Attack 2024 2023 2022 2021 2020
British LAPSUS$ Teen Members Sentenced for High-Profile Attacks
24.12.23 Attack The Hacker News
Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies.
Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime "as soon as possible," BBC reported. Kurtaj, who is autistic, was deemed unfit to stand trial.
Another LAPSUS$ member, a 17-year-old unnamed minor, was sentenced to an 18-month-long Youth Rehabilitation Order, including a three-month intensive supervision and surveillance requirement. He was found guilty of two counts of fraud, two Computer Misuse Act offenses, and one count of blackmail.
Both defendants were initially arrested in January 2022, and then released under investigation. They were re-arrested in March 2022. While Kurtaj was later granted bail, he continued to attack various companies until he was arrested again in September.
The attack spree, which took place between August 2020 and September 2022, targeted BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone.
LAPSUS$ is said to comprise members from the U.K. and Brazil. A third member of the group, also suspected to be a teen, was arrested in the South American nation in October 2022.
A report published by the U.S. Department of Homeland Security's (DHS) Cyber Safety Review Board (CSRB) this year revealed the threat actor's use of SIM-swapping attacks to take over victim accounts and infiltrate target networks. It also used a Telegram channel to publicize its operations and extort its victims.
Over the past year, the notoriety attracted by LAPSUS$ has also led to the emergence of another group called Scattered Spider. Both groups are part of a larger entity that calls itself the Comm.
Cybersecurity
According to the Federal Bureau of Investigation, the Comm consists of a "geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram" to engage in corporate intrusions, SIM swapping, crypto theft, real-life violence, and swatting.
"This case serves as an example of the dangers that young people can be drawn towards whilst online and the serious consequences it can have for someone's broader future," Amanda Horsburgh, detective chief superintendent from the City of London Police, said.
"Many young people wish to explore how technology works and what vulnerabilities exist. This can include learning to code, interacting with like-minded individuals online and experimenting with tools. Unfortunately, the digital world can also be tempting to young people for the wrong reasons."
Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster
21.12.23 Attack The Hacker News
Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns.
"Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," Mark Loman, vice president of threat research at Sophos, said.
"Attackers know this, so they hunt for that one' weak spot' — and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders."
Remote encryption (aka remote ransomware), as the name implies, occurs when a compromised endpoint is used to encrypt data on other devices on the same network.
In October 2023, Microsoft revealed that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimize their footprint, with more than 80% of all compromises originating from unmanaged devices.
"Ransomware families known to support remote encryption include Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal, and it's a technique that's been around for some time – as far back as 2013, CryptoLocker was targeting network shares," Sophos said.
A significant advantage to this approach is that it renders process-based remediation measures ineffective and the managed machines cannot detect the malicious activity since it is only present in an unmanaged device.
The development comes amid broader shifts in the ransomware landscape, with the threat actors adopting atypical programming languages, targeting beyond Windows systems, auctioning stolen data, and launching attacks after business hours and at weekends to thwart detection and incident response efforts.
Sophos, in a report published last week, highlighted the "symbiotic – but often uneasy – relationship" between ransomware gangs and the media, as a way to not only attract attention, but also to control the narrative and dispute what they view as inaccurate coverage.
This also extends to publishing FAQs and press releases on their data leak sites, even including direct quotes from the operators, and correcting mistakes made by journalists. Another tactic is the use of catchy names and slick graphics, indicating an evolution of the professionalization of cyber crime.
"The RansomHouse group, for example, has a message on its leak site specifically aimed at journalists, in which it offers to share information on a 'PR Telegram channel' before it is officially published," Sophos noted.
While ransomware groups like Conti and Pysa are known for adopting an organizational hierarchy comprising senior executives, system admins, developers, recruiters, HR, and legal teams, there is evidence to suggest that some have advertised opportunities for English writers and speakers on criminal forums.
"Media engagement provides ransomware gangs with both tactical and strategic advantages; it allows them to apply pressure to their victims, while also enabling them to shape the narrative, inflate their own notoriety and egos, and further 'mythologize' themselves," the company said.
Alert: Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave
21.12.23 Attack The Hacker News
The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country.
"These criminals send malicious links to their victims' mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send," Resecurity said in a report published this week. "This helps them protect the fake website's domain and hosting location."
Smishing Triad was first documented by the cybersecurity company in September 2023, highlighting the group's use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.
The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside engaging in Magecart-style attacks on e-commerce platforms to inject malicious code and pilfer customer data.
"This fraud-as-a-service (FaaS) model enables 'Smishing Triad' to scale their operations by empowering other cybercriminals to leverage their tooling and launch independent attacks," Resecurity noted.
The latest attack wave is designed to target individuals who have recently updated their residence visas with harmful messages. The smishing campaign applies to both Android and iOS devices, with the operators likely using SMS spoofing or spam services to perpetrate the scheme.
Recipients who click on the embedded link the message are taken to a bogus, lookalike website ("rpjpapc[.]top") impersonating the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), which prompts them to enter their personal information such as names, passport numbers, mobile numbers, addresses, and card information.
What makes the campaign noteworthy is the use of a geofencing mechanism to load the phishing form only when visited from UAE-based IP addresses and mobile devices.
"The perpetrators of this act may have access to a private channel where they obtained information about UAE residents and foreigners living in or visiting the country," Resecurity said.
"This could be achieved through third-party data breaches, business email compromises, databases purchased on the dark web, or other sources."
Smishing Triad's latest campaign coincides with the launch of a new underground market known as OLVX Marketplace ("olvx[.]cc") that operates on the clear web and claims to sell tools to carry out online fraud, such as phish kits, web shells, and compromised credentials.
"While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX's ability to maintain and attract customers to the platform," ZeroFox said.
Cyber Criminals Misuse Predator Bot Detection Tool for Phishing Attacks#
The disclosure comes as Trellix revealed how threat actors are leveraging Predator, an open-source tool designed to combat fraud and identify requests originating from automated systems, bots, or web crawlers, as part of various phishing campaigns.
The starting point of the attack is a phishing email sent from a previously compromised account and containing a malicious link, which, when clicked, checks if the incoming request is coming from a bot or a crawler, before redirecting to the phishing page.
The cybersecurity firm said it identified various artifacts where the threat actors repurposed the original tool by providing a list of hard-coded links as opposed to generating random links dynamically upon detecting a visitor is a bot.
"Cyber criminals are always looking for new ways to evade detection from organizations' security products," security researcher Vihar Shah and Rohan Shah said. "Open-source tools such as these make their task easier, as they can readily use these tools to avoid detection and more easily achieve their malicious goals."
SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs
10.12.23 Attack The Hacker News
Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called SLAM that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm.
The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous counterparts from AMD (called Upper Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI).
"SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data," VUSec researchers said, adding it could be leveraged to leak the root password hash within minutes from kernel memory.
While LAM is presented as a security feature, the study found that it ironically degrades security and "dramatically" increases the Spectre attack surface, resulting in a transient execution attack, which exploits speculative execution to extract sensitive data via a cache covert channel.
