Cyber Threat Report - 4 Jun 2021
New variant of Rowhammer attack: Half-double
A new variant of the Rowhammer attack, called Half-Double, has been demonstrated by Google researchers.
Rowhammer abuses the physical design of modern DRAM (the memory chips) to alter their contents without ever writing to them. It was first shown on DDR3 in 2014; Half-Double works on some of today's DDR4 chips, whose smaller and more densely packed cells make the effect stronger and let it reach further than before.
What's fascinating about this attack is how it works:
A malicious application repeatedly reads chosen rows of memory cells at very high speed, flushing the CPU cache each time so that every read actually reaches the DRAM chip (a "row activation").
Because the cells are so small and so close together, each activation of an "aggressor" row electrically disturbs the rows next to it and causes charge to leak out of their cells.
Enough leakage flips bits in the neighbouring "victim" row from 1 to 0 or from 0 to 1, even though the attacker has no permission to write there. Previously the victim had to be immediately adjacent to the aggressor; Half-Double shows that on newer chips a very large number of accesses to a row two positions away, combined with a handful of accesses to the row in between, flips bits in the victim as well, which puts it beyond the reach of mitigations that only watch immediate neighbours.
If a flipped bit lands in something security-critical (a page-table entry, for example), the attacker can break out of the isolation that software and hardware normally enforce and take control of the targeted system.
Very clever stuff.
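To make the access pattern concrete, here is an added example written for this report (it is not Google's Half-Double research code). It shows the shape of a Rowhammer "hammer" loop with the far/near pattern described above, plus a checker that counts flipped bits in a victim row. The 8 KiB row stride, the heap layout and the iteration counts are assumptions: a real attack needs virtual addresses that map to physically adjacent DRAM rows, which this demo does not arrange, so on a healthy machine it should report zero flips.

```c
/* Added example written for this report; it is not Google's Half-Double
 * research code. It shows the shape of a Rowhammer "hammer" loop and a checker
 * that counts flipped bits in a victim region. The 8 KiB row stride and the
 * heap layout are assumptions: a real attack needs virtual addresses that map
 * to physically adjacent DRAM rows, which this demo does not arrange, so it
 * should report zero flips on a healthy machine. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROW_BYTES 8192   /* assumed DRAM row stride in bytes */

/* Evict one cache line so the next access to p reaches DRAM (a row
 * activation) instead of being served from the CPU cache. */
static inline void flush_line(const volatile void *p)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#else
    (void)p; /* no portable user-level flush here; accesses would stay cached */
#endif
}

/* The Half-Double access pattern: a very large number of uncached reads of
 * the "far" row (two rows from the victim) plus a handful of reads of the
 * "near" row (one row from the victim). near_every sets how often the near
 * row is touched. */
void hammer(volatile uint8_t *far_row, volatile uint8_t *near_row,
            unsigned long iters, unsigned long near_every)
{
    for (unsigned long i = 0; i < iters; i++) {
        (void)*far_row;
        flush_line(far_row);
        if (near_every && i % near_every == 0) {
            (void)*near_row;
            flush_line(near_row);
        }
    }
}

/* Count bits in buf that differ from the fill pattern expected. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t expected)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ expected;
        while (diff) { flips += diff & 1u; diff >>= 1; }
    }
    return flips;
}

/* Demo: fill a region with 0xFF, pick a victim row in the middle, hammer the
 * rows one and two strides above it, then scan the victim for flips.
 * Returns the flip count, or (size_t)-1 if allocation failed. */
size_t half_double_demo(unsigned long iters)
{
    size_t region = 64 * ROW_BYTES;
    uint8_t *mem = malloc(region);
    if (!mem) return (size_t)-1;
    memset(mem, 0xFF, region);
    uint8_t *victim   = mem + 32 * ROW_BYTES;
    uint8_t *near_row = victim - 1 * ROW_BYTES;
    uint8_t *far_row  = victim - 2 * ROW_BYTES;
    unsigned long near_every = iters / 16 ? iters / 16 : 1; /* ~16 near accesses */
    hammer(far_row, near_row, iters, near_every);
    size_t flips = count_bit_flips(victim, ROW_BYTES, 0xFF);
    free(mem);
    return flips;
}

int main(void)
{
    printf("flipped bits in victim row: %zu\n", half_double_demo(200000));
    return 0;
}
```

The cache flush is the part that matters: without it the repeated reads are served from the CPU cache and the DRAM row is never re-activated, which is also why some defences try to detect the flush-and-reload access pattern rather than the memory rows themselves.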
Chinese cyber groups targeting US and EU organisations
Two China-linked threat groups, tracked as UNC2630 and UNC2717, are deploying new strains of malware on compromised networks. Most recently they have targeted US and European organisations after exploiting a zero-day vulnerability in Pulse Secure VPN appliances.
The targets operate in the government, defence, technology, transportation and financial sectors, many of which are named as strategic priorities in China's latest Five-Year Plan.
The groups are skilled at avoiding detection: they alter file timestamps (timestomping), delete evidence and remove their own files, which makes it hard to establish when a system was compromised and what was stolen.
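Timestomping is cheap for an attacker but leaves a trace that responders can look for. The following is an added example written for this report (it is neither the groups' tooling nor any vendor's detection logic): a triage heuristic for backdated files on a POSIX filesystem. Tools like utime()/touch can set atime and mtime to any value, but the kernel stamps ctime (inode change time) with the current clock on every metadata change, and ctime cannot be set from user space without moving the system clock. A file whose mtime is far older than its ctime, or lies in the future, has had its timestamps altered after it was last written. The margin and the /tmp paths are assumptions; note that package managers and tar also preserve mtime, so this is a signal to run over a narrow scope (a web root, a dropped tool's directory), not a verdict over a whole disk.

```c
/* Added example written for this report; it is not the threat groups' tooling
 * or any vendor's detection logic. It implements a triage heuristic for
 * backdated files on a POSIX filesystem: mtime can be rewritten freely, but
 * ctime is set by the kernel on every metadata change and cannot be set from
 * user space, so "mtime much older than ctime" or "mtime in the future" means
 * the timestamps were altered after the last write. The margin (assumption)
 * hides ordinary chmod/rename churn; package installs and tar extractions also
 * preserve mtime, so scope the scan narrowly. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <utime.h>

/* Returns 1 if path looks timestomped, 0 if not, -1 if it cannot be stat'ed. */
int timestamp_suspicious(const char *path, double margin_seconds)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    double now    = (double)time(NULL);
    double mtime  = (double)st.st_mtime;
    double ctime_ = (double)st.st_ctime;
    if (mtime > now + margin_seconds) return 1;     /* modified "in the future" */
    if (ctime_ - mtime > margin_seconds) return 1;  /* mtime pushed back after last inode change */
    return 0;
}

/* Demo helper: write a small constructed file, then (if backdate_days > 0)
 * rewrite its atime/mtime the way a timestomping tool would. Returns 0 on success. */
int make_sample_file(const char *path, int backdate_days)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("constructed sample content\n", f);
    fclose(f);
    if (backdate_days > 0) {
        struct utimbuf times;
        times.actime = times.modtime = time(NULL) - (time_t)backdate_days * 86400;
        if (utime(path, &times) != 0) return -1;
    }
    return 0;
}

int main(void)
{
    const char *old_file = "/tmp/ts_demo_backdated";   /* assumed writable location */
    const char *new_file = "/tmp/ts_demo_fresh";
    if (make_sample_file(old_file, 730) != 0 || make_sample_file(new_file, 0) != 0) {
        perror("make_sample_file");
        return 1;
    }
    printf("%s: %d\n", old_file, timestamp_suspicious(old_file, 3600.0)); /* 1 */
    printf("%s: %d\n", new_file, timestamp_suspicious(new_file, 3600.0)); /* 0 */
    remove(old_file);
    remove(new_file);
    return 0;
}
```

On Windows the same idea applies but the fields differ: NTFS keeps a second set of timestamps in the $FILE_NAME attribute that the usual APIs do not update, so there the comparison is $STANDARD_INFORMATION against $FILE_NAME rather than mtime against ctime.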
New Linux Backdoor Identified
Linux sits underneath Android and most of the IoT devices we use today, such as smart speakers and household appliances. Linux has a strong security record, but that ubiquity makes it a tempting target for cybercriminals.
A new Linux backdoor called Facefish has been identified. It can steal login credentials and device information, execute commands sent by its operators and deploy multiple rootkits.
It is thought that the purpose of this backdoor is to use the compromised system as part of a botnet.
Steam used in a new phishing campaign
A clever new phishing campaign has been spotted on the gaming platform Steam.
Users receive a message from a Steam friend asking them to vote for their team. The link leads to a legitimate-looking website where the user is offered the option to sign in via Steam in order to vote.
Because this is such a common flow it is not immediately alarming, but clicking the 'Sign in via Steam' button opens what looks like a new browser window for entering credentials. The 'window' is in fact an overlay drawn on top of the phishing page with HTML, CSS and JavaScript (a browser-in-the-browser window), yet it can be minimised and dragged around and carries all of the Steam and Valve branding, so it is very well designed and could easily fool people. One tell that survives: a real pop-up can be dragged outside the main browser window, whereas the fake one cannot leave the page.
This is not cross-site scripting: no code runs on Steam's own site. Instead the phishing page passes whatever is typed into the fake window straight on to the real Steam login, so the login genuinely succeeds. That is what makes it so dangerous for MFA users: Steam sends them their code as it normally would, they type it into the fake window, and the attacker now has the code needed to complete the login. They can then change the MFA contact details and lock the victim out of the account.
Phishing attempts are getting more complex and better designed, so it is paramount that we are more vigilant than ever. Treat every unexpected login prompt as suspicious.
8.3 million plaintext passwords exposed in DailyQuiz data breach
Nearly 13 million user account records were stolen from DailyQuiz (a platform for creating and sharing quizzes) earlier this year, including 8.3 million passwords stored in plaintext.
The data was originally offered for sale for $2,000 but has recently been leaked publicly.
The data has been passed to haveibeenpwned.com so that people can check whether their account is included. Anyone affected should change their DailyQuiz password and, because the passwords were stored in plaintext, the same password anywhere else it was reused.
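Checking a password against a leak like this does not require handing the password to anyone. The following is an added example written for this report (it is not haveibeenpwned.com's own client code) showing the k-anonymity lookup behind the site's Pwned Passwords service: the client SHA-1 hashes the password, sends only the first five hex characters to https://api.pwnedpasswords.com/range/{prefix}, and the service answers with every suffix it holds for that prefix plus a breach count, so the full hash never leaves the machine. The range response in the block is constructed for the demo (the counts are made up); fetching the real one over HTTPS is left to the caller.

```c
/* Added example written for this report; it is not haveibeenpwned.com's own
 * client code. It shows the k-anonymity lookup behind the Pwned Passwords
 * service: SHA-1 the password, send only the first five hex characters to
 * https://api.pwnedpasswords.com/range/{prefix}, and match the remaining 35
 * characters locally against the returned "SUFFIX:COUNT" lines. The range
 * response below is constructed for the demo; fetching the real one is left
 * to the caller. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Compact single-shot SHA-1 (FIPS 180-4); fine for short inputs like passwords. */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[20])
{
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    size_t total = ((len + 8) / 64 + 1) * 64;            /* padded length */
    uint8_t *buf = calloc(total, 1);
    if (!buf) { memset(out, 0, 20); return; }
    memcpy(buf, msg, len);
    buf[len] = 0x80;                                      /* padding marker */
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++) buf[total - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < total; off += 64) {
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int t = 0; t < 16; t++)
            w[t] = (uint32_t)buf[off + 4*t] << 24 | (uint32_t)buf[off + 4*t + 1] << 16 |
                   (uint32_t)buf[off + 4*t + 2] << 8 | buf[off + 4*t + 3];
        for (int t = 16; t < 80; t++) w[t] = rol(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16], 1);
        for (int t = 0; t < 80; t++) {
            uint32_t f, k;
            if (t < 20)      { f = (b & c) | (~b & d);           k = 0x5A827999; }
            else if (t < 40) { f = b ^ c ^ d;                    k = 0x6ED9EBA1; }
            else if (t < 60) { f = (b & c) | (b & d) | (c & d);  k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                    k = 0xCA62C1D6; }
            uint32_t tmp = rol(a, 5) + f + e + k + w[t];
            e = d; d = c; c = rol(b, 30); b = a; a = tmp;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < 5; i++) {
        out[4*i]   = (uint8_t)(h[i] >> 24); out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8);  out[4*i+3] = (uint8_t)h[i];
    }
}

/* Uppercase hex SHA-1 of a string into hex[41] (HIBP uses uppercase). */
void sha1_hex(const char *s, char hex[41])
{
    static const char digits[] = "0123456789ABCDEF";
    uint8_t d[20];
    sha1((const uint8_t *)s, strlen(s), d);
    for (int i = 0; i < 20; i++) { hex[2*i] = digits[d[i] >> 4]; hex[2*i+1] = digits[d[i] & 15]; }
    hex[40] = '\0';
}

/* Write the 5-char prefix to send into prefix_out (6 bytes), then search a
 * range response (lines of "SUFFIX:COUNT", CRLF or LF) for the remaining 35
 * characters. Returns the breach count, or 0 if the suffix is absent. */
long pwned_count(const char *password, const char *range_response, char prefix_out[6])
{
    char hex[41];
    sha1_hex(password, hex);
    memcpy(prefix_out, hex, 5);
    prefix_out[5] = '\0';
    const char *suffix = hex + 5;
    const char *line = range_response;
    while (*line) {
        const char *end = line;
        while (*end && *end != '\r' && *end != '\n') end++;
        if (end - line > 36 && line[35] == ':' && strncmp(line, suffix, 35) == 0)
            return strtol(line + 36, NULL, 10);
        line = end;
        while (*line == '\r' || *line == '\n') line++;
    }
    return 0;
}

/* Constructed stand-in for GET /range/5BAA6: the middle line carries the real
 * suffix of SHA-1("password"), but all three counts are made up. */
const char *DEMO_RANGE_5BAA6 =
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E2D8A1B1E3A0C7E9F5E4D3C2B1A0F9E8D7:7\r\n";

int main(void)
{
    char prefix[6];
    long n = pwned_count("password", DEMO_RANGE_5BAA6, prefix);
    printf("send GET /range/%s ; times seen in breaches: %ld\n", prefix, n);
    return 0;
}
```

A non-zero count means the password has appeared in a breach corpus and should be retired everywhere it was used; a zero count is not proof of safety, only that this particular leak set does not contain it.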
That's all for now, stay safe!