PKfail Flaw Exposes Secure Boot to Unauthorized Access

Acer, DDoS attacks, Dell, firmware vulnerability, Hackers, Lenovo, Ophtek, PK Fail, secure boot, unauthorized access, , , , , , , , ,
20
Aug 2024

Hundreds of devices from vendors such as Acer, Dell, and Lenovo have been found to be left wide open to threat actors due to untrusted test keys.

These devices have been left compromised due to PKfail, a firmware supply chain vulnerability. On devices where PKfail (short for Platform Key fail) is present, threat actors can install malware with ease. This is because the presence of PKfail means hackers can bypass the Secure Boot process and gain access to the device. Naturally, unauthorized access puts a device at risk of not only being infected with malware, but also suffering data breaches and being hijacked for DDoS attacks.

As the threat of PKfail has affected some of the major PC manufacturers, it’s important we investigate this a little closer.

The Failure of PKfail

Secure Boot is an integral part of any modern PC, ensuring a device’s firmware and operating system is correctly authenticated against a secure key on the machine. The devices at the center of this security failure have, within their system, a test Secure Boot key. This is named “DO NOT TRUST” and is created by American Megatrends International (AMI), a widespread BIOS system used to start up a computer after being powered on.

The intention of the test key was simply that, a test. Vendors using AMI on their systems, for example Lenovo PCs, should have removed this test key before generating a unique Platform Key. This would then protect the BIOS system, prevent Secure Boot from being compromised, and eliminate the threat of unauthorized access via this route. However, this task was missed by numerous vendors, leaving their devices unprotected.

Threat actors, aware of this flaw, could then exploit this workaround for Secure Boot and access the compromised devices without breaking a sweat. By taking control of the machines, the attackers were able to start downloading malware such as CosmicStrand and BlackLotus to the devices. This firmware vulnerability, linked to a June 2024 release as per supply chain security firm Binarly, has affected close to 900 devices, with those affected listed here.

Staying Safe from PKfail

Vendors who have failed to the replace the test key from AMI are being encouraged to immediately rectify this on any systems waiting to be issued. End users of the affected devices should also keep an eye on firmware updates issued by the vendors, prioritizing any which mention the PKfail flaw. Binarly has also given end users a helping hand by creating the pk.fail website, where those at risk can scan firmware binaries to identify any PKfail-vulnerable devices.

PC users, therefore, should be aware of the risk that even newly shipped products, with the latest firmware and patches in place, can be compromised straight out of the box. Forgetting the debacle of the Crowdstrike update debacle, promptly installing updates is one of the best ways to maintain your PC’s security.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

How AI is Revolutionizing Cyber Threats

anti-malware tools, Artificial Intelligence, cyber attacks, Ophtek, phishing training, , , ,
13
Aug 2024

Threat actors are increasingly turning to artificial intelligence (AI) and generative AI technologies to launch cyberattacks against businesses.

Technology is always advancing, and AI represents the future of where technology is likely to head. AI is also a powerful force for good, with countless benefits on offer for society. But it’s also a technology which can be exploited by threat actors. The development of AI means more sophisticated attacks can be launched with more ease and cause more damage. Therefore, businesses need to be on their guard against these new attack methods.

Why is AI So Dangerous?

Creating malware and sending it out into the digital wild is a complex and time-consuming task for threat actors. AI and generative AI remove this obstacle by allowing threat actors to automate complex tasks and generate realistic content e.g. creating malware code automatically and writing realistic phishing emails without spelling mistakes. This means phishing emails, for example, have the potential to become much more engaging and dangerous.

Another area where AI can be subverted is within the realm of vulnerability detection. No longer do threat actors have to spend their time manually analyzing security systems to discover weaknesses. Instead, they can delegate this duty to AI tools which quickly and accurately scan data to highlight vulnerabilities e.g. checking for outdated operating systems and software. The threat actor will then know which vulnerabilities are available to target.

When it comes to generative AI, the potential for successful social engineering attacks is significantly enhanced. This is down to the emergence of deepfakes, a type of content which appears to be genuine but is 100% fake. Deepfakes can take the form of audio, video, and text content to deceive recipients into acting on any call-to-actions at the heart of the content. So, for example, a threat actor could generate a voice note which purports to be a senior executive requesting a password. Deepfakes are already disturbingly realistic, and their authenticity is only going to increase.

How Can You Stay Safe from AI?

The prospect of AI, in terms of cybersecurity attacks, is concerning, but it’s a threat which can be countered. For one thing, the very reasons why threat actors have adopted AI can also be adopted into your defenses. Anti-malware tools such as McAfee are now using AI technology to combat malicious AI-generated content. Additionally, threat detection systems can use AI to analyze traffic patterns and automatically highlight potential threats to your IT infrastructure e.g. recording new and unknown IP addresses accessing the network.

