The Good, the Bad and the Ugly in Cybersecurity – Week 24

The Good

With the first half of 2020 more or less behind us, and the U.S. Election season fast approaching in what is already the most turbulent year in decades, it’s good to see cybersecurity being ramped up at the national level. To that end, the National Guard and U.S. Cyber Command have teamed up to provide timely data and response to cyber attacks, from ransomware infections to election security incidents, through its Cyber 9-Line initiative.

Cyber 9-Line uses a common framework that allows National Guard units to report incidents rapidly; those reports are fed into USCYBERCOM’s Cyber National Mission Force. The CNMF can then diagnose the incident and provide unclassified feedback to help address it. While only 12 states have so far completed the registration process, most others are now working through the steps to establish accounts and undertake training. USCYBERCOM have said that defense of the 2020 Election is “the number-one priority of both the command and the National Security Agency”. Cyber 9-Line is expected to play a crucial role in ensuring election integrity.

Meanwhile, over the pond in the UK, the Ministry of Defence has also been gearing up to fight off digital attacks with the launch of a new cyber regiment, the 13th Signal Regiment. In a statement, the British Army said that the new outfit would match “cutting edge technology with cyber-fit soldiers to compete and win in the information age.”

The Bad

Remember Meltdown and Spectre? And the side-channel attacks RIDL, Fallout and ZombieLoad? These processor-level vulnerabilities from yesteryear (OK, 2018 and 2019, actually) made it possible for attackers to extract sensitive information as it passed through an Intel CPU’s microarchitectural buffers.

The source of the problem, dubbed Microarchitectural Data Sampling (MDS), was so deeply rooted that it wasn’t possible to stop the buffers from leaking; the best Intel could do was update existing processors’ microcode so that the buffers would be overwritten whenever the CPU switched to a new security-sensitive task. Intel subsequently released its 8th-gen Whiskey Lake CPUs, which were supposed to be resistant to these kinds of MDS attacks. Alas, the bad news is that these mitigation strategies don’t appear to have entirely worked. New research from two separate teams has shown that even on Whiskey Lake machines, it’s possible to bypass the countermeasures.

SGAxe builds on an earlier attack, CacheOut, and exploits CVE-2020-0549 to steal user data from Software Guard Extensions (SGX) secure enclaves, while CrossTalk makes it possible for attackers to leak data protected in an SGX enclave even if the attacker’s code is running on a different CPU core from the one holding the sensitive data.

The researchers said that “it is almost trivial to apply these attacks to break code running in Intel’s secure SGX enclaves” and that “mitigations against existing transient execution attacks are largely ineffective”.

Intel refers to CrossTalk as Special Register Buffer Data Sampling (SRBDS) and has said that its Atom, Xeon Scalable and 10th Gen Intel Core families of processors are not affected. For processor families that are affected, expect vendors to provide updates in the coming weeks. Patches against an earlier vulnerability, together with developers following Intel’s recommended guidelines, should also help to protect against CacheOut and SGAxe, Intel have said.
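For administrators wondering whether their own Linux fleet has picked up the microcode and kernel updates for MDS and SRBDS, the kernel reports its view of each issue as one file under /sys/devices/system/cpu/vulnerabilities/ (the `mds` and `srbds` entries are the ones relevant to this story). The script below is an added example written for this post, not code from Intel or the researchers; it assumes that sysfs layout and the kernel’s usual “Not affected”, “Mitigation: …” and “Vulnerable …” wording, and it accepts an alternative directory so it can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the article): summarise the Linux kernel's reported
# CPU vulnerability status, including the MDS and SRBDS (CrossTalk) entries.
# Assumption: one file per issue under the sysfs directory below, each holding
# a one-line status string in the kernel's usual wording.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints "ok", "unpatched" or "unknown"
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo "ok" ;;
        "Vulnerable"*)                  echo "unpatched" ;;
        *)                              echo "unknown" ;;
    esac
}

# report_cpu_mitigations [DIR]
# Prints one line per entry; returns 1 if any entry still reports Vulnerable,
# 2 if the directory is missing (older kernel or non-Linux host).
report_cpu_mitigations() {
    dir="${1:-$VULN_DIR}"
    rc=0
    [ -d "$dir" ] || { echo "no vulnerabilities directory at $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-16s %-9s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = "unpatched" ] && rc=1
    done
    return $rc
}

# count_unpatched [DIR] -> number of entries reporting Vulnerable
count_unpatched() {
    dir="${1:-$VULN_DIR}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = "unpatched" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use: report on the live system when the sysfs directory exists.
if [ -d "$VULN_DIR" ]; then
    report_cpu_mitigations || :
fi
```

A host whose `srbds` file reads “Vulnerable: No microcode” has the kernel side of the fix but not the vendor microcode, which is the combination to watch for while OEM updates are still rolling out; “Mitigation: Microcode” or “Not affected” is what you want to see once they land.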

The Ugly

Human rights defenders, environmentalists, and journalists, as well as politicians and CEOs, are among the tens of thousands of people targeted by a hitherto unknown hackers-for-hire group dubbed ‘Dark Basin’, according to Citizen Lab, a Canadian research group focused on digital threats to civil society.

American non-profit organizations have been extensively targeted by the Dark Basin group, who also engaged in phishing campaigns against organizations advocating net neutrality and fighting to expose climate denial activities. A partial list of targets who agreed to be named includes:

  • Climate Investigations Center
  • Conservation Law Foundation
  • Center for International Environmental Law
  • Greenpeace
  • Public Citizen
  • Union of Concerned Scientists

The Dark Basin group were uncovered through their use of a custom URL shortener in their phishing campaigns. After discovering that the shortener generated URLs with sequential shortcodes, the researchers were able to identify almost 28,000 URLs containing the email addresses of targets. The malicious links led to credential phishing sites: attacker-controlled clones of login pages for popular services such as Facebook, LinkedIn and Google Mail, among others.

Initially suspecting that the threat actor may have been a state-sponsored APT, Citizen Lab instead unearthed links between the targets and individuals working at a private, India-based company operating as “BellTrox InfoTech Services” and “BellTrox D|G|TAL Security”. While the researchers say they have “high confidence” that BellTrox employees are behind Dark Basin activities, they do not have strong evidence pointing to any party who may have commissioned the hacking.