BrakTooth flaws / LockFile ransomware / Malware hides in AMD, NVIDIA GPUs

Welcome to Security Center – our weekly update on the most devastating cyberattacks, high-severity vulnerabilities, and biggest data leaks – precisely selected by our editors.

Don’t miss out! Sign up now and have it delivered to your inbox each Monday to start the week safe and sound. Additionally, you will receive a portion of the hottest company news and access to selected technical articles written by our experts, with advice and tricks for more effective protection of your IT infrastructure.

In the meantime, let’s check what happened in the cyber-world last week.

New BrakTooth flaws leave millions of Bluetooth-enabled devices vulnerable

“BrakTooth” (from the Norwegian word for “crash”) is the name given to 16 security weaknesses spanning 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, Zhuhai Jieli Technology, and Texas Instruments. The vulnerabilities affect over 1,400 commercial products, including laptops, smartphones, programmable logic controllers, and IoT devices. The most severe of the 16 bugs is CVE-2021-28139. The flaw enables an attacker to inject arbitrary code on vulnerable devices, including erasing the device’s NVRAM data. Other vulnerabilities could result in the Bluetooth functionality being disabled entirely via arbitrary code execution, or cause a denial-of-service condition in laptops and smartphones that use Intel AX200 SoCs. Additionally, a third group of flaws discovered in Bluetooth speakers, headphones, and audio modules could be abused to freeze or even completely shut down the devices, requiring the users to turn them back on manually.

Read more

LockFile ransomware uses never-before-seen encryption to avoid detection

LockFile is a novel ransomware that uses a unique “intermittent encryption” method to evade detection, while also adopting tactics from previous ransomware gangs. The ransomware works in 16-byte blocks, but it leaves the first few blocks of a file untouched and, after that, encrypts only every other 16-byte block. This means that a text document, for instance, remains partially readable. It also means that some ransomware protection solutions do not notice it, because a partially encrypted document looks statistically very similar to the unencrypted original. The ransomware first exploits unpatched ProxyShell flaws and then uses what is called a PetitPotam NTLM relay attack to seize control of a victim’s domain. The threat hides its nefarious activities by forgoing any connection to a command-and-control server. Once it has encrypted all the documents on the machine, LockFile disappears without a trace, deleting itself with a PING command. After the attack, there is no ransomware binary left for incident responders or antivirus software to find or clean up.
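To make the statistical point concrete, here is an added example (not LockFile’s code, and not from the article this item summarizes) that simulates the every-other-16-byte-block pattern on a constructed text document and compares it with a fully encrypted copy. The “ciphertext” is stood in for by seeded random bytes, so nothing here encrypts anything. It shows that whole-file entropy and chi-square checks, which a naive ransomware detector might rely on, see the partially encrypted file as still text-like, while a simple per-block printable-byte heuristic (assumed here as a detector for text-like documents; binary formats would need a format-aware check) still flags roughly half of the blocks.

```python
"""Added example: why intermittent encryption slips past whole-file randomness
checks, and a per-block heuristic that still catches it on text-like files.
Ciphertext is simulated with seeded random bytes; nothing here encrypts."""
import math
import random
from collections import Counter

BLOCK = 16
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, close to 8.0 for random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square distance from a uniform byte distribution. Random data scores
    around 255 (its degrees of freedom); text scores in the thousands or more."""
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def _random_bytes(n: int, rng: random.Random) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def simulate_full_encryption(data: bytes, seed: int = 1) -> bytes:
    """Stand-in for conventional ransomware: the whole file becomes ciphertext."""
    return _random_bytes(len(data), random.Random(seed))


def simulate_intermittent_encryption(data: bytes, skip_blocks: int = 4,
                                     seed: int = 1) -> bytes:
    """The pattern described in the text: leave the first `skip_blocks` blocks
    alone, then replace every other 16-byte block with random bytes."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(skip_blocks * BLOCK, len(data), 2 * BLOCK):
        end = min(start + BLOCK, len(data))
        out[start:end] = _random_bytes(end - start, rng)
    return bytes(out)


def looks_random_whole_file(data: bytes) -> bool:
    """Naive detector (assumed thresholds): flag a file only when the whole
    file has near-maximal entropy and a chi-square score close to random."""
    return shannon_entropy(data) > 7.9 and chi_square(data) < 400


def ciphertext_block_ratio(data: bytes, min_printable_fraction: float = 0.75) -> float:
    """Fraction of 16-byte blocks in which fewer than 75% of bytes are printable
    ASCII. Random bytes are printable with probability ~98/256, so a 16-byte
    ciphertext block almost never reaches 12 printable bytes, while blocks of a
    text document always do. Heuristic for text-like documents only."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not blocks:
        return 0.0
    flagged = sum(
        1 for b in blocks
        if sum(x in PRINTABLE for x in b) / len(b) < min_printable_fraction
    )
    return flagged / len(blocks)


# Constructed sample document (16 KiB of repeated text), not a real file.
SAMPLE_TEXT = ("Quarterly report: revenue grew in all regions. "
               "See the attached tables for details.\n" * 400)[:16384].encode()


def demo() -> dict:
    """Score the plain, intermittently encrypted and fully encrypted variants."""
    variants = {
        "plain": SAMPLE_TEXT,
        "intermittent": simulate_intermittent_encryption(SAMPLE_TEXT),
        "full": simulate_full_encryption(SAMPLE_TEXT),
    }
    return {
        name: {
            "entropy": round(shannon_entropy(d), 2),
            "chi_square": round(chi_square(d)),
            "whole_file_flagged": looks_random_whole_file(d),
            "ciphertext_block_ratio": round(ciphertext_block_ratio(d), 2),
        }
        for name, d in variants.items()
    }


if __name__ == "__main__":
    for name, scores in demo().items():
        print(name, scores)
```

Running the script prints the three rows side by side: the fully encrypted copy is the only one the whole-file check flags, whereas the intermittently encrypted copy keeps a text-like entropy and chi-square score yet still has about half of its blocks flagged by the per-block check. A defender wanting to catch this technique therefore needs block- or format-level checks (or behavioural signals such as mass file rewrites), not a single randomness score per file.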

Read more

Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs

Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. While the method is not new and demo code has been published before, the projects so far came mostly from the academic world. This time, however, a proof-of-concept (PoC) was sold on a hacker forum. The seller provided only an overview of their method, saying that it uses the GPU memory buffer to store malicious code and execute it from there. The project works only on Windows systems that support version 2.0 and above of the OpenCL framework, which runs code on various processors, GPUs included. The post also mentioned that the author tested the code on graphics cards from Intel (UHD 620/630), Radeon (RX 5700), and GeForce (GTX 740M(?), GTX 1650). On August 25, the seller posted that they had sold the PoC, without disclosing the terms of the deal. It looks like cybercriminals are moving their attacks to a new level of sophistication.

Read more

More IT security must-reads

  1. Attackers are attempting to exploit recently patched Atlassian Confluence CVE-2021-26084 RCE (Security Affairs)
  2. WhatsApp Photo Filter Bug Allows Sensitive Info to Be Lifted (Threat Post)
  3. Cisco fixes critical authentication bypass bug with public exploit (Bleeping Computer)
  4. How to block Windows Plug-and-Play auto-installing insecure apps (Bleeping Computer)
  5. QNAP will patch OpenSSL flaws in its NAS devices (Security Affairs)
  6. Gutenberg Template Library & Redux Framework Bugs Plague WordPress Sites (Threat Post)
  7. This is why the Mozi botnet will linger on (ZDNet)
  8. LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files (Threat Post)
  9. Android game developer EskyFun exposed 1 million gamers to hackers (Hack Read)