
A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to research published by Kaspersky yesterday. The APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos.

"One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data," Kaspersky said. "This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose."

First observed by CrowdStrike in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. Kaspersky's analysis of NewCore revealed two variants (named BlueCore and RedCore) centered around two clusters of activity; the two share similarities in both code and infrastructure, but RedCore also contains exclusive features, namely a keylogger and an RDP logger that captures details about users connected to a system via RDP.

"Each cluster of activity had a different geographical focus," the researchers said. "The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018."

Both BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. What's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. A telemetry analysis by Kaspersky found that the first instance of the binary dates back to 2014, with the latest samples recorded at the end of last year.

The initial infection mechanism relies on malicious binaries that mimic legitimate antivirus components to load USBCulprit via what's called DLL search order hijacking; the tool then collects the relevant information, saves it as an encrypted RAR archive, and exfiltrates the data to a connected removable device. Visit OUR FORUM to learn more.
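As an added illustration (not code from Kaspersky's report or from this post), the following Python detector runs over constructed Sysmon-style events and flags the two behaviours described above: a DLL loaded from the process's own directory outside trusted paths (the search-order hijacking indicator) and a RAR archive written to a removable drive. The process names, drive letters and trusted-directory list are assumptions made for the sample.

```python
import ntpath
from collections import defaultdict

# Directories where loading a DLL from the executable's own folder is expected
# (assumed allow-list for this sample, not a complete one).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Drive letters treated as removable media in this sample (assumption).
REMOVABLE_DRIVES = {"e:", "f:"}

def parse_event(line):
    """Parse a constructed 'Key=Value ...' event line (values carry no spaces)."""
    return dict(token.split("=", 1) for token in line.split())

def is_sideload(ev):
    """Sysmon EventID 7 (image load): DLL resolved from the process's own directory
    outside the trusted paths, the classic DLL search-order hijacking signature."""
    if ev.get("EventID") != "7":
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    return exe_dir == dll_dir and not exe_dir.startswith(TRUSTED_DIRS)

def is_removable_rar(ev):
    """Sysmon EventID 11 (file create): .rar archive written to a removable drive."""
    if ev.get("EventID") != "11":
        return False
    target = ev["TargetFilename"].lower()
    return target.endswith(".rar") and ntpath.splitdrive(target)[0] in REMOVABLE_DRIVES

def score_events(lines):
    """Map each process image to the set of suspicious behaviours it exhibited."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if is_sideload(ev):
            hits[image].add("dll_sideload")
        if is_removable_rar(ev):
            hits[image].add("rar_to_removable")
    return dict(hits)

def usbculprit_candidates(lines):
    """Images showing both behaviours: the loader-plus-USB-staging pattern described above."""
    return sorted(img for img, seen in score_events(lines).items() if len(seen) == 2)

# Constructed sample telemetry: the fake AV-looking binary under AppData is the
# only process that both sideloads a DLL and stages a RAR on drive E:.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Users\vu\AppData\Roaming\avtool\avupdate.exe ImageLoaded=C:\Users\vu\AppData\Roaming\avtool\avcore.dll",
    r"EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\ntdll.dll",
    r"EventID=11 Image=C:\Users\vu\AppData\Roaming\avtool\avupdate.exe TargetFilename=E:\sync\report.rar",
    r"EventID=11 Image=C:\Tools\WinRAR\WinRAR.exe TargetFilename=C:\Users\vu\Documents\backup.rar",
]

if __name__ == "__main__":
    for image in usbculprit_candidates(SAMPLE_EVENTS):
        print("USBCulprit-like activity:", image)
```

Either behaviour alone is common benign activity (installers sideload, users archive to USB sticks); the correlation of both on one image is what raises the signal.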

If you're an Nvidia GeForce Now Founder's subscriber, it's likely you're nonplussed over the continued losses to the cloud gaming service's roster. Many notable videogames and publishers have dropped from the service since it launched on February 4, 2020—apparently those holding all the cards are "still figuring out their cloud strategies"—and if that isn't a bad omen of things to come, I don't know what is. Why? Because Nvidia's service offers something akin to the PC gaming experience. It is (theoretically) open to all, it allows you to access the games you already own, and it is more or less a back to basics promise of a half-decent gaming PC in the cloud—it even offers RTX graphics for cheap. Without it, or those other services like it, the future of cloud gaming looks a lot more… exclusive. Nvidia was unlucky in its game streaming rollout. Just as the ball started rolling on its initially successful cloud gaming ambitions, and fresh out of beta, a couple of major publishers (Activision Blizzard, Bethesda Softworks, 2K Games) swiftly dropped out from the service, and even made quite a palaver out of it. It appears as though that sentiment only gained momentum from there. Further games have been pulled from the service since, and while many more have embraced it with open arms, there are some huge games notably missing from its cloud-compatible library. Nvidia's since adopted a less pro-active opt-in approach for developers and publishers on GeForce Now as a result. So what is it that makes Nvidia's service so frowned upon by publishers? I'd have to guess that it's merely the sheer size, scale, and monetary worth of the potential 'platform'. No one batted an eyelid for the many cloud streaming services that came before, despite being much like Nvidia GeForce Now—those that allow a user to hook in their existing libraries and play the games they own across a range of digital storefronts on hardware they couldn't otherwise afford or access. 
So you'd expect that it wouldn't matter whether you play your game on the hardware you own—a trusty gaming PC—or one that's rented to you and served up out of a server rack. You bought the game, right? That's yours and you get to say how you play it. Well, not so fast. Gaming licenses have never been straightforward. Do you own a game or a license to the game? Well, the answer is actually relatively simple: you own a license that allows you to use someone's software, as they intended. What that End User License Agreement (EULA) means for you, and what you're allowed to do and not allowed to do with it (such as modding), varies between platform and developer. Therein lies the thorn in Nvidia's side, and the stipulation that gives ultimate control to the publisher. And it's only a microcosm of a wider issue—if cloud gaming inherently relies on publishers and developers to specifically allow access to the videogames we own a license to, then it's going to run into burgeoning costs, exclusivity, and a lack of interest from gamers with access to an already fairly simple solution that (mostly) bypasses these issues: a physical gaming PC. For more please visit OUR FORUM.

A major teaching hospital in London, UK, is using the Microsoft HoloLens on its COVID-19 wards to keep doctors safer as they help patients with the virus. Staff at Imperial College Healthcare NHS Trust are wearing the HoloLens with Dynamics 365 Remote Assist, using Microsoft Teams to send a secure live video feed to a computer screen in a nearby room, allowing healthcare teams to see everything the doctor treating Covid-19 patients can see while remaining at a safe distance. This has cut the amount of time staff spend in high-risk areas by up to 83%. It has also significantly reduced the amount of personal protective equipment (PPE) being used, by up to 700 items of PPE per ward, per week, as only the doctor wearing the headset has to dress in PPE.

James Kinross, a consultant surgeon at Imperial College Healthcare and senior lecturer at Imperial College London, said: “Protecting staff was a major motivating factor for this work, but so was protecting patients. If our staff are ill they can transmit disease and they are unable to provide expert medical care to those who needed it most.” Kinross, who had used the HoloLens for surgery before, noted that it had unique features, such as being a hands-free solution that could be used with PPE, and that it already featured telemedicine capabilities. “It solved a major problem for us during a crisis, by allowing us to keep treating very ill patients while limiting our exposure to a deadly virus. Not only that, but it also reduced our PPE consumption and significantly improved the efficiency of our ward rounds,” he noted.

Using Remote Assist, doctors wearing HoloLens on the Covid-19 wards can hold hands-free Teams video calls with colleagues and experts anywhere in the world. They can receive advice, interacting with the caller and the patient at the same time, while medical notes and X-rays can also be placed alongside the call in the wearer’s field of view.

“We’re now looking into other areas where we can use HoloLens because it is improving healthcare without removing the human; you still have a doctor next to your bed, treating you,” Kinross said. “Patients like it, too. They are interested in this new piece of technology that’s helping them.” HoloLens is also being used to teach students at Imperial College London’s medical school, regarded as one of the best in the world, after the Covid-19 pandemic led academic areas to close “practically overnight”, Kinross said. Students can use laptops and mobile devices at home to watch a live feed from lecturers wearing HoloLens and learn about a range of topics including anatomy, surgery, and cardiology. Read more on OUR FORUM.

Today marks the second anniversary of the introduction of the EU's General Data Protection Regulation (GDPR). With privacy in the spotlight at the moment due to COVID-19 tracing apps, we got the views of some industry experts on the effect that GDPR has had on our individual privacy and on the way businesses handle data.

"While it's the second anniversary of GDPR, being GDPR-compliant isn't about a point in time," says Steve Grewal, CTO of data management firm Cohesity. "Compliance is an ongoing process that requires organizations to take the utmost care in managing and protecting personal data. This means minimizing data volumes, reducing data fragmentation, and -- absent standardized policies in the US across all 50 states on personal data and privacy -- taking a proactive approach to ensure data is secure and protected. In 2020, it’s imperative that organizations are good stewards of customer data. Failing to make compliance a key part of an overall data management strategy can severely damage trust and erode brand reputations." Grewal also believes any erosion of privacy due to tracing apps will be temporary: "Just as individuals were asked to trade privacy to access social networks, individuals are being asked to consider a lower level of personal privacy while being under lockdown, as governments are exploring the use of tracking apps to track the spread of the virus. Though Europe's laws are strict, exemptions for public-health crises are written into EU data protection rules. Any use of data must be proportionate and fall away once the crisis has passed."

Bob Swanson, a security research consultant at SOAR company Swimlane, believes GDPR enforcement has yet to fully bite: "When we look at the introduction of GDPR everyone was focused on proposed fines. But have the actual fines issued lived up to that? No they have not. How you institute change is through collaboration and accountability, specifically among the largest most influential organizations. Take Google for example. Of the millions in fines issued in 2019, the majority of those were issued to Google. However, when you compare Google's 2019 issuance of $57 million in fines to annual revenue, some would say this fine more closely resembles a slap on the wrist, versus a mechanism to institute change among the tech giants. These types of organizations will be the ones to truly influence the adoption, adaptation, and staying power of such legislation."

Others, though, think GDPR has been a success. Grant Geyer, chief product officer of operational technology platform Claroty, believes: "Just as important as the principles the regulation stands for, the European Union’s global enforcement of blatant and willful violations of the rights of European citizens to have their personal data safeguarded has raised its prominence to the gold standard of data protection regulations worldwide. In today's global economy, GDPR has swiftly created a replicable regulatory blueprint that represents a win for citizens to maintain ownership over their personal data. That's a sacred right in a digital economy where for many years personal data has been abused and monetized without awareness, consent, or recourse."

"It is clear GDPR has so far been a success," says Paul Breitbarth, director, EU policy and strategy at privacy management company TrustArc. "Companies around the world have become much more aware of the importance of privacy compliance, updating their approach to how their customers’ data is collected, used, and safeguarded." To learn more, visit OUR FORUM.

Just days after the monthly Patch Tuesday Windows security update, zero-day vulnerabilities in an unpatched Windows system file have been publicly disclosed. Every month, Microsoft fixes a bunch of security vulnerabilities across the product range on Patch Tuesday. The latest round of fixes has already been and gone, addressing a total of 111 security vulnerabilities. Some sixteen of these were rated as critical, and, crucially, there were no zero-days. A zero-day vulnerability is one that remains unpatched by the vendor, leaving a window of opportunity for those who would exploit it using a zero-day attack. That's good news. The bad news is that no less than four new zero-days affecting Microsoft Windows have now been publicly disclosed. Three of them impact a core Windows system file.

Trend Micro's Zero Day Initiative (ZDI) is a bug bounty program founded in 2005 which encourages the reporting of zero-day vulnerabilities by financially rewarding security researchers. "We make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw, which leaves researchers free to go find other bugs," the About ZDI page states. It also says that no technical details about any vulnerability are made public until the vendor has released a patch. ZDI gives vendors a 120-day window in which to address the vulnerability, after which a "limited advisory," which includes mitigation advice, is published if a patch has not been forthcoming.

The Microsoft Windows zero-days that were publicly disclosed in such a fashion on May 19 mostly impact a core Windows system file called splwow64.exe, which is a printer driver host for 32-bit apps. This print spooler executable, part of 64-bit Windows, enables 32-bit applications to be compatible with a 64-bit Windows system. CVE-2020-0915, CVE-2020-0916, and CVE-2020-0986 all impact that splwow64 Windows system file. All three are classified as high on the CVSS severity scoring system with a 7.0 rating.

If exploited by an attacker, these vulnerabilities would allow them to escalate privileges on the targeted Windows computer. "The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer," the ZDI advisory states. "An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity." Learn more about this zero-day vulnerability by visiting OUR FORUM.

Huawei Technologies Co. warned the latest U.S. curbs on its business will inflict a “terrible price” on the global technology industry, inflaming tensions between Washington and Beijing while harming American interests. China’s largest technology company said it will be “significantly affected” by a Commerce Department decree barring any chipmaker using American equipment from supplying Huawei without U.S. government approval. That means companies like Taiwan Semiconductor Manufacturing Co. and its rivals will have to cut off the Chinese company unless they get waivers -- effectively severing Huawei’s access to the cutting-edge silicon it needs for smartphones and networking gear.

Washington’s decision drew condemnation from Beijing, which regards Huawei as a national champion because of its success in dominating global networking technology. China and Huawei have threatened retaliation, but Rotating Chairman Guo Ping on Monday refrained from commenting on a possible Beijing response -- a departure from just two months ago, when the company warned Washington risked opening a “Pandora’s box” and Chinese countermeasures if it chose to go ahead with additional restrictions. “Our business will significantly be impacted,” Guo said at a company briefing with analysts in Shenzhen. “Given the changes in the industry over the past year, it dawned on us more clearly that fragmented standards and supply chains benefit no one. If further fragmentation were to take place, the whole industry would pay a terrible price,” he added. Huawei is still assessing the potential fallout of the latest restrictions and couldn’t predict the impact on revenue for now, Guo said. On Monday, a swathe of Huawei’s suppliers from TSMC to AAC Technologies Holdings Inc. plunged in Asian trading.

Guo was far less vocal than colleague Richard Yu, who runs the consumer division responsible for smartphones. The outspoken executive said the restrictions that ostensibly aim to allay U.S. cybersecurity concerns are really designed to safeguard American dominance of global tech. “The so-called cybersecurity reasons are merely an excuse,” Yu, head of the Chinese tech giant’s consumer electronics unit, wrote in a post to his account on messaging app WeChat earlier on Monday. “The key is the threat to the technology hegemony of the U.S.” posed by Huawei, he added. Yu also posted a link to a Chinese article circulating on social media with part of its headline asking: “Why Does America Want to Kill Huawei?” Follow this and more news on Huawei on OUR FORUM.
