Published By
Created On
22 May 2022 01:39:27 UTC
Transaction ID
Cost
Safe for Work
Free
Yes
Ransomware attack exposes data of 500,000 Chicago students
Ransomware attack exposes data of 500,000 Chicago students
The Chicago Public Schools has suffered a massive data breach that exposed the data of almost 500,000 students and 60,000 employee after their vendor, Battelle for Kids, suffered a ransomware attack in December.
Ohio-based Battelle for Kids is a not-for-profit educational organization that analyzes student data shared by public school systems to design instructional models and evaluate teacher performance.
Battelle for Kid says they work with 267 school systems, and its programs have reached over 2.8 million students.
Top Articles
READ MORE
READ MORE Massive data breach for Chicago Public Schools Yesterday, the Chicago Public School (CPS) district disclosed that a December 1st ransomware attack on Battelle for Kids exposed the stored data of 495,448 students and 56,138 employees in its school system.
According to a CPS, the school system partners with Battelle for Kids to upload student course information and assessment data for teacher evaluations.
CPS says that the data stored on Battelle for Kids' servers was for school years 2015 through 2019 and exposed students' personal information and assessment scores.
"Specifically, an unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019," explains the CPS student data breach notification.
For staff, the threat actors potentially accessed their name, school, employee ID number, CPS email address, and Battelle for Kids username during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.
CPS says that no Social Security Numbers, home addresses, health data, or financial information was exposed in the attack.
CPS is providing free credit monitoring, and identity theft protection to any students or staff members impacted.
Instructions on how to access this free credit reporting can be found on the CPS data breach page created by the school system.
Over four months to disclose breach In April, Ohio school districts began issuing data breach notifications warning students and staff that their data was exposed in the ransomware attack on Battelle for Kids.
Even though CPS' says their contract with Battelle for Kids requires immediate notification of a data breach, they first learned about the breach four months later, on April 26th, 2022.
However, it was not until May 11th that they first learned which specific students or staff had their data exposed.
"Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Batelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter," explains CPS on their data breach page.
While it is not known what ransomware gang is behind this attack, all groups leave ransom notes behind on encrypted devices that include email addresses or links to ransom negotiation sites.
Example ransom note listing stolen data As part of the extortion process, ransomware gangs commonly provide proof that they stole data by sharing a list of all the stolen folders and sometimes sharing individual files as proof.
When a victim refuses to pay a ransom, the threat actors publicly disclose that they attacked the victim and begin leaking their stolen data.
There has been no public disclosure by a ransomware gang stating that they breached Battelle for Kids, possibly indicating that Battelle for Kids paid a ransom demand.
A similar but unrelated data breach was disclosed by the New York City Department of Education in March, where a vendor's cyber attack exposed the data of 820,000 students.
BleepingComputer has contacted Battelle for Kids with questions but has not heard back at this time.
The Chicago Public Schools has suffered a massive data breach that exposed the data of almost 500,000 students and 60,000 employee after their vendor, Battelle for Kids, suffered a ransomware attack in December.
Ohio-based Battelle for Kids is a not-for-profit educational organization that analyzes student data shared by public school systems to design instructional models and evaluate teacher performance.
Battelle for Kid says they work with 267 school systems, and its programs have reached over 2.8 million students.
Top Articles
READ MORE
READ MORE Massive data breach for Chicago Public Schools Yesterday, the Chicago Public School (CPS) district disclosed that a December 1st ransomware attack on Battelle for Kids exposed the stored data of 495,448 students and 56,138 employees in its school system.
According to a CPS, the school system partners with Battelle for Kids to upload student course information and assessment data for teacher evaluations.
CPS says that the data stored on Battelle for Kids' servers was for school years 2015 through 2019 and exposed students' personal information and assessment scores.
"Specifically, an unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019," explains the CPS student data breach notification.
For staff, the threat actors potentially accessed their name, school, employee ID number, CPS email address, and Battelle for Kids username during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.
CPS says that no Social Security Numbers, home addresses, health data, or financial information was exposed in the attack.
CPS is providing free credit monitoring, and identity theft protection to any students or staff members impacted.
Instructions on how to access this free credit reporting can be found on the CPS data breach page created by the school system.
Over four months to disclose breach In April, Ohio school districts began issuing data breach notifications warning students and staff that their data was exposed in the ransomware attack on Battelle for Kids.
