IEEE Cipher --- Items from security-related news (E175), September 2023

  • Dormant Chinese Malware Causes Concern
    U.S. Hunts Chinese Malware That Could Disrupt American Military Operations
    Publisher: New York Times
    Date: July 29, 2023
    By: David E. Sanger and Julian E. Barnes
    Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
    Publisher: Microsoft Security
    Date: May 24, 2023

    The Biden administration has started to discuss the widespread presence of a piece of malware with "some state governors and utility companies." The malware is so far benign, simply spreading and probing affected sites. It has been lurking around, notably at a military base in Guam, for a year or more.

    Microsoft identifies, with "moderate confidence", the Chinese group Volt Typhoon as the originator of the deeply surreptitious malware. Its purpose is unknown, but there is suspicion that it could be activated to disrupt communicatons between the US and Asia at some point of tension.

    The malware enters systems through Fortinet FortiGuard devices, and from there uses a wide variety of methods to entrench itself in routers and other edge devices. It gathers credentials for infrastructure and keeps data in encoded files. At this time the extent of its footprint is unknown.

  • Air Force Comms for the Home
    Air Force contractor charged with soliciting minor, stealing gear

    Publisher: Air Force Times
    Date: Aug 4, 2023
    By: Rachel S. Cohen

    An engineering contractor for Arnold Air Force Base (AAFB) in Tennessee caused consternation when it was discovered that he had taken a great deal of radio equipment and restricted communications data to his home. There, he set up his own system to run "the entire AAFB communications system". He also had data for local law enforcement radio programming. He had the capability of eavesdropping on Air Force, local FBI, and Tennessee Valley Authority communications.

    The motive seemed to be hubris rather than espionage, but the extent the home system was surprising. A few dozen USB and hard drives had been used to copy all the relevant information for the base's radio systems.

  • IT Support from Russia? Just Say No
    Microsoft says Russia-linked hackers behind dozens of Teams phishing attacks

    Publisher: Reuters
    Date: August 2, 2023
    By: Zeba Siddiqui

    Midnight Blizzard or APT29, is a hacking organization that carefully chooses high value targets, particularly "government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors." Its latest exploits have been phishing attempts originating from domains that mimic Microsoft IT support sites. The phishing chat conversation urges users of Microsoft TEAMS to approve multifactor authentication prompts. Fewer than 40 organizations have been targeted, and Microsoft has taken steps to recognize and avoid the fraudulent domains. Nonetheless, users need to stay alert to these attempts, lest they open their organizations to document theft.

  • North Korea's Long Infosec Arm
    Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company

    Publisher: Sentinel One
    Date: August 7, 2023
    By: Tom Hegel and Aleksandar Milenkoski

    Infosec specialists at SentinelOne Labs say they were looking into North Korea's missile system development (through "our usual hunting and tracking" when they came across some interesting emails showing that North Korea is able to penetrate Russian cyberstrucure. The North Korean exploit went undetected for several months as they crawled through the cyberspace of the Russian missile manufacturer NPO Mashinostroyeniya.

    The exploit used by North Korea was based on a version of "OpenCarrot Windows OS backdoor", used by the "Scarcruft threat actor". Through this they gained access to the target's email server. SentinelOne Labs found the exfiltrated email files in the North Korean infrastructure. The emails show that the missile manufacturer identified the intrusions and took steps to shut it down in May of 2022.

    The report by SentinelOne Labs mentions other interesting mechanisms of the exploit. They were aided in their investigation by what they perceived of sloppiness by the North Koreans in not sufficiently hiding their exploits, but they also mention the danger posed by the "convergence of North Korean cyber threat actors".

  • Teslas Made Cozy for Free via Side Channel Attacks
    Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrades>
    Sorry Elon, but this appears to be unpatchable.
    Publisher: tomsHardware
    Date: August 7, 2023
    By: Brandon Hill

    Teslas internal controls run on Linux and Linux runs on chips that have a Trusted Processing Module. That sounds really secure, but if one has physical access to the chip, one can apply a voltage glitch and bypass all the cryptographic security. It turns out that there are paywalled features of the cars that can be unlocked once the unfettered access to Linux is opened, one of those features being meant for passenger comfort in cold weather.

    For more detail, see the BlackHat presentation:
    Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater by Christian Werling, Niclas Kühnapfel, Hans Niklas Jacob (PhD Students TU Berlin), and Oleg Drokin, Security Researcher,

  • MOVEit Hack Keeps on Movin'
    MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts

    Publisher: Reuters
    Date: August 8, 2023
    By: Raphael Satter and Zeba Siddiqui

    We previously reported on the ransomware exploit against a widely used file transfer app MOVEit. At that time, the number of sites thought to be affected was small, and a patch was immediately available. In the interim, as many as 40 million people have had their privacy compromised, and the number of businesses affected is 600 and growing. The intruders have been able to get the private data of many clients of the breached systems: driver's license info, pensioners data, etc. Some experts feel that the implications of these disclosures will have rippling effects for some long time to come.

