Welcome to the next episode of the Xopero Security Center! How do you launch a cyberattack on devices equipped with Thunderbolt ports – even if the targeted device is locked and its drive encrypted? It looks like the attacker needs only a short time window of physical access, a screwdriver and some portable hardware. But don’t be fooled: the Thunderspy attack, which took years to develop, is really elegant.
Millions of Thunderbolt-equipped Devices Open to ‘ThunderSpy’ Attack
A new attack enables bad actors to steal data from Windows or Linux devices equipped with Thunderbolt ports – if they can get their hands on the device for just five minutes. All Thunderbolt-equipped devices manufactured before 2019 are vulnerable, which puts millions of devices at risk.
The attack, called “Thunderspy,” specifically targets Thunderbolt technology, a hardware interface developed by Intel (in cooperation with Apple) that allows users to consolidate data transfer, charging and video peripherals into a single connector. The technology has also been widely adopted by PC makers such as Dell, HP and Lenovo.
To launch the Thunderspy attack, one would need physical access to the device. However, the attack can be launched in minutes, and only involves use of a Thunderbolt-equipped computer, a screwdriver and some portable hardware. Attackers could then bypass security measures and access data – even if the target device is locked and its drive encrypted.
Based on a slew of flaws in Thunderbolt’s protocol security measures, security researcher Björn Ruytenberg developed nine Thunderspy attack scenarios showing how the vulnerabilities could be exploited by a malicious entity to access victims’ systems – even with the industry standards in place. The flaws include: inadequate firmware verification schemes, a weak device authentication scheme, use of unauthenticated device metadata, a downgrade attack using backwards compatibility, use of unauthenticated controller configurations, SPI flash interface deficiencies and a lack of Thunderbolt security on Boot Camp.
Thunderspy attack: accessing memory lane
These vulnerabilities affect Thunderbolt versions 1, 2 and 3, and can be exploited to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally, obtain PCIe connectivity to perform DMA attacks. DMA-based attacks let attackers compromise targeted computers in a matter of seconds just by plugging malicious hot-plug devices – such as an external network card, mouse, keyboard, printer, or storage – into a Thunderbolt port or the latest USB-C port.
In a video proof of concept, Ruytenberg demonstrated one of the Thunderspy attacks that could be launched in minutes.
Intel told the researcher it was aware of the flaws and would not be issuing further mitigations beyond kernel DMA protection. The researcher and the chip maker went back and forth over notifying affected parties, but Intel notified only five companies. For its part, Intel recommends that Thunderbolt port users check with their system manufacturers to determine whether their system has the mitigations incorporated. How to protect yourself? Avoid leaving your devices unattended, power the system off completely, or at least use hibernation instead of sleep mode.
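Since kernel DMA protection is the only mitigation Intel points to, a defender will want a quick way to see whether a Linux machine actually has it. The check below is an added example, not code from the article or from the Thunderspy research: it reads the per-controller `security` and `iommu_dma_protection` attributes that the Linux kernel exposes under /sys/bus/thunderbolt/devices, and the `make_sample_tree` helper builds a constructed fake sysfs tree so it can run offline.

```python
import os
import tempfile

# Linux exposes each Thunderbolt controller as a "domainN" directory here
# (documented in the kernel's admin-guide/thunderbolt page).
SYSFS_TB = "/sys/bus/thunderbolt/devices"


def _read(path, default=""):
    """Return the stripped contents of a sysfs attribute, or default if absent."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default


def assess_thunderbolt(root=SYSFS_TB):
    """Summarise Thunderspy exposure for every Thunderbolt domain under root.

    Returns {domain: {"security": level, "iommu_dma_protection": bool, "verdict": str}}.
    """
    report = {}
    if not os.path.isdir(root):
        return report  # no Thunderbolt controllers (or not Linux): nothing to assess
    for name in sorted(os.listdir(root)):
        if not name.startswith("domain"):
            continue
        dom = os.path.join(root, name)
        level = _read(os.path.join(dom, "security"), "unknown")  # none/user/secure/dponly/usbonly
        iommu = _read(os.path.join(dom, "iommu_dma_protection"), "0") == "1"
        if iommu:
            verdict = "mitigated: kernel DMA protection (IOMMU) active"
        else:
            # Device authorization levels rely on identities Thunderspy can clone and on
            # controller configuration it can rewrite, so only IOMMU protection counts.
            verdict = "exposed: security level '%s' alone does not stop Thunderspy" % level
        report[name] = {"security": level, "iommu_dma_protection": iommu, "verdict": verdict}
    return report


def make_sample_tree(level="secure", iommu="0"):
    """Constructed fake sysfs tree (one domain) so the check can run without hardware."""
    root = tempfile.mkdtemp()
    dom = os.path.join(root, "domain0")
    os.makedirs(dom)
    with open(os.path.join(dom, "security"), "w") as f:
        f.write(level + "\n")
    with open(os.path.join(dom, "iommu_dma_protection"), "w") as f:
        f.write(iommu + "\n")
    return root


if __name__ == "__main__":
    for dom, info in assess_thunderbolt(make_sample_tree()).items():
        print(dom, info["verdict"])
```

On a real system call `assess_thunderbolt()` with no argument; a laptop whose domains all report the "mitigated" verdict has the kernel DMA protection Intel refers to, anything else warrants checking with the manufacturer.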
Ramsay, the new cyber-espionage framework, can collect and exfiltrate sensitive data from air-gapped networks
The researchers at ESET discovered the first Ramsay component earlier this year when a file uploaded to VirusTotal caught their attention. The telemetry shows it only has a small pool of victims, which more or less means that the framework is still in development. But the low visibility of victims could also be attributed to the discovery that Ramsay’s targeted systems are in air-gapped networks not connected to the Internet. It is clear that Ramsay is a new form of malware.
The fact that it’s designed to operate without Internet connectivity indicates it is built to be used in highly restricted environments, or air-gapped systems, which typically protect high-value information. The framework is built to run for a long period of time, during which it monitors removable drives and network shares for new documents to steal until an exfiltration happens – Dorais-Joncas explains.
Unlike most malware, Ramsay does not have a network-based C&C communication protocol, nor does it try to connect to a remote host for communications. It scans all network shares and removable drives for potential control files. Researchers found three versions of Ramsay, all of which were built to collect Word documents. The first version looked for Word documents but in more recent iterations, Ramsay also searches for PDF files and ZIP archives.
Plan first, then attack. Ramsay operators seem to be trying different attack techniques. There are a few documented attack vectors, such as old exploits for Windows flaws from 2017 and malicious applications delivered via phishing emails. This is further proof that attackers have a prior understanding of victims’ environments and choose their tools accordingly.
Did you get hit by ransomware? Hackers now demand an extra payment to delete stolen files
Hackers have adopted a new business tactic. They not only demand a ransom for a decryptor but also demand a second ransom not to publish files stolen in the attack.
The world is changing. For some time now, ransomware operators have claimed to steal data before encrypting a company’s network, threatening to release it if the victim does not pay. It wasn’t until November 2019, though, that the Maze ransomware operators actually followed through on this threat and publicly released stolen files. Today, Ako ransomware operators demand two ransoms. As an example, Ako published the data of one of its victims and stated that it had received a $350,000 payment for the decryptor, but released the files anyway after not receiving a payment to delete the stolen files. For now, this double-extortion tactic is only used on certain victims, depending on the size of the company and the type of data that was stolen. The second extortion demand ranges from $100,000 to a maximum of $2,000,000, on top of the ransomware’s decryption price.
Astaroth malware hides C&C servers in YouTube channel descriptions
Over the past year, the Astaroth infostealer trojan has evolved into one of today’s stealthiest malware strains, containing a slew of anti-analysis and anti-sandbox checks to prevent security researchers from detecting and analyzing its operations.
This malware was first spotted in the wild in September 2018 and has continued to evolve. The trojan still relies on email campaigns for distribution, fileless execution, and living off the land (LOLbins), but it has also gained two new major updates recently.
The first is a new, quite large collection of anti-analysis and anti-sandbox checks. The malware runs these checks before it executes to make sure it runs on a real computer, and not inside a sandbox environment, where it could be analyzed by security researchers.
Moreover, as one of its methods, Astaroth now uses YouTube channel descriptions to hide the URLs of its command and control (C2) servers. After Astaroth infects a victim, the trojan connects to a YouTube channel and retrieves the channel description field. The field contains encrypted, base64-encoded text with the URLs of its command and control servers. After decoding the text, Astaroth connects to these URLs to receive new instructions and to upload stolen information. Even if YouTube takes down the channels, Astaroth falls back to another system to obtain its C&C servers.
This method of hiding the location of the C&C server on YouTube is not new. It has been used before by Janicab and Stantinko.
For now, this trojan is only active in Brazil. If it is ever unleashed on the entire world, the trojan could cause a serious number of infections, due to its complexity but also due to the rapid rate at which it evolves.
Madonna, Drake, Lady Gaga and other celebrities’ data taken in a ransomware attack
A popular law firm that works with several A-list celebrities, including Lady Gaga, Drake and Madonna, has been hit by a REvil ransomware attack. Hackers are now threatening to publish the 756 gigabytes of stolen data – including non-disclosure agreements, client contracts and personal correspondence. As proof, a limited amount of data has been posted on their Tor leak site.
The New York-based firm, Grubman Shire Meiselas & Sacks, offers legal services to the entertainment and media industries. Among their clients are Madonna, Drake, Lady Gaga, Nicki Minaj, Bruce Springsteen, Christina Aguilera, Mariah Carey, Jessica Simpson and a lot more.
According to researchers, cybercriminals hit the law firm using the REvil ransomware (also known as Sodinokibi). The information allegedly stolen includes clients’ phone numbers, email addresses, personal correspondence, contracts, and non-disclosure agreements made with ad and modelling firms.
While it’s not known how the company was first infected, REvil is known to use RDP attacks, malspam and other attack mechanisms to initially target companies.
Now the company has two reasons to pay – to get the decryption key and to stop the crooks from publishing the stolen data. This has led to a demand of over $1 million!
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. Data leak, phishing security flaws disclosed in Oracle iPlanet web server (ZDNet)
2. Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases (The Hacker News)
3. PrintDemon vulnerability impacts all Windows versions (ZDNet)
4. Vulnerability Spotlight: Remote code execution vulnerabilities in Adobe Acrobat Reader (Talos Intelligence)
5. Hackers’ private chats leaked in stolen WeLeakData database (Bleeping Computer)
6. Securing Linux’s master sysadmin command: Sudo (ZDNet)
7. Huawei denies involvement in buggy Linux kernel patch proposal (ZDNet)
8. Microsoft Patch Tuesday Tops 100 CVEs For Third Month (Infosecurity Magazine)
9. Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia (We Live Security)
10. Top 10 most exploited vulnerabilities list released by FBI, DHS CISA (Naked Security)