Tag Archive for: boot

Two Microsoft Windows bugs under attack, one in Secure Boot with a manual fix • The Register


May’s Patch Tuesday brings some good and some bad news, and if you’re a glass-half-full type, you’d lead off with Microsoft’s relatively low number of security fixes: a mere 38.

Your humble vulture, however, is a glass-half-empty-and-who-the-hell-drank-my-whiskey kind of bird, so instead of looking on the bright side, we’re looking at the two Microsoft bugs that have already been found and exploited by miscreants. Plus a third vulnerability, which has been publicly disclosed. We’d suggest patching these three stat.

Six of the 38 vulnerabilities are deemed “critical” because they allow remote code execution.

The two that are under active exploit, at least according to Microsoft, are CVE-2023-29336, a Win32k elevation of privilege vulnerability; and CVE-2023-24932, a Secure Boot security feature bypass vulnerability, which was exploited by the BlackLotus bootkit to infect Windows machines. Interestingly enough, BlackLotus abused CVE-2023-24932 to defeat a patch Microsoft issued last year that closed another bypass vulnerability in Secure Boot. Thus Redmond fixed a hole in Secure Boot, and this malware abused a second bug, CVE-2023-24932, to get around that.

CVE-2023-29336 is a 7.8-out-of-10 rated flaw in the Win32k kernel-mode driver that can be exploited to gain system privileges on Windows PCs. 

“This type of privilege escalation is usually combined with a code execution bug to spread malware,” Zero Day Initiative’s Dustin Childs said. “Considering this was reported by an AV company, that seems the likely scenario here.”

Redmond credited Avast bug hunters Jan Vojtešek, Milánek, and Luigino Camastra with finding and disclosing the bug.

Time to boot out a threat

Meanwhile, CVE-2023-24932 received its own separate Microsoft Security Response Center (MSRC) advisory and configuration guidance, which Redmond says is necessary to “fully protect against this vulnerability.”

“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled,” MSRC warned. “This is used by threat actors primarily as a persistence and defense evasion mechanism.”

It also noted, however,…

Source…

Intel Boot Guard private keys have reportedly leaked, compromising the security of many computers


It seems like every other day there are scumbags out there perpetrating a new hack, taking advantage of a vulnerability or trying to extort people with ransomware. MSI is the latest victim, with hackers leaking material stolen from a breach of MSI’s systems last month.

This one has the potential to be serious. According to tweets by Alex Matrosov, the founder of Binarly, at least some of the previously stolen 1.5TB of data has been leaked. The data includes private keys, some of which appear to be Intel Boot Guard keys. The leak of such keys doesn’t just affect MSI systems, but those from other vendors too, including Lenovo and Supermicro.

Source…

BlackLotus Secure Boot Bypass Malware Set to Ramp Up


BlackLotus, the first in-the-wild malware to bypass Microsoft’s Secure Boot (even on fully patched systems), will spawn copycats and, available in an easy-to-use bootkit on the Dark Web, inspire firmware attackers to increase their activity, security experts said this week.

That means that companies need to increase efforts to validate the integrity of their servers, laptops, and workstations, starting now.

On March 1, cybersecurity firm ESET published an analysis of the BlackLotus bootkit, which bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot. Microsoft introduced Secure Boot more than a decade ago, and it’s now considered one of the foundations of its Zero Trust framework for Windows because of the difficulty in subverting it.

Yet threat actors and security researchers have targeted Secure Boot implementations more and more, and for good reason: Because UEFI is the lowest level of firmware on a system (responsible for the booting-up process), finding a vulnerability in the interface code allows an attacker to execute malware before the operating system kernel, security apps, and any other software can swing into action. This ensures the implantation of persistent malware that normal security agents will not detect. It also offers the ability to execute in kernel mode, to control and subvert every other program on the machine — even after OS reinstalls and hard drive replacements — and load additional malware at the kernel level.

There have been some previous vulnerabilities in boot technology, such as the BootHole flaw disclosed in 2020 that affected the Linux bootloader GRUB2, and a firmware flaw in five Acer laptop models that could be used to disable Secure Boot. The US Department of Homeland Security and Department of Commerce even recently warned about the persistent threat posed by firmware rootkits and bootkits in a draft report on supply chain security issues. But BlackLotus ups the stakes on firmware issues significantly.

That’s because while Microsoft patched the flaw that BlackLotus targets (a vulnerability known as Baton Drop or CVE-2022-21894), the patch only makes exploitation more difficult — not…

Source…

BlackLotus Malware Bypasses Secure Boot on Windows Machines



First in-the-Wild Bootkit Exploits Microsoft Vulnerability, Boots Up on Windows 11


Eset researchers discovered the first in-the-wild bootkit malware, called BlackLotus, bypassing security and booting up on fully up-to-date Windows 11 systems.


Security researchers found the Unified Extensible Firmware Interface bootkit in 2022 being sold on hacking forums for $5,000.

Secure Boot is the industry standard for ensuring only trusted boot components and operating systems can boot up a computer. BlackLotus malware can run on fully patched Windows 11 systems despite UEFI Secure Boot being enabled. It exploits a vulnerability that is more than a year old, tracked as CVE-2022-21894, to bypass UEFI Secure Boot and set up persistence for the bootkit.

Microsoft fixed this vulnerability in its January 2022 patch update, but the affected, validly signed boot binaries were not added to the UEFI revocation database (DBX), so BlackLotus simply brings its own copies of those vulnerable binaries to the system and exploits them there.
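The point shared by the Dark Reading excerpt above (“the patch only makes exploitation more difficult”) and this one is that a Secure Boot fix only closes the door if the old, still-validly-signed binaries are revoked in the firmware’s forbidden-signature database (dbx). A practitioner therefore wants to read the dbx variable and check whether a given boot binary hash is in it. The following is an added example, not code from ESET, Microsoft or any of the outlets quoted here: it parses the UEFI EFI_SIGNATURE_LIST format that dbx uses and answers “is this SHA-256 revoked?”. The dbx blob it runs on is constructed inline and the hashes in it are invented, not real Windows Boot Manager or BlackLotus hashes; the SignatureOwner GUID is likewise just a sample value.

```python
"""Parse a UEFI dbx (forbidden signatures) variable and check revocation.

Added example, not code from the articles or vendors discussed on this page.
SAMPLE_DBX below is CONSTRUCTED; its hashes are invented for the demo.
"""
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Owner GUID used only to build the constructed sample (any GUID is valid here).
SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

HEADER_LEN = 16 + 4 + 4 + 4  # SignatureType + ListSize + HeaderSize + SignatureSize


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, signature_data) for every entry in the blob.

    Layout of one EFI_SIGNATURE_LIST (several are concatenated in dbx):
      EFI_GUID SignatureType        16 bytes, mixed-endian GUID
      UINT32   SignatureListSize    whole list including this header
      UINT32   SignatureHeaderSize  usually 0
      UINT32   SignatureSize        size of ONE EFI_SIGNATURE_DATA entry
      UINT8    SignatureHeader[SignatureHeaderSize]
      EFI_SIGNATURE_DATA Signatures[]: 16-byte SignatureOwner GUID + data
    Malformed sizes raise instead of silently yielding garbage.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body_start = off + HEADER_LEN + hdr_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError("list body is not a whole number of entries")
        for entry in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[entry:entry + 16])
            yield sig_type, owner, blob[entry + 16:entry + sig_size]
        off = body_end


def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 image hashes in dbx, as lowercase hex. X.509 entries are skipped."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE Authenticode SHA-256 (not a plain file hash) is in dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)


def strip_efivars_attributes(raw: bytes) -> bytes:
    """Linux /sys/firmware/efi/efivars/dbx-... files carry a 4-byte attribute prefix."""
    return raw[4:]


def build_sha256_list(hashes_hex, owner=SAMPLE_OWNER) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST of SHA-256 entries (used to build the sample)."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", HEADER_LEN + len(entries), 0, 16 + 32)
            + entries)


def build_x509_list(der: bytes, owner=SAMPLE_OWNER) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST holding a single X.509 entry."""
    entry = owner.bytes_le + der
    return (EFI_CERT_X509_GUID.bytes_le
            + struct.pack("<III", HEADER_LEN + len(entry), 0, len(entry))
            + entry)


# Constructed sample dbx: two invented revoked image hashes plus one fake
# X.509 entry (not a real certificate) to show that mixed lists parse cleanly.
SAMPLE_REVOKED = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED) + build_x509_list(b"not-a-real-der-cert")

if __name__ == "__main__":
    for h in SAMPLE_REVOKED + ["33" * 32]:
        print(h[:16] + "...", "REVOKED" if is_revoked(SAMPLE_DBX, h) else "not revoked")
```

To run this against a real machine, export the variable first (on Windows, `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin`; on Linux, read `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and pass it through `strip_efivars_attributes`), then compare against the Authenticode hash of the boot manager you are worried about. Because dbx entries are hashes of the signed PE image as Authenticode computes them, `sha256sum bootmgfw.efi` will not match; use a tool that produces the Authenticode digest. If the vulnerable binaries a bootkit ships are absent from your dbx, the January 2022 patch alone does not stop them from loading.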

A proof-of-concept exploit for this vulnerability has been publicly available since August 2022.

The malware can disable OS security mechanisms such as BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender.

Martin Smolár, a malware analyst at Eset, says UEFI bootkits are very powerful threats. By gaining complete control over the OS boot process, he says, threat actors can disable “various OS security mechanisms” by “deploying their own kernel-mode or user-mode payloads in early OS startup stages.”

This enables threat actors to operate stealthily…

Source…