Exposure of sensitive information to an unauthorized actor in BIOS firmware for some Intel(R) NUCs may allow a privilege user to potentially enable information disclosure via local access.

CVE-2023-29500

Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs.
Called Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as

Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs.

Called **Collide+Power** (CVE-2023-20583), **Downfall** (CVE-2022-40982), and **Inception** (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as Zenbleed (CVE-2023-20593).

"Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers," Daniel Moghimi, senior research scientist at Google, said. "This vulnerability \[...\] enables a user to access and steal data from other users who share the same computer."

In a hypothetical attack scenario, a malicious app installed on a device could weaponize the method to steal sensitive information like passwords and encryption keys, effectively undermining Intel's Software Guard eXtensions (SGX) protections.

The problem is rooted in the memory optimization features introduced by Intel in its processors, specifically those with AVX2 and AVX-512 instruction sets, thereby causing untrusted software to get past isolation barriers and access data stored by other programs.

This, in turn, is achieved by means of two transient execution attack techniques called Gather Data Sampling (GDS) and Gather Value Injection (GVI), the latter of which combines GDS with Load Value Injection (LVI).

"\[Downfall and Zenbleed\] allow an attacker to violate the software-hardware boundary established in modern processors," Tavis Ormandy and Moghimi noted. "This could allow an attacker to access data in internal hardware registers that hold information belonging to other users of the system (both across different virtual machines and different processes)."

Intel described Downfall (aka GDS) as a medium severity flaw that could result in information disclosure. It's also releasing a microcode update to mitigate the problem, although there is a possibility of a 50% performance reduction. The full list of affected models is available here.

If anything, the discovery of Downfall underscores the need for balancing security and performance optimization demands.

"Optimization features that are supposed to make computation faster are closely related to security and can introduce new vulnerabilities, if not implemented properly," Ormandy and Moghimi said.

In a related development, the chipmaker also moved to address a number of flaws, including a privilege escalation bug in the BIOS firmware for some Intel(R) Processors (CVE-2022-44611) that arises as a result of improper input validation.

"A remote attacker that is positioned within Bluetooth proximity to the victim device can corrupt BIOS memory by sending malformed \[Human Interface Device\] Report structures," NCC Group security researcher Jeremy Boone said.

Coinciding with Downfall is Inception, a transient execution attack that leaks arbitrary kernel memory on all AMD Zen CPUs, including the latest Zen 4 processors, at a rate of 39 bytes/s.

"As in the movie of the same name, Inception plants an 'idea' in the CPU while it is in a sense 'dreaming,' to make it take wrong actions based on supposedly self conceived experiences," ETH Zurich researchers said.

"Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs."

The approach is an amalgamation of Phantom speculation (CVE-2022-23825) and Training in Transient Execution (TTE), allowing for information disclosure along the lines of branch prediction-based attacks like Spectre-V2 and Retbleed.

"Inception makes the CPU believe that a XOR instruction is a recursive call instruction which overflows the return stack buffer with an attacker-controlled target," the researchers explained.

AMD, besides providing microcode patches and other mitigations, said the vulnerability is "only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools."

It's worth noting that a fix for CVE-2022-23825 was rolled out by Microsoft as part of its July 2022 Patch Tuesday updates. CVE-2023-20569 has been addressed in Microsoft's August 2023 Security Updates.

Rounding off the side-channel attacks is an unconventional software-based method dubbed Collide+Power, which works against devices powered by all processors and could be abused to leak arbitrary data across programs as well as from any security domain at a rate of up to 188.80 bits/h.

"The root of the problem is that shared CPU components, like the internal memory system, combine attacker data and data from any other application, resulting in a combined leakage signal in the power consumption," a group of academics from the Graz University of Technology and CISPA Helmholtz Center for Information Security said.

"Thus, knowing its own data, the attacker can determine the exact data values used in other applications."

In other words, the idea is to force a collision between attacker-controlled data, via malware planted on the targeted device, and the secret information associated with a victim program in the shared CPU cache memory.

"The leakage rates of Collide+Power are relatively low with the current state-of-the-art, and it is highly unlikely to be a target of a Collide+Power attack as an end-user," the researchers pointed out.

"Since Collide+Power is a technique independent of the power-related signal, possible mitigations must be deployed at a hardware level to prevent the exploited data collisions or at a software or hardware level to prevent an attacker from observing the power-related signal."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Collide+Power, Downfall, and Inception: New Side-Channel Attacks Affecting Modern CPUs

An out-of-bounds memory access flaw was found in the Linux kernel’s do_journal_end function when the fails array-index-out-of-bounds in fs/reiserfs/journal.c could happen. This flaw allows a local user to crash the system.

