Novel PACMAN Side-Channel Attack Can Defeat Apple's M1 Chip Defense Against Vulnerabilities

IT service provider of two German energy companies paralyzed by 'hacker attack,' Election equipment in Georgia county may have been compromised, 70+ Indian websites defaced, much more

Jun 13

blue, red, and green Pac-Man wall painting — Photo by Kiryl Sharkouski on Unsplash

Researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) developed a novel side-channel attack called PACMAN that can defeat a feature in Apple’s powerful M1 chip known as pointer authentication, which acts as a last line of defense against typical software vulnerabilities.

The attack demonstrates that pointer authentication can be defeated without leaving a trace. Moreover, PACMAN utilizes a hardware mechanism, so no software patch can ever fix it. The team showed that it's possible to guess a value for the pointer authentication code (PAC) and reveal whether the guess was correct or not via a hardware side channel. Because there are only so many possible values for the PAC, they found that it's possible to try them all to find the correct one.

However, PACMAN can only take an existing bug that pointer authentication protects against and unleash that bug's true potential for use in an attack by finding the correct PAC. PACMAN cannot compromise a system without an existing software bug. (Rachel Gordon / MIT News)

The IT service provider of the Darmstadt energy supplier Entega and Stadtwerke Mainz has been paralyzed by a hacker attack. Entega says around 2,000 employees and the company's websites are affected. One of the employees is a"victim of a criminal hacker attack.”

An Entega spokesperson said that the operational infrastructure that Entega operates with its electricity, gas, and water networks is protected separately and is not affected. The websites of Mainz mobility, the Mainz public utility company, the Mainzer Netze Gesellschaft, and the Taubertsbergbad are offline, although, like Entega, the company says its operational technology systems remain unaffected. (Hessenschau)

Related: Heise Online, CyberNews, SWR

In the strongest indication yet that the security of election equipment in Coffee County, Georgia, may have been compromised following Donald Trump’s loss, Benjamin Cotton, founder of the digital forensics firm CyFIR who has aided efforts by election deniers to investigate the 2020 vote said in a recent court document that he had “forensically examined” the voting system used in the county.

Former county elections official Misty Hampton had opened her offices to a man who was active in the election-denier movement to help investigate after the 2020 vote. Benjamin wrote in the court document that he had examined Dominion Voting Systems used in several jurisdictions. Among them were Coffee County, Mesa County, Colo., and Maricopa County, Ariz., where he worked as a contractor on a Republican-commissioned ballot review. (Emma Brown and Amy Gardner / Washington Post)

Mark Jacob @MarkJacob16

Illegal interference with election systems is rare. When it happens, it’s almost always the Republicans doing it. Court filing offers new evidence of post-election breach in Coffee County, Ga.A cybersecurity executive who has aided efforts by election deniers to investigate the 2020 vote said in a recent court document that he had “forensically examined” the voting system used in Coffee County, Ga., the strongest indication yet that the security of election equipment there may have been…washingtonpost.com

Following negative comments against Prophet Muhammad by Indian politician Nupur Sharma, the hacktivist group DragonForce Malaysia launched several website defacements against the Indian government and private websites.

Among the 70 targeted sites are the Indian embassy, the e-portal of the Indian Council of Agriculture Research, and the National Institute of Agriculture Extension Management. The hackers posted a message that said, “For you is your religion and for me is my religion.” The statement also provoked all Muslim hackers worldwide to campaign against India. (Karan Sharma / Mashable India)

Researchers at Zscaler say that the Iranian Lycaeum APT hacking group, also known as Hexane or Spilrin, is using a new .NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors.

Zscaler’s analysis says that the backdoor is based on the DIG.net open-source tool to carry out "DNS hijacking" attacks, execute commands, drop more payloads, and exfiltrate data. DNS hijacking is a redirection attack that relies on DNS query manipulation to take a user who attempts to visit a legitimate site to a malicious clone hosted on a server under the threat actor's control. (Bill Toulas / Bleeping Computer)

A company called Phreesia, which makes software used by more than 2,000 clinics and hospitals across the United States to streamline check-ins, replacing the clipboard and photocopied forms with screens on a website or app, is mining user data for pharmaceutical companies so they can advertise to users who fill out Phreesia’s forms.

