blog.L4networks.com | Page 2 | L4 Networks Blog

Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us

As reported here in Ars Technica

Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.
Exotic, yes. Rare, no.

On Monday, researchers from Kaspersky profiled CosmicStrand, the security firm’s name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. The find is among only a handful of such UEFI threats known to have been used in the wild. Until recently, researchers assumed that the technical demands required to develop UEFI malware of this caliber put it out of reach of most threat actors. Now, with Kaspersky attributing CosmicStrand to an unknown Chinese-speaking hacking group with possible ties to cryptominer malware, this type of malware may not be so rare after all.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described,” Kaspersky researchers wrote. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”

While researchers from fellow security firm Qihoo360 reported on an earlier variant of the rootkit in 2017, Kaspersky and most other Western-based security firms didn’t take notice. Kaspersky’s newer research describes in detail how the rootkit—found in firmware images of some Gigabyte or Asus motherboards—is able to hijack the boot process of infected machines. The technical underpinnings attest to the sophistication of the malware.

A rootkit is a piece of malware that runs in the deepest regions of the operating system it infects. It leverages this strategic position to hide information about its presence from the operating system itself. A bootkit, meanwhile, is malware that infects the boot process of a machine in order to persist on the system. The successor to legacy BIOS, UEFI is a technical standard defining how components can participate in the startup of an OS. It’s the most “recent” one, as it was introduced around 2006. Today, almost all devices support UEFI when it comes to the boot process. The key point here is that when we say something takes place at the UEFI level, it means that it happens when the computer is starting up, before the operating system has even been loaded. Whatever standard is being used during that process is only an implementation detail, and in 2022, it will almost always be UEFI anyway.

China’s Surveillance State Methods

New York Times excellent investigation into China’s Surveillance State Methods.

https://nyti.ms/3xHUiIX

ESET Helps identify and prevent Industroyer2 from shutting off power to 2 million people in Ukraine

ESET researchers working with Microsoft and Ukraine’s cybersecurity team were able to identify and prevent Industroyer2 from shutting off power to 2 million people.

Key points:

ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
We assess with high confidence that the APT group Sandworm is responsible for this new attack

A thug, a bully and a murderer

Great “local” Letter to editor from a citizen. We need more like them! Source Daily Chronicle

“A thug, a bully and a murderer.”

Those are the words used by the late Senator John McCain to characterize Russian dictator Vladimir Putin.

“Genius. Wonderful. Very savvy.”

Those are the words of Donald Trump, the leader for the past seven years of Russia and Putin’s Fifth Column in the United States describing Putin’s actions in Ukraine.

Putin’s playbook is Hitler’s playbook. As Hitler claimed ethnic German speakers in Czechoslovakia (Sudetenland), Austria and Poland were minorities being persecuted in those countries (untrue) and he, Hitler was riding to their “rescue” by invading those countries, so Putin claims ethnic Russians in Ukraine are a minority being persecuted. That they are now the victims of “genocide.” That is simply a lie. There is no evidence of that. Putin to the “rescue.”

As Russian tanks prepare to crush the lives and bones of Ukrainians whose only transgression has been to strive for a better future by looking to the democratic countries of Europe and the United States, Donald Trump heaps praise on his master, Vladimir Putin, for his actions. Trump’s words, like those of American and British Fifth Columnists during World War II, are being played in Russia to convince the Russian people that Putin is not a thug, a bully and a murderer.

Yes, Donald Trump is a traitor. He is a traitor to everything America has stood for, if at times imperfectly for the last 240 years. He does not believe in democracy or freedom. He believes in dictatorship. He would like to have in the United States what Vladimir Putin has in Russia. What Adolph Hitler had in Nazi Germany. Absolute power.

How much evidence do his cult followers need? Is that what they want also? This is a war between democracy and autocracy in the United States and in the world. The choices made in the next two years will determine what America and the world will be in this century.

There are many Trump supporters in Lewis County and in the rest of our 3rd Congressional District. Republican candidate Joe Kent heartily embraces Trump and his MAGA anti-Americanism.

Kent and many other Trump supporters are military veterans. They should think long and hard about their support for a man that simply does not believe in the constitutional values of this country. As president he brazenly violated constitutional values. He sneered at them. The Constitution is what those in the military are sworn to protect, not Donald Trump or any other one person.

To those in our 3rd District who embrace a pathological liar and a true scoundrel like Trump I would say by doing so you dishonor yourselves and history will notice. I would also say you are much better people than anything Trump represents.

Note to Marty – both individuals have progressed from Bully to Lunacy. Add power to the mix and you have an extremely dangerous situation.

