New ZenHammer Attack Bypasses RowHammer Defenses on AMD CPUs

Mar 28, 2024 | Newsroom | Hardware Security / Vulnerability


Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).

“This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today’s AMD market share of around 36% on x86 desktop CPUs,” the researchers said.

The technique, codenamed ZenHammer, is also the first to trigger RowHammer bit flips on DDR5 devices.

RowHammer, first publicly disclosed in 2014, is a well-known attack that exploits DRAM’s memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak to adjacent cells.

This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can alter the memory contents and potentially facilitate privilege escalation, compromising confidentiality, integrity, and availability of a system.


The attacks take advantage of the physical proximity of these cells within the memory array, a problem that’s likely to worsen as the DRAM technology scaling continues and the storage density increases.

“As DRAM continues to scale, RowHammer bit flips can occur at smaller activation counts and thus a benign workload’s DRAM row activation rates can approach or even exceed the RowHammer threshold,” ETH Zurich researchers noted in a paper published in November 2022.

“Thus, a system may experience bit flips or frequently trigger RowHammer defense mechanisms even without a malicious party performing a RowHammer attack in the system, leading to data corruption or significant performance degradation.”

One of the crucial mitigations implemented by DRAM manufacturers against RowHammer is TRR, which is an umbrella term used for mechanisms that refresh target rows that are determined to be accessed frequently.

In doing so, the idea is to generate more memory refresh operations so that victim rows will either be refreshed before bits are flipped or be corrected after bits are flipped due to RowHammer attacks.

ZenHammer, like TRRespass and SMASH before it, bypasses TRR guardrails by reverse engineering the secret DRAM address functions used in AMD systems and by adopting improved refresh synchronization together with careful scheduling of flushing and fencing instructions. With these techniques it triggered bit flips on seven out of 10 sample Zen 2 devices and six out of 10 Zen 3 devices.

The study also arrived at an optimal hammering instruction sequence to improve row activation rates in order to facilitate more effective hammering.

“Our results showed that regular loads (MOV) with CLFLUSHOPT for flushing aggressors from the cache, issued immediately after accessing an aggressor (‘scatter’ style), is optimal,” the researchers said.

ZenHammer has the distinction of being the very first method that can trigger bit flips on systems equipped with DDR5 chips on AMD’s Zen 4 microarchitectural platform. That said, it only works on one of the 10 tested devices (Ryzen 7 7700X).


It’s worth noting that DDR5 DRAM modules were previously considered immune to RowHammer attacks because they replace TRR with a new kind of protection called refresh management.

“The changes in DDR5 such as improved RowHammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms) make it harder to trigger bit flips,” the researchers said.

“Given the lack of bit flips on nine of 10 DDR5 devices, more work is needed to better understand the potentially new RowHammer mitigations and their security guarantees.”

AMD, in a security bulletin, said it’s assessing RowHammer bit flips on DDR5 devices and that it will provide an update once that assessment is complete.

“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications,” it added. “Susceptibility to RowHammer attacks varies based on the DRAM device, vendor, technology, and system settings.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.




New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking

Mar 29, 2024 | Newsroom | Vulnerability / Linux


Details have emerged about a vulnerability impacting the “wall” command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions.

The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.

“The util-linux wall command does not filter escape sequences from command line arguments,” Ferrante said. “This allows unprivileged users to put arbitrary text on other users’ terminals, if mesg is set to ‘y’ and wall is setgid.”

The vulnerability was introduced as part of a commit made in August 2013.


The “wall” command is used to write a message to the terminals of all users that are currently logged in to a server, essentially allowing users with elevated permissions to broadcast key information to all local users (e.g., a system shutdown).

“wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users,” the man page for the Linux command reads. “Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program which automatically denies messages.”

CVE-2024-28085 essentially exploits the improperly filtered escape sequences supplied via command line arguments: an attacker can use them to paint a fake sudo (aka superuser do) prompt on other users’ terminals and trick those users into entering their passwords.

However, for this to work, the mesg utility – which controls the ability to display messages from other users – has to be set to “y” (i.e., enabled) and the wall command has to have setgid permissions.

CVE-2024-28085 impacts Ubuntu 22.04 and Debian Bookworm, as both criteria are met there by default. CentOS, on the other hand, is not vulnerable because its wall command is not setgid.

“On Ubuntu 22.04, we have enough control to leak a user’s password by default,” Ferrante said. “The only indication of attack to the user will be an incorrect password prompt when they correctly type their password, along with their password being in their command history.”

Similarly, on systems that allow wall messages to be sent, an attacker could potentially alter a user’s clipboard through escape sequences on select terminals like Windows Terminal. It does not work on GNOME Terminal.

Users are advised to update to util-linux version 2.40 to mitigate the flaw.
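The two pieces a defender wants from the description above are the escape-sequence neutralization that fixes this class of bug and a check of the two preconditions the article names (wall is setgid, mesg is ‘y’). The following is an added Python example, not code from util-linux or from the researcher; the regular expression, the caret-notation rendering and the function names are this example’s own choices, and the sample message is constructed.

```python
import re
import stat

# Constructed sample message (built for this example, not taken from the advisory):
# ordinary text interleaved with a CSI clear-screen, a CSI cursor-home, an OSC
# window-title sequence and a stray BEL byte.
SAMPLE_MESSAGE = (
    "Server reboot at 22:00"
    "\x1b[2J\x1b[H"            # CSI: clear screen, cursor home
    "\x1b]0;fake title\x07"    # OSC: set window title, BEL-terminated
    " please save work\x07\n"  # stray BEL, then a legitimate newline
)

# ESC-introduced sequences, longest forms first:
#   CSI             ESC [ params intermediates final-byte
#   OSC             ESC ] ... terminated by BEL or ST (ESC \), or running to end of input
#   DCS/SOS/PM/APC  ESC P|X|^|_ ... terminated by ST or BEL
#   anything else   ESC x (two-byte escape)
_ESCAPE_SEQUENCE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
    r"|\x1b[PX^_].*?(?:\x1b\\|\x07)"
    r"|\x1b.",
    re.DOTALL,
)


def neutralize_escapes(message: str) -> str:
    """Remove escape sequences and render any remaining C0/DEL control bytes
    visibly in caret notation (as `cat -v` does), keeping only newline and
    tab as-is, so the text cannot drive the receiving terminal."""
    stripped = _ESCAPE_SEQUENCE.sub("", message)
    out = []
    for ch in stripped:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))  # e.g. BEL (0x07) -> ^G
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def wall_is_exposed(wall_mode: int, mesg_output: str) -> bool:
    """Both preconditions from the advisory must hold: the wall binary is
    setgid and the target terminal accepts messages (`mesg` prints 'is y').
    Gather the inputs with `stat -c %a /usr/bin/wall` (parse as octal) and `mesg`."""
    return bool(wall_mode & stat.S_ISGID) and mesg_output.strip() == "is y"


if __name__ == "__main__":
    print(repr(neutralize_escapes(SAMPLE_MESSAGE)))
    print(wall_is_exposed(0o2755, "is y"), wall_is_exposed(0o755, "is y"))
```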


“[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users’ terminals, if mesg is set to y and *wall is setgid*,” according to the release notes. “Not all distros are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is set to y by default).”

The disclosure comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.

Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the underlying issue stems from a failure to sanitize netfilter verdicts, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. It has been addressed in a commit pushed on January 24, 2024.


The Golden Age of Automated Penetration Testing is Here

Mar 29, 2024 | The Hacker News | Pen Testing / Regulatory Compliance


Network penetration testing plays a vital role in detecting vulnerabilities that can be exploited. The current method of performing pen testing is pricey, leading many companies to undertake it only when necessary, usually once a year for their compliance requirements. This manual approach often misses opportunities to find and fix security issues early on, leaving businesses vulnerable to expensive cyberattacks and potential breaches. However, new technologies using automation and AI have revolutionized the process, making regular network pentesting easy and affordable. We’re now in the golden era of pentesting, where every company can assess the security of their networks without breaking the bank.

Automating pen testing is a game-changer

Automation in cybersecurity is becoming a big deal and it’s only going to get bigger. Nowadays, we need automation to help deal with the fact that there just aren’t enough cybersecurity pros to go around. Businesses can’t keep up with all their security needs just using people, even if they get some help from outside services or contractors. According to the United States National Institute of Standards and Technology (NIST), by 2025, a lack of available cybersecurity workers combined with simple negligence will cause more than half of major cybersecurity problems.

Getting into security automation and AI is a game-changer for companies wanting to beef up their cyber defenses without having to hire a bunch of extra people. Especially when money is tight, automating security is a smart move because it’s cheaper, faster, and just as good as the old-school way of doing things manually. Automated pentesting delivers unparalleled security benefits at a fraction of the price of manual pen testing. Companies can now opt for regular, on-point and wallet-friendly automated pen tests, empowering them to find weak spots and mitigate risk proactively.


8 Benefits of Automated Network Pentesting

Network penetration testing is important for keeping a company’s network security resilient and ready for anything hackers might throw at it. Here’s a quick rundown of eight benefits that an organization gets from assessing their networks regularly with pentesting.

  1. Finding and Fixing Weak Spots: Regular pen tests help IT professionals spot problems in your networks and devices before the bad guys do. This means you can patch things up or work around them, making it harder for hackers to sneak in or steal data.
  2. Catching What Other Tools Miss: Pen tests mimic real hacker attacks, finding security holes that vulnerability scans might overlook. This includes checking all of the factors that could lead to an intrusion like making sure your user permissions are tight and your security policies work in real life.
  3. Spotting Where Operations Can Improve: It’s not just about the tech. Pen testing can also show IT professionals where a company’s security processes, staff awareness, or response times might be lacking. Fixing these areas makes an organization’s overall security stronger and more resilient.
  4. Avoiding Downtime and Money Loss: Catching vulnerabilities early helps organizations avoid damaging cyberattacks and dodge breaches that could cost a company a fortune in money and time offline. Think about avoiding legal headaches, fines, and the costs of cleaning up a mess, not to mention keeping your good reputation and customer trust. According to a 2023 survey by Kaseya, more than half of the IT professionals polled said that their company lost over $50,000 to cybersecurity incidents.
  5. Staying on the Right Side of Regulators: Data protection regulations have proliferated on the regional and national levels. Plus, insurers can require regular security check-ups to issue and maintain cyber insurance policies. Those rules often include pen tests.
  6. Getting Inside a Hacker’s Mind: Pen tests give you the lowdown on how attackers think and what tricks they use, giving IT professionals the edge they need to beef up their company’s defenses and get everyone on the team in a security-first mindset.
  7. Putting Your Incident Plan to the Test: You can use pen tests to see if your plan for dealing with attacks works when push comes to shove. It’s all about being ready to spot, handle, and bounce back from security problems. Having a tested incident response plan can save 35% of the cost of an incident.
  8. Making Your Customers Feel Secure: Showing that you’re serious about security by doing regular pen tests can make your customers trust you more. People like knowing their data is in safe hands.

Don’t fall for the trap of only pentesting for compliance

Just doing network pen testing once per year to check a box isn’t enough these days. Cyber threats move and evolve lightning-fast today. A reactive approach leaves a lot of holes in a company’s defense that bad actors could slip through. Waiting too long between pen tests means a company might not catch easily fixed issues until after hackers have already taken advantage, which can lead to an expensive cybersecurity nightmare.

Just doing the bare minimum to meet compliance standards isn’t enough to stand up to the new, sophisticated cyberattacks that cybercriminals are launching at a record pace. The advent of widely available AI hasn’t just revolutionized cybersecurity. It has also revolutionized cybercrime. Companies need to be ready for the deluge of novel cyber threats that are headed their way. Pen testing helps IT professionals find the cracks that bad actors could slip through before there’s trouble.

Why should I pen test regularly?

Now is the perfect time for companies to get serious about regular network pen testing, thanks to automation. Here’s why every company should start using automated network pentesting immediately:

  • It saves money – Automated network pen testing is much cheaper than the old-school manual way. A company used to need to hire expensive skilled people or outsource the task, a scenario that was both slow and pricey. Not anymore. With automation, IT professionals can run pen tests frequently and, most importantly, cheaply.
  • You can scan more often – The digital world changes fast, with new weak spots popping up all the time. Automation lets you run pen tests a lot more often, keeping a constant watch for trouble. Automated tools like vPenTest from Vonahi Security can assess your systems and networks much more quickly than a person can, without burdening the IT team.
  • Better quality and consistency – Automated pen testing hits the mark every time, running the same checks consistently without human mistakes. These tools are super accurate, spotting problems precisely and giving IT pros the lowdown on how to fix them. This not only bumps up the quality of a company’s security checks but also helps the IT team keep track of how things are improving over time.

Automate network pentesting with vPenTest

For any company wanting to up their cybersecurity game, using automated solutions like vPenTest from Vonahi Security is a no-brainer. vPenTest is a comprehensive, on-demand network penetration testing solution designed for IT teams. With the power of automation and the latest methodologies, vPenTest enhances your security posture by making pen testing faster, more accurate, and cost-effective. vPenTest helps get you more bang for your buck. With vPenTest, your network assessments cover more ground, enabling you to uncover and remediate your exploitable vulnerabilities before they become a real problem. Say goodbye to manual processes and hello to the golden age of automation with vPenTest. Learn more about vPenTest today!

About Vonahi Security

Vonahi Security, a Kaseya Company, is a pioneer in building the future of offensive cybersecurity consulting services through automation. vPenTest from Vonahi is a SaaS platform that fully replicates manual internal and external network penetration testing, making it easy and affordable for organizations to continuously evaluate cybersecurity risks in real-time. vPenTest is used by managed service providers, managed security service providers, and internal IT teams. Vonahi Security is headquartered in Atlanta, GA.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.




Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

Mar 30, 2024 | Newsroom | Linux / Supply Chain Attack


Red Hat on Friday released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code,” the IBM subsidiary said in an advisory.


“This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

Specifically, the malicious code embedded in the library is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, potentially enabling a threat actor to break sshd authentication and gain unauthorized remote access to the system “under the right circumstances.”

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.


“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund said. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes.’”

Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.

Evidence shows that the affected packages are only present in Fedora 41 and Fedora Rawhide, and that Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap are not impacted.


Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below –

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).


Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware

Mar 30, 2024 | Newsroom | Malware / Cryptocurrency


Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware families, including Atomic Stealer, to Apple macOS users.

The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims’ Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.

One such attack chain targets users searching for Arc Browser on search engines like Google to serve bogus ads that redirect users to look-alike sites (“airci[.]net”) that serve the malware.

“Interestingly, the malicious website cannot be accessed directly, as it returns an error,” security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. “It can only be accessed through a generated sponsored link, presumably to evade detection.”

The disk image file downloaded from the counterfeit website (“ArcSetup.dmg”) delivers Atomic Stealer, which is known to request users to enter their system passwords via a fake prompt and ultimately facilitate information theft.


Jamf said it also discovered a phony website called meethub[.]gg that claims to offer a free group meeting scheduling software, but actually installs another stealer malware capable of harvesting users’ keychain data, stored credentials in web browsers, and information from cryptocurrency wallets.

Much like Atomic Stealer, the malware – which is said to overlap with a Rust-based stealer family known as Realst – also prompts the user for their macOS login password using an AppleScript call before carrying out its malicious actions.

Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invites.

“These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers,” the researchers said. “Those in the industry should be hyper-aware that it’s often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry.”

The development comes as MacPaw’s cybersecurity division Moonlock Lab disclosed that malicious DMG files (“App_v1.0.4.dmg”) are being used by threat actors to deploy a stealer malware designed to extract credentials and data from various applications.

This is accomplished by means of an obfuscated AppleScript and bash payload that’s retrieved from a Russian IP address, the former of which is used to launch a deceptive prompt (as mentioned above) to trick users into providing the system passwords.


“Disguised as a harmless DMG file, it tricks the user into installation via a phishing image, persuading the user to bypass macOS’s Gatekeeper security feature,” security researcher Mykhailo Hrebeniuk said.

The development is an indication that macOS environments are increasingly under threat from stealer attacks, with some strains even boasting sophisticated anti-virtualization techniques, such as a self-destructing kill switch, to evade detection.

In recent weeks, malvertising campaigns have also been observed pushing the FakeBat loader (aka EugenLoader) and other information stealers like Rhadamanthys via a Go-based loader through decoy sites for popular software such as Notion and PuTTY.
