Security Digest 7E6-19

Here are this week’s highlights in cybersecurity:

Syslogk Linux rootkit uses magic packets to trigger the Rekoobe backdoor. Based on an old open-source rootkit, adore-ng, Syslogk loads itself as a kernel module and is able to hide directories and network traffic. The backdoor based on TinySSH executes when the rootkit receives a special TCP packet. More
Chinese Advanced-Persistent Threat group called Gallium extended its targeting beyond telecommunication companies to also include financial institutions and government entities. Recently the group began using a new remote access trojan named PingPull with the capability to leverage three protocols (ICMP, HTTP(S) and raw TCP) for command and control (C2). ICMP is used to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic. More
Unfixed Travis CI bug exposes thousands of secret developer access tokens. These can be extracted from log files that are viewable in clear-text via Travis API. More
Iranian state-sponsored threat actor Lyceum is using a new custom .NET-based backdoor in recent campaigns directed against the Middle East. The malware leverages “DNS Hijacking” in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements. More
Last week, Cloudflare detected and mitigated a 26 million request per second (rps) Distributed Denial of Service attack (DDoS), the largest HTTPS DDoS attack on record. Requests were generated by a botnet of only 5,036 devices, each generating 5,200 rps at peak. The vendor has been tracking another much larger but less powerful botnet of over 730,000 devices which was able to generate only 1 million rps, i.e. roughly 1.3 rps on average per device. This smaller botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers. More
New Tesla hack allows thieves to register their own keys by abusing a flaw in the authorization mechanism used by the NFC key. All that’s required is to be within range of the car during the 130-second window of it being unlocked with an NFC card. If a vehicle owner uses the phone app to unlock the car, the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla’s phone-as-a-key app. More
Hertzbleed is a new family of side-channel attacks: frequency side channels. An attacker can abuse the issue to extract cryptographic keys from remote servers that were previously believed to be secure. Hertzbleed takes advantage of the fact that dynamic frequency scaling of modern x86 CPUs depends on the data being processed. This means that the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436. Researchers demonstrated impact using a chosen-ciphertext attack against the SIKE post-quantum algorithm to perform full key extraction via remote timing, despite SIKE being implemented as “constant time”. More
An international law enforcement operation (dubbed First Light 2022) led by Interpol has seized 50 million dollars and arrested over 2000 people involved in social engineering scams worldwide. More
A new strain of Android malware, MaliBot, is targeting mainly online banking customers in Spain and Italy and has the ability to steal credentials, cookies, multi-factor authentication (MFA) codes, cryptocurrency wallets, SMSs and display fake overlays. More