Google Demonstrates a Spectre Attack 🔎, Sensitive Data Hidden in Image Files 🖼, A Busy Week for the US Courts ⚖

CyberLite Mar 23, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!


🔎 Google Releases Code Demonstrating a Spectre Attack

Google has released code for carrying out a Spectre attack against the Chrome Browser in an attempt to encourage developers to protect against this type of attack.

So what's a Spectre attack? Spectre is a flaw that was made public in early 2018 that abuses speculative execution in processors. Speculative execution occurs when a program has multiple paths it could take and the processor starts running the likely path ahead of time, loading the data that path needs into the processor's cache - a small section of memory that a processor can access very quickly. A Spectre attack abuses this by giving a program a specially designed input so that one of the program's paths accesses some sensitive data. Even if the program doesn't end up taking that path, the processor has still loaded the sensitive data into the cache, and attackers can then guess what that data is.

Attackers guess the value of the data by timing accesses to different values; if one value can be accessed more quickly than the others, they know it's in the cache. If you're interested in learning more here's a great YouTube video, or a technical deep dive if that's more your speed.
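To make the "faster means cached" idea concrete, here is a small simulation added to this issue (it is not Google's proof-of-concept code and touches no real hardware). It models the cache as a set of loaded lines with constructed hit and miss latencies, plays the "one path loaded the secret" step, then times a probe of all 256 candidate values. The second half shows why browsers responded by coarsening their timers: with a timer that only reports whole microseconds, the hit and miss latencies become indistinguishable and the guess fails. All latency numbers, the `SimulatedCache` class and `infer_secret` are assumptions of this toy model.

```python
import random

# Constructed latencies in nanoseconds: a cached line returns much faster than
# one fetched from main memory. Real numbers vary by CPU; only the gap matters here.
CACHE_HIT_NS = 40
CACHE_MISS_NS = 300
JITTER_NS = 15


class SimulatedCache:
    """Toy cache: remembers which indices have been loaded and reports a latency."""

    def __init__(self, rng):
        self.rng = rng
        self.lines = set()

    def flush(self):
        """Evict everything, as an attacker would before the speculative step."""
        self.lines.clear()

    def access(self, index):
        """Return the latency of touching `index`, then mark it as cached."""
        hit = index in self.lines
        self.lines.add(index)
        base = CACHE_HIT_NS if hit else CACHE_MISS_NS
        return base + self.rng.randint(-JITTER_NS, JITTER_NS)


def speculative_touch(cache, secret_byte):
    """Model the mispredicted path: the CPU loads the line selected by the secret
    even though the program never commits that path's result."""
    cache.access(secret_byte)


def fine_timer(latency_ns):
    """A high-resolution timer reports the latency as-is."""
    return latency_ns


def coarse_timer(latency_ns):
    """A coarsened timer (the mitigation browsers adopted) only reports whole
    microseconds, so sub-microsecond differences vanish."""
    return (latency_ns // 1000) * 1000


def infer_secret(secret_byte, timer, seed=1):
    """Flush, let the speculative path load the secret, then time every candidate.
    Returns the single fastest index, or None if the timer cannot tell them apart."""
    cache = SimulatedCache(random.Random(seed))
    cache.flush()
    speculative_touch(cache, secret_byte)
    timings = [timer(cache.access(i)) for i in range(256)]
    fastest = min(timings)
    candidates = [i for i, t in enumerate(timings) if t == fastest]
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    print("fine timer   ->", infer_secret(0x42, fine_timer))    # recovers 66 (0x42)
    print("coarse timer ->", infer_secret(0x42, coarse_timer))  # None: no signal
```

Run it and the fine-grained timer recovers the byte every time, while the coarse timer returns nothing; this is the same reason Chrome reduced the precision of `performance.now()` after Spectre was disclosed and why isolating sites into separate processes matters even more.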


🖼 Hiding Sensitive Data Inside of Image Files

This week we saw two stories hit about image files being used to hide sensitive information. Firstly, a collection of hacker groups known as Magecart have been storing stolen credit card details as JPG image files to avoid detection. Magecart compromised websites and instead of trying to exfiltrate stolen credit card details, which a site owner is likely to detect, they stored them in image files on the website.

Hot off that news a security researcher discovered a technique for hiding ZIP archives and MP3 audio files inside of images (PNGs) posted on Twitter.

Both of these techniques involved hiding files within the image's metadata - the extra fields that describe the image rather than make up its pixels. So if you were to look at the images you wouldn't notice any difference between those hiding information and a standard image.
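Because the pixels look normal, the place to catch this is the file structure rather than the picture. The scanner below is an added example written for this issue (not the researcher's tool or Magecart's code): it walks a PNG chunk by chunk, verifies each chunk's CRC, flags metadata chunks that carry a ZIP or MP3 signature, flags files whose metadata dwarfs the image data, and reports any bytes trailing after the `IEND` chunk. The sample images, the signature list and the 25% metadata threshold are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_CHUNKS = {b"IHDR", b"PLTE", b"IDAT"}
# Constructed list of file signatures worth flagging inside image metadata.
EMBEDDED_SIGS = {
    b"PK\x03\x04": "zip archive",
    b"ID3": "mp3 (ID3 tag)",
    b"\xff\xfb": "mp3 (MPEG frame)",
}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes):
    """Return [(type, data, crc_ok)] up to IEND plus any trailing bytes."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if len(data) != length or pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        stored = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == stored
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def scan_png(png: bytes, max_metadata_ratio: float = 0.25):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    chunks, trailing = parse_chunks(png)
    image_bytes = sum(len(d) for t, d, _ in chunks if t in IMAGE_CHUNKS)
    meta_bytes = sum(len(d) for t, d, _ in chunks if t not in IMAGE_CHUNKS | {b"IEND"})
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name}: CRC mismatch")
        if ctype in IMAGE_CHUNKS or ctype == b"IEND":
            continue
        for sig, label in EMBEDDED_SIGS.items():
            if sig in data:
                findings.append(f"{name}: contains {label} signature")
    total = image_bytes + meta_bytes
    if total and meta_bytes > max_metadata_ratio * total:
        findings.append(f"metadata is {100 * meta_bytes // total}% of chunk data")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    return findings


def build_samples():
    """Constructed 1x1 RGB PNGs: one clean, one with a fake ZIP in a tEXt chunk,
    one with data appended after IEND."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
    iend = make_chunk(b"IEND", b"")
    fake_zip = b"PK\x03\x04" + b"A" * 200
    return {
        "clean": PNG_SIG + ihdr + idat + iend,
        "text_chunk": PNG_SIG + ihdr + make_chunk(b"tEXt", b"Comment\x00" + fake_zip) + idat + iend,
        "trailing": PNG_SIG + ihdr + idat + iend + fake_zip,
    }


if __name__ == "__main__":
    for label, png in build_samples().items():
        print(label, "->", scan_png(png) or "no findings")
```

Checking the CRC matters as well as the size: a tool that appends data to an existing chunk without recomputing the CRC leaves a mismatch that a viewer silently tolerates but a scanner should not.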


⚖ The Department of Justice’s Busy Week

The US Department of Justice (DoJ) issued updates on four cases involving cyberattacks this week. Here's a quick rundown:

First up on the docket was last summer's hack of 130 high-profile Twitter accounts, including those belonging to Barack Obama and Elon Musk. A teenager from Florida has been accused of the hack and has been sentenced to three years in prison. The accounts were used by the attacker to publicize a bitcoin scam - victims were asked to send bitcoin to a specific address and then anything they sent would be doubled. It definitely sounds too good to be true, but it still earned the scammer $130,000.

In last week's issue I reported on a hacker group that compromised CCTV cameras controlled by the surveillance company Verkada. The group's leader Till Kottman has been charged with conspiracy, wire fraud and identity theft. The surveillance camera hack wasn't the first attack the group has been responsible for and they've been accused of hacking dozens of companies and government agencies since 2019. Kottman claimed that the hack was designed to "expose just how broadly we're being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit". Whilst it certainly did that, the US DoJ wasn't so keen on the method.

In another update from last week’s issue, the DoJ has indicted the CEO of Sky Global for willfully participating in a criminal enterprise - helping drug traffickers avoid law enforcement. Sky Global’s encrypted messaging service Sky ECC was accessed by Europol, who found a large network of criminals using the service.

Finally a Russian national pleaded guilty to offering a Tesla employee $1 million to plant ransomware on their network. Thankfully the employee alerted Tesla who then got the FBI involved.


💰 Microsoft could receive $150 million in new US Cyber Spending

A draft of the new US cybersecurity spending plan sets aside $150 million for upgrading the government's cloud platform. According to officials this is being used to purchase more advanced security capabilities from Microsoft; namely Microsoft's premium tracking capability that watches for malicious activity.

Some US lawmakers weren't too pleased about the news with Oregon Senator Ron Wyden saying:

“If the only solution to a major breach in which hackers exploited a design flaw long ignored by Microsoft is to give Microsoft more money, the government needs to reevaluate its dependence on Microsoft”

In response to Ron, I would say that Government departments should be paying to have the most advanced Microsoft security features; if they weren’t before that was an oversight. Whilst this isn't by any means a "solution" to the major breaches, it is still an important and necessary step to improving their security.


🔥 Rapid Fire

Some shorter stories…

📧 Microsoft has released a one-click mitigation tool to protect organizations against the Exchange Server vulnerabilities that have been causing chaos this month. The tool applies all necessary patches and checks if any malware or web shells are present on your server. Link.

💳 WeLeakInfo was previously a popular site amongst cybercriminals for accessing personal information leaked during data breaches. Last year it was seized by the FBI, but in an ironic turn of events a hacker has been able to access WeLeakInfo’s customer records and publish details of everyone who used this service. Link.

📨 An article from Vice this week reported on how an attacker could use business messaging service Sakari to re-route a user's SMS messages to their phone. The takeaway here is that there are many ways in which attackers can get hold of your SMS messages - relying on them as our primary means of two-factor authentication (2FA) may not be wise. But at the moment they're still the most convenient and frictionless way to get people to use 2FA. Link.

📱 Apple is laying the groundwork to separate security updates from standard OS updates. This would mean that users could get critical security fixes without updating to the most recent version of iOS - keeping any users who are hesitant to update secure. Link.

👩‍💻 Researchers have discovered a new attack against Apple developers that exploits Xcode, the primary software for developing apps for Apple's devices. Attackers cloned a popular Xcode project called TabBarInteraction and added a backdoor that would allow attackers to access the developer’s computers. This is very reminiscent of the recent North Korean attack against security researchers where they were coerced into installing a malicious Visual Studio project. Link.


🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

🌐 Vulnerabilities in two WordPress plugins have been uncovered that could allow attackers to take over affected websites. The flaws are a set of stored cross-site scripting (XSS) vulnerabilities in the Elementor and WP Super Cache plugins. These popular plugins are used in over 7 million websites. Link.

💻 A vulnerability in F5 Networks' BIG-IP and BIG-IQ software would allow an attacker to take full control of an affected system. F5 Networks provide networking software to a whole host of Fortune 500 companies including Facebook, Microsoft, and Oracle. At the time of writing the vulnerability is unpatched and there is evidence that it is being actively exploited. Link.


💭 Anything Else?

Other news, ideas, and insights from around the web that you might enjoy.

⛓ A fantastic paper on everything you need to know about supply chain attacks. It’s a long read but if you want to know more about these types of attacks it’s a great jumping-off point. Link.

🌐 WordPress vulnerabilities are disclosed faster than anyone can report on them, so it's no wonder that someone has created an online database for them. This is a great resource for all WordPress site owners! Link.

📷 Instagram will no longer let adults message teenagers who don't follow them. An incredibly welcome change. Link.

🎥 A look at China's Sharp Eyes program that aims to surveil 100% of public spaces. Take these figures with a grain of salt; it’s easier to announce programs like this than implement them. Link.


❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!


🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!

Oli

Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
