A lot of interesting links, this week: Ransonmware, new APT grops, new vulnerabilities and (as usual) some coronavirus-related news!

TEMPEST@Home - Finding Radio Frequency Side Channels

Have you ever listened to a photocopier or a car engine to infer what it’s doing? If so, you already have all the fundamentals you need to study emission security. Be it the audible click of a relay, a whine of a capacitor, or the flickering of the lights when the heat comes on, these behaviors all have one thing in common: they leak information about some internal state and reveal what is happening inside to an outside observer. When viewed through the lens of information security, these types of electrical and mechanical side-effects form the field of emission security. The field was formalized around the end of the Second World War when, after being told to put up or shut up, Bell Labs technicians scared the living daylights out of the United States Signal Corps. Over the years, defensive requirements and certifications have been codified under the standards titled, “Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions,” or more simply put, TEMPEST.

As the test procedures in the TEMPEST standards are rudely made unavailable to us as they are considered “classified” we have to do the next best thing and make up our own. This article aims to make barely acceptable analogies about how radios work and show that you really don’t need that much in terms of know-how and equipment to find and take advantage of leaky radio signals. Towards the end, we will apply what we have learned to find a signal that can exfiltrate data out of a radio-less and air-gapped desktop workstation through a wall and 50ft away.


Exploiting (Almost) Every Antivirus Software

Most antivirus software works in a similar fashion: When an unknown file is saved to the hard drive, the antivirus software will usually perform a “real time scan” either instantly or within a couple of minutes. If the unknown file is determined to be a suspected threat, the file will then be automatically quarantined and moved to a secure location pending further user instructions or it will simply be deleted.

Given the nature of how antivirus software has to operate, almost all of them run in a privileged state meaning the highest level of authority within the operating system. Therein lies a fundamental flaw as the file operations are (almost) always performed at the highest level which opens the door to a wide range of security vulnerabilities and various race conditions.

What most antivirus software fail to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.


Detect & Prevent Cyber Attackers from Exploiting Web Servers via Web Shell Malware

Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks. Web shell malware is software deployed by a hacker, usually on a victim’s web server, that can execute arbitrary system commands, commonly sent over HTTPS. To harden and defend web servers against this threat, NSA and the Australian Signals Directorate have issued a dual-seal Cybersecurity Information Sheet (CSI). This product contains valuable information on how to detect and prevent web shell malware from affecting Department of Defense and other government web servers, though the guidance would likely also be useful for any network defenders responsible for maintaining web servers.

Web shell malware has been a threat for years and continues to evade detection from most security tools. Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic.

This CSI contains detection techniques, along with links to signatures and lists maintained on GitHub. This report also highlights prevention techniques and recovery guidance. NSA encourages network defenders who maintain web servers to review this technical guidance and apply the mitigations as appropriate.



'DO NOT click the link'; Police warn of scam COVID-19 text messages

Police are warning cell phone users of a new text message scam during the coronavirus pandemic.

The Thomaston Police Department in Maine posted on Facebook a photo of the alert being sent to people in a text message.

The message was sent to someone in Maine from an Indiana area code telling them they need to self-isolate because they came in contact with someone who tested positive or has shown symptoms for coronavirus.


Chinese COVID-19 Detection Firm Just Got Hacked: Data For Sale On Dark Web

It’s a controversial subject—the use of CT scans to diagnose coronavirus—but it’s an emerging field. And while the likes of the U.S. Centers for Disease Control and Prevention and the American College of Radiology have cautioned against it, one Chinese medical company has harnessed Intel’s technology and Huawei’s marketing channels to push its solutions into frontline hospitals.

The Huizhou-based company in question, Huiying Medical, has said that the deployment of such technology might widen the availability of COVID-19 testing, especially in areas without access to the latest techniques and technology. It is reported to be field-testing the tech across 20 hospitals in China, after honing its AI algorithms from the study of several thousand confirmed cases. The company says its AI scanning can now correctly diagnose COVID-19 with 96% accuracy.


Researcher Discloses 4 Zero-Day Bugs in IBM's Enterprise Security Software

A cybersecurity researcher today publicly disclosed technical details and PoC for 4 unpatched zero-day vulnerabilities affecting an enterprise security software offered by IBM after the company refused to acknowledge the responsibly submitted disclosure.

The affected premium product in question is IBM Data Risk Manager (IDRM) that has been designed to analyze sensitive business information assets of an organization and determine associated risks.

According to Pedro Ribeiro from Agile Information Security firm, IBM Data Risk Manager contains three critical severity vulnerabilities and a high impact bug, all listed below, which can be exploited by an unauthenticated attacker reachable over the network, and when chained together could also lead to remote code execution as root.


