Feb 22, 2024NewsroomQuantum Computing / Encryption

Apple has announced a new post-quantum cryptographic protocol called PQ3 that it said will be integrated into iMessage to secure the messaging platform against future attacks arising from the threat of a practical quantum computer.

“With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps,” Apple said.

The iPhone maker described the protocol as “groundbreaking,” “state-of-the-art,” and as having the “strongest security properties” of any cryptographic protocol deployed at scale.

PQ3 is the latest security guardrail erected by Apple in iMessage after it switched from RSA to Elliptic Curve cryptography (ECC), and by protecting encryption keys on devices with the Secure Enclave in 2019.

While the current algorithms that underpin public-key cryptography (or asymmetric cryptography) are based on mathematical problems that are easy to do in one direction but hard in reverse, a potential future breakthrough in quantum computing means classical mathematical problems deemed computationally intensive can be trivially solved, effectively threatening end-to-end encrypted (E2EE) communications.

The risk is compounded by the fact that threat actors could conduct what is known as a harvest now, decrypt later (HNDL) attack, wherein encrypted messages are stolen today in hopes of decoding them at a later point in time by means of a quantum computer once it becomes a reality.

In July 2022, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) chose Kyber as the post-quantum cryptographic algorithm for general encryption. Over the last year, Amazon Web Services (AWS), Cloudflare, Google and Signal have announced support for quantum-resistant encryption in their products.

Apple is the latest to join the post-quantum cryptography (PQC) bandwagon with PQ3, which combines Kyber and ECC and aims to achieve Level 3 security. In contrast, Signal, which introduced its own PQXDH protocol, offers Level 2 security, which establishes a PQC key for encryption.

This refers to an approach where PQC is “used to secure both the initial key establishment and the ongoing message exchange, with the ability to rapidly and automatically restore the cryptographic security of a conversation even if a given key becomes compromised.”

The protocol, per Apple, is also designed to mitigate the impact of key compromises by limiting how many past and future messages can be decrypted with a single compromised key. Specifically, its key rotation scheme guarantees that the keys are rotated every 50 messages at most and at least once every seven days.

Support for PQ3 is expected to start rolling out with the general availability of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 next month.

Cupertino’s iMessage security upgrade follows the tech giant’s surprise decision to bring Rich Communication Services (RCS) to its Messages app later this year, marking a much-needed shift from the non-secure SMS standard.

It also said it will work towards improving the security and encryption of RCS messages. It’s worth noting that while RCS does not implement E2EE by default, Google’s Messages app for Android uses the Signal Protocol to secure RCS conversations.

While the adoption of advanced protections is always a welcome step, it remains to be seen if this is expanded beyond iMessage to include RCS messages.

Jan 01, 2024NewsroomEncryption / Network Security

Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection’s security by breaking the integrity of the secure channel.

Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the exploit has been described as the “first ever practically exploitable prefix truncation attack.”

“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it,” researchers Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk said.

SSH is a method for securely sending commands to a computer over an unsecured network. It relies on cryptography to authenticate and encrypt connections between devices.

This is accomplished by means of a handshake in which a client and server agree upon cryptographic primitives and exchange keys required for setting up a secure channel that can provide confidentiality and integrity guarantees.

However, a bad actor in an active adversary-in-the-middle (AitM) position with the ability to intercept and modify the connection’s traffic at the TCP/IP layer can downgrade the security of an SSH connection when using SSH extension negotiation.

“The attack can be performed in practice, allowing an attacker to downgrade the connection’s security by truncating the extension negotiation message (RFC8308) from the transcript,” the researchers explained.

“The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks in OpenSSH 9.5.”

Another crucial prerequisite necessary to pulling off the attack is the use of a vulnerable encryption mode such as ChaCha20-Poly1305 or CBC with Encrypt-then-MAC to secure the connection.

“In a real-world scenario, an attacker could exploit this vulnerability to intercept sensitive data or gain control over critical systems using administrator privileged access,” Qualys said. “This risk is particularly acute for organizations with large, interconnected networks that provide access to privileged data.”

The flaw impacts many SSH client and server implementations, such as OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear, prompting the maintainers to release patches to mitigate potential risks.

“Because SSH servers and OpenSSH in particular are so commonly used throughout cloud-based enterprise application environments, it’s imperative for companies to ensure they have taken appropriate measures to patch their servers,” Yair Mizrahi, senior security researcher of security research at JFrog, told The Hacker News.

“However, a vulnerable client connecting to a patched server will still result in an vulnerable connection. Thus, companies must also take steps to identify every vulnerable occurrence across their entire infrastructure and apply a mitigation immediately.”

Dec 29, 2023NewsroomMalware / Endpoint Security

Microsoft on Thursday said it’s once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.

“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence team said.

It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher.

The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.

At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity –

• Storm-0569, an initial access broker which propagates BATLOADER through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and handoff the access to Storm-0506 for Black Basta ransomware deployment.

• Storm-1113, an initial access broker that uses bogus MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for a variety of stealer malware and remote access trojans.

• Sangria Tempest (aka Carbon Spider and FIN7), which uses Storm-1113’s EugenLoader to drop Carbanak that, in turn, delivers an implant called Gracewire. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from rogue landing pages to distribute POWERTRASH, which is then used to load NetSupport RAT and Gracewire.

• Storm-1674, an initial access broker that sends fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages using the TeamsPhisher tool, urging recipients to open PDF files that, when clicked, prompts them to update their Adobe Acrobat Reader to download a malicious MSIX installer that contains SectopRAT or DarkGate payloads.

Microsoft described Storm-1113 as an entity that also dabbles in “as-a-service,” providing malicious installers and landing page frameworks mimicking well-known software to other threat actors such as Sangria Tempest and Storm-1674.

In October 2023, Elastic Security Labs detailed another campaign in which spurious MSIX Windows app package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader dubbed GHOSTPULSE.

This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft said.