting regular employee training are also advised. The guide stresses the importance of incident response plans, data backup, and network redundancy to protect service availability during an attack.
2024-03-21 21:26:29 theregister NATION STATE ACTIVITY Microsoft Bing Criticized for Alleged Censorship Compliance in China
Bipartisan US criticism targets Microsoft for allegedly censoring Bing search results in China on topics like human rights and democracy. Republican Senator Marco Rubio and Democratic Senator Mark Warner have condemned Microsoft's actions, advocating for Bing's withdrawal from China. A Bloomberg report suggests that Bing removes search content to align with Chinese government censorship policies. Google and Yahoo have ceased operating their search engines in China, while other Western services are blocked. Microsoft argues Bing is the least censored search option in China, providing important information despite legal content removal obligations. The company contends that leaving the Chinese market would deprive users of access to information through Bing, countering the criticism of compliance. Previous incidents reveal that Bing has a history of censoring content and providing pro-state results in deference to China's censorship practices.
2024-03-21 20:35:23 theregister NATION STATE ACTIVITY Unanimous Vote to Ban Sale of US Data to Foreign Adversaries
The US House of Representatives has passed the Protecting Americans' Data from Foreign Adversaries Act of 2024 with unanimous support, prohibiting the sale of Americans' data to certain foreign entities. This bill targets data brokers and restricts them from selling personal information to adversarial nations such as North Korea, Russia, China, and Iran. Comprehensive categories of data are included in the bill, such as government IDs, financials, biometrics, and private communications. The bill grants enforcement authority to the Federal Trade Commission and aligns with President Biden's previous executive order, though it does not encompass all countries listed in the EO. No public instances of data brokers selling to the mentioned adversaries have been reported, but a classified ODNI report indicates that PII is at risk of being utilized by foreign intelligence. A Duke University report highlights the availability of sensitive data belonging to US military personnel, adding to the justification for the bill. Next steps for the bill to become law include being introduced and passed in the Senate, with no set date for a Senate hearing.
2024-03-21 19:08:50 bleepingcomputer MALWARE KDE Warns Users About Malicious Themes Wiping Linux Files
KDE alerted Linux users about the risks of installing global themes that can execute arbitrary code and advised extreme caution. Themes and plugins from the KDE Store have no pre-upload review, creating the potential for malicious content to be submitted. A user's experience shared on Reddit highlights the danger: a global theme executed 'rm -rf', leading to the loss of all their personal files. While the harmful theme has been removed, KDE acknowledged the existing risk from other unvetted themes in its repository. KDE plans to start vetting the content of its store and improving the warnings shown to users, while also urging the community to report any suspicious software. The KDE team highlighted the importance of user diligence, recommending that users review content and look for trusted sources before installation. In the interim, KDE will continue to caution users about potentially unstable or non-functional content from its store.