Nazar: A Lost Amulet

Territorial Dispute continues to be an excellent resource for avid researchers undaunted by the thought of taking pointers from misplaced classified materials. For those blissfully unaware of TeDi, among the ShadowBrokers leaks we find two files far more noteworthy for threat intelligencers than the exploits and tools. Dr. Boldizar Bencsath and his team at CrySyS lab were the first to notice the value of ‘sigs.py’ and ‘drv_list.txt’. The former includes filenames and registry keys associated umbrellaed under a moniker ‘SIG[1-45]’. The CrySyS lab report is an excellent starting point to understand the contents of TeDi.

Since the release of this report in 2018, further signatures have been identified by Kaspersky’s GReAT team and by Silas Cutler and I during our time at Chronicle’s Uppercase. Today, I’ll focus on a specific misidentified TeDi signature, SIG37. These signatures are low fidelity –composed of a combination of paths, filenames, and registry keys– and thereby prone to misidentification. In this case, CrySyS lab tentatively identifies SIG37 as ‘IronTiger_ASPXSpy’ –a presumably Chinese APT group better known as ‘Emissary Panda’ among other names. CrySyS lab points to a file in VirusTotal whose community comments suggest the aforementioned detection.


Text ‘bomb’ crashes iPhones, iPads, Macs and Apple Watches – what you need to know

An innocent-looking message, containing characters in the Sindhi language, can cause your
iPhone, Ipad, Mac, or even Apple Watch to crash without warning.

The problem appears to exists in how the latest shipping versions of Apple’s operating system handle a Unicode symbol representing specific characters written in Sindhi, an official language in part of Pakistan.

The problem occurs most irritatingly when your device attempts to display a message notification. If you have configured your iPhone, for instance, to display a new message notification which includes a preview of the message, then iOS fails to properly render the characters and crashes with unpredictable results.

You may find the only way to get around the problem is to completely reboot your device – but there is always the risk that you will receive a new boobytrapped notification.

The problem can also manifest itself inside apps. For instance, some mischievous Twitter users have tweeted the offending characters causing other users to have their devices crash.

Hot For Security

New Zoom Flaw Let Hackers to Record Meetings Anonymously Even Recording Disabled

A new Zoom flaw lets hackers record Zoom meeting sessions and to capture the chat text without the knowledge of meeting participants’ even though host disables recording option for the participants.

Security researchers from Morphisec Labs observed a new vulnerability that lets malware injects into the Zoom process without any interaction even the recording option disabled for the user.


Hackers set up fake NHS website to spread malware

Over the past few months, we’ve seen the rise of crooks using the COVID-19 crisis to their advantage. Some have been doing so through selling fake goods such as fake vaccines on the dark web whereas some have been using dedicated phishing and typosquatting campaigns in conjunction with trojans to lure innocent users.

One such incident of the latter has been discovered by the IT security firm Kaspersky. According to the company, hackers were impersonating the official website of the National Health Service (NHS) of the United Kingdom to spread malware infection. 


Maze Ransomware – What You Need to Know

What’s this Maze thing I keep hearing about?

Maze is a particularly sophisticated strain of Windows ransomware that has hit companies and organizations around the world and demanded that a cryptocurrency payment be made in exchange for the safe recovery of encrypted data.

There’s been plenty of ransomware before. What makes Maze so special?

Like other ransomware seen in the past, Maze can spread across a corporate network, infect computers it finds and encrypts data so it cannot be accessed.

But what makes Maze more dangerous is that it also steals the data it finds and exfiltrates it to servers controlled by malicious hackers who then threaten to release it if a ransom is not paid. Increasingly, other ransomware (such as REvil, also known as Sodinokibi) have been observed using similar tactics.

So simply restoring from a backup..?

…isn’t enough. Yes, restoring your data from a secure backup can get you back up and running again (if the backup hasn’t itself been compromised, of course), but it doesn’t undo the fact that criminals now have a copy of your company’s data.


Apple Pushes Back Against Zero-Day Exploit Claims

Company said there is no evidence that iOS bugs revealed by ZecOps earlier this week were ever used against customers.

Apple has pushed back against claims that two zero-day bugs in its iPhone iOS have been exploited for years, saying it’s found no evidence to support such activity.

Apple officials made the statement in response to a widely disseminated report published Wednesday by ZecOps, which claimed that two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads already had been exploited in the wild since 2018 by an “advanced threat operator.”

“Both vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released,” ZecOps said in its report.


Hackers are exploiting a Sophos firewall zero-day

Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."

After investigating the report, Sophos determined this was an active attack and not an error in its product.