"A transient execution attack exploits the microarchitectural side effects of transient instructions, thus allowing a malicious adversary to access information that would ordinarily be prohibited by architectural access control mechanisms," Intel says in its terminology documentation. Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that facilitates the practical exploitation of generic Spectre gadgets to leak valuable information. It impacts the following CPUs - Existing AMD CPUs vulnerable to CVE-2020-12965 AMD has also pointed to current Spectre v2 mitigations to address the SLAM exploit. Intel, on the other hand, intends to provide software guidance prior to the future release of Intel processors that support LAM. In the interim, Linux maintainers have developed patches to disable LAM by default. The findings come nearly two months after VUSec shed light on Quarantine, a software-only approach to mitigate transient execution attacks and achieve physical domain isolation by partitioning the Last level cache (LLC) to give every security domain exclusive access to a different part of the LLC with the goal of eliminating LLC covert channels. "Quarantine's physical domain isolation isolates different security domains on separate cores to prevent them from sharing corelocal microarchitectural resources," the researchers said. "Moreover, it unshares the LLC, partitioning it among the security domains."
Future Intel CPUs supporting LAM (both 4- and 5-level paging)
Future AMD CPUs supporting UAI and 5-level paging
Future Arm CPUs supporting TBI and 5-level paging
"Arm systems already mitigate against Spectre v2 and BHB, and it is considered the software's responsibility to protect itself against Spectre v1," Arm said in an advisory. "The described techniques only increase the attack surface of existing vulnerabilities such as Spectre v2 or BHB by augmenting the number of exploitable gadgets."
15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack
6.12.23 Attack The Hacker News
New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.
"More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes," Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. "More than 6,000 repositories were vulnerable to repojacking due to account deletion."
Collectively, these repositories account for no less than 800,000 Go module-versions.
Repojacking, a portmanteau of "repository" and "hijacking," is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks.
Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo name changes to ensure that they still own their previous name as placeholders to prevent such abuse.
Modules written in the Go programming language are particularly susceptible to repojacking as unlike other package manager solutions like npm or PyPI, they are decentralized due to the fact that they get published to version control platforms like GitHub or Bitbucket.
"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Baines said. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."
To prevent developers from pulling down potentially unsafe packages, GitHub has in place a countermeasure called popular repository namespace retirement that blocks attempts to create repositories with the names of retired namespaces that have been cloned more than 100 times prior to the owners' accounts being renamed or deleted.
But VulnCheck noted that this protection isn't helpful when it comes to Go modules as they are cached by the module mirror, thereby obviating the need for interacting with or cloning a repository. In other words, there could be popular Go-based modules that have been cloned less than 100 times, resulting in a bypass of sorts.
"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."
The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including those associated with Google, Meta, Microsoft, and VMware, that could be potentially exploited to stage supply chain, training data poisoning, and model theft attacks.
New BLUFFS Bluetooth Attack Expose Devices to Adversary-in-the-Middle Attacks
5.12.23 Attack The Hacker News
New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers.
The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8) and were responsibly disclosed in October 2022.
The attacks "enable device impersonation and machine-in-the-middle across sessions by only compromising one session key," EURECOM researcher Daniele Antonioli said in a study published late last month.
This is made possible by leveraging two new flaws in the Bluetooth standard's session key derivation mechanism that allow the derivation of the same key across sessions.
While forward secrecy in key-agreement cryptographic protocols ensures that past communications are not revealed, even if the private keys to a particular exchange are revealed by a passive attacker, future secrecy (aka backward secrecy) guarantees the confidentiality of future messages should the past keys get corrupted.
In other words, forward secrecy protects past sessions against future compromises of keys.
The attack works by weaponizing four architectural vulnerabilities, including the aforementioned two flaws, in the specification of the Bluetooth session establishment process to derive a weak session key, and subsequently brute-force it to spoof arbitrary victims.
The AitM attacker impersonating the paired device could then negotiate a connection with the other end to establish a subsequent encryption procedure using legacy encryption.
In doing so, "an attacker in proximity may ensure that the same encryption key is used for every session while in proximity and force the lowest supported encryption key length," the Bluetooth Special Interest Group (SIG) said.
"Any conforming BR/EDR implementation is expected to be vulnerable to this attack on session key establishment, however, the impact may be limited by refusing access to host resources from a downgraded session, or by ensuring sufficient key entropy to make session key reuse of limited utility to an attacker."
Furthermore, an attacker can take advantage of the shortcomings to brute-force the encryption key in real-time, thereby enabling live injection attacks on traffic between vulnerable peers.
The success of the attack, however, presupposes that an attacking device is within the wireless range of two vulnerable Bluetooth devices initiating a pairing procedure and that the adversary can capture Bluetooth packets in plaintext and ciphertext, known as the victim's Bluetooth address, and craft Bluetooth packets.
As mitigations, SIG recommends that Bluetooth implementations reject service-level connections on an encrypted baseband link with key strengths below 7 octets, have devices operate in "Secure Connections Only Mode" to ensure sufficient key strength, and pair is done via "Secure Connections" mode as opposed the legacy mode.
The disclosure comes as ThreatLocker detailed a Bluetooth impersonation attack that can abuse the pairing mechanism to gain wireless access to Apple macOS systems via the Bluetooth connection and launch a reverse shell.
LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks
4.12.23 Attack The Hacker News
The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design."
Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition.
While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.
Specifically, these vulnerabilities are triggered when the injected images are parsed, leading to the execution of payloads that could hijack the flow and bypass security mechanisms. "This attack vector can give an attacker an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in an ESP partition or firmware capsule with a modified logo image," the firmware security company said. In doing so, threat actors could gain entrenched control over the impacted hosts, resulting in the deployment of persistent malware that can fly under the radar. Unlike BlackLotus or BootHole, it's worth noting that LogoFAIL doesn't break runtime integrity by modifying the boot loader or firmware component. The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread. The disclosure marks the first public demonstration of attack surfaces related to graphic image parsers embedded into the UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin presented how a BMP image parser bug could be exploited for malware persistence. "The types – and sheer volume – of security vulnerabilities discovered [...] show pure product security maturity and code quality in general on IBVs reference code," Binarly noted.
Discover How Gcore Thwarted Powerful 1.1Tbps and 1.6Tbps DDoS Attacks
1.12.23 Attack The Hacker News
The most recent Gcore Radar report and its aftermath have highlighted a dramatic increase in DDoS attacks across multiple industries. At the beginning of 2023, the average strength of attacks reached 800 Gbps, but now, even a peak as high as 1.5+ Tbps is unsurprising. To try and break through Gcore's defenses, perpetrators made two attempts with two different strategies. Read on to discover what happened and learn how the security provider stopped the attackers in their tracks without affecting end users' experiences.
A Powerful DDoS Attacks#
In November 2023, one of Gcore's customers from the gaming industry was targeted by two massive DDoS attacks, peaking at 1.1 and 1.6 Tbps respectively. The attackers deployed various techniques in an unsuccessful attempt to compromise Gcore's protective mechanisms.
Attack #1: 1.1 Tbps UDP-based DDoS#
In the first cyber assault, the attackers sent a barrage of UDP traffic to a target server, peaking at 1.1 Tbps. Two methods were employed:
By using random UDP source ports, they hoped to evade conventional filtering mechanisms.
The attackers concealed their genuine identity by forging source IP addresses.
This was a classic flood (or volumetric) attack, whereby the attackers hoped to consume all available bandwidth of or to a data center or network, overwhelming the target servers with traffic and making them unavailable to legitimate users.
The graph below shows customer's traffic during the attack. The peak of 1.1 Tbps shows an aggressive but short-lived attempt to flood the network with data. The green line ("total.general.input") shows all inbound traffic. The other colored lines on the graph represent the network's responses, including measures to filter and drop malicious traffic, as the system manages the deluge of data.
