News Items

  • news

    Pub Crawl #73


    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    "Johns Hopkins APL's Out-of-Band Communications Technology Receives Boost From Department of Homeland Security"

    Out-of-Band over Existing Communication (OBEC) is a novel communications technology developed at the Johns Hopkins University Applied Physics Laboratory (APL) to provide secure access to networks experiencing disruptions or cyberattacks. APL is one of seven federal laboratories to receive funding from the Science and Technology Directorate (S&T) of the Department of Homeland Security (DHS) in the latest round of the Commercialization Accelerator Program (CAP). The OBEC technology enables the creation of a new, physically isolated Out-of-Band (OOB) network on an existing Ethernet infrastructure, without the need for additional networking equipment or wireless connections. OOB communications occur outside of the normal systems, allowing users to communicate privately and securely, even on a compromised network. Alexander Beall, an electrical engineer at APL and project manager in the Asymmetric Operations Sector's Cyber Operations Mission Area, emphasizes that Industrial Control System (ICS) network connectivity is essential to operating and managing facilities and their processes. Cyberattacks on the network can have wide-reaching and severe effects, potentially endangering operators' safety, disrupting critical operations, and causing costly downtime. Beall and OBEC co-inventor Joseph Moore say that OOB communication supports network resilience, situational awareness, and secure management of networked devices by establishing alternative communication paths to manage network infrastructure devices. These alternative paths separate non-essential traffic from operational traffic, preventing hackers from compromising network infrastructure or interfering with network operations. This article continues to discuss APL's OBEC technology and its boost from DHS.

    The Johns Hopkins University Applied Physics Laboratory reports "Johns Hopkins APL's Out-of-Band Communications Technology Receives Boost From Department of Homeland Security"

  • news

    "CESER Supports DOE's $38 Million Funding Opportunity to Secure the Grid of the Future"

    The US Department of Energy (DOE) recently announced a $38 million funding opportunity for National Laboratories in support of critical research and development priorities regarding developing an electricity grid that provides secure, resilient, flexible, sustainable, affordable, and equitable electricity. This Grid Modernization Initiative (GMI) funding will be used to develop and support the deployment of concepts, tools, and technologies to improve national cybersecurity, better integrate all sources of electricity and energy storage, and more. GMI expects to make awards for projects on Cybersecurity for Architectures, Standards, and Practices (CASP), Quantum Facilities for Computing, Sensing, and Security (qFACSS), and other topics. The CASP project focuses on assessing and developing cybersecurity technical architectures, standards, and guidelines to protect the electric utility infrastructure during the transition to and operation on a decarbonized grid. The qFACSS project focuses on using existing and near-term quantum computing, sensing, and security technologies to address the grid's vulnerabilities and growing complexity. This article continues to discuss the initiative to secure the power grid.

    The US Department of Energy reports "CESER Supports DOE's $38 Million Funding Opportunity to Secure the Grid of the Future"

  • news

    "Thermal Cameras and Machine Learning Combine to Snoop Out Passwords"

    A team of researchers at the University of Glasgow published a paper describing their method, ThermoSecure, which discovers passwords and PINs. ThermoSecure involves using a combination of thermal imaging technology and Artificial Intelligence (AI) to expose passwords on input devices such as keyboards, touchpads, and touch screens. According to the researchers, during testing, ThermoSecure effectively attacked 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92 percent, 80 percent, 71 percent, and 55 percent, respectively. Furthermore, these results were based on relatively 'cold' evidence, and the paper adds that thermal images captured within 30 seconds provide even greater accuracy. The system requires a thermal camera, which has become significantly less expensive in recent years. According to the research paper, a useful device may only cost $150. In regard to AI, the system uses a Mask RCNN-based object detection technique that essentially maps the thermal image to keys. In three phases, variables such as keyboard localization are considered, followed by key entry and multi-press detection, and then algorithms determine the order of key presses. This article continues to discuss the research on thermal attacks against passwords.

    Tom's Hardware reports "Thermal Cameras and Machine Learning Combine to Snoop Out Passwords"

  • news

    "KillNet: We Are Now a Private Military Corporation"

    KillNet, the pro-Russian hacker group notorious for launching Distributed Denial-of-Service (DDoS) attacks, will offer its services to private and state sponsors, according to Killmilk, the group's leader. "KillNet's altruism has come to an end," the group's leader announced on the Telegram channel the gang uses to publicize its latest attacks. Since Russia invaded Ukraine on February 24, KillNet has primarily targeted Ukraine-supporting organizations with DDoS attacks. However, recently, the group appears to have surpassed its usual boundaries, leaking stolen data allegedly belonging to thousands of individuals with connections to NATO. The recent statement by Killmilk on Telegram suggests that the gang's hacktivism has turned to profiteering. According to the gang's leader, KillNet will now be known as a "private military hacker company." Nevertheless, Killmilk has promised that KillNet will continue its destructive activities in support of Russia's interests despite going private. Experts have cautioned against underestimating threat actors who primarily launch DDoS attacks, but their effectiveness remains in question as most of KillNet's targets experience a few hours of downtime before resuming normal operations. This article continues to discuss the KillNet gang becoming a private military hacker company and experts' thoughts on this announced change.

    Cybernews reports "KillNet: We Are Now a Private Military Corporation"

  • news

    "(ISC)2 Urges Countries to Strengthen Collaboration on Cybersecurity Regulation"

    According to (ISC)2, as cybersecurity policies and regulations evolve rapidly worldwide, greater collaboration is necessary to ensure more robust and resilient frameworks to support shared learning and best practices. The international cybersecurity non-profit has led new research in collaboration with the Royal United Services Institute (RUSI), a British think tank, examining cybersecurity legislation and regulation within the UK, the US, Canada, the EU, Japan, and Singapore. The RUSI and (ISC)2 researchers identified various challenges shaping cyber policy across all six jurisdictions, including the need to tackle the shortage of skilled cybersecurity professionals and the growing importance of protecting critical national infrastructure (CNI). While these two priorities are shared by all six jurisdictions analyzed, the study provides valuable insights into the different approaches these countries take to solve them. The researchers stated that by bringing together insights from different jurisdictions and stakeholders, the study also shows the importance of cooperation between private and public stakeholders and that policymakers increasingly seek harmonization of cyber policy. The researchers stated that it is important to understand which policies are effective in increasing cyber resilience and how they impact businesses and the cyber workforce implementing them. The researchers noted that ally countries should adopt "a proactive, rather than reactive, approach toward cybersecurity policy and collaborate across borders, industries, and sectors to establish common standards, protocols, and best practices." The research was conducted from December 2022 to March 2023 and was primarily based on a review of existing literature about policies enacted or proposed within the six jurisdictions between 2019 and 2023.

    Infosecurity reports: "(ISC)2 Urges Countries to Strengthen Collaboration on Cybersecurity Regulation"

  • news

    "New 'Atomic macOS Stealer' Malware Offered for $1,000 Per Month"

    Security researchers at Cyble have revealed that a new piece of macOS malware named Atomic macOS Stealer, or AMOS, appears to provide a wide range of data theft capabilities, targeting passwords, files, and other types of information. The researchers analyzed a sample of the AMOS malware that was uploaded recently to VirusTotal and which had zero detections on the malware analysis platform at the time of its discovery. It has currently only been detected by one antimalware engine. According to the researchers, the malware, advertised on a Telegram channel, has been offered for $1,000 per month. Its author claims it can steal all passwords from the Keychain, full system information, and files from the compromised computer. It can also allegedly steal passwords, cookies, cryptocurrency wallets, and payment card data from browsers such as Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, and Opera. It can also steal cryptocurrency wallets outside the web browser and from browser extensions. The researchers stated that users of the malware are provided a web-based management interface hosted on a .ru domain, and exfiltrated data can also be sent to specified Telegram channels. The malware is delivered as a .dmg file, and when first executed, it displays a fake prompt to trick the victim into handing over their macOS system password. A researcher from Trellix has also analyzed the malware and noticed that an IP address used by AMOS might be linked to Raccoon Stealer, a piece of malware previously tied to Russian and Ukrainian threat actors. The researchers noted that it is unclear whether the malware is signed and how much effort is required to bypass macOS security features and get it to execute on a system. The researchers stated that in many cases, malware designed to run on macOS may appear to have numerous capabilities, but actually getting it to execute on targeted systems is not an easy task.

    SecurityWeek reports: "New 'Atomic macOS Stealer' Malware Offered for $1,000 Per Month"

  • news

    "Google Goes After CryptBot Distributors"

    Google has recently revealed details of a new legal campaign to pursue the operators of prolific information-stealing malware, which has so far infected an estimated 670,000 computers. Google launched a civil case against several of CryptBot's major distributors, which it said are likely based in Pakistan. Google stated that to hamper the spread of CryptBot, the court has granted a temporary restraining order to bolster their ongoing technical disruption efforts against the distributors and their infrastructure. The court order allows Google to take down current and future domains that are tied to the distribution of CryptBot. Google noted that this will slow new infections from occurring and decelerate the growth of CryptBot. Google stated that lawsuits have the effect of both establishing legal precedents and putting those profiting, and others in the same criminal ecosystem, under scrutiny. CryptBot is typically hidden in legitimate-seeming but maliciously modified software like Google Earth Pro and Google Chrome. Google stated that if consumers unwittingly download the software, the CryptBot malware will get to work stealing authentication credentials, social media account logins, cryptocurrency wallets, and more from their machines.

    Infosecurity reports: "Google Goes After CryptBot Distributors"

  • news

    "Using Quantum Physics to Secure Wireless Devices"

    The security of communication between wireless devices, such as access cards, key fobs, Bluetooth speakers, and more, is essential to maintaining privacy and preventing theft. However, these tools are not foolproof, and it is becoming easier to find information on how to hack, clone, and circumvent these systems. Therefore, computer engineers at the University of Illinois Chicago (UIC) have been researching methods for developing more secure devices. In a new paper, UIC researchers describe a quantum physics-inspired method for improving wireless device identification and securing device-to-device communication. It uses a truly random and unique digital fingerprint to create a nearly unbreakable hardware encryption system. The scientists used a quantum physics theory with mathematical experiments to identify a "divergent exceptional point." Quantum physics describes systems that are difficult or impossible to measure precisely, and a quantum state describes a parameter space or range of possible measurements. There are exceptional points within these states where the system's uncertainty is at its maximum. These points present promise for cryptography because the more uncertain the system is, the more secure it is. This article continues to discuss the research on spectral sensitivity near exceptional points as a resource for hardware encryption.

    The University of Illinois Chicago reports "Using Quantum Physics to Secure Wireless Devices"

  • news

    "Microsoft Blames Clop Affiliate for PaperCut Attacks"

    Microsoft has recently claimed that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the result of a Clop ransomware affiliate. The two bugs in question are CVE-2023-27350, a critical unauthenticated remote code execution flaw, and CVE-2023-27351, a high severity unauthenticated information disclosure flaw. The former has a CVSS score of 9.8. Microsoft Threat Intelligence attributed recent attacks exploiting the bugs to "Lace Tempest," a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware. Microsoft stated that Lace Tempest, also known as DEV-0950, is a Clop ransomware affiliate that has previously been detected using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks as early as April 13. Microsoft stated that in observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service. Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync. Microsoft noted that other groups might also be exploiting the two PaperCut vulnerabilities in the wild, and that some intrusions had led to the deployment of the prolific LockBit ransomware.

    Infosecurity reports: "Microsoft Blames Clop Affiliate for PaperCut Attacks"

  • news

    "RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts"

    The threat actors behind RTM Locker have a new ransomware strain capable of infecting Linux systems. Uptycs stated in a new report that the locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by the leaked source code of the Babuk ransomware. Files are encrypted using a combination of ECDH on Curve25519 (asymmetric encryption) and ChaCha20 (symmetric encryption). Trellix first documented RTM Locker earlier this month, citing the adversary as a private Ransomware-as-a-Service (RaaS) provider. It originates from Read The Manual (RTM), a cybercriminal group active since at least 2015. The group is known for avoiding high-profile targets, such as critical infrastructure, law enforcement, and hospitals, in order to attract the least amount of attention possible. In addition to using affiliates to extort victims, it leaks stolen information if they refuse to pay. Before starting the encryption process, the Linux variant terminates all virtual machines operating on a compromised host, singling out ESXi hosts. The initial infector used to distribute the ransomware is currently unknown. This article continues to discuss researchers' findings and observations regarding RTM Locker's first Linux ransomware strain.

    THN reports "RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts"

  • news

    "CISOs Struggle to Manage Risk Due to DevSecOps Inefficiencies"

    According to Dynatrace, as hybrid and multi-cloud environments become more complex and teams continue to rely on manual processes that make it easier for vulnerabilities to enter production environments, it becomes more difficult for CISOs to keep software secure. DevSecOps adoption is hindered by the continued use of siloed tools for development, delivery, and security tasks. This emphasizes the increasing need for observability and security to converge in order to fuel data-driven automation that enables development, security, and Information Technology (IT) operations teams to deliver faster, more secure innovation. Sixty-eight percent of CISOs report that vulnerability management has become more difficult due to the increased complexity of their software supply chain and cloud ecosystem. Only 50 percent of CISOs are confident that the software delivered by development teams has been thoroughly tested for vulnerabilities before deployment in production environments. Additionally, 77 percent of CISOs say it is difficult to prioritize vulnerabilities due to a lack of information about the risk they pose to their environment. Fifty-eight percent of vulnerability alerts that security scanners alone flag as "critical" are not significant in production, wasting development time pursuing false positives. On average, members of development and application security teams dedicate 28 percent of their time, or 11 hours per week, to vulnerability management tasks that could be automated. This article continues to discuss key findings from Dynatrace's report on CISOs struggling to manage risk due to DevSecOps inefficiencies.

    Help Net Security reports "CISOs Struggle to Manage Risk Due to DevSecOps Inefficiencies"
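    The survey's point that scanner severity alone misranks findings (58 percent of scanner-"critical" alerts not significant in production, 77 percent of CISOs lacking environment context) is easiest to see with a small re-ranking model. The following is an added illustration, not Dynatrace's scoring or any product's method: the weights, the placeholder CVE identifiers, the service names and the runtime facts (which libraries a process actually loads, whether it is internet-facing, whether it handles sensitive data) are all assumptions constructed for the example.

```python
"""Re-rank scanner 'critical' findings with production context.

Added illustration (not Dynatrace's method): weights and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str        # constructed placeholder identifiers, not real CVEs
    service: str    # service whose image the scanner flagged
    package: str
    cvss: float     # scanner-reported base score


@dataclass(frozen=True)
class Runtime:
    service: str
    loaded_packages: frozenset   # libraries the running process actually loads
    internet_facing: bool
    handles_sensitive_data: bool


# Assumed weights chosen for illustration; a real program would calibrate them.
NOT_INTERNET_FACING = 0.6
SENSITIVE_DATA_BOOST = 1.25
SCANNER_CRITICAL = 9.0


def effective_priority(f: Finding, rt: Runtime):
    """Return (score, reason); code that is installed but never loaded scores 0."""
    if f.package not in rt.loaded_packages:
        return 0.0, f"{f.package} installed but never loaded by {rt.service}"
    score, notes = f.cvss, ["loaded at runtime"]
    if not rt.internet_facing:
        score *= NOT_INTERNET_FACING
        notes.append("no internet exposure")
    if rt.handles_sensitive_data:
        score *= SENSITIVE_DATA_BOOST
        notes.append("handles sensitive data")
    return min(10.0, score), "; ".join(notes)


def prioritize(findings, runtimes):
    """Rank findings by effective score, highest first, as (score, cve, service, reason)."""
    by_service = {rt.service: rt for rt in runtimes}
    ranked = []
    for f in findings:
        score, why = effective_priority(f, by_service[f.service])
        ranked.append((score, f.cve, f.service, why))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


def critical_noise(findings, runtimes):
    """Scanner-critical CVEs whose effective score is 0: the false positives the survey describes."""
    by_service = {rt.service: rt for rt in runtimes}
    return [f.cve for f in findings
            if f.cvss >= SCANNER_CRITICAL
            and effective_priority(f, by_service[f.service])[0] == 0.0]


# Constructed sample data: one scanner-critical CVE in a library the service never
# loads, one high CVE in the internet-facing request path, one critical CVE in an
# internal batch job.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "billing-api", "libxml-parser", 9.8),
    Finding("CVE-PLACEHOLDER-2", "billing-api", "http-router", 7.5),
    Finding("CVE-PLACEHOLDER-3", "batch-worker", "image-thumbnailer", 9.1),
]
RUNTIMES = [
    Runtime("billing-api", frozenset({"http-router", "db-driver"}), True, True),
    Runtime("batch-worker", frozenset({"image-thumbnailer"}), False, False),
]

if __name__ == "__main__":
    for score, cve, service, why in prioritize(FINDINGS, RUNTIMES):
        print(f"{score:4.1f} {cve} ({service}): {why}")
    print("scanner-critical but irrelevant:", critical_noise(FINDINGS, RUNTIMES))
```

    With these inputs the 7.5 finding in the internet-facing request path outranks both scanner-critical ones, and the 9.8 in a never-loaded library drops to zero; the runtime facts are exactly the context the surveyed CISOs say they lack, and they are what an observability pipeline would supply.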

  • news

    "Tencent QQ Users Hacked in Mysterious Malware Attack, Says ESET"

    The Chinese Advanced Persistent Threat (APT) hacking group known as Evasive Panda is linked to an attack that distributed the MsgBot malware as part of an automatic update for the Tencent QQ messaging app. Since 2012, the cyberespionage group Evasive Panda has targeted organizations and individuals in China, Hong Kong, Macao, Nigeria, and numerous Southeast and East Asian countries. In January 2022, security researchers at ESET discovered the threat actor's most recent campaign, citing evidence that the operation began in 2020. Most of the campaign's victims are members of an international Non-Governmental Organization (NGO) and reside in the provinces of Gansu, Guangdong, and Jiangsu, indicating a highly targeted approach. According to ESET, the MsgBot malware payload was delivered to victims as a Tencent QQ software update from developer-connected URLs and IP addresses. This indicates two possible attack scenarios: a supply chain attack and an adversary-in-the-middle (AITM) attack. This article continues to discuss the Evasive Panda APT group compromising the Tencent QQ messaging app.

    Bleeping Computer reports "Tencent QQ Users Hacked in Mysterious Malware Attack, Says ESET"

  • news

    "Metaverse Version of the Dark Web Could Be Nearly Impenetrable"

    In the coming years, as the metaverse takes shape, many security issues plaguing cyberspace will also begin to affect virtual space. One of the threats will be the emergence of a new "darkverse," where criminals will be able to operate with greater impunity and danger than they can on the Dark Web today, according to two Trend Micro researchers speaking at an RSA Conference 2023 session on April 26 in San Francisco. The metaverse is a term used to describe a virtual space where individuals and organizations can interact in a computer-generated version of the physical world. A full-fledged metaverse will enable users to shop, work, socialize, and engage in other activities in a virtual replica of the physical world, similar to how multiplayer online games allow users to create digital avatars of themselves and interact with other gamers in fantasy worlds. According to the researchers, the same phenomenon will occur in the cybercriminal underworld. They noted that, just as the Dark Web exists on an unindexed deep web, the darkverse will operate within an unindexed "deepverse" that will be difficult for law enforcement to penetrate. Senior threat researchers at Trend Micro released a report last year detailing how security and privacy threats will likely emerge and evolve in the metaverse as its use increases. Among the threats identified in the report were amplified versions of some existing issues, such as social engineering, financial fraud, and privacy risks, as well as some novel threats, such as risks associated with NFTs, and cyber-physical threats. This article continues to discuss why it will be difficult for law enforcement to take down criminal activities on the deepverse.

    Dark Reading reports "Metaverse Version of the Dark Web Could Be Nearly Impenetrable"

  • news

    "8 Areas of Future Research in Zero Trust"

    In the National Cybersecurity Strategy published on March 1, 2023, the Biden administration committed to improving federal cybersecurity by implementing a Zero Trust Architecture (ZTA) strategy as well as modernizing Information Technology (IT) and Operational Technology (OT) infrastructure. Experts at Carnegie Mellon University have identified zero trust-related issues that warrant further study. By focusing on these areas, government, academia, and industry organizations can collaborate to develop solutions that improve and accelerate ongoing ZTA transformation efforts. Zero trust is a security framework that requires all users, whether inside or outside the organization's network, to be authenticated, authorized, and validated for security configuration and posture prior to gaining or maintaining access to applications and data. CMU has identified eight potential research areas in zero trust. These areas include agreeing on a generally accepted set of basic zero trust definitions, establishing a common view of zero trust, establishing standard zero trust maturity levels, explaining how to progress through zero trust maturity levels, ensuring zero trust supports distributed architectures, and more. The highlighting of these areas of future research raises awareness, fosters collaboration between public and private organizations to address real-world problems, and accelerates the adoption of zero trust in government and industry. This article continues to discuss the potential areas of future research in zero trust.

    Carnegie Mellon University reports "8 Areas of Future Research in Zero Trust"

  • news

    "Used Routers Often Come Loaded With Corporate Secrets"

    Researchers from the security company ESET discovered that over half of the secondhand enterprise routers they purchased for testing were overflowing with network information, credentials, and sensitive data about the institutions that previously owned them. The researchers purchased 18 used routers from Cisco, Fortinet, and Juniper Networks. Nine were exactly as their previous owners had left them and were completely accessible, whereas only five had been thoroughly wiped. Two were encrypted, one was inoperable, and one was a copy of another device. The nine unprotected devices all contained Virtual Private Network (VPN) credentials, credentials for another secure network communication service, or hashed root administrator passwords. In addition, all of them contained sufficient information to identify the previous owner or operator of the router. Eight of the nine unprotected devices had router-to-router authentication keys and details regarding how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other entities, such as trusted partners, collaborators, and more. Three contained information on how a third party could connect to the network of the previous owner, and two contained customer information. This article continues to discuss the exposure of corporate secrets by old discarded routers.

    Ars Technica reports "Used Routers Often Come Loaded With Corporate Secrets"

  • news

    "Irrigation Systems in Israel Hit With Cyber Attack That Temporarily Disabled Farm Equipment"

    The cyberattack that targeted irrigation systems in Israel is suspected to be part of an annual "hacktivist" campaign. The hackers targeted farms and water treatment facilities. A dozen farms failed to heed a warning from the National Cyber Directorate to disable certain remote connections before the hacking campaign struck, and their automated irrigation systems were temporarily deactivated. The cyberattack is part of an annual campaign called "OpIsrael," which targets the country in April with Distributed Denial-of-Service (DDoS) attacks and attempted breaches. The campaign was initiated in 2013 by hackers operating under the banner of Anonymous. It has never been attributed to a specific group or country, but it has always conveyed pro-Palestinian sentiment and has been praised by Hamas spokespersons. The cyberattack campaign appears to present new targets of opportunity each year. This year, the threat actors have focused on irrigation systems. The Galil Sewage Corporation was one of the targeted wastewater processors that was compromised, and the company reports that the cyberattack affected several controllers for about one day and disrupted some treatment processes. This article continues to discuss the OpIsrael campaign and its recent targets.

    CPO Magazine reports "Irrigation Systems in Israel Hit With Cyber Attack That Temporarily Disabled Farm Equipment"

  • news

    "As Cyber Attacks Surge, the Defense Department Turns to Universities for Cybersecurity Grads"

    As cyberattacks make the US, its businesses, and its citizens more vulnerable to data breaches, ransomware, and IP theft, the country's demand for cybersecurity professionals exceeds its talent pool. In 2022, the US cybersecurity workforce grew by five percent, but the supply-and-demand gap widened by nine percent. The gap may persist for a generation if the pipeline is not expanded significantly and quickly. In order to better defend against cyberattacks and electromagnetic spectrum (EMS) weapons, the Department of Defense (DOD) has collaborated with 19 universities, the Air Force Research Laboratory, and the STEM-talent and defense-tech accelerator Griffiss Institute to train the next generation of cybersecurity professionals. The Virtual Institutes for Cyber and Electromagnetic Spectrum Research and Employ (VICEROY) program groups university partners into six virtual institutes. Each institute receives $1.5 million over two years for its cybersecurity, EMS, cryptography, and data science efforts in accordance with DOD workforce requirements. VICEROY DECREE (DOD Electromagnetic and Cyber Research and Experiential Education) is a virtual institute led by Northeastern University that also includes Northern Arizona University, the University of Houston, and the University of South Carolina. This article continues to discuss the goals and structure of the VICEROY program.

    Northeastern University reports "As Cyber Attacks Surge, the Defense Department Turns to Universities for Cybersecurity Grads"

  • news

    "MITRE Debuts Cyber Risk Analysis & Adversarial Emulation Tools to Secure Critical Infrastructure"

    Critical infrastructure is riddled with cyber vulnerabilities, but the issue is which vulnerabilities must be mitigated first. MITRE is debuting its Infrastructure Susceptibility Analysis (ISA) that identifies and prioritizes mitigations by exploring how adversaries compromise infrastructure and what is required to stop them. MITRE is also releasing the MITRE Caldera for OT tool, which enables security teams to conduct automated adversary emulation exercises specifically aimed at Operational Technology (OT). Many organizations need help assessing risk and prioritizing their OT system cybersecurity efforts. The coverage provided by a traditional IT strategy without an OT-specific solution is insufficient. Based on the OT system's vulnerability to adversaries and its current architecture, MITRE's ISA methodology prioritizes risks accordingly. Using risk-based context, ISA expands on current threat intelligence approaches to help organizations reduce risk in operational environments. MITRE developed the ISA methodology using several existing MITRE capabilities and research areas, such as MITRE ATT&CK for ICS, CAPEC, and Threat-Informed Failure Scenario Development, to create a new model that enables asset owners to assess the most likely adversary kill chains. The outcome is a multi-step, evolving process that helps organizations understand the potential technical effects of cyberattacks. These technology-specific insights are combined with threat information to produce actionable intelligence for OT systems. This article continues to discuss MITRE's new cyber risk analysis and adversarial emulation tools aimed at bolstering the security of critical infrastructure.

    MITRE reports "MITRE Debuts Cyber Risk Analysis & Adversarial Emulation Tools to Secure Critical Infrastructure"

  • news

    "A Security Team Is Turning This Malware Gang's Tricks Against It"

    The attacks and operations of specific cybercriminal groups, such as ransomware gangs, botnet operators, and financial fraudsters, receive special attention. However, the larger ecosystem behind digital crime has various malicious actors and organizations that sell support services to cybercriminal customers. Researchers from the security company eSentire are disclosing their methods for disrupting the operations of a long-standing criminal group that compromises businesses and other organizations and sells digital access to them to other attackers. Known as an initial-access-as-a-service operation, the Gootloader malware and the group behind it have been active for years. The Gootloader gang infects victim organizations and then sells access to deliver a customer's desired malware into the compromised target network, be it ransomware, data exfiltration mechanisms, or other tools to further compromise the target. The eSentire researchers gathered evidence that, between 2019 and 2022, the notorious Russia-based ransomware gang REvil regularly collaborated with Gootloader to get initial access to victims, a relationship that other researchers have also observed. They did this by tracking Gootloader page data. Joe Stewart, the principal security researcher at eSentire, and Keegan Keplinger, a senior threat researcher, designed a web crawler to monitor live Gootloader web pages and formerly infected sites. There are currently about 178,000 live Gootloader web pages and over 100,000 pages that appear to have been infected with Gootloader in the past. This article continues to discuss researchers applying the same mechanisms used by the cybercriminals behind the Gootloader malware to stop the gang.

    Wired reports "A Security Team Is Turning This Malware Gang's Tricks Against It"

  • news

    Visible to the public "Peugeot Leaks Access to User Information in South America"

    Stellantis' French automobile brand Peugeot exposed its customers in Peru, a South American country with a population of roughly 34 million. Although the country is not a particularly significant market for the automaker, this discovery is yet another example of how well-known brands fail to secure sensitive data. The Cybernews research team found an exposed environment file (.env) on the official Peugeot store for Peru on February 3. The exposed file contained a full MySQL database Uniform Resource Identifier (URI), a unique sequence of characters identifying a resource, and the username and password to access it. The file also contained a JSON Web Token (JWT) passphrase and the locations of private and public keys, in addition to a link to the site's git repository and a Symfony application secret. This article continues to discuss the exposed environment file hosted on the official Peugeot store for Peru and the potential impact of this leak.

    Cybernews reports "Peugeot Leaks Access to User Information in South America"

  • news

    Visible to the public "Critical Flaw Patched in VMware Workstation and Fusion"

    VMware has recently addressed multiple security vulnerabilities in its Workstation and Fusion products. The vulnerabilities, identified as CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, and CVE-2023-20872, have been privately reported to VMware and have CVSS v3.x scores between 7.3 and 9.3. VMware noted that one of the flaws, CVE-2023-20869, is a stack-based buffer overflow vulnerability in the functionality for sharing host Bluetooth devices with the virtual machine (VM). A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. VMware has evaluated this bug as being of Critical severity with a maximum CVSS v3.x base score of 9.3. Another vulnerability, CVE-2023-20870, is an out-of-bounds read flaw in the same Bluetooth functionality. VMware has evaluated this vulnerability as Important, with a maximum CVSS v3.x base score of 7.1. VMware noted that CVE-2023-20871, on the other hand, is a local privilege escalation vulnerability in VMware Fusion. VMware has evaluated this vulnerability as Important, with a maximum CVSS v3.x base score of 7.3. Finally, CVE-2023-20872 is an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation in VMware Workstation and Fusion. VMware has evaluated this bug as being of Important severity with a maximum CVSS v3.x base score of 7.7. VMware has released updates and workarounds to remediate these vulnerabilities in the affected products.

    Infosecurity reports: "Critical Flaw Patched in VMware Workstation and Fusion"

  • news

    Visible to the public "Alloy Taurus Hackers Update PingPull Malware to Target Linux Systems"

    Security researchers at Palo Alto Networks' Unit 42 have observed the threat actor known as Alloy Taurus deploying a new variant of the PingPull malware targeting Linux systems. The researchers believe Alloy Taurus is a Chinese advanced persistent threat (APT) group focusing on espionage campaigns and has been active since at least 2012. This group has historically targeted telecommunications companies operating across Asia, Europe, and Africa. The researchers stated that in recent years, they have also observed the group expand its targeting to include financial institutions and government entities. As part of the new campaign, the security researchers said they also saw Alloy Taurus targeting individuals in South Africa and Nepal. Most vendors initially identified the Linux sample observed by the researchers as benign. However, further analysis revealed that it matched the communication structure, parameters, and commands of the known PingPull malware. The researchers noted that the malicious tool is designed to communicate with its command-and-control (C2) server using encrypted data and can receive and execute commands from the server. The results of these commands are then sent back to the server for further action. The researchers stated that this Linux variant of PingPull malware uses the same AES key as the original Windows PE (Portable Executable) variant for encrypting its communication with the C2 server. While investigating the C2 domain of the PingPull Linux variant, the researchers also identified an additional sample that communicated with the same domain. This malware was found to be a backdoor, which the team called Sword2033. The backdoor supports three essential functions: uploading and downloading files to and from the system, and executing commands. The researchers noted that these commands are identical in value and functionality to those used by the PingPull malware. Further analysis of the C2 infrastructure revealed links to Alloy Taurus activities. The researchers noted that the identification of a Linux variant of PingPull malware and the recent use of the Sword2033 backdoor suggests that the group continues to evolve its operations in support of its espionage activities.

    Infosecurity reports: "Alloy Taurus Hackers Update PingPull Malware to Target Linux Systems"

  • news

    Visible to the public "A Developer Exploited an API Flaw to Provide Free Access to GPT-4"

    Unconcerned with legal repercussions, a developer is attempting to reverse engineer Application Programming Interfaces (APIs) in order to provide free access to popular Artificial Intelligence (AI) models such as OpenAI's GPT-4. The developer's project, called GPT4Free, exploded on GitHub over the past few days after links to it on Reddit went viral. GPT4Free appears to provide free and nearly unlimited access to GPT-4 and GPT-3.5, the predecessor to GPT-4. The developer, a computer science student, stated that reverse engineering has always been an area of interest to them. Instead of bypassing OpenAI's paywall, GPT4Free tricks the OpenAI API into believing that it is receiving requests from websites with paid OpenAI accounts. The developer claims that GPT4Free only serves "educational purposes." There is expected to be a game of whack-a-mole between efforts such as GPT4Free and OpenAI that reflects the larger cybersecurity landscape. If the model-serving APIs do not become significantly more difficult to exploit, researchers and malicious actors will continue to take advantage of vulnerabilities. This article continues to discuss the exploitation of an API vulnerability to provide free access to GPT-4.

    TechCrunch reports "A Developer Exploited an API Flaw to Provide Free Access to GPT-4"

  • news

    Visible to the public "UK Cyber Pros Burnt Out and Overwhelmed"

    According to security researchers at Expel, over half (52%) of UK IT decision-makers (ITDMs) expect security team members to leave within the year due to burnout. The researchers polled 500 ITDMs from organizations of all sizes for their study. The researchers noted that nearly half (48%) of respondents claimed that alert fatigue impacts their teams. This typically occurs in security operations (SecOps) teams when they are unable to prioritize multiple alerts from disparate tools. As a result, 93% of respondents said they've regularly missed personal commitments because of their jobs, while a third (34%) said this happens most or all of the time. Over half (52%) agreed that their team spends too much time dealing with unnecessary cybersecurity notifications. The researchers stated that security remains a significant challenge for UK firms. Respondents were most concerned about the impact of malware (43%), followed by ransomware (38%), phishing (38%), and business email compromise (25%), although just 14% said the same about nation states. The researchers stated that worryingly, on average, 27% of security budgets went unspent in 2022, amounting to around $66,000 per firm. A fifth (21%) of respondents spent 50% or less of their budgets.

    Infosecurity reports: "UK Cyber Pros Burnt Out and Overwhelmed"

  • news

    Visible to the public "Quad Countries Prepare For Info Sharing on Critical Infrastructure"

    The Quadrilateral Security Dialogue (Quad) is working on a new information-sharing agreement that would help its four members improve cyber-resilience and their response to critical national infrastructure (CNI) threats. The four members of the group are the US, Japan, India, and Australia. They aim to reach an agreement by May when they meet in Australia. The cybersecurity agencies of each government will share information on CNI threats passed on to them by the private sector operators of essential services. The Quad also wants to agree on common security standards to align procurement of security management and data encryption systems. That could ensure greater interoperability of systems and minimum baseline security so that they all work well together in an emergency. A joint statement issued by the Quad following a meeting in New Delhi in January 2023 highlighted further steps the group will take. In the longer term, the group has also committed to: "leveraging machine learning and related advanced technologies to enhance cybersecurity; establishing secure channels for Computer Emergency Response Teams (CERT) and private sector threat information sharing; and creating a framework and methodology for ensuring supply chain security and resilience for ICT and operational technology (OT) systems of critical sectors."

    Infosecurity reports: "Quad Countries Prepare For Info Sharing on Critical Infrastructure"

  • news

    Visible to the public SoS Musings #72 - Making the Move to Memory-Safe Programming Languages


  • news

    Visible to the public Cybersecurity Snapshots #41 - BlackCat Ransomware Group


  • news

    Visible to the public "Making Emergency Calls More Secure"

    The National Science Foundation (NSF) has awarded a $1.2 million grant to a team of Michigan State University (MSU) researchers to continue enhancing the security of cellular 911 calls. Customers benefit from improved coverage and faster service as the nation's cellular networks and technological infrastructure continue to develop. However, these advancements also present new opportunities for cybercriminals to exploit security vulnerabilities. Researchers from the College of Engineering at MSU have been concerned with the security of cellular 911 calls. They want to advance the technology for protecting next-generation services over cellular networks from the design phase to the implementation phase. This grant will allow Guan-Hua "Scott" Tu and Li Xiao, MSU professors of computer science and engineering, to continue expanding their work on securing cellular 911 calls. At the 28th Annual International Conference on Mobile Computing and Networking (MobiCom) in October 2022, Tu and Xiao's team presented work titled "Uncovering Insecure Designs of Cellular Emergency Services (911)." This presentation highlighted vulnerabilities in the systems implemented in the US that allow anyone to connect to emergency services from a mobile phone. The team demonstrated that these vulnerabilities could be exploited to cause various issues, including allowing attackers to hijack cell services, send spam to customers, and even prevent 911 callers from reaching dispatchers. This article continues to discuss the project to continue reducing cybersecurity risks to protect cellular 911 calls.

    Michigan State University reports "Making Emergency Calls More Secure"

  • news

    Visible to the public Cyber Scene #79 - Tech Driving Geopolitics; Cyber at the Wheel


  • news

    Visible to the public "Charming Kitten's New BellaCiao Malware Discovered in Multi-Country Attacks"

    Charming Kitten is an Iranian nation-state group that has targeted multiple victims in the US, Europe, the Middle East, and India with a novel malware called BellaCiao. BellaCiao, discovered by Bitdefender Labs, is a "personalized dropper" capable of delivering other malware payloads onto a victim machine in response to commands from an actor-controlled server. The cybersecurity company stated that each sample collected was linked to a specific victim and contained hard-coded information such as specially crafted subdomains, a company name, and an associated public IP address. Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm, TA453, and Yellow Garuda, is an Advanced Persistent Threat (APT) group associated with the Islamic Revolutionary Guard Corps (IRGC). Over the years, the group has deployed backdoors in systems belonging to various industry verticals using multiple techniques. Microsoft linked the threat actor to retaliatory attacks against critical infrastructure entities in the US between late 2021 and mid-2022, which involved custom malware such as CharmPower, Drokbk, and Soldier. This article continues to discuss Charming Kitten's use of the BellaCiao malware and the history of the APT group.

    THN reports "Charming Kitten's New BellaCiao Malware Discovered in Multi-Country Attacks"

  • news

    Visible to the public "Chinese Hackers Use New Linux Malware Variants for Espionage"

    In cyberespionage attacks, hackers are deploying new Linux malware variants, such as a new PingPull variant and a previously undocumented backdoor known as Sword2033. PingPull is a Remote Access Trojan (RAT) first identified by Unit 42 in espionage attacks conducted by the Chinese state-sponsored group Gallium, also known as Alloy Taurus, last summer. The group attacked government and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines. Unit 42 has continued to monitor these malicious campaigns and now reports that the Chinese threat actor is using new malware variants against targets in South Africa and Nepal. The Linux variant of PingPull is an ELF file that only three out of 62 anti-virus vendors identify as malicious. Unit 42 determined that it is a variant of the well-known Windows malware by observing similarities in the HTTP communication structure, POST parameters, AES key, and commands it receives from the threat actor's command-and-control (C2) server. This article continues to discuss new Linux malware variants used by the Chinese state-sponsored group Gallium in cyberespionage attacks.

    Bleeping Computer reports "Chinese Hackers Use New Linux Malware Variants for Espionage"

  • news

    Visible to the public "New Coercive Tactics Used to Extort Ransomware Payments"

    According to GuidePoint Security, the increase in reported ransomware victims during the first quarter of 2023 reflects the continued prevalence of ransomware as a global, industry-agnostic threat. The report is based on data from publicly available resources, including the threat groups themselves, as well as an analysis of the ransomware threat landscape. The GuidePoint Research and Intelligence Team (GRIT) tracked 849 publicly posted ransomware victims claimed by 29 threat groups during the first quarter. The most recent report from GRIT reveals a 27 percent increase in public ransomware victims compared to the first quarter of 2022 and a 25 percent increase compared to the fourth quarter of 2022. Manufacturing, technology, education, banking and finance, and healthcare organizations continue to account for the majority of ransomware victims that have been posted publicly. LockBit remains the most prolific ransomware threat group, but Clop has taken the lead due to its rapid and extensive exploitation of a file-sharing application vulnerability. Vice Society continues to be the most effective group targeting the education sector, supporting the claim that certain groups maintain a consistent targeting profile. GRIT's analysis reveals an increase in the use of novel coercive tactics by multiple prolific ransomware groups that follow the "double extortion" model of operations. This article continues to discuss key findings from the GuidePoint GRIT Q1 2023 Ransomware Report.

    Help Net Security reports "New Coercive Tactics Used to Extort Ransomware Payments"

  • news

    Visible to the public "Attackers Abuse PaperCut RCE Flaws to Take Over Enterprise Print Servers"

    Researchers have disclosed new information about how attackers are circumventing authentication and executing remote code by exploiting two vulnerabilities in the PaperCut enterprise print management system used by more than 100 million customers worldwide. The vulnerabilities bring further attention to the threat that enterprise printers and related systems pose to organizations' overall security, a frequently overlooked threat. Researchers from PaperCut and security companies have already warned that attackers are exploiting the vulnerabilities, which PaperCut patched in an update to its PaperCut MF and NG products on March 8. Threat actors are using the flaws to seize control of unpatched versions of the software. On April 21, the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities to its catalog of known exploited vulnerabilities. This article continues to discuss attackers exploiting flaws in the PaperCut enterprise print management system to bypass authentication and execute remote code.

    Dark Reading reports "Attackers Abuse PaperCut RCE Flaws to Take Over Enterprise Print Servers"

  • news

    Visible to the public "A New Mirai Botnet Variant Targets TP-Link Archer A21"

    The Zero Day Initiative (ZDI) threat-hunting team observed the Mirai botnet attempting to exploit a vulnerability, tracked as CVE-2023-1389 with a CVSS score of 8.8, also known as ZDI-CAN-19557/ZDI-23-451 in TP-Link Archer AX21 Wi-Fi routers. The flaw is an unauthenticated command injection vulnerability in the locale Application Programming Interface (API) of the web management interface used in the TP-Link Archer AX21 router. The cause of the problem is the lack of input sanitization in the locale API managing the router's language settings. As a result, a remote attacker can trigger the issue to inject commands that should be executed on the device. The vulnerability was disclosed to ZDI for the first time during Pwn2Own Toronto 2022. Team Viettel and Qrious Security reported exploits for LAN and WAN interface accesses. TP-Link released a firmware update in March to fix multiple vulnerabilities, including CVE-2023-1389. ZDI reported that threat actors began exploiting the vulnerability after the public release of the fix, with initial attacks focusing on Eastern Europe. Threat actors are exploiting the vulnerability by sending a specially crafted request to the router that includes a command payload as part of the country parameter. Then, the attackers send a second request that causes the command to be executed. This article continues to discuss a new Mirai botnet variant exploiting the ZDI-CAN-19557/ZDI-23-451 vulnerability in TP-Link Archer AX21 Wi-Fi routers.

    Security Affairs reports "A New Mirai Botnet Variant Targets TP-Link Archer A21"

  • news

    Visible to the public "MedCrypt Funds Medical Device Usable Security Research at the School of Engineering at Tufts University"

    MedCrypt, a provider of proactive cybersecurity solutions for medical device manufacturers, has announced its financial support for a fellowship program at Tufts University's School of Engineering that will fund research into medical device security and threat modeling. Fifty-three percent of connected medical devices and other Internet of Things (IoT) devices in hospitals contain a critical vulnerability. Although the Food and Drug Administration (FDA) and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) recognize the importance of threat modeling as a process resulting in more secure devices, a Ponemon Institute study found that about 49 percent of device manufacturers do not follow FDA guidance to mitigate or reduce inherent security risks. To address this issue, Ronald Thompson and Daniel Votipka will conduct research in the Tufts Security and Privacy Lab at the School of Engineering on the effectiveness and applicability of threat modeling and other security measures that organizations can use as a guide to establishing more efficient and repeatable security processes for medical devices. This article continues to discuss the new research initiative aimed at investigating the challenges of effective threat modeling for medical devices and making cybersecurity evidence more reproducible.

    PR Newswire reports "MedCrypt Funds Medical Device Usable Security Research at the School of Engineering at Tufts University"

  • news

    Visible to the public "The Car Thieves Using Tech Disguised Inside Old Nokia Phones and Bluetooth Speakers"

    Researchers have further explored the world of car hacking. A new type of vehicle theft is spreading across the US. To gain access to a vehicle's control system, criminals can use small devices, which are sometimes hidden within seemingly harmless Bluetooth speakers or mobile phones. This allows thieves with little technical knowledge to steal cars without the key, sometimes in as little as 15 seconds. With the devices available for purchase online for a few thousand dollars, the entry barrier for stealing even the most expensive luxury vehicles has been drastically lowered. Ken Tindell, CTO of the vehicle cybersecurity company Canis Labs, and Ian Tabor, Tindell's colleague in automotive cybersecurity, published their research on these devices. Tabor purchased a reverse engineering device after suspecting that car thieves used one to steal his Toyota RAV4 last year. Tabor discovered devices that target Jeeps, Maseratis, and other vehicle brands. They detailed a Controller Area Network (CAN) injection attack that works by sending fake messages appearing to be from the vehicle's smart key receiver. The underlying issue is that these messages are trusted without verification. Once the thieves have accessed the necessary cables by removing the headlights, they can send these messages using their devices. This article continues to discuss new research on car hacking.

    Motherboard reports "The Car Thieves Using Tech Disguised Inside Old Nokia Phones and Bluetooth Speakers"

  • news

    Visible to the public "AI-Generated Spam May Soon Be Flooding Your Inbox – And It Will Be Personalized to Be Especially Persuasive"

    The battle between spam blockers and spammers will intensify as generative Artificial Intelligence (AI) emerges as a new weapon. Recent AI advancements made by ChatGPT could provide spammers with new tools to evade filters, capture people's attention, and persuade them to click, purchase, or share personal information. As the director of the University of South Florida's Advancing Human and Machine Reasoning lab, John Licato explores the intersection of AI, Natural Language Processing (NLP), and human reasoning. He has studied how AI can learn the preferences, beliefs, and peculiarities of individuals. People need to be prepared for more intelligent spam that can exploit their vulnerabilities. AI advancements suggest that fraudsters may no longer need to rely on hit-or-miss methods. Based on easily accessible information, such as social media posts, AI could enable them to target individuals and make their messages more convincing. This article continues to discuss how AI will be used for spam.

    The Conversation reports "AI-Generated Spam May Soon Be Flooding Your Inbox - And It Will Be Personalized to Be Especially Persuasive"

  • news

    Visible to the public "Google Audit Finds Vulnerabilities in Intel TDX"

    Google recently published the results of a nine-month audit of Intel Trust Domain Extensions (TDX), which resulted in the discovery of ten security defects. Providing hardware isolated virtual machines, TDX has been added to some Intel Xeon Scalable CPUs to support confidential computing by isolating sensitive resources from the hosting environment. Google Cloud Security and Project Zero researchers, working together with Intel engineers, focused on identifying any vulnerabilities in Intel's technology before it entered production. The researchers identified 81 potential attack vectors and ten confirmed vulnerabilities. Nine of the defects were addressed in the TDX code, while the tenth issue required changes to the guide for writing a BIOS to support TDX. Intel also made five defense-in-depth changes. Google stated that the vulnerabilities could lead to arbitrary code execution, cryptographic weaknesses, denial-of-service conditions, and weaknesses in debug or deployment facilities. No CVE identifiers were issued for the discovered bugs, but Intel did assess their severity and assigned a CVSS score of 9.3 to an incorrect handling of interrupts when the Authenticated Code Module (ACM) transitioned from the privileged execution context to an untrusted context. The flaw could be exploited to execute arbitrary code within the privileged ACM execution mode, compromising both TDX integrity and the security of any deployed virtual machines. All confirmed issues were mitigated before the production release of the 4th gen Intel Xeon Scalable processors. According to Google, only two of the identified vulnerabilities were memory safety issues, with logical bugs representing the most common type of identified flaws. Google also discovered design-level and implementation issues in pre-release code, and Intel decided to release the reviewed code in open source so that further reviews could be performed.

    SecurityWeek reports: "Google Audit Finds Vulnerabilities in Intel TDX"

  • news

    Visible to the public "Data Security Breach May Have Left Jewel-Osco Employees' Information Exposed"

    Thousands of Jewel-Osco employees might have had their personal information exposed in a data breach. In a letter sent to employees last week, Jewel-Osco parent company Albertsons said hackers were able to infiltrate Albertsons internal computer systems last December and steal employee data, including names, dates of birth, and Social Security numbers. It is currently not clear how many employees have been impacted. Albertsons said the incident has been contained, and they are providing affected individuals with free identity protection services.

    CBS Chicago reports: "Data Security Breach May Have Left Jewel-Osco Employees' Information Exposed"

  • news

    Visible to the public "Yellow Pages Canada Hit by Cyberattack, Black Basta Claims Credit"

    Yellow Pages Canada has recently discovered that it has been the victim of a cyberattack. The company stated that a data breach affected some employee and business customer data, though the company did not specify what type of data in particular. The company noted that based on their investigation to date, they have reason to believe that the unauthorized third party stole certain personal information from servers containing YP employee data and limited data relating to their business customers. The company stated that they have been notifying impacted individuals and reporting to all appropriate privacy regulatory authorities regarding this incident. Yellow Pages did not provide further information about the attack. The infamous threat group Black Basta has claimed responsibility for the cyberattack, saying it involved ransomware and the publication of some data over the weekend.

    Infosecurity reports: "Yellow Pages Canada Hit by Cyberattack, Black Basta Claims Credit"

  • news

    Visible to the public "Researchers Find 250 Million Artifacts Exposed in Misconfigured Registries"

    Security researchers at Aqua Nautilus have recently discovered thousands of misconfigured artifact repositories and container image registries, exposing organizations to potentially serious software supply chain attacks. The researchers found that over 250 million software artifacts and more than 65,000 container images had been exposed in this way, putting at risk some of the world's largest companies, including several Fortune 500 firms. The researchers noted that artifact management systems and container registries are often deliberately connected to the internet and allow anonymous users to connect so that global stakeholders can access open source software. Yet that's not always the case. The researchers saw instances where "restricted environments are accidentally shared with anonymous users" and other examples where teams "accidentally publish sensitive information to public areas." The misconfigurations found by the researchers included mistakenly connecting registries to the internet, exposing secrets to public registries, using default passwords, and granting excessive privileges to users. The researchers also found instances of private container image registries that had been misconfigured to allow anonymous access or even ones that had it built in as a feature. The researchers found 57 registries with critical vulnerabilities, such as default admin passwords, out of which 15 registries allowed admin access with the default password. The researchers detected more than 2100 artifact registries with upload permissions, which may allow an attacker to poison the registry with malicious code. The researchers noted that small, medium, and large organizations worldwide were exposed in this way, including 10 Fortune 500 firms, five of which had registries containing highly sensitive information that was exposed or allowed anonymous access. The researchers also found two cybersecurity companies with exposed secrets in their registries.

    Infosecurity reports: "Researchers Find 250 Million Artifacts Exposed in Misconfigured Registries"

  • news

    Visible to the public "Hackers to Show They Can Take Over a European Space Agency Satellite"

    Cybersecurity researchers will reveal how they took control of a European Space Agency (ESA) satellite in what is considered the world's first ethical satellite hacking exercise. Experts from the French defense giant Thales, together with members of the ESA team, will provide an explanation of the attack scenario at the CYSAT conference in Paris. Documents have revealed that China is developing similar capabilities to assume control of what it considers hostile satellites. According to one document, China plans to surpass conventional communications jamming, which blocks satellite-to-terrestrial terminal signals. The attackers would instead mimic the operator signals, potentially allowing them to gain control of a satellite and render it incapable of supporting communications, weapons, intelligence, surveillance, and reconnaissance systems. The demonstrative hack was orchestrated specifically for the CYSAT conference in order to illustrate the effects that real-world cyberattacks could have on civilian space systems. It targeted ESA's OPS-SAT, a shoebox-sized nanosatellite launched in December 2019 that contains an experimental computer ten times more powerful than any ESA spacecraft currently in operation. OPS-SAT is designed to address the risks associated with live-testing mission control systems. Thales stated that ESA maintained access to the satellite's systems throughout the exercise, allowing a return to normal operation following the drill. This article continues to discuss the ethical satellite hacking exercise.

    The Record reports "Hackers to Show They Can Take Over a European Space Agency Satellite"

  • news

    "New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks"

    A high-severity security vulnerability is impacting Service Location Protocol (SLP). The vulnerability could be exploited to launch volumetric Denial-of-Service (DoS) attacks against targets. Bitsight and Curesec researchers stated that attackers exploiting this vulnerability could use vulnerable instances to execute massive DoS amplification attacks with an amplification factor of up to 2200, potentially making it one of the largest amplification attacks ever reported. It is estimated that the vulnerability, tracked as CVE-2023-29552 with a CVSS score of 8.6, affects more than 2,000 global organizations and over 54,000 Internet-accessible SLP instances. This includes over 600 product types, including the VMware ESXi hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), and SMC IPMI. The US, the UK, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain are the top 10 countries with the most organizations running vulnerable SLP instances. SLP is a service discovery protocol that enables computers and other devices to find printers, file servers, and other network resources in a Local Area Network (LAN). Successful exploitation of CVE-2023-29552 could allow an attacker to leverage vulnerable SLP instances to launch a reflection amplification attack and overwhelm a target server with garbage traffic. This article continues to discuss the potential exploitation and impact of the high-severity security vulnerability impacting Service Location Protocol (SLP).

    THN reports "New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks"

  • news

    "Intel CPUs Vulnerable to New Transient Execution Side-Channel Attack"

    Researchers have discovered a new side-channel attack impacting multiple generations of Intel CPUs. It allows data leakage via the EFLAGS register. Researchers from Tsinghua University, the University of Maryland, and a computer lab operated by the Chinese Ministry of Education discovered the new side-channel attack that differs from most other side-channel attacks. Rather than relying on the cache system like many other side-channel attacks, this new attack exploits a vulnerability in transient execution that enables the extraction of secret data from user memory space via timing analysis. The attack functions as a side-channel for Meltdown, a critical security vulnerability discovered in 2018 that affects many x86-based microprocessors. Meltdown exploits a performance optimization feature known as "speculative execution" to allow attackers to circumvent memory isolation mechanisms and access passwords, encryption keys, and other private data stored in kernel memory. Meltdown has been mitigated by software patches, microcode updates, and hardware redesigns, but no solution has addressed the issue in its entirety, and the most recent attack method may work on fully patched systems depending on hardware, software, and patch configurations. The new side-channel attack described in a technical paper involves a vulnerability in the modification of the EFLAGS register in transient execution, which affects the timing of Jump On Condition Code (JCC) instructions. This article continues to discuss the new side-channel attack impacting multiple generations of Intel CPUs.

    Bleeping Computer reports "Intel CPUs Vulnerable to New Transient Execution Side-Channel Attack"

  • news

    "Attackers Are Logging in Instead of Breaking In"

    According to Sophos, cyberattackers used more than 500 unique tools and tactics in 2022. The analysis of data from over 150 Sophos Incident Response (IR) cases revealed over 500 unique tools and techniques, including 118 Living off the Land binaries (LOLBins). LOLBins, unlike malware, are executables that are naturally present on operating systems, making it much more difficult for defenders to prevent their malicious use. In addition, Sophos discovered that unpatched vulnerabilities were the most common cause of initial system access by attackers. Attackers exploited ProxyShell and Log4Shell vulnerabilities in half of the included investigations to infiltrate organizations. The second most common cause of attacks was compromised credentials. This article continues to discuss key findings from Sophos' report on the changing behaviors and attack techniques that adversaries used in 2022.

    Help Net Security reports "Attackers Are Logging in Instead of Breaking In"

  • news

    "Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers"

    Certain campaigns previously attributed to the Russian Advanced Persistent Threat (APT) group Turla were carried out by what appears to be a different group that researchers have dubbed "Tomiris." Turla, also known as Snake, Venomous Bear, and Ourobouros, is a notorious threat actor with connections to the Russian government. Over the years, it has used zero-day vulnerabilities, legitimate software, and other techniques to install backdoors in the systems of militaries, governments, diplomatic entities, and technology and research organizations. In one example, its Kazuar backdoor was linked to the SolarWinds compromise. However, not everything is Turla. Researchers have published evidence that attacks previously attributed to Turla were actually perpetrated by Tomiris, a completely different group with different tactics, techniques, and procedures (TTPs) and affiliations. This article continues to discuss researchers' findings on the separate, but in some ways overlapping, Russian-language APTs.

    Dark Reading reports "Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers"

  • news

    "Critical Flaw in Inea ICS Product Exposes Industrial Organizations to Remote Attacks"

    A critical vulnerability in a remote terminal unit (RTU) made by Slovenia-based industrial automation company Inea can expose industrial organizations to remote hacker attacks. The vulnerability came to light after the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to inform organizations. The vendor has released a firmware update that patches the issue. According to CISA, the security hole, tracked as CVE-2023-2131 with a CVSS score of 10, impacts Inea ME RTUs running firmware versions prior to 3.36. CISA noted that this OS command injection bug could allow remote code execution. The impacted product provides a data interface between remote field devices and the control center through a cellular network. According to CISA, the product is used worldwide in industries such as energy, transportation, and water and wastewater. The vulnerability was discovered and responsibly disclosed by Floris Hendriks, a researcher who is working toward his master's degree in cybersecurity at Radboud University in the Netherlands. Hendriks found the vulnerability as part of a larger research project into the security of ICS remote management devices. The researcher stated that exploitation of CVE-2023-2131 can result in the attacker gaining root privileges on the targeted RTU, which gives them complete control of the device. The potential impact in a real-world scenario depends on what the RTU is used for, but the flaw could allow an attacker to cause disruption.

    SecurityWeek reports: "Critical Flaw in Inea ICS Product Exposes Industrial Organizations to Remote Attacks"

  • news

    "US Navy Contractor Fincantieri Marine Group Hit by Cyberattack"

    A US commercial and defense shipbuilder with ties to the government was hit by a ransomware attack on April 12. Fincantieri Marine Group (FMG) stated that it experienced a cybersecurity incident that caused a temporary disruption to certain computer systems on its network. The company, a subsidiary of Italy-based Fincantieri SpA, also clarified that it has no evidence that employees' personal information was affected. Carol Volk, chief marketing officer at cybersecurity solution provider BullWall, stated that this ransomware attack on the Fincantieri Marinette Marine shipyard disrupted operations across the shipyard by rendering data on network servers unusable, impacting critical CNC (Computer Numerical Control) manufacturing machines. The investigation is still ongoing.

    Infosecurity reports: "US Navy Contractor Fincantieri Marine Group Hit by Cyberattack"

  • news

    "SolarWinds Platform Update Patches High-Severity Vulnerabilities"

    Two high-severity vulnerabilities patched recently in SolarWinds Platform could lead to command execution and privilege escalation. The more severe of the two issues is CVE-2022-36963 (CVSS score of 8.8), which is described as a command injection bug in SolarWinds' infrastructure monitoring and management solution. According to Trend Micro Zero Day Initiative researchers, the flaw can be exploited remotely to execute arbitrary commands. Successful exploitation of the vulnerability requires that the attacker possess credentials for a valid SolarWinds Platform admin account. Tracked as CVE-2022-47505 (CVSS score of 7.8), the second high-severity issue is described as a local privilege escalation flaw. The researchers stated that this vulnerability allows a local adversary with a valid system user account to escalate local privileges. The issues were addressed with the release of SolarWinds Platform version 2023.2. The software release also resolves CVE-2022-47509, a medium-severity incorrect input neutralization vulnerability that could be exploited remotely to append URL parameters in order to inject HTML code. A valid account is required to exploit the issue. SolarWinds also addressed two medium-severity bugs in Database Performance Analyzer, one leading to sensitive information disclosure and another allowing users to enumerate different folders on the server. Database Performance Analyzer version 2023.2 resolves both vulnerabilities. SolarWinds did not mention whether any of these flaws are being exploited in attacks.

    SecurityWeek reports: "SolarWinds Platform Update Patches High-Severity Vulnerabilities"