Security


Code found online exploits LogoFAIL to install Bootkitty Linux backdoor

Normally, Secure Boot prevents the UEFI from running all subsequent files unless they bear a digital signature certifying those files are trusted by the device maker. The exploit bypasses this protection by injecting shellcode stashed in a malicious bitmap image displayed by the UEFI during the boot-up process. The injected code installs a cryptographic key that digitally signs a malicious GRUB file along with a backdoored image of the Linux kernel, both of which run during later stages of the boot process on Linux machines.

The silent installation of this key induces the UEFI to treat the malicious GRUB and kernel image as trusted components, and thereby bypass Secure Boot protections. The final result is a backdoor slipped into the Linux kernel before any other security defenses are loaded.

Diagram illustrating the execution flow of the LogoFAIL exploit Binarly found in the wild. Credit: Binarly

In an online interview, HD Moore, CTO and co-founder at runZero and an expert in firmware-based malware, explained the Binarly report this way:

The Binarly paper points to someone using the LogoFAIL bug to configure a UEFI payload that bypasses secure boot (firmware) by tricking the firmware into accepting their self-signed key (which is then stored in the firmware as the MOK variable). The evil code is still limited to the user-side of UEFI, but the LogoFAIL exploit does let them add their own signing key to the firmware’s allow list (but does not infect the firmware in any way otherwise).

It’s still effectively a GRUB-based kernel backdoor versus a firmware backdoor, but it does abuse a firmware bug (LogoFAIL) to allow installation without user interaction (enrolling, rebooting, then accepting the new MOK signing key).

In a normal secure boot setup, the admin generates a local key, uses this to sign their updated kernel/GRUB packages, tells the firmware to enroll the key they made, then after reboot, the admin has to accept this new key via the console (or remotely via bmc/ipmi/ilo/drac/etc bios console).

In this setup, the attacker can replace the known-good GRUB + kernel with a backdoored version by enrolling their own signing key without user interaction via the LogoFAIL exploit, but it’s still effectively a GRUB-based bootkit, and doesn’t get hardcoded into the BIOS firmware or anything.

Machines vulnerable to the exploit include some models sold by Acer, HP, Fujitsu, and Lenovo when they ship with a UEFI developed by manufacturer Insyde and run Linux. Evidence found in the exploit code indicates the exploit may be tailored for specific hardware configurations of such machines. Insyde issued a patch earlier this year that prevents the exploit from working. Unpatched devices remain vulnerable. Devices from these manufacturers that use non-Insyde UEFIs aren’t affected.


Found in the wild: The world’s first unkillable UEFI bootkit for Linux

Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines.

Researchers at security firm ESET said Wednesday that Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.

The ASCII logo that Bootkitty is capable of rendering. Credit: ESET

Be prepared

Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines.

“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.”

A rootkit is a piece of malware that runs in the deepest regions of the operating system it infects. It leverages this strategic position to hide information about its presence from the operating system itself. A bootkit, meanwhile, is malware that infects the boot-up process in much the same way. Bootkits for the UEFI—short for Unified Extensible Firmware Interface—lurk in the chip-resident firmware that runs each time a machine boots. These sorts of bootkits can persist indefinitely, providing a stealthy means for backdooring the operating system even before it has fully loaded and enabled security defenses such as antivirus software.

The bar for installing a bootkit is high. An attacker first must gain administrative control of the targeted machine, either through physical access while it’s unlocked or somehow exploiting a critical vulnerability in the OS. Under those circumstances, attackers already have the ability to install OS-resident malware. Bootkits, however, are much more powerful since they (1) run before the OS does and (2) are, at least practically speaking, undetectable and unremovable.


QNAP firmware update leaves NAS owners locked out of their boxes

A recent firmware pushed to QNAP network attached storage (NAS) devices left a number of owners unable to access their storage systems. The company has pulled back the firmware and issued a fixed version, but the company’s response has left some users feeling less confident in the boxes into which they put all their digital stuff.

As seen on a QNAP community thread, and as announced by QNAP itself, the QNAP operating system, QTS, received update 5.2.2.2950, build 20241114, at some point around November 19. After QNAP “received feedbacks from some users reporting issues with device functionality after installation,” the firm says it withdrew it, “conducted a comprehensive investigation,” and re-released a fixed version “within 24 hours.”

The community thread sees many more users of different systems having problems than the shortlist (“limited models of TS-x53D series and TS-x51 series”) released by QNAP. Issues reported included owners being rejected as an authorized user, devices reporting issues with booting, and claims of Python not being installed to run some apps and services.

QNAP says affected users can either downgrade their devices (presumably to then upgrade once more to the fixed update) or contact support for help. Response from QNAP support, as told by users on forums and social media, has not measured up to the nature of losing access to an entire backup system.


Spies hack Wi-Fi networks in far-off land to launch attack on target next door

While stalking its target, GruesomeLarch performed credential-stuffing attacks that compromised the passwords of several accounts on a web service platform used by the organization’s employees. Two-factor authentication enforced on the platform, however, prevented the attackers from compromising the accounts.

So GruesomeLarch found devices in physically adjacent locations, compromised them, and used them to probe the target’s Wi-Fi network. It turned out credentials for the compromised web services accounts also worked for accounts on the Wi-Fi network, only no 2FA was required.

Adding further flourish, the attackers hacked one of the neighboring Wi-Fi-enabled devices by exploiting what in early 2022 was a zero-day vulnerability in the Microsoft Windows Print Spooler.


The 2022 hack demonstrates how a single faulty assumption can undo an otherwise effective defense. For whatever reason—likely an assumption that 2FA on the Wi-Fi network was unnecessary because attacks required close proximity—the target deployed 2FA on the Internet-connecting web services platform (Adair isn’t saying what type) but not on the Wi-Fi network. That one oversight ultimately torpedoed a robust security practice.

Advanced persistent threat groups like GruesomeLarch—a part of the much larger GRU APT with names including Fancy Bear, APT28, Forrest Blizzard, and Sofacy—excel in finding and exploiting these sorts of oversights.

Volexity’s post describing the 2022 attack provides plenty of technical details about the compromise on the many links in this sophisticated daisy chain attack flow. There’s also useful advice for protecting networks against these sorts of compromises.


Microsoft president asks Trump to “push harder” against Russian hacks

Smith testified before the US Senate in September that Russia, China, and Iran had stepped up their digital efforts to interfere in global elections this year, including in the US.

However, Microsoft’s own security standards have come under fire in recent months. A damning report by the US Cyber Safety Review Board in March said its security culture was “inadequate,” pointing to a “cascade… of avoidable errors” that last year allowed Chinese hackers to access hundreds of email accounts, including those belonging to senior US government security officials, that were hosted on Microsoft’s cloud systems.

Microsoft chief executive Satya Nadella has said in response that the company would prioritize security “above all else,” including by tying staff remuneration to security.

The company is also making changes to its Windows operating system to help its customers recover more quickly from incidents such as July’s global IT outage caused by CrowdStrike’s botched security update.

Beyond cyber security, Smith said it was “a little early” to determine the precise impact of a second Trump administration on the technology industry. Any anticipated liberalization of M&A regulation in the US would have to be weighed up against continued scrutiny of dealmaking in other parts of the world, he said.

Smith also reiterated his plea for the US government to “help accelerate exports of key American digital technologies,” especially to the Middle East and Africa, after the Biden administration imposed export controls on AI chips, fearing the technology could leak to China.

“We really need now to standardize processes so that American technology can reach these other parts of the world as fast as Chinese technology,” he said.

© 2024 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.


Law enforcement operation takes down 22,000 malicious IP addresses worldwide

An international coalition of police agencies has taken a major whack at criminals accused of running a host of online scams, including phishing, the stealing of account credentials and other sensitive data, and the spreading of ransomware, Interpol said recently.

The operation, which ran from the beginning of April through the end of August, resulted in the arrest of 41 people and the takedown of 1,037 servers and other infrastructure running on 22,000 IP addresses. Synergia II, as the operation was named, was the work of multiple law enforcement agencies across the world, as well as three cybersecurity organizations.

A global response

“The global nature of cybercrime requires a global response which is evident by the support member countries provided to Operation Synergia II,” Neal Jetton, director of the Cybercrime Directorate at INTERPOL, said. “Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime. INTERPOL is proud to bring together a diverse team of member countries to fight this ever-evolving threat and make our world a safer place.”

Among the highlights of Operation Synergia II were:

Hong Kong (China): Police supported the operation by taking offline more than 1,037 servers linked to malicious services.

Mongolia: Investigations included 21 house searches, the seizure of a server and the identification of 93 individuals with links to illegal cyber activities.

Macau (China): Police took 291 servers offline.

Madagascar: Authorities identified 11 individuals with links to malicious servers and seized 11 electronic devices for further investigation.

Estonia: Police seized more than 80GB of server data, and authorities are now working with INTERPOL to conduct further analysis of data linked to phishing and banking malware.

The three private cybersecurity organizations that were part of Operation Synergia II were Group-IB, Kaspersky, and Team Cymru. All three used the telemetry intelligence in their possession to identify malicious servers and made it available to participating law enforcement agencies. The law enforcement agencies conducted investigations that resulted in house searches, the disruption of malicious cyber activities, the lawful seizures of servers and other electronic devices, and arrests.


Suspect arrested in Snowflake data-theft attacks affecting millions

Attack path UNC5537 has used in attacks against as many as 165 Snowflake customers. Credit: Mandiant

None of the affected accounts used multifactor authentication, which requires users to provide a one-time password or additional means of authentication besides a password. After that revelation, Snowflake enforced mandatory MFA for accounts and required that passwords be at least 14 characters long.

Mandiant had identified the threat group behind the breaches as UNC5537. The group has referred to itself as ShinyHunters. Snowflake offers its services under a model known as SaaS (software as a service).

“UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024,” Mandiant wrote in an emailed statement. “In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”

Mandiant said a co-conspirator, John Binns, was arrested in June. The status of that case wasn’t immediately known.

Besides Ticketmaster, other customers known to have been breached include AT&T and Spain-based bank Santander. In July, AT&T said that personal information and phone and text message records for roughly 110 million customers were stolen. WIRED later reported that AT&T paid $370,000 in return for a promise the data would be deleted.

Other Snowflake customers reported by various news outlets as breached are Pure Storage, Advance Auto Parts, Los Angeles Unified School District, QuoteWizard/LendingTree, Neiman Marcus, Anheuser-Busch, Allstate, Mitsubishi, and State Farm.

KrebsOnSecurity reported Tuesday that Moucka has been named in multiple charging documents filed by US federal prosecutors. Reporter Brian Krebs said specific charges and allegations are unknown because the cases remain sealed.


Hundreds of code libraries posted to NPM try to install malware on dev machines

The IP address returned by a package Phylum analyzed was: hxxp://193.233.201[.]21:3001.

While the method was likely intended to conceal the source of second-stage infections, it ironically had the effect of leaving a trail of previous addresses the attackers had used in the past. The researchers explained:

An interesting thing about storing this data on the Ethereum blockchain is that Ethereum stores an immutable history of all values it has ever seen. Thus, we can see every IP address this threat actor has ever used.

On 2024-09-23 00:55:23Z it was hxxp://localhost:3001

From 2024-09-24 06:18:11Z it was hxxp://45.125.67[.]172:1228

From 2024-10-21 05:01:35Z it was hxxp://45.125.67[.]172:1337

From 2024-10-22 14:54:23Z it was hxxp://193.233[.]201.21:3001

From 2024-10-26 17:44:23Z it is hxxp://194.53.54[.]188:3001

When installed, the malicious packages come in the form of a packed Vercel package. The payload runs in memory, sets itself to load with each reboot, and connects to the IP address from the Ethereum contract. It then “performs a handful of requests to fetch additional Javascript files and then posts system information back to the same requesting server,” the Phylum researchers wrote. “This information includes information about the GPU, CPU, the amount of memory on the machine, username, and OS version.”

Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package was inadvertently misspelled. Typosquatting has long been a tactic for luring people to malicious websites. Over the past five years, typosquatting has been embraced to trick developers into downloading malicious code libraries.

Developers should always double-check names before running downloaded packages. The Phylum blog post provides names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.


Here are 3 science-backed strategies to rein in election anxiety

In this scenario, I encourage my patients to move past that initial thought of how awful it will be and instead consider exactly how they will respond to the inauguration, the next day, week, month, and so on.

Cognitive flexibility allows you to explore how you will cope, even in the face of a negative outcome, helping you feel a bit less out of control. If you’re experiencing a lot of anxiety about the election, try thinking through what you’d do if the undesirable candidate takes office—thoughts like “I’ll donate to causes that are important to me” and “I’ll attend protests.”

Choose your actions with intention

Another tool for managing your anxiety is to consider whether your behaviors are affecting how you feel.

Remember, for instance, the goal of 24-hour news networks is to increase ratings. It’s in their interest to keep you riveted to your screens by making it seem like important announcements are imminent. As a result, it may feel difficult to disconnect and take part in your usual self-care behavior.

Try telling yourself, “If something happens, someone will text me,” and go for a walk or, better yet, to bed. Keeping up with healthy habits can help reduce your vulnerability to uncontrolled anxiety.

Post-Election Day, you may continue to feel drawn to the news and motivated to show up—whether that means donating, volunteering, or protesting—for a variety of causes you think will be affected by the election results. Many people describe feeling guilty if they say no or disengage, leading them to overcommit and wind up overwhelmed.

If this sounds like you, try reminding yourself that taking a break from politics to cook, engage with your family or friends, get some work done, or go to the gym does not mean you don’t care. In fact, keeping up with the activities that fuel you will give you the energy to contribute to important causes more meaningfully.

Shannon Sauer-Zavala, Associate Professor of Psychology & Licensed Clinical Psychologist, University of Kentucky. This article is republished from The Conversation under a Creative Commons license. Read the original article.


As North Korean troops march toward Ukraine, does a Russian quid pro quo reach space?

Earlier this week, North Korea apparently completed a successful test of its most powerful intercontinental ballistic missile, lofting it nearly 4,800 miles into space before the projectile fell back to Earth.

This solid-fueled, multi-stage missile, named the Hwasong-19, is a new tool in North Korea’s increasingly sophisticated arsenal of weapons. It has enough range—perhaps as much as 9,320 miles (15,000 kilometers), according to Japan’s government—to strike targets anywhere in the United States.

The test flight of the Hwasong-19 on Thursday was North Korea’s first test of a long-range missile in nearly a year, coming as North Korea deploys some 10,000 troops inside Russia just days before the US presidential election. US officials condemned the missile launch as a “provocative and destabilizing” action in violation of UN Security Council resolutions.

The budding partnership between Russia and North Korea has evolved for several years. Russian President Vladimir Putin has met with North Korean leader Kim Jong Un on multiple occasions, most recently in Pyongyang in June. Last September, the North Korean dictator visited Putin at the Vostochny Cosmodrome, Russia’s newest launch base, where the leaders inspected hardware for Russia’s Angara rocket.

In this photo distributed by North Korean state media, a Hwasong-19 missile fires out of a launch tube somewhere in North Korea on October 31, 2024. Credit: KCNA

The visit to Vostochny fueled speculation that Russia might provide missile and space technology to North Korea in exchange for Kim’s assistance in the fight against Ukraine. This week, South Korea’s defense minister said his government has identified several areas where North Korea likely seeks help from Russia.

“In exchange for their deployment, North Korea is very likely to ask for technology transfers in diverse areas, including the technologies relating to tactical nuclear weapons technologies related to their advancement of ICBMs, also those regarding reconnaissance satellites and those regarding SSBNs [ballistic missile submarines] as well,” said Kim Yong-hyun, South Korea’s top military official, on a visit to Washington.


Thousands of hacked TP-Link routers used in years-long account takeover attacks

Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday.

The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malware on port 7777.

Account compromise at scale

In July and again in August of this year, security researchers from Serbia and Team Cymru reported the botnet was still operational. All three reports said that Botnet-7777 was being used to skillfully perform password spraying, a form of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device limits the login attempts, the carefully coordinated account-takeover campaign is hard to detect by the targeted service.

On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” because the botnet—now estimated at about 8,000 strong on average—takes pains to conceal the malicious activity.

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.

Some of the characteristics that make detection difficult are:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.
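As an added example, not code from Microsoft’s report or any of the sources cited above: the Python below runs over a constructed sign-in log and shows why a per-IP or per-account failure threshold misses this pattern, and how a tenant-wide rule over distinct accounts and distinct source IPs per time window catches it. The log format, thresholds and function names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for one tenant (not real telemetry).
# Format per line: "<UTC timestamp> <account> <source IP> <result>"
# The first ten lines model one spray pass: ten accounts, one failure
# each, from ten different addresses. The rest is ordinary user activity.
SAMPLE_LOG = """\
2024-10-31T08:00:01Z alice@example.test 203.0.113.10 failure
2024-10-31T08:03:12Z bob@example.test 203.0.113.11 failure
2024-10-31T08:07:45Z carol@example.test 198.51.100.20 failure
2024-10-31T08:11:30Z dave@example.test 198.51.100.21 failure
2024-10-31T08:15:02Z erin@example.test 192.0.2.30 failure
2024-10-31T08:19:48Z frank@example.test 192.0.2.31 failure
2024-10-31T08:23:11Z grace@example.test 203.0.113.12 failure
2024-10-31T08:27:59Z heidi@example.test 198.51.100.22 failure
2024-10-31T08:31:40Z ivan@example.test 192.0.2.32 failure
2024-10-31T08:35:05Z judy@example.test 203.0.113.13 failure
2024-10-31T08:40:00Z alice@example.test 10.0.0.5 failure
2024-10-31T08:40:20Z alice@example.test 10.0.0.5 success
2024-10-31T09:10:00Z bob@example.test 10.0.0.6 success
2024-10-31T09:12:00Z carol@example.test 10.0.0.7 failure
2024-10-31T09:12:30Z carol@example.test 10.0.0.7 success
"""

EPOCH = datetime(1970, 1, 1)


def parse_events(text):
    """Parse the four-field log format above into a list of dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, ip, result = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": when, "account": account, "ip": ip, "result": result})
    return events


def per_source_alerts(events, max_failures=5):
    """Classic brute-force rule: flag any single IP or account with many failures.
    Against a distributed low-volume spray this finds nothing."""
    by_ip, by_account = defaultdict(int), defaultdict(int)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]] += 1
            by_account[e["account"]] += 1
    return ({ip for ip, n in by_ip.items() if n > max_failures},
            {a for a, n in by_account.items() if n > max_failures})


def spray_alerts(events, window_minutes=60, min_accounts=8, min_ips=8,
                 max_failures_per_ip=2):
    """Tenant-wide rule: within one window, many distinct accounts fail from many
    distinct source IPs while no single IP contributes more than a few failures.
    That shape is the spray itself, not any one of its parts."""
    width = timedelta(minutes=window_minutes)
    windows = defaultdict(list)           # window index -> failure events
    for e in events:
        if e["result"] == "failure":
            windows[(e["ts"] - EPOCH) // width].append(e)
    alerts = []
    for idx, fails in sorted(windows.items()):
        per_ip = defaultdict(int)
        for e in fails:
            per_ip[e["ip"]] += 1
        accounts = {e["account"] for e in fails}
        if (len(accounts) >= min_accounts and len(per_ip) >= min_ips
                and max(per_ip.values()) <= max_failures_per_ip):
            alerts.append({"window_start": EPOCH + idx * width,
                           "accounts": len(accounts), "ips": len(per_ip),
                           "failures": len(fails)})
    return alerts
```

On the sample log the per-source rule returns nothing, while the window rule flags the 08:00 hour with ten accounts and eleven source addresses; in production the thresholds would be tuned against the tenant’s normal failure rate and the 90-day node lifetime noted above means the IP set itself is not a stable indicator.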
