Tag Archive for: Bypasses

BlackLotus Malware Bypasses Secure Boot on Windows Machines

First in-the-Wild Bootkit Exploits Microsoft Vulnerability, Boots Up on Windows 11

Eset researchers discovered the first in-the-wild bootkit malware, called BlackLotus, bypassing security and booting up on fully up-to-date Windows 11 systems.

Security researchers found the Unified Extensible Firmware Interface bootkit in 2022 being sold on hacking forums for $5,000.

Secure Boot is the industry standard for ensuring that only trusted operating systems can boot a computer. BlackLotus can run on fully patched Windows 11 systems despite UEFI Secure Boot being enabled. It exploits a vulnerability that is more than a year old, tracked as CVE-2022-21894, to bypass UEFI Secure Boot and establish persistence for the bootkit.

Microsoft fixed this vulnerability in its January 2022 patch update, but BlackLotus brings its own copies of the still-vulnerable, validly signed binaries onto the system in order to exploit it.

A proof-of-concept exploit for this vulnerability has been publicly available since August 2022.

The malware can disable OS security mechanisms such as BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender.

Martin Smolár, a malware analyst at Eset, says UEFI bootkits are very powerful threats. By gaining complete control over the OS boot process, he says, threat actors can disable “various OS security mechanisms” by “deploying their own kernel-mode or user-mode payloads in early OS startup stages.”

This enables threat actors to operate stealthily…


Network Pivots, Patch Bypasses: Exploits Hit Hard …


An analysis of 50 vulnerabilities finds a spectrum of risk, from widespread vulnerabilities exploited by a variety of attackers to serious issues that will likely be exploited in 2021.

In 2020, security teams had to endure a great deal of chaos — not just from the events caused by the pandemic, but by a significant series of changes in the vulnerability landscape, according to Rapid7.

In its “2020 Vulnerability Intelligence Report,” released today, the security firm documented 50 vulnerabilities representing shifts that defenders had to contend with. Fourteen vulnerabilities were exploited by nation-state actors and cybercriminals in indiscriminate campaigns that impacted a wide variety of organizations, 16 vulnerabilities were used in targeted attacks by sophisticated actors, and 20 flaws have not yet been seen in the wild but are expected to be used by attackers in their campaigns.

The company delves into the threats to offer defenders a better understanding of what constituted dangerous vulnerabilities in 2020, says Caitlin Condon, manager of software engineering at Rapid7.

“There was a pervasive feeling in the information-security community, especially among defenders, that the sky was falling nearly all the time,” she says. “It is often very difficult for the people in charge of security to look at all the research materials and all the artifacts — at all the information about a vulnerability — and determine why a vulnerability may matter or not matter for their risk model.”

In the report, Rapid7 breaks down the threats into flaws exploited indiscriminately in widespread attacks (28%), security issues — often, zero-day vulnerabilities — used in targeted attacks (32%), and vulnerabilities the company considers to be impending threats (40%).

Among the most serious threats were attacks on network and security appliances that allowed the attacker to pivot from outside the network to the internal network. So-called network pivots were discovered in Citrix NetScaler, SonicWall SonicOS, Palo Alto Networks PAN-OS, and the Sophos XG Firewall.

“For many network defenders, June 29 through July 29, 2020 was a particularly nightmarish stretch of an already challenging year: No…


Malware on Google Play: Bypasses malicious app security system and was downloaded more than 10,000 times

The app in question, Daily Food Diary, lets users photograph their food and set reminders. The alert was raised by Pradeo, a company specializing in mobile security, and the app was removed from the Google Play store on 18 January.

According to Pradeo, the application managed to evade the Play Protect scanning engine by hiding its malicious code inside an encrypted file in a folder named 0OO00l111l1l. As a measure of its sophistication, the app could detect whether it was running on an emulator and, if so, would not execute the code in that folder, so that automated analysis would not easily find it.

The application is also linked to Joker, a malware family found in more than 1,700 Google Play applications, which have likewise been removed.

Daily Food Diary requested some very unusual permissions when launched: it ran in the background and started automatically whenever the phone was powered on, so that its data collection was never interrupted. The app repeatedly asked for access to the contacts stored on the device and even to manage calls, rejecting incoming calls so they would not interrupt its operation.

If you have Daily Food Diary installed on your phone, it is strongly recommended that you remove it immediately.
