Jul 04 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that thinks even if Anonymous, Lazarus, and Fancy Bear teamed up they couldn’t hack the Tories out of the thrashing they are about to receive 🗳️ #GeneralElection2024
Today’s hottest cybersecurity news stories:
Something smells WiFi! Scammer creates fake inflight WiFi ✈️
🕵🏻‍♂️ MerkSpy spyware tool delivered via Microsoft MSHTML flaw
👨🏻‍💻 New Intel CPU vulnerability 'Indirector' exposes sensitive data
Australian authorities arrested a man for using a portable Wi-Fi device to set up scam networks on flights, stealing data from unsuspecting passengers. Here's the scoop:
✈️ In-Flight Data Theft
During a domestic flight, airline employees noticed a suspicious Wi-Fi network. Upon landing in Perth, police found a 42-year-old man from Western Australia with a portable access point, a laptop, and a mobile phone in his carry-on luggage.
🕵️‍♀️ Sneaky Tactics
The man allegedly used these devices to create fake Wi-Fi access points mid-flight, tricking passengers into logging on and entering personal information such as email addresses and social media credentials. The investigation revealed similar cybercrimes at airports in Melbourne, Adelaide, and other locations.
Safety Tips from Authorities
Andrea Colman, a cybercrime detective inspector with the Australian Federal Police (AFP), advises that you should never have to enter personal details to connect to a free Wi-Fi network. To protect yourself, install a reputable VPN on your devices so that your traffic is encrypted between your device and the VPN provider even on a hostile network; note that a VPN cannot protect details you type into a captive-portal page before the tunnel is up. Colman also suggests disabling Wi-Fi on mobile devices in public to prevent automatic connections to malicious hotspots.
"When using a public network, disable file sharing, don't do anything sensitive like banking, and change your device settings to 'forget network' once you're done," Colman added.
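The rogue access point in this story is a classic evil twin: a hotspot that copies the name passengers expect and serves a captive portal asking for credentials. The following script is an added example, not code from the AFP investigation or from this newsletter. It triages a Wi-Fi scan (the kind of table `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi` or `netsh wlan show networks mode=bssid` produces) and flags access points that imitate a network you trust. The allow-listed SSID, the vendor OUIs and the scan rows are all constructed for the example.

```python
"""Evil-twin triage for a Wi-Fi scan (added example; constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str      # access point MAC; the first three octets are the vendor OUI
    security: str   # "" for an open network, otherwise e.g. "WPA2" or "WPA3"
    signal: int     # signal strength in percent


# Hypothetical allow-list: SSID -> vendor OUIs the carrier's in-flight access
# points are known to use. In practice this comes from the fleet inventory.
KNOWN_NETWORKS = {"AirlineWiFi": {"00:11:22"}}

# Look-alike folding: case, separators and digit/letter confusables are collapsed
# so that "Air1ine-WiFi" and "AirlineWiFi" compare equal.
_CONFUSABLES = str.maketrans({"1": "i", "l": "i", "|": "i", "0": "o", "5": "s"})


def canonical(ssid: str) -> str:
    return re.sub(r"[\s_\-.]", "", ssid.lower()).translate(_CONFUSABLES)


def oui(bssid: str) -> str:
    return bssid.upper()[:8]


def triage(scan, known=KNOWN_NETWORKS):
    """Return (ssid, bssid, reason) for each access point worth distrusting.

    Rules: a known SSID served from an unexpected vendor OUI (the evil-twin
    signature); an SSID that folds to or contains a known one (look-alike);
    and any open network we do not recognise, which is where a captive portal
    can ask for credentials a legitimate hotspot would never need."""
    findings = []
    for ap in scan:
        folded = canonical(ap.ssid)
        hit = next(((real, ouis) for real, ouis in known.items()
                    if canonical(real) in folded), None)
        reasons = []
        if hit:
            real, ouis = hit
            if ap.ssid != real:
                reasons.append(f"look-alike of '{real}'")
            elif oui(ap.bssid) not in ouis:
                reasons.append("known SSID from unexpected vendor OUI (evil twin?)")
        elif not ap.security:
            reasons.append("unrecognised open network")
        if reasons:
            findings.append((ap.ssid, ap.bssid, "; ".join(reasons)))
    return findings


# Constructed scan: one legitimate AP, an evil twin with a stronger signal,
# a look-alike SSID, an unknown open hotspot and an unrelated secured network.
SAMPLE_SCAN = [
    ScanResult("AirlineWiFi", "00:11:22:AA:BB:01", "", 62),
    ScanResult("AirlineWiFi", "AA:BB:CC:DD:EE:01", "", 95),
    ScanResult("Airline-WiFi_Free", "AA:BB:CC:DD:EE:02", "", 90),
    ScanResult("Free_Airport_WiFi", "AA:BB:CC:DD:EE:03", "", 70),
    ScanResult("Hotspot_7F3", "DE:AD:BE:EF:00:01", "WPA2", 40),
]

if __name__ == "__main__":
    for ssid, bssid, why in triage(SAMPLE_SCAN):
        print(f"{ssid:20} {bssid}  {why}")
```

The OUI check is the useful one: an attacker can copy an SSID freely, but the MAC of a consumer travel router rarely matches the vendor of the aircraft's installed kit. Signal strength is deliberately not a rule, because a legitimate cabin AP and a router two rows away can both read as strong.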
👮🏻 Facing Charges
The suspect now faces nine separate cybercrime charges. Travellers are urged to stay vigilant and cautious when using public Wi-Fi.
Stay safe and secure! 🛡️
Unknown threat actors have been exploiting a patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy. Here's the scoop:
Targeting Canada, India, Poland, and the U.S.
Fortinet FortiGuard Labs researcher Cara Lin reports that MerkSpy is designed to stealthily monitor user activities, capture sensitive information, and establish persistence on compromised systems.
The Attack Chain
The attack begins with a Microsoft Word document disguised as a job description for a software engineer. Opening the file triggers exploitation of CVE-2021-40444, a high-severity remote code execution flaw in MSHTML, the browser engine Office uses to render embedded web content; once the document is opened, no further user interaction is needed. Microsoft patched the vulnerability in September 2021, so the campaign relies on hosts that never received the fix.
👨🏻‍🏫 Execution Steps
The malicious document downloads an HTML file ("olerender.html") from a remote server. After checking the operating system version, this file runs embedded shellcode: it calls 'VirtualProtect' to change the permissions of the memory region holding the shellcode so that the region becomes executable, then 'CreateThread' to run the shellcode in a new thread. The shellcode in turn downloads and runs the next payload from the attacker’s server.
MerkSpy Deployment
The shellcode downloads a file deceptively named "GoogleUpdate," which harbors an injector payload. The injector is built to evade security software and loads MerkSpy into memory. MerkSpy establishes persistence through a Windows Registry entry so that it launches automatically at startup, then captures sensitive information, monitors user activity, and exfiltrates the data to the attackers' servers.
💾 Data Exfiltration
MerkSpy captures screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. This information is transmitted to "45.89.53[.]46/google/update[.]php."
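Each stage of the chain above leaves a detectable trace on the endpoint: Office talking to the exfiltration host, Office spawning a child process, a Run-key entry pointing at a file in a user-writable directory, and an "updater" executing from a temp folder. The following detection logic is an added example, not code from Fortinet or from this newsletter. The events are constructed in the shape of Sysmon records (ID 1 process create, ID 3 network connect, ID 13 registry value set); the field names, the paths and the benign IP address are this example's own, and the only real indicator is the C2 host from the report, un-defanged for matching.

```python
"""Endpoint detections for the MerkSpy-style chain (added example; constructed events)."""
import os

IOC_C2 = {"45.89.53.46"}  # exfiltration host named in the Fortinet report
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEY = "\\currentversion\\run\\"
USER_WRITABLE = ("\\appdata\\local\\temp", "\\appdata\\roaming",
                 "\\users\\public", "\\programdata")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return one alert per (rule, pid); repeat hits on the same pair are folded."""
    alerts, seen = [], set()

    def raise_alert(rule, severity, e, **extra):
        key = (rule, e["pid"])
        if key not in seen:
            seen.add(key)
            alerts.append({"rule": rule, "severity": severity, "pid": e["pid"],
                           "image": basename(e["image"]), **extra})

    for e in events:
        img = basename(e["image"])
        path = e["image"].lower()
        # Office should not spawn executables; here it launches the dropped "updater".
        if e["id"] == 1 and basename(e.get("parent_image", "")) in OFFICE_APPS:
            raise_alert("office_spawns_child", "high", e, parent=basename(e["parent_image"]))
        # Office reaching the network is worth a look; reaching the known C2 is critical.
        if e["id"] == 3 and img in OFFICE_APPS:
            sev = "critical" if e["dest_ip"] in IOC_C2 else "medium"
            raise_alert("office_network", sev, e, dest_ip=e["dest_ip"])
        # Persistence: a Run value whose data points into a user-writable directory.
        if e["id"] == 13 and RUN_KEY in e["target"].lower():
            if any(p in e.get("details", "").lower() for p in USER_WRITABLE):
                raise_alert("run_key_user_writable", "high", e, target=e["target"])
        # Masquerading: a "GoogleUpdate" binary executing from a temp/public directory.
        if img.startswith("googleupdate") and any(p in path for p in USER_WRITABLE):
            raise_alert("masquerading_updater", "medium", e)
    return alerts


# Constructed events (paths and the 203.0.113.10 address are invented).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROP = r"C:\Users\victim\AppData\Local\Temp\GoogleUpdate.exe"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": WORD, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 4120, "image": WORD, "dest_ip": "45.89.53.46", "dest_port": 80},
    {"id": 1, "pid": 5001, "image": DROP, "parent_image": WORD},
    {"id": 13, "pid": 5001, "image": DROP, "details": DROP,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate"},
    {"id": 3, "pid": 5001, "image": DROP, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 1, "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The Office rules fire on the Word process itself because CVE-2021-40444 runs the shellcode inside WINWORD.EXE; nothing injected yet, so process lineage and the network connection are the earliest signals, well before the Run key appears.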
⚠️ Related Threats
Symantec detailed a smishing campaign targeting U.S. users with fake SMS messages from Apple. These messages trick users into clicking on bogus credential-harvesting pages. The malicious website uses a CAPTCHA for perceived legitimacy before directing users to an outdated iCloud login template.
Stay vigilant and secure! 🛡️
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤖💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, and Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯
🕵️ Finally, leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples! 🦦
Presspool.ai 📰🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters
Modern Intel CPUs, including Raptor Lake and Alder Lake, are vulnerable to a new side-channel attack called Indirector. Here's the scoop, y’all!
🛠️ Vulnerability Exploited
Researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen discovered the Indirector attack. It exploits weaknesses in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to bypass existing defences and break the isolation between processes and privilege levels that the CPU is supposed to enforce.
How It Works
The IBP predicts the target addresses of indirect branches, i.e. control-flow instructions (indirect jumps, calls and returns) whose destination is computed at runtime rather than encoded in the instruction. Indirector abuses the IBP to mount Branch Target Injection (BTI) attacks, also known as Spectre v2 (CVE-2017-5715): the attacker trains the predictor so that a victim's indirect branch speculatively jumps to an attacker-chosen gadget, and the transiently executed gadget leaks data through a side channel such as the cache.
🧩 Custom Tool: iBranch Locator
The researchers built a custom tool, iBranch Locator, to find a victim's indirect branches, then performed precise IBP and BTB injections to steer speculative execution. These high-resolution attacks hijack the control flow of victim programs, causing speculative jumps to arbitrary locations and leaking secrets.
Severity and Response
Yavarzadeh emphasised that Indirector attacks are more severe than previous attacks such as Pathfinder, which targeted the Conditional Branch Predictor. The team reverse engineered the structure of the IBP and BTB in detail, which is what lets Indirector mount highly targeted attacks.
Intel, informed of the findings in February 2024, stated that its existing guidance on IBRS, eIBRS and the mitigations for BHI (Branch History Injection) is effective against this new research, and that no new guidance is required. The researchers recommend using the Indirect Branch Predictor Barrier (IBPB) more aggressively and hardening the Branch Prediction Unit (BPU) with more complex tags, encryption, and randomisation.
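Since Intel's position is that IBRS, eIBRS and the BHI mitigations already cover Indirector, the practical check on a Linux fleet is whether the kernel actually has them active. The kernel reports this in `/sys/devices/system/cpu/vulnerabilities/spectre_v2` as a single line: a verdict ("Mitigation: ...", "Vulnerable: ...", or "Not affected") followed by separated "Name: state" fields such as `IBPB` and `BHI` (newer kernels separate fields with semicolons, older ones with commas). The script below is an added example, not code from the Indirector researchers, Intel or this newsletter; the sample lines are constructed in the kernel's reporting format, and the parser treats any field it does not know as informational only.

```python
"""Assess the kernel's Spectre v2 / BTI mitigation report (added example; constructed samples)."""
import re
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")


def parse_spectre_v2(line: str) -> dict:
    """Split 'Verdict: primary; Name: state; ...' into its parts."""
    parts = re.split(r"\s*[;,]\s*", line.strip())
    verdict, _, primary = parts[0].partition(":")
    fields = {}
    for part in parts[1:]:
        name, _, state = part.partition(":")   # flags like "RSB filling" have no state
        if name.strip():
            fields[name.strip()] = state.strip()
    return {"verdict": verdict.strip(), "primary": primary.strip(), "fields": fields}


def assess(line: str):
    """Return (status, problems): 'ok' when an indirect-branch mitigation is active
    and both IBPB and BHI are reported as handled, otherwise 'review'."""
    info = parse_spectre_v2(line)
    if info["verdict"] == "Not affected":
        return "ok", []
    problems = []
    if info["verdict"] != "Mitigation":
        problems.append(f"kernel verdict: {line.strip()}")
    elif not any(k in info["primary"] for k in ("IBRS", "Retpoline", "LFENCE")):
        problems.append(f"no indirect-branch mitigation: {info['primary']}")
    fields = info["fields"]
    bhi = fields.get("BHI", "")
    if not bhi or bhi.startswith("Vulnerable"):
        problems.append(f"BHI: {bhi or 'not reported'}")
    ibpb = fields.get("IBPB", "")
    if ibpb in ("", "disabled"):
        problems.append(f"IBPB: {ibpb or 'not reported'}")
    return ("ok" if not problems else "review"), problems


def local_status():
    """Assess the running host, or None where sysfs is absent (non-Linux, sandboxed container)."""
    if not SYSFS.exists():
        return None
    return assess(SYSFS.read_text())


# Constructed samples in the kernel's format: eIBRS with BHI_DIS_S (what Alder/Raptor
# Lake with a current kernel should show), retpolines with BHI left open, and the
# eIBRS-plus-unprivileged-eBPF hole the kernel reports as a verdict of its own.
EIBRS_OK = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
            "PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S")
RETPOLINE_BHI = ("Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; "
                 "RSB filling; PBRSB-eIBRS: Not affected; BHI: Vulnerable, KVM: SW loop")
EBPF_HOLE = "Vulnerable: eIBRS with unprivileged eBPF"

if __name__ == "__main__":
    for sample in (EIBRS_OK, RETPOLINE_BHI, EBPF_HOLE):
        print(assess(sample))
    print("this host:", local_status())
```

A "review" result is a prompt to look, not proof of exposure: the kernel line says what is configured, while microcode level and hypervisor settings decide whether eIBRS and BHI_DIS_S are really available to the guest.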
🦾 Similar Issues in Arm CPUs
Arm CPUs also face a speculative execution attack called TikTag, which targets the Memory Tagging Extension (MTE). The researchers identified new TikTag gadgets capable of leaking the MTE tag of an arbitrary memory address with over a 95% success rate in under four seconds, which lets an attacker bypass the tag check MTE relies on to catch memory-corruption exploits.
Arm responded by noting that MTE offers limited deterministic defences and broader probabilistic defences but isn't foolproof against skilled adversaries.
Stay vigilant and secure! 🛡️
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!