Firmware Security | Breaking Cybersecurity News | The Hacker News

The Problem The "2024 Attack Intelligence Report" from the staff at Rapid7 [1] is a well-researched, well-written report that is worthy of careful study. Some key takeaways are:  53% of the over 30 new vulnerabilities that were widely exploited in 2023 and at the start of 2024 were zero-days . More mass compromise events arose from zero-day vulnerabilities than from n-day vulnerabilities. Nearly a quarter of widespread attacks were zero-day attacks where a single adversary compromised dozens to hundreds of organizations simultaneously. Attackers are moving from initial access to exploitation in minutes or hours rather than days or weeks. So the conventional patch and put strategy is as effective as a firetruck showing up after a building has burned to the ground! Of course, patch and put could prevent future attacks, but taking into account that patch development takes from days to weeks [2] and that the average time to apply critical patches is 16 days [3], devices are vulner

Multiple security flaws have been disclosed in Emerson Rosemount gas chromatographs that could be exploited by malicious actors to obtain sensitive information, induce a denial-of-service (DoS) condition, and even execute arbitrary commands. The flaws impact GC370XA, GC700XA, and GC1500XA and reside in versions 4.1.5 and prior. According to operational technology (OT) security firm Claroty, the vulnerabilities include two command injection flaws and two separate authentication and authorization vulnerabilities that could be weaponized by unauthenticated attackers to perform a wide range of malicious actions ranging from authentication bypass to command injection. "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to run arbitrary commands, access sensitive information, cause a denial-of-service condition, and bypass authentication to acquire admin capabilities," the U.S. Cybersecurity and Infrastructure Security

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner. Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. "When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," Apple said in a Tuesday advisory. In other words, an adversary in physical proximity could exploit the vulnerability to eavesdrop on private conversations. Apple said the issue has been addressed with improved state management. Jonas Dreßler has been credited with discovering and reporting the flaw. It has been patched as part of AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8. The development comes two week

Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code. "The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime," supply chain security firm Eclypsium said in a report shared with The Hacker News. "This type of low-level exploitation is typical of firmware backdoors (e.g., BlackLotus ) that are increasingly observed in the wild. Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in

Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day. The high-severity vulnerability, tagged as CVE-2024-32896 , has been described as an elevation of privilege issue in Pixel Firmware. The company did not share any additional details related to the nature of attacks exploiting it, but noted "there are indications that CVE-2024-32896 may be under limited, targeted exploitation." The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Some of the notable issues patched include denial-of-service (DoS) issue impacting Modem, and numerous information disclosure flaws affecting GsmSs, ACPM, and Trusty.  The updates are available for supported Pixel devices , such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold. Earlier this April, Google resolved

Taiwanese company QNAP has rolled out fixes for a set of medium-severity flaws impacting QTS and QuTS hero, some of which could be exploited to achieve code execution on its network-attached storage (NAS) appliances. The  issues , which impact QTS 5.1.x and QuTS hero h5.1.x, are listed below - CVE-2024-21902  - An incorrect permission assignment for critical resource vulnerability that could allow authenticated users to read or modify the resource via a network CVE-2024-27127  - A double free vulnerability that could allow authenticated users to execute arbitrary code via a network CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130  - A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network All the shortcomings, that require a valid account on NAS devices, have been addressed in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520. Aliz Hammond of watchTowr Labs has been credited with  discoverin

Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called  BlackTech  as part of a recent cyber attack wave. The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear. Cybersecurity firm Trend Micro is tracking the threat actor under the moniker Earth Hundun, which is known to be active since at least 2007. It also goes by other names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard. "Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis," Trend Micro researchers Cyris Tseng and Pierre Lee  said  in an analysis last week. "In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us

A security flaw impacting the Lighttpd web server used in baseboard management controllers ( BMCs ) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal. While the original shortcoming was  discovered and patched  by the Lighttpd maintainers way back in August 2018 with  version 1.4.51 , the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo. Lighttpd  (pronounced "Lighty") is an open-source high-performance web server software designed for speed, security, and flexibility, while optimized for high-performance environments without consuming a lot of system resources. The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout ra

