Robin’s Newsletter #179

21 November 2021. Volume 4, Issue 47
Rowhammer returns. Intel chips vulnerable to physical debug attack. Tesla owners locked out. How a bank runs their PKI.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

A couple of hardware security bits of news…

New Rowhammer technique bypasses DDR4 protections

Rowhammer techniques exploit the physical design of RAM by ‘hammering’ the physical rows of chips inside to manipulate neighbouring chips and flip bits from 0 to 1, or visa-versa. Our understanding of the technique has increased a lot since the research was first released (vol. 1, iss. 23) and the latest paper, from the computer security group at ETH Zurich, explains how it is possible to achieve bit flips despite hardware protections in DDR4 type memory. While traditionally chips had been targeted in rows (hence the name) and protected by a mitigation called ‘Target Row Refresh’ (TRR). The new research shows the same effect can be achieved with non-uniform, frequency-based patterns. ECC (error correcting code)) -capable RAM, such as those used by Amazon, Microsoft and Google in their cloud platforms, makes exploitation much more difficult.,

Developer mode accessible on Intel CPUs, allows retrieval of TPM key

Pentium, Celeron and Atom CPUs contain a vulnerability that allows an attacker with physical access to install malicious firmware and run the chip in debug mode. Once in this mode the ‘fuse encryption key’ (unique to each chip and used to generate other cryptographic keys) can be obtained, allowing onward decryption of the trusted platform module (TPM) and other protections built on top of the Secure Enclave such as Bitlocker hard disk encryption.

Interesting stats

7.5% increase in cases that NCSC has helped organisations in the 12 months to August 2021, with the flagship Active Cyber Defence programme contributing 2.3M cyber-enabled commodity campaign take-downs, 442 (4.2x previous year) NHS-branded phishing campaigns, and 80 copy-cat NHS apps (PDF)

$25.5M+ made by Conti ransomware gang since July 2021, according to Prodaft

Other newsy bits

Tesla outage leaves cars unable to start

Tesla drivers were locked out and unable to start their cars after the car manufacturers app experienced an outage. While key fobs to the electric cars are provided for owners to unlock and start their cars, users can opt to just use their smartphone for these functions. Approximate 500 users reported the issue, with Elon Musk tweeting “we will take measures to ensure this doesn’t happen again”

Memento ransomware switches to WinRar

Canny outsourcing move, genius tactic, or developer fail? The Memento ransomware group has been seen using WinRar — software for creating compressed (ahem) zip files — to encrypt copies of victims’ data after their encryption malware kept getting flagged by detection tools.

Long reads

Joe Tidy’s piece on Evil Corp

BBC cyber report Joe Tidy has been on the hunt for Evil Corp in Russia and has an interesting write up on an interaction with Maxim Yukabets’ father. It’s a good background and history on the ransomware group.

How a bank runs its PKI infrastructure

Private key infrastructure is important to digital security. The keys are used to sign messages, encrypt and decrypt data and more. It’s most widely known as ‘the padlock’ behind visiting HTTPS websites. Were an attacker able to get their hands on the digital keys to a bank, they’d be able to impersonate them, steal money and cause a lot of mischief. Monzo has published a blog going into the details behind how they keep the root certificate of their private key infrastructure (PKI) secure. H/t Paul!

In brief

Attacks, incidents & breaches

  • California Pizza Kitchen suffers a data breach, leaks Social Security numbers of over 100,000 current and former staff
  • Firefox cookies database for 4,500 developers appear to have been accidentally checked in to publicly accessible GitHub repos
  • It took UK ISP Sky Broadband 17 months to roll out a fix to a DNS rebinding vulnerability in its consumer wireless routers

Threat intel

  • Emotet botnet back on the scene 10 months after Europol seized C&C servers ([vol. 4, iss. 5](Robin’s Newsletter #137)) and then mass-uninstalled the malware ([vol. 4, iss. 18](Robin’s Newsletter #150)). It is being delivered by TrickBot infections
  • Alibaba ECS (Elastic Cloud Service) instances run as root, making them a target for crypto mining malware
  • Ransomware gangs are now rich enough to buy 0-day exploits more traditionally associated with nation-state attackers, says Digital Shadows, following increased discussion on cybercrime forums. I’m less convinced about this: ransomware events are, by their nature, high profile and disruptive, increasing the likelihood that the (very expensive!) exploit will be detected and mitigated quickly.
  • New side channel attack revives DNS cache-poisoning attacks against Linux-based servers
  • US, Australia, UK point finger at Iran for ‘ongoing’ campaign of attacks against critical infrastructure and use of ransomware,
  • New version of BrazKing Android banking trojan discovered by IBM Trusteer being, with victims being lured to install the malicious app via smashing messages

Security engineering

  • CISA has released incident and vulnerability response playbooks for federal civilian executive branch organisations (PDF)

Internet of Things


  • Asian travel company RedDoorz fined SG$74K ($54K) by Singapore’s data protection commission (the largest ever penalty) for a data breach caused by leaving the firms AWS access key in their Android app
  • New method for using time-of-flight (ToF) sensors on modern smartphones to detect hidden cameras


  • UK managed service providers (MSPs) and cloud providers may be required to adopt a framework such as NCSC’s Cyber Assessment Framework as Department for Digital, Culture, Media and Sport (DCMS) consultation draws to a close
  • Robotics, AI, computer hardware, space and quantum tech are listed amongst seventeen areas that will be covered by the UK National Security and Investment Act 2021 that comes into force this January
  • US financial regulators set 36-hour reporting requirement on banks to report IT system failures, interruptions and other incidents

Mergers, acquisitions and investments

Three unicorns this week:

  • Container and DevOps security company Lacework has announced a $1.3B Series D funding round to expand go to market and product development
  • Passwordless startup Stytch raises $90M Series B, $1B valuation as over 4,000 developers signup to platform
  • Cloud managed security service Expel has closed a $140M Series E funding round, also topping a $1B valuation

And finally

Supply chain attacks

The state of security: “We must defend the chicken wing supply chain”

A sign on the counter of a fast-food restaurant reading “Dear Valued Customers: Chicken Wings & Cheesy Crust Are Currently Out of Stock Due to a Recent Cyberattack Which Has Affected Imports We Apologise For The Inconvenience”

H/t Chip Ressel


  Robin's Newsletter - Volume 4

  Rowhammer Emotet National Cyber Security Centre (NCSC) Tesla Monzo Private Key Infrastructure (PKI) Zero-day National Security and Investment Act 2021