8 AUG, 2022

Cybersecurity Chronicles: Quantum Challenges, Huawei Concerns, and the Rising Tide of Crypto Hacks

Cybourn Media Hub

It’s a beautiful day outside, and you are weighing your options: you could go for a jog in the park, hike up the mountain, ride a bike across town, or take the train somewhere interesting. And not just any train: the Cybersecurity Express, heading down cyber-crime alley to show you what’s been broiling on the internet. If you fancy the last option, you’re in luck! Climb aboard and see where the Cybersecurity Express will take you this time:

First stop: Quantum-proof encryption algorithm cracked by a conventional computer in one hour
Second stop: Chinese Huawei equipment could disrupt US nuclear arsenal comms, in theory that is
Third stop: The way hackers are reading your Gmail
Bonus station: Another day, another cryptocurrency hack

Quantum Proof Encryption Algorithm Cracked by Conventional Computer in One Hour

In anticipation of quantum computing, the Department of Homeland Security (DHS), in partnership with the Department of Commerce’s National Institute of Standards and Technology (NIST), has released a roadmap to help organizations protect their data and systems from the risks that advances in quantum computing bring. As we presented this threat in a previous issue, it is expected that, as quantum technology advances over the next decade, most of the encryption methods widely used to protect customer data, complete business transactions, and secure communications will be easily broken. Thus we must prepare in advance, and it is a good thing we have decided to do so: one of the late-stage candidate algorithms meant to withstand decryption by the powerful quantum computers of the future has already been trivially cracked, using a computer running a single core of a 2013-model Intel Xeon CPU, in about an hour. We are talking about SIKE (Supersingular Isogeny Key Encapsulation), which made it to the fourth round of the Post-Quantum Cryptography (PQC) standardization process initiated by NIST. “Each of these systems relies on some sort of math problem which is easy to do in one direction but hard in reverse,” said David Jao, one of the co-inventors of SIKE and Chief Cryptographer at Evolution.

The attack was crafted by KU Leuven researchers Wouter Castryck and Thomas Decru. “Ran on a single core, the appended Magma code breaks the Microsoft SIKE challenges $IKEp182 and $IKEp217 in about 4 minutes and 6 minutes respectively. A run on the SIKEp434 parameters, previously believed to meet NIST’s quantum security level 1, took about 62 minutes,” the two researchers said in their paper. It is possible that SIDH, the key exchange underlying SIKE, can be patched to avoid the new attack, but more analysis is required before its creators can confidently make a statement about any possible fixes.

While SIKE was positioned as one of the NIST-designated PQC contenders, the research above invalidates the algorithm in its current form. Other contenders built on SIDH, such as B-SIDH, are also broken by the new attack.

Chinese Huawei Equipment Could Disrupt US Nuclear Arsenal Communications

Among the most alarming things the FBI uncovered is Chinese-made Huawei equipment in cell towers near US military bases in the rural Midwest. According to multiple sources familiar with the matter, the FBI determined the equipment could capture and disrupt highly restricted Defense Department communications, including those used by US Strategic Command, which oversees the country’s nuclear weapons. While broad concerns about Huawei equipment near US military installations have been well known, the existence of this investigation and its findings had never been reported. Its origins stretch back to at least the Obama administration, and those who spoke of it did so on condition of anonymity. The Chinese government strongly denies any effort to spy on the US. Huawei, in a statement to CNN, also denied that its equipment is capable of operating in any communications spectrum allocated to the Defense Department. “All of our products imported to the US have been tested and certified by the FCC before being deployed there. Our equipment only operates on the spectrum allocated by the FCC for commercial use. This means it cannot access any spectrum allocated to the DOD,” said Huawei.

Despite the alarming findings, the US government’s refusal to provide evidence backing its claim that Huawei technology poses a risk to national security has led some critics to accuse it of xenophobic overreach. Multiple sources familiar with the investigation, however, say there is no question that the Huawei equipment can intercept not only commercial cell traffic but also the highly restricted airwaves used by the military, and can disrupt critical US Strategic Command communications, giving the Chinese government a potential window into America’s nuclear arsenal. Not to mention that many of the cell towers owned by Chinese service providers carry HD weather cameras, and the FBI is certain the feed is used by the Chinese to track strategic military movements. In 2020, Congress approved $1.9 billion to remove Chinese-made Huawei and ZTE cellular technology across wide swaths of rural America, but that soon turned into a fiasco: the work is slow, and not enough funds were allocated to reimburse the affected telecom companies.

The Way Hackers are Reading Your Gmail

Researchers have uncovered a never-before-seen type of malware that North Korean hackers have been using to read and download email and attachments from infected users’ Gmail and AOL accounts. The malware, dubbed SHARPEXT, uses a clever method to install a browser extension in the Chrome and Edge browsers.

Being an extension, the malware can’t be detected by the email services, and it doesn’t need to deal with multifactor authentication because you do that job for it: it reads the mailbox through a browser session you have already logged into. It doesn’t rely on flaws in Gmail or AOL Mail to get installed. The extension is installed by way of spear phishing and social engineering, where the victim is fooled into opening a malicious document. Installing a browser extension during a phishing operation without the end user noticing isn’t easy. To get around the browser’s defenses, attackers must first extract the following from the computer they are compromising:

  • A copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)
  • The user’s S-ID value
  • The original Preferences and Secure Preferences files from the user’s system

After modifying the preference files, SHARPEXT automatically loads the extension and executes a PowerShell script that enables DevTools, a setting that allows the browser to run customized code and settings. SHARPEXT lets the hackers create lists of email addresses to ignore and keep track of which emails or attachments have already been stolen. How can you test whether you have fallen victim to this? Here are the YARA rule and the IOCs
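Because SHARPEXT lives in the browser profile rather than in the mail service, the place to look for it is the profile itself. The script below is an added example (not code from the original post or from the SHARPEXT research) that audits a Chrome or Edge Preferences JSON file for extensions that did not come from the Web Store. It assumes, as Chromium’s profile format does in the author’s experience, that installed extensions are recorded under extensions.settings.<id> with the keys path, from_webstore, location and state, that location value 4 means the extension was loaded unpacked from a folder, and that state 1 means enabled; the sample Preferences document is constructed for the demonstration.

```python
"""Audit a Chromium-family 'Preferences' file for sideloaded extensions.

Added example for this post; not the SHARPEXT authors' tooling.
Assumptions (labelled): extension records live at extensions.settings.<id>
with keys 'path', 'from_webstore', 'location' and 'state'; location 4 is
"unpacked" (loaded from a folder); state 1 is "enabled".
"""
import json
from pathlib import PurePosixPath, PureWindowsPath

LOCATION_UNPACKED = 4   # assumed numeric value of Chromium's UNPACKED location
STATE_ENABLED = 1       # assumed numeric value for an enabled extension


def _is_absolute(path: str) -> bool:
    """True for an absolute path on either Windows or POSIX.

    Web Store extensions are stored relative to the profile directory
    (e.g. '<id>/1.0_0'); an absolute path means the extension is loaded
    from somewhere else on disk, which is the sideloading pattern.
    """
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def find_suspicious_extensions(prefs: dict) -> list[dict]:
    """Return enabled extensions that show signs of not coming from the Web Store."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        reasons = []
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from a folder")
        path = entry.get("path", "")
        if path and _is_absolute(path):
            reasons.append(f"absolute path outside the profile: {path}")
        # Disabled extensions cannot run, so only report enabled ones.
        if reasons and entry.get("state", STATE_ENABLED) == STATE_ENABLED:
            findings.append({"id": ext_id, "path": path, "reasons": reasons})
    return findings


def audit_preferences_file(path: str) -> list[dict]:
    """Load a Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return find_suspicious_extensions(json.load(fh))


# Constructed sample: one Web Store extension and one sideloaded one.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0",
                "state": 1,
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "state": 1,
            },
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "path": "/tmp/old_ext",
                "state": 0,   # disabled, so not reported
            },
        }
    }
}

if __name__ == "__main__":
    for hit in find_suspicious_extensions(SAMPLE_PREFS):
        print(hit["id"], "->", "; ".join(hit["reasons"]))
```

Run it against a live profile with audit_preferences_file("<path to the profile's Preferences file>"); on a managed fleet, the same check can be scheduled and its findings forwarded to your SIEM so that an extension appearing outside the Web Store path stands out as an event rather than waiting for a user to notice.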

Another Day, Another Cryptocurrency Hack

In other news, cryptocurrencies have been a lucrative target for hackers lately. This is really no surprise, as most of the platforms were built with profit in mind and minimal regard for security, which goes to show how much it matters that cybersecurity is considered in the early stages of development. Nomad, a platform that lets users swap tokens from one blockchain to another, was hacked and the actors got away with almost $200 million in cryptocurrency. Steven Galanis, co-founder and CEO of the Cameo app, fell victim to a crypto hack in which several NFTs, including a Bored Ape, and over $70,000 worth of cryptocurrency were stolen from him. His Bored Ape, for which he paid $319,000, was immediately sold for $130,000; talk about a good discount. The Solana ecosystem was exploited via a flaw that allowed an unknown perpetrator to drain funds from over 8,000 wallets, amassing at least $5 million worth of SOL, SPL and other Solana-based tokens. This will increase the calls for regulation of decentralized currencies and raise further concerns, as the anonymity “benefit” of cryptocurrencies turns out to be more helpful to those who want to profit maliciously from these environments. These are just the latest in a long line of fund drains for which there seems to be no end in sight.

There is an end in sight, though, for this journey aboard the Cybersecurity Express. Stay safe by applying security to your IT environment and software; the expense will turn into more dollars saved in the long run. We hope you enjoyed the ride, and we look forward to seeing you aboard next time!
