Thursday, June 1st, 2023

Cybersecurity Week in Review (02/06/2023)

Surge in attempted cyberattacks on Irish hospitals poses severe threat

Smarttech247 CEO Raluca Saceanu said cyberattacks can be ‘devastating’ as a new threat emerges on the dark net — ‘Phishing as a Service’ kits tailored to exploit vulnerabilities in the health service.

An increasing trend in attempted cyberattacks on Irish hospitals poses a severe threat, according to a global cybersecurity firm. Just over two years on from the HSE cyberattack, there has been a 60% spike in the number of attempted attacks targeting hospitals and other healthcare services over the past two months. Healthcare organisations are being warned to remain vigilant and prioritise cybersecurity as an attack poses a serious threat to the provision of services, patient care, and data security.

Smarttech247 monitors activity targeting a range of sectors and believes the recent surge in healthcare threats is a cause for great concern. The 2021 attack on the HSE caused havoc for patients, medics, and admin staff with the wide-ranging impacts lasting for months. A new threat has emerged on the dark net involving ‘Phishing as a Service’ kits which are specifically tailored to exploit the vulnerabilities within the health service.

Cybercriminals are taking advantage of the growing dependence on technology within healthcare by exploiting vulnerabilities to gain unauthorised access, disrupt operations and compromise patient data, said Smarttech247 CEO Raluca Saceanu. 

“The consequences of these attacks can be devastating, potentially jeopardising patient care, compromising privacy, and undermining the trust placed in healthcare institutions,” she said. 

Ms Saceanu said Irish hospitals should prioritise cybersecurity by implementing robust security protocols, raising awareness among staff and investing in ongoing training and education. The government should be funding training programs, technological upgrades, and a collaborative platform should be established where threat intelligence can be exchanged, she added.


Source: https://www.irishexaminer.com/news/arid-41150626.html


Capita cyber-attack: 90 organisations report data breaches

Capita runs crucial services for local councils, the military and the NHS, and administers pension schemes for firms including Royal Mail and Axa. About 90 organisations have reported breaches of personal information held by Capita after the outsourcing group suffered a cyber-attack in March; the hack caused a significant IT outage.

Capita’s systems are used to administer pension funds for several large firms, including Royal Mail and Axa, covering millions of policyholders. The attack prompted the Pensions Regulator (TPR) to write to more than 300 pension funds to ask them to check whether data had been stolen by hackers.

A second data breach emerged in May when it was reported that the London-based firm had left benefits data files in publicly accessible storage, prompting several councils to say they thought their data had been compromised. The Information Commissioner’s Office (ICO) said that about 90 organisations had so far been in contact with it over the two incidents.

In a statement, the ICO said it was concerned about both incidents, including the data left in publicly accessible storage, and that further inquiries are under way as it receives a large number of reports from organisations directly affected. Capita has asked the organisations that use its services to establish whether any of their data was breached and is seeking further information from them.

As well as administering pension funds, Capita is an important government contractor and holds billions of pounds’ worth of public sector contracts, including London’s congestion charge system and disability payment assessment services for the Department for Work and Pensions. Capita says it is working closely with specialist advisers and forensic experts to investigate the cyber incident and has taken extensive steps to recover and secure the data.

If a company decides the incident does not need to be reported, staff need to keep a record of it and be able to explain to the ICO why further reporting was not necessary.

According to Capita, the hack could cost as much as £20m.


Source: https://www.theguardian.com/business/2023/may/30/capita-cyber-attack-data-breaches-ico


Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

The recently discovered Barracuda zero-day vulnerability has been exploited to deliver malware and steal data since at least October 2022. The flaw, tracked as CVE-2023-2868 and described as a remote command injection issue, impacts Email Security Gateway (ESG) appliances running versions 5.1.3.001 through 9.2.0.006.

According to Barracuda, the vulnerability originated from insufficient input validation of user-provided .tar files, specifically of the filenames within the archive. As a result, an attacker could format file names in a way that allowed them to remotely execute a system command through Perl’s qx operator, with the privileges of the Email Security Gateway product.
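The mechanism above, a filename taken from inside an uploaded archive reaching a shell command, is shown below as an added example. It is not Barracuda’s code and is written in PHP rather than the appliance’s Perl; PHP’s backtick operator behaves like Perl’s qx, so the hazard and the fix carry over directly. The function names and the use of the `file` command as the “scanner” are assumptions for illustration.

```php
<?php
// Added example, not Barracuda code: a vulnerable archive-member handler beside a
// hardened one. PHP stands in for the appliance's Perl; function names and the
// `file` scanner command are assumptions for illustration.

// VULNERABLE pattern. The backtick operator, like Perl's qx, hands the string to
// /bin/sh, so every shell metacharacter in $member is interpreted as syntax, and
// $member came from inside the archive, not from the operator.
function scan_member_vulnerable(string $extractDir, string $member): string {
    return (string) `file "$extractDir/$member"`;
}

// HARDENED step 1: treat archive member names as untrusted and validate them first.
// Accept a conservative character set, refuse absolute paths and ".." segments.
function valid_member_name(string $member): bool {
    if ($member === '' || strlen($member) > 255) return false;
    if (str_contains($member, "\0")) return false;                 // NUL terminates C strings
    if (str_starts_with($member, '/')) return false;               // absolute path
    if (preg_match('~(^|/)\.\.(/|$)~', $member)) return false;     // path traversal
    return preg_match('~^[A-Za-z0-9._/+@-]+$~', $member) === 1;    // nothing a shell parses
}

// HARDENED step 2: even after validation, never build a shell command line. An argv
// array passed to proc_open() (PHP 7.4+) starts the program directly, with no shell
// in between, so no character in the name can ever become syntax.
function scan_member_safe(string $extractDir, string $member): string {
    if (!valid_member_name($member)) {
        throw new InvalidArgumentException('rejected archive member name: ' . json_encode($member));
    }
    $proc = proc_open(
        ['file', '--', $extractDir . '/' . $member],   // argv array, not a string
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start scanner');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed member names of the kind a tar listing might contain.
$names = [
    'invoice-2023-05.pdf',        // plain name
    'reports/q1/summary.docx',    // subdirectory
    '/etc/hosts',                 // absolute path
    'docs/../../outside.txt',     // traversal
    'report;pdf',                 // shell statement separator
    '$(name).pdf',                // command-substitution syntax
    'quiet`.pdf',                 // backtick, the qx-style operator itself
];
foreach ($names as $n) {
    printf("%-28s %s\n", $n, valid_member_name($n) ? 'accept' : 'reject');
}
```

The validator is the detection point a defender can also log on: an appliance that records every rejected member name gets an early signal of probing, long before anything reaches a shell. The argv-array call is the part that actually closes the bug; the allow-list on its own would be bypassed by the next metacharacter nobody thought of.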

Barracuda became aware of attacks targeting its product on May 18 and confirmed the existence of a new vulnerability the next day. A patch was rolled out to ESG devices on May 20 and the vendor released an additional script one day later to contain the incident and neutralise unauthorised access methods. Additional fixes are also being deployed as part of the company’s containment strategy.

The vulnerability only appears to impact the ESG product, specifically a module designed for the initial screening of email attachments. An investigation conducted with the help of Mandiant revealed that CVE-2023-2868 has been exploited in attacks since at least October 2022. The threat actor exploited the zero-day to hack ‘a subset’ of ESG devices and deploy malware that gave them persistent backdoor access. In some cases, data exfiltration was also detected. 

Three types of malware were discovered on compromised Barracuda devices. One of them, named SaltWater, has been described as a trojanized module for the Barracuda SMTP daemon. It allows attackers to upload or download files, execute commands, and use it for proxy or tunnelling purposes. Mandiant is currently analysing the malware for links to known threats.

Another piece of malware involved in the attack is SeaSpy, a persistence backdoor that poses as a legitimate Barracuda service. It monitors traffic and provides backdoor functionality activated by a ‘magic packet’. Mandiant did find some code overlap between this malware and a publicly available backdoor named cd00r. 

The third piece of malware is named Seaside and it has been described as a Lua-based module that also targets the Barracuda SMTP daemon. It receives a command and control (C&C) IP address and port that are passed on to an external binary that establishes a reverse shell. 

Barracuda has shared indicators of compromise (IoCs) for both endpoints and networks, as well as YARA rules that can be used for threat hunting. Customers have been advised to ensure that their devices are up to date and to stop using compromised appliances; Barracuda is providing new virtual or hardware appliances to impacted users.


Source: https://www.securityweek.com/barracuda-zero-day-exploited-to-deliver-malware-for-months-before-discovery/


WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection

The premium WordPress plugin ‘Gravity Forms,’ currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection. Gravity Forms is a custom form builder website owners use for creating payment, registration, file upload, or any other form required for visitor-site interactions or transactions. On its website, Gravity Forms claims it is used by a wide variety of large companies, including Airbnb, ESPN, Nike, NASA, PennState, and Unicef. The vulnerability, which is tracked as CVE-2023-28782, impacts all plugin versions 2.7.3 and below.

The flaw was discovered by PatchStack on March 27, 2023, and fixed by the vendor with the release of version 2.7.4, which was made available on April 11, 2023. Website administrators using Gravity Forms are advised to apply the available security update as soon as possible. The issue arises from the lack of checks on user-supplied input passed to the ‘maybe_unserialize’ function and can be triggered by submitting data to a form created with Gravity Forms. PatchStack warns that an unauthenticated user could pass ad-hoc serialised strings to the vulnerable unserialize call, resulting in the injection of arbitrary PHP objects into the application scope. The vulnerability can be triggered on a default installation or configuration of the Gravity Forms plugin and only needs a created form that contains a list field.

Despite the potential severity of CVE-2023-28782, PatchStack’s analysts could not find a significant POP (property-oriented programming) chain in the vulnerable plugin, somewhat mitigating the risk. However, the risk remains severe if the same site uses other plugins or themes that contain a POP chain, which isn’t uncommon considering the wide range of available WordPress plugins and themes and the varying levels of code quality and security awareness among developers.

In those cases, exploitation of CVE-2023-28782 could lead to arbitrary file access and modification, user/member data exfiltration, code execution, and more. The plugin vendor fixed the flaw by removing the use of the ‘maybe_unserialize’ function from the Gravity Forms plugin in version 2.7.4. It is also important to apply any updates across all plugins and themes active on your WordPress site, as security fixes may eliminate attack vectors, like POP chains, that could be leveraged in this case to launch damaging attacks.
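The bug class described in this item, request data reaching an unserialize call, and the reason a POP chain in any other plugin matters, are illustrated by the following added example. It is not Gravity Forms or WordPress code; the class and function names are hypothetical, and `maybe_unserialize_like` is a simplified stand-in for the WordPress helper.

```php
<?php
// Added example, not Gravity Forms or WordPress code: the class of bug behind
// CVE-2023-28782 in miniature, with a vulnerable handler beside two hardened ones.
// All class and function names here are hypothetical.

// A hypothetical class with a side effect in a magic method. This is what a POP
// (property-oriented programming) chain is built from: once unserialize() can be
// fed attacker-chosen data, any such class loaded by any plugin or theme on the
// site becomes reachable, which is why every plugin and theme needs patching.
class CacheFile {
    public static array $log = [];
    public string $path = '';
    public function __destruct() {
        // Runs automatically when the restored object is freed; no call site needed.
        self::$log[] = "would remove {$this->path}";
    }
}

// Simplified stand-in for WordPress's maybe_unserialize(): unserialize() anything
// that looks serialised and pass everything else through unchanged.
function maybe_unserialize_like(string $data) {
    return preg_match('/^[adObis]:/', $data) ? @unserialize($data) : $data;
}

// VULNERABLE: request data goes straight into the helper, so the submitter
// decides which classes get instantiated inside the application.
function restore_list_field_vulnerable(string $posted) {
    return maybe_unserialize_like($posted);
}

// HARDENED, option 1: keep unserialize() but forbid object creation. Objects in
// the input come back as __PHP_Incomplete_Class and no magic method ever runs.
function restore_list_field_no_objects(string $posted) {
    $value = @unserialize($posted, ['allowed_classes' => false]);
    return $value === false ? $posted : $value;
}

// HARDENED, option 2 (what new code should do): carry list-field rows as JSON,
// which has no notion of PHP classes, and validate the shape you expect.
function restore_list_field_json(string $posted): array {
    $rows = json_decode($posted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($rows)) {
        throw new InvalidArgumentException('list field must be an array of rows');
    }
    foreach ($rows as $row) {
        if (!is_array($row) || array_filter($row, fn($c) => !is_string($c))) {
            throw new InvalidArgumentException('each row must be an array of strings');
        }
    }
    return $rows;
}

// Constructed inputs: a normal two-row list, and a hand-written serialised object
// of the class above (empty path), exactly as a form submitter could type it.
$benign   = serialize([['Ada', 'Lovelace'], ['Grace', 'Hopper']]);
$objectIn = 'O:9:"CacheFile":1:{s:4:"path";s:0:"";}';

var_dump(restore_list_field_vulnerable($benign));        // the rows, as intended
$obj = restore_list_field_vulnerable($objectIn);
var_dump($obj instanceof CacheFile);                     // was a gadget object created?
unset($obj);                                             // its destructor runs here
var_dump(CacheFile::$log);                               // evidence the magic method ran

$safe = restore_list_field_no_objects($objectIn);
var_dump($safe instanceof __PHP_Incomplete_Class);       // object creation refused

var_dump(restore_list_field_json('[["Ada","Lovelace"]]'));
```

Option 1 is the minimal patch for legacy data formats; option 2 is the design change that removes the bug class rather than the instance, which is also what the vendor’s fix amounts to by dropping the unserialize path entirely.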


Source: https://www.bleepingcomputer.com/news/security/wordpress-plugin-gravity-forms-vulnerable-to-php-object-injection/


Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

Dental benefits manager MCNA has started sending notification letters to roughly nine million individuals to inform them that their personal information might have been compromised in a data breach earlier this year. Operating under the MCNA Insurance Company and Managed Care of North America brands, MCNA is one of the largest dental benefits managers in the US, serving more than 5 million children and adults through its programs.

The data breach, which occurred between February 26 and March 7, impacted both current and former members of certain state Medicaid and Children’s Health Insurance Programs, the company says in the notification letter, a copy of which was submitted to the Maine Attorney General’s Office. During the incident, an unauthorised party accessed multiple systems within MCNA’s network, infected them with malware, and stole personal information stored on them.

The investigation into the attack revealed that the compromised personal information may include names, addresses, phone numbers, birth dates, Social Security numbers, driver’s licence numbers, ID numbers, health insurance information, and information related to dental/orthodontic care.

The amount of exposed personal information, the company says, may differ from individual to individual. While MCNA did not say what type of malware was installed on its systems, the attack was claimed by the LockBit ransomware group in March. Last month, the group published on its leak site roughly 700 gigabytes of data allegedly stolen from the company.

MCNA claims that it is not aware of the stolen information being misused, but it appears that other threat actors may already have the data, meaning that the impacted individuals may be targeted in phishing, identity theft, fraud, and other types of attacks.

To soften the blow, MCNA is offering free credit monitoring services to the impacted individuals, encouraging them to stay alert on possible fraud attempts. MCNA told the Maine Attorney General that more than 8.9 million individuals were impacted by the data breach.


Source: https://www.securityweek.com/personal-information-of-9-million-individuals-stolen-in-mcna-ransomware-attack/


ABB confirms ransomware attack resulted in data theft

The Switzerland-based industrial automation giant ABB confirmed it was hit by a ransomware attack earlier this month that resulted in the theft of unspecified data; it said customer systems were not directly impacted and that key services and factories remain operational. In a press statement, ABB said a threat actor accessed its IT environment and deployed ransomware that is not self-propagating, impacting a “limited number” of servers and endpoints.

ABB runs an extensive business spanning 21 divisions with customers in industrial machinery, robotics, manufacturing, oil, gas, renewable energy, automotive, food processing, household products, medical equipment and communications, among other sectors. The enterprise operates in more than 100 countries with about 100,000 employees, with roughly one-fifth of its workforce based in the U.S.

ABB said it contained the attack and its key services, systems and factories are operating, but continues to restore impacted infrastructure and strengthen its defences. An investigation into the nature and scope of data affected by the attack remains underway with assistance from law enforcement, government officials and third-party experts. The company is in the early stages of its investigation of the incident and will continue to assess the extent of its impact.

ABB said no customer system was directly impacted. It has not identified the threat actor behind the attack.


Source: https://www.cybersecuritydive.com/news/abb-confirms-ransomware-data-theft/651531/


Microsoft finds macOS bug that lets hackers bypass SIP root restrictions

Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install “undeletable” malware and access the victim’s private data by circumventing Transparency, Consent, and Control (TCC) security checks. The flaw, discovered and reported to Apple by a team of Microsoft security researchers who dubbed it Migraine, is now tracked as CVE-2023-32369. Apple patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, released two weeks ago, on May 18. System Integrity Protection (SIP), also known as ‘rootless,’ is a macOS security mechanism that prevents potentially malicious software from altering certain folders and files by imposing restrictions on the root user account and its capabilities within protected areas of the operating system.

SIP operates under the principle that only processes signed by Apple or those possessing special entitlements, such as Apple software updates and installers, should be authorised to alter macOS-protected components. It’s also important to note that there’s no method to disable SIP without restarting the system and booting off of macOS Recovery (the built-in recovery system)—which requires having physical access to an already compromised device.

However, Microsoft’s researchers found that attackers with root permissions could bypass SIP security enforcement by abusing the macOS Migration Assistant utility, a built-in macOS app that uses the systemmigrationd daemon with SIP-bypassing capabilities stemming from its com.apple.rootless.install.heritable entitlement. The researchers demonstrated that attackers with root permissions could automate the migration process with AppleScript and launch a malicious payload after adding it to SIP’s exclusions list without restarting the system and booting from macOS Recovery.

The Microsoft Threat Intelligence team identified two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks by focussing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement.

Arbitrary SIP bypasses come with significant risks, especially when exploited by malware creators, as they enable malicious code to have far-reaching effects, including creating SIP-protected malware that can’t be removed via standard deletion methods. They also greatly expand the attack surface and could allow attackers to tamper with system integrity through arbitrary kernel code execution and potentially install rootkits to hide malicious processes and files from security software.

Bypassing SIP protection also enables a complete bypass of Transparency, Consent, and Control (TCC) policies, enabling threat actors to replace TCC databases and granting unrestricted access to the victim’s private data. This is not the first such macOS vulnerability reported by Microsoft researchers in recent years, with another SIP bypass dubbed Shrootless reported in 2021, allowing attackers to perform arbitrary operations on compromised Macs, escalate privileges to root, and potentially install rootkits on vulnerable devices.


Source: https://www.bleepingcomputer.com/news/security/microsoft-finds-macos-bug-that-lets-hackers-bypass-sip-root-restrictions/


Major Massachusetts Health Insurer Hit by Ransomware Attack, Member Data May Be Compromised

Officials of the second-largest health insurer in Massachusetts revealed that the company was the victim of a ransomware attack in which sensitive personal information as well as health information of current and past members may have been compromised. An ongoing investigation indicated that from March 28 until April 17, members’ addresses, phone numbers, birthdates, Social Security numbers, medical history, treatment, dates of service, provider names and other information may have been compromised.

The not-for-profit company said it was not aware of any misuse of the information. It did not say how many people might be affected; however, it is working closely with third-party cybersecurity experts to conduct a thorough investigation into the incident and remediate the situation.

Point32Health also contacted the FBI but did not say whether it had paid a ransom or not. Law enforcement agencies, school systems, energy infrastructure and health systems have been victims of such attacks in recent years. The Harvard Pilgrim breach affected systems used to service members, brokers and providers, and some functions remained down.

Internal IT and business validations are under way; once this process is complete, alongside thorough security screenings, some of the company’s processes will become available in a phased fashion.


Source: https://www.securityweek.com/major-massachusetts-health-insurer-hit-by-ransomware-attack-member-data-may-be-compromised/


Small Utilities, Hospitals Struggle With Newer Cyberthreats

Lack of money and expertise creates big challenges for small infrastructure providers.

Small electric utilities, wastewater facilities and hospitals struggle with defending their organisations against emerging cyberthreats given their meagre resources, U.S. government officials told a congressional oversight panel. Slightly fewer than 100,000 drinking water systems and 16,000 wastewater systems serve the United States and its territories, and their customer bases range in size from more than 8 million to just 500 people, said David Travers, head of the Environmental Protection Agency’s Water Infrastructure and Cyber Resilience Division.

Utilities’ failure to adopt best practices poses a significant risk to the water sector, as is evident both from an industry survey showing that most utilities have taken no steps to protect their operations and from the significant increase in cyber incidents at water systems attributable to poor cybersecurity practices.

Travers testified before a House Energy and Commerce subcommittee panel alongside Puesh Kumar of the Department of Energy and Brian Mazanec of the Health and Human Services Department. The EPA has provided one-on-one technical assistance to hundreds of smaller water and wastewater systems, and subject matter experts have identified gaps in cybersecurity best practices and implemented remediation actions tailored to the resources and goals of the utility entities. The agency in March said it will start assessing cybersecurity as a factor in periodic safety assessments.

The EPA focuses on best practices such as strong and unique passwords rather than recommending resource-intensive interventions. Travers said the EPA also offers ‘train the trainer’ programs to third parties such as the National Rural Water Association and the Department of Agriculture’s Rural Community Assistance Program, which often serve as a source of technical expertise.

The Energy Department provides tools to smaller utilities that help them both gauge their existing cyber posture and make investment decisions, said Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response. The department’s rural and municipal utility grant program delivers cybersecurity technical assistance and funding directly to rural cooperatives and waste utilities nationwide.

The deputy director of the Office of Preparedness described the industry best practices the Health and Human Services Department has developed for small, medium and large hospital systems, and emphasised the need to focus on safety and health impacts for smaller, rural hospitals located in areas without multiple hospitals and with less ability to divert patients, where incidents can be more severe. New tools tailored specifically for the sector were also mentioned.


Source: https://www.govinfosecurity.com/small-utilities-hospitals-struggle-newer-cyber-threats-a-22086


Personal Information, Banking Records of Nearly 40,000 Marines, Sailors Involved in Data Breach

U.S. Marine Corps officials are investigating after the personal information of approximately 39,000 personnel including Marines, sailors and civilians working within the Department of Defense was involved in a data breach discovered May 12. The Marine Corps said the breach occurred when an unencrypted email was sent from within Camp Pendleton-based Combat Logistics Regiment 17, part of the 1st Marine Logistics Group, to administrators of the Defense Travel System.

The unencrypted email sent May 9 contained variations of personal information including the full names, last four digits of Social Security numbers, and contact information of personnel, including phone numbers, email addresses as well as residential and mailing addresses, according to a May 19 notification letter sent by J. S. McCalmont, the Commanding Officer of Combat Logistics Regiment 17.

In a statement, a Marine Corps spokesperson said there is no indication that any PII (personally identifiable information) has left official government channels, and that the leadership of 1st Marine Logistics Group is proactively working to identify individuals who may have been affected by the incident. According to J. S. McCalmont, additional security measures are being implemented to prevent further unauthorised disclosures and new protocols are being adopted to ensure all PII is protected.


Source: https://www.nbcsandiego.com/news/local/personal-information-banking-records-of-nearly-40000-marines-sailors-involved-in-data-breach/3234061/


Pegasus spyware detected in Armenia and Azerbaijan

The controversial Pegasus spyware has reared its ugly head once more, this time in the context of a protracted border dispute between Armenia and Azerbaijan, where it was allegedly used to spy on dissidents and political figures in both countries. Digital rights group Access Now announced today that it suspects Pegasus was used by Azerbaijan to target the Apple devices of at least a dozen people in Armenia between October 2020 and December 2022, in connection with an ongoing border conflict with Armenia over the disputed Nagorno-Karabakh territory.

Access Now believes Pegasus was also used by Azerbaijan on its own citizens. Further research with fellow human rights groups Amnesty International and Forbidden Stories suggested that 245 Azerbaijanis may have been targeted. This emphasises the fact that spyware can be used for domestic espionage as well as keeping tabs on targets abroad. Access Now says there is “substantial evidence” to suggest that Azerbaijan is using Pegasus against dissident “reporters, editors, or media company owners, human rights defenders, lawyers, opposition figures, and academics” on its own territory.

On the other hand, Access Now does not believe Armenia is using Pegasus but instead a rival form of spyware known as Predator, provided by what it describes as a “mercenary” group called Cytrox. Like its rival, Predator has been linked to human rights abuses around the world and was also the subject of EU scrutiny, according to the Access Now report.

The 2020 conflict over the Nagorno-Karabakh region that lies between Armenia and Azerbaijan was brought to a ceasefire in November of that year, but the dispute has resurfaced since then. Access Now says the ceasefire allowed Azerbaijan to retain territorial gains made during the brief but bloody war, prompting a political meltdown in defeated Armenia and an alleged military coup that led to the dissolution of the parliamentary government there in 2021.

Around the same time, hostilities between the two countries resumed, during which period Access Now says it observed “over 30 successful Pegasus infections” targeting the dozen Armenian victims. This is far from the first time Pegasus has been implicated in human rights infringements. At least 14 EU countries including Hungary and Poland have been accused of using Israeli firm NSO Group’s notorious spyware for various purposes that include stifling dissent and silencing journalists.


Source: https://cybernews.com/cyber-war/pegasus-spyware-nso-armenia-azerbaijan/


Dark Pink APT Group Leverages TelePowerBot and KamiKakaBot in Sophisticated Attacks

The threat actor known as Dark Pink has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. This includes educational entities, government agencies, military bodies, and non-profit organisations, indicating the adversarial crew’s continued focus on high-value targets.

Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with attacks targeting entities primarily located in East Asia and, to a lesser extent, in Europe. The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts.

The Singapore-headquartered company behind the research said it also identified a new GitHub account associated with the group, containing PowerShell scripts, ZIP archives, and custom malware committed between January 9, 2023, and April 11, 2023.

Besides using Telegram for command-and-control, Dark Pink has been observed exfiltrating stolen data over HTTP using a service called webhook[.]site. Another notable aspect is the use of a Microsoft Excel add-in to ensure the persistence of TelePowerBot within the infected host. Dark Pink, its espionage motives notwithstanding, remains shrouded in mystery. That said, it’s suspected that the hacking crew’s victimology footprint could be broader than previously assumed.

The fact that the adversary has been linked to only 13 attacks (counting the five new victims) since mid-2021 indicates an attempt to maintain a low profile for stealthiness. It’s also a sign of the threat actor carefully selecting their targets and keeping the number of attacks at a minimum to reduce the likelihood of exposure.


Source: https://thehackernews.com/2023/05/dark-pink-apt-group-leverages.html


Spyware Found in Google Play Apps With Over 420 Million Downloads

Antivirus company Doctor Web has identified spyware in over 100 Android applications that had more than 421 million cumulative downloads in Google Play. The malicious module, which Doctor Web named ‘SpinOk’, is distributed as a marketing SDK. On victims’ devices, it can collect information about files, send files to the attackers, and steal clipboard content. The SpinOk module offers mini games, tasks, and alleged prizes to maintain users’ interest in the applications.

Upon execution, the SDK connects to the command-and-control (C&C) server and sends a trove of device information, including data from sensors, which allows it to detect emulator environments. The server response contains a lot of URLs used to display advertising banners via WebView. Additionally, the module can collect a list of files in specified directories, check for the presence of specific files and directories, upload files from the device, and copy or substitute clipboard content.

The malicious module and modifications were identified in a total of 101 applications in Google Play. Google has been notified and has removed some of the apps. In some cases, only certain versions contained the malicious SDK. Some of the most popular applications containing the malicious module include Noizz (over 100 million installations), Zapya (over 100 million installations – the code was present in versions 6.3.3 to 6.4), VFly (over 50 million downloads), MVBit (more than 50 million installations), and Biugo (over 50 million downloads). Doctor Web has published a full list of infected applications.


Source: https://www.securityweek.com/spyware-found-in-google-play-apps-with-over-420-million-downloads/


Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that’s installed on over five million sites. The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in November 2012. Jetpack revealed in an advisory that the vulnerability could be used by authors on any website to manipulate any files in the WordPress installation. To remediate the bug, Jetpack has released 102 new versions of the plugin.

While there is no evidence the issue has been exploited in the wild, it’s not uncommon for flaws in popular WordPress plugins to be leveraged by threat actors looking to take over the sites for malicious ends. This is not the first time severe security weaknesses in Jetpack have prompted WordPress to force install the patches.

In November 2019, Jetpack released version 7.9.1 to fix a defect in the way the plugin handled embed code that had existed since July 2017 (version 5.1). The development also comes as Patchstack revealed a security flaw in the premium Gravity Forms plugin that could allow an unauthenticated user to inject arbitrary PHP code. The issue (CVE-2023-28782) impacts all versions from 2.7.3 and below. It has been addressed in version 2.7.4, which was made available on April 11, 2023.


Source: https://thehackernews.com/2023/06/urgent-wordpress-update-fixes-critical.html


Gigabyte Motherboards Found to Have Backdoor Functionality, Posing Security Risks

Firmware and hardware security company Eclypsium has found that hundreds of motherboard models made by Gigabyte, the Taiwanese computer components giant, contain backdoor functionality that poses significant risks to organisations. The finding raises concerns about the security of millions of devices worldwide.

Eclypsium researchers first noticed the functionality because of suspicious behaviour that triggered an alert in the company's platform. On investigation, they found that the firmware on numerous Gigabyte systems drops a Windows executable that runs during operating system startup. That executable then downloads and runs a further payload fetched from Gigabyte servers.

What makes the discovery more alarming is that the payload is fetched over an insecure connection, either plain HTTP or improperly configured HTTPS, and the downloaded file is not verified before it is executed. An attacker positioned on the network path could therefore substitute a file of their own and have it run.
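As an added example that is not part of the original article and is not Gigabyte's or Eclypsium's code, the following Python shows the two checks the updater described above skips: refusing anything but a TLS download, and comparing the downloaded bytes against a digest pinned in the client before they are run. The URL, payload bytes and pinned digest are constructed for illustration.

```python
"""Added example: verifying a downloaded update before executing it.

Constructed illustration, not Gigabyte's or Eclypsium's code. It shows the
two checks the firmware updater described above skips: insisting on TLS for
the download, and verifying the payload against a pinned value before it is
written to disk or executed.
"""
import hashlib
import hmac
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when a payload fails the transport or integrity check."""


def transport_is_acceptable(url: str) -> bool:
    """Only HTTPS is acceptable; plain HTTP lets an on-path attacker swap the file."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def verify_payload(url: str, payload: bytes, pinned_sha256: str) -> bytes:
    """Return payload only if it came over TLS and matches the pinned digest.

    pinned_sha256 is an assumed value shipped inside the updater/firmware,
    never fetched from the same server that serves the payload.
    """
    if not transport_is_acceptable(url):
        raise UpdateRejected(f"refusing non-TLS download: {url}")
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time compare so the check does not leak how many digest
    # characters matched.
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise UpdateRejected("digest mismatch: payload altered or not the expected release")
    return payload


# Constructed samples standing in for the real payload and a tampered copy.
GOOD_PAYLOAD = b"MZ\x90\x00 constructed stand-in for an updater binary"
PINNED_DIGEST = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b"\x00 injected stage"

# Hypothetical host used only for the scheme check; nothing is fetched.
GOOD_URL = "https://update.example.invalid/app.exe"
PLAIN_URL = "http://update.example.invalid/app.exe"


def check_scenarios() -> dict:
    """Run the cases the write-up implies and report the outcome of each."""
    results = {}
    cases = {
        "https_good": (GOOD_URL, GOOD_PAYLOAD),
        "http_good": (PLAIN_URL, GOOD_PAYLOAD),
        "https_tampered": (GOOD_URL, TAMPERED_PAYLOAD),
    }
    for name, (url, data) in cases.items():
        try:
            verify_payload(url, data, PINNED_DIGEST)
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_scenarios().items():
        print(f"{name:16} {outcome}")
```

In a real updater the HTTPS client must also validate the server certificate (Python's urllib does so with its default SSL context), since an HTTPS connection that skips certificate validation is no better than HTTP against an on-path attacker. The pinned value would normally be a vendor signature over the digest, verified with a public key embedded in the firmware, so that new releases can be authenticated without shipping a new client for every one.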

While there is currently no evidence the mechanism has been abused, Eclypsium notes it cannot rule out that it is a malicious backdoor planted in Gigabyte systems, whether by a malicious insider, through a compromise of the company's infrastructure, or somewhere in the supply chain.

Even if the functionality turns out to be legitimate, Eclypsium warns that threat actors could exploit it, as skilled attackers routinely abuse such tools. UEFI rootkits, for example, have leveraged firmware weaknesses to keep Windows malware persistent on compromised systems, and firmware-level backdoors of this kind are hard to remove.

Gigabyte products have been targeted before by threat actors using sophisticated UEFI rootkits, which underlines the need to address firmware vulnerabilities promptly. Gigabyte users should watch for security updates or patches from the company and install firmware updates as soon as they become available to mitigate the risk posed by this functionality.


Source: https://voiceofciso.com/gigabyte-motherboards-found-to-have-backdoor-functionality-posing-security-risks/


Italian Ministry hit by “heavy cyberattack”

Italy’s Ministry of Industry said its website and applications were out of order after being hit by a “heavy cyberattack” early Friday morning. Technicians were working to “mitigate the consequences,” the Ministry said in a statement released shortly after the attack. So far, there is no sign of any data being compromised, according to the statement. 

The Ministry said it could not predict when website activities would be back to normal. The agency said it was in close contact with the National Cybersecurity Agency to reduce any inconvenience for citizens and businesses.


Source: https://cybernews.com/news/italian-ministry-hit-by-heavy-cyberattack/



    Copyright Smarttech247 - 2021