All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of November 28th, 2022. I’ve also included some comments on these stories.
UEFI bugs disabled Secure Boot
Acer has fixed a high-severity vulnerability that could enable local attackers to deactivate UEFI Secure Boot on targeted systems, BleepingComputer reports. Secure Boot blocks untrusted operating system bootloaders so that malicious code such as rootkits and bootkits cannot load during startup; multiple Acer laptop models are affected.
A vulnerability was found in Acer laptops that could lead to the deactivation of Secure Boot. A local attacker could use this vulnerability to bypass the security feature; Secure Boot is used to prevent untrusted bootloaders from running on systems that have it enabled. To exploit this issue an attacker needs high privileges and must modify the “BootOrderSecureBootDisable” NVRAM variable to disable Secure Boot. Acer has released updated BIOS versions to resolve this issue, and the fix will also be delivered as a critical Windows update.
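A practical follow-up to a story like this is checking whether Secure Boot is actually in force on a Linux host, not just switched on in the setup menu. The script below is an added example written for this roundup, not code from the article, Acer or BleepingComputer. It reads the standard `SecureBoot` and `SetupMode` variables through efivarfs and looks for any variable whose name starts with the `BootOrderSecureBootDisable` name from the advisory. Two assumptions are made because the article does not state them: the vendor GUID of that variable (so matching is by name prefix only, and the demo uses an all-zero placeholder GUID), and that a non-zero value is the "disable" state an attacker would write.

```python
"""Audit a Linux host's UEFI Secure Boot state through efivarfs (added example)."""
import json
import tempfile
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# GUID of the EFI global variable namespace, where SecureBoot and SetupMode live.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Vendor variable named in the advisory. Its GUID is not published in the article,
# so we match on the name prefix only (assumption).
DISABLE_VAR_PREFIX = "BootOrderSecureBootDisable-"


def read_efivar(efivars: Path, name: str, guid: str):
    """Return a variable's payload, or None if absent.

    efivarfs exposes each variable as <Name>-<GUID> and prepends a 4-byte
    little-endian attribute word to the data, which we strip.
    """
    path = efivars / f"{name}-{guid}"
    if not path.is_file():
        return None
    return path.read_bytes()[4:]


def audit_secure_boot(efivars=EFIVARS) -> dict:
    """Summarise Secure Boot state; 'effective' is True only when nothing undermines it."""
    efivars = Path(efivars)
    if not efivars.is_dir():
        # Legacy BIOS boot, or efivarfs not mounted: nothing to audit.
        return {"efi": False, "secure_boot_enabled": False, "setup_mode": False,
                "disable_variables": {}, "effective": False}
    sb = read_efivar(efivars, "SecureBoot", EFI_GLOBAL_GUID)
    setup = read_efivar(efivars, "SetupMode", EFI_GLOBAL_GUID)
    enabled = bool(sb) and sb[0] == 1
    # SetupMode == 1 means no Platform Key is enrolled, so signatures are not enforced.
    setup_mode = bool(setup) and setup[0] == 1
    # Map each matching vendor variable to whether it holds a non-zero value.
    # Assumption: non-zero is the "disable Secure Boot" state the attacker sets.
    disable_vars = {}
    for p in sorted(efivars.iterdir()):
        if p.name.startswith(DISABLE_VAR_PREFIX):
            disable_vars[p.name] = any(p.read_bytes()[4:])
    tripped = any(disable_vars.values())
    return {
        "efi": True,
        "secure_boot_enabled": enabled,
        "setup_mode": setup_mode,
        "disable_variables": disable_vars,
        "effective": enabled and not setup_mode and not tripped,
    }


def write_demo_efivars(root: Path, secure_boot: int, setup_mode: int,
                       disable_value: bytes) -> Path:
    """Build a constructed efivarfs look-alike for offline demonstration."""
    bs_rt = (0x6).to_bytes(4, "little")     # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    nv_bs_rt = (0x7).to_bytes(4, "little")  # NON_VOLATILE | BS | RT
    (root / f"SecureBoot-{EFI_GLOBAL_GUID}").write_bytes(bs_rt + bytes([secure_boot]))
    (root / f"SetupMode-{EFI_GLOBAL_GUID}").write_bytes(bs_rt + bytes([setup_mode]))
    if disable_value is not None:
        # Placeholder vendor GUID: the real one is not given in the article.
        fake_guid = "00000000-0000-0000-0000-000000000000"
        (root / f"{DISABLE_VAR_PREFIX}{fake_guid}").write_bytes(nv_bs_rt + disable_value)
    return root


def demo() -> dict:
    """Run the audit against a clean tree and one where the disable knob is set."""
    results = {}
    for label, value in (("clean", None), ("suspect", b"\x01")):
        with tempfile.TemporaryDirectory() as tmp:
            results[label] = audit_secure_boot(write_demo_efivars(Path(tmp), 1, 0, value))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(audit_secure_boot(), indent=2))  # the live host, if it boots via UEFI
```

Run it as root on the host you want to check; the last line reports the live state, and `effective: false` with a populated `disable_variables` entry is the condition worth investigating, together with confirming the firmware has Acer's updated BIOS.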
Docker Images contain malicious content
Over 1,600 publicly available Docker Hub images hide malicious behavior, noted BleepingComputer on November 24. This includes cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors.
Caution is required when downloading public Docker Hub images because they may contain malicious content. Malicious images could include cryptocurrency miners, potential backdoors, DNS hijackers, and website redirectors. The researchers at Sysdig used automated scanners on 250,000 Linux images and determined there were 1,652 images that contained malicious content, the most prevalent being crypto miners.
Publicly available Docker Hub images should be checked and verified before use rather than trusted on name alone. Image names should also be double-checked for typos before pulling: a mistyped name can resolve to an attacker-controlled image that mimics a legitimate one.
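The checks above can be made mechanical before `docker pull` ever runs. The script below is an added example written for this roundup, not code from the article or from Sysdig. It parses an image reference according to Docker's reference rules, requires a `sha256` digest pin instead of a mutable tag, restricts pulls to an allow-listed set of registry namespaces, and flags names that are within two edits of an official image name. The namespace allow-list and the set of official image names are illustrative and would be tuned per organisation; the sample references are constructed, not taken from the Sysdig findings.

```python
"""Vet a Docker image reference before pulling it (added example)."""
import re

# Illustrative subset of Docker Hub official images to compare names against.
OFFICIAL_IMAGES = frozenset({
    "alpine", "ubuntu", "debian", "nginx", "redis", "python", "node",
    "postgres", "mysql", "busybox", "golang", "httpd",
})
# Illustrative allow-list: only Docker Hub official images by default.
DEFAULT_ALLOWED_NAMESPACES = frozenset({"docker.io/library"})
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref: str) -> dict:
    """Split a reference into registry, namespace, name, tag and digest.

    Docker's rules: the first path component is a registry only if it contains a '.'
    or ':' or is 'localhost'; a bare name lives under docker.io/library; a ':' is a
    tag separator only when it comes after the last '/', otherwise it is a port.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    registry = "docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    if len(parts) == 1:
        parts.insert(0, "library")
    return {"registry": registry, "namespace": "/".join(parts[:-1]),
            "name": parts[-1], "tag": tag, "digest": digest}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names one or two typos away from an official image."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_reference(ref: str, allowed_namespaces=DEFAULT_ALLOWED_NAMESPACES,
                  max_distance: int = 2) -> list:
    """Return a list of findings; an empty list means the reference passed every check."""
    r = parse_reference(ref)
    findings = []
    if r["digest"] is None:
        findings.append("unpinned")            # a mutable tag can be repointed later
    elif not DIGEST_RE.match(r["digest"]):
        findings.append("bad-digest")
    ns = f"{r['registry']}/{r['namespace']}"
    if ns not in allowed_namespaces:
        findings.append(f"namespace:{ns}")
    if r["name"] in OFFICIAL_IMAGES:
        if ns != "docker.io/library":
            # Same name as an official image but under a different namespace (e.g. evil/nginx).
            findings.append(f"impersonates-official:{r['name']}")
    else:
        # Name close to an official one (e.g. nginxx, ubunut) is the typo case.
        nearest = min(sorted(OFFICIAL_IMAGES), key=lambda o: levenshtein(r["name"], o))
        if levenshtein(r["name"], nearest) <= max_distance:
            findings.append(f"typosquat:{nearest}")
    return findings


if __name__ == "__main__":
    # Constructed sample references for demonstration.
    for sample in ("nginx", "nginxx:latest", "someuser/ubunut@sha256:" + "0" * 64,
                   "docker.io/library/nginx:1.25@sha256:" + "a" * 64):
        print(f"{sample!r}: {vet_reference(sample) or 'ok'}")
```

Wire `vet_reference` into whatever produces your pull list (CI manifests, Compose files, Kubernetes specs) and fail the pipeline on any finding; the digest requirement is the one that stops a later repoint of a tag you already reviewed.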
Android App relaying SMS to create accounts
A fake Android SMS application has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook, reported BleepingComputer this past week. The spoofed app already boasts 100,000 downloads on the Google Play store.
An Android application has been discovered relaying SMS messages for an account-creation service. Infected devices are rented out as phone numbers and used to receive the verification codes needed to create new accounts. To be affected, a user needs to install and then run the application. The application requests permission to send and read SMS messages, then shows a fake loading screen while the attackers send and receive messages in the background. Once the attackers are finished, the application freezes, which leads most users to uninstall it.
Microsoft Defender gains additional protection mechanisms
Microsoft recently announced that built-in protection is generally available for all devices onboarded to Defender for Endpoint, the company's endpoint security platform. Says BleepingComputer, once applied, these default settings provide better protection for enterprise endpoints against emerging threats, including ransomware.
Defender for Endpoint now has built-in protection for all onboarded devices, giving them better defaults against emerging threats and ransomware attacks. Today, built-in protection means turning on tamper protection, with further default settings to follow. Tamper protection locks Microsoft Defender Antivirus to secure default values and blocks attempts to change those settings. It will be enabled for all customers, who receive a notification about the change.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.