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)

git tree: upstream

console output:
https://drive.google.com/file/d/1rvB5Fwc85GjfGwkk0bcYKZksB5l-\_nOX/view?usp=drive\_link
kernel config: https://drive.google.com/file/d/1V146PezNdRzu1BRVfwwYsIwNCZvAOBxJ/view?usp=drive\_link
C reproducer: https://drive.google.com/file/d/1FLDqzxv4t92J7EMPqQdkg6ca6XtZJhCd/view?usp=drive\_link
Syzlang reproducer:
https://drive.google.com/file/d/1uPPRLIylpS116iXrlHMzKNga-fBwRAo1/view?usp=drive\_link
Similar report:
https://groups.google.com/g/syzkaller-bugs/c/osuwOxyjReQ/m/-FJKSzllAQAJ

If you fix this issue, please add the following tag to the commit:
Reported-by: Yikebaer Aizezi <yikebaer61@xxxxxxxxx>

UBSAN: array-index-out-of-bounds in fs/reiserfs/journal.c:4166:22
index 1 is out of range for type '\_\_le32 \[1\]'
CPU: 0 PID: 8058 Comm: syz-executor Not tainted 6.5.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xd4/0xf0 lib/dump\_stack.c:106
 ubsan\_epilogue lib/ubsan.c:217 \[inline\]
 \_\_ubsan\_handle\_out\_of\_bounds+0xbf/0x100 lib/ubsan.c:348
 do\_journal\_end+0x3b3c/0x4750 fs/reiserfs/journal.c:4166
 reiserfs\_sync\_fs+0xe7/0x100 fs/reiserfs/super.c:78
 sync\_filesystem fs/sync.c:56 \[inline\]
 sync\_filesystem+0xef/0x250 fs/sync.c:30
 generic\_shutdown\_super+0x70/0x470 fs/super.c:472
 kill\_block\_super+0x60/0xb0 fs/super.c:1417
 deactivate\_locked\_super+0x85/0x140 fs/super.c:330
 deactivate\_super+0x8c/0xa0 fs/super.c:361
 cleanup\_mnt+0x28f/0x3b0 fs/namespace.c:1254
 task\_work\_run+0x153/0x230 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x19/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x47afab
Code: 5f ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b4 ff ff ff f7
d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b4 ff ff ff f7 d8
RSP: 002b:00007ffe61655568 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00000000000001fc RCX: 000000000047afab
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffe61655610
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe61655400
R10: 00000000025d1b03 R11: 0000000000000246 R12: 00007ffe616566d0
R13: 00000000025d1a70 R14: 0000000000000000 R15: 00007ffe61656710
 </TASK>
================================================================================

TITLE: kernel panic: UBSAN: panic\_on\_warn set ...
CORRUPTED: false ()
MAINTAINERS (TO): \[reiserfs-devel@xxxxxxxxxxxxxxx\]
MAINTAINERS (CC): \[linux-kernel@xxxxxxxxxxxxxxx\]

