Cyber Security News

RedAlert, LILITH, and 0mega, 3 new ransomware in the wild 

Security Affairs - Fri, 07/15/2022 - 03:26
Cyble researchers warn of three new ransomware operations named Lilith, RedAlert and 0mega targeting organizations worldwide.

Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert, and 0mega.

RedAlert (aka N13V) targets both Windows systems and Linux VMware ESXi servers. The name RedAlert comes from a string of the same name in the ransom note. Unlike most other ransomware operations, RedAlert only accepts ransom payments in Monero.

RedAlert is human-operated ransomware that uses the NTRUEncrypt public-key algorithm for encryption. On ESXi hosts it targets only a limited set of file types belonging to virtual machines: log files (.log), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn) and memory files (.vmem). It appends a “.crypt[random number]” extension to the filenames of encrypted files.

The Lilith ransomware is written in C/C++ and targets 64-bit Windows systems. The malware appends the “.lilith” extension to the filenames of encrypted files. The threat actors behind this operation adopt a double extortion model.

“Upon execution, Lilith ransomware initially searches for a list of hardcoded processes in the file and terminates its execution if any of them are running on the target’s machine. This step ensures that these processes do not block access to the files to be encrypted.” reads the analysis published by Cyble. “The ransomware searches for files to encrypt on the local system by enumerating the file directories using FindFirstFileW() and FindNextFileW() API functions. It ignores the file extensions such as EXE, DLL, and SYS and excludes a list of directory and file names from the encryption process.”

The Lilith ransomware encrypts files using a set of cryptographic APIs and a random key generated locally.

The 0mega ransomware is also targeting organizations worldwide using a double-extortion model.

The ransomware operation has been active at least since May 2022 and already claimed to have breached multiple organizations.

Victims of the ransomware reported that the malware adds the .0mega extension to encrypted file names and drops, for each victim, a customized ransom note named DECRYPT-FILES.txt.

In some cases the operators included in the ransom note details on how they would disclose the attack to the victim’s business partners and trade associations if the ransom is not paid.

Source https://id-ransomware.blogspot.com/2022/05/0mega-ransomware.html

Like other ransomware gangs, the operators use a payment negotiation site hosted on the Tor network.

Victims contact the operators through the negotiation site by uploading the ransom note dropped on their systems; the note includes a unique identifier that ties the upload to the victim’s case.

“Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by TAs besides implementing the requisite security best practices and security controls. Ransomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and lost productivity. If the victim is unable or unwilling to pay the ransom, the TAs may leak or sell this data online, compromising sensitive user data for businesses and individuals and resulting in a loss of reputation for the affected organization(s).” concludes Cyble. “Throughout 2021 and 2022, we have observed record levels of ransomware activity. While notable examples of this are rebrands of existing groups, newer groups like LILITH, RedAlert, and 0mega are also proving to be potent threats.”

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post RedAlert, LILITH, and 0mega, 3 new ransomware in the wild  appeared first on Security Affairs.

Categories: Cyber Security News

Mantis Botnet Behind the Largest HTTPS DDoS Attack Targeting Cloudflare Customers

The Hacker News - Fri, 07/15/2022 - 01:16
The botnet behind the largest HTTPS distributed denial-of-service (DDoS) attack in June 2022 has been linked to a spate of attacks aimed at nearly 1,000 Cloudflare customers. Calling the powerful botnet Mantis, the web performance and security company attributed it to more than 3,000 HTTP DDoS attacks against its users. The most attacked industry verticals include internet and telecom, media,
Categories: Cyber Security News

Mantis botnet powered the largest HTTPS DDoS attack in June

Security Affairs - Thu, 07/14/2022 - 14:32
The record-breaking distributed denial-of-service (DDoS) attack recently mitigated by Cloudflare was launched by the Mantis botnet.

In June 2022, DDoS mitigation firm Cloudflare announced that it had mitigated the largest HTTPS DDoS attack on record, launched by a botnet it named Mantis.

The Mantis botnet generated 26 million requests per second using approximately 5,000 hijacked virtual machines and powerful servers.

“The Mantis botnet was able to generate the 26M HTTPS requests per second attack using only 5,000 bots. I’ll repeat that: 26 million HTTPS requests per second using only 5,000 bots. That’s an average of 5,200 HTTPS rps per bot. Generating 26M HTTP requests is hard enough to do without the extra overhead of establishing a secure connection, but Mantis did it over HTTPS.” reads a report published by Cloudflare.

Experts consider Mantis an evolution of the Meris botnet. Meris was built from compromised MikroTik devices, whereas Mantis runs on a variety of VM platforms and can drive various HTTP proxies to perform its attacks.

Cloudflare reported that Mantis has targeted nearly 1,000 of its customers. Over the past month, it was used to launch more than 3,000 HTTP DDoS attacks against them.

Most of the Mantis attacks targeted organizations in the Internet & Telecommunications industry (36%), followed by News, Media & Publishing industry (15%), Gaming (12%), and Finance (10%).

Most of the targeted organizations are located in the US (20%), followed by Russia-based companies (15%), while less than five percent included Turkey, France, Poland, Ukraine, and more.

Experts consider Mantis the most powerful botnet seen to date, and it will likely be involved in many more attacks in the coming months.


Pierluigi Paganini

(SecurityAffairs – hacking, Mantis)


Categories: Cyber Security News

The new Retbleed speculative execution attack impacts both Intel and AMD chips

Security Affairs - Thu, 07/14/2022 - 12:38
Researchers warn of a new vulnerability, dubbed Retbleed, that impacts multiple older AMD and Intel microprocessors.

ETH Zurich researchers Johannes Wikner and Kaveh Razavi discovered a new vulnerability, dubbed Retbleed, that affects multiple older AMD and Intel microprocessors. An attacker can exploit the flaw to bypass current defenses and perform Spectre-based attacks.

The Retbleed vulnerability is tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel).

“Retbleed (CVE-2022-29900 and CVE-2022-29901) is the new addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions.” reads the report about this issue. “This means a great deal, since it undermines some of our current Spectre-BTI defenses.”

Many operating systems rely on a defense called retpoline, first devised in 2018 to prevent Spectre-BTI attacks, which replaces indirect jumps and calls with return instructions. The researchers found that, under certain microarchitectural conditions, returns are themselves predicted like indirect branches, so they can be exploited as a vector for speculative execution attacks just as indirect branches are.

Retbleed is exploitable because of two findings:

  • It is possible to trigger the microarchitectural conditions, on both AMD and Intel CPUs, that forces returns to be predicted like indirect branches. The experts developed custom tools to discover locations in the Linux kernel where these conditions are met.
  • It is possible to inject branch targets that reside inside the kernel address-space, even as an unprivileged user. Even though we cannot access branch targets inside the kernel address-space — branching to such a target results in a page fault — the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it’s to a kernel address.

“Intel. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation, we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in previous work.” explained the experts. “AMD. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited — and there are tons of them.”
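What a retpoline actually does, and therefore what Retbleed defeats, is easier to see in code. The block below is an added example, not code from the Retbleed authors or from any kernel: a hand-written thunk in the shape compilers emit for -mindirect-branch=thunk, wrapped in a C helper. The names call_via_retpoline, twice and square are this example’s own; the assembly assumes x86-64 with a GNU-style inline assembler and falls back to an ordinary indirect call anywhere else.

```c
#include <stdio.h>

/* Added example (not the Retbleed authors' code): a hand-written retpoline in
 * the shape of the compiler-generated __x86_indirect_thunk_rax, to show what
 * "replacing indirect calls with returns" means. x86-64 / GNU asm only; other
 * targets fall back to a plain indirect call so the function still works. */

typedef int (*int_fn)(int);

static int twice(int x)  { return 2 * x; }   /* sample call targets */
static int square(int x) { return x * x; }

/* Calls target(arg) without executing an indirect call/jmp. The thunk does a
 * 'call' to push a return address, overwrites that stack slot with the real
 * target and 'ret's into it. The RSB entry pushed by that 'call' points at the
 * pause/lfence loop, so whatever the CPU speculates after the 'ret' spins
 * harmlessly there. Retbleed's observation is that when the RSB underflows
 * (Intel) or the predictor has been trained to treat the return like a jump
 * (AMD), this very 'ret' is predicted from the poisonable indirect-branch
 * predictor instead, and the trampoline no longer contains the speculation. */
static int call_via_retpoline(int_fn target, int arg)
{
    int ret;
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    __asm__ volatile(
        "mov  %%rsp, %%r12\n\t"      /* save the stack pointer */
        "sub  $128, %%rsp\n\t"       /* step over the red zone */
        "and  $-16, %%rsp\n\t"       /* ABI alignment at the call site */
        "call 3f\n\t"                /* like 'call __x86_indirect_thunk_rax' */
        "jmp  4f\n\t"                /* the target returns here */
        "3: call 1f\n\t"             /* thunk: push a return address ... */
        "2: pause\n\t"               /* ... the speculative path spins here */
        "   lfence\n\t"
        "   jmp  2b\n\t"
        "1: mov  %%rax, (%%rsp)\n\t" /* ... overwrite it with the target */
        "   ret\n\t"                 /* 'return' into the target */
        "4: mov  %%r12, %%rsp\n\t"   /* restore the stack pointer */
        : "=a"(ret)                  /* target's return value in eax */
        : "a"(target), "D"(arg)      /* target in rax, argument in edi */
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "r12",
          "memory", "cc");
#else
    ret = target(arg);               /* no retpoline on this target */
#endif
    return ret;
}

int main(void)
{
    printf("twice(21)  = %d\n", call_via_retpoline(twice, 21));
    printf("square(7)  = %d\n", call_via_retpoline(square, 7));
    return 0;
}
```

Every indirect call now ends in a ret executed from the thunk, and that is the instruction Retbleed targets: on Intel the RSB empties under a deep call stack, on AMD the predictor is primed by an indirect jump, and in both cases the ret consults a predictor an unprivileged attacker can poison with kernel-space targets.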

Both Intel and AMD have addressed the issue with software mitigations described in their respective advisories.

The researchers published a video PoC of Retbleed leaking kernel memory on Intel and AMD CPUs.

The experts published a research paper about Retbleed that will be presented at USENIX Security 2022, and the Retbleed source code is available on the researchers’ GitHub.


Pierluigi Paganini

(SecurityAffairs – hacking, chip)


Categories: Cyber Security News

Former CIA Engineer Convicted of Leaking 'Vault 7' Hacking Secrets to Wikileaks

The Hacker News - Thu, 07/14/2022 - 11:06
Joshua Schulte, a former programmer with the U.S. Central Intelligence Agency (CIA), has been found guilty of leaking a trove of classified hacking tools and exploits dubbed Vault 7 to WikiLeaks. The 33-year-old engineer had been charged in June 2018 with unauthorized disclosure of classified information and theft of classified material. Schulte also faces a separate trial on charges related to
Categories: Cyber Security News

State-Backed Hackers Targeting Journalists in Widespread Espionage Campaigns

The Hacker News - Thu, 07/14/2022 - 08:29
Nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware as part of a series of campaigns since early 2021. "Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated
Categories: Cyber Security News

A Simple Formula for Getting Your IT Security Budget Approved

The Hacker News - Thu, 07/14/2022 - 08:21
Although there is a greater awareness of cybersecurity threats than ever before, it is becoming increasingly difficult for IT departments to get their security budgets approved. Security budgets seem to shrink each year and IT pros are constantly being asked to do more with less. Even so, the situation may not be hopeless. There are some things that IT pros can do to improve the chances of
Categories: Cyber Security News

Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices

The Hacker News - Thu, 07/14/2022 - 06:54
Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple's operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware. "An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional
Categories: Cyber Security News

Former CIA employee Joshua Schulte was convicted of Vault 7 massive leak

Security Affairs - Thu, 07/14/2022 - 06:17
Former CIA programmer Joshua Schulte was convicted in a US federal court over the massive 2017 leak of the agency’s hacking tools to WikiLeaks.

The former CIA programmer Joshua Schulte (33) was found guilty in New York federal court of stealing the agency’s hacking tools and leaking them to WikiLeaks in 2017.

The huge trove of data, called “Vault 7,” exposed the hacking capabilities of the agency and its internal infrastructure. The archive includes confidential documents, malicious code, and exploits specifically designed to target popular products from IT companies including Samsung, Apple, Google, and Microsoft.

The hacking tools developed by the US cyber spies can target mobile devices, desktop computers, and IoT devices such as routers and smart TVs.

The arsenal used by the Central Intelligence Agency hackers was composed of tools developed by the Engineering Development Group (EDG) of the CIA’s Center for Cyber Intelligence (CCI).

The developers at EDG are tasked with developing and testing any kind of malicious code, including implants, backdoors, exploits, Trojans and viruses. The CIA has dozens of zero-day exploits in its arsenal that can target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.

In mid-May 2018, both The New York Times and The Washington Post revealed the name of the alleged source of the Vault 7 leak, the man who passed the secret documents to WikiLeaks. According to his LinkedIn profile, Schulte worked for the NSA for five months in 2010 as a systems engineer; he then joined the CIA as a software engineer and left the agency in November 2016.

Schulte was identified as a suspect a few days after WikiLeaks started publishing the dumps.

Schulte was first arrested on child pornography charges: in August 2017 he was charged with three counts of receipt, possession and transportation of child pornography.

The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.

In November 2018, Joshua Adam Schulte faced new charges in a superseding indictment filed in Manhattan federal court; he was charged with the unlawful transmission and attempted unlawful transmission of national defense secrets from prison.

In February 2020, the lawyers of the former CIA employee asked the court for a mistrial, claiming that prosecutors had withheld evidence that could exonerate their client during the trial in Manhattan federal court.

Schulte has now been convicted, and prosecutors said he was aware of the damage his conduct would cause to national security.

“Joshua Adam Schulte was a CIA programmer with access to some of the country’s most valuable intelligence-gathering cyber tools used to battle terrorist organizations and other malign influences around the globe.  When Schulte began to harbor resentment toward the CIA, he covertly collected those tools and provided them to WikiLeaks, making some of our most critical intelligence tools known to the public – and therefore, our adversaries.” states US Attorney Damian Williams after the conviction. “Moreover, Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm.  Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history.”

Schulte also faces a separate trial on the child pornography charges.


Pierluigi Paganini

(SecurityAffairs – hacking, Vault7)


Categories: Cyber Security News

Microsoft published exploit code for a macOS App sandbox escape flaw

Security Affairs - Thu, 07/14/2022 - 05:24
Microsoft published the exploit code for a vulnerability in macOS that can allow an attacker to escape the sandbox.

Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox.

“Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.” reads the post published by Microsoft.

Microsoft reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. Apple addressed the CVE-2022-26706 flaw on May 16, 2022. 

“An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions.” reads the description of this issue.

An attacker can trigger the flaw using a specially crafted Office document containing malicious macro code that bypasses the sandbox restrictions and executes commands on the system.

The Apple App Sandbox protects system resources and user data by limiting an app’s access to the resources requested through its entitlements.

Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.

Microsoft researchers demonstrated that using specially crafted codes could bypass the sandbox rules. An attacker could exploit the sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing malicious payloads.

“We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix.” reads the post. “Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open --stdin command on a specially crafted Python file with the said prefix.”

The root cause of the issue is this backward-compatibility behavior, which allows Microsoft Word to read and write files with the “~$” prefix.

The experts first created a PoC macro that launched a shell script with the Terminal app, but it was blocked by the sandbox: the dropped file was automatically given the com.apple.quarantine extended attribute, which prevents Terminal from executing it. They then tried Python scripts, but the Python app had similar issues running files carrying that attribute.

The researchers finally created a proof-of-concept (PoC) that used the --stdin option of the open command on a Python file to bypass the com.apple.quarantine restriction: because the script arrives on standard input, Python has no way to determine that its contents originated from a quarantined file.

“Our POC exploit thus became simply as follows:

  1. Drop a “~$exploit.py” file with arbitrary Python commands.
  2. Run open --stdin=’~$exploit.py’ -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.” continues the post.

The researchers also produced a shortened version of the exploit that fits in a single tweet.


Pierluigi Paganini

(SecurityAffairs – hacking, macOS)


Categories: Cyber Security News

Pakistani Hackers Targeting Indian Students in Latest Malware Campaign

The Hacker News - Thu, 07/14/2022 - 05:15
The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021. "This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users," Cisco Talos said in a report shared with The Hacker News.
Categories: Cyber Security News

VMware fixed a flaw in vCenter Server discovered eight months ago

Security Affairs - Thu, 07/14/2022 - 03:42
VMware addressed a high-severity privilege escalation flaw, tracked as CVE-2021-22048, in vCenter Server IWA mechanism.

VMware addressed a high-severity privilege escalation flaw, tracked as CVE-2021-22048 (CVSSv3 base score 7.1), in vCenter Server’s IWA (Integrated Windows Authentication) mechanism eight months after its disclosure.

The vulnerability can be exploited by an attacker with non-administrative access to vulnerable vCenter Server deployments to elevate privileges to a higher privileged group.

“The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism.” reads the advisory published by the company. “A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.”

The CVE-2021-22048 flaw affects multiple vCenter Server versions, including 6.5, 6.7, and 7.0. VMware addressed it with the release of vCenter Server 7.0 Update 3f, which only fixes the vulnerability for servers running the latest release.

The company provided a workaround for this issue: switch from Integrated Windows Authentication (IWA) to AD over LDAPS authentication or to Identity Provider Federation for AD FS (vSphere 7.0 only).

The CVE-2021-22048 flaw was reported by CrowdStrike researchers Yaron Zinar and Sagi Sheinfeld on November 10th, 2021.


Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)


Categories: Cyber Security News

Qakbot operations continue to evolve to avoid detection

Security Affairs - Wed, 07/13/2022 - 14:29
Experts warn that operators behind the Qakbot malware operation are improving their attack chain in an attempt to avoid detection.

Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. It spreads via malspam campaigns, typically by inserting malicious replies into active email threads.

The threat continues to evolve, implementing new attack vectors to evade detection, Zscaler ThreatLabz researchers warn. The experts spotted a significant uptick in the spread of Qakbot over the past six months, using several new techniques.

“Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0  to trick victims into downloading malicious attachments that install Qakbot.” reads the analysis published by Zscaler. “Other more subtle techniques are being deployed by threat actors to prevent automated detection and raise the odds that their attack will work, including obfuscating code, leveraging multiple URLs to deliver the payload, using unknown file extension names to deliver the payload, and altering the steps of the process by introducing new layers between initial compromise, delivery, and final execution.”

The attacks observed by Zscaler used malicious messages carrying ZIP archives with embedded files such as Microsoft Office documents, LNK files, and PowerShell scripts.

ThreatLabz reported that the attackers are using various different file names to disguise attachments designed to deliver Qakbot. Common file names used in the recent campaigns combine a description, generated numbers, and dates (e.g. Compensation-1172258432-Feb-16.xlsb, Compliance-Report-1634724067-Mar-22.xlsb). The files also feature common keywords for finance and business operations in an attempt to trick victims into believing that they are everyday business documents.

“Once the user clicks “Enable Content” to view the attachment, the macro is activated to look for a subroutine with a pre-defined function, in this case starting with auto_open777777. In the next step of the sequence, the URLDownloadToFile function is imported and called to download  the malicious Qakbot Payload and drop it into the C:\ProgramData\ location on the victim’s machine with the filename .OCX which is actually Qakbot DLL.” continues the analysis. “Then WinAPI EXEC from Excel4Macro directly executes the malicious payload or loads the payload using regsvr32.exe.”

The experts also observed the use of PowerShell to download the malicious code, and a switch from regsvr32.exe to rundll32.exe to load the payload, in an attempt to evade detection.

Zscaler researchers highlight the importance of the human factor in the success of these attacks and recommend that organizations train users to handle attachments carefully, never opening attachments from untrusted or unknown sources. The experts also recommend that users verify the URL in the browser address bar before entering credentials.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Categories: Cyber Security News

Three UEFI Firmware flaws found in tens of Lenovo Notebook models

Security Affairs - Wed, 07/13/2022 - 10:46
IT giant Lenovo released security fixes to address three vulnerabilities that impact the UEFI firmware shipped with over 70 product models.

The multinational technology company Lenovo released security fixes to address three vulnerabilities that reside in the UEFI firmware shipped with over 70 product models, including several ThinkBook models.

An attacker with local privileges can trigger these flaws to execute arbitrary code in the early stages of the boot process, hijacking the OS execution flow and disabling important security features before the operating system is loaded.

The three buffer overflow vulnerabilities in UEFI firmware, tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, were discovered by researchers from ESET.

Below is the list of vulnerabilities in Lenovo Notebook BIOS reported in the vendor’s advisory:

  • CVE-2022-1890: A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
  • CVE-2022-1891: A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
  • CVE-2022-1892: A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.

The root cause of the flaws is the insufficient validation of DataSize parameter, which is passed to the UEFI Runtime Services function GetVariable. Threat actors can exploit the flaw by creating a specially crafted NVRAM variable, triggering the buffer overflow of the Data buffer in the second GetVariable call.

“The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” wrote ESET in a series of tweets. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call.”
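The “double GetVariable” pattern ESET describes, as an added example rather than code from ESET, Lenovo or any real UEFI implementation. GetVariable and set_nvram_variable here are an in-memory stand-in for the firmware variable services, the content of the “Setup” variable is constructed, and the 64-byte region, DATA_BUF_LEN and run_scenario are this example’s own scaffolding for observing the overrun without leaving well-defined C. It places the vulnerable caller next to a fixed one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ESET's, Lenovo's or any real UEFI code: an in-memory
 * stand-in for the variable store and EFI_GET_VARIABLE, so the "double
 * GetVariable" bug class can be run next to its fix. Name, GUID and
 * attributes are dropped; only the in/out DataSize contract matters. */

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL (0x8000000000000000ULL | 5ULL)

/* One fake NVRAM variable. An attacker with the right OS privileges can rewrite
 * it (SetVariable / efivarfs) before the next boot, so its size is attacker-
 * controlled from the point of view of the firmware that reads it back. */
static uint8_t nvram_value[256];
static size_t  nvram_size;

static void set_nvram_variable(const uint8_t *value, size_t size)
{
    if (size > sizeof nvram_value) size = sizeof nvram_value;
    memcpy(nvram_value, value, size);
    nvram_size = size;
}

/* Spec semantics: *DataSize is the caller's buffer size on input. Too small:
 * *DataSize becomes the required size, EFI_BUFFER_TOO_SMALL, nothing copied.
 * Otherwise the whole variable is copied and *DataSize set to bytes written.
 * GetVariable itself is correct; the bug is in how callers feed it DataSize. */
static EFI_STATUS GetVariable(const char *name, size_t *DataSize, void *Data)
{
    (void)name;
    if (*DataSize < nvram_size) {
        *DataSize = nvram_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    if (Data != NULL) memcpy(Data, nvram_value, nvram_size);
    *DataSize = nvram_size;
    return EFI_SUCCESS;
}

/* Callers write into a 64-byte region: the first DATA_BUF_LEN bytes are the
 * driver's fixed-size Data buffer, the rest stands in for whatever sits next to
 * it in real firmware. Pre-filling with FILL_BYTE makes an overrun visible while
 * keeping every write inside one object, i.e. well-defined C. */
#define REGION_LEN   64
#define DATA_BUF_LEN 32
#define FILL_BYTE    0xAA

/* Vulnerable "double GetVariable" pattern as ESET describes it: the first call
 * probes the size, and that size goes straight into the second call against a
 * fixed-size buffer without ever being compared with DATA_BUF_LEN. */
static EFI_STATUS vulnerable_read_setup(uint8_t region[REGION_LEN])
{
    size_t DataSize = 0;
    EFI_STATUS st = GetVariable("Setup", &DataSize, NULL);   /* size probe */
    if (st != EFI_BUFFER_TOO_SMALL) return st;
    /* BUG: DataSize may exceed DATA_BUF_LEN; the copy below then runs past the
     * buffer, which is the overflow in the three Lenovo DXE drivers. */
    return GetVariable("Setup", &DataSize, region);
}

/* Fix: pass the size of the buffer we actually own and treat
 * EFI_BUFFER_TOO_SMALL as an error (or allocate DataSize bytes from pool and
 * retry, if larger variables are legitimate). Nothing is copied on failure. */
static EFI_STATUS hardened_read_setup(uint8_t region[REGION_LEN], size_t *out_len)
{
    size_t DataSize = DATA_BUF_LEN;
    EFI_STATUS st = GetVariable("Setup", &DataSize, region);
    if (st == EFI_SUCCESS) *out_len = DataSize;
    return st;
}

/* Scenario driver: store a var_size-byte variable (constructed, all 'A'), read
 * it back with one caller and report the status plus how many bytes landed
 * past the Data buffer. Zero is the only acceptable overflow. */
struct outcome { EFI_STATUS status; size_t overflow; };
static struct outcome run_scenario(size_t var_size, int use_hardened)
{
    uint8_t value[REGION_LEN], region[REGION_LEN];
    struct outcome out = { EFI_SUCCESS, 0 };
    size_t len = 0;
    if (var_size > REGION_LEN) var_size = REGION_LEN;   /* keep the demo in bounds */
    memset(value, 'A', sizeof value);
    set_nvram_variable(value, var_size);
    memset(region, FILL_BYTE, sizeof region);
    out.status = use_hardened ? hardened_read_setup(region, &len)
                              : vulnerable_read_setup(region);
    for (size_t i = DATA_BUF_LEN; i < REGION_LEN; i++)
        if (region[i] != FILL_BYTE) out.overflow++;
    return out;
}

int main(void)
{
    struct outcome v = run_scenario(48, 0), h = run_scenario(48, 1);
    printf("48-byte variable: vulnerable caller overran by %zu bytes; hardened "
           "caller overran by %zu and returned %s\n", v.overflow, h.overflow,
           h.status == EFI_BUFFER_TOO_SMALL ? "EFI_BUFFER_TOO_SMALL" : "EFI_SUCCESS");
    return 0;
}
```

The driver’s mistake is treating the size the firmware reports as if it were the size of the buffer it owns. Since an OS-level attacker with the right privileges can rewrite the NVRAM variable before the next boot, that size is attacker-controlled and the second call writes past the fixed buffer. Passing the real buffer length on input, as hardened_read_setup does, turns the same oversized variable into EFI_BUFFER_TOO_SMALL with nothing copied.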

ESET researchers pointed out that the issues are a typical UEFI “double GetVariable” vulnerability, a pattern that can also be identified in firmware code with the efiXplorer IDA plugin from Binarly (@binarly_io). However, ESET did not find these three vulnerabilities with the plugin, because the pattern was not yet covered by it at the time of discovery.

Owners of affected devices are highly recommended to update to the latest firmware version. The list of models affected by the three issues and the firmware updates are reported in the Lenovo Advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, Lenovo)


Categories: Cyber Security News

New 'Retbleed' Speculative Execution Attack Affects AMD and Intel CPUs

The Hacker News - Wed, 07/13/2022 - 10:22
Security researchers have uncovered yet another vulnerability affecting numerous older AMD and Intel microprocessors that could bypass current defenses and result in Spectre-based speculative-execution attacks. Dubbed Retbleed by ETH Zurich researchers Johannes Wikner and Kaveh Razavi, the issues are tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel), with the chipmakers releasing 
Categories: Cyber Security News

U.S. FTC Vows to Crack Down on illegal Use and Sharing of Citizens' Sensitive Data

The Hacker News - Wed, 07/13/2022 - 07:55
The U.S. Federal Trade Commission (FTC) warned this week that it will crack down on tech companies' illegal use and sharing of highly sensitive data and false claims about data anonymization. "While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly-disguised online
Categories: Cyber Security News

New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models

The Hacker News - Wed, 07/13/2022 - 07:47
Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting over 70 product models. "The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," Slovak cybersecurity
Categories: Cyber Security News

Microsoft Warns of Large-Scale AiTM Phishing Attacks Against Over 10,000 Organizations

The Hacker News - Wed, 07/13/2022 - 06:26
Microsoft on Tuesday disclosed that a large-scale phishing campaign targeted over 10,000 organizations since September 2021 by hijacking Office 365's authentication process even on accounts secured with multi-factor authentication (MFA). "The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC)
Categories: Cyber Security News

5 Questions You Need to Ask About Your Firewall Security

The Hacker News - Wed, 07/13/2022 - 06:23
Often, organizations think of firewall security as a one-and-done type of solution. They install firewalls, then assume that they are "good to go" without investigating whether or not these solutions are actually protecting their systems in the best way possible. "Set it and forget it!" Instead of just relying on firewalls and assuming that they will always protect their businesses from cyber
Categories: Cyber Security News

Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware

The Hacker News - Wed, 07/13/2022 - 04:51
Cybersecurity researchers have uncovered new variants of the ChromeLoader information-stealing malware, highlighting its evolving feature set in a short span of time. Primarily used for hijacking victims' browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter
Categories: Cyber Security News
