
Secure Boot useless on hundreds of PCs from major vendors after key leak

Plus: More stalkerware exposure; a $16M TracFone fine; Ransomware victims don't use MFA, and more


Infosec in brief Protecting computers' BIOS and the boot process is essential for modern security – but knowing it's important isn't the same as actually taking steps to do it.

For instance, take the research published last week by security boffins at firmware security vendor Binarly. The researchers found hundreds of PC models sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo and Supermicro, plus components sold by Intel, whose UEFI Secure Boot implementations are anchored to what appears to be a 12-year-old test platform key (PK) whose private half leaked in 2022.

"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," Binarly's boffins wrote.

And it's not like the manufacturers using the offending PK didn't have reason to know it was untrusted and not intended for use outside the lab: It said so right on the package.

"These test keys have strong indications of being untrusted," Binarly noted. "For example, the certificate issuer contains the 'DO NOT TRUST' or 'DO NOT SHIP' strings."

According to Binarly, more than ten percent of the firmware images in its dataset are vulnerable to exploitation with the untrusted PK, which was issued by American Megatrends International, possibly as early as May 2012. The researchers observed that this makes the issue "one of the longest-lasting [supply chain vulnerabilities] of its kind."

If an attacker were to leverage the PK in an attack, they could run untrusted code during the boot process, even with Secure Boot enabled.

"This compromises the entire security chain, from firmware to the operating system," Binarly added.

Binarly has released a free scanning tool to check systems for vulnerability to what it calls "PKfail". Running it seems a sensible action. As for fixing this issue, only the device manufacturers can: the PK is baked into firmware, so replacing it means shipping a firmware update, and vendors will need to step up.
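The "DO NOT TRUST" / "DO NOT SHIP" issuer strings Binarly describes give you a cheap local check while you wait for a firmware update. The Python below is an added example, not Binarly's scanner or code from this article: it parses the PK variable's EFI_SIGNATURE_LIST chain as laid out in the UEFI spec (16-byte SignatureType GUID, three uint32 sizes, then entries each prefixed by a 16-byte SignatureOwner GUID) and flags any X.509 entry whose DER contains either marker. It assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars, where each variable is prefixed with 4 attribute bytes; the sample variable data is constructed for the example and is not a real certificate.

```python
import struct
import uuid
from pathlib import Path

# UEFI spec GUID for a signature list of X.509 DER certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs path of the Platform Key variable on Linux (assumption: efivarfs is mounted here).
PK_EFIVAR = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
# Issuer strings Binarly reported in the untrusted AMI test PK. DER encodes PrintableString/
# UTF8String issuer fields as raw ASCII, so a byte search over the certificate finds them.
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, payload) for each entry across a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entries = data[off + 28 + hdr_size:off + list_size]
        # Every entry in one list has the same size: SignatureOwner GUID + signature data.
        for e in range(0, len(entries) - len(entries) % sig_size, sig_size):
            owner = uuid.UUID(bytes_le=entries[e:e + 16])
            yield sig_type, owner, entries[e + 16:e + sig_size]
        off += list_size


def untrusted_pk_entries(var_bytes: bytes, from_efivarfs: bool = True):
    """Return the index of every X.509 PK entry whose DER carries a DO NOT TRUST / DO NOT SHIP string."""
    data = var_bytes[4:] if from_efivarfs else var_bytes  # efivarfs prepends 4 attribute bytes
    flagged = []
    for i, (sig_type, _owner, der) in enumerate(parse_signature_lists(data)):
        if sig_type == EFI_CERT_X509_GUID and any(m in der for m in UNTRUSTED_MARKERS):
            flagged.append(i)
    return flagged


def build_signature_list(der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Wrap one DER blob in a single-entry EFI_SIGNATURE_LIST (used here to build test input)."""
    sig_size = 16 + len(der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + der


# Constructed sample data, not real certificates: two DER-like blobs, one carrying the marker.
CONSTRUCTED_VENDOR_DER = b"\x30\x82\x01\x00" + b"Example Vendor Platform Key" + b"\x00" * 8
CONSTRUCTED_UNTRUSTED_DER = b"\x30\x82\x01\x00" + b"DO NOT TRUST - AMI Test PK" + b"\x00" * 8
# Simulated efivarfs read: 4 attribute bytes, then two signature lists back to back.
CONSTRUCTED_EFIVAR = (
    b"\x07\x00\x00\x00"
    + build_signature_list(CONSTRUCTED_VENDOR_DER)
    + build_signature_list(CONSTRUCTED_UNTRUSTED_DER)
)


def check_system_pk():
    """Read the live PK from efivarfs and report flagged entries; None if efivarfs is unavailable."""
    if not PK_EFIVAR.exists():
        return None
    return untrusted_pk_entries(PK_EFIVAR.read_bytes())


if __name__ == "__main__":
    print("constructed sample, flagged entry indexes:", untrusted_pk_entries(CONSTRUCTED_EFIVAR))
    live = check_system_pk()
    if live is None:
        print("live PK: efivarfs not available on this host")
    elif live:
        print(f"live PK: entries {live} carry a DO NOT TRUST / DO NOT SHIP marker")
    else:
        print("live PK: no DO NOT TRUST / DO NOT SHIP markers found")
```

The same check by hand is `efi-readvar -v PK` from efitools, or extracting the DER and running `openssl x509 -inform der -noout -issuer -subject` on it. Two caveats: a PK without these strings is not thereby trustworthy (the markers are the cheap tell; Binarly's scanner matches against the known leaked keys), and a machine with Secure Boot in setup mode or with no PK enrolled has a different problem that this check does not cover.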

Critical vulnerabilities of the week: That KEV is how old?

We start this week with a new report of a very old vulnerability being exploited in the wild.

According to NIST, a use-after-free vulnerability in Internet Explorer versions 6 through 8 that allows remote attackers to execute arbitrary code, first seen exploited in the wild in 2012, is still being exploited today.

If, for some reason, you still have a machine running IE 6 to 8, maybe it's time to put it out to pasture?

It's also worth pointing out a quartet of vulnerabilities in the BIND 9 DNS server flagged last week by the Internet Systems Consortium (CVE-2024-4076, CVE-2024-1975, CVE-2024-1737, CVE-2024-0760).

If exploited, these flaws can lead to denial of service. Denial of service is less severe than code execution, but a resolver or authoritative server that falls over takes everything that depends on it down too, which merits getting those patches installed ASAP.

Another stalkerware vendor breached

It seems we can barely go two weeks without another stalkerware vendor being breached, but here we are. TechCrunch was handed a bunch of files stolen from Minnesota-based SpyTech last week.

The files, reportedly verified as authentic, contain activity logs harvested from phones, tablets and computers running SpyTech's software, which is installed covertly to snoop on what the devices' users are doing. Data belonging to more than 10,000 devices was found, going back to 2013.

Funnily enough, the CEO of SpyTech reportedly wasn't aware of the breach when asked about it – which just goes to show you these shops are more about making money than protecting the private data they scoop up on behalf of customers.

… And turn on MFA while you're at it

Security researchers at Cisco Talos released their quarterly report on incident response trends last week, and one startling trend stands out: Around 80 percent of ransomware engagements in Q2 occurred at organizations whose systems didn't employ multifactor authentication.

And here we thought Snowflake might have taught the world something.

Compromised credentials have been the most popular way of gaining initial access for the third quarter in a row, Talos noted, which is the same technique behind the Snowflake customer breaches.

Ransomware engagements as a whole were up 22 percent from the first to second quarter, accounting for 30 percent of all incidents to which Talos responded. Combined with the rise in attacks using stolen credentials and relying on a lack of MFA, maybe it'd be a good idea to spend some time this week enabling it for everyone – no exceptions.

TracFone fined $16 million for trio of breaches

Verizon subsidiary TracFone has agreed to pay the FCC $16 million to end investigations into a trio of data breaches the outfit experienced between 2021 and 2023.

According to the FCC, TracFone failed to secure several of its customer database APIs, resulting in criminals stealing customer account and device information, as well as personally identifiable info. The breaches resulted in "numerous unauthorized port-outs."

Not to be confused with SIM swaps, another scam most carriers are abysmal at preventing, a port-out moves the victim's number to a different carrier entirely. Either way the attacker ends up receiving the victim's calls and texts, including any SMS-based one-time codes, which is what makes both so useful for account takeover.

TracFone has been ordered to implement mandatory cyber security programs "with novel provisions to reduce API vulnerabilities," as well as SIM swap and port out protections. ®