index 1 is out of range for type '\_\_le32 \[1\]'
CPU: 0 PID: 8058 Comm: syz-executor Not tainted 6.5.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xd4/0xf0 lib/dump\_stack.c:106
 ubsan\_epilogue lib/ubsan.c:217 \[inline\]
 \_\_ubsan\_handle\_out\_of\_bounds+0xbf/0x100 lib/ubsan.c:348
 do\_journal\_end+0x3b3c/0x4750 fs/reiserfs/journal.c:4166
 reiserfs\_sync\_fs+0xe7/0x100 fs/reiserfs/super.c:78
 sync\_filesystem fs/sync.c:56 \[inline\]
 sync\_filesystem+0xef/0x250 fs/sync.c:30
 generic\_shutdown\_super+0x70/0x470 fs/super.c:472
 kill\_block\_super+0x60/0xb0 fs/super.c:1417
 deactivate\_locked\_super+0x85/0x140 fs/super.c:330
 deactivate\_super+0x8c/0xa0 fs/super.c:361
 cleanup\_mnt+0x28f/0x3b0 fs/namespace.c:1254
 task\_work\_run+0x153/0x230 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x19/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x47afab
Code: 5f ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b4 ff ff ff f7
d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b4 ff ff ff f7 d8
RSP: 002b:00007ffe61655568 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00000000000001fc RCX: 000000000047afab
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffe61655610
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe61655400
R10: 00000000025d1b03 R11: 0000000000000246 R12: 00007ffe616566d0
R13: 00000000025d1a70 R14: 0000000000000000 R15: 00007ffe61656710
 </TASK>
================================================================================
Kernel panic - not syncing: UBSAN: panic\_on\_warn set ...
CPU: 0 PID: 8058 Comm: syz-executor Not tainted 6.5.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0x92/0xf0 lib/dump\_stack.c:106
 panic+0x570/0x620 kernel/panic.c:340
 check\_panic\_on\_warn+0x8e/0x90 kernel/panic.c:236
 ubsan\_epilogue lib/ubsan.c:223 \[inline\]
 \_\_ubsan\_handle\_out\_of\_bounds+0xe7/0x100 lib/ubsan.c:348
 do\_journal\_end+0x3b3c/0x4750 fs/reiserfs/journal.c:4166
 reiserfs\_sync\_fs+0xe7/0x100 fs/reiserfs/super.c:78
 sync\_filesystem fs/sync.c:56 \[inline\]
 sync\_filesystem+0xef/0x250 fs/sync.c:30
 generic\_shutdown\_super+0x70/0x470 fs/super.c:472
 kill\_block\_super+0x60/0xb0 fs/super.c:1417
 deactivate\_locked\_super+0x85/0x140 fs/super.c:330
 deactivate\_super+0x8c/0xa0 fs/super.c:361
 cleanup\_mnt+0x28f/0x3b0 fs/namespace.c:1254
 task\_work\_run+0x153/0x230 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x19/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x47afab
Code: 5f ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b4 ff ff ff f7
d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b4 ff ff ff f7 d8
RSP: 002b:00007ffe61655568 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00000000000001fc RCX: 000000000047afab
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffe61655610
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe61655400
R10: 00000000025d1b03 R11: 0000000000000246 R12: 00007ffe616566d0
R13: 00000000025d1a70 R14: 0000000000000000 R15: 00007ffe61656710
 </TASK>
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 1 seconds..

CVE-2023-4205: Linux Kernel: UBSAN array-index-out-of-bounds in do_journal_end

An authentication bypass vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated users to access some functionality on BioStar 2 servers.

**This topic does not exist yet**

You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”.

CVE-2023-33363: en:release_note_291_cve_title []

An OS Command injection vulnerability exists in Suprema BioStar 2 before V2.9.1, which allows authenticated users to execute arbitrary OS commands on the BioStar 2 server.

**Disclosure Policy**

Team82 is committed to privately reporting vulnerabilities to affected vendors in a coordinated, timely manner in order to ensure the safety of the cybersecurity ecosystem worldwide. To engage with the vendor and research community, Team82 invites you to download and share our Coordinated Disclosure Policy. Team82 will adhere to this reporting and disclosure process when we discover vulnerabilities in products and services.

**Public Email & PGP Key**

Team82 has also made its public PGP Key available for the vendor and research community to securely and safely exchange vulnerability and research information with us.

CVE-2023-33364: CVE-2023-33364

A path traversal vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated attackers to fetch arbitrary files from the server's web server.

CVE-2023-33365: CVE-2023-33365

A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows authenticated users to inject arbitrary SQL directives into an SQL statement and execute arbitrary SQL commands.

CVE-2023-33366: CVE-2023-33366

Debian Linux Security Advisory 5462-1 - Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5462-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 30, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-20593

Tavis Ormandy discovered that under specific microarchitectural  
circumstances, a vector register in AMD "Zen 2" CPUs may not be  
written to 0 correctly.  This flaw allows an attacker to leak  
sensitive information across concurrent processes, hyper threads  
and virtualized guests.

For details please refer to  
<https://lock.cmpxchg8b.com/zenbleed.html> and  
<https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

This issue can also be mitigated by a microcode update through the  
amd64-microcode package or a system firmware (BIOS/UEFI) update.  
However, the initial microcode release by AMD only provides  
updates for second generation EPYC CPUs.  Various Ryzen CPUs are  
also affected, but no updates are available yet.

