Secure Boot useless on hundreds of PCs from major vendors after key leak • The Register

Infosec in brief Protecting computer BIOS and the boot process is essential to modern security, but knowing it’s important isn’t the same as taking steps to do so.

Take for example research published last week by security experts from firmware security vendor Binarily. The researchers discovered hundreds PCs sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo, and Supermicro – and components sold by Intel – are using what appears to be a 12-year-old test platform key (PK) leaked in 2022 to protect their UEFI Secure Boot implementations.

“An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the key exchange key database, signature database, and forbidden signature database,” Binarily experts wrote.

And it’s not as if the manufacturers using the incriminated PK had no reason to know that it was unreliable and not intended for use outside the laboratory: it was stated right on the packaging.

“These test keys have strong indications that they are not trusted,” Binarily noted. “For example, the certificate issuer contains the strings ‘DO NOT TRUST’ or ‘DO NOT SHIP.’”

According to Binarily, more than ten percent of the firmware images in its dataset are vulnerable to exploitation with the rogue PK — which was released by American Megatrends International, likely as early as May 2012. The researchers observed that this issue makes this problem “one of the most enduring [supply chain vulnerabilities] of its kind.”

If an attacker were to exploit the PK in an attack, they could execute untrusted code during the boot process, even with Secure Boot enabled.

“This compromises the entire security chain, from firmware to operating system,” Binarily added.

Binarily published a free analysis tool to check systems for vulnerability to what it calls “PKFail.” Running it seems like a smart move. To address this issue, device manufacturers will need to take action.

Critical Vulnerabilities of the Week: This KEV is how old?

We start this week with a new report on a very old vulnerability being exploited in the wild.

According to NIST, a use-after-free vulnerability in Internet Explorer versions 6 through 8 allows remote attackers to execute arbitrary code – first detected and identified in nature in 2012 – is still exploited Today.

If for some reason you still have a machine running IE 6-8, maybe it’s time to put it out to pasture?

Also worth noting is a quartet of vulnerabilities identified in the Berkeley Internet Name Domain 9 DNS system reported last week by the Internet Systems Consortium (CVE-2024-4076, CVE-2024-1975, CVE-2024-1737, CVE-2024-0760).

If exploited, these vulnerabilities can lead to a denial of service. While not as critical as other vulnerabilities, the fact that they are at the DNS level warrants installing these patches as soon as possible.

Another Stalkerware Provider Hacked

It seems we can barely two weeks without another stalkerware provider getting hacked, but here we are. TechCrunch was handed over a bunch of files stolen from Minnesota-based SpyTech last week.

The files, whose authenticity has reportedly been verified, were installed on phones, tablets and computers monitored by SpyTech software, which secretly monitors machines to spy on their users’ activities. Data from more than 10,000 devices has been discovered since 2013.

Oddly enough, SpyTech’s CEO was reportedly unaware of the breach when asked about it, which shows that these stores are more interested in making money than protecting the private data they collect on behalf of their customers.

…and enable multi-factor authentication while you’re at it

Cisco Talos security researchers have published their quarterly report on incident response trends last week, and one surprising trend stands out: About 80% of ransomware incidents in the second quarter occurred in organizations whose systems did not use multi-factor authentication.

And there we thought Snowflake could have taught the world something.

Compromised credentials were the most popular way to gain initial access for the third consecutive quarter, Talos noted — much like what caused all those Snowflake failures.

Ransomware attacks increased 22% from Q1 to Q2, accounting for 30% of all incidents Talos responded to. Given the increase in attacks using stolen credentials and relying on the lack of multi-factor authentication, it might be wise to spend some time this week enabling it for everyone, without exception.

TracFone fined $16 million for three violations

Verizon subsidiary TracFone has agreed to pay $16 million to the FCC to end investigations into a trio of data breaches the company suffered between 2021 and 2023.

According to the FCC, TracFone failed to secure several of its customer database APIs, leading criminals to steal customer account and device information, as well as personally identifiable information. The breaches resulted in “numerous unauthorized deportations.”

Not to be confused with SIM card swapping – another scam that most carriers fail to prevent – ​​number porting involves the complete transfer of a number to another carrier. Both allow attackers to control customers’ devices.

TracFone has been ordered to implement mandatory cybersecurity programs “with new provisions to reduce API vulnerabilities,” as well as protections against SIM swaps and data transfers. ®