Today, almost any discussion about any subject won't go on for long before the current pandemic is brought up in some way. It impacts our lives in many ways. Of course, life must go on, and business does continue. But not in the same ways. Companies have had to review their business models and adapt to the reality that fewer people work from a centralized office with many having become home workers. This has raised a number of challenges for IT departments, including new security concerns.
One of the most important lessons of Covid has been that disruptive changes can happen at any time. Even if we cannot anticipate which disruptions may affect us, we have to assume that there will be some. Or, like one CISO I know, operate as if you've already been breached. That means we need to do a better job of anticipating and preparing for change, and that starts by taking nothing for granted.
PLATYPUS ATTACK - Newly Discovered Power-Consumption-Related Software Side-Channel Attacks – Researchers at the University of Graz published a white paper on a new software-based side-channel attack, dubbed PLATYPUS and tracked as CVE-2020-8694 and CVE-2020-8695. The attack affects Intel server, desktop, and laptop CPUs; the vulnerability lies in the Intel RAPL (Running Average Power Limit) interface. Exploited by an unprivileged attacker on Linux, it can be used to leak cryptographic keys from Intel SGX enclaves. The attack is novel because, until now, power-based side channels required physical access to the machine and hardware measurement equipment; PLATYPUS needs neither. This development also highlights another possible attack vector: the powercap framework on Linux. Because this framework is not restricted to privileged users on Linux, exploitation is possible by an unprivileged user. On Windows and macOS machines, an attacker would have to be a privileged user to exploit this vulnerability.
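A defender-side check for the Linux attack surface described above, as an added example that is not part of the original brief: it walks the powercap sysfs tree and reports any energy counter that non-root users can read. The function name `powercap_audit`, the test-directory parameter, and the expectation that a hardened kernel exposes `energy_uj` as root-only are assumptions of this example, not statements from the article.

```shell
# Added example, not from the original article: audit the Linux powercap
# sysfs tree that PLATYPUS samples. A kernel that carries the RAPL hardening
# exposes each energy counter (energy_uj) as root-only; a counter whose group
# or "other" read bit is set can be sampled by an unprivileged local user.
# The tree root is a parameter so the function can be run against a test
# directory; the real tree is /sys/class/powercap. Assumes GNU stat (Linux).
powercap_audit() {
    base="${1:-/sys/class/powercap}"
    unsafe=0
    if [ ! -d "$base" ]; then
        echo "no powercap tree at $base (RAPL interface not exposed here)"
        return 0
    fi
    # sysfs reaches the RAPL domains through symlinks, so follow them (-L);
    # sort -u drops duplicates reached via more than one link
    for f in $(find -L "$base" -name energy_uj 2>/dev/null | sort -u); do
        perm=$(stat -c '%A' "$f")      # e.g. -r-------- (root-only) or -r--r--r--
        case "$perm" in
            ????r*|???????r*)          # group-read or other-read bit is set
                echo "UNSAFE $f $perm readable by unprivileged users"
                unsafe=$((unsafe + 1)) ;;
            *)
                echo "ok     $f $perm" ;;
        esac
    done
    echo "$unsafe group/world-readable energy counter(s) under $base"
    # exit status 0 only when every counter is root-only
    [ "$unsafe" -eq 0 ]
}
```

On a live host, run `powercap_audit` with no argument; a non-zero exit status means at least one RAPL counter is still readable without privilege.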
Lazarus goes after the Supply Chain – Lazarus, also known as HIDDEN COBRA, has been linked to multiple high-profile attacks that caused massive infrastructure disruptions, as well as to financially motivated attacks in various parts of the world. Notable incidents include the 2014 attack on a major entertainment company and a 2016 heist against a Bangladeshi financial institution that came close to netting US $1 billion for the attackers. This week, security researchers revealed how the group abused the supply chain to covertly deploy malware to South Korean users of WIZVERA VeraPort software.
AV Signatures: W32/FRS.VSNTGK20!tr
Muhstik Botnet targeting Oracle – The Muhstik botnet, which reuses parts of the Mirai source code, has been active for two years. It recently started targeting known vulnerabilities in the Oracle WebLogic application server (CVE-2019-2725, CVE-2017-10271) and the Drupal content management system (CVE-2018-7600), expanding the botnet's reach into cryptocurrency mining. After successfully exploiting a vulnerability in an IoT device or web application, the botnet downloads a "pty" payload and then tries to establish a connection with its C2 server. The researchers noted that Muhstik continues to use the IRC protocol for C2 communication. The infected device then receives commands to download additional malware, such as the XMRig cryptominer and a scanning module that searches for other vulnerable applications or IoT devices, which are in turn enrolled in the botnet. Web administrators are advised to patch web applications and IoT devices to mitigate this attack.