This week
BlackLotus UEFI rootkit
- Researchers from ESET announced on Wednesday that they’ve identified malware that’s able to circumvent Secure Boot. The malware targets UEFI (Unified Extensible Firmware Interface) — the code that runs when you first power your computer — and can disable advanced protections built into the most recent versions of Microsoft Windows.
- To be successful, the attackers first need administrator access to the device; Secure Boot is then circumvented by exploiting CVE-2022-21894, a vulnerability in validly signed Windows boot binaries that Microsoft patched in January 2022 but whose vulnerable versions have not been added to the UEFI revocation list (DBX), so firmware will still load them. Because the bootkit runs during the UEFI boot phase, before the operating system and its security tooling start, it is invisible to typical security tools and has privileged access to all of the device's functions.
- Previous UEFI malware could be thwarted by enabling Secure Boot; BlackLotus bypasses that control, though it does not currently persist after reinstalling the operating system. In future, I'd expect to see this change, making it difficult to remove an infection (the type of persistent access that intelligence agencies covet). This technique may prove attractive to ransomware gangs, who could hold the devices hostage, forcing victims to decide between paying up and replacing their entire fleet of devices.
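Because the bypass works by loading boot binaries that are validly signed but vulnerable, the practical check for a fleet is whether each machine's forbidden-signature database (dbx) actually revokes those binaries. The following is an added example, not ESET's or Microsoft's code: it parses a dbx dump in the UEFI EFI_SIGNATURE_LIST format and answers "is this bootloader hash revoked?". It goes slightly beyond the item above in that it handles any signature-list type, not only SHA-256 entries. The blob and the hashes in it are constructed for the demo; the real revocation hashes for CVE-2022-21894 are not reproduced here, and the owner GUID is made up.

```python
"""Check whether a boot binary's hash is revoked in a UEFI Secure Boot dbx.

Added example (not ESET's or Microsoft's code).  A dbx is a sequence of
EFI_SIGNATURE_LIST structures from the UEFI spec; SHA-256 entries in it are
Authenticode PE hashes of the revoked binaries, not flat hashes of the file
bytes.  SAMPLE_DBX below is a constructed blob, not a real revocation list.
"""
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs defined by the UEFI spec.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, [signature_data, ...]) for each list in the blob.

    Sizes are validated against the buffer so a truncated or malformed dump
    raises instead of silently yielding a partial (and therefore wrong) answer.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= _OWNER_LEN:
            raise ValueError(f"SignatureSize {sig_size} cannot hold owner GUID plus data")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of signatures")
        sigs = [body[i + _OWNER_LEN: i + sig_size] for i in range(0, len(body), sig_size)]
        yield uuid.UUID(bytes_le=raw_type), sigs
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> set[str]:
    """All SHA-256 (Authenticode) hashes the dbx forbids, as lowercase hex."""
    hashes: set[str] = set()
    for sig_type, sigs in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            hashes.update(s.hex() for s in sigs)
    return hashes


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the Authenticode SHA-256 hash of a boot binary appears in the dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)


def strip_efivars_header(data: bytes) -> bytes:
    """Linux's /sys/firmware/efi/efivars/dbx-* files prefix the variable with 4 attribute bytes."""
    return data[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; every entry in a list must be the same size."""
    if any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = _OWNER_LEN + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


# --- constructed sample data: made-up owner GUID and hashes, not real revocations ---
_DEMO_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
REVOKED_DEMO_HASH = hashlib.sha256(b"demo: vulnerable signed bootmgfw.efi").digest()
OTHER_DEMO_HASH = hashlib.sha256(b"demo: another revoked boot binary").digest()
CLEAN_DEMO_HASH = hashlib.sha256(b"demo: patched bootmgfw.efi").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, _DEMO_OWNER, [REVOKED_DEMO_HASH, OTHER_DEMO_HASH])
    + build_signature_list(EFI_CERT_X509_GUID, _DEMO_OWNER, [b"\x30\x82demo-DER-certificate"])
)

if __name__ == "__main__":
    # usage: python dbx_check.py <dbx dump> <authenticode sha256 hex> [--efivars]
    raw = open(sys.argv[1], "rb").read()
    if "--efivars" in sys.argv[3:]:
        raw = strip_efivars_header(raw)
    print("revoked" if is_revoked(raw, sys.argv[2]) else "NOT revoked")
```

To run it against a real machine, dump the variable first: on Windows `(Get-SecureBootUEFI -Name dbx).Bytes`, on Linux the `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` file under `/sys/firmware/efi/efivars/` with `--efivars` to drop the attribute prefix. The hash you pass must be the Authenticode hash of the PE as produced by a PE-aware tool such as pesign; `sha256sum` of the file will never match a dbx entry.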
The FBI is buying location data, avoiding getting a warrant
- The Federal Bureau of Investigation has admitted that it has previously purchased location data on people in the US, rather than following the process of obtaining a warrant for the information, in a move that privacy experts say is 'deeply problematic'.
- A previous Supreme Court ruling determined that the government obtaining location data without a warrant violates the Fourth Amendment's guarantee against unreasonable searches. Buying the same data from commercial sources (typically brokers and advertisers who hoover it up from free apps) is a loophole that lets the FBI, and other government agencies, acquire information they would otherwise not 'lawfully' be able to obtain without a warrant.
Interesting stats
People are better at identifying misinformation if you offer them a small incentive: participants in a control group correctly judged 10.4 of 16 headlines as true or misinformation, rising to 11 of 16 when a minimal payment incentive was offered, according to researchers from the University of Cambridge.
Other newsy bits
- DC Health Link: Sensitive personal information of members of Congress and their families may have been exposed after the DC Health Link health insurance marketplace appears to have been compromised. Details of '170,000' DC Health Link customers were put up for sale on a cybercrime forum. It's unclear how the organisation was compromised.
- Cerebral: Telehealth start-up Cerebral is notifying customers that it 'disclosed' personal and health-assessment data to advertisers including Google, Facebook and TikTok through tracking code embedded in the company's website.
- AT&T breach: AT&T is notifying nine million customers that information about their wireless plans was compromised in an incident at one of the American telco's marketing partners.
- Acronis breach: Data protection vendor Acronis says 12GB of data was taken from a single customer's environment using stolen credentials, and that none of its products or services is affected.
- Emotet back: The notorious Emotet botnet has resumed sending malicious email after a three-month break.
- AI voice scams: Scammers are using artificial intelligence voice synthesis to defraud older people of their savings. In the WSJ's write-up, the scam centred on calling parents with a voice mimicking their child, claiming they had been arrested, had their phone confiscated and needed money to make bail.
- LLaMA on the loose: This week Meta's LLaMA large language model was leaked to an online forum. The model, which had been shared with AI researchers on a case-by-case basis, is similar to the one that powers OpenAI's popular ChatGPT. Access to the underlying weights lets technically proficient actors fine-tune the output and strip out any safeguards against generating harmful content.
- Veeam vulnerability: An issue in Veeam's Backup & Replication service (CVE-2023-27532) allows unauthenticated users to request encrypted credentials from the backup server and so gain unauthorised access to backup infrastructure.
- Fortinet vulnerability: A critical, unauthenticated remote code execution (RCE) vulnerability in Fortinet's FortiOS and FortiProxy software, CVE-2023-25610, scores 9.3/10. It is a buffer underflow in the administrative interface that may allow a remote attacker to execute arbitrary code or crash the device using crafted requests.
- SonicWall: Mandiant researchers say suspected Chinese attackers are exploiting SonicWall Secure Mobile Access 100 devices using malware that also copies itself into firmware updates as they are applied, helping it maintain long-term persistence.
- Per-plex'd: CISA has added a three-year-old vulnerability in Plex Media Server to its list of known exploited vulnerabilities. CVE-2020-5741 is a remote code execution issue that allows a remote, authenticated attacker to execute arbitrary Python code. The bug appears to match the description of what LastPass says was used to compromise a senior engineer's home network in its most recent data breach.
- NetWire RAT: The suspected administrator of the NetWire remote access trojan has been arrested, and its domain and web server have been seized, in a global law enforcement operation.
- DoppelPaymer arrests: Two people believed to be core members of the DoppelPaymer ransomware gang have been arrested in Germany and Ukraine. German police say the group has been responsible for 601 attacks since 2019, including one against the University Hospital in Düsseldorf that is believed to have led to the first death attributed to a ransomware attack.
- Ransomware: The 819-bed Hospital Clínic de Barcelona has fallen victim to the RansomHouse group. The attack targeted the hospital's virtual machine infrastructure and is causing severe disruption.
- XLL add-ins: Microsoft is now blocking XLL add-ins from untrusted locations in Excel by default. The roll-out of the change is expected to complete by the end of March.
- Blackbaud settlement: Customer relationship management software vendor Blackbaud has agreed to a $3 million settlement with the US Securities and Exchange Commission for failing to disclose the severity of data loss during a 2020 ransomware attack (vol. 3, iss. 30). The attack affected thousands of Blackbaud's customers, including schools, universities and nonprofits. It happened in May and was disclosed in July; however, the SEC found that Blackbaud "failed to disclose the full impact of a ransomware attack despite its personnel learning that earlier public statements about the attack were erroneous" until a September SEC filing, due to a lack of procedures and controls for escalating that information.
- Aviation regulation: The US Transportation Security Administration has issued rules for airports and aircraft operators to improve cyber security within the sector. Building on existing requirements (to appoint a named contact, complete a vulnerability assessment and develop an incident response plan), those affected must now implement better controls to prevent unauthorised access, patch systems, and monitor systems for malicious activity.
- Cyber stress test: The European Central Bank is to run a cyber resilience exercise with the eurozone banks it directly supervises. The exercise, due to be completed next year, will require participants to demonstrate how they would respond and maintain service if the financial system were compromised.
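The Plex item above says the bug lets an attacker "execute arbitrary Python code"; the published description of CVE-2020-5741 classes it as deserialisation of untrusted data, which is the usual way a Python service ends up running attacker-supplied code. The following is an added example, not Plex's or LastPass's code: it shows the generic mechanism with Python's own pickle format, the vulnerable `pickle.loads` pattern beside the allow-listing unpickler that refuses it. PAYLOAD is a constructed attacker object that is harmless here (it only evaluates an expression returning the current process ID), but the same hook would call `os.system` just as readily.

```python
"""Why 'deserialise untrusted data' means 'execute attacker code' in Python,
and the restricted loader that stops it.

Added example, not Plex's code.  PAYLOAD is a constructed malicious pickle;
LEGIT is a constructed benign one.
"""
import builtins
import io
import os
import pickle


class _AttackerObject:
    """Pickle stores objects as 'callable + args' to rebuild them on load.

    Whoever produced the bytes controls that callable, so loading the data
    becomes 'please call eval() for me'.  The class itself is never needed
    by the loader: only (eval, args) ends up in the stream.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


PAYLOAD = pickle.dumps(_AttackerObject())  # constructed attacker-supplied bytes
LEGIT = pickle.dumps({"title": "Holiday", "tags": ["beach"], "ids": range(3)})


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads on bytes an attacker supplied."""
    return pickle.loads(data)


# The pickle documentation's own allow-list of builtins that are safe to rebuild.
_SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list which globals a pickle may resolve; everything else is refused
    before any constructor or function is called."""

    def find_class(self, module, name):
        if module == "builtins" and name in _SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_load_runs_attacker_code() -> bool:
    """True when loading PAYLOAD actually executed the embedded expression."""
    return unsafe_loads(PAYLOAD) == os.getpid()


def restricted_load_blocks_payload() -> bool:
    """True when RestrictedUnpickler refuses PAYLOAD instead of running it."""
    try:
        safe_loads(PAYLOAD)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("pickle.loads ran attacker code:", unsafe_load_runs_attacker_code())
    print("RestrictedUnpickler blocked it:", restricted_load_blocks_payload())
    print("legitimate data still loads:", safe_loads(LEGIT))
```

The allow-list approach only narrows the blast radius; where the data format is under your control, a schema-checked format such as JSON removes the problem entirely, because nothing in it can name a callable.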
And finally
- Flipping out: Brazil is seizing imports of hacker device Flipper Zero, the ‘multi-tool for geeks’, partly over fears the devices can be used for criminal purposes.