Cyber Security Weekly Briefing, 13 – 17 June

Telefónica Tech, 17 June 2022

Hertzbleed. New side-channel attack on AMD and Intel processors

Security researchers at several US universities have discovered a new side-channel attack affecting Intel and AMD processors, called Hertzbleed.

What is remarkable about this attack is that it could allow an attacker to extract cryptographic keys from remote servers. The cause is that, under certain circumstances, the Dynamic Voltage and Frequency Scaling (DVFS) system of modern x86 processors depends on the data being processed, so the same program can run at different CPU frequencies depending on its input.

Both Intel (CVE-2022-24436) and AMD (CVE-2022-23823) have already identified the vulnerability and issued the corresponding security advisories.

According to the researchers who discovered Hertzbleed, neither firm plans to release patches for these flaws.

* * *

PACMAN. New attack against Mac devices

Security researchers at MIT CSAIL have discovered a new attack that could evade Pointer Authentication (PAC) on Apple’s M1 processors.

PAC is a security mechanism which cryptographically signs certain pointers and allows the operating system to detect and block unexpected changes. If these changes are not detected, they could lead to information leaks or system compromise.

This attack would allow threat actors to access the file system and execute arbitrary code on vulnerable Macs. To do so, attackers must first locate an existing memory read/write flaw in software on the victim’s Mac, one that PAC would normally block; bypassing pointer authentication then increases the severity of that flaw.

In addition, it would be necessary to know the PAC value of a particular pointer on the target. This new attack technique was reported to Apple in 2021, along with a proof of concept, although the company indicates that it does not pose an immediate risk to Mac users, as it requires the exploitation of another flaw, and it is not possible to bypass security systems on its own.


* * *

Citrix fixes two vulnerabilities in ADM

Citrix has released a critical security bulletin fixing two vulnerabilities in Citrix Application Delivery Management (ADM).

The first flaw, listed as CVE-2022-27511, is due to improper access control, and could allow an attacker to reset the administrator password after a device reboot, allowing SSH access with the default administrator credentials.

In addition, Citrix has fixed another security flaw (CVE-2022-27512) that, if successfully exploited, could result in a temporary outage of the ADM license server, causing Citrix ADM to be unable to issue new or renew licenses.

Both flaws affect Citrix ADM versions 13.1 before 13.1-21.53 and Citrix ADM 13.0 before 13.0-85.19. The firm urges users to upgrade Citrix ADM server and Citrix ADM agent as soon as possible.

* * *

Microsoft Exchange servers compromised to deploy BlackCat ransomware

The Microsoft 365 Defender threat intelligence team has reported two security incidents where the BlackCat ransomware was deployed.

On the one hand, the exploitation of an unpatched Exchange server was detected as an entry vector. After this initial access, the attackers moved through the affected network, stealing credentials and exfiltrating large amounts of information to be used for double extortion. Two weeks after the initial access, the ransomware was deployed. It is worth mentioning that Microsoft has not reported which vulnerability was exploited.

Another incident involved the use of compromised credentials on a remote desktop server with internet access as an entry vector, with the attackers subsequently gaining access to passwords and other information, and ultimately implementing the BlackCat payload for data encryption.

* * *

Office 365 feature makes it easy to encrypt files in the cloud

Security researchers at Proofpoint have discovered a feature in Office 365 that could allow ransomware operators to encrypt files stored in SharePoint Online and OneDrive, making them unrecoverable without backups or the attacker’s decryption key.

The researchers focused on these two cloud applications because they are the most widely used in enterprise environments. The only prerequisite for both SharePoint Online and OneDrive is initial access, which can be achieved by compromising the user’s account (through phishing, brute-force attacks, etc.), by tricking the user into authorising third-party OAuth applications that grant access to these platforms, or through session hijacking, either of a logged-in user’s web session or of an API token for SharePoint and/or OneDrive.

Once inside, the attack relies on the “AutoSave” functionality, which keeps cloud copies of earlier versions every time a user edits a file. The attacker reduces the limit on the number of stored file versions to a very small number and then encrypts the file more times than that limit.

In this way, the versions of the files that had been saved prior to the attack are lost and only the encrypted versions are available in the cloud account.
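The following is an added example, not code from the briefing, Proofpoint or Microsoft. It models the version-history interaction described above with a toy per-file version store, and adds a simple defender-side audit rule that flags drops of a library's version limit. The `VersionLimitChanged` event name, its fields and the default limit of 500 are assumptions for illustration, not the real SharePoint audit schema.

```python
# Added example: toy model of cloud file versioning under a lowered version
# limit, plus an audit-log rule for limit reductions. Not vendor code.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

# Constructed marker meaning "this version holds ciphertext, not the document"
ENCRYPTED_MARKER = b"ENC:"


@dataclass
class VersionedFile:
    """Minimal model of a cloud file that retains old versions up to a
    per-library version limit; the oldest versions are discarded first."""
    name: str
    version_limit: int
    history: Deque[bytes] = field(default_factory=deque)

    def save(self, content: bytes) -> None:
        self.history.append(content)
        self._trim()

    def set_version_limit(self, new_limit: int) -> None:
        # Lowering the limit discards the oldest versions immediately
        self.version_limit = new_limit
        self._trim()

    def _trim(self) -> None:
        while len(self.history) > self.version_limit:
            self.history.popleft()

    def recoverable_plaintext_versions(self) -> int:
        """How many retained versions still hold the original document."""
        return sum(1 for v in self.history if not v.startswith(ENCRYPTED_MARKER))


def simulate(version_limit_after: int, overwrite_rounds: int) -> int:
    """Start with five plaintext drafts under an assumed limit of 500, lower the
    limit to `version_limit_after`, overwrite the file `overwrite_rounds` times
    with ciphertext-like content, and return how many plaintext versions survive."""
    f = VersionedFile("quarterly-report.docx", version_limit=500)
    for i in range(5):
        f.save(f"draft {i}".encode())
    f.set_version_limit(version_limit_after)
    for i in range(overwrite_rounds):
        f.save(ENCRYPTED_MARKER + bytes([i]))
    return f.recoverable_plaintext_versions()


# Constructed audit events; field names are assumptions, not the real schema
SAMPLE_EVENTS: List[Dict] = [
    {"op": "VersionLimitChanged", "library": "Documents", "old": 500, "new": 1, "user": "alice"},
    {"op": "FileModified", "library": "Documents", "file": "a.docx", "user": "alice"},
    {"op": "VersionLimitChanged", "library": "Shared", "old": 500, "new": 100, "user": "bob"},
]


def flag_version_limit_drops(events: List[Dict], floor: int = 50) -> List[Dict]:
    """Return limit-change events that lower a library's version limit below
    `floor`; such a change is a useful alert precursor to the mass-overwrite step."""
    return [
        e for e in events
        if e.get("op") == "VersionLimitChanged"
        and e.get("new", floor) < floor
        and e["new"] < e.get("old", e["new"] + 1)
    ]


if __name__ == "__main__":
    print("plaintext versions left, limit 500, 2 overwrites:", simulate(500, 2))
    print("plaintext versions left, limit 1, 2 overwrites:", simulate(1, 2))
    print("flagged events:", flag_version_limit_drops(SAMPLE_EVENTS))
```

With the default limit untouched, five plaintext versions survive two ciphertext overwrites; once the limit is lowered to 1, none do. The audit rule only looks at limit changes, which is why the versioning safety net is worth monitoring separately from file-modification volume.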

Proofpoint has reportedly alerted Microsoft, which has indicated that the functionality works as it should and that old versions of files can be recovered for 14 days with the help of Microsoft Support.