Google has announced support for what's called a  V8 Sandbox  in the Chrome web browser in an effort to address memory corruption issues. The sandbox, according to V8 security technical lead Samuel Groß,  aims  to prevent "memory corruption in V8 from spreading within the host process." The search behemoth has  described  V8 Sandbox as a lightweight, in-process sandbox for the JavaScript and WebAssembly engine that's designed to mitigate common V8 vulnerabilities. The idea is to limit the impact of V8 vulnerabilities by restricting the code executed by V8 to a subset of the process' virtual address space ("the sandbox") and isolating it from the rest of the process. Shortcomings affecting V8 have accounted for a significant chunk of the zero-day vulnerabilities that Google has  addressed  between  2021  and  2023 , with as many as 16 security flaws discovered over the time period. "The sandbox assumes that an attacker can arbitrarily and conc

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies. The high-severity zero-day vulnerabilities are as follows - CVE-2024-29745  - An information disclosure flaw in the bootloader component CVE-2024-29748  - A privilege escalation flaw in the firmware component "There are indications that the [vulnerabilities] may be under limited, targeted exploitation," Google  said  in an advisory published April 2, 2024. While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they "are being actively exploited in the wild by forensic companies." "CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking," they  said  in a series of posts on X (formerly Twitter). "Forensic companies are rebooting devices in After First U

The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed. The audacious supply chain compromise, tracked as  CVE-2024-3094  (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund alerted to the  presence  of a  backdoor  in the data compression utility that gives remote attackers a way to sidestep secure shell authentication and gain complete access to an affected system. "I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise," Freund said in a post shared on Mastodon. "Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc." "Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I

In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was  felled by law enforcement  as part of an operation codenamed Dying Ember. The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia's Main Directorate of the General Staff (GRU), is known to be active since at least 2007. APT28 actors have "used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools," the authorities  said  [PDF]. The adversary's use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospita

A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains. Eclypsiusm, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4. "Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020," the firmware security company  said  in a report shared with The Hacker News. The development comes as threat actors are capitalizing on a number of security flaws discovered in Ivanti Connect Secure, Policy Secure, and ZTA gateways to  deliver  a  wide range of malware , including web shells, stealers, and backdoors. The vulnerabilities that have come under active exploitation in recent months comprise CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also  disclosed  another bug

Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface ( UEFI ) specification used widely in modern computers. Collectively dubbed  PixieFail  by Quarkslab, the  nine issues  reside in the TianoCore EFI Development Kit II ( EDK II ) and could be exploited to achieve remote code execution, denial-of-service (DoS), DNS cache poisoning, and leakage of sensitive information. UEFI firmware – which is responsible for  booting the operating system  – from AMI, Intel, Insyde, and Phoenix Technologies are impacted by the shortcomings. EDK II incorporates its own TCP/IP stack called  NetworkPkg  to enable network functionalities available during the initial Preboot eXecution Environment ( PXE , pronounced "pixie") stage, which allows for management tasks in the absence of a running operating system. In other words, it is a client-server interface to  boot a

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems. Romanian cybersecurity firm Bitdefender, which  discovered  the flaw in Bosch BCC100 thermostats last August, said the issue could be weaponized by an attacker to alter the device firmware and implant a rogue version. Tracked as  CVE-2023-49722  (CVSS score: 8.3), the high-severity vulnerability was addressed by Bosch in November 2023. "A network port 8899 is always open in BCC101/BCC102/BCC50 thermostat products, which allows an unauthenticated connection from a local WiFi network," the company  said  in an advisory. The issue, at its core, impacts the WiFi microcontroller that acts as a network gateway for the thermostat's logic microcontroller. By exploiting the flaw, an attacker could send commands to the thermostat, including writing a malicious updat

Google is highlighting the role played by  Clang sanitizers  in hardening the security of the cellular baseband in the  Android operating system  and preventing specific kinds of vulnerabilities. This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer ( UBSan ), a tool designed to catch various kinds of undefined behavior during program execution. "They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities," Ivan Lozano and Roger Piqueras Jover  said  in a Tuesday post. The development comes months after the tech giant said it's  working with ecosystem partners  to increase the  security of firmware  that interacts with Android, thereby making it difficult for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband. IntSan and BoundSan are two of the  compi

A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS. Of the 14 flaws – collectively called  5Ghoul  (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities. "5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers  said  in a study published today. As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google. The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated