#Rowhammer

Florian A. (c1t)
2026-01-12

.@lavados, @lunkw1ll, and I gave a talk with the title "Rowhammer in the Wild - Large-Scale Insights from FlippyRAM" at the 39th Chaos Communication Congress (#39c3). In our study, we investigated the prevalence of the effect. If you are interested, the video is already online: media.ccc.de/v/39c3-rowhammer-

Screenshot of the video of the talk.

The podcast is a guest at the 39th Chaos Communication Congress and has invited three illustrious guests. Linus Neumann, #CCC spokesperson, talks about the Digital Independence Day and how it could (hopefully) become fashionable to free yourself, piece by piece, from the clutches of the internet giants. Bianca Kastl reports on old and new security problems of the electronic patient record (#ePA), how it could come to this, and whether at least an improvement is in sight.

Florian Adamsky explains the #Rowhammer #Sicherheitslücke (security vulnerability) and how practical attacks through this hole are, because to find out, he and his colleagues started the #FlippyR.AM experiment last year.

Passwort - the heise security podcast: Passwort from 39c3 on digital independence, sick records and hammered memory

Episode website: passwort.podigee.io/48-passwor

Media file: audio.podigee-cdn.net/2289062-

@christopherkunz
@syt
#39C3

The #Rowhammer talk at #CCC is basically a tradition at this point.

So obviously it has returned to #39C3 and if I understood it right their conclusion was that 12.5% of RAMs (that they tested) are vulnerable to automated #Rowhammer attacks. Ouch!

#CCC #hacking #security

Torsten (tor@norden.social)
2025-12-29
Meme with show-offs:
2024: man with a gold chain around his neck
2025: man with a chain of RAM sticks around his neck
Florian A. (c1t)
2025-12-29

If you are interested in the results of our study, which we presented last year at , we (@lavados, @lunkw1ll and I) will be presenting our findings in Room One at 23:00 at .

2025-12-26

@c1t @lunkw1ll @lavados Have fun with your #Rowhammer talk at #39c3! 🙂

2025-09-26
CVE-2023-51767: a bogus CVE in OpenSSH

https://seclists.org/oss-sec/2025/q3/175

Interesting (and civil!) discussion on #Rowhammer
2025-09-25

New Phoenix Attack bypasses Rowhammer Defenses in DDR5 Memory.

A team of researchers in the Computer Security Group [COMSEC] at ETH Zurich University in Switzerland and Google created a new DDR5 Rowhammer attack they call Phoenix, which can flip bits in memory chips to enable malicious activity.

comsec-files.ethz.ch/papers/ph

#phoenix #rowhammer #ddr5 #memory #attack #it #security #privacy #engineer #media #tech #news

👾The tests were carried out on DDR5 products from Hynix, one of the largest memory chip makers with an estimated 36% of the market, but the security risk may extend to products from other vendors as well.👾

<https://comsec.ethz.ch/research/dram/phoenix/>

After reverse-engineering the complex protections that Hynix implemented against Rowhammer and learning how they worked, the researchers discovered that certain refresh intervals were not sampled by the mitigation, which could be exploited.

⁉️They also developed a method for Phoenix to track and synchronize with thousands of refresh operations by self-correcting when it detects a missed one. To evade TRR protections, the Rowhammer patterns in the Phoenix attack cover 128 and 2608 refresh intervals and hammer specific activation slots only at precise moments.⁉️

The researchers shared a repository with resources to reproduce the Phoenix attack, which includes experiments based on Field-Programmable Gate Array [FPGA] to reverse-engineer TRR implementations, and the code for the proof-of-concept exploits.

<https://github.com/comsec-group/phoenix>

[Image source: COMSEC ETH Zurich]

⁉️All tested DDR5 modules are vulnerable to the new Phoenix Rowhammer attack.⁉️

The table above shows that all memory chips tested are vulnerable to one of the Rowhammer patterns used in the Phoenix attack. The shorter one with 128 refresh intervals is more effective, though, generating more bit flips on average.

Phoenix is currently tracked as [CVE-2025-6202] and received a high-severity score. It affects all DIMM RAM modules produced between January 2021 and December 2024.

<https://www.cve.org/CVERecord?id=CVE-2025-6202>

👾Although Rowhammer is an industry-wide security problem that cannot be corrected for existing memory modules, users can stop Phoenix attacks by tripling the DRAM refresh interval [tREFI]. However, this kind of stress may cause errors or data corruption and render the system unstable.👾

A technical paper titled “Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronization” has been published and will also be presented at the IEEE Symposium on Security and Privacy next year.

<https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf>
2025-09-22

Security Week 2539: an effective Rowhammer attack on DDR5 memory modules

Researchers from ETH Zurich have published a paper in which they demonstrated an effective Rowhammer attack on DDR5 memory modules. The Rowhammer attack was first proposed in 2014. Back then, the researchers exploited the physical properties of DRAM chips: it turned out that the value in a particular cell can be changed by repeatedly accessing neighbouring rows of cells. At the time the study was done on DDR3 memory modules, but it later became clear that the attack also applies to DDR4. Since Rowhammer attacks exploit fundamental principles of how memory chips work, dedicated countermeasures were developed. A technology known as Target Row Refresh forcibly refreshes the contents of cells if it notices repeated accesses to neighbouring rows, which makes carrying out the attack considerably harder. As a result, DDR5 memory modules were considered protected against Rowhammer from the moment they went on sale in 2020 up until 2024, when another ETH Zurich study showed that it was possible to force a change of the values in cells. But that attack was really successful against only one of the ten memory modules examined. The new Phoenix attack worked on all 15 tested modules, and in addition the researchers showed several variants of practical attacks using this vulnerability.

habr.com/ru/companies/kaspersk

#иб #rowhammer #phoenix #ddr5
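The post above describes the Rowhammer mechanism (repeated activations of neighbouring DRAM rows flipping bits in a victim row) and TRR as the countermeasure. As an added illustration, not code from any of the posts and not from the Phoenix or FlippyRAM projects, here is a minimal C harness for the classic double-sided access pattern: two aggressor addresses are loaded alternately, the cache line is flushed after every load so each access actually reaches DRAM, and the buffer is then scanned for bits that no longer match the fill pattern. It assumes x86 (clflush) and uses a fixed byte stride (ROW_STRIDE, an assumption) instead of the real DRAM addressing functions, so on almost every machine, and on any module whose TRR works, it reports zero flips. Mapping virtual addresses to physically adjacent rows is the addressing problem a real study has to solve first.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed spacing between aggressor addresses. A real attack derives this from the
   DRAM addressing functions; a fixed stride rarely lands on physically adjacent rows. */
#define ROW_STRIDE (8u * 1024u)

/* Evict one cache line so the next load is served from DRAM. */
static inline void flush_line(const volatile void *p)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" :: "r"(p) : "memory");
#else
    (void)p;  /* no user-space flush here: loads may stay in cache and never activate a row */
#endif
}

/* Double-sided pattern: alternate loads to two aggressors, flushing after every load. */
void hammer_pair(volatile uint8_t *a, volatile uint8_t *b, unsigned long iters)
{
    for (unsigned long i = 0; i < iters; i++) {
        (void)*a;
        (void)*b;
        flush_line(a);
        flush_line(b);
        __asm__ volatile("" ::: "memory");  /* keep the compiler from hoisting the loads */
    }
}

/* Count bits that differ from the fill pattern over the whole buffer. */
unsigned long count_flips(const uint8_t *buf, size_t len, uint8_t pattern)
{
    unsigned long flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (unsigned long)__builtin_popcount((unsigned)(buf[i] ^ pattern));
    return flips;
}

/* Fill buf, hammer each pair (off, off + 2*ROW_STRIDE) with the would-be victim region
   in between, then report how many bits changed. Expect 0 on a sane modern system. */
unsigned long run_hammer_test(uint8_t *buf, size_t len, uint8_t pattern, unsigned long iters)
{
    memset(buf, pattern, len);
    for (size_t off = 0; off + 2 * ROW_STRIDE < len; off += 2 * ROW_STRIDE)
        hammer_pair(buf + off, buf + off + 2 * ROW_STRIDE, iters);
    return count_flips(buf, len, pattern);
}

int main(void)
{
    const size_t len = 4u * 1024u * 1024u;   /* 4 MiB test buffer */
    uint8_t *buf = malloc(len);
    if (!buf)
        return 1;
    unsigned long flips = run_hammer_test(buf, len, 0xFF, 200000);
    printf("bit flips observed: %lu\n", flips);
    free(buf);
    return 0;
}
```

The iteration count and buffer size are illustrative; what decides success in practice is whether the two aggressors sit in the same bank on the rows next to the victim and whether enough activations fit into one refresh window before TRR refreshes the victim, which is exactly what the Phoenix synchronization work in the other posts here is about.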

Florian A. (c1t)
2025-09-22

@lunkw1ll presented our paper with the title "Epistemology of Rowhammer Attacks: Threats to Rowhammer Research Validity" at . The problem that we see there is the lack of real-world attacks, which contradicts the number of Rowhammer publications from academia. For more info, you will find a pre-print of our paper here: florian.adamsky.it/research/pu

Martin sits on the stage and presents our paper at ESORICS25
Florian A. (c1t)
2025-09-20

The first one is titled "Epistemology of Rowhammer Attacks: Threats to Rowhammer Research Validity," in which we analyze 32 offensive Rowhammer research papers, find six threats to the validity and relevance of research results, and give multiple examples. The second one is titled "Verifying DRAM Addressing in Software," in which we show a novel method to reliably verify DRAM addressing functions and function components entirely in software.

Florian A. (c1t)
2025-09-20

I am packing for my trip tomorrow to Toulouse for 30th European Symposium on Research in Computer Security (#ESORICS25). We are presenting two papers there about our research—another great collaboration with @lavados and his team.

2025-09-17

It's been a packed 24 hours in the cyber world, with major disruptions to phishing operations, nation-state actors leveraging AI, significant breaches impacting critical infrastructure and financial services, and a notable resentencing in a high-profile cybercrime case. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- UK telco Colt Technology Services is still reeling from an August cyberattack, with recovery efforts now expected to stretch into late November. The Warlock ransomware group is claiming responsibility, and the incident is suspected to have originated from SharePoint exploits.
- The Jaguar Land Rover (JLR) cyberattack continues to send "shockwaves" through the UK automotive supply chain, with supplier Autins reporting a 55% share price drop and production halts. This highlights the significant economic security implications of attacks on critical industrial players.
- Venture capital firm Insight Partners has begun notifying over 12,000 individuals about a ransomware breach that occurred in October, with servers encrypted in January. The attack, initiated via a sophisticated social engineering campaign, led to the exfiltration of sensitive personal, banking, and tax information.
- SonicWall has warned customers to reset credentials after a security breach of its MySonicWall.com platform exposed firewall configuration backup files. Threat actors used brute-force attacks to access these files, which contain encrypted passwords and other data that could significantly aid firewall exploitation.
- The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Salesloft Drift OAuth tokens. This extensive data theft, linked to the "Scattered Lapsus$ Hunters" collective, involved scanning source code for secrets and exfiltrating sensitive customer support ticket data.

💻 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/jlr-cyber-shoc
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/sonicwall-cyber
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Threat Actor Activity and AI in Cybercrime 🕵️

- Microsoft and Cloudflare have successfully disrupted RaccoonO365, a major Phishing-as-a-Service (PhaaS) operation, by seizing 338 domains and associated infrastructure. The financially motivated group, tracked as Storm-2246, stole over 5,000 Microsoft 365 credentials from 94 countries, often preceding malware and ransomware attacks.
- The notorious Scattered Spider group has resurfaced, shifting its focus to the financial sector despite recent claims of "going dark" alongside other cybercrime groups. ReliaQuest observed a targeted intrusion against a US banking organisation, where initial access was gained via social engineering and Azure AD self-service password reset, followed by lateral movement and credential dumping.
- North Korean Kimsuky hackers (APT43) are leveraging OpenAI's ChatGPT to generate deepfake military ID cards for phishing campaigns targeting South Korean defence institutions. This demonstrates a growing trend of nation-state actors using generative AI to create highly convincing forgeries and enhance social engineering tactics.
- The RevengeHotels group is also employing AI to boost its attacks on hotels, primarily in Brazil and Latin America, using phishing emails to deliver the VenomRAT remote access trojan. The use of large language models has enabled the hackers to produce cleaner, more structured malicious code, making their payment card data theft campaigns more effective.

📰 The Hacker News | thehackernews.com/2025/09/racc
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/09/scat
💻 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/north-korea-ki
🗞️ The Record | therecord.media/hackers-paymen

New Vulnerability: DDR5 Rowhammer ⚠️

- Researchers from Google and ETH Zurich have discovered a new class of Rowhammer vulnerability, dubbed "Phoenix" (CVE-2025-6202), affecting DDR5 memory modules. This attack, while computationally expensive, can corrupt data in adjacent memory cells, posing a risk to data integrity and potentially enabling privilege escalation.
- The vulnerability stems from repeatedly accessing specific rows of memory cells, which can degrade data in neighbouring cells, a known issue that DDR5 was thought to be more resistant to without additional refresh management commands.
- While AMD has released a BIOS update to protect systems using its processors, the discovery highlights the ongoing challenge of securing modern memory architectures and the need for system builders to implement robust defences like JEDEC's Per-Row Activation Counting (PRAC).

💻 The Register | go.theregister.com/feed/www.th

Legal and Regulatory Developments ⚖️

- The founder of BreachForums, Conor Brian Fitzpatrick (Pompompurin), has been resentenced to three years in prison for his role in running the cybercrime forum and possessing child sexual abuse material (CSAM). This follows an appeals court vacating his initial lenient sentence of 17 days time served.
- Fitzpatrick pleaded guilty to access device conspiracy, access device solicitation, and possession of CSAM, and has agreed to forfeit over 100 domain names, electronic devices, and cryptocurrency. The resentencing underscores the severity of his crimes, which involved facilitating the sale of over 14 billion individual records.

📰 The Hacker News | thehackernews.com/2025/09/doj-
💻 The Register | go.theregister.com/feed/www.th

Data Privacy Win Against Big Tech 🔒

- A California federal judge has rejected Meta's attempt to overturn a jury verdict finding the tech giant liable for illegally obtaining sensitive reproductive health data from millions of women via the Flo period tracking app. The ruling confirms Meta directly acquired user communication content in real-time without proper consent.
- The judge's unusually harsh wording called Meta's attempt to nullify the verdict "improper," reinforcing the significance of this case as one of the first major verdicts on how big tech handles sensitive health data. This could pave the way for further litigation and increased scrutiny of data collection practices.

🗞️ The Record | therecord.media/judge-rejects-

Linux Arm64 and UEFI Secure Boot 🐧

- The adoption of UEFI Secure Boot for Linux on Arm64 devices presents a more fragmented landscape compared to x86, primarily due to the diversity of Arm chip manufacturers and their firmware implementations. While the UEFI specification is architecture-independent, its practical application varies significantly.
- Many Arm devices rely on the u-boot bootloader, which offers UEFI compliance but requires users to create and deploy their own certificates and keys, unlike the x86 world where Microsoft-signed shims are common.
- While some Linux distributions like Debian, Ubuntu, and SUSE offer out-of-the-box Secure Boot support on Arm with Microsoft keys, others like Fedora and RHEL require manual certificate deployment or disabling Secure Boot initially, highlighting ongoing integration challenges.

💻 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #Phishing #AI #NationState #APT #Vulnerability #Rowhammer #DDR5 #DataBreach #IncidentResponse #Cybercrime #Legal #DataPrivacy #Linux #UEFI #InfoSec

WinFuture (WinFuture.de)
2025-09-17

Security researchers have developed "Phoenix", a -attack that bypasses all DDR5 protection measures. Root access on desktop systems can be obtained in just 109 seconds. winfuture.de/news,153658.html?

Who has two thumbs and said percussive ram attacks wouldn't go anywhere??

👍🏻 This guy! 👎🏻

thehackernews.com/2025/09/phoe

#rowhammer #ddr5

2025-09-16

It's been a busy 24 hours in the cyber world with significant updates on supply chain attacks, ongoing major breaches, critical vulnerability research, and important regulatory shifts. Let's dive in:

JLR Cyberattack Continues to Cause Major Disruption 🚗
- Jaguar Land Rover (JLR) has extended its global production shutdown until at least September 24th, bringing the total downtime to nearly four weeks following a cyberattack.
- The incident, claimed by "Scattered Lapsus$ Hunters," has led to significant financial losses (estimated £5-10 million daily) and temporary layoffs across JLR's extensive supply chain.
- JLR confirmed data theft, highlighting the severe business continuity and economic security implications, with calls for government support for affected workers.
🗞️ The Record | therecord.media/jaguar-land-ro
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Google LERS Portal Accessed by Threat Actors 🚨
- Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) portal, used by government agencies to request user data.
- The "Scattered Lapsus$ Hunters" group, also linked to the JLR attack, posted screenshots claiming access to LERS and the FBI's NICS, though Google states no requests were made or data accessed via the fraudulent LERS account.
- This incident, coupled with the group's "retirement" announcement (met with skepticism by analysts), underscores the persistent threat of sophisticated social engineering and credential compromise against high-value targets.
🕵🏼 The Register | go.theregister.com/feed/www.th

Self-Propagating Worm Hits npm Supply Chain ⛓️
- An ongoing, worm-style supply chain attack, dubbed 'Shai-Hulud,' has compromised at least 187 npm packages, including some from CrowdStrike's npm namespace.
- The attackers are using a self-propagating mechanism: malicious bundle.js scripts are injected into packages, which then use the legitimate TruffleHog tool to scan developer machines for secrets (e.g., AWS, GitHub, npm tokens).
- Stolen credentials are used to create GitHub Actions workflows and exfiltrate data, and valid npm tokens are then abused to update other packages by the same maintainer, perpetuating the attack. Developers should audit environments, rotate tokens, and pin dependencies.
📰 The Hacker News | thehackernews.com/2025/09/40-n
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

FileFix Social Engineering Delivers StealC Infostealer 🎣
- A new variant of the FileFix social engineering attack is actively tricking victims into running the StealC information stealer malware via fake Facebook security alerts.
- Unlike previous ClickFix variants, FileFix leverages a web browser's file upload feature, prompting users to copy and paste a malicious command into File Explorer's address bar, which then executes a multi-stage PowerShell script.
- The attack uses steganography, embedding a second-stage payload within seemingly innocuous JPG images downloaded from Bitbucket, making detection harder and allowing for flexible payload changes.
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2025/09/new-

SlopAds Android Ad Fraud Ring Disrupted 📱
- A massive ad fraud operation, "SlopAds," involving 224 Android apps with 38 million downloads, has been disrupted by Google after generating 2.3 billion daily ad bids at its peak.
- The apps used sophisticated evasion tactics, including steganography to conceal a malicious "FatModule" APK within PNG images, and conditional fraud execution (only activating if installed via an ad click).
- The FatModule created hidden WebViews to navigate to attacker-owned game and news sites, continuously serving ads to generate fraudulent impressions and clicks, highlighting the evolving sophistication of mobile ad fraud.
📰 The Hacker News | thehackernews.com/2025/09/slop
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

RaccoonO365 Phishing Kit Disrupted by Microsoft & Cloudflare 🚫
- Microsoft, with Cloudflare's help, has disrupted RaccoonO365, a rapidly growing subscription phishing kit used to steal Microsoft 365 credentials, seizing 338 associated websites.
- The service, led by Nigerian national Joshua Ogundipe, offered kits for $365/month, targeting up to 9,000 emails daily, bypassing MFA, and stealing credentials from 5,000 victims in 94 countries.
- The operation highlights the increasing sophistication of phishing-as-a-service, with RaccoonO365 recently advertising an AI-backed service to scale attacks, underscoring the need for robust MFA and user awareness.
🗞️ The Record | therecord.media/microsoft-clou
🕵🏼 The Register | go.theregister.com/feed/www.th

Phoenix RowHammer Attack Bypasses DDR5 Protections 💥
- Academics from ETH Zürich and Google have unveiled "Phoenix" (CVE-2025-6202), a new RowHammer attack variant capable of bypassing advanced Target Row Refresh (TRR) protections on SK Hynix DDR5 memory chips.
- The attack can reliably trigger bit flips on DDR5 devices, leading to a privilege escalation exploit that obtains root on a standard desktop system in as little as 109 seconds.
- This research confirms that on-die ECC is insufficient and end-to-end RowHammer attacks are still viable on DDR5, recommending increased refresh rates (3x) as a mitigation for unpatchable DRAM devices.
📰 The Hacker News | thehackernews.com/2025/09/phoe

Apple Backports Zero-Day Patches to Older Devices 🍎
- Apple has released security updates for older iPhones and iPads (iOS/iPadOS 15.8.5 / 16.7.12) to backport patches for CVE-2025-43300, a zero-day out-of-bounds write vulnerability in Image I/O.
- This flaw was previously exploited in "extremely sophisticated attacks against specific targeted individuals," often chained with a WhatsApp zero-click vulnerability (CVE-2025-55177).
- While Apple's latest OS updates (iOS/iPadOS 26, macOS 26) address numerous other vulnerabilities without active exploitation warnings, this backport ensures critical protection for a wide range of older, unsupported devices.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/apple-security-

China Imposes Strict 1-Hour Cyber Incident Reporting Deadline 🇨🇳
- From November 1st, China's Cyberspace Administration (CAC) will enforce new rules requiring network operators to report "serious" cyber incidents within 60 minutes, and "particularly major" events within 30 minutes.
- "Particularly major" incidents include data loss threatening national security, leaks of over 100 million personal records, or outages of key government/news sites for over 24 hours, with penalties for non-compliance.
- This stringent deadline, significantly shorter than Europe's 72-hour rule, will force Chinese organisations to invest heavily in real-time monitoring and rapid response capabilities.
🕵🏼 The Register | go.theregister.com/feed/www.th

US Lawmakers Extend Key Cyber Programs 🏛️
- A short-term government funding bill proposes extending the 2015 Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program for another seven weeks, until November 21st.
- This temporary reprieve aims to give House and Senate lawmakers more time to align on long-term renewals for these critical initiatives, which provide legal safeguards for threat intelligence sharing and support local cyber defences.
- The Senate's proposed version of the threat-sharing legislation is expected to differ from the House's, potentially offering a shorter renewal and fewer safeguards for private entities.
🗞️ The Record | therecord.media/house-lawmaker

FBI Cyber Division Personnel & Arrests Under Scrutiny 🇺🇸
- A contentious Senate Judiciary Committee hearing saw Senator Dick Durbin warn of potential 50% personnel cuts to the FBI's cyber division under the Trump administration, despite increasing foreign threats.
- FBI Director Kash Patel countered, stating that cyber-related arrests have risen by 42% (409 arrests) and convictions by 169% compared to the previous year, asserting no diversion of resources from critical cyber missions.
- The debate highlights ongoing concerns about the FBI's resource allocation and its ability to combat nation-state threats, ransomware, and AI-generated election interference amidst political scrutiny.
🤫 CyberScoop | cyberscoop.com/senators-fbi-di

Microsoft to Remove WMIC from Windows 11 25H2 💻
- Microsoft has announced that the Windows Management Instrumentation Command-line (WMIC) tool will be removed after upgrading to Windows 11 25H2 and later versions.
- IT administrators are advised to transition to Windows PowerShell for WMI tasks, as WMIC has been deprecated since Windows Server 2012 and Windows 10 21H1.
- This removal aims to reduce system complexity and boost security by eliminating a common "living-off-the-land binary" (LOLBIN) exploited by malware for tasks like deleting Shadow Volume Copies or disabling antivirus.
🤖 Bleeping Computer | bleepingcomputer.com/news/micr

BreachForums Founder Resentenced to Three Years Prison ⚖️
- Conor Brian Fitzpatrick, alias "Pompompurin," founder of the notorious BreachForums hacking forum, has been resentenced to three years in prison after his initial lenient sentence was overturned.
- Fitzpatrick pleaded guilty to conspiracy to commit access device fraud, solicitation, and possession of child sexual abuse material, but violated pretrial release conditions by using unmonitored internet access and expressing a lack of remorse.
- The resentencing underscores the severity of operating such platforms, which facilitated the trade of stolen data from over 330,000 members and 14 billion individual records.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/conor-fitzpatri

Check Point Acquires AI Security Firm Lakera 🤝
- Check Point Software Technologies is acquiring Lakera, an AI security platform, to deliver an "end-to-end AI security solution" for enterprises, with the deal expected to close in Q4 2025.
- Lakera's platform offers real-time protection for AI applications, with high detection rates and low false positives, and operates Gandalf, an adversarial AI network generating over 80 million attack patterns.
- This acquisition reflects a growing trend of established cybersecurity companies expanding into AI security to address new attack vectors like data exposure and model manipulation introduced by generative AI and LLMs.
🤫 CyberScoop | cyberscoop.com/check-point-lak

#CyberSecurity #ThreatIntelligence #SupplyChainAttack #npm #Ransomware #DataBreach #ZeroDay #Vulnerability #RowHammer #Phishing #SocialEngineering #Malware #AdFraud #AndroidSecurity #RegulatoryCompliance #GovernmentCyber #FBI #AI #InfoSec #CyberAttack #IncidentResponse

decio (decio@infosec.exchange)
2025-09-16

Well now, the ETH Zurich (EPFZ) research "Phoenix" (CVE-2025-6202) shows that DDR5 DIMMs (produced between 2021-01 and 2024-12) from SK Hynix, one of the world's largest DRAM manufacturers, remain vulnerable to Rowhammer despite advanced countermeasures built into the chip.

"Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronization"
👇
comsec.ethz.ch/research/dram/p
⬇️
comsec-files.ethz.ch/papers/ph
⬇️
github.com/comsec-group/phoenix

The researchers found two new attack patterns and a synchronization method that bypass the protections built into the DRAM.
The bit flips obtained are exploitable: arbitrary read/write via PTE, theft of RSA/SSH keys, and escalation to root (on average ≈ 5 min 😵). The on-die ECC is not enough.
The authors recommend, and demonstrate, that a 3× refresh prevents Phoenix from causing bit flips in their tests, at the cost of a measured performance overhead (+~8%).

Unpatchable DRAM modules: a long-term risk depending on the threat scenarios for our various data centres or computers...

PoC
👇
github.com/comsec-group/phoeni

vulnerability.circl.lu/vuln/CV

#CyberVeille #DDR5 #DIMM #Phoenix #Hynix #Rowhammer #CVE_2025_6202

Whac-A-Mole style electronic game, with several little brown heads popping out of green holes and a red and yellow plastic toy hammer ready to strike
Frédéric Jacobs (fj)
2025-09-16

Interesting blog post by Google on their research collaboration with Antmicro and ETH Zurich on understanding and studying mitigations.

TLDR: Target Row Refresh mitigations on DDR5 don't work and can be bypassed. Cryptographic integrity is needed.

security.googleblog.com/2025/0

2025-09-15

DDR5 memory isn’t as secure as we thought. The new Phoenix attack tricks advanced defenses, flipping bits in minutes and exposing a whole new threat to data integrity. Curious how modern tech is being outsmarted?

thedefendopsdiaries.com/unders

#phoenixattack
#rowhammer
#ddr5memory
#cybersecurity
#dataintegrity