Line graphs showing a spike in a Gcore customer's network traffic, peaking at 1.1 Tbps, indicative of a substantial DDoS attack
The attack comprised a short but intense peak of 1.1 Tbps around 22:55
Attack #2: 1.6 Tbps TCP-based DDoS#
Graph of nine-hour attack with consistent traffic volume of 700 Mbps and peak of 1600 Mbps at the onset
The attack's consistent traffic volume was 700 Mbps and at the onset peaked at 1600 Mbps
This time, the attackers attempted to exploit TCP protocol with a mix of SYN flood, PSH, and ACK traffic.
In a SYN flood attack, several SYN packets are delivered to the target server without ACK packets. This means the server generates a half-open connection for each SYN packet. If successful, the server will ultimately run out of resources and stop accepting connections.
The PSH, ACK phase of the attack rapidly sends data to the target system. The ACK flag signals that the server received the previous packet. This pushes the system to handle data promptly, wasting resources. A SYN flood assault using PSH, ACK packets is harder to defend against than a SYN flood, since the PSH flag causes the server to process the packet contents immediately, consuming more resources.
As before, the goal was to overload the customer's servers and make their services inaccessible to authorized users. This SYN flood had a peak volume of 685.77 Mbps and the PSH, ACK had a magnitude of 906.73 Mbps.
Gcore's Defensive Strategies#
Gcore's DDoS Protection effectively neutralized both attacks while preserving regular service for the customer's end users. The general approach of fending off DDoS security threats includes several techniques, such as Gcore's front-line defenses:
Dynamic traffic shaping: Dynamically adjusted traffic rates effectively mitigate the impact of the attack while ensuring the continuity of critical services. In order to prioritize genuine traffic while slowing harmful transmissions, adaptive thresholds and rate restrictions are used.
Anomaly detection and quarantine: Models based on machine learning analyze behavior to identify anomalies. When an anomaly occurs, automated quarantine mechanisms redirect erroneous traffic to isolated segments for additional analysis.
Regular expression filters: To block malicious payloads without disrupting legitimate traffic, regular expression-based filter rules are implemented. Their continuous fine-tuning ensures optimal protection without false positives.
Collaborative threat intelligence: Gcore actively engages in the exchange of threat intelligence with industry peers. Collective insights and real-time threat feeds guide Gcore's security techniques, allowing a rapid response to developing attack vectors.
By employing these strategies, Gcore was able to effectively mitigate the impact of DDoS attacks and protect their customer's platform from disruption, negating potential reputational and financial losses.
Conclusion#
DDoS attacks of 1.5+ Tbps volume pose an increasing danger across industries, with attackers using imaginative techniques to try and bypass protection services. Over the course of 2023, Gcore has registered increases in both average and maximum attack volumes, and these two connected attacks demonstrate that trend.
In the attacks covered in the article, Gcore was able to prevent any damage through a combination of dynamic traffic shaping, anomaly detection, regular expression filters, and collaborative threat intelligence. Explore DDoS Protection options to secure your network against ever-evolving DDoS threats.
FCC Enforces Stronger Rules to Protect Customers Against SIM Swapping Attacks
17.11.23 Attack The Hacker News
The U.S. Federal Communications Commission (FCC) is adopting new rules that aim to protect consumers from cell phone account scams that make it possible for malicious actors to orchestrate SIM-swapping attacks and port-out fraud.
"The rules will help protect consumers from scammers who target data and personal information by covertly swapping SIM cards to a new device or porting phone numbers to a new carrier without ever gaining physical control of a consumer's phone," FCC said this week.
While SIM swapping refers to transferring a user's account to a SIM card controlled by the scammer by convincing the victim's wireless carrier, port-out fraud occurs when the bad actor, posing as the victim, transfers their phone number from one service provider to another without their knowledge.
The new rules, first proposed in July 2023, mandate wireless providers to adopt secure methods of authenticating a customer before redirecting a customer's phone number to a new device or provider.
Another requirement ensures that customers are immediately notified whenever a SIM change or port-out request is made on their accounts so that they can take appropriate action to secure against such attacks.
SIM swapping has emerged as a serious threat, enabling threat actors like LAPSUS$ and Scattered Spider to infiltrate corporate networks. Migrating the service to an actor-controlled device gives the attackers the ability to divert SMS-based two-factor authentication codes and take over victims' online accounts.
"Because we so frequently use our phone numbers for two-factor authentication, a bad actor who takes control of a phone can also take control of financial accounts, social media accounts, the list goes on," FCC Commissioner Geoffrey Starks said.
"Consumers must be able to count on secure verification procedures and reliable privacy guarantees from their wireless providers. And they should be able to go about their day without fearing that someone, somewhere, might take control of their phone without a single warning sign."
The development comes as the FCC said it's also launching an inquiry to understand the impact of artificial intelligence (AI) on robocalls and robotexts.
"AI could improve analytics tools used to block unwanted calls and texts and restore trust in our networks," the agency said. "But AI could also permit bad actors to more easily defraud consumers through calls and text messages, such as by using technology to mimic voices of public officials or other trusted sources."
CacheWarp Attack: New Vulnerability in AMD SEV Exposes Encrypted VMs
15.11.23 Attack The Hacker News
A group of academics has disclosed a new "software fault attack" on AMD's Secure Encrypted Virtualization (SEV) technology that could be potentially exploited by threat actors to infiltrate encrypted virtual machines (VMs) and even perform privilege escalation.
The attack has been codenamed CacheWarp (CVE-2023-20592) by researchers from the CISPA Helmholtz Center for Information Security and the Graz University of Technology. It impacts AMD CPUs supporting all variants of SEV.
"For this research, we specifically looked at AMD's newest TEE, AMD SEV-SNP, relying on the experience from previous attacks on Intel's TEE," security researcher Ruiyi Zhang told The Hacker News. "We found the 'INVD' instruction [flush a processor's cache contents] could be abused under the threat model of AMD SEV."
SEV, an extension to the AMD-V architecture and introduced in 2016, is designed to isolate VMs from the hypervisor by encrypting the memory contents of the VM with a unique key.
The idea, in a nutshell, is to shield the VM from the possibility that the hypervisor (i.e., the virtual machine monitor) could be malicious and thus cannot be trusted by default.
SEV-SNP, which incorporates Secure Nested Paging (SNP), adds "strong memory integrity protection to help prevent malicious hypervisor-based attacks like data replay, memory re-mapping, and more in order to create an isolated execution environment," according to AMD. But CacheWarp, according to Zhang, makes it possible to defeat the integrity protections and achieve privilege escalation and remote code execution in the targeted virtual machine - The instruction `INVD` drops all the modified content in the cache without writing them back to the memory. Hence, the attacker can drop any writes of guest VMs and the VM continues with architecturally stale data. In the paper, we demonstrate that via two primitives, "timewarp" and "dropforge." For the timewarp, we can reset what the computer has memorized as the next step. This makes the computer execute code that it executed before because it reads an outdated so-called return address from memory. The computer thus travels back in time. However, the old code is executed with new data (the return value of another function), which leads to unexpected effects. We use this method to bypass OpenSSH authentication, logging in without knowing the password. Another method, called "Dropforge," lets the attacker reset changes of guest VMs made to data. With one or multiple drops, the attacker can manipulate the logic flow of guest execution in an exploitable way. Take the `sudo` binary as an example, a return value is stored in the memory (stack) so that the attacker can reset it to an initial value. However, the initial value "0" gives us administrator privilege even when we are not. Cybersecurity Successful exploitation of the architectural bug could permit an attacker to hijack the control flow of a program by reverting to a previous state, and seize control of the VM. AMD has since released a microcode update to fix the "instruction misuse." "A team of Google Project Zero and Google Cloud security has audited the newest version of AMD's TEE (SEV-SNP) last year," Zhang noted. "AMD also claims that SEV-SNP prevents all attacks on the integrity. However, our attack breaks the integrity of it." CISPA researchers, earlier this August, also revealed a software-based power side-channel attack targeting Intel, AMD, and Arm CPUs dubbed Collide+Power (CVE-2023-20583) that could be weaponized to leak sensitive data by breaking isolation protections.
