UEFI Holes and Windows TCO
-
Tom's Hardware ☛ Firmware flaw affects numerous generations of Intel CPUs — UEFI code execution vulnerability found for Intel CPUs from 14th Gen Raptor Lake to 6th Gen Skylake CPUs, and TPM will not save you
The specific Phoenix SecureCore UEFI firmware vulnerability that prompted this posting is referred to as "UEFIcanhazbufferoverflow" by Eclypsium, which is just a funny way of pointing out that this is a buffer overflow exploit. The specific method in which the "UEFIcanhazbufferoverflow" exploit works is by using an unsafe call to the "GetVariable" UEFI service.
By making unsafe calls, a stack buffer overflow can be created, allowing for arbitrary code to be executed. In the BIOS or its modern counterpart, the UEFI, even a buffer overflow allows for full-system access and control to be gained very quickly, and the consequences of that happening can be challenging to remove from a PC permanently. Sometimes, it may even be impossible without replacing the machine entirely, and that's not counting passwords and such that may become compromised and still need changing between machines.
-
The Register UK ☛ Phoenix UEFI bug affects long list of Intel chip families
Security shop Eclypsium just published its account of CVE-2024-0762 (CVSSv3: 7.5) after disclosing it to Phoenix Technologies, whose UEFI firmware is affected. Phoenix Technologies provides UEFI/BIOS device firmware for Windows laptops, tablets, desktops and servers.
The researchers originally found the buffer overflow bug in Lenovo's ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen devices and soon discovered the same flaw affected multiple Intel chip families going back to Kaby Lake in 2017.
-
Windows TCO
-
TechCrunch ☛ Security bug allows anyone to spoof Microsoft employee emails
A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets.
As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft’s account security team.
-
Axios ☛ CDK Global, Change Healthcare cyberattacks highlight risks of sector-specific tech vendors
Flashback: CDK is the latest victim in a long series of cyberattacks this year that started with just one tech vendor and rippled out to hundreds, if not thousands, of incidents throughout one sector.
-
New York Times ☛ CDK Global Cyberattack Disrupts Car Sales in U.S. and Canada
The provider, CDK Global, said it was targeted in two attacks on Wednesday, prompting the company to shut down its systems to prevent the loss of customer data and to allow testing and other measures to restore its services.
-
Silicon Angle ☛ Hacking group Qilin leaks data stolen from UK medical testing provider Synnovis
The U.K.’s healthcare system, the National Health Service, said today that law enforcement agencies are working to verify the data. “The National Crime Agency and National Cyber Security Centre are working to verify the data included in the files published by the criminals,” the NHS detailed in a statement. “These files are not simple uploads and so investigations of this nature are highly complex and can take weeks if not longer to complete.”
Synnovis is a joint venture between the NHS and Synlab AG, a Munich-based provider of medical testing services. It processes blood tests for four London hospitals. A ransomware attack on June 3 saw a hacker group download data from the company’s network and disrupt some of its internal systems.
-
Threat Source ☛ Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia
The LNK-based infection chain begins with a malicious RAR file that contains a Windows shortcut file (LNK) and a hidden folder. This folder contains multiple components, including a malicious executable launcher, a legitimate executable, a malicious DLL loader, an encrypted SpiceRAT masquerading as a legitimate help file (.HLP) and a decoy PDF. The table below shows an example of the components of this attack chain and the description.
When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine. After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder.
-