BreachForums admin 'Pompourin' sentenced to 20 years of supervised release
Also: Another UEFI flaw found; Kaspersky discovers iOS log files actually work; and a few critical vulnerabilities
Infosec in brief Conor Brian Fitzpatrick – aka "Pompourin," a former administrator of notorious leak site BreachForums – has been sentenced to 20 years of supervised release.
Fitzpatrick was arrested and charged in March 2023. Authorities accused him of running the site, which allegedly facilitated sales of stolen data, hacking tools, and child sexual abuse material. He pled guilty but later breached the terms of his pretrial release and was incarcerated ahead of sentencing.
Last Friday the US District Court for the Eastern District of Virginia ruled [PDF] that Fitzpatrick will spend the next 20 years of his life on supervised release. For the first two years he'll be under home arrest and tracked by a GPS device, and for the first year he's forbidden to use the internet.
Sentencing guidelines meant he could have faced ten years in prison.
– Simon Sharwood
New UEFI flaw found
Another week, another serious security flaw found in BIOS successor UEFI – this time one that should alarm enterprise admins, because it affects systems configured for network booting.
The series of nine vulnerabilities is found in EDK II – an open source implementation of UEFI maintained by TianoCore – according to researchers from Quarkslab, who discovered the issue. Dubbed PixieFail, the weaknesses can be exploited through the Preboot Execution Environment (also known as PXE) specification used for network booting.
According to the researchers, the vulnerabilities are specifically found in the NetworkPkg module included in EDK II, which is used by vendors including Arm, Insyde Software, American Megatrends, Phoenix Technologies and Microsoft. Machines using EDK II that boot from a network using PXE – and, most crucially, are configured to use IPv6 – are all exposed to PixieFail.
IPv6 PXE booting, we note, isn't usually enabled by default. But if you could be affected it's best to check.
As has been well established by previous UEFI exploits like BlackLotus and LogoFail – the latter only just discovered in December – such vulnerabilities can be serious, and there's no exception in the case of PixieFail.
The researchers claim unauthenticated remote attackers could use PixieFail to do all the usual things internet miscreants do – like trigger a denial of service, leak information, remotely execute code, poison DNS caches, hijack network sessions and the like.
Proofs of concept are available, but we've been told there's no real-world exploit out there … yet.
"In the event that an exploit is developed, it would certainly attract the attention of advanced attackers," Boris Larin, principal security researcher at Kaspersky's Global Research and Analysis Team, told us. "Vulnerabilities that allow arbitrary code execution over a network without any user interaction are particularly alarming, as they can lead to devastating consequences."
Fixes are available for affected distributions of EDK II – time to get deploying before someone decides to test this in the real world.
Critical vulnerabilities: Another Chrome zero-day to patch
We covered several critical vulnerabilities this week, like a pair of Citrix NetScaler bugs under active exploit and the resurgence of some years-old vulnerabilities being hit by Androxgh0st, malware that is being used to build a botnet.
Lucky for you that leaves little in the way of other critical vulnerabilities to report. Except these, which nonetheless demand some immediate patch attention:
- CVSS 9.8 – CVE-2023-35078: It's not a new bug, but this authentication bypass vulnerability in Ivanti Endpoint Manager Mobile is under active exploitation, so be sure you're on a version newer than 11.10.
Who'da thunk: iOS log file an easy way to detect Pegasus infections
You'd have to be living under a digital rock to not have heard of Pegasus or Predator, the rather nasty spyware available for iOS and Android devices that's been used by governments around the world to snoop on their perceived enemies.
Those spyware kits are commonly assumed to be nigh-undetectable. But Kaspersky researchers have found a simple solution that – they claim – works consistently to detect Pegasus, Predator and Reign, another similar spyware tool: Log files.
iOS devices' Shutdown.log files, to be precise.
According to Kaspersky researchers, who tested Pegasus for their research but said Predator and Reign use similar filesystem paths, the Pegasus process doesn't shut down cleanly when iOS devices are rebooted, leaving an entry in Shutdown.log with a PID and filesystem path. Given filepaths for the malware are common knowledge, determining whether an infection is present is as simple as rebooting a device and collecting the log, Kaspersky explained.
Python scripts that automate log parsing are available.
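The detection idea above – reboot, collect Shutdown.log, look for processes that lingered at shutdown and compare their paths against known indicators – can be illustrated with a small parser. What follows is an added example written for this article, not Kaspersky's script. The line layout it parses ("remaining client pid: N (path)" after a SIGTERM marker), the indicator prefix and the sample log are all assumptions constructed for the example; replace the placeholder prefix with paths from a trusted IoC source.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed line shape (an assumption about the log layout, not a verified
# format): a process still alive when the system shuts down is recorded with
# its PID and executable path in parentheses.
CLIENT_RE = re.compile(
    r"remaining client pid:\s*(?P<pid>\d+)\s*\((?P<path>[^)]+)\)"
)

# Placeholder indicator list: substitute paths from a trusted IoC feed.
SUSPICIOUS_PATH_PREFIXES = ("/private/var/db/EXAMPLE-PLACEHOLDER-staging/",)

# Constructed allow-list of locations where legitimate daemons normally live.
BENIGN_PATH_PREFIXES = ("/System/", "/usr/")


@dataclass(frozen=True)
class LingeringClient:
    pid: int
    path: str
    verdict: str  # "suspicious", "benign" or "unknown"


def classify(path: str) -> str:
    """Map an executable path to a verdict using the prefix lists above."""
    if path.startswith(SUSPICIOUS_PATH_PREFIXES):
        return "suspicious"
    if path.startswith(BENIGN_PATH_PREFIXES):
        return "benign"
    return "unknown"


def parse_shutdown_log(text: str) -> list:
    """Return one LingeringClient per 'remaining client' line, in file order."""
    clients = []
    for line in text.splitlines():
        match = CLIENT_RE.search(line)
        if match:
            path = match.group("path").strip()
            clients.append(
                LingeringClient(int(match.group("pid")), path, classify(path))
            )
    return clients


def summarize(clients: list) -> Counter:
    """Count how often each non-benign path lingered across shutdowns.

    A path that refuses to exit cleanly reboot after reboot, with a fresh
    PID each time, is the pattern worth escalating for a full forensic look.
    """
    return Counter(c.path for c in clients if c.verdict != "benign")


# Constructed sample log (not a real Shutdown.log): two shutdown events,
# each leaving the same unknown-origin binary behind under a new PID.
SAMPLE_LOG = """\
SIGTERM: [0x1] remaining client pid: 61 (/usr/sbin/exampled)
SIGTERM: [0x1] remaining client pid: 940 (/private/var/db/EXAMPLE-PLACEHOLDER-staging/agent)
SIGTERM: [0x2] remaining client pid: 61 (/usr/sbin/exampled)
SIGTERM: [0x2] remaining client pid: 1203 (/private/var/db/EXAMPLE-PLACEHOLDER-staging/agent)
SIGTERM: [0x2] remaining client pid: 77 (/private/var/tmp/unknownbin)
"""

if __name__ == "__main__":
    for client in parse_shutdown_log(SAMPLE_LOG):
        print(f"{client.verdict:10s} pid={client.pid:<6d} {client.path}")
    print("\nlingered across shutdowns (non-benign):")
    for path, count in summarize(parse_shutdown_log(SAMPLE_LOG)).most_common():
        print(f"  {count}x {path}")
```

Because the evidence comes from the device's own log rather than from scanning memory or the filesystem live, the check is cheap enough to run after every reboot; the "unknown" bucket is what keeps a changed malware path from slipping through an indicator-only match.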
Grant money stolen from US government in spearphishing attack
The US Department of Health and Human Services (HHS) was reportedly hit by a spearphishing attack last year that allowed cyber criminals to make off with $7.5 million in grant money.
Reported by Bloomberg, citing unnamed sources within HHS, the thefts allegedly took place between March and November, 2023 and targeted a system for processing grant payments to civilians. According to Bloomberg's sources, the stolen funds were withdrawn from accounts containing money already allocated to five grant recipients, leaving HHS without money to award to the parties.
Particulars of the projects whose grant money was stolen weren't shared, though Bloomberg said $1.5 million of the pot was intended for high-need communities in the US.
The five projects have yet to be funded, Bloomberg's sources claim, and the government has yet to identify the culprits.
The Register has reached out to HHS for confirmation and more details, and will update this story if we hear back. ®