Even though CPS' says their contract with Battelle for Kids requires immediate notification of a data breach, they first learned about the breach four months later, on April 26th, 2022.
However, it was not until May 11th that they first learned which specific students or staff had their data exposed.
"Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Batelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter," explains CPS on their data breach page.
While it is not known what ransomware gang is behind this attack, all groups leave ransom notes behind on encrypted devices that include email addresses or links to ransom negotiation sites.
Example ransom note listing stolen data As part of the extortion process, ransomware gangs commonly provide proof that they stole data by sharing a list of all the stolen folders and sometimes sharing individual files as proof.
When a victim refuses to pay a ransom, the threat actors publicly disclose that they attacked the victim and begin leaking their stolen data.
There has been no public disclosure by a ransomware gang stating that they breached Battelle for Kids, possibly indicating that Battelle for Kids paid a ransom demand.
A similar but unrelated data breach was disclosed by the New York City Department of Education in March, where a vendor's cyber attack exposed the data of 820,000 students.
BleepingComputer has contacted Battelle for Kids with questions but has not heard back at this time.
Author
Content Type
Unspecified
video/mp4
Language
English
More from the publisher
Controlling
VIDEO
US LI
LANG_en_uslinksthanosandjigsawransomwareto55yearolddoctormp4
US links Thanos and Jigsaw ransomware to 55-year-old doctor
The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.
Zagala (aka Nosophoros, Aesculapius, and Nebuchadnezzar) also offered support to cybercriminals who bought the malware and shared profits earned after ransoming victims worldwide.
"As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran," said US Attorney Breon Peace.
Top Articles
READ MORE "We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use," Assistant Director-in-Charge Driscoll added.
Jigsaw ransomware includes a "Doomsday" counter that will delete a certain amount of files from the victims' drives every hour until the ransom is paid, with an increasing number of files after each reset.
Jigsaw hasn't been active since the fall of 2021, and, even then, the activity was really low.
A Jigsaw ransomware decryptor is available from Emsisoft.
Thanos ransomware is a Ransomware-as-a-Service (RaaS) operation advertised on Russian-speaking hacker forums.
The malware allows affiliates to customize their own ransomware using a builder offered by the developer.
While Zagala ran an affiliate program where cybercriminals would share their ransomware profits, he also licensed the Thanos malware using a licensing server he hosted in Charlotte, North Carolina.
This ransomware strain stopped showing up in ID-Ransomware submissions in February 2022, and the ransomware builder was leaked on VirusTotal in June 2021.
Thanos ransomware activity (ID-Ransomware) Some Thanos ransomware samples have previously been tagged as Prometheus, Haron, or Hakbit ransomware due to different encryption extensions used by affiliates.
However, Recorded Future's Insikt Group discovered that they're the same malware.
"Based on code similarity, string reuse, and core functionality, Insikt Group assesses with high confidence that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros," Insikt Group said.
Thanos ransomware builder (Recorded Future) According to today's DOJ press release, Zagala allegedly publicly discussed how his "clients" used his tools in ransomware attacks, "including by linking to a news story about an Iranian state-sponsored hacking group's use of Thanos to attack Israeli companies."
(likely this report from ClearSky on MuddyWater's Operation Quicksand).
In May 2022, law enforcement agents linked Zagala to the Thanos ransomware operation after interviewing one of his relatives who collected some of Zagala's illicit proceeds from the ransomware operation using a PayPal account.
This individual also showed them contact information stored in his phone that the defendant used to register some of the Thanos ransomware malicious infrastructure.
If convicted, Zagala faces up to five years in prison for attempted computer intrusion and five years of imprisonment for conspiracy to commit computer intrusions.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
MOZIL
LANG_en_mozillafixesfirefoxthunderbirdzerodaysexploitedatpwn2ownmp4
Mozilla fixes Firefox, Thunderbird zero-days exploited at Pwn2Own
Mozilla has released security updates for multiple products to address zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking contest.
If exploited, the two critical flaws can let attackers gain JavaScript code execution on mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.
The zero-days have been fixed in Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1.
Top Articles
READ MORE Manfred Paul (@_manfp) earned $100,000 and 10 Master of Pwn points after demoing prototype pollution and improper input validation bugs on the first day of Pwn2Own.
The first vulnerability is a prototype pollution in Top-Level Await implementation (tracked as CVE-2022-1802) that can let an attacker corrupt the methods of an Array object in JavaScript using prototype pollution to achieve JavaScript code execution in a privileged context.
The second one (CVE-2022-1529) allows attackers to abuse Java object indexing improper input validation in prototype pollution injection attacks.
"An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process," Mozilla explained.
The Cybersecurity and Infrastructure Security Agency (CISA) also encouraged admins and users on Monday to patch these security flaws, given that threat actors could exploit them to "take control of an affected system."
Mozilla patched these vulnerabilities two days after they were exploited and reported at the Pwn2Own hacking contest by Manfred Paul.
However, vendors don't usually hurry to release patches after Pwn2Own since they have 90 days to push security fixes until Trend Micro's Zero Day Initiative publicly discloses them.
Pwn2Own 2022 Vancouver ended on May 20 after 17 competitors earned $1,155,000 for zero-day exploits and exploit chains demonstrated over three days after 21 attempts.
Security researchers also earned $400,000 for 26 zero-day exploits targeting ICS and SCADA products demoed between April 19 and April 21 during the 2022 Pwn2Own Miami contest.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
[WHIT
LANG_en_whitepapersocialengineeringwhatyouhtmlmp4
[White Paper] Social Engineering: What You Need to Know to Stay Resilient
Security and IT teams are losing sleep as would-be intruders lay siege to the weakest link in any organization's digital defense: employees.
By preying on human emotion, social engineering scams inflict billions of dollars of damage with minimal planning or expertise.
Cybercriminals find it easier to manipulate people before resorting to technical "hacking" tactics.
Recent research reveals that social engineering is leveraged in 98% of attacks.
As the rapid, ongoing acceleration of remote work raises the stakes, security leaders are fighting back with education and awareness.
Resources developed by experts, like this new white paper — "Social Engineering: What You Need to Know to Stay Resilient" — identify the most common tactics, track how these types of attacks are evolving, and provide tips to protect organizations and their end-users.
These insights not only inform security practitioners of the latest tactics and emerging threats, but help employees understand that safeguarding data is not just a "security team problem."
Instead, every teammate is vulnerable to social engineering schemes, and every teammate must play their part to safeguard sensitive data.
To help security teams recognize inbound swindles, "Social Engineering: What You Need to Know to Stay Resilient" unpacks the history and evolution of social engineering attacks, provides tips for resiliency, and dissects the five stages of a modern social engineering attack: To learn more about social engineering and measures you can take to keep your organization, download "Social Engineering: What You Need to Know to Stay Resilient" here.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
MICRO
LANG_en_microsoftfixesnewpetitpotamwindowsntlmrelayattackvectormp4
Microsoft fixes new PetitPotam Windows NTLM Relay attack vector
A recent security update for a Windows NTLM Relay Attack has been confirmed to be a previously unfixed vector for the PetitPotam attack.
During the May 2022 Patch Tuesday, Microsoft released a security update for an actively exploited NTLM Relay Attack labeled as a 'Windows LSA Spoofing Vulnerability' and tracked as CVE-2022-26925.
"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM.
This security update detects anonymous connection attempts in LSARPC and disallows it."
Top Articles
READ MORE
READ MORE An NTLM Relay Attack allows threat actors to force devices, even domain controllers, to authenticate against malicious servers they control.
Once a device authenticates, the malicious server can impersonate the device and gain all of its privileges.
These attacks are significant problems as they could allow a threat actor to gain complete control over the domain.
While Microsoft did not share too many details about the bug, they stated that the fix affected the EFS API OpenEncryptedFileRaw(A/W) function, which indicated that this might be another unpatched vector for the PetitPotam attack.
Confirmed to be part of Petitotam PetitPotam is an NTLM Relay Attack tracked as CVE-2021-36942 that French security researcher GILLES Lionel discovered, aka Topotam, in July.
The PetitPotam attack allowed unauthenticated users to use the EfsRpcOpenFileRaw function of the MS-EFSRPC API to force a device to perform NTLM authentication against attacker-controlled servers.
A demonstration of this attack can be viewed below.
While Microsoft fixed part of the PetitPotam vulnerability in August 2021, there were still unpatched vectors that allowed the bug to be abused by attackers.
