Ransomware in your CPU – PSW #874

Paul Asadoorian

1. Google introduces Advanced Protection mode for its most at-risk Android users

   I've been waiting for this, looks awesome, similar to iOS Lockdown mode, Advanced Protection provides:

   • The inability to connect to 2G networks, which lack encryption protections preventing over-the-air monitoring of voice and text-messaging communications
   • No automatic connections to insecure Wi-Fi networks, such as those using WEP or no encryption at all
   • The enabling of the Memory Tagging Extension, a relatively new form of memory management that’s designed to provide an extra layer of protection against use-after-free exploits and other memory-corruption attacks
   • Automatically locking when offline for extended periods
   • Automatically powering down a device when locked for prolonged periods to make user data unreadable without a fresh unlock
   • Intrusion logging that writes system events to a fortified region of the phone for use in detecting and diagnosing successful or attempted hacks
   • JavaScript protections that shut down Android’s JavaScript optimizer, a feature that can be abused in certain types of exploits
2. CVE Foundation eyes year-end launch following 11th-hour rescue of MITRE program
   • The CVE program’s near-shutdown was a wake-up call, exposing the fragility of relying on a single funder for critical cybersecurity infrastructure.
   • Efforts are underway to diversify funding and governance, with the CVE Foundation expected to launch by December 2025.
   • The future of vulnerability management may become more decentralized, with increased international and private-sector involvement, but there are concerns about potential fragmentation if multiple competing systems arise
   • The CVE Foundation was established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, which is a critical global resource for identifying and cataloging cybersecurity vulnerabilities. The Foundation’s mission is to maintain CVE as a free, publicly available, and globally trusted index for vulnerabilities, reducing the risk of fragmentation in vulnerability identification and ensuring that the program is not dependent on a single government or funding source. By moving to a diversified funding model-including grants, sponsorships, donations, and an endowment-the Foundation aims to provide stable, neutral, and transparent stewardship for the CVE Program, supporting its continued growth and innovation
3. Branch Privilege Injection Vulnerability Threatens Intel Processors

   Researchers at ETH Zurich discovered Branch Privilege Injection (CVE-2024-45332), a new Spectre v2 attack exploiting race conditions in Intel CPUs' branch predictors. This vulnerability bypasses hardware defenses like eIBRS and IBPB that were designed to block cross-privilege data leaks, enabling attackers to read privileged memory (e.g., kernel data) from unprivileged user processes.

   • Asynchronous updates: Intel's branch predictors update after instructions retire, creating a window where privilege switches (e.g., user→kernel) occur before updates complete.
   • Misclassification: In-flight branch predictor updates during privilege transitions are tagged with the new privilege level, allowing user-controlled predictions to execute speculatively in kernel mode.
   • Leaks arbitrary kernel memory at 5.6 KiB/s with 99.8% accuracy on Ubuntu 24.04 (default mitigations enabled).
   • Affects all Intel CPUs since 2017 (7th-gen Kaby Lake to 13th-gen Raptor Lake), but not AMD/ARM.
   • Microcode update: Intel released patches introducing ~2.7% overhead on Alder Lake.
   • Software workarounds: Options include disabling indirect branch prediction (1.6–8.3% overhead) or using Retpoline

   Github with PoCs: https://github.com/comsec-group/bprc

4. Multiple Security Issues in Screen

   The OpenSUSE security team identified six critical vulnerabilities in GNU Screen versions 4.9.1 and 5.0.0, including a local root exploit affecting systems that install Screen with setuid-root privileges.

   • CVE-2025-23395 (Critical): Local root exploit in Screen 5.0.0 via logfile_reopen(), allowing unprivileged users to create/overwrite files in privileged locations (e.g., /etc/profile.d) by manipulating logfile paths. Affects Arch Linux and NetBSD (which install Screen 5.0.0 as setuid-root by default).
   • CVE-2025-46802: TTY hijacking during multi-user session attachment, enabling attackers to temporarily modify TTY permissions to 0666 and intercept/forge input.
   • CVE-2025-46803: Screen 5.0.0 defaults to creating world-writable PTYs (mode 0622), exposing terminals to unauthorized writes.
   • CVE-2025-46804: Information leak via error messages in setuid-root contexts, allowing attackers to probe file/directory existence in privileged paths.
   • CVE-2025-46805: Race condition in signal handling, potentially enabling denial-of-service or integrity violations.
5. Four Hackers Caught Exploiting Old Routers as Proxy Servers

   This is a page right out of my 2010 Brucon talk on using embedded devices to take over the world. The attackers must have watched my talk because:

   • I talk about using routers exposed to the Internet to make money and gain power
   • I also discussed how to target routers of ISPs in a particular region, as you can control that region and take advantage of the same vulnerabilities or mis-configurations on routers of the same model deployed by the ISP (in the current case, its Oklahoma).
   • They sold them as proxy servers: "over 7,000 compromised proxies worldwide, with subscriptions priced between $9.95 and $110 monthly." - a great way to monetize
   • They took this to the NEXT LEVEL: "court documents estimate that the Anyproxy network alone comprised tens of thousands of devices, generating recurring income through automated billing systems."

   You can find my talk here: https://youtu.be/CrHifNseIMQ?si=WDT6TX79g-dN0lOS ("Embedded System Hacking and My Plot To Take Over The World)" - I even make a plea to ISPs to block ports, such as 80, from the Internet. ISPs did not listen.

6. Post-Exploitation Activities Observed from the Samsung MagicINFO 9 Server Flaw

   Successful exploitation of these vulnerabilities we talked about last week. Looks like, at a high level, attackers were just maintaining a foothold and doing recon. Its very important to remove these systems from the Internet and make sure they are patched regardless of which network they are on.