For the stable distribution (bookworm), this problem has been fixed in  
version 6.1.38-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTGCyRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Tjjw//SsbN4RnQHqV1G0XVWxApVK1DYoKw6+tHxkkf301jV2abDMcIO1keVNol  
gc2yENQyzeoGd++eBqO0MD9GnvrbutT6n7wChuyvB7bzFDQQA6hJHLcFLkKYA3D1  
6yFgczWL0Tx7wcrpKU9gVMWAe928VE4hJGVd6nFF02YS0GF8voY/ymiCqbuQA05f  
LOmeHNIWyzulBG0qNwQE6HT6s6LkLMCZAawpe3D85cE6exFWRDKJhxKY8GcZvJDV  
8G80Ik1xYAQ6Q5HqwxUr2Rp0sN7a8SghF817Sn/Bx6ahvej61ZTgDn7QhKLkGwu2  
/DOnMcKwKd9WB7gS9T4YLd6rNOPCL4J5P06ia4/JbocExIu19pEEfQvb7gf5PVl3  
994DykFy9ByKiXYh91U9QNyKaBZSjMFeN9Mg8FbbuwZGLLNACkhZc72JK4yKsxTq  
5cucuVBzwbwvvrK63h3YVDyOv8vRiI/jquxOMehsrSGOuaHpd2VduQdnS0ayKjqX  
STOKNRMA+GGjIoNdLyfe9HDlm3ztwsjrxoO0eXqWjUc7EA6KOfsF7NLFju2YXEt9  
80Yr6kCS5/IukkhZBAP4GwV4mLKG1yZ7vzwb15pAihvtw7UFrrzifkcL0yPf7Cx8  
wVtTUdl+5Y4Dfy+i9/LT0sY4fVEKfZZoXnDV733vxTTKKNQSpFk=  
=ceVi  
-----END PGP SIGNATURE-----

Debian Security Advisory 5462-1

Debian Linux Security Advisory 5461-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5461-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 30, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-3390 CVE-2023-3610 CVE-2023-20593

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    error path handling may result in denial of service or privilege  
    escalation.

CVE-2023-3610

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    refcount handling on the table and chain destroy path may result in  
    denial of service or privilege escalation.

CVE-2023-20593

    Tavis Ormandy discovered that under specific microarchitectural  
    circumstances, a vector register in AMD "Zen 2" CPUs may not be  
    written to 0 correctly.  This flaw allows an attacker to leak  
    sensitive information across concurrent processes, hyper threads  
    and virtualized guests.

    For details please refer to  
    <https://lock.cmpxchg8b.com/zenbleed.html> and  
    <https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

    This issue can also be mitigated by a microcode update through the  
    amd64-microcode package or a system firmware (BIOS/UEFI) update.  
    However, the initial microcode release by AMD only provides  
    updates for second generation EPYC CPUs.  Various Ryzen CPUs are  
    also affected, but no updates are available yet.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.179-3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTGCxhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q2Lw//W7eGT2uTxzgwGK1ivLNtzu4VnZfX3luCzLc2Gy49YhSTPfepMsR+EZWU  
zMfxMwXp7HcgUUAj6VnKPSYt0lmauDVy9POUl20nOzM8hFScemhFJ+DVSeeJrfhR  
RPUroaJNLpJS1QjYJisi2tjKnoc8IhCkw/X88I4S4dAzekmRTLeEdeAIP0jyRYDi  
Pd+nW8vR2bcMG4jAaA/lBu17FgysEpHMleMzr9Ocw7k6eqlcIo12w36Ml51MmXZW  
Lxr7XKrAM6p9TuL+BY0i4FvW0f7hvbpMdhIaAzUf+7LQj9Tn5rGNaHB+NhLO6HB1  
spOXfZLVCM10LDCDIUR3lz0hUNI/10bKtoarbvoygevVzuvGWLTmI5P/uei9Bv1m  
jqd+FOtkZuYsuQzvzIrVISGL2ltpD3055mBaOJWIBrDl+mrR88m+LAMA5iJiCuvh  
M6rfJgraQFHeMFJi1ojDgNyyRaasxOKXRcWAYOvgZ1XKLfJ10OkieYq5CO1c7iKW  
4NkwBklDP8wEHoZHMEY3KnLnGcNO93wBBGcQVIBlMXu0IKlf/BT0Rcj0ynz5g5N1  
MgvGAJio+yTr4QWRz/GQRtF3Lf5r4Ezib/Y2Qv9PUbVWzmmiUyQsATjcp9d+sLSB  
hJhR9+9d4DefRAPGFOSCA6d01qL8HygsvKyyGB4C1DdbSlT3APc=  
=3UcB  
-----END PGP SIGNATURE-----

