Tag Archive for: Compromising

Intel Boot Guard private keys have reportedly leaked, compromising the security of many computers


It seems like every other day there are scumbags out there perpetrating a new hack, taking advantage of a vulnerability or trying to extort people with ransomware. MSI is the latest victim, with hackers leaking material stolen from a breach of MSI’s systems last month.

This one has the potential to be serious. According to tweets by Alex Matrosov, the founder of Binarly, at least some of the 1.5TB of data stolen in that breach has now been leaked. The data includes private keys, some of which appear to be Intel Boot Guard keys. Boot Guard verifies the earliest firmware against OEM signing keys whose hashes are fused into the platform chipset, so a leaked signing key lets an attacker sign firmware that passes that check on affected machines, and because the hashes are burned into fuses they cannot be rotated with a software update. The leak of such keys doesn’t just affect MSI systems, but those from other vendors too, including Lenovo and Supermicro.


FBI Warns That Cuba Ransomware Gang Made $44 Million After Compromising 49 Critical Infrastructure Entities in Five Sectors


The Federal Bureau of Investigation (FBI) warned that the Cuba ransomware gang earned more than $43.9 million in ransom after compromising at least 49 critical infrastructure entities.

Despite its name, forensic analysts believe the Cuba ransomware gang is based in Russia, a country widely suspected of harboring cybercriminals.

According to the FBI, Cuba ransomware gang victims include (but are not limited to) organizations in the financial, government, healthcare, manufacturing, and information technology sectors.

The FBI noted that Cuba ransomware actors had demanded up to $74 million in ransom payments.

Cuba ransomware gang partners with Hancitor malware operators

The FBI traced Cuba ransomware infections to Hancitor malware, which gains initial access through phishing campaigns, Microsoft Exchange vulnerabilities, compromised credentials, and brute-forcing of Remote Desktop Protocol (RDP) logins.

The Hancitor operators add compromised devices to a botnet, run it as malware-as-a-service (MaaS) infrastructure, and share that access with other ransomware groups.

“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the FBI wrote.

In April, McAfee had noted that there was no evidence connecting the two groups, which suggests the collaboration is a new partnership.

FBI publishes the indicators of compromise and TTPs employed by the Cuba ransomware gang

The FBI released the indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) employed by the ransomware gang to help organizations defend against Cuba ransomware attacks.

According to the FBI flash alert, the Cuba ransomware gang uses legitimate Windows administration tools such as PowerShell and PsExec, together with Windows admin privileges, to execute its malware before dropping a Cobalt Strike beacon.

The malware also drops two additional payloads: “pones.exe”, which steals passwords, and “krots.exe”, which writes to a temporary “TMP” file that contains API calls related to memory injection.

“One of the initial PowerShell script functions…
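As an added example (not code from the FBI alert or the article), the script below runs simple detection logic for the behaviours described above over a handful of constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events. The payload names pones.exe and krots.exe come from the alert; the PSEXESVC.exe service binary name and PowerShell's -EncodedCommand flag are general knowledge about those tools, assumed here as the detection hooks for PsExec and obfuscated PowerShell use. The sample events, host names and paths are made up.

```python
import json
import ntpath

# Payload filenames named in the FBI flash alert on Cuba ransomware.
CUBA_PAYLOADS = {"pones.exe", "krots.exe"}
# PsExec runs its remote side as the PSEXESVC service binary (general PsExec
# behaviour, assumed here as the hook for spotting PsExec lateral movement).
PSEXEC_SERVICE_BINARY = "psexesvc.exe"
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}

# Constructed Sysmon-style events as JSON lines; not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}',
    r'{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}',
    r'{"EventID": 1, "Computer": "SRV02", "Image": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}',
    r'{"EventID": 1, "Computer": "SRV02", "Image": "C:\\Windows\\Temp\\pones.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "pones.exe"}',
    r'{"EventID": 11, "Computer": "SRV02", "Image": "C:\\Windows\\Temp\\krots.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2c3.tmp"}',
    r'{"EventID": 11, "Computer": "WS01", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}',
]


def basename(path):
    """Lower-cased final path component, handling Windows separators."""
    return ntpath.basename(path).lower()


def has_encoded_command(cmdline):
    """True if a PowerShell command line carries -EncodedCommand or any
    unambiguous prefix of it (-e, -ec, -enc, ...), which PowerShell accepts."""
    for tok in cmdline.split():
        if tok[:1] in "-/" and len(tok) > 1:
            flag = tok[1:].lower()
            if "encodedcommand".startswith(flag):
                return True
    return False


def check_event(ev):
    """Return a detection dict for one parsed event, or None if benign."""
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    host = ev.get("Computer", "?")
    if eid == 1:  # process creation
        if image in CUBA_PAYLOADS:
            return {"rule": "cuba_payload_exec", "computer": host, "indicator": image}
        if image == PSEXEC_SERVICE_BINARY:
            return {"rule": "psexec_remote_exec", "computer": host, "indicator": image}
        if image in POWERSHELL_BINARIES and has_encoded_command(ev.get("CommandLine", "")):
            return {"rule": "encoded_powershell", "computer": host,
                    "indicator": ev["CommandLine"]}
    elif eid == 11:  # file creation
        target = ev.get("TargetFilename", "")
        if image in CUBA_PAYLOADS and target.lower().endswith(".tmp"):
            return {"rule": "cuba_payload_tmp_write", "computer": host, "indicator": target}
    return None


def scan(lines):
    """Parse JSON event lines and return every detection, in input order."""
    hits = []
    for line in lines:
        hit = check_event(json.loads(line))
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['computer']}: {hit['rule']} ({hit['indicator']})")
```

Matching on the payload filenames alone is brittle, since an operator can rename a dropper; the PsExec and encoded-PowerShell rules are the behavioural hooks that survive a rename and are worth keeping even after the named IoCs go stale.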


National Rise In Ransomware Attacks Becoming ‘National Security Threat,’ Compromising Coloradans’ Personal Data – CBS Denver


(CBS4) – Nationwide, cyberattacks against major corporations are on the rise. Ransomware attacks in particular are becoming the new type of breach: hackers take company computer systems hostage in exchange for big payouts, and CBS4 Investigates found these attacks are hitting people in the Centennial State.


Holly Parker, of Fruita, got a letter in the mail last fall, saying some of her personal information may have been compromised as a result of a ransomware attack. Cybercriminals had infiltrated Blackbaud, a company that stores data for hospitals and schools across the country.


SCL Health’s hospitals in Colorado were just a few of those compromised. Holly and her family have been patients at SCL Health’s St. Mary’s Hospital in Grand Junction for years.

“That’s one place that you don’t expect your stuff to be compromised by,” Parker said.

According to SCL Health, patient Social Security numbers were encrypted, so that data was protected, but names, birthdays, and addresses were compromised. For some other businesses Blackbaud serves, criminals were able to access Social Security numbers and financial information.

Blackbaud paid the ransom to the hackers in exchange for an assurance that the data wouldn’t be exposed, which the FBI advises against because there’s no guarantee the hackers will keep their word.

Now, a nationwide class action lawsuit has been filed against Blackbaud. At least one Colorado resident has joined because her information was compromised when the attack hit a school she had attended in the past.

Parker says she’s considering joining, as well.

“I think they should be held accountable, because you’ve screwed around with credit, and people’s stuff,” Parker said.

The attack on Blackbaud is just one example in the rise of cyberattacks nationwide. A recent HIPAA Journal study found there was a 25% increase in health care data breaches in 2020.

These attacks aren’t just stealing personal information, they’re also infiltrating the crucial systems we rely on every day.

In May, the Colonial…


GoDaddy Employees Tricked into Compromising Cryptocurrency Sites – Threatpost

