Category Archives: Alert

Security alerts

UEFI Bootkit Virtually Impossible to Remove

Bootkits are designed to be undetectable but typically you can reformat the hard drive and reinstall the operating system or, worst case, you can replace the hard drive to disinfect the computer.

But wait, there is more.

Security researchers from Kaspersky, the Russian cybersecurity company whose side we can never quite figure out, disclosed a new bootkit, code name MoonBounce.

This bootkit does not hide anywhere on the hard drive like most bootkits do. That means that formatting the disk or even replacing the hard drive WILL NOT get rid of the malware.

So, if it does not hide on the hard drive, where does it hide?

It infects flash memory called SPI memory on the motherboard by taking advantage of flaws.

There are only two ways to get rid of the malware. One is to reflash the SPI memory, an extremely complex task. The other is to replace the motherboard and destroy the old one. Neither is terribly attractive.

Worse yet, given where it lives in the SPI memory controller, there is no easy way to even detect that it is there.

UEFI was designed as a replacement for the old computer BIOS because the BIOS was not secure. The UEFI uses a number of techniques to secure a chain of trust during the boot process to try and stop malicious code from compromising that process. That all works until hackers find bugs in it.

Kaspersky is aware of three bootkits – this one plus LoJax and MosaicRegressor.

But other researchers have found several more including ESPecter, FinSpy’s UEFI bootkit and others.

Kaspersky says this means that what we once thought was impossible – compromising UEFI – is clearly far from that. Still extremely hard, but not impossible.

MoonBounce, Kaspersky says, is the product of China’s APT41.

I am sure that we will learn more about these very rare incursions over time, so stay tuned.

Credit: The Record

Security News for the Week Ending January 21, 2022

Russia Arrests Some REvil Gang Members

At this point we don’t know who they ticked off, but Putin’s goons arrested 14 people and seized 426 million Roubles (about $5.5 million), $600,000 USD, 500,000 euros, computers and 20 cars. These guys definitely will not be getting a Christmas card from Vlad next year. Credit: Yahoo News

Gas or Electric – Which is Better When You are on a Virginia Highway in a Blizzard

Couldn’t resist the dig on Virginia – the government of which could not figure out recently that ice storms could cause problems and where people were stranded on the Interstate for over 24 hours with no food, water or heat. The question that electric car naysayers have been asking – or really telling – is that if you are in an electric car, stuck in a traffic jam, you are going to run out of juice and have to be towed somewhere to get a charge (vs. putting a few gallons into your gas tank). If you want to see the details of the argument, go to the link, but at least this analysis says that it is a bit of a toss-up because of all of the variables. Credit: Vice

Europe Wants to Create Its Own DNS Infrastructure

The EU doesn’t like anything that it can’t control and especially if it is controlled by companies in the U.S. The project, called DNS4EU, would enable DNS filtering, support all DNS standards and, most importantly, would effectively be under the government’s thumb, meaning that they could tell DNS4EU to block whatever the various governments wanted. Bigger point, EU ISPs won’t be happy to lose the revenue that they get from currently selling their users’ data, so it is unclear whether, unless EU law forces them to use it, they would encourage it. Credit: The Record

More Than Half of Connected Medical Devices Have Critical Vulnerabilities

A new report from Cynerio says that 53% of Internet-connected medical devices analyzed were found to have a known critical vulnerability. In addition, a third of bedside healthcare IoT devices have an identified critical risk. This includes missing patches, unsupported operating systems and default passwords left in operation. Credit: Cynerio

Some Russian Hackers Worried About Being Arrested

After recent arrests by Russia’s FSB of the REvil hackers, there is some chatter on Russian message boards about not wanting to go to jail. One hacker said that those who expect that Russia would protect them will be greatly disappointed. Some are even suggesting moving to a more favorable (to them) jurisdiction, but there likely aren’t many of those. If Russia continues this then the paranoia will likely increase, which is good for us. Credit: ZDNet

It’s To Protect The Children

Law enforcement has been trying since at least the 1990s, when they jailed and tried to convict Phil Zimmermann for creating an open source encryption program called PGP, to put the encryption genie back in the bottle.

The problem is that encryption is math and math doesn’t care about politics.

If some governments were to ban encryption, there would be other countries where people who really wanted encryption could get it. And, while the math is hard, there are enough books published, enough algorithms available, that smart hackers could write their own.

Governments have been trying for decades to get software developers to create new math – math that allows for strong encryption but also gives law enforcement a master key to look at whatever they want to look at.

After all, if the TSA can’t even secure the physical keys that they use to open people’s suitcases at the airport, how likely is it that they can secure a master encryption key or keys?

So the solution is to scare people – or at least try to scare them.

Fear is a common tactic. Car makers who don’t want people to be able to repair their own cars said that allowing people to do that would embolden sexual predators (Massachusetts, 2017).

They are counting on people being fearful and not knowledgeable. Occasionally it works.

Britain is trying to scare people into giving up their right to privacy. At this point, we do not know whether it will work or not.

Rolling Stone is reporting that the UK government, at taxpayer expense, has hired the world famous advertising agency M&C Saatchi to create a major scare campaign.

According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black.

The UK Home Office said that they hired Saatchi to bring together organizations that “share our concerns about the impact end-to-end encryption would have on our ability to keep children safe”.

It is fair to say that encryption does make bulk data surveillance harder, but there is already a lot of end-to-end encryption in place. Open source software like Telegram and Signal and commercial software like WhatsApp are just a couple of examples.

The government says that the plan is to create this media blitz “to make the public uneasy”. In other words, scare them into accepting even more surveillance than they are already under.

One slide from a campaign deck says that most of the public has never heard of end-to-end encryption, adding that “this means that people can be easily swayed”.

They also said that the campaign must not start a privacy vs safety debate, but I don’t think that objective is possible.

The opening phase of the government’s scare campaign is expected to start within days.

However privacy advocates plan to start their own campaign too.

This battle is not going to end anytime soon, but the best defense is an educated public.

If you have questions, please reach out to us.

Security News for the Week Ending January 14, 2022

Hackers Sending Malware Filled USB Sticks in the Mail

Old, tried and true techniques continue to work as hackers have been sending malware-filled USB sticks in the mail and UPS to defense, transportation and insurance companies, hoping someone did not do their security awareness training and plugs the drive into their computer. It just shows that hackers do not need to keep inventing new tricks; the old ones continue to work. Credit: Gizmodo

Norton Installs Cryptomining Software on Users’ Computers

Norton and its sister company Avira, both owned by the same parent, are installing cryptomining software as part of the default install. Norton turns it on automatically since they get 15% of anything you earn, Avira has it off by default. If Norton was still on your approved list (it went off our list years ago), you should probably remove it. Credit: Brian Krebs

White House Hosts Open Source Security Summit

In the wake of the Log4j and other open source software attacks, the White House hosted a summit this week with the likes of Akamai, Amazon, Apache, Apple, Cloudflare, Facebook, Google, IBM and others to discuss how to improve open source security. While no “results” have been announced yet, the fact that the summit was called and led by Anne Neuberger is an acknowledgement that “Houston, we have a problem”. With open source used throughout the IT world, including critical infrastructure, and much of that software either not maintained at all or maintained by volunteers, there is no easy solution: there are millions of open source packages. Stay tuned; we might be able to do something for a few of the larger, more important packages. Ultimately, it is both the responsibility and the liability of the companies that use open source, and that should not be much comfort to anyone. Credit: Data Breach Today

Canon’s Printer DRM Comes Back to Haunt Them

Consumer printer makers make most of their money selling you toner and ink, so years ago they came up with the idea of putting chips in the cartridges to try and stop you from using low cost supplies. But now they can’t get chips so they are making cartridges without the chips, causing their customers’ printers to alarm. As a result, Canon is telling their customers how to break their own DRM. Not to worry though, Canon says they will go back to trying to hurt their competitors when the chip market eases up. Credit: Gizmodo

Car Makers Say Giving Owners Data From Their Cars Will Embolden Sexual Predators

Car owners have been trying for years to force car makers to give them the tools they need to repair their own cars. One of those tools is the data that their cars generate. If car owners could repair their own cars, car makers would lose billions of dollars in revenue. Massachusetts voters overwhelmingly voted in a right to repair law in 2020, even though car makers spent $26 million explaining why letting people repair their own cars was bad, even claiming it would embolden sexual predators. Now they are saying the law is unconstitutional. Anything to try and stop the revenue drain. Credit: Vice

The Latest Supply Chain Risk – Your Desk Phone

Senator Chris Van Hollen (Maryland) wrote a letter to Commerce Secretary Raimondo asking what she planned to do about this security vulnerability – the first we are hearing about it. Raimondo could ban the equipment, just like equipment made by Huawei and others.

Chinese electronics maker Yealink is not a household word like Huawei, but it may soon be.

Yealink’s phones are, apparently, popular in the United States, including at government agencies – federal, state and local, but they might have just a few security concerns.

Van Hollen’s letter references a report by Virginia-based Chain Security that scopes out hardware risk for a living.

The report says that Yealink’s Device Management Platform or DMP is what allows users to make calls and administrators to manage the phones.

HOWEVER, it also allows Yealink to secretly record those calls and also, for computer based phones, to track which websites users are visiting.

Concerned yet?

It turns out that even if you are using a physical phone, if the computer gets to the network through the phone, the phone can still track what websites you are visiting. Actually not CAN track you; rather it should be IS tracking you.

While it is unknown, it is suspected that Yealink is a sysadmin for the DMP, and hence has the power to do anything that any other admin can do.

Yealink’s service agreement requires users (like US Government employees with one of their phones on his or her desk) to accept China’s laws, including a term that allows for the active monitoring of users when required by the ‘national interest’ of China.

The phone also does not digitally sign software updates, so if someone can convince the phone to accept an update, it has no way of knowing whether that update is legitimate or not.

Even scarier is Verizon’s response to this revelation: A Verizon spokesperson said Yealink’s DMP “has been built to meet the custom requirements of Verizon” and that the customization was related to “security; feature management exposure to the devices through the DMP; firmware management and remote diagnostics.”

Does that mean that Verizon is in cahoots with China?

If all of this wasn’t bad enough, the phone sends encrypted messages to China three times a day.

The Commerce Department responded to the Senator saying that they take this stuff seriously.

Whatever the hell that means.

My guess is that this is probably not a lot different than other tech that may be in your office or home – which means that you might want to be more aggressive in reviewing the security of those tech toys.

Credit: Defense One

Security News for the Week Ending January 7, 2022

Software released by Microsoft and other vendors is digitally signed so that users can validate that it really came from the vendor in question and that it has not been modified since the vendor created it.

However, hackers have figured out how to bypass the security provided by Microsoft’s digital signature verification process, allowing them to add malware while leaving the signature intact.

According to security firm Check Point, here is how the malware that they have detected works. The problem is, however, much bigger than this. Now that the technique is public, this could be used to modify any already signed software leaving the signature intact.

This particular attack begins by installing Atera software on a victim’s machine. Atera is a legitimate remote maintenance product (like Kaseya, which was compromised last year) used by Managed Service Providers (MSPs). In this case, the victim did not know that they were installing Atera; they thought they were installing a Java update.

Check Point is still trying to figure out exactly how the Atera software was deployed in this case, but in earlier cases, the hacker played a short click of adult content and then told the victim that they needed to install this Java update, which was really malware.

Once the Atera software is on the victim’s computer, the hacker tells Atera to download and run two batch files. One changes Windows Defender’s preferences to not check certain folders and filetypes and the other installs the malware.

Next the attacker runs MSHTA with a particular DLL as the parameter. The catch is that the DLL had malicious scripts added to it. Due to an oversight by Microsoft, adding the script does not invalidate the signature.

Microsoft FIXED this bug in 2013 – that’s right, 9 years ago – but they changed it in 2014 after discovering that it broke some customer software. Microsoft, in its never-ending effort to be customer friendly, decided to totally compromise their customers’ security rather than telling their customers to re-sign their software.

Now that decision is coming back to bite them in the ….. (fill in the blank).

It looks like the way they disabled it was to change the install of the fix (for CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151) from mandatory to optional. As a result most users do not have it installed.

The fix is to install the update, understanding that it is possible that it might break some stuff: Microsoft Security Advisory 2915720 | Microsoft Docs.
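The reason the signature survives is that the Authenticode hash of a PE file deliberately excludes the certificate table itself (the WIN_CERTIFICATE block the security data directory points at), so bytes appended inside that block after the PKCS#7 signature are never hashed. The optional fix described in the advisory makes WinVerifyTrust reject files whose certificate block carries such extra data. The following is an added example, not code from the article, Check Point or Microsoft: a small Python checker that parses a PE file, locates its certificate table, measures the real DER length of the PKCS#7 blob and reports any non-padding bytes that follow it, which is the condition a defender wants to flag on files that still pass a signature check. `build_sample_pe` is a constructed, minimal PE32 with a dummy DER SEQUENCE in place of a real signature (it is not a signed binary), used only so the checker can be run offline; the exact 8-byte-padding tolerance is my assumption of how the stricter check behaves, not a quote from the advisory.

```python
import struct


def _der_total_length(blob: bytes) -> int:
    """Total encoded size (tag + length bytes + content) of the DER element at
    the start of blob, e.g. the PKCS#7 SignedData SEQUENCE of an Authenticode
    signature. Supports short and long (up to 4-byte) length forms."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def authenticode_trailing_bytes(pe: bytes) -> int:
    """Bytes inside the WIN_CERTIFICATE entry that sit after the PKCS#7 blob
    and are not ordinary alignment padding. 0 means the signature block is
    clean; >0 means data was stashed in the region Authenticode never hashes.
    Assumption: up to 7 zero bytes of 8-byte alignment padding is normal."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                     # skip PE sig + COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    dd_offset = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ data dirs
    if dd_offset is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir = opt_hdr + dd_offset + 4 * 8           # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir)
    if cert_off == 0 or cert_size == 0:
        raise ValueError("file has no certificate table (unsigned)")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if revision != 0x0200 or cert_type != 0x0002:   # WIN_CERT_REVISION_2_0 / PKCS_SIGNED_DATA
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    body = pe[cert_off + 8:cert_off + dw_length]
    tail = body[_der_total_length(body):]
    if len(tail) < 8 and not any(tail):
        return 0
    return len(tail)


def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not a real, signed binary) whose security
    directory points at a WIN_CERTIFICATE holding a dummy DER SEQUENCE.
    `appended` is placed after that blob but inside dwLength, which is where
    the technique described above hides its payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    cert_off = (len(dos) + 4 + len(coff) + len(opt) + 7) & ~7   # table is 8-byte aligned
    pkcs7 = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])  # SEQUENCE { INTEGER 1, NULL }
    body = pkcs7 + b"\0" * ((-len(pkcs7)) % 8) + appended
    body += b"\0" * ((-len(body)) % 8)
    wincert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    struct.pack_into("<II", opt, 128, cert_off, len(wincert))   # security data directory
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (cert_off - len(image)) + wincert


if __name__ == "__main__":
    clean = build_sample_pe()
    # Constructed marker bytes standing in for whatever an attacker would append.
    padded = build_sample_pe(b"EXTRA-DATA-NOT-COVERED-BY-HASH")
    print("clean sample  -> trailing bytes:", authenticode_trailing_bytes(clean))
    print("padded sample -> trailing bytes:", authenticode_trailing_bytes(padded))
```

On a real machine the equivalent enforcement is the advisory's opt-in registry value, EnableCertPaddingCheck set to "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node path on 64-bit Windows); a checker like this one is useful for inventorying which already-deployed binaries would stop validating once that value is turned on, so the breakage the article warns about can be found before the switch is flipped rather than after.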

Credit: MSN and Dark Reading