Vulnerabilities found in server firmware, a warning to Docker administrators, and more.
Welcome to Cyber Security Today. It’s Friday, January 19th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Nine vulnerabilities have been found in an open-source reference implementation of a protocol that allows enterprise computers and data centre servers to boot across a network. If exploited, these holes could lead to data theft, denial of service attacks and other ugly things. Researchers at Quarkslab say the problems are in the TCP/IP stack specification maintained by TianoCore, a community of developers from software vendors including Microsoft, ARM, American Megatrends, Phoenix Technologies and others that use the project for their firmware implementations. Carnegie Mellon University’s Computer Emergency Response Team (CERT) says IT leaders should look for and install firmware updates from their equipment manufacturers. They should also consider disabling a capability called PXE boot (pronounced “pixie” boot).
Separately, the Carnegie CERT issued a warning that general-purpose graphics processors from AMD, Apple and Qualcomm have a memory leak vulnerability. The hole, discovered by researchers at Trail of Bits, means an attacker with access to a GPU programmable interface can dump local memory. IT managers should watch for security updates from their hardware makers.
Button up your Docker containers. That’s the advice from researchers at Cado Security. Their honeypot recently attracted a piece of malware hunting for vulnerable Docker services. It installs a cryptominer as well as an application called 9hits that threat actors can use to run their attacks from the compromised container. It isn’t clear how this Docker malware is being spread. But the report makes it clear that exposed Docker hosts are a risk to organizations that use them.
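The Cado Security item above turns on one question a Docker administrator can answer quickly: is the daemon’s API reachable over TCP without client authentication? The following audit script is an added example written for this page; it is not code from Cado Security or the Docker project. It parses the contents of a daemon.json file and flags a TCP listener in the "hosts" list that is not protected by "tlsverify" (the setting that makes dockerd demand a client certificate). The two configurations it checks are constructed samples: one exposed, one hardened with mutual TLS. The file paths under /etc/docker are placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the weak setting. A tcp:// listener with no TLS
# settings hands full daemon control to anyone who can reach port 2375.
EXPOSED_CONFIG = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}'''

# Constructed sample: the corrected setting. "tlsverify" forces client
# certificate authentication; the certificate paths are placeholders.
HARDENED_CONFIG = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'''

WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def audit_docker_hosts(config_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the TCP listeners in a daemon.json.

    Severities: HIGH = remote API reachable without client authentication,
    INFO = authenticated listener that still faces every interface.
    """
    cfg = json.loads(config_text)
    findings: list[tuple[str, str]] = []
    tls_only = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))

    for entry in cfg.get("hosts", []):
        url = urlparse(entry)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local; not in scope here
        host = url.hostname or ""
        if not tlsverify:
            detail = ("encrypted by \"tls\" but no client auth"
                      if tls_only else "plaintext, no client auth")
            findings.append(("HIGH", f"{entry}: TCP API listener, {detail}"))
        elif host in WILDCARD_BINDS:
            findings.append(("INFO", f"{entry}: authenticated, but bound to all interfaces"))
    return findings


def audit_file(path: str) -> list[tuple[str, str]]:
    """Convenience wrapper: audit a daemon.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_docker_hosts(fh.read())


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for severity, message in audit_docker_hosts(text) or [("OK", "no TCP findings")]:
            print(f"  [{severity}] {message}")
```

Two caveats when using this against a real host: dockerd also accepts listeners through the -H flag on its command line (and refuses to start if the same option is set both in daemon.json and in flags), so check the systemd unit as well as the file; and a TCP listener that is absent from both places can still be reached through a proxy or a socat-style forwarder, so a listening-port check on the host (ss -ltnp, for example) remains the final word.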
American cybersecurity authorities have issued an advisory to help defenders fight the Androxgh0st malware. A threat group has used this malware to create a botnet to steal login credentials for Amazon Web Services, Microsoft Office 365, SendGrid, Twilio and more. Targets also include websites that use the Laravel web application framework and web servers running certain versions of Apache HTTP Server. The advisory includes indicators of compromise defenders should watch for.
The pressure on IT security leaders in the financial services sector won’t let up this year. That’s according to researchers at Abnormal Security. They note in a report this week that firms in this sector get about 200 advanced phishing attacks per 1,000 mailboxes each week. One of the most common tactics used by threat actors is impersonating a business provider, like a supplier or a software company, and demanding payment for an invoice. Last year that type of attack went up 137 per cent compared to 2022.
Finally, Middle Eastern affairs experts at universities and think tanks should be careful replying to emails. According to Microsoft, they’re being targeted by an Iran-based threat group it calls Mint Sandstorm. Typically the gang uses custom phishing lures to trick targets into downloading malicious files and then gains access to their computers through a backdoor.
Later today the Week in Review podcast will be available. On this show guest commentator David Shipley and I will discuss the recent takeovers of poorly secured accounts on the X platform, and more.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.