When we contacted Microsoft to confirm if the NTLM Relay vector patched this month was related to PetitPotam, they responded with a stock response that did not answer our questions.
“A security update was released in May.
Customers who apply the update, or have automatic updates enabled, will be protected.
We are continuously improving security for our products and encourage customers to turn on automatic updates to help ensure they are protected.” – a Microsoft spokesperson.
However, BleepingComputer has since confirmed that the recently fixed NTLM Relay Attack bug does, in fact, fix an unpatched vector for the PetitPotam attack.
Raphael John, who Microsoft attributes for the discovery of the new NTLM Relay vulnerability, says that he discovered that PetitPotam was still working when conducting pentests in January and March.
However, when he disclosed it to Microsoft, they fixed it under a new CVE rather than the original one assigned to PetitPotam.
"I made it very clear in the report, that it is just PetitPotam and nothing I found out or changed," Raphael John told BleepingComputer in a conversation.
PetitPotam continued to work after Microsoft fixed it because Topotam discovered a bypass to the August security update and added it to his tool in January 2022.
Gilles has confirmed to BleepingComputer that the new security update has now fixed the PetitPotam 'EfsRpcOpenFileRaw' vector, but other EFS vectors still exist, allowing the attack to work.
"All functions of petitpotam, as others vectors, still works except efsopenfileraw," Gilles told BleepingComputer.
As new PetitPotam vectors and other NTML Relay attacks will be discovered in the future, Microsoft suggests that Windows domain admins become familiar with the mitigations outlined in their 'Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)' support document.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
U.S.
LANG_en_usproposes1millionfineoncolonialhtmlmp4
U.S. Proposes $1 Million Fine on Colonial Pipeline for Safety Violations After Cyberattack
The U.S. Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed a penalty of nearly $1 million to Colonial Pipeline for violating federal safety regulations, worsening the impact of the ransomware attack last year.
The $986,400 penalty is the result of an inspection conducted by the regulator of the pipeline operator's control room management (CRM) procedures from January through November 2020.
The PHMSA said that "a probable failure to adequately plan and prepare for manual shutdown and restart of its pipeline system [...] contributed to the national impacts when the pipeline remained out of service after the May 2021 cyberattack."
Colonial Pipeline, operator of the largest U.S. fuel pipeline, was forced to temporarily take its systems offline in the wake of a DarkSide ransomware attack in early May 2021, disrupting gas supply and prompting a regional emergency declaration across 17 states.
The incident also saw the company shelling out $4.4 million in ransom to the cybercrime syndicate to regain access to its computer network, although the U.S. government managed to recover a significant chunk of the digital funds paid.
"The pipeline shutdown impacted numerous refineries' ability to move refined product, and supply shortages created wide-spread societal impacts long after the restart," PHMSA said in a Notice of Probable Violation and Proposed Compliance Order.
"Colonial Pipeline's ad-hoc approach toward consideration of a 'manual restart' created the potential for increased risks to the pipeline's integrity as well as additional delays in restart, exacerbating the supply issues and societal impacts."
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
OAS P
LANG_en_oasplatformvulnerabletocriticalrceandapiaccessflawsmp4
OAS platform vulnerable to critical RCE and API access flaws
Threat analysts have disclosed vulnerabilities affecting the Open Automation Software (OAS) platform, leading to device access, denial of service, and remote code execution.
The OAS platform is a widely used data connectivity solution that unites industrial devices (PLCs, OPCs, Modbus), SCADA systems, IoTs, network points, custom applications, custom APIs, and databases under a holistic system.
It is a versatile and flexible hardware and software connectivity solution that facilitates data transfers between proprietary devices and apps from multiple vendors and connects them to firm-specific products, custom software, etc.
Top Articles
READ MORE
Intuit warns of QuickBooks phishing threatening to
suspend accounts Overview of the OAS platform OAS is used by Michelin, Volvo, Intel, JBT AeroTech, the U.S. Navy, Dart Oil and Gas, General Dynamics, AES Wind Generation, and several other high-profile industrial entities.
As such, vulnerabilities in the platform can put crucial industrial sectors at risk of disruption and confidential information disclosure.
Critical flaws According to a report by Cisco Talos, OAS platform version 16.00.0112 and below is vulnerable to a range of high and critical severity bugs that create the potential for damaging attacks.
