Weekly Security News – 11th December 2023

Welcome to this week’s Security News. 

If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack

A new attack, named LogoFAIL by researchers, has been identified, impacting hundreds of Windows and Linux computer models from various hardware manufacturers. This attack involves the execution of malicious firmware early in the boot-up sequence, providing a high level of control over vulnerable systems. What makes LogoFAIL particularly concerning is its ease of execution, the wide range of affected consumer- and enterprise-grade models, and its ability to bypass traditional defense mechanisms. The attack can be remotely carried out in post-exploit situations using techniques that are difficult for standard endpoint security products to detect. Additionally, LogoFAIL can circumvent defenses like Secure Boot, Intel’s Secure Boot, and similar protections designed to prevent bootkit infections. This vulnerability underscores the need for enhanced security measures to protect against such sophisticated attacks.

Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software

Unauthorized websites distributing trojanized versions of cracked software have been identified as a source of infection for Apple macOS users, introducing a new Trojan-Proxy malware. Kaspersky security researcher Sergey Puzan noted that this type of malware can be exploited by attackers to generate income through the creation of proxy server networks or to carry out criminal activities on behalf of victims, including launching attacks on websites, companies, and individuals, as well as engaging in illicit transactions. The cybersecurity firm found evidence suggesting that the malware is a cross-platform threat, with artifacts linked to Windows and Android discovered in association with pirated tools.

New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices

A serious Bluetooth security flaw, identified as CVE-2023-45866, could potentially allow attackers to take control of Android, Linux, macOS, and iOS devices. This flaw is an authentication bypass issue that lets attackers connect to vulnerable devices without user confirmation and inject keystrokes to execute code. The flaw was discovered by security researcher Marc Newlin and reported to the software vendors in August 2023. The attack works by tricking the target device into believing it’s connected to a Bluetooth keyboard, exploiting an “unauthenticated pairing mechanism” in the Bluetooth specification.

LogoFAIL attack can install UEFI bootkits through bootup logos

A set of security vulnerabilities named LogoFAIL has been identified, impacting image-parsing components in UEFI code from multiple vendors. These vulnerabilities, identified by researchers at the firmware supply chain security platform Binarly, have the potential to be exploited for hijacking the booting process execution flow and delivering bootkits. The vulnerabilities specifically affect image parsing libraries used by vendors to display logos during the booting routine, and they have a widespread impact on x86 and ARM architectures. The security risks arise from branding elements that introduce unnecessary vulnerabilities, allowing for the execution of malicious payloads by injecting image files into the EFI System Partition (ESP). This poses a significant threat to the security of the boot process and, consequently, the overall system.

Cyber Attacks

Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan

A suspected Chinese-speaking threat actor has been linked to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users. The campaign uses a remote access trojan called SugarGh0st RAT. This activity, which started no later than August 2023, uses two different infection sequences to deliver the malware. The malware is a customized variant of Gh0st RAT (also known as Farfli).

New Threat Actor ‘AeroBlade’ Emerges in Espionage Attack on U.S. Aerospace

An unidentified threat actor, tracked as AeroBlade by the BlackBerry Threat Research and Intelligence team, has been linked to a cyber espionage attack on a U.S. aerospace organization. The attacker used spear-phishing, sending a weaponized document via email that contained a remote template injection technique and malicious VBA macro code, to deliver the payload. The origin of the attack and its success are currently unknown.


Meta begins rolling out end-to-end encryption across Messenger and Facebook

Meta, Facebook’s parent company, has initiated the rollout of end-to-end encryption for Messenger and Facebook, as announced on Thursday. The encryption is based on the Signal protocol, known for its strong security features, and Meta’s proprietary Labyrinth protocol. Loredana Crisan, Meta’s vice-president for Messenger, mentioned that the development of these new features took years, involving a comprehensive rebuild of the app from the ground up. End-to-end encryption enhances user privacy by ensuring that only the intended recipients can access the content of their messages, providing an additional layer of security to user communications.

Microsoft Will Eventually Start Charging You for Windows 10 Security Updates

Microsoft has announced that Windows 10, released a decade ago, will reach its end of life on October 14, 2025. Although the current version, 22H2, will continue receiving monthly security updates until the end date, users will be required to pay for access to security fixes and bug hunts after that. Microsoft will introduce an “Extended Security Update” program, allowing both businesses and individual users to purchase subscriptions for continued access to monthly security updates. While details about individual user subscriptions are yet to be provided, businesses can acquire yearly ESU subscriptions.

Ransomware-as-a-Service: The Growing Threat You Can’t Ignore

Ransomware attacks have emerged as a substantial and widespread threat in the constantly evolving field of cybersecurity. A notable trend within this landscape is the rise of Ransomware-as-a-Service (RaaS). This development has significantly impacted the cybercrime landscape by empowering individuals with limited technical skills to execute highly damaging attacks. RaaS represents a form of cybercriminal collaboration, where malicious actors provide the tools and infrastructure for others to conduct ransomware attacks, contributing to the proliferation of this type of cyber threat.

Hacking the Human Mind: Exploiting Vulnerabilities in the ‘First Line of Cyber Defense’

In the field of cybersecurity, humans are often the main targets for attackers. These attackers have honed their skills to exploit human characteristics, manipulating emotional triggers and biases to influence behavior and breach security, both personal and organizational.