Wonder What Happens When Autocrats Run Things?

The autocrat in mind is neither a “genius” or “savvy” – just one that rejigged the rules it give himself absolute power and without the mechanism for recall. Sound familiar?

Indeed, the person who called him a “genius”..savvy” was the same person that was and still is trying to execute the same same playbook and rejig things to give himself absolute power.

Look, democracy may not be perfect, but it is a whole lot better than the results that spring forth when autocrats and dictators reign.

Oh, in case you missed it, the short answer to question “Wonder What Happens When Autocrats Run Things?” Answer: Ukraine 24 January 2022 and January 6, 2021. Both are ongoing, and cooler democratic heads need to put an stop to both.

QR Codes Can Be Dangerous to Your Cyber Health

Like using QR codes? Maybe think again. It is as bad, or maybe worse, than clicking on an unverified link in an email.

“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”

See the FBI Public Service Announcement at https://www.ic3.gov/Media/Y2022/PSA220118 for more information.

Trojan Teddy Bears??

It seems that some malefactors are sending out unsolicited packages to all manor of organizations with what looks like a USB “thumb drive” in them (reportedly some have the logo “LilyGO”) along with things like bogus gift cards, teddy bears and the like. Of course good security practices dictate that one should never plug it in such a “present” – you never know what the USB device might contain. In this case these devices, when plugged into a computer system, cause the USB device to automatically inject a series of keystrokes in order to download and execute a malware payload – including ransomware.

Apparently this has been going on since at least August.

Some Security News to Start the year

Here are few things

Apache Log Bug (s….) Bad things come in threes: Apache reveals another Log4J bug Third major fix in ten days is an infinite recursion flaw rated 7.5/10 see https://www.theregister.com/2021/12/19/log4j_new_flaw_cve_2021_45105/

And IoT not getting any better: Security vendor F-Secure has faked a COVID test result on a Bluetooth-equipped home COVID Test. Thankfully the vendor’s since fixed the device. see https://www.theregister.com/2021/12/22/ellume_home_covid_test_cracked/

Happy Birthday to KrepsOnSecurity! Maybe “celebrate” is too indelicate a word for a year wracked by the global pandemics of COVID-19 and ransomware. Especially since stories about both have helped to grow the audience here tremendously in 2021. But this site’s birthday also is a welcome opportunity to thank you all for your continued readership and support, which helps keep the content here free to everyone. Keep up the fine work Brian! More here: https://krebsonsecurity.com/

Happy New Year

Can’t say I will be any better at posting stuff this year. Just not enough time./..

Instagram – The Return of the Barbie Doll

What exactly are we talking about here? Say you’re a 13-year-old girl who is beginning to feel anxious about your appearance, who has followed some diet influencers online. Instagram’s algorithm might suggest more extreme dieting accounts with names such as “Eternally starved,” “I have to be thin” and “I want to be perfect.” …“As these young women begin to consume this eating disorder content, they get more and more depressed,” she said. “It actually makes them use the app more. And so they end up in this feedback cycle where they hate their bodies more and more.”…

Mark Zuckerberg participated in the ritual of ranking girls too. When he was experimenting before building Facebook, as a student at Harvard, he put his female classmates’ photos on his now-notorious “Facemash” website, where students could rank and compare the students’ headshots based on how hot they were. He wrote at the time, “I almost want to put some of these faces next to pictures of farm animals and have people vote on which is more attractive.”…

Many of these messages are conveyed under the guise of health or wellness, but Facebook’s leaked research suggests that this charade does less to promote health than to damage it. No school health class or parental reassurance is a match for the might of these powerful tech platforms, combined with entire industries that prey on girls’ insecurities. Girls themselves often know Instagram is not good for them, but they keep coming back.

That’s because social media is addictive. Writing in The Atlantic, Derek Thompson called it “attention alcohol,” explaining, “Like booze, social media seems to offer an intoxicating cocktail of dopamine, disorientation, and, for some, dependency.” We are supposed to protect minors from products like this, not dish it out.

…

But more telling than what Silicon Valley parents say is what they do. Many of them have long known that technology can be harmful: That’s why they’ve often banned their own children from using it.

Ultimately, Instagram is just a vicious messenger. But the cesspool of content fueling it? That comes from us.

Fill Op Ed Here in NYT

Well it may be easy to shift the blame to parents, but as a parent, it is wrong footed. You can try to keep kids screen time down, but he influence creeps in sideways via peers. We always had peers growing up, but never the turbo charged razor targeted advertising that spills out of big tech.