As phishing emails are one of the main beneficiaries of AI, it makes sense to strengthen your employee training in this area. Not only should this be an integral part of IT inductions for new staff, but solidifying this knowledge with regular refresher training is crucial for protecting your network. The effectiveness of this training can be evaluated by running random phishing email tests, whereby a ‘fake’ phishing email is randomly sent to staff to determine if they can identify the malicious nature of it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malware Cluster Bombs: A New Threat

anti-malware tools, anti-virus software, Cluster Bombs, compressed cabinet files, KrakenLabs, malicious emails, malware, Ophtek, Phishing, software updates, Unfurling Hemlock, WEXTRACT.EXE, , , , , , , , , , ,
06
Aug 2024

A malware infection is always bad news but imagine being infected with multiple strains at once. Welcome to the new threat of malware cluster bombs.

Researchers at the cybersecurity firm KrakenLabs have revealed the dangers of a new malware technique launched by Unfurling Hemlock, a new threat actor group. Their malware cluster bombs have been verified as active in at least 10 countries, but most Unfurling Hemlock’s targets have been US-based. This attack has also been active for some time, with evidence of the earliest infections going back to February 2023.

The mere concept of malware cluster bombs is enough to worry any IT professional, so that’s why we’re going to delve a bit deeper and discuss how you can keep your IT systems safe.

Understanding Unfurling Hemlock’s Attack

This new attack starts, as with many malware attacks, through malicious emails or malware loaders. It would appear, perhaps to cover their own tracks, Unfurling Hemlock are paying other hackers to distribute their malware. The initial attack is focused around a malicious file named WEXTRACT.EXE. Within this executable is a collection of compressed cabinet files, each of which contains a strain of malware.

The final part of the attack comes when all of the malicious files have been extracted and are executed in reverse order. Each cluster bomb is believed to contain multiple strains of malware, so while the number is varied, the impact is always significant. Among these malware strains are a cocktail of different attacks, with botnets, backdoors, and info stealers all detected so far. Unfurling Hemlock’s ultimate aim, aside from causing digital chaos, is unknown, but KrakenLabs believe the threat actor may be harvesting sensitive data to sell.

The malware cluster bomb approach is innovative and effective for two reasons: the opportunities for monetization are increased and the multiple strains in use mean that persistence is enhanced. Ultimately, dropping ten strains of malware onto one device is more likely to provide opportunities for threat actors than a single strain.

Staying Safe from Malware Cluster Bombs

It’s clear that malware cluster bombs represent a serious threat to your IT infrastructure, and that’s why you need to keep your defenses secure. You can put this into action by following these best practices:

  • Regular Software Updates: ensure that all software, including operating systems and applications, is regularly updated and patched. Automated patch management tools can help make this easier, and Windows allows you to set automatic updates for Microsoft apps. Regular updates protect against known vulnerabilities and exploits which malicious actors often target with malicious files.
  • Antivirus and Anti-malware Solutions: always use reputable antivirus and anti-malware software across your network. These tools should be regularly updated to recognize and handle the latest threats. High-level security solutions will provide real-time protection, scanning, and removal of malicious files. This is conducted by regular scans and monitoring to ensure potential threats are detected and dealt with promptly.
  • Employee Education: carry out regular training sessions for employees to recognize phishing attempts, suspicious emails, and other potential threats. Training should include best practices for safe internet use, identifying social engineering tactics, and reporting suspicious activities. Your employees are your first line of defense, so it’s crucial you reduce the likelihood of attacks due to human error.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Polyfill Website Compromised with Malicious JavaScript

antivirus software, DNS Filtering, Malicious JavaScript, Ophtek, Polyfill, secure firewall, , , , , ,
30
Jul 2024

The Polyfill.io website has been caught up in a supply chain attack, with the result that malicious JavaScript is now being supplied through the site.

Along with sites such as Bootcss and BootCDN, Polyfill has been compromised by threat actors and transformed into a malicious site. Typically, Polyfill was a treasure trove of JavaScript code which allowed the use of contemporary JavaScript functions in older browsers. The Polyfill domain was sold to a new firm at the start of 2024, and it appears the infected code was inserted into the JavaScript shortly after this. With Polyfill supplying JavaScript code to an estimated 110,000 websites, the potential for damage is high.

Understanding the Polyfill Attack

Unsuspecting web developers are downloading JavaScript code from Polyfill and incorporating it into their websites, under the understanding it will help their sites load in older browsers. However, the malicious JavaScript code now hosted on Polyfill does something very different. As JavaScript will be activated once a user loads an infected website, this means the malware is then downloaded to that user’s PC.

