New Spectre exploits beat AMD and Intel mitigations
Researchers from the University of Virginia and University of California San Diego discovered several new variants of Spectre exploits that affect all modern AMD and Intel processors with micro-op caches. Existing Spectre mitigations do not protect the CPUs against potential attacks that use these vulnerabilities, and the researchers believe that mitigating them will cost more performance than the fixes for previous types of Spectre exploits. Since all modern processors from AMD (since 2017) and Intel (since 2011) use micro-op caches, all of them are exposed to such an attack in principle.
UPDATE: Since we published this story, Intel contacted CISOSeries directly to state that “the methods described in the paper are already mitigated. For software developers who have already implemented Intel’s guidance, there are no additional mitigations needed.” Here is Intel’s official statement:
“Intel reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance. Software following our guidance already have protections against incidental channels including the uop cache incidental channel. No new mitigations or guidance are needed.”
Microsoft finds critical code execution bugs in IoT, OT devices
The 25 critical remote code execution (RCE) vulnerabilities are known collectively as BadAlloc and are caused by integer overflow or wraparound bugs in memory-allocation size calculations: when an attacker-supplied length is multiplied by an element size or added to a header size without an overflow check, the result wraps to a small value, the allocator returns an undersized buffer, and the data copied into it overruns the heap. Threat actors can exploit them to trigger system crashes and execute malicious code remotely on vulnerable IoT and OT systems. Vulnerable IoT and OT devices impacted by the BadAlloc vulnerabilities can be found on consumer, medical, and industrial networks. A full list of affected devices is available in CISA Advisory 21-119-04.
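The wraparound that BadAlloc names, shown as an added example that is not code from the advisory or from any affected vendor: the unchecked size arithmetic beside a checked version that refuses to allocate when the computation would wrap. The msg_hdr struct, the function names and the sample sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A minimal wire header, assumed for illustration: 8 bytes on common ABIs. */
struct msg_hdr {
    uint32_t type;
    uint32_t len;   /* attacker-controlled payload length */
};

/* VULNERABLE (BadAlloc-style): the size arithmetic is unchecked.
 * If count * elem_size exceeds SIZE_MAX the product wraps, malloc()
 * hands back a small buffer, and a later copy of `count` elements
 * overruns the heap. The wrapped size is returned here rather than
 * used, so the failure mode is visible without corrupting memory. */
size_t unchecked_array_bytes(size_t count, size_t elem_size) {
    return count * elem_size;                     /* wraps silently */
}

size_t unchecked_message_bytes(size_t payload_len) {
    return sizeof(struct msg_hdr) + payload_len;  /* wraps silently */
}

/* HARDENED: refuse any size computation that would wrap.
 * Both functions return 0 to mean "refuse"; callers must treat 0 as an
 * error and never pass it on to malloc(). */
size_t checked_array_bytes(size_t count, size_t elem_size) {
    if (count == 0 || elem_size == 0) return 0;
    if (count > SIZE_MAX / elem_size) return 0;   /* product would overflow */
    return count * elem_size;
}

size_t checked_message_bytes(size_t payload_len) {
    if (payload_len > SIZE_MAX - sizeof(struct msg_hdr)) return 0;  /* sum would wrap */
    return sizeof(struct msg_hdr) + payload_len;
}

/* Allocate a message buffer only when the size is sound. */
void *alloc_message(size_t payload_len) {
    size_t bytes = checked_message_bytes(payload_len);
    return bytes ? malloc(bytes) : NULL;
}

/* Returns 1 if a sound allocation succeeded, 0 if it was refused. */
int alloc_message_ok(size_t payload_len) {
    void *p = alloc_message(payload_len);
    if (!p) return 0;
    free(p);
    return 1;
}

int main(void) {
    size_t huge = SIZE_MAX / 2 + 2;   /* one past the largest count that fits when doubled */
    printf("unchecked: %zu * 2 = %zu bytes\n", huge, unchecked_array_bytes(huge, 2));
    printf("checked:   %zu * 2 -> %zu (0 = refused)\n", huge, checked_array_bytes(huge, 2));
    printf("unchecked: hdr + SIZE_MAX = %zu bytes\n", unchecked_message_bytes(SIZE_MAX));
    printf("alloc_message(SIZE_MAX) ok? %d\n", alloc_message_ok(SIZE_MAX));
    printf("alloc_message(100) ok?      %d\n", alloc_message_ok(100));
    return 0;
}
```

The checks are written in portable C so they compile for the small embedded toolchains these devices use; on GCC or Clang, `__builtin_mul_overflow` and `__builtin_add_overflow` express the same tests more compactly.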
New ransomware group uses SonicWall zero-day to breach networks
A financially motivated threat actor, UNC2447, has exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets. Prior to deploying the ransomware payloads, UNC2447 was also observed using Cobalt Strike implants for gaining persistence and installing a SombRAT backdoor variant. FiveHands is very similar to HelloKitty ransomware, both of them rewrites of DeathRansom ransomware.
CISA issues guidance on defending against software supply chain attacks
The guidance took the form of a primer for companies, explaining the nature of the software supply chain and the various access points where supply chain vulnerabilities exist. It concludes by recommending that customers use the NIST Cyber Supply Chain Risk Management (C-SCRM) document to understand the risks involved in using a given piece of software in their infrastructure, and that software vendors make a secure software development life cycle (SDLC) the norm rather than the exception.
Thanks to our episode sponsor, Boxcryptor
Undocumented backdoor targets Russian submarine designers through Microsoft’s equation editor
A new weaponizer has been discovered as part of a spear-phishing attack on a Russian defense contractor. The general director of Rubin Design Bureau, a submarine design center based in St. Petersburg, received an email carrying RoyalRoad, a tool that exploits vulnerabilities in Microsoft's Equation Editor, a feature of Word that was removed from all versions in the January 2018 public update because of security issues with its implementation. RoyalRoad has not been attributed to any one gang, but the researchers note similarities to work done by Chinese APT groups.
Experian API leaks most Americans’ credit scores
A researcher claims that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, which he said was left open on a lender's site without even basic security protections. Bill Demirkapi, a sophomore at Rochester Institute of Technology, identified the tool, called the Experian Connect API, which allows lenders to automate FICO-score queries. Demirkapi said he was able to build a command-line tool, which he named "Bill's Cool Credit Score Lookup Utility," that automated lookups and still returned results even after he entered all zeros in the date-of-birth field. Experian, for its part, disputed concerns from the security community that the issue could be systemic.
SAP admits to ‘thousands’ of illegal software exports to Iran
SAP has reached a settlement with US investigators to close an investigation into violations of economic sanctions and the illegal export of software to Iran. The cloud software vendor admitted to violating existing sanctions and an embargo placed on the country by the United States. From 2010 to 2017, SAP and overseas partners exported US-origin software, including upgrades and security fixes, to users in Iran over 20,000 times. SAP's Cloud Business Group (CBG) units allowed over 2,300 users in Iran to access US-based cloud services. SAP voluntarily admitted to the accusations, leading to a settlement worth $8 million to avoid further action and prosecution.
Basecamp sees mass employee exodus after CEO bans political discussions
The company, which employs around 60 people, has seen one-third of its staff accept buyouts to leave, many citing new company policies that no longer allow them to openly share "societal and political discussions" at work. The departures are significant since they include Basecamp's head of design, head of marketing and head of customer support, as well as much of its iOS team. Some Basecamp employees state that the exodus has more to do with internal conversations about the company itself and its commitment to DEI (diversity, equity and inclusion) issues.