Platypus attack abuses RAPL mechanism to steal data from CPUs

Platypus is a novel software-based power side-channel attack on Intel server, desktop and laptop CPUs. Using this technique, an attacker could extract secrets from a device, such as cryptographic keys. How does it work exactly? Check our newest Security Center issue.

New Platypus attack can steal data from Intel CPUs

Platypus is a new attack method that can extract data from Intel CPUs. Nice name, right? The attack technique has been named after the platypus animal’s ability to sense electrical current with its bill. This is also an acronym for “Power Leakage Attacks: Targeting Your Protected User Secrets”.

The attack targets the RAPL interface of Intel processors. RAPL, which stands for Running Average Power Limit, is a component that lets firmware or software applications monitor how much electrical power the CPU and DRAM are drawing while performing their tasks. It has been used for years to track and debug application and hardware performance.

The Platypus attack can be used to determine what data is being processed inside a CPU by looking at the values reported via the RAPL interface. Attackers can observe variations in power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, which allows them to infer the values loaded into the CPU. These can be encryption keys, passwords, sensitive documents, or any other type of information.

This kind of data is normally protected by a slew of security mechanisms, such as kernel address space layout randomization (KASLR) or hardware-isolated trusted execution environments (TEEs) like Intel SGX. However, Platypus allows an attacker to bypass all these protections simply by looking at variations in the reported power consumption values.

According to the research team, Platypus attacks work best on Linux systems. This is because the Linux kernel ships with the powercap framework, a universal driver for interacting with RAPL interfaces and other power capping APIs, which makes power consumption values easy to read. Attacks on Windows and macOS are also possible, but in these cases the Intel Power Gadget app must be installed on the attacked device to allow the attackers to interact with the RAPL interface.

Patches available

Platypus works against Intel server, desktop, and laptop CPUs. Intel has also confirmed that some mobile and embedded CPUs are impacted. The chipmaker has today released microcode (CPU firmware) updates to block Platypus attacks, which the company has made available to industry partners to include in their products’ next security updates.

The Linux kernel has also shipped an update. The update restricts access to the RAPL interface to apps with elevated privileges only, making attacks much harder to pull off from inside unprivileged apps.
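Because the Linux mitigation comes down to file permissions on the powercap counters, an administrator can verify it with a short audit. The script below is an added example written for this article, not code from the Platypus researchers, Intel or the kernel project. It assumes the stock sysfs layout, in which the entries of /sys/class/powercap are symlinks to RAPL zone directories such as intel-rapl:0 that each carry an energy_uj counter, and it reports every counter whose group or other read bit is still set. To run offline it also constructs a fake powercap tree in a temporary directory; the "intel-rapl-alias" symlink in that tree is a hypothetical stand-in for the multiple class-level links sysfs exposes.

```python
"""Audit powercap energy counters for read access by unprivileged users."""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import Iterator, List, Tuple

POWERCAP_ROOT = Path("/sys/class/powercap")  # assumption: stock Linux location of the powercap class tree
COUNTER_NAME = "energy_uj"                   # per-domain cumulative energy counter (microjoules)


def iter_counters(root: Path) -> Iterator[Path]:
    """Yield the real path of every energy_uj counter below root, without duplicates.

    On a live system the top-level entries are symlinks into /sys/devices/..., and
    the same counter is reachable through several of them, so each entry is
    resolved first and the results are de-duplicated by real path.
    """
    seen = set()
    if not root.is_dir():
        return
    for entry in sorted(root.iterdir()):
        zone = entry.resolve()
        if not zone.is_dir():
            continue
        for counter in zone.rglob(COUNTER_NAME):
            real = counter.resolve()
            if real not in seen:
                seen.add(real)
                yield real


def find_exposed_counters(root: Path = POWERCAP_ROOT) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for every counter readable by group or others.

    The kernel mitigation leaves energy_uj readable by root only (mode 0400);
    anything with the group or other read bit set is reported so the
    administrator can see that the mitigation is missing on that domain.
    """
    exposed = []
    for counter in iter_counters(root):
        mode = stat.S_IMODE(counter.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append((str(counter), oct(mode)))
    return exposed


def build_sample_tree() -> Path:
    """Construct a fake powercap tree in a temp dir (constructed sample, not real sysfs)."""
    root = Path(tempfile.mkdtemp(prefix="powercap-sample-"))
    pkg = root / "intel-rapl:0"      # package domain left world-readable (pre-mitigation state)
    core = pkg / "intel-rapl:0:0"    # core sub-domain, root-only as after the kernel update
    core.mkdir(parents=True)
    (pkg / COUNTER_NAME).write_text("12345678\n")
    (core / COUNTER_NAME).write_text("2345678\n")
    os.chmod(pkg / COUNTER_NAME, 0o444)
    os.chmod(core / COUNTER_NAME, 0o400)
    # hypothetical alias mimicking the extra class-level symlinks sysfs exposes
    os.symlink(pkg, root / "intel-rapl-alias")
    return root


if __name__ == "__main__":
    # Audit a real tree when a path is given, otherwise the constructed sample.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for path, mode in find_exposed_counters(target):
        print(f"readable by unprivileged users: {path} (mode {mode})")
```

Run it as `python3 audit_rapl.py /sys/class/powercap` on a Linux host; no output means every counter is root-only. Note that the check reads permission bits rather than attempting a read, so it gives the same answer whether it is run as root or as a regular user.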


Ragnar Locker operators take out Facebook ads to force Campari into paying the ransom

It looks like the Ragnar Locker ransomware operators are improving their extortion technique: they have started running Facebook advertisements to put pressure on their victims and force them to pay the ransom. As if the double-extortion ransomware tactic were not enough trouble…

The Italian liquor company Campari Group had the chance to experience this first-hand. The Ragnar Locker ransomware gang breached the Campari Group’s network on Nov. 3 and claims to have stolen 2 TB of unencrypted files before encrypting the infected systems. The threat actors demanded a $15 million ransom for a decryptor to recover the files.

There was this first Facebook ads campaign

The ad – titled “Security breach of Campari Group network” – went on to say Ragnar Locker Team had offloaded two terabytes of information and would give the Italian firm until 6 p.m. EST today (Nov. 10) to negotiate an extortion payment in exchange for a promise not to publish the stolen files.

The ad was paid for by Hodson Event Entertainment, an account tied to Chris Hodson, a deejay based in Chicago. The unauthorized campaign – the account had been hacked – reached approximately 7,150 Facebook users and generated 770 clicks.

It’s not clear whether this was an isolated incident, or whether the fraudsters also ran ads using other hacked accounts. Facebook said the company is still investigating the incident.

Some ransomware groups have become especially aggressive of late. They have started calling victims to ask when they are going to pay, or else have their data leaked. This new extortion tactic also demonstrates the continuous evolution of the ransomware extortion model. It seems likely we will continue to see more such schemes in the future.


Intel under fire: flaws in privileged management apps expose machines to attack

The Intel Support Assistant is the latest Windows utility found to expose millions of computers to privilege-escalation attacks through file manipulation and symbolic links, i.e. through the way the program interacts with files.

The vulnerability was disclosed by access-security firm CyberArk during an 18-month effort to seek out specific patterns that could let malware or a local attacker gain system privileges on a victim’s computer. That effort, by the way, has resulted in a series of security notices from CyberArk and advisories from affected firms about privilege-escalation vulnerabilities in a passel of system utilities.

In this case, the Intel Support Assistant interacts insecurely with nonprivileged data and directories, giving attackers the ability to execute code as the privileged program by modifying a nonprivileged file. The attack only requires a malicious program or user to copy malicious code to a directory used by the utility. 

“To trigger the ability is pretty simple: You abuse some of the features of the Intel Support Assistant, and through that, you can escalate into a system account,” says Eran Shimony, a security researcher at CyberArk. “And, if you have local admin, then it is pretty much game over.”

The researcher notified Intel of the latest vulnerability more than a year ago. The company needed time to inform all of its partners and work together on a fix. The notification of the vulnerability (CVE-2020-22460) came on Nov. 10.

How to stay safe? Specialists urge developers to be aware of this particular class of flaws. They should always protect the directories and files used by privileged programs from modification — whether creation, deletion, or manipulation — by regular users. Also, the coders should always execute specific operations at the least privilege needed to manipulate local files, by adopting the appropriate role.

This is not the first time that the Intel Support Assistant has been a vehicle for privilege escalation. In early September, the company also issued a notice that a similar scenario — a user exploiting file permissions — can lead to escalation of privilege.


‘Ghimob’ banking trojan goes global and spies on 153 Android mobile apps

Security researchers have discovered a new Android banking malware that can spy on and steal data from 153 Android applications. Named Ghimob, the trojan is believed to have been developed by the same gang behind the Astaroth (Guildma) Windows malware, according to Kaspersky.

The group uses email or malicious sites to redirect users to websites promoting Android apps (but not the Play Store itself). These apps mimic official apps and brands, such as Google Defender, Google Docs, WhatsApp Updater, or Flash Update. If users are careless enough to install the apps despite all the warnings shown on their devices, the malicious apps request access to the Accessibility service as the final step in the infection process.

If this is granted, the apps search the infected phone for a list of 153 apps and show fake login pages over them in an attempt to steal the user’s credentials. Initially the fake pages imitated Brazilian banks, but the list now includes banking brands from Europe and America.

Furthermore, Ghimob has also received an update that targets cryptocurrency exchange apps in an attempt to gain access to cryptocurrency accounts, following a general trend in the Android malware scene, which has slowly shifted towards cryptocurrency owners.

After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access a victim’s account and initiate illegal transactions.

Ghimob’s features actually mirror those of other Android banking trojans, such as BlackRock or Alien, but its wide range of targeted regions seems pretty worrying.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Google patches two more Chrome zero-days (ZDNet)
2. Nvidia Warns Windows Gamers of GeForce NOW Flaw (ThreatPost)
3. Muhstik botnet adds Oracle WebLogic and Drupal exploits (Security Affairs)
4. Flaws in Privileged Management Apps Expose Machines to Attack (Dark Reading)
5. Ubuntu’s Gnome desktop could be tricked into giving root access (Bleeping Computer)
6. Ransomware operators use fake Microsoft Teams updates to deploy Cobalt Strike (Security Affairs)
7. New worming botnet Gitpaste-12 infecting IoT devices, Linux servers (Hack Read)
8. Google Chrome to block JavaScript redirects on web page URL clicks (Bleeping Computer)
9. CRAT Aims To Plunder Your Endpoints (Talos Intelligence)
10. ModPipe malware decrypts Oracle point-of-sale database passwords (Bleeping Computer)