  • Cyber Intruders Might Flip the Switch
    Data centers at risk due to flaws in power management software
    Bugs found by Trellix researchers could allow for malicious hackers to gain access to sensitive sites like data centers.
    Publisher: CyberScoop
    Date: August 14, 2023
    By: Christian Vasquez

    At a recent DEFCON researchers from Trellix revealed how vulnerable data centers can be to network-based instrusions. While the individual server security might be stellar, the power management for the facility sometimes can be accessed without proper authentication, due to software flaws. This gives intruders the ability to turn individual computers off or on, and such a level of control might enable installation of malware onto the machines.

    The vulnerable software identified by Trellix has been patched. It has been long known that control software often derives from systems of yore that did not have strong security controls. The weaknesses return to haunt high-tech today.

  • Just Blast that Pass
    BLASTPASS NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild

    Publisher: CitizenLab
    Date: September 7, 2023

    Apple has developer tools for creating secure credentials for "passes" of various kinds, e.g. special promotions, event tickets, boarding passes. These can be put into Apple wallets and read through scanners. It sounds very useful and very secure, except that someone found a way to use it to install spyware: the notorious "NSO Group's Pegasus mercenary spyware"

    This zero-day exploit was uncovered during a check of an iPhone belonging to an NGO employee. The vulnerability was particularly concerning because it required to action on the part of a victim other than receiving an iMessage with an image.

    Apple has issued two CVEs addressing the problem. They note that "Lockdown Mode" will protect against the spyware. Lockdown Mode is for people who fear being "personally targeted by some of the most sophisticated digital threats."

  • Hacks in Vegas Ruin Stays in Vegas
    MGM Resorts says cyberattack could have material effect on company

    Publisher: CNBC
    Date: Sep 13, 2023
    By: Rohan Goswami

    The fun and glitz of Las Vegas can pale if the gaming machines don't work and you can't get into your hotel room. Due to a cyberattack, visitors to MGM resorts have been experiencing these issues and others. In an SEC filing, the company revealed that they expect revenue losses from the ongoing problems.

    Another regulatory filing about losses due to cyberhacks was given by the Clorox company. Their recovery from the attacks affected production, and at the current time they are filling orders with manual processes. See the CNN article from September 18: Clorox products in short supply after cyberattack disrupts operations

  • North Korean Cravings for Crypto Currency
    Blockchain analysts suspect North Korea-linked hackers behind $70 million crypto theft

    Publisher: Reuters
    Date: September 15, 2023
    By: Elizabeth Howcroft and Raphael Satter

    The crypto currency exchange CoinEx announced that it had lost a small portion of its assets due to hacking of its crypto wallets. The $70 million dollars may have be stolen by the Lazarus group, which has ties to North Korea.

    The blockchain analytics firm Elliptic said that the CoinEx heist followed the same pattern as four recent cryptocurrency thefts, and they believe that the Lazarus group was behind them all. Their analysis is here:

  • Debugging Considered Harmful
    Microsoft finally explains cause of Azure breach: An engineer's account was hacked
    Other failures along the way included a signing key improperly appearing in a crash dump.
    Publisher: Ars Technica
    Date: Sept 6, 2023
    By: Dan Goodin

    Microsoft has explained several critical failures that led to the compromise of the email accounts of several carefully chosen Exchange users, including some in the US Department of Justice. The notable oversight was a core dump that included a signing key; the core dump was given to an engineer who worked on it in a facility that had less security than Microsoft normally insists on for sensitive security information. The engineer's account had been hacked by a Chinese actor known as Storm-0558.

    Normally, signing keys are excised from core dumps, but Microsoft said that a "race condition" had prevented that action, and the engineers were unaware of the disclosed key. The organization that obtained the core dump from the engineer's corporate account somehow spotted the key and made use of it for creating unauthorized credentials for accessing accounts.

    There was another problem that was exploited as part of the wider and targeted breach of Exchange accounts. Somehow the developers of the mail system and the developers of an API for cryptographic validation of keys got their wires crossed, resulting in a situation in which each group thought the other was doing the validation. Oops.

  • The Unending End-to-End Battle
  • UK Online Safety Bill to become law – and encryption busting clause is still there
    Admits it's 'not technically feasible' ... but with no promise not to invoke it
    Publisher: The Register
    Date: Sep 20, 2023
    By: Lindsday Clark

    The UK Parliament passed a sweeping bill aimed at private communications services. The bill is intended to "tackle child sexual exploitation and abuse content", but the requirement for possibly scanning encrypted user messages and files has privacy experts concerned.

    The bill allows the government's communication regulator, Ofcom, to order a messaging service to scan messages for harmful content, even if the service provides "end-to-end" encryption. Some providers have said that they will stop offering products in the UK because from a purely technical viewpoint, end-to-end encryption and scanning cannot be combined. The parliament sought some middle ground in saying that the scanning would only be used as a last resort, but that does not address the impossibility of the requirement.