Sep 13 2024
Welcome to Gone Phishing, your weekly cybersecurity newsletter that leaves cybercriminals sleeping with the phishes
Patch of the Week! 🩹
First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it…
Congrats to Veeam, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨 Veeam Urgently Patches 18 Security Flaws!
Veeam has released updates to fix 18 security vulnerabilities, including five critical flaws that could allow remote code execution.
Key vulnerabilities include CVE-2024-40711 (CVSS 9.8) and CVE-2024-38650 (CVSS 9.9), affecting Veeam Backup & Replication, Veeam ONE, and Veeam Service Provider Console. Users should update to the latest versions immediately to mitigate risks, as Veeam has become a popular target for ransomware attacks.
Notably, Rapid7 reports that Veeam was exploited in over 20% of its incident response cases in 2024! ⚠️
Now, on to this week’s hottest cybersecurity news stories:
New RAMBO attack steals data with RAM radio signals
Mustang Panda bamboozles Asia-Pacific govts with malware
Chinese hackers target human rights studies in Middle East
A novel side-channel attack named RAMBO has been uncovered, leveraging radio signals emitted by a device’s random access memory (RAM) to exfiltrate sensitive data from air-gapped networks.
This technique was developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at Ben Gurion University in Israel. RAMBO uses software-generated radio signals to encode and transmit sensitive information, such as files, images, encryption keys, and biometric data, posing a significant threat to highly secure, isolated systems.
How RAMBO Works
The attack relies on software-defined radio (SDR) hardware and a simple antenna to intercept the radio signals emitted by compromised devices.
A remote attacker uses the SDR to demodulate those signals and translate them back into the binary data that was exfiltrated.
The malware manipulates the RAM’s clock frequencies to generate electromagnetic emissions; the data is Manchester encoded onto those emissions, allowing it to be transmitted covertly.
This technique has been demonstrated on systems with Intel i7 3.6GHz CPUs and 16 GB RAM, achieving data exfiltration speeds of up to 1,000 bits per second.
Exfiltration Capabilities of RAMBO
The RAMBO attack can leak various types of data, including keystrokes, documents, and biometric information.
For example:
Keystrokes: Exfiltrated in real-time with 16 bits per key.
RSA Encryption Keys: A 4096-bit key can be exfiltrated in about 41.96 seconds at low speeds.
Small Files: Biometric data, images (.jpg), and documents (.txt, .docx) can be transmitted within 400 seconds at slower speeds and even faster at higher speeds.
The efficiency of RAMBO makes it capable of leaking relatively brief information over a short period, underscoring the risk it poses to air-gapped systems.
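The Manchester coding step that the "How RAMBO Works" section names, and the bits-per-second figures in the list above, are easier to reason about with the coding layer in front of you. The following is an illustration added for this edit, not code from Dr. Guri's paper or from the newsletter: it models only the line-coding layer (each data bit becomes two half-bit symbols, guaranteeing a mid-bit transition the receiver can clock on), decodes a frame the way an SDR receiver would after demodulation, rejects a corrupted symbol pair instead of mis-decoding it, and computes channel airtime at a given bit rate. The preamble, the length byte and the IEEE 802.3 polarity (0 → "10", 1 → "01") are assumptions; the page does not say how RAMBO frames its data.

```python
"""Manchester line coding as an educational model of RAMBO's coding layer.

Added illustration; not code from the RAMBO paper. Framing (preamble, length
byte) and the IEEE 802.3 polarity are assumptions not stated on the page.
"""
from typing import Optional

# Constructed framing: alternating bits let a receiver lock its symbol timing.
PREAMBLE_BITS = "10101010"


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    if len(bits) % 8:
        raise ValueError("bit string is not byte aligned")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def manchester_encode(bits: str) -> str:
    """Map each bit to a symbol pair, so every bit period contains a transition."""
    return "".join("01" if bit == "1" else "10" for bit in bits)


def manchester_decode(symbols: str) -> Optional[str]:
    """Return the bit string, or None if any pair lacks the mandatory transition.

    "00" or "11" can only come from noise or a dropped sample, so the decoder
    fails closed rather than guessing a bit value.
    """
    if len(symbols) % 2:
        return None
    out = []
    for i in range(0, len(symbols), 2):
        pair = symbols[i:i + 2]
        if pair == "01":
            out.append("1")
        elif pair == "10":
            out.append("0")
        else:
            return None
    return "".join(out)


def frame(payload: bytes) -> str:
    """Transmitter side: preamble + length byte + payload, Manchester coded."""
    if len(payload) > 255:
        raise ValueError("single-frame demo supports up to 255 bytes")
    body = bytes_to_bits(bytes([len(payload)]) + payload)
    return manchester_encode(PREAMBLE_BITS + body)


def deframe(symbols: str) -> Optional[bytes]:
    """Receiver side: verify the preamble, read the length, return the payload."""
    bits = manchester_decode(symbols)
    if bits is None or not bits.startswith(PREAMBLE_BITS):
        return None
    body = bits[len(PREAMBLE_BITS):]
    if len(body) < 8:
        return None
    length = int(body[:8], 2)
    payload_bits = body[8:8 + 8 * length]
    if len(payload_bits) != 8 * length:
        return None
    return bits_to_bytes(payload_bits)


def airtime_seconds(payload_len: int, bits_per_second: float) -> float:
    """Channel time for one frame at a given raw data rate (framing included)."""
    data_bits = len(PREAMBLE_BITS) + 8 * (1 + payload_len)
    return data_bits / bits_per_second


if __name__ == "__main__":
    msg = b"AES key"
    sym = frame(msg)
    assert deframe(sym) == msg
    # Flipping a symbol at an even index breaks its pair; the receiver rejects the frame.
    corrupted = sym[:20] + ("1" if sym[20] == "0" else "0") + sym[21:]
    print(deframe(corrupted))
    print(f"{airtime_seconds(len(msg), 1000):.3f} s at 1,000 bit/s")
```

The fail-closed decoder is the point worth noticing from the defensive side: a covert channel built on this coding is robust to clock drift but not to missing transitions, which is why the countermeasures below lean on disrupting or blocking the emissions rather than on detecting the bits.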
Potential Countermeasures
To mitigate the risk of RAMBO and similar side-channel attacks, the following countermeasures are recommended:
Red-Black Zone Restrictions: Enforce strict separation of sensitive data and general-use zones.
Intrusion Detection Systems (IDS): Monitor memory access at the hypervisor level.
Radio Jammers: Deploy jamming devices to disrupt unauthorized radio communications.
Faraday Cages: Use Faraday cages to block electromagnetic emissions from sensitive equipment.
These measures aim to minimize the attack surface and enhance the security of air-gapped networks against electromagnetic-based data exfiltration techniques.
RAMBO in the Broader Threat Landscape
RAMBO joins a growing arsenal of unconventional data exfiltration techniques targeting air-gapped networks, often viewed as the last line of defense for protecting highly sensitive information.
As with all side-channel attacks, the initial infection vector requires the air-gapped network to be compromised, which can occur through rogue insiders, malicious USB devices, or supply chain attacks.
Once the malware is in place, these covert channels can be activated, enabling attackers to bypass traditional network defenses and exfiltrate critical data with stealth and precision.
Stay vigilant and employ robust security measures to safeguard against these evolving threats.
1 Million+ people have attended, and are RAVING about this AI Workshop.
Don’t believe us? Attend it for free and see it for yourself.
Save your spot here. (100 free spots only)
Highly Recommended:
Join this 3-hour Power-Packed Masterclass worth $399 for absolutely free and learn 20+ AI tools to become 10x better & faster at what you do
Save your seat now (FREE for First 100)
Tomorrow | ⏱️ 10 AM EST
In this Masterclass, you’ll learn how to:
Do quick Excel analysis & make AI-powered PPTs
Build your own personal AI assistant to save 10+ hours
Become an expert at prompting & learn 20+ AI tools
Research faster & make your life a lot simpler & more…
Register here (Offer valid for First 100 people only)
The cyber threat group known as Mustang Panda (or Earth Preta) is stepping up its attacks with a refined arsenal, according to Trend Micro. Mustang Panda, active in the Asia-Pacific region, is using a variety of new tools to steal data and deliver more dangerous malware.
Key Tools and Tactics
PUBLOAD: A downloader linked to Mustang Panda since 2022, used to deliver the PlugX malware, and now spreading via a worm variant called HIUPAN.
FDMTP & PTSOCKET: New tools introduced by PUBLOAD to enhance data exfiltration options, with FDMTP acting as a secondary control tool and PTSOCKET enabling multi-thread file transfers.
DOWNBAIT & CBROVER: Part of a "fast-paced" spear-phishing campaign targeting countries like Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan. These tools help deliver further payloads like the PlugX remote access trojan (RAT).
Data Theft
Mustang Panda is known for targeting government entities, stealing documents, spreadsheets, and presentations (.doc, .xls, .pdf, etc.) by compressing and exfiltrating them via FTP or custom programs.
Recent Findings
Palo Alto Networks Unit 42 highlighted Mustang Panda's crafty use of Visual Studio Code's reverse shell feature, showing their ongoing evolution in attack strategies.
"Mustang Panda is rapidly advancing its techniques, making their attacks more complex and effective," say researchers. The group continues to refine its methods, including multi-stage malware chains and potentially exploiting cloud services for exfiltration.
Stay alert!
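The "Data Theft" paragraph describes a sequence that is visible in ordinary endpoint telemetry: many office documents are read, an archive is written, and an FTP connection follows shortly after. Below is a detection sketch added for this edit, not Trend Micro's or any vendor's detection content, that correlates those three steps per host inside a time window. The JSON event format, its field names, the thresholds, and the sample events are all constructed for the example; a real deployment would map the same logic onto its own EDR or Sysmon fields.

```python
"""Correlate document staging + archiving + FTP egress on one host.

Added example; not vendor detection content. Event schema (ts, host, type,
proc, path, dip, dport) is a constructed, simplified endpoint telemetry.
"""
import json
import os
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
MIN_DOCS = 10                     # tunable: distinct documents read before an archive is written
WINDOW = timedelta(minutes=30)    # tunable: staging and egress must both fall inside this


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def build_sample_lines() -> List[str]:
    """Constructed telemetry: WS-12 stages 12 office files into a RAR and opens FTP;
    WS-07 zips two files and uses FTP, which is ordinary user behaviour."""
    t0 = datetime(2024, 9, 10, 9, 0, 0)
    evs = []
    for i in range(12):
        evs.append({"ts": (t0 + timedelta(seconds=i)).isoformat(), "host": "WS-12",
                    "type": "file_read", "proc": "rar.exe",
                    "path": f"C:\\Users\\a\\Documents\\q{i}.docx"})
    evs.append({"ts": (t0 + timedelta(seconds=20)).isoformat(), "host": "WS-12",
                "type": "file_write", "proc": "rar.exe", "path": "C:\\ProgramData\\tmp\\out.rar"})
    evs.append({"ts": (t0 + timedelta(minutes=2)).isoformat(), "host": "WS-12",
                "type": "net_connect", "proc": "ftp.exe", "dip": "203.0.113.7", "dport": 21})
    for i in range(2):
        evs.append({"ts": (t0 + timedelta(seconds=i)).isoformat(), "host": "WS-07",
                    "type": "file_read", "proc": "7z.exe",
                    "path": f"C:\\Users\\b\\Desktop\\f{i}.pdf"})
    evs.append({"ts": (t0 + timedelta(seconds=5)).isoformat(), "host": "WS-07",
                "type": "file_write", "proc": "7z.exe", "path": "C:\\Users\\b\\Desktop\\f.zip"})
    evs.append({"ts": (t0 + timedelta(minutes=1)).isoformat(), "host": "WS-07",
                "type": "net_connect", "proc": "ftp.exe", "dip": "198.51.100.2", "dport": 21})
    return [json.dumps(e) for e in evs]


def parse_events(lines: List[str]) -> List[Dict]:
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_staged_exfil(events: List[Dict]) -> List[Dict]:
    """One alert per archive write that is preceded by bulk document reads
    and followed by an FTP connection, all on the same host inside WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "file_write" or _ext(e["path"]) not in ARCHIVE_EXTS:
                continue
            docs = {x["path"] for x in evs[:i]
                    if x["type"] == "file_read" and _ext(x["path"]) in DOC_EXTS
                    and e["ts"] - x["ts"] <= WINDOW}
            if len(docs) < MIN_DOCS:
                continue
            ftp = [x for x in evs[i + 1:]
                   if x["type"] == "net_connect" and x.get("dport") == 21
                   and x["ts"] - e["ts"] <= WINDOW]
            if ftp:
                alerts.append({"host": host, "archive": e["path"],
                               "docs": len(docs), "dest": ftp[0]["dip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_exfil(parse_events(build_sample_lines())):
        print(alert)
```

The FTP step is only one of the egress paths the text mentions ("FTP or custom programs"), so in practice the third condition would be widened to any new outbound connection from the archiving process tree; the document-count and window thresholds are where the false-positive tuning happens.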
Be the smartest person in the room by reading 1440! Dive into 1440, where 3.5 million readers find their daily, fact-based news fix. We navigate through 100+ sources to deliver a comprehensive roundup from every corner of the internet: politics, global events, business, and culture, all in a quick, 5-minute newsletter. It's completely free and devoid of bias or political influence, ensuring you get the facts straight.
Government entities in the Middle East and Malaysia are under attack by Tropic Trooper, a cyber threat group active since 2011, and also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda. This group is notorious for targeting sectors like government, healthcare, and high-tech industries in Taiwan, Hong Kong, and the Philippines.
New Targets
Kaspersky detected Tropic Trooper’s activity in June 2024 when they found a new version of the China Chopper web shell on a public server running the Umbraco CMS. They are now targeting critical government entities in the Middle East, particularly those focused on human rights studies, marking a strategic shift for the group.
Attack Tools
Crowdoor Malware is a variant of the SparrowDoor backdoor and is deployed via .NET modules in Umbraco CMS. It acts as a loader for Cobalt Strike, maintains persistence, and harvests sensitive information. Tropic Trooper exploits vulnerabilities in applications like Adobe ColdFusion and Microsoft Exchange Server to deliver these web shells.
Persistent Threat ⚠️
Even after detection, Tropic Trooper adapted quickly, uploading new malware samples to evade security measures. Their focus? A CMS publishing studies on human rights, specifically around the Israel-Hamas conflict, highlighting a deliberate and strategic target.
Stay vigilant!
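The "Persistent Threat" paragraph notes that Tropic Trooper kept re-uploading new samples after detection, which is exactly why hash-based blocking is weak against a web shell on a CMS host. A behavioural check holds up better: the IIS worker process that serves Umbraco (w3wp.exe) has no legitimate reason to launch a command interpreter, and it should not be writing new server-side script files into the web root. The following detection sketch is added for this edit and is not Kaspersky's or any vendor's logic; the event fields loosely mimic Sysmon ProcessCreate and FileCreate records but are a constructed, simplified subset, and the sample paths are made up.

```python
"""Behavioural checks for web shell activity on an IIS/Umbraco host.

Added example; not vendor detection content. Events are a constructed subset
of Sysmon-style ProcessCreate / FileCreate fields.
"""
import json
import os
from typing import Dict, List

WEB_WORKERS = {"w3wp.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".php"}  # server-side script types a dropped shell would use


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict) -> List[str]:
    """Return the names of the rules an event trips (empty list = benign)."""
    hits = []
    if event["event"] == "ProcessCreate":
        parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
        if parent in WEB_WORKERS and child in INTERPRETERS:
            hits.append("web_worker_spawns_interpreter")
    elif event["event"] == "FileCreate":
        proc = _basename(event["Image"])
        ext = os.path.splitext(event["TargetFilename"])[1].lower()
        if proc in WEB_WORKERS and ext in SCRIPT_EXTS:
            hits.append("web_worker_writes_script")
    return hits


def scan(lines: List[str]) -> List[Dict]:
    """Run every event through classify() and collect alerts in arrival order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in classify(ev):
            alerts.append({"rule": rule, "host": ev["host"], "user": ev.get("User")})
    return alerts


# Constructed sample: worker start-up and a media upload (benign), then a
# script dropped into the web root and an interpreter spawned by the worker.
SAMPLE_LINES = [
    json.dumps({"event": "ProcessCreate", "host": "CMS-01",
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": "IIS APPPOOL\\Umbraco"}),
    json.dumps({"event": "FileCreate", "host": "CMS-01",
                "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "TargetFilename": r"C:\inetpub\wwwroot\media\1234\brochure.pdf",
                "User": "IIS APPPOOL\\Umbraco"}),
    json.dumps({"event": "FileCreate", "host": "CMS-01",
                "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "TargetFilename": r"C:\inetpub\wwwroot\media\1234\img.aspx",
                "User": "IIS APPPOOL\\Umbraco"}),
    json.dumps({"event": "ProcessCreate", "host": "CMS-01",
                "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "Image": r"C:\Windows\System32\cmd.exe", "User": "IIS APPPOOL\\Umbraco"}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Neither rule depends on a sample hash, so the new uploads the text describes trip the same alerts as the first one did; the file-write rule is the earlier signal (the shell landing), the process rule the later one (the shell being used).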
That’s all for this week, folks. Take care, it’s a jungle out there
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!