Executive Summary

A new UEFI bootkit called BlackLotus (not to be confused with Black Lotus Labs) has become the first publicly known malware with the capability of bypassing secure boot defences, rendering it a serious threat. A bootkit is a malicious program designed to load as early as possible during the boot process, before other security components are loaded and BlackLotus does this by targeting the UEFI which is low level firmware, responsible for booting up most modern computers.

What’s the risk to my business?

Successful exploitation allows an attacker to effectively control the computer and allow them to remotely execute code and gain the highest level of privilege. Successful exploitation requires the attacker to either have remote privileged access, or physical access to the target computer.

Technical Summary

The bootkit exploits CVE-2022-21894, which is a Secure Boot vulnerability. Although patched by Microsoft in January, the vulnerable signed binaries are not on the UEFI revocation list which flags boot files that should not be trusted and as such the malware can run on “patched” systems. Once the bootkit has run successfully, it is engineered to communicate with a command-and-control server, allowing the bootkit to retrieve additional user-mode or kernel-mode malware.

What can I do?

There is currently no known patch and the bootkit can run even on fully patched Windows 11 systems which have Secure Boot enabled. Security controls to mitigate this vulnerability from being exploited should focus on preventing an attacker from obtaining remote privileged access to the device through secure identity and access management, or to prevent unauthorised individuals from having physical access to the device. Black Arrow will continue to monitor the situation, and this alert will be updated when more information is made available.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Research on BlackLotus malware can be found here: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

Details for CVE-2023-21716 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21716

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week 

Half of Regulated Firms See Pandemic Spike in Financial Crime

Around half of firms in the financial services, property and legal sectors have reported rising levels of financial crime over the past 12 months, according to new data from an anti-money laundering (AML) specialist which polled 500 regulated businesses in the UK to better understand the levels of risk facing players in each vertical.

Overall, 48% of respondents said they’d seen a rise in financial crime, and a quarter (26%) admitted they’d been a victim of attacks. Legal firms, including conveyancers, experienced the most significant number of compromises, with a third (33%) saying they had been a victim of financial crime.

The sector is an increasingly attractive target for both state-backed and financially motivated cyber-criminals, given the wealth of sensitive client information that legal practices typically hold. https://www.infosecurity-magazine.com/news/half-firms-pandemic-spike/  

Large Ransom Demands And Password-Guessing Attacks Escalate

ESET released a report that summarizes key statistics from its detection systems and highlights notable examples of its cyber security research.

The latest issue of the report highlights several concerning trends that were recorded by ESET telemetry, including increasingly aggressive ransomware tactics, intensifying brute-force attacks, and deceptive phishing campaigns targeting people working from home who have gotten used to performing many administrative tasks remotely.

Ransomware, showing three major detection spikes during T2, saw the largest ransom demands to date. The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya VSA IT management software, sent shockwaves that were felt far beyond the cybersecurity industry. https://www.helpnetsecurity.com/2021/10/05/large-ransom-demands/

Malicious Hackers Are Exploiting Known Vulnerabilities Because Organizations Aren’t Quick Enough To Patch – Report

Organizations are urged to be more proactive when it comes to protecting against vulnerabilities, after a report found that malicious attackers routinely exploit unpatched systems.

The 2021 Trustwave SpiderLabs Telemetry Report, released this week, found that a huge number of companies are falling foul to cyber-attacks despite having ready access to suitable fixes.

This is happening because malicious actors are using Shodan to scan for networks that are exposed to known vulnerabilities and exploit them before the victim can apply the patch. https://portswigger.net/daily-swig/malicious-hackers-are-exploiting-known-vulnerabilities-because-organizations-arent-quick-enough-to-patch-report  

Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now

Some of the cyber security vulnerabilities most commonly exploited by cybercriminals to help distribute ransomware are years old -- but attackers are still able to take advantage of them because security updates aren't being applied.

Cybersecurity researchers at Qualys examined the Common Vulnerabilities and Exposures (CVEs) most used in ransomware attacks in recent years. They found that some of these vulnerabilities have been known for almost a decade and had vendor patches available. But because many organizations still haven't applied the available security updates, they remain vulnerable to ransomware attacks. https://www.zdnet.com/article/ransomware-cyber-criminals-are-still-exploiting-years-old-vulnerabilities-to-launch-attacks/

How Insurers Play a Big Role in Spurring Cyber Crime

Ransomware extracted $18 billion in payments last year, and it’s expected there will be an attack every 11 seconds by this year’s end, a problem that some security experts and academic researchers say is exacerbated by the system meant to protect against cybercrime: the insurance industry.

Organizations with cyber insurance are more than twice as likely to pay ransoms as those without, according to a global survey commissioned by UK-based cyber security and software firm Sophos of 1,823 companies, governments, health systems, and other organizations that had been hit by ransomware. This is one of the first times such data have been gathered that show the extent of the relationship between cyber insurance and ransomware payments. Critics say that relationship helps fuel a ransomware economy that the federal government estimates causes $445 billion in damages to the global economy every year. https://www.barrons.com/articles/ransomware-attack-cyber-insurance-industry-51633075202

Why Today’s Cyber Security Threats Are More Dangerous

Over the past two years, the rise of big-ticket ransomware attacks and revelations of harmful software supply chain infections have elevated cyber security to the top of governments’ and corporate agendas.

The opportunities for threat actors are growing faster than firms are able to mitigate them.

Unlike 20 years ago, when even extensive IT systems were comparatively standalone and straightforward, the interdependencies of systems now make dealing with and defending against threats a much more difficult proposition. The core problems being complexity and interdependence and neither are going away because that is what is providing organisations with the flexibility, functionality and all these other critical functions that they need. https://www.csoonline.com/article/3635097/why-today-s-cybersecurity-threats-are-more-dangerous.html

How Fraudsters Can Use The Forgotten Details Of Your Online Life To Reel You In

You may think you’ve been careful, but a determined scammer can probably find enough to manipulate you. https://www.theguardian.com/money/2021/oct/03/how-fraudsters-can-use-the-forgotten-details-of-your-online-life-to-reel-you-in  

One In Three IT Security Managers Don’t Have A Formal Cybersecurity Incident Response Plan

Regardless of industry, information security incidents have become more of a targeted threat for businesses, increasing in amount and efficacy, according to a new report.

Of all the security incidents identified by over 900 surveyed employees at U.S. businesses, the three most threatening incidents were: increasingly severe ransomware attacks, more effective phishing schemes, and rampant reusing of passwords.

·         Respondents reported phishing emails have nearly tripled in effectiveness over the past two years. Phishing emails are rapidly becoming more difficult to spot and thus far more destructive.

·         Over the past year, ransomware attacks have increased by 25%. Ransom demands were significantly higher than average for businesses in specific industries, such as banking and financial services and construction, with higher payouts.

·         The report found that password reuse is strongly associated with higher incidences of security breaches. Reported account takeovers were three times as common among people who reuse passwords as those who don’t.

Alarmingly, 23% of the IT security managers surveyed say their company doesn’t have protocols in place to report a suspected cyberattack and 33% don’t have a formal cybersecurity incident response plan. https://www.helpnetsecurity.com/2021/10/06/response-plan-cybersecurity/  

Cyber Security Best Practices Lagging, Despite People Being Aware Of The Risks

The National Cybersecurity Alliance and CybSafe announced the release of a report which polled 2,000 individuals across the U.S. and UK. The report examined key cybersecurity trends, attitudes, and behaviours ahead of Cybersecurity Awareness Month this month.

The daily headlines of data breaches and ransomware attacks is a testament to the problem getting worse, yet most people aren’t aware of the simple steps they can take to be a part of the solution. It’s critical to have a deeper understanding of both the challenges we face and the prevailing attitudes and behaviors among the public.

