At a glance.
- A proposed standard for digital content attribution.
- Doki backdoor exploits exposed Docker servers.
- RedDelta accused of hacking the Vatican.
- NSO Group spyware in Togo.
- North Korean operators phishing with fake job offers.
- GRUB2 flaw can bypass Secure Boot.
A proposed standard for digital content attribution.
The Content Authenticity Initiative (CAI), a group formed by Adobe, the New York Times, and Twitter to develop a standard for digital content attribution, published a white paper (summarized by Axios) laying out its proposed solution to the problem of deepfakes and other doctored online content. CAI's system focuses on verifying the legitimacy of original content rather than detecting content that's been tampered with. The group's proposal involves implementing technology that generates a set of assertions and a digital signature (called a "claim") each time an image or video is created, altered, posted on social media, or has some other action performed on it. This claim (or a link to the claim) is stored in the file's metadata and forms a kind of timeline enabling users to see if and how a file has been altered since its creation. CAI says the standard could be integrated into hardware and software products and implemented by social media platforms.
However, the system doesn't prevent someone from deleting the metadata or taking a screenshot or recording of a file, then modifying it and presenting it as an original. As a result, CAI recommends that its proposed solution be used in combination with other methods, such as similarity detection and trusted timestamps, in order to increase a file's context.
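As an added illustration (not code from the CAI white paper or from any of the companies involved), the following builds and verifies a chain of claims of the kind described above: each claim carries assertions, a hash of the content at that point, a link to the previous claim, and a signature. It assumes the tool names and keys shown, and uses HMAC-SHA256 as a stand-in for the asymmetric signature a real deployment would use.

```python
import hashlib
import hmac
import json

# Assumption: CAI's design uses asymmetric signatures; HMAC-SHA256 with a
# per-tool key stands in for that so the example runs on the standard library.
TOOL_KEYS = {"camera": b"constructed-camera-key", "editor": b"constructed-editor-key"}

def canonical(obj):
    """Stable serialization so hashes and signatures always cover the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_claim(tool, assertions, content, prev_claim=None):
    """One claim: assertions, hash of the content as it now stands,
    a link to the previous claim, and a signature over all of it."""
    body = {
        "tool": tool,
        "assertions": assertions,
        "content_hash": hashlib.sha256(content).hexdigest(),
        "prev": hashlib.sha256(canonical(prev_claim)).hexdigest() if prev_claim else None,
    }
    sig = hmac.new(TOOL_KEYS[tool], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_chain(claims, content):
    """Walk the claims oldest to newest: every signature must check out, every
    link must point at the claim before it, and the last recorded content hash
    must match the file as delivered. Returns (ok, reason)."""
    prev = None
    for i, claim in enumerate(claims):
        body = claim["body"]
        key = TOOL_KEYS.get(body["tool"])
        if key is None:
            return False, f"claim {i}: unknown tool {body['tool']!r}"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, claim["sig"]):
            return False, f"claim {i}: bad signature"
        expected_prev = hashlib.sha256(canonical(prev)).hexdigest() if prev else None
        if body["prev"] != expected_prev:
            return False, f"claim {i}: broken link to previous claim"
        prev = claim
    if prev is None:  # a screenshot or a file with stripped metadata ends up here
        return False, "no provenance metadata (stripped or never added)"
    if prev["body"]["content_hash"] != hashlib.sha256(content).hexdigest():
        return False, "content does not match the last recorded state"
    return True, "ok"

def timeline(claims):
    """The user-facing history: which tool asserted what, in order."""
    return [(c["body"]["tool"], a) for c in claims for a in c["body"]["assertions"]]
```

Note that a file with no claims at all verifies as "no provenance metadata" rather than as forged, which is exactly the gap the screenshot-and-re-upload problem leaves open.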
Doki backdoor exploits exposed Docker servers.
Intezer warns that a "completely undetected Linux malware" is using automated, continuous scanning to detect and infect any Internet-exposed Docker servers. The malware, which the researchers have dubbed "Doki," is part of the Ngrok Botnet cryptomining campaign, but the malware in this case isn't a cryptominer.
Doki is a backdoor whose purpose is to gain access to misconfigured Docker API ports and then create its own containers. Intezer says these containers "are configured to bind /tmpXXXXXX directory to the root directory of the hosting server. This means every file on the server’s filesystem can be accessed and even modified, with the correct user permissions, from within the container." The malware has been active for more than six months, but was completely undetected until late July.
Doki uses a previously unobserved method to construct its command-and-control domains. The malware reaches out to an attacker-controlled Dogecoin cryptocurrency wallet address and reads the value of a recent transaction. This value is used to construct a subdomain on the attacker's server, which is used as the malware sample's C2 domain. The researchers explain, "Using this technique the attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet. Since only the attacker has control over the wallet, only he can control when and how much dogecoin to transfer, and thus switch the domain accordingly. Additionally, since the blockchain is both immutable and decentralized, this novel method can prove to be quite resilient to both infrastructure takedowns from law enforcement and domain filtering attempts from security products."
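As an added defender-side example (not code from Intezer's report), the following audits two things the Doki write-up hinges on: a Docker API reachable over plain TCP, and containers that bind the host's root filesystem (or another sensitive host path) into the container. The `docker inspect` and `daemon.json` samples are constructed; the container names and IDs in them are made up.

```python
import json

# Constructed sample of `docker inspect` output: one ordinary container and one
# with the host's root filesystem bind-mounted under /tmpXXXXXX, as described above.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Id": "bbb222", "Name": "/zealous_shaw",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/tmpXXXXXX", "RW": True}]},
])

# Constructed sample of /etc/docker/daemon.json exposing the API on plain TCP.
SAMPLE_DAEMON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

# Host paths that should never be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")

def host_root_mounts(inspect_json):
    """Return (container name, host path, container path, writable) for every
    bind mount whose host side is / or another sensitive path."""
    findings = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":
                continue
            src = m.get("Source", "").rstrip("/") or "/"   # normalise "/" and trailing slashes
            if src in SENSITIVE_HOST_PATHS:
                findings.append((c["Name"], src, m.get("Destination"), bool(m.get("RW"))))
    return findings

def unauthenticated_tcp_hosts(daemon_json):
    """Return tcp:// listeners not protected by client-certificate verification
    (`tlsverify`): an API that anyone able to reach the port can drive."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

def audit(inspect_json, daemon_json):
    """Human-readable findings, one line each."""
    lines = [f"EXPOSED API: {h}" for h in unauthenticated_tcp_hosts(daemon_json)]
    for name, src, dst, rw in host_root_mounts(inspect_json):
        lines.append(f"HOST MOUNT: {name} mounts host {src} at {dst} ({'rw' if rw else 'ro'})")
    return lines
```

In practice the inputs come from `docker inspect $(docker ps -q)` and the daemon's configuration file; a writable host-root mount in a container you did not create is the finding to act on first.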
RedDelta accused of hacking the Vatican.
Recorded Future researchers say a Chinese state-sponsored APT, "RedDelta," infiltrated the networks of the Vatican, the Catholic Diocese of Hong Kong, and several other Catholic organizations ahead of the upcoming renewal of the Vatican's controversial provisional agreement, under which the Chinese government was granted more control over the "underground" Catholic Church within the country.
The attackers used well-crafted spearphishing documents to deliver the PlugX malware to the targeted entities. The campaign displayed significant overlaps with previous operations by the threat actor tracked as "Mustang Panda," but Recorded Future attributes it to RedDelta based on several notably distinct TTPs.
The researchers conclude that "[t]he targeting of entities related to the Catholic church is likely indicative of CCP objectives in consolidating control over the 'underground' Catholic church, 'sinicizing religions' in China, and diminishing the perceived influence of the Vatican within China’s Catholic community." They also add that the campaign "demonstrates that China’s interest in control and surveillance of religious minorities is not confined to those within the 'Five Poisons,' exemplified by the continued persecution and detainment of underground church members and allegations of physical surveillance of official Catholic and Protestant churches."
NSO Group spyware in Togo.
Researchers at the University of Toronto's Citizen Lab have found that NSO Group's Pegasus spyware was used against supporters of reform in Togo, including a Catholic bishop, a priest, and two members of the country's political opposition. The victims were targeted via a WhatsApp vulnerability between April and May of 2019. The researchers have identified one Pegasus operator in Togo, which they suspect is sponsored by the Togolese Government.
North Korean operators phishing with fake job offers.
McAfee researchers describe Operation North Star, a North Korean cyberespionage campaign that targets workers in the defense and aerospace sector with bogus job offers. Pyongyang has used this approach intermittently since 2018. LinkedIn has again been used to communicate the offers, which are subsequently baited with malicious code. McAfee believes the TTPs are sufficiently similar to past campaigns to tie this activity to Hidden Cobra (also known as the Lazarus Group), but the malware and phishing lures are different enough that the researchers conclude the operation "is part of a different activity set."
The researchers aren't sure exactly who the campaign has targeted, but the phishing documents "contained job descriptions for engineering and project management positions in relationship to active defense contracts." These contracts and defense programs include:
- "F-22 Fighter Jet Program"
- "Defense, Space and Security (DSS)"
- "Photovoltaics for space solar cells"
- "Aeronautics Integrated Fighter Group"
- "Military aircraft modernization programs"
GRUB2 flaw can bypass Secure Boot.
Researchers at Eclypsium discovered a buffer overflow vulnerability (CVE-2020-10713), dubbed "BootHole," which affects the GRUB2 bootloader used by the vast majority of Linux systems. It could be exploited to gain the ability to execute arbitrary code even when Secure Boot is enabled. An attacker would need either administrative privileges or physical access to a device to exploit it, however, and Ars Technica points out that if the attacker has those, you’ve got a lot of other problems to worry about. Still, ZDNet observes that "the Secure Boot process was specifically created to prevent even high-privileged admin accounts from compromising the boot process, meaning that BootHole is a major security hole in one of the IT ecosystem's most secure operations."
The problem is located in GRUB2's external configuration file, which isn't signed and can therefore be modified. When this file processes a token that's too long to fit into its buffer, it returns an error message but accepts the token anyway, enabling buffer overflow attacks. The researchers also note that "the UEFI execution environment does not have Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP/NX) or other exploit mitigation technologies typically found in modern operating systems, so creating exploits for this kind of vulnerability is significantly easier."