Proprietary Software Leftovers
-
Another ransomware-related lawsuit settles: Preferred Home Care
As DataBreaches reported in March 2021, this was a ransomware attack claimed by REvil threat actors in January 2021.
-
Ransomware group behind Indigo [breach] says it released stolen employee data, but nothing has appeared yet [iophk: Windows TCO]
On Wednesday night, Canada's largest bookstore chain said it would not agree to payment demands from an online group claiming affiliation with ransomware site LockBit, because it could not guarantee the money wouldn't "end up in the hands of terrorists."
-
BlackLotus bootkit can bypass Windows 11 Secure Boot: ESET
A Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has been found to be capable of bypassing an essential platform security feature, UEFI Secure Boot, according to researchers from Slovakia-based cybersecurity firm ESET.
BlackLotus uses an old vulnerability and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled, the researchers found.
-
Windows Secure Boot evaded by BlackLotus malware
Such evasion of Secure Boot protections is enabled by BlackLotus' exploitation of CVE-2022-21894, which was addressed by Microsoft in January 2022, and will also allow the deactivation of other security systems, including Windows Defender, Hypervisor-protected Code Integrity, and BitLocker, to facilitate User Account Control evasion, according to an ESET report. BlackLotus then proceeds to distribute a kernel driver that would prevent the removal of bootkit files, as well as an HTTP downloader, which would facilitate payload execution following contact with the command-and-control server, the report showed.
-
Dangerous BlackLotus bootkit can be used to hijack Windows 11 PCs
Besides running on systems with UEFI Secure Boot enabled, the bootkit can even disable built-in security mechanisms in Windows including BitLocker, HVCI and even Windows Defender. BlackLotus also leaves a kernel driver and an HTTP downloader on infected systems which allows it to communicate with a command and control (C&C) server to retrieve additional malware.
While updating to the latest version of an operating system can usually keep you protected, this bootkit exploits a vulnerability tracked as CVE-2022-21894 which has already been fixed. However, as vulnerable UEFI binaries still haven’t been revoked, BlackLotus can “stealthily operate on systems with UEFI Secure Boot enabled” according to ESET.
-
BlackLotus bypasses Secure Boot, Microsoft Defender, VBS, BitLocker on updated Windows 11
It’s capable of running on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.
It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.
-
Danish hospitals latest target of DDoS attacks on NATO-backed countries
A relatively new hacking group known as Anonymous Sudan targeted nine Region H hospitals in Denmark with DDoS attacks late on Feb. 26, bringing down their website for several hours.