However, HIPAA requires users to opt into this data mining, although it’s unclear if users understand they have the right to decline the ad targeting. (Geoffrey Fowler / Washington Post)

domestic infant supply chain manager @realworldrj

This is bullshit washingtonpost.com/technology/202…

Google released updates for Chrome to fix seven security vulnerabilities, including four classed as high risk, discovered in the browser.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert saying the attackers could exploit the vulnerabilities in Google Chrome for Windows, Mac and Linux "to take control of an affected system.” (Danny Palmer / ZDNet)

Related: CISA, Forbes

Gaylyn Morris tracked her boyfriend Andre Smith to an Indianapolis bar using an Apple AirTag, and after a heated confrontation with him and another woman killed him by running over him with her car.

Despite new designs implemented by Apple in AirTag to protect against unwanted tracking, those safety features are not entirely reliable, particularly for people who use Android devices. Morris was arrested and accused of murder. Arrest records show that she is being held without bond. (Lindsey Bever / The Washington Post)

Related: Indianapolis Star

Eva @evacide

Covertly tracking your partner’s location because you think they are cheating on you is abuse. Full stop. Every single time.

She tracked her boyfriend using an AirTag — then killed him, police sayGaylyn Morris, 26, is accused of murdering her boyfriend, Andre Smith — tracking him with an Apple AirTag and driving over him with her car, police say.washingtonpost.com

PyPI packages 'keep,' 'pyanxdns,' and 'api-res-py' were found to contain a backdoor due to malicious 'request' dependency within some versions.

Although most versions of the 'keep' project use the legitimate Python module requests for making HTTP requests, 'keep' v.1.2 contains 'request' (without s), which is malware. It’s unclear if the problem was caused by a typographical error, self-sabotage, or hijacked maintainer accounts. CVEs were issued last week for the vulnerable versions. (Ax Sharma / Bleeping Computer)

Ciberconsejo @ciberconsejo

PyPI packages 'keep,' 'pyanxdns,' 'api-res-py' were found to be containing a backdoor due to the presence of malicious 'request' dependency within some versions. @cibernicola_es @Infogon

PyPI package ‘keep’ mistakenly included a password stealerPyPI packages ‘keep,’ ‘pyanxdns,’ ‘api-res-py’ were found to contain a password-stealer and a backdoor due to the presence of malicious ‘request’ dependency within some versions.bleepingcomputer.com

A new Google Chrome browser extension, Vytal, prevents webpages from using programming APIs to find your geographic location leaked, even when using a VPN.

Even though a VPN will hide the IP address of a user’s device and thus its physical location, it is possible to use JavaScript functions to query information directly from a web browser to find a visitor's general geographic location. A developer called z0ccc shared the new Vytal Google Chrome extension on Y Combinator's Hacker News, asking readers to provide feedback on the functionality. (Lawrence Abrams / Bleeping Computer)

Related: Github, Chrome Web Store, Ycombinator

Researchers at Confiant discovered what they call the most technically sophisticated threat targeting web3 users after the infamous Lazarus Group, a cluster of activities they call SeaFlower.

This extensive campaign has a strong relationship with a Chinese-speaking entity yet to be uncovered. SeaFlower aims to modify web3 wallets with backdoor code that ultimately exfiltrates the seed phrase. The targeted wallets include Coinbase, MetaMask, TokenPocket, and imToken. Users lured into downloading SeaFlower backdoored wallets will eventually lose their funds. (taha aka "lordx64" / Confiant)

bored taha @lordx64

As promised, my blogpost is finally out Meet SeaFlower intrusion set. Lot to come this part 1 will show how they sideload backdoored iOS #web3 wallets like MetaMask and CoinBase and how they inject Malicious react native bundles, crazy stuff 😨@zachxbt 👀 blog.confiant.com/how-seaflower-…

How SeaFlower 藏海花 installs backdoors in iOS/Android web3 wallets to steal your seed phraseDuring the course of our work at Confiant, we see malicious activity on a daily basis. What matters the most for us is the ability to:blog.confiant.com

Detectives from Nigeria’s Special Fraud Unit (SFU), Ikoyi, arrested Odeleye Oluwabukola Moses, alias Beedel, for allegedly defrauding five firms and a government agency of N816 million (around $1.97 million) in a business email compromise (BEC) scheme using forged purchase orders.

The suspect, the Managing Director/Chief Executive Officer of Beedel Strategic Investment Co. Nigeria Limited, is alleged to have defrauded five multinational companies operating in Nigeria and one federal government agency. (Eugene Agha / Daily Trust)

Related: Ikoyi

Metacurity