
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months. Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows. It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.

Drivers typically allow computers to work with printers, cameras, or other peripheral devices—or to do other things such as provide analytics about the functioning of computer hardware. For many drivers to work, they need a direct pipeline into the kernel, the core of an operating system where the most sensitive code resides. For this reason, Microsoft heavily fortifies the kernel and requires all drivers to be digitally signed with a certificate that verifies they have been inspected and come from a trusted source. Even then, however, legitimate drivers sometimes contain memory corruption vulnerabilities or other serious flaws that, when exploited, allow hackers to funnel their malicious code directly into the kernel. Even after a developer patches the vulnerability, the old, buggy drivers remain excellent candidates for BYOVD attacks because they’re already signed.
By adding this kind of driver to the execution flow of a malware attack, hackers can save weeks of development and testing time. BYOVD has been a fact of life for at least a decade. Malware dubbed "Slingshot" employed BYOVD since at least 2012, and other early entrants to the BYOVD scene included LoJax, InvisiMole, and RobbinHood. Over the past couple of years, we have seen a rash of new BYOVD attacks. One such attack late last year was carried out by the North Korean government-backed Lazarus group. It used a decommissioned Dell driver with a high-severity vulnerability to target an employee of an aerospace company in the Netherlands and a political journalist in Belgium. In a separate BYOVD attack a few months ago, cybercriminals installed the BlackByte ransomware by installing and then exploiting a buggy driver for Micro-Star’s MSI AfterBurner 4.6.2.15658, a widely used graphics card overclocking utility.

Microsoft has touted these protections since at least March 2020, when the company published this post promoting "Secured Core" PCs, which have HVCI enabled right out of the box. Microsoft presented Secured Core PCs (and HVCI in general) as a panacea for in-the-wild BYOVD attacks, stemming either from buggy drivers or "wormhole" drivers (those which are vulnerable by design). The post went on to say that "Microsoft threat research teams continuously monitor the threat ecosystem and update the list of drivers that [are] in the Microsoft-supplied blocklist. This blocklist is pushed down to devices via Windows update." A few months later, Microsoft Senior VP of Enterprise and OS Security David Weston tweeted that by turning on these protections, Windows users were safe from an ongoing BYOVD attack that had recently made the rounds. Full details can be found on OUR FORUM.
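Because the article's point is that the blocklist Microsoft promised was not actually reaching machines, an administrator cannot simply trust that HVCI plus Windows Update has the problem covered. The script below is an added example, not code from the article or from Microsoft: it reads the documented Win32_DeviceGuard WMI class to report whether HVCI (memory integrity) is actually running, then hashes every currently loaded kernel driver and compares it against a local list of known-vulnerable driver hashes. The hash list here is a constructed placeholder; in real use it would be populated from Microsoft's published vulnerable-driver blocklist or another vetted source, which is exactly the data the article says was not being delivered automatically.

```powershell
# Added defensive check (example only, not Microsoft's tooling).
# Requires an elevated PowerShell session.

# 1. Is HVCI actually running? Win32_DeviceGuard is the documented class for this.
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
Write-Host ("HVCI running: {0}" -f $hvciRunning)
Write-Host ("Kernel-mode CI policy enforcement status: {0}" -f $dg.CodeIntegrityPolicyEnforcementStatus)

# 2. CONSTRUCTED placeholder list of SHA-256 hashes of known-vulnerable drivers.
#    Replace with hashes taken from Microsoft's vulnerable-driver blocklist.
$knownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000001'  # placeholder, not a real hash
)

# 3. Enumerate loaded kernel drivers, hash the on-disk image, and record signer details.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($drv in $loaded) {
    # PathName may be quoted, NT-prefixed (\??\) or use \SystemRoot; normalise to a Win32 path.
    $path = $drv.PathName.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name      = $drv.Name
        Path      = $path
        Sha256    = $hash
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status          # a valid signature says nothing about the driver being safe
        KnownBad  = $knownBadSha256 -contains $hash
    }
}

$findings | Sort-Object KnownBad -Descending | Format-Table Name, SigStatus, KnownBad, Signer -AutoSize

$hits = @($findings | Where-Object KnownBad)
if ($hits.Count -gt 0) {
    Write-Warning ("{0} loaded driver(s) match the known-vulnerable list; HVCI alone will not block them if the blocklist on this host is stale." -f $hits.Count)
}
```

The signature status column is deliberately shown next to the blocklist match: as the article explains, the drivers abused in BYOVD attacks are validly signed, so a clean Authenticode result is not evidence that a driver is safe, and the hash comparison against an up-to-date blocklist is the check that matters.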

Data privacy, as you know, was one of the most discussed topics in 2020. Today, there is no limit to the amount of our personal data that is being circulated across various online platforms. The popularity of smartphones, social media, mobile apps, and many other inbuilt software applications within the phone has made us knowingly compromise on our data privacy to a certain extent. The global pandemic in 2020 has made it mandatory for every individual to depend on various mobile apps and social media for their daily needs. These tech gadgets and devices that were the choice of a few got extended to be a part of daily habitual behavior. We have seen all these platforms guaranteeing the privacy of our data, but we also hear stories of data breaches happening every day, around the world, on the same platforms. So, one question lingers in our minds. Is data privacy in today’s world a myth? Isn’t there any foolproof data security solution to ensure complete data privacy across online platforms? Let’s discuss some common issues affecting our data privacy so that we remain vigilant to them in the future. The internet offers a wide variety of services and apps to make our lives comfortable, facilitate easy communication, and for entertainment purposes as well. But, to use these services, everyone needs to accept some ‘terms of use’ specified by the service provider. It’s a fact that 99.9% of users don’t read these terms before accepting them, which results in them being unaware of their privacy being targeted. Even technologically literate youths are compelled to accept them; otherwise, they won’t be able to enjoy the features of the service. Thus, our personal data gets shared with various companies for marketing and advertising purposes. This is the way apps and social media thrive by offering ‘free service’ to the public.
Most people think that hackers target the highest levels like government departments, financial organizations, and VIPs like politicians or company CEOs. But, as those targets are more vigilant to such cyber threats, hackers also target common people. More often they try to access higher-level data of an organization through phishing emails and ransomware targeted at lower-level employees. This can be more prevalent in a remote work scenario that has become the ‘new normal’ in a post-pandemic era. Learn more by visiting OUR FORUM.

Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake CPUs is authentic, raising cybersecurity concerns with researchers. Alder Lake is the name of Intel's 12th generation Intel Core processors, released in November 2021. On Friday, a Twitter user named 'freak' posted links to what was said to be the source code for Intel Alder Lake's UEFI firmware, which they claim was released by 4chan. The link led to a GitHub repository named 'ICE_TEA_BIOS' that was uploaded by a user named 'LCFCASD.' This repository contained what was described as the 'BIOS Code from project C970.' The leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools, with the latest timestamp on the files being 9/30/22, likely when a hacker or insider copied the data. BleepingComputer has been told that all the source code was developed by Insyde Software Corp, a UEFI system firmware development company. The leaked source code also contains numerous references to Lenovo, including code for integrations with 'Lenovo String Service', 'Lenovo Secure Suite', and 'Lenovo Cloud Service.' At this time, it is unclear whether the source code was stolen during a cyberattack or leaked by an insider. However, Intel has confirmed to Tom's Hardware that the source code is authentic and is its "proprietary UEFI code." While Intel has downplayed the security risks of the source code leak, security researchers warn that the contents could make it easier to find vulnerabilities in the code. "The attacker/bug hunter can hugely benefit from the leaks even if leaked OEM implementation is only partially used in the production," explains hardware security firm Hardened Vault. "The Insyde’s solution can help the security researchers, bug hunters (and the attackers) find the vulnerability and understand the result of reverse engineering easily, which adds up to the long-term high risk to the users."
Positive Technologies hardware researcher Mark Ermolov also warned that the leak included a KeyManifest private encryption key, a private key used to secure Intel's Boot Guard platform. Stay informed by visiting OUR FORUM often.