Starting with the most critical of the bunch, CVE-2022-26833 has a CVSS severity rating of 9.4 out of 10 and concerns the unauthenticated access and use of the REST API functionality in OAS.
An attacker could trigger the exploitation of this flaw by sending a series of specially crafted HTTP requests to the vulnerable endpoints.
As Cisco explains, the REST API is designed to give programmatic access for configuration changes and data viewing to the “Default” user, which Talos researchers were able to authenticate by sending a request with a blank username and password.
Authenticating without using any credentials
(Cisco) The second critical flaw is CVE-2022-26082, rated at 9.1, which is a file write vulnerability in the OAS Engine SecureTransferFiles module.
According to Cisco, a specially-crafted series of network requests sent to the vulnerable endpoint may lead to arbitrary remote code execution.
“By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to upload an arbitrary file to any location permissible by the underlying user.
By default, these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.” - Cisco Talos This enables a remote threat actor to upload new authorized_keys files to the oasuser’s .ssh directory, making it possible to access the system via ssh commands.
The other flaws discovered by Cisco Talos are all categorized as high-severity (CVSS: 7.5) and are the following: CVE-2022-27169: obtain directory listing via network requests
CVE-2022-26077: information disclosure targeting account credentials
CVE-2022-26026: denial of service and loss of data links
CVE-2022-26303 and CVE-2022-26043: external configuration changes and creation of new users and security groups Cisco provides mitigation advice for each of the above vulnerabilities, which involves disabling services and closing communication ports, so if upgrading to a newer version of OAS is impossible, there might be a solution with some functionality or convenience trade-offs.
Otherwise, upgrading to a more recent version of the OAS platform would be advisable.
The security fixes for the two critical flaws described above landed in version 16.00.0.113, which was released as a security update on May 22, 2022.
Upgrade lags are to be expected in industrial environments that operate intricate and complicated data connectivity systems, but in this case, due to the severity of the disclosed flaws, it is crucial to take immediate action.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
INDUS
LANG_en_industrialspydataextortionmarketgetsintotheransomwaregamemp4
Industrial Spy data extortion market gets into the ransomware game
The Industrial Spy data extortion marketplace has now launched its own ransomware operation, where they now also encrypt victim's devices.
Last month, we reported on a new data extortion marketplace called Industrial Spy that allowed threat actors, and possibly even business competitors, to purchase data stolen from companies.
This marketplace sells different types of stolen data, ranging from selling 'premium' data for millions of dollars to individual files for as little as $2.
Top Articles
READ MORE
READ MORE Industrial Spy's premium stolen data category
Source: BleepingComputer To promote their service, the threat actors partnered with adware loaders and fake crack sites to distribute malware that would create README.txt files on a device.
The threat actors used these files to promote their marketplace, explaining that readers can purchase schemes, drawings, technologies, political and military secrets, accounting reports, and client databases of their competitors.
Industrial Spy gets into the ransomware game Last week, security researcher MalwareHunterTeam found a new sample of the Industrial Spy malware with what looked more like a ransom note rather than a promotional text file.
This ransom note now states that the Industrial Spy threat actors not only stole the victim's data but also encrypted it.
"Unfortunately we have to report you that your company was compromised.
All your files were encrypted and you can't restore them without our private key.
Trying to restore it without our help may cause complete loss of your data," reads the Industrial Spy ransom note shared below.
"Also we researched whole your corporate network and downloaded all your sensitive data to our servers.
If we will not get any contact from you in 3 next days we will publish your data on the site 'Industrial Spy Market'."
Industrial Spy ransom note
Source: BleepingComputer MalwareHunterTeam shared the malware sample with BleepingComputer to confirm if it encrypted files as it said.
BleepingComputer's tests showed that the Industrial Spy ransomware does indeed encrypt files, but unlike most other ransomware families, does not append a new extension to encrypted file's names, as shown below.
File encrypted by the Industrial Spy Ransomware
Source: BleepingComputer BleepingComputer also shared the sample with ransomware expert Michael Gillespie, who said from a glance that he believes that it uses DES encryption, with the key encrypted using an RSA1024 public key.
The ransomware also uses a filemarker of 0xFEEDBEEF, which we have not seen before in a ransomware family.
However, this filemarker should not be confused with 0xDEADBEEF; a well-known magic debug value used in programming.
