A China-linked threat group, UNC5174, has been conducting aggressive cyber campaigns by exploiting security flaws in ConnectWise ScreenConnect and F5 BIG-IP software. The group is believed to be a former member of Chinese hacktivist collectives and is now acting as a contractor for China’s Ministry of State Security, targeting research institutions, businesses, NGOs, and government organizations. Sophos analysts have also observed an increase in malicious activity involving ScreenConnect, a remote access tool. Threat actors have been leveraging ScreenConnect to launch various attacks and deliver different types of malware, including LockBit ransomware, AsyncRAT, password stealers, and Cobalt Strike payloads.
SolarWinds has become the first software provider to submit the Secure Software Development self-attestation, marking a significant milestone in cybersecurity standards. The self-attestation aligns with U.S. government requirements and supports national cybersecurity initiatives, promoting transparent information-sharing and proactive cybersecurity measures.
A newly discovered vulnerability in Apple’s M-series chips allows attackers to extract secret encryption keys from Macs during cryptographic operations. The flaw, stemming from the microarchitectural design of the chips, cannot be directly patched. Instead, it can only be mitigated by implementing defenses in third-party cryptographic software, which may significantly degrade performance. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application run on the same CPU cluster. The researchers named the attack “GoFetch” and provided insights into the behavior of the chips’ data memory-dependent prefetcher (DMP), which can leak information through cache side channels. Apple M3 chips can disable DMP by enabling data-independent timing (DIT), but this is not possible on M1 and M2 processors.
Why do we care?
I wanted to continue to keep an eye on the ConnectWise ScreenConnect exposure, and this issue appears to be as critical as was implied. I checked with a trusted cybersecurity source, who tells me there’s still significant exposure in the number of servers still unpatched and to assume any unpatched servers are completely owned.
SolarWinds is certainly leaning into being a model student, which is a smart move considering their history. Disclosure: I’m a shareholder.
The M-chip vulnerability is one of those security stories most of us can do very little about. We’ll all be informed, but there is not much to do here for now.