With this combination, we have unlimited access to the virtual machine.
New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days
27.7.23 Attack The Hacker News
The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed.
"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC chair Gary Gensler said. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."
To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specifics "would pose a substantial risk to national security or public safety."
They also necessitate registrants to describe on an annual basis the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats, detail the material effects or risks arising as a result of those events, and share information about ongoing or completed remediation efforts.
"The key word here is 'material' and being able to determine what that actually means," Safe Security CEO Saket Modi told The Hacker News. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels."
That said, the rules do not extend to "specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."
The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by U.S. companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.
In recent months, more than 500 companies have become victims of a cyber attack spree orchestrated by a ransomware gang called Cl0p, propelled by the exploitation of critical flaws in software widely used in enterprise environments, with the threat actors leveraging new exfiltration methods to steal data, according to Kroll.
Tenable CEO and Chairman, Amit Yoran, said the new rules on cyber risk management and incident disclosure is "right on the money" and that they are a "dramatic step toward greater transparency and accountability."
"When cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization's cyber risk management activities," Yoran added.
That said, concerns have been raised that the time frame is too tight, leading to possibly inaccurate disclosures, given that it may take companies weeks or even months to fully investigate a breach. To complicate the matter further, premature breach notifications could tip off other attackers to a susceptible target and exacerbate security risks.
"The new requirement set forth by the SEC requiring organizations to report cyber attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries," James McQuiggan, security awareness advocate at KnowBe4, said.
"Within the E.U., the U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it's 24 hours. India has to report the breach within six hours."
"Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," McQuiggan added.
Banking Sector Targeted in Open-Source Software Supply Chain Attacks
24.7.23 Attack The Hacker News
Cybersecurity researchers said they have discovered what they say is the first open-source software supply chain attacks specifically targeting the banking sector.
"These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it," Checkmarx said in a report published last week.
"The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command-and-control (C2) centers for each target, exploiting legitimate services for illicit activities."
The npm packages have since been reported and taken down. The names of the packages were not disclosed.
In the first attack, the malware author is said to have uploaded a couple of packages to the npm registry in early April 2023 by posing as an employee of the target bank. The modules came with a preinstall script to activate the infection sequence. To complete the ruse, the threat actor behind it created a fake LinkedIn page.
Once launched, the script determined the host operating system to see if it was Windows, Linux, or macOS, and proceeded to download a second-stage malware from a remote server by using a subdomain on Azure that incorporated the name of the bank in question.
"The attacker cleverly utilized Azure's CDN subdomains to effectively deliver the second-stage payload," Checkmarx researchers said. "This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure's status as a legitimate service."
The second-stage payload used in the intrusion is Havoc, an open-source command-and-control (C2) framework that has increasingly come under the radar of malicious actors looking to sidestep detection stemming from the use of Cobalt Strike, Sliver, and Brute Ratel.
In an unrelated attack detected in February 2023 targeting a different bank, the adversary uploaded to npm a package that was "meticulously designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action."
Specifically, it was engineered to covertly intercept login data and exfiltrate the details to an actor-controlled infrastructure.
"Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user," the company said.
"Once a malicious open-source package enters the pipeline, it's essentially an instantaneous breach – rendering any subsequent countermeasures ineffective. In other words, the damage is done."
The development comes as the Russian-speaking cybercrime group RedCurl breached an unnamed major Russian bank and an Australian company in November 2022 and May 2023 to siphon corporate secrets and employee information as part of a sophisticated phishing campaign, Group-IB's Russian arm, F.A.C.C.T., said.
"Over the past four and a half years, the Russian-speaking group Red Curl [...] has carried out at least 34 attacks on companies from the UK, Germany, Canada, Norway, Ukraine, and Australia," the company said.
"More than half of the attacks – 20 – fell on Russia. Among the victims of cyber spies were construction, financial, consulting companies, retailers, banks, insurance, and legal organizations."
Financial institutions have also been at the receiving end of attacks leveraging a web-inject toolkit called drIBAN to perform unauthorized transactions from a victim's computer in a manner that circumvents identity verification and anti-fraud mechanisms adopted by banks.
"The core functionality of drIBAN is the ATS engine (Automatic Transfer System)," Cleafy researchers Federico Valentini and Alessandro Strino noted in an analysis released on July 18, 2023.
"ATS is a class of web injects that alters on-the-fly legitimate banking transfers performed by the user, changing the beneficiary and transferring money to an illegitimate bank account controlled by TA or affiliates, which are then responsible for handling and laundering the stolen money."
Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports
22.7.23 Attack The Hacker News
The recent attack against Microsoft's email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought.
According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications.
This includes every application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customers applications that support the "Login with Microsoft functionality," and multi-tenant applications in certain conditions.
"Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access," Ami Luttwak, chief technology officer and co-founder of Wiz, said in a statement. "An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is a 'shape shifter' superpower."
Microsoft, last week, disclosed the token forging technique was exploited by Storm-0558 to extract unclassified data from victim mailboxes, but the exact contours of the cyber espionage campaign remains unknown.
The Windows maker said it's still investigating as to how the adversary managed to acquire the MSA consumer signing key. But it's unclear if the key functioned as a master key of sorts to unlock access to data belonging to nearly two dozen organizations.
Wiz's analysis fills in some of the blanks, with the company discovering that "all Azure personal account v2.0 applications depend on a list of 8 public keys, and all Azure multi-tenant v2.0 applications with Microsoft account enabled depend on a list of 7 public keys."
It further found that Microsoft replaced one of the the listed public keys (thumbprint: "d4b4cccda9228624656bff33d8110955779632aa") that had been present since at least 2016 sometime between June 27, 2023, and July 5, 2023, around the same period the company said it had revoked the MSA key.
"This led us to believe that although the compromised key acquired by Storm-0558 was a private key designed for Microsoft's MSA tenant in Azure, it was also able to sign OpenID v2.0 tokens for multiple types of Azure Active Directory applications," Wiz said.
"Storm-0558 seemingly managed to obtain access to one of several keys that were intended for signing and verifying AAD access tokens. The compromised key was trusted to sign any OpenID v2.0 access token for personal accounts and mixed-audience (multi-tenant or personal account) AAD applications."
This effectively meant that the loophole could theoretically enable malicious actors to forge access tokens for consumption by any application that depends on the Azure identity platform.
Even worse, the acquired private key could have been weaponized to forge tokens to authenticate as any user to an affected application that trusts Microsoft OpenID v2.0 mixed audience and personal-accounts certificates.
"Identity provider's signing keys are probably the most powerful secrets in the modern world," Wiz security researcher Shir Tamari said. "With identity provider keys, one can gain immediate single hop access to everything, any email box, file service, or cloud account."
