What could be worse than a ransomware attack on your company? Only an incident that hits your company's clients, I guess. Well, that's exactly what happened to MSI, the large Taiwanese manufacturer of laptops, video adapters and motherboards. In the beginning of April, word got out that the company had been attacked by a new ransomware gang called Money Message; a while later the extortionists published a portion of the stolen information on the darknet; then, in May, researchers discovered the most disturbing aspect of the leak: private firmware-signing keys and Intel Boot Guard keys had been made public. MSI went public regarding the leak, but presented very little information, omitting the subject of keys completely. Here, we try to give you a bit more context.

Boot Guard keys, and how they protect your computer

Even before its operating system boots up, your computer performs many preparatory operations upon instructions from a motherboard chip. In the past, the mechanism was called BIOS, until it was replaced by the extensible UEFI architecture. UEFI code is stored in the firmware, but extra modules can be loaded from a special hard-drive partition. Next, UEFI boots up the operating system itself. If UEFI is maliciously modified, the operating system, user apps and all security systems start up under the control of the malicious code. The attackers are then able to circumvent all further layers of defense, including BitLocker, Secure Boot and OS-level security systems such as antivirus and EDR. Referred to as UEFI implants (or firmware bootkits), such threats are very hard to detect, and even harder to get rid of: you can't purge your PC of them even by replacing your hard drive with a brand-new one.

Computer and OS vendors have developed a variety of safeguards to make it as difficult as possible for threat actors to plant such threats. First, to update the firmware or add modules to UEFI, one needs an update package signed by the vendor: Intel BIOS Guard blocks writes to the firmware flash from untrusted software and refuses unsigned firmware images. Second, there's a hardware verification mechanism called Boot Guard. It checks the signature of the opening part of UEFI (the IBB, Initial Boot Block) and aborts the boot if the firmware has been tampered with. The root of trust for that check is not stored in the firmware at all: a hash of the vendor's Boot Guard public key is burned into one-time-programmable fuses in the chipset during manufacturing. Because those fuses can be written only once, the key cannot be deleted, rewritten or replaced with a forged one; but by the same token it cannot be revoked if the corresponding private key is compromised.

What's so dangerous about an MSI key leak?

A leak of firmware-signing keys may allow threat actors to create update utilities and rogue firmware that pass verification and can therefore be flashed onto MSI motherboards. Such keys can be revoked, so after a while (months, if not years) the problem will become irrelevant, provided legitimate updates are applied in a secure way. The situation is much worse with Boot Guard keys, since these can't be revoked. Moreover, according to Binarly, these keys are used even in some products manufactured by vendors other than MSI. This disrupts the secure-boot trust chain for all products relying on these keys, leaving device owners with no option but to ramp up third-party protective measures and keep using them until the products are retired.

Tips for MSI device users

First off, check whether your computers are affected. If you have an MSI computer or laptop, the threat is there, but computers from other vendors may also have MSI motherboards. Here's how to check:

1. Type System Information into the Windows search box to locate and run it.
2. Under System Summary, scroll down to Motherboard manufacturer or BaseBoard manufacturer.
3. If it says MSI or Micro-Star International, the threat is relevant to you.

Please note that MSI makes hundreds of products, and the leaked keys don't affect them all. The longest list of products affected by the threat is here, but we cannot attest to its completeness or accuracy. Your best bet is to err on the side of caution and proceed from the assumption that all current MSI boards can be targeted by attackers.

If you are exposed, be extremely mindful of the risk when updating proprietary utilities, drivers and firmware. Download these only from the official website www.msi.com, typing the address into the browser manually rather than following links from e-mails, messenger threads or other websites. We also recommend watching for updates on the MSI website: these shouldn't be ignored, as it's quite possible that MSI will devise a way to revoke some of the leaked keys or otherwise prevent their use. In addition, don't use an MSI computer under an administrator account for everyday work, and make sure it's equipped with reliable protection against phishing and malware.

Tips for IT administrators

The risk of UEFI implants based on the MSI leaks is partly offset by the complexity of installing them, which requires administrative access to the target computer plus a set of rather conspicuous firmware-update tools. So the issue can be mitigated by blocking these tools through group policy and by making sure that the principle of least privilege is enforced on all the computers in your organization. However, it's likely that specialized attacker tooling will appear in the future that uses the stolen keys together with enough obfuscation to conceal the firmware update. To reduce this risk, consider experimenting with detecting the leaked keys on corporate machines (for example, scanning firmware images and update packages for the corresponding public keys), a recommendation better suited to companies with threat hunters on their information-security team. Of course, the problem can also be eased through sound general practice: integrated network and endpoint protection, timely updating of business apps, and a patch-management policy.

Tips for developers

The MSI example highlights how unacceptable it is, in terms of information security and DevSecOps, to keep secrets (especially ones that are hard to rotate) on ordinary computers, either next to or inside the code that uses them. There are dedicated solutions for centralized secret management, HashiCorp Vault for example, but even small developers can afford a simple protection scheme of their own, such as an encrypted removable drive that is connected only for as long as it takes to sign and publish an app. Companies the size of MSI should keep confidential material such as app and driver signing keys, let alone firmware-signing keys, in dedicated hardware security modules (HSMs), or at least within a dedicated secure perimeter on computers fully isolated from the rest of the network.
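To make the Boot Guard trust chain and the revocation problem from the sections above concrete, here is an added example written for this digest; it is not Intel's or MSI's code. It is a deliberate simplification: real Boot Guard uses RSA or ECDSA keys and binary manifest structures, whereas this model uses ed25519 from the Go standard library and SHA-256 hashes. The fuses, the Key Manifest (KM), the Boot Policy Manifest (BPM), the IBB contents and the attacker's possession of the BPM private key are all constructed for the illustration. It plays out the four situations the article discusses: untouched firmware boots, a modified IBB is refused, a modified IBB re-signed with the leaked key is accepted, and the vendor cannot fuse a replacement key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Fuses models the chipset's one-time-programmable fuses: a hash of the OEM public key,
// written once in the factory. There is no mechanism to rewrite it.
type Fuses struct {
	oemKeyHash [32]byte
	burned     bool
}

// Burn programs the fuses; a second call fails, which is why a leaked key cannot be revoked.
func (f *Fuses) Burn(oemPub ed25519.PublicKey) error {
	if f.burned {
		return errors.New("fuses already programmed: trust anchor cannot be changed")
	}
	f.oemKeyHash, f.burned = sha256.Sum256(oemPub), true
	return nil
}

// KeyManifest (KM): the OEM key vouches for the Boot Policy Manifest key.
// BootPolicyManifest (BPM): the BPM key vouches for the hash of the Initial Boot Block.
type KeyManifest struct {
	OEMPub, BPMPub ed25519.PublicKey
	Sig            []byte // OEM signature over sha256(BPMPub)
}
type BootPolicyManifest struct {
	IBBHash [32]byte
	Sig     []byte // BPM signature over IBBHash
}

func SignKM(oemPub ed25519.PublicKey, oemPriv ed25519.PrivateKey, bpmPub ed25519.PublicKey) KeyManifest {
	h := sha256.Sum256(bpmPub)
	return KeyManifest{OEMPub: oemPub, BPMPub: bpmPub, Sig: ed25519.Sign(oemPriv, h[:])}
}

func SignBPM(bpmPriv ed25519.PrivateKey, ibb []byte) BootPolicyManifest {
	h := sha256.Sum256(ibb)
	return BootPolicyManifest{IBBHash: h, Sig: ed25519.Sign(bpmPriv, h[:])}
}

// VerifyBoot is the check performed before any firmware runs: fuses -> KM -> BPM -> IBB.
func VerifyBoot(f *Fuses, km KeyManifest, bpm BootPolicyManifest, ibb []byte) error {
	if !f.burned || sha256.Sum256(km.OEMPub) != f.oemKeyHash {
		return errors.New("KM: OEM key hash does not match the fuses")
	}
	bpmKeyHash := sha256.Sum256(km.BPMPub)
	if !ed25519.Verify(km.OEMPub, bpmKeyHash[:], km.Sig) {
		return errors.New("KM: bad OEM signature")
	}
	if !ed25519.Verify(km.BPMPub, bpm.IBBHash[:], bpm.Sig) {
		return errors.New("BPM: bad signature")
	}
	if sha256.Sum256(ibb) != bpm.IBBHash {
		return errors.New("IBB hash mismatch: firmware was modified")
	}
	return nil
}

// Outcome records the four situations discussed in the article.
type Outcome struct {
	LegitBoots           bool // untouched firmware passes
	TamperRejected       bool // modified IBB without the key is refused
	LeakedKeySigns       bool // modified IBB re-signed with the leaked BPM key is accepted
	RevocationImpossible bool // fusing a replacement OEM key fails
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func RunScenario() Outcome {
	oemPub, oemPriv := mustKey()
	bpmPub, bpmPriv := mustKey()
	var f Fuses
	_ = f.Burn(oemPub)                                        // factory provisioning
	ibb := []byte("constructed IBB: legitimate OEM firmware") // stand-in for the real boot block
	km, bpm := SignKM(oemPub, oemPriv, bpmPub), SignBPM(bpmPriv, ibb)

	var o Outcome
	o.LegitBoots = VerifyBoot(&f, km, bpm, ibb) == nil
	implant := []byte("constructed IBB: firmware with implant")
	o.TamperRejected = VerifyBoot(&f, km, bpm, implant) != nil
	// The attacker holds the leaked BPM private key and simply re-signs the implant.
	o.LeakedKeySigns = VerifyBoot(&f, km, SignBPM(bpmPriv, implant), implant) == nil
	// The vendor would like to rotate to a fresh OEM key; the fuses refuse.
	newOEMPub, _ := mustKey()
	o.RevocationImpossible = f.Burn(newOEMPub) != nil
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The design point is the last two checks: nothing in VerifyBoot distinguishes the OEM's signing operation from the attacker's, and the only anchor that could exclude the leaked key is the fuse hash, which Burn cannot change. That is why the article's advice for affected boards is containment (least privilege, blocking flashing tools, hunting for the leaked keys) rather than waiting for a revocation.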
The government-sponsored dental and oral healthcare provider warned its customers that a March attack exposed sensitive data, some of which was leaked online by the ransomware group.
Experts at Symantec observed that the operators behind the emerging Buhti ransomware have apparently abandoned their own customized malware and instead utilized the leaked versions of the LockBit and Babuk ransomware families to target both Windows and Linux operating systems. This capable threat should not be underestimated and calls for proactive defense strategies.
A database for the notorious RaidForums hacking forums has been leaked online, allowing threat actors and security researchers insight into the people who frequented the forum.
Losses to fraud reported by Britain's financial services sector exceeded $1.5 billion in 2022. So says a new study from UK Finance, a London-based trade association for Britain's banking and financial services sector.
Serenity and StartSharp Software versions prior to 6.7.1 suffer from file upload to cross site scripting, user enumeration, and reusable password reset token vulnerabilities.
Pydio Cells versions 4.1.2 and below implement the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross site scripting vulnerability.
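As an added example (not Pydio's code), the following Go program models the presigned-URL scheme the advisory describes: a SigV4-style HMAC-SHA256 signature over a download URL, a secret that the web application embedded in its client-side JavaScript, and a storage gateway that can only check that the signature matches. The access key, the secret, the host name, the object paths and the use of a response-content-disposition query parameter to switch between attachment and inline delivery are assumptions for the illustration, and the canonical request is simplified relative to real SigV4 (it omits the signed headers and payload hash).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed credentials standing in for the key pair the vulnerable app shipped in its
// JavaScript bundle. Anyone who loads the page can read LeakedSecret.
const (
	AccessKeyID  = "AKIAEXAMPLEEXAMPLE"
	LeakedSecret = "constructed-secret-lifted-from-the-js-bundle"
)

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// signingKey derives the per-day key the way SigV4 does.
func signingKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service)
	return hmacSHA256(k, "aws4_request")
}

// canonicalQuery sorts and re-encodes the query, leaving out the signature itself.
func canonicalQuery(q url.Values) string {
	var parts []string
	for k, v := range q {
		if k != "X-Amz-Signature" {
			parts = append(parts, url.QueryEscape(k)+"="+url.QueryEscape(v[0]))
		}
	}
	sort.Strings(parts)
	return strings.Join(parts, "&")
}

// computeSignature is the shared core of presigning and verification. Simplification: the
// canonical request covers method, path and query only (real SigV4 also covers the signed
// headers and a payload hash), which does not change the point made here.
func computeSignature(secret, method, path string, q url.Values) string {
	amzDate := q.Get("X-Amz-Date")
	cred := strings.Split(q.Get("X-Amz-Credential"), "/") // keyid/date/region/service/aws4_request
	if len(amzDate) < 8 || len(cred) != 5 {
		return ""
	}
	crHash := sha256.Sum256([]byte(method + "\n" + path + "\n" + canonicalQuery(q)))
	stringToSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + strings.Join(cred[1:], "/") + "\n" + hex.EncodeToString(crHash[:])
	return hex.EncodeToString(hmacSHA256(signingKey(secret, cred[1], cred[2], cred[3]), stringToSign))
}

// Presign is what the web app does in the browser with the embedded secret.
func Presign(secret, method string, u *url.URL, amzDate, region string) string {
	q := u.Query()
	q.Set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
	q.Set("X-Amz-Credential", AccessKeyID+"/"+amzDate[:8]+"/"+region+"/s3/aws4_request")
	q.Set("X-Amz-Date", amzDate)
	q.Set("X-Amz-Expires", "300")
	q.Set("X-Amz-Signature", computeSignature(secret, method, u.EscapedPath(), q))
	signed := *u
	signed.RawQuery = q.Encode()
	return signed.String()
}

// Verify is what the storage gateway does: recompute and compare. It cannot tell whether the
// signer was the application or someone who read the secret out of the JavaScript.
func Verify(secret, method, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	q := u.Query()
	want := computeSignature(secret, method, u.EscapedPath(), q)
	return want != "" && hmac.Equal([]byte(want), []byte(q.Get("X-Amz-Signature")))
}

// Demo plays out the bug: a hand-edited URL is rejected (the signature does cover the query),
// but a URL re-signed with the leaked secret for an uploaded HTML file, served inline, passes.
func Demo() (tamperRejected, forgedAccepted bool) {
	const when, region = "20230530T120000Z", "us-east-1"
	legit, _ := url.Parse("https://cells.example.com/io/shared/report.pdf?response-content-disposition=attachment")
	legitURL := Presign(LeakedSecret, "GET", legit, when, region)
	tamperRejected = !Verify(LeakedSecret, "GET", strings.Replace(legitURL, "attachment", "inline", 1))

	evil, _ := url.Parse("https://cells.example.com/io/shared/evil.html?response-content-disposition=inline")
	forgedAccepted = Verify(LeakedSecret, "GET", Presign(LeakedSecret, "GET", evil, when, region))
	return tamperRejected, forgedAccepted
}

func main() {
	fmt.Println(Demo())
}
```

The takeaway is that a presigned URL is a capability token: it is exactly as strong as the secrecy of the signing key. Once the key ships to the browser, every client is a signer, and the gateway has no second factor to fall back on. The fix is to sign on the server (or via a short-lived credential issued per user), never from client-side code.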
Pydio Cells versions 4.1.2 and below suffer from a privilege escalation vulnerability. It allows users, by default, to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.
PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.
Ubuntu Security Notice 6121-1 - It was discovered that Nanopb incorrectly handled certain decode messages. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. It was discovered that Nanopb incorrectly handled certain decode messages. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 6120-1 - Several security issues were discovered in the SpiderMonkey JavaScript library. If a user were tricked into opening malicious JavaScript applications or processing malformed data, a remote attacker could exploit a variety of issues related to JavaScript security, including denial of service attacks, and arbitrary code execution.
Ubuntu Security Notice 6119-1 - Matt Caswell discovered that OpenSSL incorrectly handled certain ASN.1 object identifiers. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. Anton Romanov discovered that OpenSSL incorrectly handled AES-XTS cipher decryption on 64-bit ARM platforms. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04.
Ubuntu Security Notice 6111-1 - It was discovered that Flask incorrectly handled certain data responses. An attacker could possibly use this issue to expose sensitive information.
Ubuntu Security Notice 6115-1 - Max Chernoff discovered that LuaTeX did not properly disable shell escape. An attacker could possibly use this issue to execute arbitrary shell commands.
Ubuntu Security Notice 6116-1 - It was discovered that hawk incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6114-1 - Yeting Li discovered that nth-check incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6113-1 - It was discovered that Jhead did not properly handle certain crafted images while processing the Exif markers. An attacker could possibly use this issue to crash Jhead, resulting in a denial of service.
Gentoo Linux Security Advisory 202305-33 - Multiple vulnerabilities have been found in OpenImageIO, the worst of which could result in arbitrary code execution. Versions prior to 2.4.6.0 are affected.
Gentoo Linux Security Advisory 202305-35 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions prior to 102.10.0 in the esr slot are affected.
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebKitGTK+, the worst of which could result in arbitrary code execution. Versions prior to 2.40.1 are affected.
A new open source remote access trojan (RAT) called DogeRAT targets Android users primarily located in India as part of a sophisticated malware campaign. The malware is distributed via social media and messaging platforms under the guise of legitimate applications like Opera Mini, OpenAI ChatGOT, and Premium versions of YouTube, Netflix, and Instagram. "Once installed on a victim's device, the
Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week. The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year,
Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic. "Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created," Trend Micro said in a report published last week. "These
In this day and age, vulnerabilities in software and systems pose a considerable danger to businesses, which is why it is essential to have an efficient vulnerability management program in place. To stay one step ahead of possible breaches and reduce the damage they may cause, it is crucial to automate the process of finding and fixing vulnerabilities depending on the level of danger they pose.