Infosec in brief Protecting computer BIOS and the boot process is essential to modern security, but knowing it’s important isn’t the same as taking steps to do so.
Take, for example, the study published last week by researchers at firmware security vendor Binarly. They found that hundreds of PC models sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo, and Supermicro, as well as components sold by Intel, were using what appears to be a 12-year-old test platform key (PK), leaked in 2022, as the root of trust for their UEFI Secure Boot implementations.
“An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the key exchange key database, signature database, and forbidden signature database,” Binarly’s researchers wrote.
And it is not as if the manufacturers shipping the offending PK had no way of knowing it was unreliable and never intended for use outside the lab: the warning is written into the certificate itself.
“These test keys have strong indications that they are not trusted,” Binarly noted. “For example, the certificate issuer contains the strings ‘DO NOT TRUST’ or ‘DO NOT SHIP.’”
According to Binarly, more than ten percent of the firmware images in its dataset are vulnerable to exploitation with the rogue PK, which originated with American Megatrends International (AMI), likely as early as May 2012. The researchers call it “one of the most enduring [supply chain vulnerabilities] of its kind.”
An attacker holding the private half of that PK could execute untrusted code during boot even with Secure Boot enabled: the PK authorizes changes to the key exchange key (KEK) database, and a KEK of the attacker’s choosing in turn authorizes whatever entries they like in the allowed (db) and forbidden (dbx) signature databases.
“This compromises the entire security chain, from firmware to operating system,” Binarly added.
Binarly has released a free scanning tool to check systems for the problem, which it calls “PKfail.” Running it is a smart move, but the fix has to come from the device manufacturers: only a firmware update that replaces the test PK with a properly generated, vendor-controlled one closes the hole.
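A first-pass check you can run yourself on a Linux box, as an added example that is not Binarly’s scanner and not part of the original article: read the PK variable from efivarfs, walk its EFI_SIGNATURE_LIST entries, and look for the “DO NOT TRUST” / “DO NOT SHIP” strings in any X.509 entry. The variable path, the EFI_SIGNATURE_LIST layout and the 4-byte efivarfs attribute prefix are from the UEFI specification and the Linux kernel; the sample PK blobs, the owner GUID and the `fake_der_cert` stand-in for a certificate are constructed for this example.

```python
"""Scan a UEFI Secure Boot Platform Key (PK) for AMI test-key markers.

Added example, not Binarly's tool. Sample data below is constructed.
"""
import struct
import uuid

# EFI_CERT_X509_GUID: signature type for DER-encoded X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Where efivarfs exposes the PK on Linux (EFI_GLOBAL_VARIABLE GUID).
PK_EFIVAR_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Strings reported in the issuer of the leaked AMI test certificate.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all UINT32, little-endian).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_GUID_LEN = 16


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data)] for every EFI_SIGNATURE_DATA
    entry in a concatenation of EFI_SIGNATURE_LISTs (the PK/KEK/db format)."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < _LIST_HDR.size or end > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < _OWNER_GUID_LEN:
            raise ValueError("SignatureSize smaller than the owner GUID")
        sig_type = uuid.UUID(bytes_le=type_raw)      # EFI GUIDs are mixed-endian
        pos = off + _LIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_GUID_LEN])
            data = blob[pos + _OWNER_GUID_LEN:pos + sig_size]
            entries.append((sig_type, owner, data))
            pos += sig_size
        off = end
    return entries


def find_test_key_markers(blob):
    """Return [(owner, marker)] for X.509 entries whose DER bytes contain a
    test-key marker. DER stores DN strings as plain ASCII, so a byte scan is a
    cheap first check; a full audit should also decode the certificate."""
    hits = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        for marker in TEST_KEY_MARKERS:
            if marker in data:
                hits.append((owner, marker.decode()))
    return hits


def read_efivar(path=PK_EFIVAR_PATH):
    """Read a variable from efivarfs, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw[4:]


def build_signature_list(sig_type, owner, data):
    """Build a single-entry EFI_SIGNATURE_LIST (used here to construct test input)."""
    sig_size = _OWNER_GUID_LEN + len(data)
    header = _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + data


def fake_der_cert(issuer_text):
    """Constructed stand-in for a certificate: a DER SEQUENCE holding one
    PrintableString, enough to exercise the byte scan. Not a real X.509 cert."""
    text = issuer_text.encode("ascii")
    assert len(text) < 126                            # keep short-form DER lengths
    inner = bytes([0x13, len(text)]) + text           # PrintableString
    return bytes([0x30, len(inner)]) + inner          # SEQUENCE


SAMPLE_OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")   # constructed
# Constructed samples: one resembling the leaked AMI test PK, one clean.
SAMPLE_TEST_PK = build_signature_list(
    EFI_CERT_X509_GUID, SAMPLE_OWNER, fake_der_cert("DO NOT TRUST - AMI Test PK"))
SAMPLE_CLEAN_PK = build_signature_list(
    EFI_CERT_X509_GUID, SAMPLE_OWNER, fake_der_cert("Example OEM Platform Key 2024"))

if __name__ == "__main__":
    try:
        blob = read_efivar()
    except OSError as exc:
        print(f"cannot read PK ({exc}); scanning the constructed sample instead")
        blob = SAMPLE_TEST_PK
    for owner, marker in find_test_key_markers(blob):
        print(f"test-key marker {marker!r} found in PK entry owned by {owner}")
```

A hit means the machine boots from a root of trust whose private key is public, and nothing you change in the OS fixes that; the same walk over `KEK-8be4df61-…` and `db-d719b2cb-…` shows which downstream keys the PK currently vouches for. An empty result is not a clean bill of health: the byte scan only catches certificates that carry the warning strings, so pair it with the vendor’s scanner or decode the DER with `openssl x509 -inform der -noout -issuer -subject -dates` and check the issuer and validity period by hand.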
Critical Vulnerabilities of the Week: This KEV is how old?
We start this week with a new report on a very old vulnerability being exploited in the wild.
Per the NIST entry, a use-after-free vulnerability in Internet Explorer versions 6 through 8 that allows remote attackers to execute arbitrary code, first identified in 2012, is still being exploited in the wild today, which is how it has earned a place in the Known Exploited Vulnerabilities catalog.
If for some reason you still have a machine running IE 6-8, maybe it’s time to put it out to pasture?
Also worth highlighting is a quartet of vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 DNS server, reported last week by the Internet Systems Consortium (CVE-2024-4076, CVE-2024-1975, CVE-2024-1737, CVE-2024-0760).
If exploited, each of these can be used to knock a BIND server offline (a denial of service). That is less severe than remote code execution, but a resolver or authoritative server going down takes every service that depends on it along, so the patches warrant installation as soon as possible.
Another Stalkerware Provider Hacked
It seems we can barely go two weeks without another stalkerware vendor getting hacked, and here we are again. Last week TechCrunch received a set of files stolen from SpyTech, a Minnesota-based company.
The files, whose authenticity has reportedly been verified, contain data harvested from phones, tablets and computers on which SpyTech’s software had been installed; the software runs silently on a machine and spies on its user’s activity. The cache holds data from more than 10,000 devices, going back to 2013.
Oddly enough, SpyTech’s CEO was reportedly unaware of the breach when asked about it, which suggests these outfits are more interested in making money than in protecting the private data they collect on behalf of their customers.
…and enable multi-factor authentication while you’re at it
Cisco Talos security researchers released their quarterly Incident Response Trends Report last week, and one surprising trend stands out: About 80% of ransomware attacks in the second quarter occurred at organizations whose systems didn’t use multi-factor authentication.
And we thought maybe Snowflake had taught the world something.
Compromised credentials were the most popular way to gain initial access for the third consecutive quarter, Talos noted, much like what lay behind all those Snowflake customer breaches.
Ransomware attacks increased 22% from Q1 to Q2, accounting for 30% of all incidents Talos responded to. Given the increase in attacks using stolen credentials and relying on the lack of multi-factor authentication, it might be wise to spend some time this week enabling it for everyone, without exception.
TracFone fined $16 million for three violations
Verizon subsidiary TracFone has agreed to pay $16 million to the FCC to end investigations into a trio of data breaches the company suffered between 2021 and 2023.
According to the FCC, TracFone failed to secure several of its customer database APIs, allowing criminals to steal customer account and device information as well as personally identifiable information. The breaches resulted in “numerous unauthorized port-outs.”
Not to be confused with SIM swaps, another scam that most carriers fail to prevent, number porting is the complete transfer of a phone number to another carrier. Either way the attacker ends up controlling the victim’s phone number, and with it any calls, texts and SMS-based login codes sent to it.
TracFone has been ordered to implement a mandatory cybersecurity program “with new provisions to reduce API vulnerabilities,” as well as protections against SIM swaps and unauthorized port-outs. ®