Cyber Security Headlines Week in Review: Spyware boosts zero-days, MFA bombing targets Apple, Facebook snooped Snapchat

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Yaron Levi, CISO, Dolby, and sageinsights.io

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Vulnerability in Apple’s Silicon M-series chips can’t be patched

Academic researchers from a number of U.S. universities together discovered a vulnerability that “allows hackers to gain access to secret encryption keys on Apple computers with Apple’s new Silicon M-Series chipset. This includes the M1, M2, and M3 Apple MacBook and Mac computer models.” The vulnerability lies with prefetchers, which predictively retrieve data before a request to increase processing speed, but which leave an opening for malicious attacks. The researchers have consequently named the attack GoFetch, and they say it is unpatchable because the issue lies with the architecture of the chip itself. A link to the research report is available in the show notes to this episode.

(Mashable and GoFetch paper)

APT31 uses family members to surveil targets

On Monday, U.S. prosecutors unsealed an indictment against seven individuals alleged to be part of the Chinese state-backed hacking group, APT 31. The gang used the unusual tactic of sending malicious emails to family members of their actual targets, typically high-ranking U.S. government officials, politicians and campaign staff. Victims who clicked embedded links revealed a host of device and network info that the hackers then used to target networks belonging to their actual targets. The State Department is offering rewards of up to $10 million for information that helps locate or apprehend any of the seven named Chinese APT 31 members.

The news of the indictment comes as Finnish Police confirmed Tuesday that APT 31 was behind a breach of the country’s parliament disclosed in March 2021. Similarly, as we reported yesterday on Cyber Security Headlines, the UK sanctioned APT31 for breaching their intelligence agency and hacking into the country’s Electoral Commission systems.

(CyberScoop and Bleeping Computer)

MFA bombing attacks target Apple users

Apple customers are reporting being targeted in phishing attacks involving an apparent bug in Apple’s password reset feature. The phishers are using “push bombing” attacks to inundate victim devices with multi-factor authentication (MFA) alerts, hoping the victim will approve a password change or login. If the MFA bombing fails, scammers call their targets claiming to be from Apple support, spoofing Apple’s number in the caller ID, saying the user’s account is under attack and asking them to “verify” a one-time code. Once the phishers obtain the one-time code, they can reset the account password and lock the user out. Users have unsuccessfully tried to thwart the harassing notifications and calls by enabling recovery keys, changing their Apple IDs, and even purchasing new devices. Apple has yet to comment on the apparent bug.

(Krebs on Security)

Think tank calls for US military cyber service

A new report from the Foundation for Defense of Democracies calls for a dedicated cyber force in the military. It noted that US Cyber Command currently contends with inefficiencies by dividing labor between multiple service branches. The lack of dedicated cyber focus by all of the services also hurts recruitment efforts. As an example, the Navy didn’t have cyber-specific work roles until last year. The report did not make a specific recommendation for what this cyber force would look like. But co-author retired Rear Admiral Mark Montgomery said the US’s cyber status quo fails to keep up with its enemies’ capabilities. 

(DefenseScoop)

Thanks to today’s episode sponsor, Varonis

Ready to reduce your risk without taking any? Try Varonis’ free data risk assessment. It takes minutes to set up and in 24 hours you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. Get started for free today at varonis.com/cisoseries.

Google recommends scam sites

SEO consultant Lily Ray spotted Google’s new Google Search Generative Experience recommending malicious or otherwise spammy sites in its conversational responses. An investigation by Bleeping Computer found signs these responses were part of the same SEO poisoning campaign, often using the .online top level domain and similar HTML templates. Clicking on the spam sites takes users through a series of redirects, where they get prompted by fake captchas, opt-ins for site notifications, and prompts to install browser extensions. Google said it removed the examples cited and continues to update its “advanced spam-fighting systems.”  

(Bleeping Computer)

Spyware fuels rise in zero-day exploits

Google released a report on exploited zero-days in 2023, its first joint zero-day report using resources from its Threat Analysis Group and Mandiant. It found a 50% year-over-year increase in zero-days exploited in the wild, with 97 observed in the year. Of the 58 exploits the researchers could attribute a motivation to, espionage actors accounted for 82%, with the remainder financially motivated. The report saw a significant rise in zero-days used by Chinese-linked groups, the first observed zero-day from a Belarusian state-sponsored group, a rise in exploits from commercial spyware vendors targeting browsers and mobile devices, as well as several exploits targeting third-party components that threat actors could leverage across multiple apps.

(The Record, Google TAG)

Facebook snooped on encrypted Snapchat traffic

As part of a class action lawsuit against Meta, a federal court in California released new documents detailing how, in 2016, the company then called Facebook launched “Project Ghostbusters” to obtain Snapchat app traffic to understand user behavior. Facebook used its Onavo VPN service to push software kits to iOS and Android that could intercept traffic to specified domains, describing it in emails as a “man-in-the-middle” approach. Facebook later expanded this to Amazon and YouTube. The company shut down Onavo after TechCrunch reported it paid teenagers to collect their web activity.

(TechCrunch)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.