Update#
When reached for comment, Microsoft shared the following statement with The Hacker News -
Many of the claims made in this blog are speculative and not evidence-based. We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the Indicators of Compromise (IOCs) that we've made public. We’ve also recently expanded security logging availability, making it free for more customers by default, to help enterprises manage an increasingly complex threat landscape.
DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors
4.7.23 Attack The Hacker News
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.
The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up.
DDoSia is attributed to a pro-Russian hacker group called NoName(057)16. Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan.
Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different websites were impacted.
Python and Go-based implementations of DDoSia have been unearthed to date, making it a cross-platform program capable of being used across Windows, Linux, and macOS systems.
"DDoSia is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly issuing network requests," SentinelOne explained in an analysis published in January 2023. "DDoSia issues requests as instructed by a configuration file that the malware receives from a C2 server when started."
DDoSia is distributed through a fully-automated process on Telegram that allows individuals to register for the crowdsourced initiative in exchange for a cryptocurrency payment and a ZIP archive containing the attack toolkit.
What's noteworthy about the new version is the use of encryption to mask the list of targets to be attacked, indicating that the tool is being actively maintained by the operators.
"NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims," Sekoia said.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of targeted denial-of-service (DoS) and DDoS attacks against multiple organizations in multiple sectors.
"These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible," the agency said in a bulletin.
Although CISA did not provide any additional specifics, the warning overlaps with claims by Anonymous Sudan on its Telegram channel that it had taken down the websites of the Department of Commerce, Social Security Administration (SSA), and the Treasury Department's Electronic Federal Tax Payment System (EFTPS).
Anonymous Sudan attracted attention last month for carrying Layer 7 DDoS attacks against various Microsoft services, including OneDrive, Outlook, and Azure web portals. The tech giant is tracking the cluster under the name Storm-1359.
The hacking crew has asserted it's conducting cyber strikes out of Africa on behalf of oppressed Muslims across the world. But cybersecurity researchers believe it to be a pro-Kremlin operation with no ties to Sudan and a member of the KillNet hacktivist collective.
In an analysis released on June 19, 2023, Australian cybersecurity vendor CyberCX characterized the entity as a "smokescreen for Russian interests." The company's website has since become inaccessible, greeting visitors with a "403 Forbidden" message. The threat actor claimed responsibility for the cyber attack.
"The reason for the attack: stop spreading rumors about us, and you must tell the truth and stop the investigations that we call the investigations of a dog," Anonymous Sudan said in a message posted on June 22, 2023.
Anonymous Sudan, in a Bloomberg report last week, further denied it was connected to Russia but acknowledged they share similar interests, and that it goes after "everything that is hostile to Islam."
CISA's latest advisory has also not gone unnoticed, for the group posted a response on June 30, 2023, stating: "A small Sudanese group with limited capabilities forced 'the most powerful government' in the world to publish articles and tweets about our attacks."
Alert: Million of GitHub Repositories Likely Vulnerable to RepoJacking Attack
23.6.23 Attack The Hacker News
Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed.
This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report.
The supply chain vulnerability, also known as dependency repository hijacking, is a class of attacks that makes it possible to take over retired organizations or user names and publish trojanized versions of repositories to run malicious code.
"When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," researchers Ilay Goldman and Yakir Kadkoda said. "However, it is possible for anyone to create the old username and break this link."
Alternatively, a similar scenario could arise when a repository ownership is transferred to another user and the original account is deleted, thus allowing a bad actor to create an account with the old username.
Aqua said a threat actor could leverage websites like GHTorrent to extract GitHub metadata associated with any public commits and pull requests to compile a list of unique repositories.
An analysis of a subset of 1.25 million repositories for the month of June 2019 revealed that as many as 36,983 repositories were vulnerable to RepoJacking, denoting a 2.95% success rate.
With GitHub containing more than 330 million repositories, the findings suggest that millions of repositories could be vulnerable to a similar attack.
One such repository is google/mathsteps, which was previously under the ownership of Socratic (socraticorg/mathsteps), a company that was acquired by Google in 2018.
"When you access https://github.com/socraticorg/mathsteps, you are being redirected to https://github.com/google/mathsteps so eventually the user will fetch Google's repository," the researchers said.
"However, because the socraticorg organization was available, an attacker could open the socraticorg/mathsteps repository and users following Google's instructions will clone the attacker's repository instead. And because of the npm install this will lead to arbitrary code execution on the users."
This is not the first time such concerns have been raised. In October 2022, GitHub moved to close a security loophole that could have been exploited to create malicious repositories and mount supply chain attacks by circumventing popular repository namespace retirement.
To mitigate such risks, it's recommended that users periodically inspect their code for links that may be retrieving resources from external GitHub repositories.
"If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it," the researchers said.
New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks
21.6.23 Attack The Hacker News
A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet.
Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez.
"The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code," security researchers Joie Salvio and Roy Tay said.
An analysis of the malware artifact reveals its ability to terminate other competing botnets on the same host. It, however, lacks a persistence mechanism, meaning the program cannot survive a system reboot.
To get around this limitation, the malware deletes multiple binaries that are used to shut down or reboot the system -
/usr/sbin/reboot
/usr/bin/reboot
/usr/sbin/shutdown
/usr/bin/shutdown
/usr/sbin/poweroff
/usr/bin/poweroff
/usr/sbin/halt
/usr/bin/halt
Condi, unlike some botnets which propagate by means of brute-force attacks, leverages a scanner module that checks for vulnerable TP-Link Archer AX21 devices and, if so, executes a shell script retrieved from a remote server to deposit the malware.
Specifically, the scanner singles out routers susceptible to CVE-2023-1389 (CVSS score: 8.8), a command injection bug that was previously exploited by the Mirai botnet.
Fortinet said it came across other Condi samples that exploited several known security flaws for propagation, suggesting that unpatched software is at risk of being targeted by botnet malware.
The aggressive monetization tactics aside, Condi aims to ensnare the devices to create a powerful DDoS botnet that can be rented by other actors to orchestrate TCP and UDP flood attacks on websites and services.
"Malware campaigns, especially botnets, are always looking for ways to expand," the researchers said. "Exploiting recently discovered (or published) vulnerabilities has always been one of their favored methods."
The development comes as the AhnLab Security Emergency Response Center (ASEC) revealed that poorly managed Linux servers are being breached to deliver DDoS bots such as ShellBot and Tsunami (aka Kaiten) as well as stealthily abuse the resources for cryptocurrency mining.
"The source code of Tsunami is publicly available so it is used by a multitude of threat actors," ASEC said. "Among its various uses, it is mostly used in attacks against IoT devices. Of course, it is also consistently used to target Linux servers."
The attack chains entail compromising the servers using a dictionary attack to execute a rogue shell script capable of downloading next-stage malware and maintaining persistent backdoor access by adding a public key to the .ssh/authorized_keys file.
The Tsunami botnet malware used in the attack is a new variant called Ziggy that shares significant overlaps with the original source code. It further employs the Internet relay chat (IRC) for command-and-control (C2).
Also used during the intrusions is a set of ancillary tools for privilege escalation and altering or erasing log files to conceal the trail and hinder analysis.
"Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to prevent vulnerability attacks," ASEC said.
Microsoft Blames Massive DDoS Attack for Azure, Outlook, and OneDrive Disruptions
19.6.23 Attack The Hacker News
Microsoft on Friday attributed a string of service outages aimed at Azure, Outlook, and OneDrive earlier this month to an uncategorized cluster it tracks under the name Storm-1359.
