Malware, Vulnerability management

ExpressLRS Protocol, Pi Pico W Wireless, Apple v. Spyware, & Lenovo UEFI Flaws – PSW #747

In the Security News for this week: Raspberry Pi Pico W Adds Wireless, Apple expands commitment to protect users from mercenary spyware, UK health authorities slammed for WhatsApp use in pandemic, Three UEFI Firmware flaws found in tens of Lenovo Notebook models, & a Hack Allows Drone Takeover Via ‘ExpressLRS’ Protocol!

Full episode and show notes

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
  1. 1. Matthew Garrett on Twitter - According to Lenovo, laptops being shipped with Secure Cored PCs will not trust the Microsoft 3rd party CA by default, you will have to go into the BIOS and enable it. This means if you are running Linux and want Secure Boot, you have to go into the BIOS and enable it. I don't see the security benefits here.
  2. 2. Three UEFI Firmware flaws found in tens of Lenovo Notebook models - "The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” wrote ESET in a series of tweets. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call."
  3. 3. Microsoft announced the general availability of Windows Autopatch feature - Sounds like what many large organizations are already doing: "A robust update process leverages update deployment rings. The Windows Autopatch feature works dynamically creating 4 testing rings, each of them representative of all the diversity in an enterprise. The updates are initially tested on a small set of devices, then if the installation creates no problems, the installation is extended to increasingly larger sets, with an evaluation period at each progression. “The ‘test ring’ contains a minimum number of representative devices. The ‘first’ ring is slightly larger, containing about 1% of all devices under management. The ‘fast’ ring contains about 9% of endpoints, with the rest assigned to the ‘broad’ ring.” continues the announcement."
  4. 4. Vulnerability in AWS IAM Authenticator for Kubernetes could allow user impersonation, privilege escalation attacks - "Researcher Gafnit Amiga of Lightspin detailed in a blog post how an attacker can send two different variables with the same name but with different uppercase and lowercase characters – for example, they are able to send both ‘Action’ and ‘action’. Amiga explained: “Since both [variables in the vulnerable code] are… ‘ToLower’, the value in the queryParamsLower dictionary will be overridden while the request to AWS will be sent with both parameters and their values."
  5. 5. Sneaky New Orbit Malware Backdoors Linux Devices
  6. 6. New ‘Retbleed’ Speculative Execution Attack Affects AMD and Intel CPUs - "Retbleed aims to hijack a return instruction in the kernel to gain arbitrary speculative code execution in the kernel context. With sufficient control over registers and/or memory at the victim return instruction, the attacker can leak arbitrary kernel data." The core idea, in a nutshell, is to treat return instructions as an attack vector for speculation execution and force the returns to be predicted like indirect branches, effectively undoing protections offered by Retpoline." and updating: "Windows operating system uses IBRS by default, so no update is required," Intel said in an advisory, noting it worked with the Linux community to make available software updates for the shortcoming."
  7. 7. Hack Allows Drone Takeover Via ‘ExpressLRS’ Protocol
  8. 8. Microsoft pauses once-touted macro security change
  9. 9. Apple previews Lockdown Mode, a new extreme security feature
  10. 10. ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks – Lumen
  11. 11. Maastricht University wound up earning money from its ransom payment
  12. 12. The Mars Express spacecraft is finally getting a Windows 98 upgrade
  13. 13. HACKERS: Matthew Lillard A.K.A. Cereal Killer Interview - https://m.youtube.com/watch?v=WaEudnuQBOM
  14. 14. A New, Remarkably Sophisticated Malware Is Attacking Routers
  15. 15. Dynamic analysis of firmware components in IoT devices
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. 1. UK health authorities slammed for WhatsApp use in pandemic - The UK Information Commissioner's Office (ICO) on Monday issued a reprimand and called for a review of how and whether messaging services should be used for government business practices, after finding widespread and potentially dangerous use of private email, WhatsApp and other messaging tools by officials at the Department of Health and Social Care (DHSC).
  2. 2. Hackers can unlock Honda cars remotely in Rolling-PWN attacks - Researchers say they have discovered that various modern Honda vehicles have a vulnerable (medium-severity) rolling code mechanism (CVE-2021-46145) they have dubbed "Rolling-PWN" that allows individuals to remotely unlock the doors and start the car's engine. Researchers found that the counter in Honda vehicles is resynchronized when the car vehicle gets lock/unlock commands in a consecutive sequence. This causes the car to accept codes from a previous session, which should have been invalidated.
  3. 3. AWS patches ‘one bug, three vulnerabilities’ authentication error - Kubernetes code enabled privilege escalation. An error in one line of code in an AWS authentication component has created a trio of security bugs. CVE-2022-2385, the bug is a mistake in parameter validation – the code doesn’t check the capitalization of parameters passed to it.
  4. 4. OpenSSL version 3.0.5 fixes a flaw that could potentially lead to RCE - The OpenSSL development team has released a fix to address a high-severity memory corruption flaw (CVE-2022-2274) affecting the OpenSSL library that could be exploited by attackers to perform remote code execution. Affects 3.0.4, update to 3.0.5
  5. 5. Hacktivists claiming attack on Iranian steel facilities dump tranche of ‘top secret documents’ - The group claiming responsibility for cyberattacks on multiple Iranian steel facilities last month posted almost 20 gigabytes (GB) of data on July 7, 2020, which included corporate documents showing that the facilities are affiliated with Iran's Islamic Revolutionary Guard Corp.
  6. 6. QNAP warns of new Checkmate ransomware targeting NAS devices - NAS vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data. QNAP says the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.
prestitial ad