7. A First Glimpse of the Starlink User Ternimal
   • Love it when it works out this way after desoldering the MMC and dumping it: "Once extracted, we discovered that most of the firmware contents were unencrypted, revealing the boot chain (excluding BootROM), kernel, and the unencrypted portions of the filesystem."
   • This is a A LOT of work, and no details are provided, just the user running a script to do the Qemu emulation: "For convenient ongoing analysis of the UTA, DARKNAVY built a basic QEMU-based emulation environment for the Rev3 firmware" - I am not a bit skeptical about this post, mostly because I want the script...
   • This was also interesting: "During device initialization, if the system identifies itself as a user terminal, the initialization script automatically writes 41 SSH public keys into /root/.ssh/authorized_keys. Notably, port 22 on the UTA remains open to the local network at all times. Having such a large number of unknown login keys on a user product certainly raises eyebrows."

   Not much else was provided, but now I want one to reverse it...

8. Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands

   This looks interesting to play around with:

   CVE-2025-47188, a critical command injection vulnerability in Mitel SIP phones, has been publicly disclosed but limited exploit details are currently available. Here's what security analysts should prioritize for threat analysis: CVSS 9.8 Critical: Remote attackers can execute arbitrary commands without authentication due to improper parameter sanitization Impact: Enables configuration data theft/modification and potential device disruption Affected Devices: Mitel 6800/6900/6900w Series SIP Phones and 6970 Conference Unit.

   Looks like you can get these on Ebay for $50 :)

9. Decrypting Firmware: Uncovering Hidden Threats Through Binary Reverse Engineering with Hopper

   It's not always this easy, but it's a neat tutorial. I've not used Hopper, but several other tools could be used here. In fact, curious what Ghidra with LLM extensions would find. Not sure where this binary came from that was analyzed, but something has a TELNET backdoor with the following: "The pseudo-code revealed a critical vulnerability: sending the command HELODBG to the device triggers an unauthenticated telnet shell."

10. Supercharging Ghidra: Using Local LLMs with GhidraMCP via Ollama and OpenWeb-UI

    This is neat:

    "LLMs like Claude or fine-tuned local models (e.g., ToolACE-2-Llama-3.1) parse user requests (e.g., “rename suspicious functions”) and generate structured commands (JSON) for Ghidra."

    Example tasks:

    • Automatically renaming functions/variables.
    • Identifying cryptographic patterns.
    • Generating decompilation summaries
11. How I ruined my vacation by reverse engineering WSC

    Amazing research:

    • What is Windows Security Center (WSC)? - WSC is a part of Windows that manages and reports the status of security features like antivirus, firewall, and more.
    • Antivirus programs interact with WSC through a COM API (a way for programs to communicate on Windows) to register themselves as the system’s security provider.
    • Why Reverse Engineer WSC? - The author previously made a tool ("no-defender") that tricks Windows into thinking another antivirus is installed, causing Windows Defender to disable itself. * * * This was done by mimicking what real antivirus programs do when they register with WSC.
    • After the original project was taken down (due to legal complaints from an antivirus vendor), the author wanted to create a new version without using code from other antivirus products
12. Zero Day Initiative — CVE-2024-44236: Remote Code Execution vulnerability in Apple macOS

    "A serious security flaw was found in Apple’s macOS computers. This flaw could let hackers take control of a Mac just by getting someone to open a specially crafted file related to color settings (called an ICC profile). The problem was in a built-in tool that helps manage images and colors on Macs."

Sam Bowne

1. Age Verification in the European Union: The Commission’s Age Verification App

   he European Commission has commissioned an age verification app, to be used for restricted online services. After downloading the app, a user would request proof of their age. For this crucial step, the Commission foresees users relying on a variety of age verification methods, including national eID schemes, physical ID cards with biometrics, etc.

   Once the user would access a website restricting content for certain age cohorts, the platform would request proof of the user’s age through the app. The app would optionally use Zero Knowledge Proofs, a modern advanced cryptographic system that can offer a “yes-or-no” claim (like above or below 18) to a verifier without exposing all the user's information.

   Many jurisdictions in the USA and elsewhere would like to age-gate social media, pornography, and other online resources, but the technical ability to do that has been lacking. This EU system may serve as a model for others, if it works out well. The EFF raises many thorny privacy concerns about age verification, and it will be important to see what the real consequences of this system are.

2. FBI: End-of-life routers hacked for cybercrime proxy networks

   The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks. The routers are old models from Linksys, Cradlepoint, and Cisco.

3. DOGE software engineer’s computer infected by info-stealing malware

   The presence of credentials in leaked "stealer logs" indicates his device was infected.

4. Kickidler employee monitoring software abused in ransomware attacks

   Ransomware operations are using legitimate Kickidler employee monitoring software for reconnaissance, tracking their victims' activity, and harvesting credentials after breaching their networks. It can capture keystrokes, take screenshots, and create videos of the screen.

5. You think ransomware is bad now? Wait until it infects CPUs

   Rapid7 threat hunter wrote a PoC. No, he's not releasing it. He wrote proof-of-concept code for ransomware that hides in the computer's processor. There are some indications that criminals are moving toward this end goal, from the UEFI bootkits that go back to 2018 and are now sold on cyber-crime forums to allow miscreants to bypass Secure Boot and embed malware into the firmware, surviving operating system reboots. More recently, the 2022 Conti leaks indicated that the ransomware gang's developers were working on firmware ransomware.

6. ASUS DriverHub flaw let malicious sites run commands with admin rights

   DriverHub is ASUS's official driver management tool that is automatically installed on the first system boot when utilizing certain ASUS motherboards. Once installed, the tool remains active and running in the background via a local service on port 53000, continually checking for important driver updates. This allows DriverHub to download and run .exe files from ".asus.com" URLs without user confirmation.