Cyber Security Today, March 3, 2023 – Bootkit can compromise Windows 11, a hacked container found and more


Bootkit can compromise Windows 11, a hacked container found and more.

Welcome to Cyber Security Today. It’s Friday, March 3rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


A bootkit being sold to crooks can bypass and corrupt a fully patched Windows 11 system, say researchers at ESET. Called BlackLotus, it can get around the firmware-based Secure Boot protection for the operating system. It exploits a year-old vulnerability that Microsoft fixed in its January 2022 Windows update. Exploitation is still possible because the validly signed binaries the bootkit relies on haven’t been added to what’s called the UEFI revocation list. Once launched, this bootkit disables Windows security mechanisms such as Defender and BitLocker. While it has been sold on underground forums for at least the last four months, few threat actors seem to have started using it — so far. ESET urges the UEFI Forum to update its revocation list.

Separately ESET warned that a new custom backdoor is being deployed by what is believed to be a China-aligned group it calls Mustang Panda. It’s a bare-bones backdoor that allows the attacker to execute commands. It uses the MQTT protocol for communications.

Containerized environments, which bundle everything an application needs to run, are efficient. But they are still vulnerable to cyber-attacks. The latest example was discovered by researchers at Sysdig. They found a containerized workload that was hacked, then leveraged for a privilege escalation into an AWS account to steal the victim company’s proprietary software and credentials. It started with the attacker exploiting an internet-facing service in a self-managed Kubernetes cluster hosted inside an AWS cloud account. They got an employee’s temporary username and password through the instance metadata service. Then, because that user had excessive permissions, the attacker could get the credentials of other identities and move on. One lesson: give an employee more access to resources than they need and a successful attacker will take advantage. A second lesson: strong detections and alerts are needed in containerized environments.
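The first lesson above is least privilege. A quick way to act on it is to lint IAM policy documents before they are attached to a role a workload can assume. The script below is an added example, not code from the episode or from Sysdig’s report: it reads a policy JSON with the standard library only and flags Allow statements that grant wildcard actions or apply to every resource, paying special attention to IAM and STS actions, which are the ones that let a compromised identity pick up other identities’ credentials. The two policies it checks are constructed for illustration.

```python
"""Flag over-broad Allow statements in AWS IAM policy documents.

Added example (not from the episode or Sysdig's report). Offline,
standard library only; the sample policies are constructed.
"""
import json


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json: str) -> list:
    """Return (statement_id, reason) pairs for Allow statements that are
    wider than least privilege usually tolerates."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        for action in actions:
            if action == "*":
                findings.append((sid, "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append(
                    (sid, f"Action '{action}' allows every call in its service"))

        # IAM/STS on every resource is the pattern that turns one stolen
        # credential into many: creating keys, assuming roles, and so on.
        if "*" in resources and any(a.startswith(("iam:", "sts:")) for a in actions):
            findings.append(
                (sid, "IAM/STS actions on Resource '*' enable credential harvesting"))
        elif "*" in resources:
            findings.append((sid, "Resource '*' applies to every resource"))
    return findings


# Constructed sample: the kind of policy that lets an attacker "move on".
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DevAccess",
        "Effect": "Allow",
        "Action": ["iam:*", "s3:*"],
        "Resource": "*",
    }],
})

# Constructed sample: scoped to one action on one bucket prefix.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadArtifacts",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-artifacts/*",
    }],
})


if __name__ == "__main__":
    for name, doc in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name)
        for sid, reason in find_overbroad_statements(doc) or [("-", "no findings")]:
            print(f"  {sid}: {reason}")
```

This is a preventive check and covers only the policy text; the second lesson, detection, still needs runtime signals such as credential use from unexpected principals, which this script does not attempt.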

Attention Linux administrators: The SysUpdate malware that until now has only run on Windows machines can now run on Linux boxes, according to Trend Micro. It is believed to have been created by a threat actor researchers call Lucky Mouse or Iron Tiger. This malware can take screenshots, find, delete and rename files, upload and download files among other things. The new version also can communicate through DNS text requests.

Fast-food chain Chick-fil-A has begun notifying customers their personal data was exposed between December 18th and February 12th. The attacker used login credentials stolen from an unnamed third party. The stolen information may have included names, email addresses, the last four digits of credit/debit card numbers and mobile pay numbers. If customers saved personal information to their accounts such as the month and day of their birth that would have been stolen, too.

I’ve reported before about data breaches stemming from the compromise of the GoAnywhere managed file transfer service. Hatch Bank in the U.S. is now notifying almost 140,000 customers who borrowed or applied to borrow money that some of their data was accessed at the end of January. The Bleeping Computer news site says the Clop ransomware gang claims responsibility for compromising the file transfer service. That claim hasn’t been verified.

Most listeners know — I hope — to hover over links they get in emails and text messages as one way to confirm they go to a legitimate website. This is especially important if the link is shortened. However, hovering is not foolproof. Scammers have ways to disguise a fake full link. The most recent way is by making the full URL look like it goes to, or involves, LinkedIn. LinkedIn, of course, is a trusted brand. According to researchers at Malwarebytes, people are getting email messages that look like they came from Amazon about renewing their Prime service. But the goal is to steal Gmail, Microsoft and other passwords. The scam works like this: the email contains an Update Now button to update your supposed Prime account. Hovering over the button shows a shortened link that includes the word LinkedIn. Click on it and you get redirected to a website that looks like an Amazon login page. Victims who enter their email address and password as requested are sent to a so-called Security Checkup page where they are asked to fill in personal information — which goes to the crooks. This works because of a website redirect service that LinkedIn offers. Don’t be fooled by this scam.
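The reason hovering fails here is that the host you see belongs to the redirector, not to the page you end up on. A mail-filter or awareness-training check can therefore look past the visible host for a redirect target carried inside the URL. The script below is an added example, not code from the episode or from the Malwarebytes report: it pulls any absolute URL out of a link’s query string, follows such embedded targets a few hops deep, and compares the final host with the brand the message claims to be from. The LinkedIn redirect path and parameter name, and the lookalike domain, are constructed for illustration and are not LinkedIn’s documented interface; a real shortened link would first have to be expanded, which this offline check does not do.

```python
"""Look past the hover host of a link to the redirect target it carries.

Added example (not from the episode or the Malwarebytes report). The
redirector path/parameter and the phishing domain are constructed.
"""
from urllib.parse import urlsplit, parse_qsl

MAX_HOPS = 5  # guard against redirectors that point at redirectors


def _embedded_urls(url: str):
    """Yield absolute URLs found in the query string, whether they are a
    parameter value (?url=https...) or a bare key (?https...).
    parse_qsl already percent-decodes, so https%3A%2F%2F... is handled."""
    parts = urlsplit(url)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for candidate in (key, value):
            if candidate.startswith(("http://", "https://")):
                yield candidate


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _belongs_to(host: str, brand_hosts) -> bool:
    """True if host is one of brand_hosts or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in brand_hosts)


def inspect_link(url: str, claimed_brand_hosts) -> dict:
    """Describe the host a user sees on hover, the host the chain of
    embedded redirects ends at, and whether that matches the claimed brand."""
    hops = [_host(url)]
    current = url
    for _ in range(MAX_HOPS):
        target = next(_embedded_urls(current), None)
        if target is None:
            break
        current = target
        hops.append(_host(current))
    return {
        "hover_host": hops[0],
        "final_host": hops[-1],
        "hops": hops,
        "redirect_used": len(hops) > 1,
        "matches_claimed_brand": _belongs_to(hops[-1], claimed_brand_hosts),
    }


# Constructed sample: a trusted-looking redirector carrying a lookalike target.
PHISH_URL = ("https://www.linkedin.com/redir/redirect"
             "?url=https%3A%2F%2Famazon-prime-renewal.example%2Flogin&urlhash=abc")

# Constructed sample: a direct link to the brand the email claims to be from.
LEGIT_URL = "https://www.amazon.com/gp/css/homepage.html"

if __name__ == "__main__":
    for link in (PHISH_URL, LEGIT_URL):
        report = inspect_link(link, ["amazon.com"])
        print(link)
        print("  hover host :", report["hover_host"])
        print("  final host :", report["final_host"])
        print("  redirect   :", report["redirect_used"])
        print("  brand match:", report["matches_claimed_brand"])
```

The useful signal is the pair: a redirect was used and the final host does not belong to the brand the message invokes. Either alone is common in legitimate mail; together they describe exactly the trick in this story.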

That’s it for now. But later today the Week in Review podcast will be available. My guest will be University of Calgary cybersecurity professor Tom Keenan. He’ll talk about artificial intelligence and ChatGPT. That show will be available after 3 p.m. Eastern time.

Links to details about podcast stories are in the text version at ITWorldCanada.com.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, March 3, 2023 – Bootkit can compromise Windows 11, a hacked container found and more first appeared on IT World Canada.