Debian Security Advisory 5461-1

By Deeba Ahmed
Dubbed CherryBlos and FakeTrade by researchers, these two malware campaigns have been identified as potentially related by Trend Micro.
This is a post from HackRead.com Read the original post: FakeTrade Android Malware Attack Steals Crypto Wallet Data

**IN SUMMARY**

*   **The malware campaigns have been dubbed CherryBlos and FakeTrade.**
*   **The prime target of this attack is crypto wallet data on Android devices.**
*   **TikTok, Twitter and Telegram are being used to promote malicious apps.**

A new malware campaign is currently focusing its sights on Android devices, aiming to surreptitiously steal personal information and cryptocurrency wallet credentials from unsuspecting users.

According to the latest report by Trend Micro, cybersecurity researchers have detected two financially motivated malware campaigns. These malicious operations exploit applications within the official Google Play Store, making the platform an attractive target for such cybercriminal campaigns.

Dubbed CherryBlos and FakeTrade by researchers, these two malware campaigns have been identified as potentially related by Trend Micro. The link between them lies in the fact that both types of malware utilize identical application certificates and network infrastructure.

Researchers have identified that campaign operators are increasingly targeting Android users with banking trojans to steal cryptocurrency. To achieve their malicious objectives, they distribute fake Android applications loaded with malware. These apps are advertised on the Google Play Store, phishing websites, and social media platforms. The same pattern is identified in the latest campaigns.

It is worth noting that the malware operators are exploiting various social networking platforms, including X (formerly Twitter), TikTok, and Telegram, to promote fraudulent Android apps. All of the offensive apps have been removed from Google Play.

Fake TikTok and (X) Twitter account dropping malicious apps (Screenshots credit: Trend Micro)

**CherryBlos Campaign**

The CherryBIos campaign exploits social network sites to promote fake services and ads, leading users to phishing websites. Unsuspecting individuals are deceived into downloading and installing Android apps infected with malware from these sites.

The malware, known as CherryBIos, first appeared online in April 2023. It earned its name from the unique string found in its hijacking framework. Once installed, CherryBIos can pilfer cryptocurrency wallet credentials and alter a user’s address, diverting funds to the attackers’ address during withdrawals.

“Upon further investigation, we were able to trace its source to a telegram group called Ukraine ROBOT that had been posting messages related to cryptocurrency mining since early 2023. This group’s profile directly points to the phishing website where the malware was downloaded,” Trend Micro’s report read.

Later, the malware was found in Happy Miner, GPTalk, and SynthNet apps. An interesting feature of CherryBIos malware is that it exploits OCR (optical character recognition) to read mnemonic phrases found in images on a compromised device and send the data to a C2 server.

These phrases are specifically helpful when users want to restore a crypto wallet. It is a notorious Android banking trojan that first requests Android accessibility permissions to perform malicious activities. These permissions are designed for people with disabilities and help them interact with the device via gestures and perform tasks like reading screen content aloud or automating repetitive tasks.

**FakeTrade Campaign**

In the FakeTrade campaign, malware operators use numerous fake money-earning apps that appear to be e-commerce platforms, promising increased income through referrals and top-ups. The malware (AndroidOS FakeTrade.HRXB), hidden inside the apps, prevents users from withdrawing funds.

Researchers found approximately 31 fake Android apps distributing the FakeTrade malware, most of which were designed for shopping or persuading users to complete various tasks in order to earn money or purchase app credits to top up their accounts. However, those who fell for this trap were unable to withdraw funds when they attempted to do so. Most of the apps were uploaded to Google Play in 2021, with some appearing in 2022.

Researchers suspect that the threat actors behind these campaigns aren’t targeting any specific region, considering the languages used in their analyzed samples. This means their victims could be dispersed worldwide, as attackers can conveniently replace resource strings and upload these fake apps to different Google Play regions such as Vietnam, Mexico, Indonesia, the Philippines, and Uganda.

1.  Triada Malware Infects Android Devices via Fake Telegram App
2.  Google Removes Swing VPN Android App Exposed as DDoS Botnet
3.  Iranian Stalkerware ‘Spyhide’ Steals Data from 60K Android Devices
4.  Popular Android Screen Recorder iRecorder App Revealed as Trojan
5.  Global Malware Attack Imitates VPN, Security Apps on Android Phones

Tag

#bios