Tuesday21 March 2023

Sean Kalinich

Sean Kalinich

The Security Group Binarly has disclosed 16 high-severity vulnerabilities in different implementations of UEFI firmware in HP Enterprise devices. The list of affected devices includes Laptops, Desktops, POS (point-of-sale) and edge computing nodes. The vulnerabilities range in severity from 7.5 to 8.8 putting them square in the high-severity range. The discovery also may affect additional manufacturers via a reference code match that has led to AMD’s firmware driver (AgesaSmmSaveMemoryConfig). This AMD reference code means that some vulnerabilities may exist across the entire computing ecosystem.

Linux, often thought of as a more secure alternative to Microsoft, has not had an easy year. We have seen vulnerabilities that affect the iSCSI subsystem, the Extended Berkeley Packet Filter, the Polkit pkexec component bug and now two Kernel bugs. The latest one, dubbed “dirty pipe” It is a method that could allow a “local” user to overwrite read-only files including SUID flies.

Supply chain attacks are always a concern when it comes to device manufacture and distribution. If an attacker can compromise a part of the supply or management chain, they can affect a large part of the market with relatively minimal effort. The SolarWinds supply chain attack is a perfect example of this type of attack that successfully compromised multiple businesses with only one real “attack”. Now security researchers have disclosed a new group of vulnerabilities in PTC’s Axeda software that allow them to attack the devices after distribution.

In early February, rumors about a potential acquisition of Mandiant by Microsoft started to circle the internet. The response was not positive with many feeling that it was allowing the fox to run the chicken coop. Although unpopular the rumor did make sense on a few levels. However, regardless of whether the rumors were true or not, Microsoft is not buying Mandiant; Google is. Yes, Google is scooping up Mandiant for a cool $5.4 Billion.

Earlier today we reported that the same group that hit NVIDIA and stole source code along with employee logins also hit Samsung and stole around 190GB of source code data related to how galaxy mobile devices operate. The data, according to the Lapsus$ group, covers the bootloader for the trust zone and trusted apps, how galaxy devices encrypt data and other code operating fundamentals.

Mozilla is urging users to update to the latest version of Firefox after two vulnerabilities (CVE-2022-26485 and CVE-2022-26486) have been found to be actively exploited in the wild. Both vulnerabilities are listed as use-after-free vulnerabilities. This type of vulnerability relies on issues in determining which part of an application is responsible for cleaning up used memory. By leveraging this an attacker can set up a situation where they can re-use a part of memory that was freed up by a legitimate process.

The Lapsus$ group, the same ones that broke into NVIDIA and Stole corporate data and had their attack VM encrypted, appear to have also broken into Samsung. Lapsus$ has leaked what they claim to be source code for several sensitive applications include apps that run in the Trust Zone on Samsung Mobile Devices.

As mobile devices continue to be a focus for attackers, we are hearing that there is new banking malware in the Google Play Store. The new malware belongs to a the SharkBot family and, according to researchers, is also a new generation thanks to included features found inside. The biggest difference between SharkBot and other banking malware is that SharkBot allows the developers to steal money in a highly automated fashion.

IoT devices in general are the bane of most security teams. Typically, they lack basic security features and are complicated at best to keep patched. Much of this is due to the process needed to patch them and the rest of due to vendors being slow to push out the updated/patched images. To further complicate this, in the medical world you have the demand for 100% uptime and the ever-popular FDA exclusions that far too many vendors operate under. This usually means that on any given day Medical IoT devices are an attack surface waiting to be attacked.

In one of the “odder” breaches that we have covered, NVIDIA has confirmed it was the victim of a breach that resulted in the loss of data. Information about the breach first crossed our paths about a week ago, but much of the information was speculation and some of the claims seemed very unusual. One of the most unusual was a claim by the alleged hacking group LAPSUS$ that NVIDIA had actually hacked them back.

Page 6 of 210