New Speculative Execution Attack Targets ARM’s Memory Tagging Extension
Researchers have identified a new speculative execution attack, dubbed “TIKTAG,” that leaks the memory tags ARM’s Memory Tagging Extension (MTE) depends on. The attack succeeds more than 95% of the time and defeats MTE, a feature designed to catch memory-safety bugs such as buffer overflows and use-after-free by comparing a tag carried in the pointer with a tag attached to the memory it addresses. The study, by a team from Samsung, Seoul National University, and Georgia Institute of Technology, demonstrates TIKTAG against both the Linux kernel and Google Chrome.
MTE, introduced in the ARMv8.5-A architecture, uses low-overhead tagging to validate memory accesses, but TIKTAG uses speculative execution to leak the tags: the TIKTAG-v1 gadget relies on branch prediction and the TIKTAG-v2 gadget on store-to-load forwarding. Leaking a tag does not by itself expose sensitive data, but it removes MTE’s protection for the targeted allocation. A pointer tag is only four bits, so a blind out-of-bounds or use-after-free access has roughly a one-in-sixteen chance of matching by luck; an attacker who knows the tag can set it on a crafted pointer and the faulty access passes the check every time. ARM acknowledged the issue but stated that leaked tag values do not compromise the architecture’s fundamental principles, and neither ARM nor Chrome’s security team has prioritized an immediate fix.
Velvet Ant Hackers Exploit F5 BIG-IP Appliances to Steal Data
A cyberespionage group known as ‘Velvet Ant,’ suspected to be Chinese, has used custom malware to compromise F5 BIG-IP appliances, maintaining long-term access to internal networks and exfiltrating data for years. According to a Sygnia report, Velvet Ant leveraged outdated F5 BIG-IP devices in the victim’s network to establish multiple entry points. The devices, which handled critical functions such as load balancing and firewalling, were running vulnerable OS versions and were compromised through known remote code execution flaws. The attackers installed several malware families, including PlugX and PMCD, and routed their traffic through the appliances so it blended with legitimate traffic, making detection difficult. After the defenders’ eradication attempts, Velvet Ant redeployed the malware with new configurations.
The case highlights the need for regular patching, strict control of management ports, and stronger security for edge devices, which sit outside most endpoint monitoring. F5 advises running the latest software versions and using its diagnostic tools to confirm system security and performance.
Panera Bread Likely Paid Ransom in March Ransomware Attack
Panera Bread, a well-known American bakery-café chain, is believed to have paid a ransom following a ransomware attack in March, according to internal communications. Last week, the company notified employees that personal information, including names and Social Security numbers, had been stolen. The attack, which encrypted all of the company’s virtual machines, caused a week-long disruption affecting Panera’s website, phone systems, mobile app, point-of-sale, and internal systems. No ransomware gang claimed responsibility or leaked the stolen data, and the absence of such activity suggests a ransom was paid. An alleged employee on Reddit stated that Panera paid the hackers to prevent the data’s release. This claim was supported by an internal email from Senior Vice President KJ Payette, stating that Panera received assurances the stolen data was deleted. However, even when a ransom is paid, there is no guarantee that threat actors will not retain or misuse the data, as past incidents involving other companies have shown.
Scathing Report on Medibank Cyberattack Highlights Unenforced MFA
A recent report by Australia’s Information Commissioner reveals that misconfigurations and missed alerts enabled a hacker to breach Medibank, stealing data from over 9 million individuals. In October 2022, Medibank, an Australian health insurance provider, announced a cyberattack that disrupted its operations and led to the theft of customer data, including health claims. The breach, affecting 9.7 million people, was later linked to the BlogXX ransomware gang, an offshoot of the REvil gang, and traced back to Russian national Aleksandr Gennadievich Ermakov.
The Office of the Australian Information Commissioner (OAIC) found that from March 2021 to October 2022, Medibank failed to protect personal information adequately. The breach began when a Medibank contractor saved company credentials on a personal browser, which were later stolen via malware on the contractor’s home computer. The hacker used these credentials to access Medibank’s Microsoft Exchange server and VPN, exploiting the lack of enforced multi-factor authentication (MFA).
Medibank’s failure to enforce MFA allowed the attacker to move laterally within the network, stealing 520 GB of sensitive data. Additionally, the company’s Endpoint Detection and Response (EDR) software raised alerts in August 2022 that were not properly addressed. The breach was only discovered in mid-October during an investigation of a separate incident.
This case underscores the critical importance of MFA in protecting credentials and securing VPN gateways, which are frequently targeted by ransomware gangs to gain network access.
ONNX Phishing Service Targets Microsoft 365 Accounts at Financial Firms
ONNX Store, a new phishing-as-a-service (PhaaS) platform, is targeting Microsoft 365 accounts of financial sector employees using QR codes in PDF attachments. This platform, linked to the Arabic-speaking threat actor MRxC0DER, uses Telegram bots and bypasses two-factor authentication (2FA).
Since February 2024, ONNX attacks have involved phishing emails with PDF attachments containing malicious QR codes. The emails impersonate HR departments, using salary updates as the lure. Scanning the QR code sends the victim to a phishing page mimicking Microsoft 365’s login interface, where credentials and 2FA codes are captured and relayed to the attackers in real time, so the attacker’s session is authenticated before the code expires.
ONNX operates via Telegram, offering customizable phishing templates and encrypted JavaScript to evade detection. It uses Cloudflare services for domain protection and provides bulletproof hosting and remote desktop protocol (RDP) services for secure campaign management.
ONNX offers subscription tiers from $150 to $400 per month, with features like true login, one-time passwords, and advanced 2FA cookie stealing.
To counter these attacks, administrators should block unverified PDF and HTML attachments, restrict access to sites with untrusted certificates, and roll out FIDO2 hardware security keys: a FIDO2 assertion is bound to the origin the browser is actually on, so a relay page on a lookalike domain cannot produce one the real service will accept, unlike a code the victim can be tricked into typing. EclecticIQ provides YARA rules to detect PDFs carrying phishing QR codes.
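The difference between the code relay described above and the FIDO2 recommendation can be shown in code. A one-time code is six digits the real site can only compare, so a kit that forwards them within the time window is indistinguishable from the victim. A WebAuthn assertion instead carries the origin the browser observed and the hash of the relying-party ID inside the signed data, so the same relay fails. The Go program below is an added illustration written for this page, not code from EclecticIQ or from the ONNX kit; the site name login.example.com, the lookalike login-example.com, the challenge string and the key pair are constructed, and the browser and authenticator are modelled in a few lines rather than with a real WebAuthn library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// The legitimate relying party (assumed names for the demo).
const rpID = "login.example.com"
const rpOrigin = "https://" + rpID

// clientData is the part of WebAuthn CollectedClientData the site checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON, AuthData, Sig []byte // AuthData = rpIdHash(32)||flags(1)||signCount(4), simplified
}

// signedDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// browserGet models navigator.credentials.get() on a page whose real origin is
// pageOrigin. The browser, not the page, writes that origin into the signed
// client data, and it refuses an rpId the page's host does not fall under.
func browserGet(priv *ecdsa.PrivateKey, pageOrigin, requestedRPID, challenge string) (*assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != requestedRPID && !strings.HasSuffix(host, "."+requestedRPID) {
		return nil, errors.New("SecurityError: rpId is not a registrable suffix of the page origin")
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(requestedRPID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // UP flag set, signCount 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{ClientDataJSON: cd, AuthData: authData, Sig: sig}, nil
}

// rpVerify is the site's check. Origin and rpIdHash sit inside the signed
// material, so a proxy cannot rewrite them without invalidating the signature.
func rpVerify(pub *ecdsa.PublicKey, expectedChallenge string, a *assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony type or stale challenge (replay)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on a phishing page", cd.Origin, rpOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 32 || string(a.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// SimulateFIDORelay plays the kit: it forwards the real site's challenge to the
// victim's browser, which sits on pageOrigin, and submits whatever comes back.
// It returns the site's verdict (nil means the login was accepted).
func SimulateFIDORelay(pageOrigin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the key registered with the site
	challenge := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"                 // constructed; a real site draws this at random
	a, err := browserGet(priv, pageOrigin, rpID, challenge)
	if err != nil { // browser refused the real rpId on a lookalike host; ask for the kit's own host instead
		if a, err = browserGet(priv, pageOrigin, strings.TrimPrefix(pageOrigin, "https://"), challenge); err != nil {
			return err
		}
	}
	return rpVerify(&priv.PublicKey, challenge, a)
}

func main() {
	fmt.Println("real origin:", SimulateFIDORelay(rpOrigin))
	fmt.Println("relayed via lookalike:", SimulateFIDORelay("https://login-example.com"))
}
```

Run it with `go run`: the first call returns nil and the second an origin-mismatch error, whichever rpId the kit asks for. This origin binding is the property that makes hardware keys the effective answer to a PhaaS kit that defeats SMS and authenticator-app codes by relaying them.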
UNC3886 Hackers Use Linux Rootkits to Hide on VMware ESXi VMs
The Chinese threat actor UNC3886 has been using open-source rootkits, ‘Reptile’ and ‘Medusa,’ to remain hidden on VMware ESXi virtual machines, enabling credential theft, command execution, and lateral movement. According to cybersecurity firm Mandiant, UNC3886 exploited Fortinet and VMware zero-day vulnerabilities to breach various sectors, including government, telecommunications, and technology.
UNC3886 used Reptile, a kernel module providing stealth and backdoor access, and Medusa, which logs credentials and commands. These rootkits allowed the threat actor to maintain long-term persistence on compromised systems.
Additionally, UNC3886 employed custom malware tools:
- Mopsled: A backdoor used on vCenter servers.
- Riflespine: Leveraging Google Drive for command and control.
- Lookover: Capturing TACACS+ credentials.
- Backdoored SSH executables: Capturing and encrypting credentials.
- VMCI backdoors: Communicating between guest VMs and the ESXi host over the Virtual Machine Communication Interface, so the traffic never crosses the network and evades network monitoring.
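The report does not describe Lookover’s internals, but why a tool that watches TACACS+ from a compromised network device recovers credentials at all follows from the protocol itself: TACACS+ (RFC 8907) hides each packet body by XORing it with an MD5 keystream derived from the shared secret plus header fields that travel in the clear, so anyone holding the secret (for example, read from the device’s own configuration) can decode every packet, including the password in a PAP authentication START. The Go program below is an added example for this page, not code from Mandiant’s report or from UNC3886’s tooling; it implements that keystream and decodes a constructed capture, and the header values, username, password and shared secret are all made up.

```go
package main

import (
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

// tacHeader holds the header fields that feed TACACS+ body obfuscation
// (RFC 8907 section 4.5). Every field here travels in the clear.
type tacHeader struct {
	Version   byte // major<<4 | minor; 0xc0 is version 12.0
	SeqNo     byte // 1 for the client's first packet, then 2, 3, ...
	Flags     byte // bit 0 = TAC_PLUS_UNENCRYPTED_FLAG (body sent in the clear)
	SessionID uint32
}

// pseudoPad regenerates the RFC 8907 keystream for one packet:
//   MD5_1 = MD5(session_id || key || version || seq_no)
//   MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
// concatenated and truncated to n bytes. Only key is secret, so anyone holding
// the shared secret can rebuild the pad for every packet of every session.
func pseudoPad(h tacHeader, key []byte, n int) []byte {
	base := make([]byte, 4, 6+len(key))
	binary.BigEndian.PutUint32(base, h.SessionID)
	base = append(base, key...)
	base = append(base, h.Version, h.SeqNo)
	var pad, prev []byte
	for len(pad) < n {
		sum := md5.Sum(append(append([]byte{}, base...), prev...))
		prev = sum[:]
		pad = append(pad, prev...)
	}
	return pad[:n]
}

// transform XORs the body with the pad; the same call obfuscates and decodes.
func transform(h tacHeader, key, body []byte) []byte {
	if h.Flags&0x01 != 0 {
		return append([]byte{}, body...) // unencrypted flag set: nothing to undo
	}
	pad := pseudoPad(h, key, len(body))
	out := make([]byte, len(body))
	for i := range body {
		out[i] = body[i] ^ pad[i]
	}
	return out
}

// buildStartBody assembles an authentication START body for a PAP login; for
// PAP the password is carried in the data field (RFC 8907 section 5.1).
func buildStartBody(user, port, remAddr, password string) []byte {
	b := []byte{
		0x01, 0x01, 0x02, 0x01, // action LOGIN, priv_lvl 1, authen_type PAP, service LOGIN
		byte(len(user)), byte(len(port)), byte(len(remAddr)), byte(len(password)),
	}
	b = append(b, user...)
	b = append(b, port...)
	b = append(b, remAddr...)
	return append(b, password...)
}

// parseStartBody recovers user and password from a decoded PAP START body.
func parseStartBody(body []byte) (user, password string, err error) {
	if len(body) < 8 {
		return "", "", errors.New("short START body")
	}
	ul, pl, rl, dl := int(body[4]), int(body[5]), int(body[6]), int(body[7])
	if len(body) != 8+ul+pl+rl+dl || body[2] != 0x02 {
		return "", "", errors.New("length fields or authen_type inconsistent (wrong key?)")
	}
	return string(body[8 : 8+ul]), string(body[8+ul+pl+rl : 8+ul+pl+rl+dl]), nil
}

// RecoverCredentials is what a sniffer holding the shared secret does with a
// captured START packet: rebuild the pad from the header, XOR, parse.
func RecoverCredentials(h tacHeader, key, wireBody []byte) (string, string, error) {
	return parseStartBody(transform(h, key, wireBody))
}

// SampleCapture is a constructed on-the-wire START body, as a device would
// send it to the TACACS+ server, with a constructed header and secret.
func SampleCapture() (tacHeader, []byte) {
	h := tacHeader{Version: 0xc0, SeqNo: 1, SessionID: 0x1a2b3c4d}
	plain := buildStartBody("netadmin", "vty0", "10.0.0.5", "constructed-Passw0rd")
	return h, transform(h, []byte("constructed-shared-secret"), plain)
}

func main() {
	h, wire := SampleCapture()
	fmt.Printf("captured body, first 8 bytes: %x\n", wire[:8])
	fmt.Println(RecoverCredentials(h, []byte("constructed-shared-secret"), wire))
	fmt.Println(RecoverCredentials(h, []byte("wrong-key"), wire))
}
```

With the right secret the call returns the username and password; with the wrong one the XOR yields bytes whose length fields do not add up and parsing fails. RFC 8907 itself calls this mechanism obfuscation rather than encryption and recommends confining TACACS+ to a protected management network, which is why a compromised device that sees the traffic and holds the secret is enough to harvest network-device credentials, and why shared secrets should be rotated after such a compromise.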
Mandiant’s report provides indicators of compromise and YARA rules to detect UNC3886 activity. Further details on VMCI backdoors are expected in future updates.
CDK Global Outage Caused by BlackSuit Ransomware Attack
The BlackSuit ransomware gang is responsible for the massive IT outage at CDK Global, disrupting car dealerships across North America. Sources indicate that CDK is negotiating with the ransomware gang for a decryptor and to prevent data leaks.
The attack led CDK to shut down its IT systems, including its car dealership platform, to contain the spread. An attempted restoration resulted in a second incident, causing another shutdown. CDK’s SaaS platform supports essential car dealership operations. With the platform down, dealerships resorted to pen and paper, affecting car purchases and services.
Major dealerships like Penske Automotive Group and Sonic Automotive reported disruptions, implementing business continuity plans. CDK has warned of threat actors posing as CDK agents to gain unauthorized access.
BlackSuit, believed to be a rebrand of the Royal ransomware operation, launched in May 2023. Royal Ransomware is thought to be the successor to the Conti cybercrime syndicate. The FBI and CISA linked Royal and BlackSuit, noting similar tactics and coding overlaps. The advisory connected Royal to attacks on over 350 organizations and more than $275 million in ransom demands.
Conclusion
In conclusion, the cyber landscape is fraught with various threats, from zero-day vulnerabilities to ransomware attacks and phishing campaigns. Staying vigilant and implementing robust security measures is essential to safeguard sensitive data.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.