While encrypting files, the Industrial Spy ransomware will create the above ransom note named 'README.html' in every folder on the device.
These ransom notes contain a TOX id that victims can use to contact the ransomware gang and negotiate a ransom.
A tie to Cuba ransomware?
When researching the TOX ID and email address found in the ransom note, MalwareHunterTeam discovered a strange connection to the Cuba ransomware operation.
A ransomware sample uploaded to VirusTotal creates a ransom note with an identical TOX ID and email address.
However, instead of linking to the Industrial Spy Tor site, it links to Cuba Ransomware's data leak site and uses the same file name, !!
READ ME !
!.txt, as known Cuba ransom notes.
Ransom note linking to Cuba data leak site
Source: BleepingComputer Furthermore, the encrypted files have the .cuba extension appended to them, just like the regular Cuba ransomware operation does when encrypting files.
While this does not 100% tie the two groups together, it's very possible that the Industrial Spy threat actors simply used Cuba's information while testing the creation of their ransomware.
However, it is peculiar and something that security researchers and analysts will need to keep an eye on.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
RESEA
LANG_en_researchersfindwaytorunmalwareonhtmlmp4
Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF
A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is "off."
The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate while iOS is shut down when entering a "power reserve" Low Power Mode (LPM).
While this is done so as to enable features like Find My and facilitate Express Card transactions, all the three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper.
"The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM," the researchers said.
"Since LPM support is implemented in hardware, it cannot be removed by changing software components.
As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown.
This poses a new threat model."
The findings are set to be presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week.
The LPM features, newly introduced last year with iOS 15, make it possible to track lost devices using the Find My network even when run out of battery power or have been shut off.
Current devices with Ultra-wideband support include iPhone 11, iPhone 12, and iPhone 13.
A message displayed when turning off iPhones reads thus: "iPhone remains findable after power off.
Find My helps you locate this iPhone when it is lost or stolen, even when it is in power reserve mode or when powered off."
Calling the current LPM implementation "opaque," the researchers not only sometimes observed failures when initializing Find My advertisements during power off, effectively contradicting the aforementioned message, they also found that the Bluetooth firmware is neither signed nor encrypted.
By taking advantage of this loophole, an adversary with privileged access can create malware that's capable of being executed on an iPhone Bluetooth chip even when it's powered off.
However, for such a firmware compromise to happen, the attacker must be able to communicate to the firmware via the operating system, modify the firmware image, or gain code execution on an LPM-enabled chip over-the-air by exploiting flaws such as BrakTooth.
Put differently, the idea is to alter the LPM application thread to embed malware, such as those that could alert the malicious actor of a victim's Find My Bluetooth broadcasts, enabling the threat actor to keep remote tabs on the target.
"Instead of changing existing functionality, they could also add completely new features," SEEMOO researchers pointed out, adding they responsibly disclosed all the issues to Apple, but that the tech giant "had no feedback."
With LPM-related features taking a more stealthier approach to carrying out its intended use cases, SEEMOO called on Apple to include a hardware-based switch to disconnect the battery so as to alleviate any surveillance concerns that could arise out of firmware-level attacks.
"Since LPM support is based on the iPhone's hardware, it cannot be removed with system updates," the researchers said.
"Thus, it has a long-lasting effect on the overall iOS security model."
"Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications.
Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation."
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
CISCO
LANG_en_ciscoissuespatchesfornewiosxrhtmlmp4
Cisco Issues Patch for New IOS XR Zero-Day Vulnerability Exploited in the Wild
Cisco on Friday rolled out fixes for a medium-severity vulnerability affecting IOS XR Software that it said has been exploited in real-world attacks.
Tracked as CVE-2022-20821 (CVSS score: 6.5), the issue relates to an open port vulnerability that could be abused by an unauthenticated, remote attacker to connect to a Redis instance and achieve code execution.
"A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database," Cisco said in an advisory.
"Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system."
The flaw, which it said was identified during the resolution of a technical assistance center (TAC) case, impacts Cisco 8000 Series routers running IOS XR Software that has the health check RPM installed and active.
The networking equipment maker also cautioned that it became aware of the attempted exploitation of the zero-day bug earlier this month.
"Cisco strongly recommends that customers apply suitable workarounds or upgrade to a fixed software release to remediate this vulnerability," it added.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English