Cyber Security Today, March 3, 2023 – Bootkit can compromise Windows 11, a hacked container found and more


Welcome to Cyber Security Today. It’s Friday, March 3rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S.


A bootkit being sold to crooks can bypass and corrupt a fully patched Windows 11 system, say researchers at ESET. Called BlackLotus, it can get around Secure Boot, the firmware-based operating system security protection. It exploits a year-old vulnerability that was fixed by Microsoft in its January 2022 Windows update. The problem is that exploitation is still possible because the validly signed binaries in the bootkit haven’t been added to what’s called the UEFI revocation list. Once launched, this bootkit will disable Windows’ security mechanisms such as Defender and BitLocker. While this bootkit has been sold on underground forums for at least the last four months, it seems few threat actors have started using it — so far. ESET urges the UEFI Forum to update its revocation list.

Separately, ESET warned that a new custom backdoor is being deployed by what is believed to be a China-aligned group it calls Mustang Panda. It’s a bare-bones backdoor that allows the attacker to execute commands. It uses the MQTT protocol for communications.

Containerized virtual environments with everything an application needs to run are efficient. But they are still vulnerable to cyber-attacks. The latest example was discovered by researchers at Sysdig. They found a containerized workload that was hacked, then leveraged to perform a privilege escalation into an AWS account to steal the victim company’s proprietary software and credentials. It started with the attacker exploiting an internet-facing service in a self-managed Kubernetes cluster hosted inside an AWS cloud account. They got an employee’s temporary username and password through instance metadata. Then because that user had excessive access permissions the attacker could get the credentials of others and move on. One lesson: Give an employee more access than they need to resources and a successful attacker will take advantage. A second lesson: Strong detections and alerts are needed in containerized environments.

Attention Linux administrators: The SysUpdate malware that until now has only run on Windows machines can now run on Linux boxes, according to Trend Micro. It is believed to have been created by a threat actor researchers call Lucky Mouse or Iron Tiger. This malware can take screenshots, find, delete and rename files, upload and download files among other things. The new version also can communicate through DNS text requests.

Fast-food chain Chick-fil-A has begun notifying customers their personal data was exposed between December 18th and February 12th. The attacker used login credentials stolen from an unnamed third party. The stolen information may have included names, email addresses, the last four digits of credit/debit card numbers and mobile pay numbers. If customers saved personal information to their accounts such as the month and day of their birth that would have been stolen, too.

I’ve reported before about data breaches stemming from the compromise of the GoAnywhere managed file transfer service. Hatch Bank in the U.S. is now notifying almost 140,000 customers who borrowed or applied to borrow money that some of their data was accessed at the end of January. The Bleeping Computer news site says the Clop ransomware gang claims responsibility for compromising the file transfer service. That claim hasn’t been verified.

Most listeners know — I hope — to hover over links they get in emails and text messages as one way to confirm they go to a legitimate website. This is especially important if the link is shortened. However, hovering is not foolproof. Scammers have ways to disguise a fake full link. The most recent way is by making the full URL look like it goes to or involves LinkedIn. LinkedIn, of course, is a trusted brand. According to researchers at Malwarebytes, people are getting email messages that look like they came from Amazon about renewing their Prime service. But the goal is to steal Gmail, Microsoft and other passwords. The scam works like this: In the email messages there’s an Update Now button to update your supposed Prime account. Hovering over the button shows a shortened link that includes the word LinkedIn. Click on it and you get redirected to a website that looks like an Amazon login page. Victims who enter their email address and password as requested get sent to a so-called Security Checkup page where they are asked to fill in personal information — which goes to the crooks. This works because of a website redirect service that LinkedIn offers. Don’t be fooled by this scam.

That’s it for now. But later today the Week in Review podcast will be available. My guest will be University of Calgary cybersecurity professor Tom Keenan. He’ll talk about artificial intelligence and ChatGPT. That show will be available after 3 p.m. Eastern time.

Links to details about podcast stories are in the text version at

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
