Beyond Information Security

New ZenHammer Attack Bypasses RowHammer Defenses on AMD CPUs

Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).

“This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today’s AMD market share of around 36% on x86 desktop CPUs,” the researchers said.

The technique, codenamed ZenHammer, can also trigger RowHammer bit flips on DDR5 devices for the first time.

RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM’s memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak to adjacent cells.

This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can alter the memory contents and potentially facilitate privilege escalation, compromising confidentiality, integrity, and availability of a system.

Source: The Hacker News / BleepingComputer / SecurityWeek

Link: https://thehackernews.com/2024/03/new-zenhammer-attack-bypasses-rowhammer.html

Link: https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-impacts-amd-zen-cpus/

Link: https://www.securityweek.com/zenhammer-attack-targets-dram-on-systems-with-amd-cpus/


Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection

A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale.

“Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries,” Netcraft said.

Darcula has been employed in several high-profile phishing attacks over the last year, wherein the smishing messages are sent to both Android and iOS users in the U.K., in addition to those that leverage package delivery lures by impersonating legitimate services like USPS.

Source: The Hacker News / BleepingComputer / Dark Reading

Link: https://thehackernews.com/2024/03/darcula-phishing-network-leveraging-rcs.html

Link: https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service-targets-iphone-users-via-imessage/

Link: https://www.darkreading.com/endpoint-security/-darcula-phishing-as-a-service-operation-bleeds-victims-worldwide


New “GoFetch” Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys

A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations.

Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Apple was made aware of the findings in December 2023.

Prefetchers are a hardware optimization technique that predicts which memory addresses a currently running program will access in the near future and retrieves the corresponding data from main memory into the cache ahead of time. The goal of this approach is to reduce the program’s memory access latency.

DMP is a type of prefetcher that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it ripe for cache-based attacks that trick the prefetcher into revealing the contents associated with a victim process that should be otherwise inaccessible.

Source: The Hacker News / BleepingComputer / Dark Reading

Link: https://thehackernews.com/2024/03/new-gofetch-vulnerability-in-apple-m.html

Link: https://www.bleepingcomputer.com/news/security/new-gofetch-attack-on-apple-silicon-cpus-can-steal-crypto-keys/

Link: https://www.darkreading.com/application-security/patchless-apple-m-chip-vulnerability-cryptography-bypass


Cisco warns of password-spraying attacks targeting VPN services

Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company says that the attacks have also been targeting other remote access VPN services and appear to be part of reconnaissance activity.

During a password-spraying attack, an adversary tries the same password with multiple accounts in an attempt to log in.

Cisco’s mitigation guide lists indicators of compromise (IoCs) for this activity to help detect the attacks and block them. These include the inability to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled.

Another sign is an unusual amount of authentication requests recorded by system logs.

Cisco’s recommendations to defend against these attacks include:

  • Enabling logging to a remote syslog server to improve incident analysis and correlation.
  • Securing default remote access VPN profiles by pointing unused default connection profiles to a sinkhole AAA server to prevent unauthorized access.
  • Leveraging TCP shun to manually block malicious IPs.
  • Configuring control-plane ACLs to filter out unauthorized public IP addresses from initiating VPN sessions.
  • Using certificate-based authentication for RAVPN, which provides a more secure authentication method than traditional credentials.
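As an added illustration (not code from Cisco’s advisory or from any of the linked articles), the following Python sketch turns the two indicators described above into checks that run over a handful of constructed authentication log lines. The log format (`<timestamp> vpn-auth src=<ip> user=<account> result=<FAILED|SUCCESS>`) is an assumed simplification, not real Cisco ASA/FTD syslog output, and the thresholds (five distinct accounts within five minutes, a per-minute baseline of four requests) are assumed starting points that a team would tune to its own baseline. It separates a spray (many accounts, few attempts each) from a single-account brute force, and lists any successful login from a flagged source as the accounts to review first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified format (not real Cisco syslog):
#   <ISO timestamp> vpn-auth src=<ip> user=<account> result=<FAILED|SUCCESS>
# 203.0.113.5 sprays one guess across six accounts; 198.51.100.7 hammers one
# account; 192.0.2.10 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-27T10:00:01 vpn-auth src=203.0.113.5 user=alice result=FAILED
2024-03-27T10:00:04 vpn-auth src=203.0.113.5 user=bob result=FAILED
2024-03-27T10:00:07 vpn-auth src=203.0.113.5 user=carol result=FAILED
2024-03-27T10:00:10 vpn-auth src=203.0.113.5 user=dave result=FAILED
2024-03-27T10:00:13 vpn-auth src=203.0.113.5 user=erin result=FAILED
2024-03-27T10:00:16 vpn-auth src=203.0.113.5 user=frank result=SUCCESS
2024-03-27T10:01:00 vpn-auth src=198.51.100.7 user=grace result=FAILED
2024-03-27T10:01:05 vpn-auth src=198.51.100.7 user=grace result=FAILED
2024-03-27T10:01:10 vpn-auth src=198.51.100.7 user=grace result=FAILED
2024-03-27T10:01:15 vpn-auth src=198.51.100.7 user=grace result=FAILED
2024-03-27T10:01:20 vpn-auth src=198.51.100.7 user=grace result=FAILED
2024-03-27T10:02:00 vpn-auth src=192.0.2.10 user=alice result=SUCCESS
2024-03-27T10:02:30 vpn-auth src=192.0.2.10 user=alice result=FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>FAILED|SUCCESS)$"
)


def parse_log(text):
    """Parse the constructed format into (timestamp, src, user, result) tuples,
    sorted by time; lines that do not match are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5,
                 max_failures_per_account=2.0):
    """Flag sources whose failed logins inside any sliding `window` touch at least
    `min_accounts` distinct accounts while averaging no more than
    `max_failures_per_account` failures per account (wide and shallow = spray;
    one account hit many times is a brute force and is left to other rules).
    Returns {src: sorted list of targeted accounts}."""
    failures_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAILED":
            failures_by_src[src].append((ts, user))
    hits = {}
    for src, fails in failures_by_src.items():
        recent = deque()  # failures from this source inside the current window
        for ts, user in fails:
            recent.append((ts, user))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            accounts = {u for _, u in recent}
            if (len(accounts) >= min_accounts
                    and len(recent) / len(accounts) <= max_failures_per_account):
                hits[src] = sorted(set(hits.get(src, [])) | accounts)
    return hits


def successes_from_flagged(events, hits):
    """Accounts that logged in successfully from a flagged source: the spray found
    a valid password there, so these are reviewed and reset first."""
    return sorted({user for _, src, user, result in events
                   if result == "SUCCESS" and src in hits})


def auth_rate_alerts(events, per_minute_threshold=4):
    """Second indicator from the advisory: an unusual volume of authentication
    requests. Bucket all requests per minute and return the minutes that exceed
    the (assumed) baseline threshold."""
    buckets = defaultdict(int)
    for ts, *_ in events:
        buckets[ts.replace(second=0, microsecond=0)] += 1
    return {k.isoformat(): v for k, v in sorted(buckets.items())
            if v > per_minute_threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = detect_spray(evs)
    print("spray sources:", flagged)
    print("accounts to review:", successes_from_flagged(evs, flagged))
    print("busy minutes:", auth_rate_alerts(evs))
```

The flagged source IPs are what the TCP shun and control-plane ACL recommendations above would then be applied to, and the per-minute buckets are only meaningful once logging goes to a remote syslog server where the whole fleet’s requests can be correlated.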

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spraying-attacks-targeting-vpn-services/


Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Source: Krebs on Security / Dark Reading

Link: https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/

Link: https://www.darkreading.com/cloud-security/mfa-bombing-attacks-target-apple-iphone-users


The OODA Loop: The Military Model That Speeds Up Cybersecurity Response

Time is a precious commodity, especially in cybersecurity. Cybercriminals can be in and out of a victim environment less than 24 hours after initial access. Professional cybercriminals and advanced persistent threats (APTs) leverage zero-day vulnerabilities, leaving software developers with no warning and no patch to offer.

When a cyberattack strikes, defenders have only minutes to detect and respond. The faster the detection, the sooner malware can be stopped from spreading. The faster the response, the sooner the adversary can be outmaneuvered. To win this race against time, defenders need two things: 1) a robust decision-making model that supports swift but accurate decisions; and 2) real-time visibility across the entire infrastructure, so that security teams can make informed decisions.

The OODA loop is a military mental model developed in the mid-20th century by Air Force strategist Col. John Boyd to boost decision-making skills for fighter pilots during aerial combats.

The OODA loop consists of four iterative phases: Observe, Orient, Decide and Act. “Observe” refers to building a comprehensive picture of the situation. “Orient” means connecting with reality, avoiding cognitive biases, and developing a deep awareness of the situation and its context. “Decide” translates to making decisions based on observations, but not jumping to conclusions. “Act” is about implementing or acting on the decision made.

Source: SecurityWeek

Link: https://www.securityweek.com/the-ooda-loop-the-military-model-that-speeds-up-cybersecurity-response/