Security Bulletin

Who:

• Entities Involved: ETH Zürich researchers, targeting AMD and Intel processors.

What:

• Discovery: New research reveals that even the latest AMD and Intel processors remain vulnerable to Spectre-style speculative execution attacks, undermining existing mitigations (IBPB) on x86 chips.

• New Vulnerabilities Identified:

  • Intel: A microcode flaw allows bypassing IBPB on Intel’s Golden Cove and Raptor Cove architectures, causing cross-process Spectre leaks.

  • AMD: Post-Barrier Inception (PB-Inception) enables privileged memory leakage in AMD Zen 1(+) and Zen 2 processors.

Impact:

• Security Risks: This vulnerability compromises sensitive data protection across both Intel and AMD chips, enabling attackers to bypass process boundaries and potentially access privileged data.

• Mitigations: Intel issued a microcode patch (CVE-2023-38575), and AMD has recommended kernel updates for affected systems.

Read the full article HERE

Who:

• Entity Involved: U.S. Government (USG), including Federal Departments and Agencies, private sector, and individual researchers.

What:

• New Guidance Issued: The USG introduced updated Traffic Light Protocol (TLP) guidance for categorizing and sharing sensitive cybersecurity intelligence across sectors.

• Purpose: To enhance collaboration, trust, and clarity in threat intelligence sharing, ensuring controlled distribution of sensitive information.

Impact:

• Increased Trust and Security: By standardizing how sensitive data is shared, the TLP framework strengthens partnerships within the cybersecurity community, fostering a collective approach to maintaining a secure cyberspace.

Read the full article HERE

Who:

• Threat Actors: APT34 (OilRig), an Iranian state-sponsored hacking group.

• Targets: Government and critical infrastructure entities in the United Arab Emirates and Gulf region, especially in the energy sector.

What:

• Attack Techniques: OilRig has escalated its activities with a new campaign involving:

  • Exploitation of Microsoft Exchange servers to steal credentials.

  • Exploitation of the CVE-2024-30088 Windows flaw for privilege escalation.

  • Use of a new backdoor called StealHook for credential theft and data exfiltration via email.

Key Tools and Exploits:

• Web Shell Deployment: Attackers begin by exploiting vulnerable web servers to install web shells, allowing remote code execution.

• CVE-2024-30088 Exploit: A high-severity flaw used to escalate privileges to the SYSTEM level on compromised devices.

• Password Theft: Attackers register a password filter DLL to capture plaintext credentials during password change events.

• StealHook Backdoor: Used to exfiltrate stolen credentials and sensitive data, sending them as email attachments to evade detection.

Impact:

• Threat to Critical Infrastructure: The attacks primarily target the energy sector, posing risks of operational disruption.

• Affiliation with FOX Kitten: OilRig’s potential connection with the FOX Kitten group raises concerns about ransomware attacks being added to their tactics.

  
  

Broader Threat: OilRig’s continued activity in the region and their use of advanced exploits to target high-value organizations make them a persistent and evolving threat.

Read the full article HERE

Who:

• Affected users: iPhone and iPad users, particularly those using models such as iPhone XS and later, iPad Pro, iPad Air, iPad mini, and specific iPhone 16 models.

• Discovered by: Security researchers Bistrit Daha, Michael Jimenez, and an anonymous researcher.

What:

• Incident: Apple released iOS and iPadOS updates to fix two critical vulnerabilities. One, tracked as CVE-2024-44204, allowed saved passwords to be read aloud via VoiceOver. The second, CVE-2024-44207, enabled iPhone 16 models to capture audio before the microphone indicator turned on.

• Devices impacted: Various iPhone and iPad models, including iPhone XS and iPhone 16 models, and newer iPads.

Impact:

• Potential Risk: User passwords could have been exposed through VoiceOver, and unauthorized audio recordings could occur before users were alerted.

• Fix: Apple resolved the issues by improving validation and adding enhanced checks. Users are urged to update to iOS 18.0.1 and iPadOS 18.0.1 to protect their devices.

Read the full article HERE

Who:

• The malware, dubbed 'DISGOMOJI,' was discovered by cybersecurity firm Volexity.

• The suspected threat actor, 'UTA0137,' is believed to be based in Pakistan.

• The malware targets government agencies in India.

What:

• DISGOMOJI is a Linux malware using emojis sent via Discord for command and control (C2).

• It executes commands, takes screenshots, steals files, deploys additional payloads, and searches for files on infected devices.

• The malware targets a custom Linux distribution named BOSS used by Indian government agencies.

Impact:

• Data Exfiltration: DISGOMOJI collects and sends system information, including IP address, username, hostname, operating system, and current working directory, back to the attackers.

• Persistence: The malware maintains persistence using the @reboot cron command and other mechanisms.

• Lateral Movement: Once a device is breached, threat actors can spread laterally, steal data, and attempt to gather additional credentials.

• Bypassing Detection: The use of emojis for C2 communication could potentially bypass security software that looks for text-based commands, making detection more challenging.

Read the full article HERE