The main impact of this malicious JavaScript is a combination of data theft and clickjacking (where a user is tricked into clicking an element on a page). Some of the infected scripts also redirect users to malicious sites containing further malware, sports betting websites, and pornographic content. The attack has been significant, with notable victims affected including Intuit and the World Economic Forum.

The infected code has been difficult to analyze as security researchers have found it’s protected by high levels of obfuscation. By generating payloads which are specific to HTTP headers and only activating on certain devices, the malicious JavaScript has been difficult to pin down and examine. The attack has also been significant enough for Google to start banning Google Ads linking to the infected sites.

Protecting Your PCs from Polyfill

If your organization has used code from Polyfill.io in the past, it’s time to remove this code from your website. This is simplest and most effective way to minimize the threat to your visitors. Nonetheless, there’s much more you can do to stay safe from malicious websites:

  • Use Strong Firewall and Antivirus Solutions: you can protect against malicious websites by using comprehensive firewall and antivirus software, such as AVG and McAfee. These tools filter out harmful traffic, block access to known malicious sites, and detect suspicious activities. This combination of protection prevents malware infections and data breaches which can originate from unsafe web pages.
  • Employ DNS Filtering: access to malicious websites can be blocked at a network level by using DNS filtering services. By filtering out dangerous domains and websites known for malware distribution or phishing, these services provide an additional layer of security, preventing users from visiting harmful sites and protecting the integrity of your IT infrastructure.
  • Employee Education: training your employees to recognize phishing attempts, avoid suspicious links, and understand the importance of secure browsing habits is crucial. Regularly updated cybersecurity training programs ensure your staff can identify and avoid potential threats, reducing the risk of falling victim to malicious websites.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

CrowdStrike Causes Unprecedented Global IT Outage

Cloud Storage, CrowdStrike, cybersecurity, Ophtek, Updates, vulnerability, Windows update, , , , , ,
23
Jul 2024

One of the world’s biggest ever IT failures has caused chaos for major IT infrastructures all over the world. And it was all thanks to a CrowdStrike update.

The damage was caused by a content update for Windows issued by CrowdStrike, a major player when it comes to cybersecurity firms. However, rather than providing an enhanced experience for Windows users, it resulted in many users finding that their PCs crashed. The ‘blue screen of death’ was a common sighting and numerous applications were rendered unusable. The CrowdStrike glitch wasn’t restricted to a small number of individuals either, it went all away the round and affected major organizations.

Understanding the CrowdStrike Flaw

CrowdStrike has been providing security solutions since 2011, and it now offers a wide range of security services. These are provided through cloud-based platforms and have seen CrowdStrike’s profile rise significantly. However, their recent update for their application Falcon Sensor – which analyzes active processes to identify suspicious activity – is responsible for the worldwide outage of IT systems.

Falcon Sensor runs within Windows and, as such, interacts directly with the Windows operating system. Falcon Sensor’s main objective is to protect IT systems from security attacks and system failures, but their latest update achieved the complete opposite. As a result of faulty code within the update, Falcon Sensor malfunctioned and compromised the systems it had been installed on. This led to IT systems crashing and unable to be rebooted.

CrowdStrike were quick to identify the fault as a result of their update, and reassured the global community this was not a global cyberattack. With the fault identified and isolated, CrowdStrike rapidly developed a fix. But the damage had already been done, and many systems remained offline due to the disruption.

Who Was Affected by the CrowdStrike Glitch?

The impact of the faulty CrowdStrike update was of a magnitude rarely seen in the IT world. With many IT infrastructures relying on Windows, countless systems crashed all over the world. Airport services were badly hit, and lots of airlines had to ground their planes due to IT issues. Banks and credit card providers were also affected, and numerous organizations were unable to take card payments as a result. Healthcare services, too, felt the full impact of the glitch and struggled to book appointments and allocate staff shifts.

The Aftermath of the CrowdStrike Disaster

Disruption to IT systems was still evident days after the CrowdStrike incident, and it’s expected this disruption will continue. Matters weren’t helped by the simultaneous failure of Microsoft Azure, a cloud computing platform, which also created a major outage.

While the outages were caused by a technical glitch, CrowdStrike issued an announcement the day after that cybercriminals may be targeting affected systems. Evidence in Latin America indicated CrowdStrike customers were being targeted by a malicious ZIP archive which contains HijackLoader, a module used to install various strains of malware.

Final Thoughts

Ultimately, this digital catastrophe was caused by a faulty piece of code, and Microsoft currently estimate it affected 8.5 million Windows devices. It could easily happen again and reinforces the need for good backup protocols, such as the 3-2-1 backup method. The CrowdStrike glitch may have been unforeseen, but with the correct preparation, you can minimize the impact of future incidents on your IT systems.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 4 5 9