"These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools," the tech giant said in a post on Friday.
Storm-#### (previously DEV-####) is a temporary designation the Windows maker assigns to unknown, emerging, or developing groups whose identity or affiliation hasn't been definitively established yet.
While there is no evidence that any customer data was accessed or compromised, the company noted the attacks "temporarily impacted availability" of some services. Redmond said it further observed the threat actor launching layer 7 DDoS attacks from multiple cloud services and open proxy infrastructures.
This includes HTTP(S) flood attacks, which bombard the target services with a high volume of HTTP(S) requests; cache bypass, in which the attacker attempts to bypass the CDN layer and overload the origin servers; and a technique known as Slowloris.
"This attack is where the client opens a connection to a web server, requests a resource (e.g., an image), and then fails to acknowledge the download (or accepts it slowly)," the Microsoft Security Response Center (MSRC) said. "This forces the web server to keep the connection open and the requested resource in memory."
Microsoft 365 services such as Outlook, Teams, SharePoint Online, and OneDrive for Business went down at the start of the month, with the company subsequently stating it had detected an "anomaly with increased request rates."
"Traffic analysis showed an anomalous spike in HTTP requests being issued against Azure portal origins, bypassing existing automatic preventive measures, and triggering the service unavailable response," it said.
Microsoft further characterized the "murky upstart" as focused on disruption and publicity. A hacktivist group known as Anonymous Sudan has claimed responsibility for the attacks. However, it's worth noting that the company has not explicitly linked Storm-1359 to Anonymous Sudan.
Who is Anonymous Sudan?#
Anonymous Sudan has been making waves in the threat landscape with a series of DDoS attacks against Swedish, Dutch, Australian, and German organizations since the start of the year.
An analysis from Trustwave SpiderLabs in late March 2023 indicated that the adversary is likely an offshoot of the Pro-Russian threat actor group KillNet that first gained notoriety during the Russian-Ukraine conflict last year.
"It has publicly aligned itself with the Russian group KillNet, but for reasons only its operators know, prefers to use the story of defending Islam as the reason behind its attacks," Trustwave said.
KillNet has also attracted attention for its DDoS attacks on healthcare entities hosted in Microsoft Azure, which have surged from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.
The Kremlin-affiliated collective, which first emerged in October 2021, has further established a "private military hacking company" named Black Skills in an attempt to lend its cyber mercenary activities a corporate sheen.
Anonymous Sudan's Russian connections have also become evident in the wake of its collaboration with KillNet and REvil to form a "DARKNET parliament" and orchestrate cyber attacks on European and U.S. financial institutions. "Task number one is to paralyze the work of SWIFT," the message read.
"Killnet, despite its nationalistic agenda, has primarily been driven by financial motives, utilizing the eager support of the Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services," Flashpoint said in a profile of the adversary last week.
"KillNet has also partnered with several botnet providers as well as the Deanon Club — a partner threat group with which KillNet created Infinity Forum — to target narcotics-focused darknet markets."
New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
30.5.23 Attack The Hacker News
Researchers have discovered an inexpensive attack technique that could be leveraged to brute-force fingerprints on smartphones to bypass user authentication and seize control of the devices.
The approach, dubbed BrutePrint, bypasses limits put in place to counter failed biometric authentication attempts by weaponizing two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework.
The flaws, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), leverage logical defects in the authentication framework, which arises due to insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.
The result is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking," researchers Yu Chen and Yiling He said in a research paper. "BrutePrint acts as a middleman between fingerprint sensor and TEE [Trusted Execution Environment]."
The goal, at its core, is to be able to perform an unlimited number of fingerprint image submissions until there is a match. It, however, presupposes that a threat actor is already in possession of the target device in question.
Additionally, it requires the adversary to be in possession of a fingerprint database and a setup comprising a microcontroller board and an auto-clicker that can hijack data sent by a fingerprint sensor to pull off the attack for as low as $15.
The first of the two vulnerabilities that render this attack possible is CAMF, which allows for increasing the fault tolerance capabilities of the system by invalidating the checksum of the fingerprint data, thereby giving an attacker unlimited tries.
MAL, on the other hand, exploits a side-channel to infer matches of the fingerprint images on the target devices, even when it enters a lockout mode following too many repeated login attempts.
"Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE," the researchers explained.
"As Success authentication result is immediately returned when a matched sample is met, it's possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images."
In an experimental setup, BrutePrint was evaluated against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo, yielding infinite attempts on Android and HarmonyOS, and 10 additional attempts on iOS devices.
The findings come as a group of academics detailed a hybrid side-channel that takes advantage of the "three-way tradeoff between execution speed (i.e., frequency), power consumption, and temperature" in modern system-on-chips (SoCs) and GPUs to conduct "browser-based pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2.
The attack, called Hot Pixels, takes advantage of this behavior to mount website fingerprinting attacks and employ JavaScript code to harvest a user's browsing history.
This is accomplished by designing a computationally heavy SVG filter to leak pixel colors by measuring the rendering times and stealthily harvest the information with an accuracy as high as 94%.
The issues have been acknowledged by Apple, Google, AMD, Intel, Nvidia, Qualcomm. The researchers also recommend "prohibiting SVG filters from being applied to iframes or hyperlinks" and preventing unprivileged access to sensor readings.
BrutePrint and Hot Pixels also follow Google's discovery of 10 security defects in Intel's Trust Domain Extensions (TDX) that could lead to arbitrary code execution, denial-of-service conditions, and loss of integrity.
On a related note, Intel CPUs have also been found susceptible to a side-channel attack that makes use of variations in execution time caused by changing the EFLAGS register during transient execution to decode data without relying on the cache.
N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
21.4.23 Attack The Hacker News
The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.
Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack."
The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.
"The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. "Specifically it will target the Chrome, Edge, Brave, or Firefox browsers."
Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that's capable of running additional commands and interacting with the victim's file system.
Mandiant's investigation into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.
It described the initial intrusion vector as "a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER."
This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that's camouflaged as a legitimate dependency.
The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that's capable of sending data, executing shellcode, and terminating itself.
The initial compromise of the employee's personal computer using VEILEDSIGNAL enabled the threat actor to obtain the individual's corporate credentials, two after which the first unauthorized access to its network took place via a VPN by taking advantage of the stolen credentials.
Besides identifying tactical similarities between the compromised X_TRADER and 3CXDesktopApp apps, Mandiant found that the threat actor subsequently laterally moved within the 3CX environment and breached the Windows and macOS build environments.
"On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges," Mandiant said. "The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism."
POOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a C/C++ macOS implant capable of collecting basic system information and executing arbitrary commands, including carrying out file operations.
UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that's been reinforced by ESET's discovery of an overlapping command-and-control (C2) domain (journalide[.]org) employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.
Evidence gathered by Mandiant shows that the group exhibits commonalities with another intrusion set tracked as Operation AppleJeus, which has a track record of carrying out financially motivated attacks.
What's more, the breach of Trading Technologies' website is said to have taken place in early February 2022 by weaponizing a then zero-day flaw in Google Chrome (CVE-2022-0609) to activate a multi-stage infection chain responsible for serving unknown payloads to the site visitors.
"The site www.tradingtechnologies[.]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X_TRADER software package," Mandiant explained.
Another link connecting it to AppleJeus is the threat actor's previous use of an older version of POOLRAT as part of a long-running campaign disseminating booby-trapped trading applications like CoinGoTrade to facilitate cryptocurrency theft.
