Tag Archives: Supermicro

Bloomberg Says China Adds Spy chips to Computers

In 2018 Bloomberg ran a story that claimed that China had embedded tiny microchips on Supermicro computer server processor boards in 2015. Everyone denied it – Supermicro, the intelligence community (IC), China.

Supply chain attacks seem to be everywhere these days and this is another one.

I don’t know if it is true, but why would Supermicro or China admit what what going on. The IC might know but might not want China to know how much they know and when they knew it.

While Bloomberg took a lot of heat for the story at the time, they never gave up on it and continued to investigate.

Well this week Bloomberg wrote chapter two of the story.

They are saying that China targeted Supermicro products for over a decade, that the IC was aware of it and that they kept it quiet because they were studying it and trying to figure out how to counter it.

14 former law enforcement and IC sources confirmed the story to Bloomberg.

According to Bloomberg, the Pentagon detected the chip implant back in 2010. Intel detected that China had hacked it in 2014 and the FBI issued a private warning to multiple companies in 2015 telling them that China had planted a surprise inside their computers.

Bloomberg also says that the Feds got a FISA warrant in 2012 to surveil several Supermicro employees.

And of course, Supermicro issued a new denial.

Would you expect anything else?

Remember also that it is well documented that the NSA did hardware implants for years.

You get to figure it out.

However, I do recommend you dust off that vendor cyber risk management program and see if you are doing all that you can do. Credit: The Register

Security News for the Week Ending September 6, 2019

Cisco: Critical Bug Allows Remote Takeover of Routers

Cisco rated this bug 10 out of 10.  For users of Cisco 4000 series ISRs, ASR 1000 series aggregation routers, 1000v cloud routers and integrated services virtual routers, an unauthenticated user can gain full control just by sending a malicious HTTP request.  So yet another reminder that patching your network gear is critical.  For Cisco, that means having to purchase their maintenance agreement every year.  Source: Threatpost.

USBAnywhere – Especially Places You Don’t Want

Eclypsium announced a vulnerability in the Baseband Management Controller (BMC) in Supermicro motherboards that allow any attacker anywhere, without authorization, to access the BMC chipset and mount a virtual USB device, wreaking all kinds of havoc as you might imagine.  Like stealing your data, installing malware or even disabling the server entirely.  The researchers found 14,000 servers publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private – no difference.  Part of the problem is that almost no one knows who’s motherboard is inside their server.  The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually.  Isn’t that exciting?  Source: The Hacker News.

Remember When we Thought iPhones Were Secure?

Apparently that myth is beginning to get a little tarnished.  In fact, Android zero days are worth more than iPhone attacks.  Why?  Because, exploit broker Zerodium says, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.

I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs.  All software has bugs.  Practice safe computing, no matter what platform you are using.  Source: Vice.

Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web

When Poshmark put up a information free notice last year that some user information had been hacked (turns out it was 36 million even though they didn’t say so), but that no financial information was taken, so they didn’t feel too bad about it, most people said, another day, another breach.

The 36 million accounts were for sale for $750 which means that even the hacker didn’t think they were valuable.  But now there are reports that one million of those accounts are available with the passwords decrypted, likely at a much higher price.  Does this mean they are working on the other 35 million?  Who knows but if you have a Poshmark account, you should definitely change that password and if the password was used elsewhere, change that too.  Source: Bleeping Computer .

Researchers Claim to Have Hacked the Secure Enclave

CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer.  Intel calls their feature SGX.  Researchers claim to have created an attack based on Intel’s and AMD’s assumption that only non-malicious code would run in a secure enclave.  If this all proves out, it represents a real threat and reiterates the fact that you have to keep hackers out, because once they are in, nothing is safe.  Source: Bruce Schneier.