The Register

Articles from www.theregister.com

Researchers find cyber-sabotage malware that may predate Stuxnet by five years

Fri, 24/04/2026 - 07:56
FAST16 could be the first cyberweapon, and its effects could be with us today
BLACK HAT ASIA Infosec outfit SentinelOne found malware that tries to induce errors in engineering and physics simulation software and therefore represents an attempt at sabotage, and suggests it was created years before the Stuxnet worm that aimed to destroy Iran’s uranium enrichment centrifuges.

The company’s Vitaly Kamluk discussed the malware in a talk at the Black Hat Asia conference today. SentinelOne has also published a blog post about the malware.

Kamluk told the conference the discovery came about after he wondered if known nation-state espionage tools like Flame, Animal Farm, and Project Sauron were the first of their kind. All three shared use of the Lua language and virtual machine, so he went looking for similar software.

That search led to a malware sample uploaded to VirusTotal in 2016 that includes a reference to “fast16”. Kamluk’s analysis of the sample suggested the techniques its developers employed were not typical of 2016-era malware. SentinelOne researchers also recalled that the infamous ShadowBroker malware trove that appeared in 2016, and which was later linked to the United States National Security Agency, contained a reference to fast16.

SentinelOne thinks fast16 came into existence around 2005, based on clues in the code and the fact it won’t run on anything more recent than Windows XP – and even then only on a single-core CPU. Intel shipped its first multi-core consumer CPUs in 2006.

The researchers analyzed the sample and found it tries to install a worm and deploy a driver called fast16.sys.

The driver includes a routine that alters the output of floating-point calculations and also goes looking for “precision calculation tools in specialised domains such as civil engineering, physics and physical process simulations.”

The researchers think fast16 targeted three high-precision engineering and simulation suites that were used in the mid-2000s: “LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling.” Iran is thought to have used LS-DYNA in its nuclear weapons program.

Kamluk hypothesized that fast16’s purpose was to cause errors in calculations run by engineering simulation software, perhaps leading to real-world problems. And he asserted that fast16 was a cyberweapon that preceded Stuxnet by five years.

“In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits,” Kamluk wrote with SentinelOne colleague Juan Andrés Guerrero-Saade. “It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today.”

In his talk, Kamluk said he has disclosed his work to the vendors of the engineering applications fast16 targets, because he feels they may want to check the output of their products for evidence that the malware produced incorrect calculations. “Maybe there are more discoveries to come?” he concluded.

Kamluk tearfully dedicated his talk to friend and colleague Sergey Mineev, who he said was responsible for finding many enormously significant APTs without seeking attention for his work, and who passed away in March.
Categories: News

Weak security means attackers could disable all of a city's public EV chargers

Fri, 24/04/2026 - 05:10
Demonstrated in China, probably applicable elsewhere
BLACK HAT ASIA Developers of rented internet of things infrastructure – stuff like public EV chargers and shared e-bikes – are prioritizing user convenience over security, and leaving themselves exposed to wide-scale denial of service attacks on their services.

That frightening thesis was the subject of a Friday talk at the Black Hat Asia conference, delivered by Hetian Shi, a hardware and IoT security researcher at China’s Tsinghua University.

Shi told the conference the very nature of rented IoT services means they have a unique security problem: anyone can access devices and examine them for vulnerabilities.

The researcher conducted his probes with permission, and disclosed the results ethically – for which we should all be thankful, because he discovered that some rentable devices include either a debugging port or a UART connector that makes examining their operations an uncomplicated task for an educated attacker. His own efforts yielded evidence of shared authentication keys in device firmware, and backend services that don’t properly authenticate users.

The researcher also investigated the apps that rentable IoT providers publish so consumers can access their services, and again found weak security that allowed him to do things like create phantom clients that rentable IoT services could not distinguish from actual customers. Using phantom clients makes it possible for an attacker to charge cars or rent scooters at zero cost. Shi said the techniques he’s developed can also compromise personal information by exposing rentable IoT services’ back ends.

He’s created a tool called “IDScope” that makes it possible to exploit many of the flaws he found, and during his talk demonstrated it by running the iOS app for a Chinese provider of public electric vehicle charging stations. Shi asked the audience to nominate a Chinese city – Shanghai was the popular choice – and then looked up available chargers in People’s Square, a major shopping and recreation district.

The app produced a list of chargers and which ones were available to use. Shi asked the audience to choose which of the available chargers he should attack, noted the ID number for that charger listed in the app, and entered that number into a script. A second or two later, the icon in the app for that charger changed color from green – which denotes availability for charging – to the grey hue that indicates a disabled port.

The app was in Chinese and your correspondent can’t read that language, so I can’t say with certainty what I witnessed, but the demo drew spontaneous applause from others in the audience – and plenty of people here at Black Hat have come from the Chinese-speaking world.

Shi thinks the techniques he created also make it possible to deny service, and do so at scale – creating the possibility of taking out an entire city’s network of EV chargers. And not just in China: the researcher tested 11 apps published by European providers of shared bikes and scooters, and found similar problems – suggesting his findings will be applicable elsewhere.