The entire scale of the campaign remains unknown, and it's currently not clear if the compromised X_TRADER software was used by other firms. The platform was purportedly decommissioned in April 2020, but it was still available to download from the site in 2022.
3CX, in an update shared on April 20, 2023, said it's taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.
"Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea's interests," Mandiant said.
North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack
12.4.23 Attack The Hacker News
Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus.
The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence and incident response unit is tracking the activity under its uncategorized moniker UNC4736.
It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps.
The attack chain, based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called Gopuram in selective attacks aimed at crypto companies.
Mandiant's forensic investigation has now revealed that the threat actors infected 3CX systems with a malware codenamed TAXHAUL that's designed to decrypt and load shellcode containing a "complex downloader" labeled COLDCAT.
"On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware," 3CX said. "The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet."
The company further said the malicious DLL (wlbsctrl.dll) was loaded by the Windows IKE and AuthIP IPsec Keying Modules (IKEEXT) service through svchost.exe, a legitimate system process.
macOS systems targeted in the attack are said to have been backdoored using another malware strain referred to as SIMPLESEA, a C-based malware that communicates via HTTP to run shell commands, transfer files, and update configurations.
The malware families detected within the 3CX environment have been observed to contact at least four command-and-control (C2) servers: azureonlinecloud[.]com, akamaicontainer[.]com, journalide[.]org, and msboxonline[.]com.
3CX CEO Nick Galea, in a forum post last week, said the company is only aware of a "handful of cases" where the malware was actually activated and that it's working to "strengthen our policies, practices, and technology to protect against future attacks." An updated app has since been made available to customers.
It's currently not determined how the threat actors managed to break into 3CX's network, and if it entailed the weaponization of a known or unknown vulnerability. The supply chain compromise is being tracked under the identifier CVE-2023-29059 (CVSS score: 7.8).
Hackers Flood NPM with Bogus Packages Causing a DoS Attack
11.4.23 Attack The Hacker News
Threat actors flooded the npm open source package repository for Node.js with bogus packages that briefly even resulted in a denial-of-service (DoS) attack.
"The threat actors create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems' good reputation on search engines," Checkmarx's Jossef Harush Kadouri said in a report published last week.
"The attacks caused a denial-of-service (DoS) that made NPM unstable with sporadic 'Service Unavailable' errors."
While similar campaigns were recently observed propagating phishing links, the latest wave pushed the number of package versions to 1.42 million, a dramatic uptick from the approximate 800,000 packages released on npm.
The attack technique leverages the fact that open source repositories are ranked higher on search engine results to create rogue websites and upload empty npm modules with links to those sites in the README.md files.
"Since the open source ecosystems are highly reputed on search engines, any new open-source packages and their descriptions inherit this good reputation and become well-indexed on search engines, making them more visible to unsuspecting users," Harush Kadouri explained.
Given that the whole process is automated, the load created by publishing numerous packages led to NPM intermittently experiencing stability issues towards the end of March 2023.
Checkmarx points out that while there may be multiple actors behind the activity, the end goal is to infect the victim's system with malware such as RedLine Stealer, Glupteba, SmokeLoader, and cryptocurrency miners.
Other links take users through a series of intermediate pages that ultimately lead to legitimate e-commerce sites like AliExpress with referral IDs, earning the actors a profit when the victim makes a purchase on the platform. A third category entails inviting Russian users to join a Telegram channel that specializes in cryptocurrency.
"The battle against threat actors poisoning our software supply chain ecosystem continues to be challenging, as attackers constantly adapt and surprise the industry with new and unexpected techniques," Harush Kadouri said.
To prevent such automated campaigns, Checmarx has recommended npm to incorporate anti-bot techniques during user account creation.
3CX Supply Chain Attack — Here's What We Know So Far
1.4.23 Attack The Hacker News
Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.
The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS. The issue has been assigned the CVE identifier CVE-2023-29059.
The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.
"3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea said in a blog post. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server."
Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poisoning of an upstream dependency. The scale of the attack is currently unknown.
Telemetry data shared by Fortinet shows that the geographic spread of victim machines calling out to known actor controlled infrastructure chiefly spans Italy, Germany, Austria, the U.S., South Africa, Australia, Switzerland, the Netherlands, Canada, and the U.K.
The earliest period of potentially malicious activity is said to have been detected on or around March 22, 2023, according to a post on the 3CX forum, although preparations for the sophisticated campaign commenced no later than February 2022.
3CX said the initial alert flagging a potential security problem in its app last week was treated as a "false positive" owing to the fact that none of the antivirus engines on VirusTotal labeled it as suspicious or malware.
The Windows version of the attack leveraged a technique called DLL side-loading to load a rogue library referred to as "ffmpeg.dll" that's designed to read encrypted shellcode from another DLL called "d3dcompiler_47.dll."
SUDDENICON downloading a new executable
This involved accessing a GitHub repository to retrieve an ICO file containing URLs hosting the final-stage payload, an information stealer (dubbed ICONIC Stealer or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers.
British cybersecurity vendor Sophos pointed out that the shellcode utilized in the attack is a "byte-to-byte match" to prior samples seen in incidents exclusively attributed to the Lazarus Group.
"The choice of these two DLLs – ffmpeg and d3dcompiler_47 – by the threat actors behind this attack was no accident," ReversingLabs security researcher Karlo Zanki said.
"The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both of the libraries in question usually ship with the Electron runtime and, therefore, are unlikely to raise suspicion within customer environments."
The macOS attack chain, in the same vein, bypassed Apple's notarization checks to download an unknown payload from a command-and-control (C2) server that's currently unresponsive.
"The macOS version does not use GitHub to retrieve its C2 server," Volexity said, which is tracking the activity under the cluster UTA0040. "Instead, a list of C2 servers is stored in the file encoded with a single byte XOR key, 0x7A."
Cybersecurity firm CrowdStrike, in an advisory of its own, has attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor.
"The activity, which targets many organizations across a broad range of verticals without any obvious patterns, has been attributed to Labyrinth Chollima based on observed network infrastructure uniquely associated with that adversary, similar installation techniques, and a reused RC4 key," Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.
"The trojanized 3CX applications invoke a variant of ArcfeedLoader, malware uniquely attributed to Labyrinth Chollima."
Labyrinth Chollima, per the Texas-based company, is a subset of the Lazarus Group, which also constitutes Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone).
The threat actor "has been active at least since 2009 and typically tries to generate revenue by targeting crypto and financial organizations," Meyers said, adding it's "likely affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau (RGB) and primarily conducts espionage operations and revenue generation schemes."
Google Chrome blocks latest 3CX MSI installer#
3CX, in an update shared on Friday, said Google is prohibiting downloads of the MSI installer files through its Chrome web browser. It also noted that antivirus engines from several companies are blocking any software signed with the old security certificate.
The following MSI installers have been blocked: SBC for Windows, Windows desktop app, and Call Flow Designer. However, there are indications that the restriction may have been lifted as some customers report being able to download the latest version (18.12.422) through Chrome.
In response, the company said it's making new MSI installers with a new certificate and a new build server, a process that's expected to take at least eight hours. It's further encouraging its customers to use the web app (PWA) version instead.
3CX Desktop App Supply Chain Attack Leaves Millions at Risk - Urgent Update on the Way!
1.4.23 Attack The Hacker News
3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said.
The cybersecurity firm is tracking the activity under the name SmoothOperator, stating the threat actor registered a massive attack infrastructure as far back as February 2022. There are indications that the attack may have commenced around March 22, 2023.
3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.
While the 3CX PBX client is available for multiple platforms, telemetry data shows that the attacks observed so far are confined to the Windows Electron client (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system.
The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that's designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.
The final payload is an information stealer capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.
The macOS sample (a 381 MB file), according to security researcher Patrick Wardle, carries a valid signature and is notarized by Apple, meaning it can be run without the operating system blocking it.
The malicious app, similar to the Windows counterpart, includes a Mach-O binary named libffmpeg.dylib that's designed to reach out to an external server "pbxsources[.]com" to download and execute a file named UpdateAgent. The server is currently offline.
Huntress reported that there are 242,519 publicly exposed 3CX phone management systems. Broadcom-owned Symantec, in its own advisory, said "the information gathered by this malware presumably allowed the attackers to gauge if the victim was a candidate for further compromise."
"Due to its widespread use and its importance in an organization's communication system, threat actors can cause major damage (for example, by monitoring or rerouting both internal and external communication) to businesses that use this software," Trend Micro said.
Cybersecurity firm CrowdStrike said it's attributing the attack with high confidence to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.
"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike added.
In a forum post, 3CX's CEO Nick Galea said it's in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. "Unfortunately this happened because of an upstream library we use became infected," Galea said, without specifying more details.
As a workaround, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.
3CX, in a follow-up update, said the "issue appears to be one of the bundled libraries that we compiled into the Windows Electron app via git" and that it's further investigating the matter.
(This is a developing story and has been updated with new information about the macOS infection chain.)
Large-scale Cyber Attack Hijacks East Asian Websites for Adult Content Redirects
14.3.23 Attack The Hacker News
A widespread malicious cyber operation has hijacked thousands of websites aimed at East Asian audiences to redirect visitors to adult-themed content since early September 2022.
The ongoing campaign entails injecting malicious JavaScript code to the hacked websites, often connecting to the target web server using legitimate FTP credentials the threat actor previously obtained via an unknown method.
"In many cases, these were highly secure auto-generated FTP credentials which the attacker was somehow able to acquire and leverage for website hijacking," Wiz said in a report published this month.
The fact that the breached websites – owned by both small firms and multinational corporations – utilize different tech stacks and hosting service providers has made it difficult to trace a common attack vector, the cloud security company noted.
That having said, one of the common denominators between the websites is that a majority of them are either hosted in China or hosted in a different country but are primed for Chinese users.
What's more, the URLs hosting the rogue JavaScript code are geofenced to limit its execution in certain East Asian countries.
There are also indications that the campaign has set its sights on Android as well, with the redirection script leading visitors to gambling websites that urge them to install an app (APK package name "com.tyc9n1999co.coandroid").
The identity of the threat actor is unknown as yet, and although their precise motives are yet to be identified, it is suspected that the goal is to carry out ad fraud and SEO manipulation, or alternatively, drive inorganic traffic to these websites.
Another notable aspect of the attacks is the absence of phishing, web skimming, or malware infection.
"We remain unsure as to how the threat actor has been gaining initial access to so many websites, and we have yet to identify any significant commonalities between the impacted servers other than their usage of FTP," researchers Amitai Cohen and Barak Sharoni said.
"Although it's unlikely that the threat actor is using a 0-day vulnerability given the apparently low sophistication of the attack, we can't rule this out as an option."
CASPER attack steals data using air-gapped computer's internal speaker
12.3.23 Attack Bleepingcomputer
Researchers at the School of Cyber Security at Korea University, Seoul, have presented a new covert channel attack named CASPER can leak data from air-gapped computers to a nearby smartphone at a rate of 20bits/sec.
The CASPER attack leverages the internal speakers inside the target computer as the data transmission channel to transmit high-frequency audio that the human ear cannot hear and convey binary or Morse code to a microphone up to 1.5m away.
The receiving microphone can be in a smartphone recording sound inside the attacker's pocket or a laptop in the same room.
Researchers have previously developed similar attacks leveraging external speakers. However, air-gapped, network-isolated systems used in critical environments, such as government networks, energy infrastructure, and weapon control systems, are unlikely to have external speakers.
On the other hand, internal speakers that provide audio feedback, such as boot-up beeps, are still considered necessary, so they're commonly present, making them better candidates.
Infecting the target
As is the case with almost all secret channel attacks targeting network-isolated computers, a rogue employee or a stealthy intruder with physical access to the target must first infect it with malware.
Although this scenario may seem impractical or even far-fetched, there have been multiple instances of such attacks being successfully carried out in the past, with notable examples including the Stuxnet worm, which targeted Iran's uranium enrichment facility at Natanz, the Agent.BTZ malware that infected a U.S. military base, and the Remsec modular backdoor, which secretly collected information from air-gapped government networks for over five years.
The malware can autonomously enumerate the target's filesystem, locate files or file types that match a hardcoded list and attempt to exfiltrate them.
More realistically, it can perform keylogging, which is more suitable for such a slow data transmission rate.
The malware will encode the data to be exfiltrated from the target in binary or Morse code and transmit it through the internal speaker using frequency modulation, achieving an imperceptible ultrasound in a range between 17 kHz and 20 kHz.
CASPER attack diagram (Korea University)
The results
The researchers experimented with the described model using a Linux-based (Ubuntu 20.04) computer as the target, and a Samsung Galaxy Z Flip 3 as the receiver, running a basic recorder application with a sampling frequency of up to 20 kHz.
In the Morse code experiment, the researchers set the length per bit to 100 ms and used 18 kHz for dots and 19 kHz for the dash. The smartphone was located 50cm away and was able to decode the sent word "covert."
In the binary data experiment, the length per bit was set to 50 ms, transferring zeros at a frequency of 18 kHz and 1s at 19 kHz. A 50 ms start/end bit was also used at 17 kHz to indicate the beginning of a new message.
Data transmitted through generated sound frequencies (Korea University)
Based on the conducted tests, the maximum distance of the receiver is 1.5 meters (4.9 ft), using a length per bit of 100 ms.
The overall results of the experiment, however, show that the length per bit affects the bit error rate, and a maximum reliable transmitting bit rate of 20 bits/s is achievable when the length per bit is 50 ms.
Bit error rate calculations (Korea University)
At this data transfer rate, the malware could transmit a typical 8-character length password in about 3 seconds and a 2048-bit RSA key in 100 seconds.
Anything above that, like a small 10 KB file, for example, would need over an hour to exfiltrate from the air-gapped system, even if the conditions are ideal and no interruptions occur during the transmission.
"Our method is slower in transferring data compared to other covert channel technologies using optical methods or electromagnetic methods because the speed of data transfer by sound is limited." - Korea University.
A solution to the slow data rate would be to vary the frequency band for multiple simultaneous transmissions; however, internal speakers can only produce sound in a single frequency band, so the attack is practically limited.
The researchers shared ways to defend against the CASPER attack, with the simplest being to remove the internal speaker from mission-critical computers.
If that's impossible, defenders could implement a high-pass filter to keep all generated frequencies within the audible sound spectrum, blocking ultrasound transmissions.
If you're interested in other covert channel attacks against air-gapped systems, check out COVID-bit, which uses the PSU to generate electromagnetic waves that carry data.
Other examples of similar attacks are ETHERLED, which relies on the LED lights of the target's network card to transmit Morse code signals, and one named SATAn, which uses SATA cables as wireless antennas.