Too often people are forgotten in cybersecurity conversations and this is borne out by cyber crime being more common among Millenials and Gen Z, and the public not embracing cyber security best practices.

The report also found that many users had limited access to cyber training, with  64% of respondents having no access to cybersecurity training, while 27% of those who do have access choose not to use it. https://www.helpnetsecurity.com/2021/10/07/cybersecurity-best-practices-lagging/

Threats

Ransomware

• Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now | ZDNet

• Ransomware: Police Arrest Two In Operation Against 'Prolific' Gang That Targeted Big Businesses | ZDNet

• Revil Alone Accounts For A Significant Portion Of Q2 2021 Ransomware Attacks | Techspot

• Behind the Crypto Broker Accused of Enabling Ransomware Hackers - Bloomberg

• Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack – Sophos News

• US Ransomware Law Would Require Victims To Disclose Ransom Payments Within 48 Hours | ZDNet

• Ransomware Group FIN12 Aggressively Going After Healthcare Targets (thehackernews.com)

Other Social Engineering

• Smishing On The Rise - Infosecurity Magazine (Infosecurity-Magazine.Com)

Malware

• Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012 (thehackernews.com)

• 91.5% Of Malware Arrived Over Encrypted Connections During Q2 2021 - Help Net Security

IOT

• IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft | Threatpost

BYOD

• NCSC: Revoke Admin Access for BYOD Users Immediately - Infosecurity Magazine (infosecurity-magazine.com)

• BYOD Security Warning: You Can't Do Everything Securely With Just Personal Devices | ZDNet

Vulnerabilities

• Patch Apache HTTP Servers Now to Avoid Zero Day Exploit - Infosecurity Magazine (infosecurity-magazine.com)

Data Breaches/Leaks

• The Telegraph Exposed A 10tb Database With Subscriber Data - Security Affairs

Cryptocurrency/Cryptojacking

• Hackers Rob Thousands Of Coinbase Customers Using MFA Flaw (Bleepingcomputer.Com)

Insider Threats

• Fired IT Admin Revenge-Hacks School By Wiping Data, Changing Passwords (Bleepingcomputer.Com)

Dark Web

• Over A Billion Facebook Users Have Data Sold On The Dark Web | Techradar

Nation State Actors

• Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users (thehackernews.com)

• Microsoft: 58% of Nation-State Cyber Attacks Come From Russia (darkreading.com)

• Google Warns 14,000 Gmail Users Targeted By Russian Hackers (Bleepingcomputer.Com)

• Solarwinds Hack Saw Russia Steal Us Anti-Spy Probe Details • The Register

• A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries (thehackernews.com)

• New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers (thehackernews.com)

• Iranian APT Targets Aerospace And Telecom Firms With Stealthy ShellClient Trojan | CSO Online

Cloud

• How Should Banks Grapple With Regulation When Crafting Their Cloud Strategy? (finextra.com) 

Reports Published in the Last Week

• Russian Cyber Attacks Pose Greater Risk To Governments And Other Insights From Microsoft’s Annual Report - Microsoft On The Issues 

Other News

• Patch Management Complexity Increased By Remote Work Is Putting Organizations At Risk - Help Net Security

• The Cyber Security Issues Organizations Deal With Remain Complex And Numerous - Help Net Security

• Security Experts Aghast At The Scale Of Twitch Hack: 'This Is As Bad As It Could Possibly Be' | PC Gamer

• Botnet Abuses TP-Link Routers For Years In SMS Messaging-As-A-Service Scheme - The Record By Recorded Future

• Company That Routes SMS For All Major US Carriers Was Hacked For Five Years | Ars Technica

• New £5 Billion GCHQ Digital Warfare Centre Capable Of 'Cyber Attacks' Set For Lancashire - Lancslive

• Superhero Passwords Pose Serious Risk to Personal, Enterprise Accounts | SecurityWeek.Com

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.