He theorized that the flaws he found are the result of developers trying to build services that users find convenient, at the expense of security.
Categories: News

Dev targeted by sophisticated job scam: 'I let my guard down, and ran the freaking code'

Thu, 23/04/2026 - 22:38
Legit-looking website, camera-on interviews, jokes about backdoors ... it worked

EXCLUSIVE  It all started with a LinkedIn message, as so many employment scams do these days.…

Categories: News

Chinese attackers are pwning your infrastructure to use in attacks, 10 countries warn

Thu, 23/04/2026 - 20:25
All the Typhoons, everywhere, all at once

A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations, according to a joint 10-country advisory.…

Categories: News

Age checks could turn internet into an ID checkpoint, complains Proton CEO

Thu, 23/04/2026 - 17:20
Push to protect minors risks hitting everyone online

Proton's boss has waded into the age verification fight with a warning that sounds less like child safety and more like an identity checkpoint for the entire internet.…

Categories: News

American farms have a new steward for their safety net, disaster programs... Palantir

Thu, 23/04/2026 - 14:26
Wins $300M deal over Salesforce, IBM because of 'integration with existing USDA systems,' among other things

Palantir has won a $300 million contract from the US Department of Agriculture (USDA) to support the National Farm Security Action Plan (NFSAP) and modernize how USDA delivers services to America's farmers.…

Categories: News

Medical data of 500k Biobank volunteers listed for sale on Alibaba, UK minister reveals

Thu, 23/04/2026 - 13:34
World's largest biomedical dataset lifted and shifted on Chinese mega marketplace

Breaking  Details of volunteers of UK-based Biobank, which describes itself as the custodian of the world's most comprehensive biomedical dataset, are for sale on Chinese ecommerce site Alibaba.…

Categories: News

Hybrid clouds have two attack surfaces and you’re not paying enough attention to either

Thu, 23/04/2026 - 13:15
Windows Admin Center flaws mean on-prem can attack cloud, and vice-versa

Black Hat Asia  Israeli researchers found a series of flaws in Microsoft's Windows Admin Center (WAC) and suggest this shows hybrid cloud management tools are a two-way attack surface that users don't spend enough time worrying about.…

Categories: News

If malware via monitor cables is a matter of national security, this might be the gadget for you

Thu, 23/04/2026 - 11:45
Orgs can now buy UK cyber agency engineered commercial gadget, but details are slim

GCHQ's cyber arm has entered the hardware game with its first device designed to prevent cyberattacks on display devices.…

Categories: News

Sharing isn’t caring if it’s an admin password

Thu, 23/04/2026 - 10:28
Keeping it simple for the developers can lead to very complex headaches later

PWNED  Welcome back to PWNED, the column where we celebrate the people who’ve taught us how not to secure a server. If you’ve ever tied your own shoelaces together, then tripped over them, or attempted to dive into a swimming pool but hit your head on the diving board, we’ll be talking about your cyber equivalent.…

Categories: News

Pass the key, passwords have passed their sell-by date

Thu, 23/04/2026 - 09:00
NCSC passes judgment: passkeys pass muster, passwords fail

The UK's National Cyber Security Centre (NCSC) has officially endorsed passkeys as the default authentication standard, marking the first time the agency has told consumers to move away from passwords entirely.…

Categories: News

Another npm supply chain worm is tearing through dev environments

Wed, 22/04/2026 - 23:34
Plus, the payload references 'TeamPCP/LiteLLM method'

Yet another npm supply-chain attack is worming its way through compromised packages, stealing secrets and sensitive data as it moves through developers' environments, and it shares significant overlap with the open source infections attributed to TeamPCP last month.…

Categories: News

Anthropic's super-scary bug hunting model Mythos is shaping up to be a nothingburger

Wed, 22/04/2026 - 22:39
Hackpocalypse deferred

Anthropic's Mythos model is purportedly so good at finding vulnerabilities that the Claude-maker is afraid to make it available to the general public for fear that criminals will take advantage. But early analysis shows that Mythos may not be as dangerous as some would have you believe.…

Categories: News

Google unleashes even more AI security agents to fight the baddies

Wed, 22/04/2026 - 13:01
Along with a bunch of new services to make sure those same agents don't cause chaos

Google Cloud chief operating officer Francis deSouza has summed up his company's security strategy du jour as follows: "You need to use AI to fight AI."…

Categories: News

France's 'Secure' ID agency probes breach as crooks claim 19M records

Wed, 22/04/2026 - 12:30
Gov admits 'incident' as forum sellers boast of fresh haul covering up to a third of the population

France's National Agency for "Secure" Documents is explaining a potential data spill just as crooks online claim they've nicked a third of the country's ID information.…

Categories: News

Scotland Yard can keep using live facial recognition on people in London, say judges

Wed, 22/04/2026 - 12:14
Judges say cops face-slurping not a problem under current human rights laws

London's Metropolitan Police Service (MPS) has survived a legal challenge that attempted to curb its rollout of live facial recognition (LFR) technology across the capital.…

Categories: News

Oil crisis? What oil crisis? IT spending de-coupled from wider war shock

Wed, 22/04/2026 - 09:30
Gartner sees accelerating growth in IT spending, powered by cloud and AI infrastructure investment

A day after the International Energy Agency (IEA) said the US/Israel/Iran war was creating the worst energy crisis ever faced by the ‌world, Gartner increased its growth forecasts for global IT spending by nearly three percentage points.…

Categories: News

Mythos found 271 Firefox flaws – but none a human couldn’t spot

Wed, 22/04/2026 - 05:32
Mozilla CTO says AI means developers finally have a chance to get on top of security

The Mozilla Foundation has revealed it tested Anthropic’s bug-finding “Mythos” AI model and feels the results it experienced represent a watershed moment for software defenders.…

Categories: News
