This month, the cybersecurity landscape has been particularly eventful. From a major Secure Boot vulnerability threatening countless devices, to a groundbreaking yet affordable laser hacking tool developed by researchers, the realm of cybersecurity continues to evolve in unexpected ways. We also witnessed a significant domain migration hijack affecting numerous decentralized finance platforms and an alarming breach of the notorious BreachForums database. Meanwhile, industry giants like CrowdStrike faced a major outage, and an unusual case of inadvertent recruitment of a North Korean hacker sheds light on the evolving threats against security firms.
New/Improved Techniques
Secure Boot Bypass
Secure Boot is a security feature included in the UEFI (Unified Extensible Firmware Interface) of many modern devices such as laptops and desktop computers. It is designed to check the signatures of the operating system and boot drivers during the startup process to ensure that they have not been altered. Secure Boot was designed, implemented, and widely adopted as a response to the emergence of BIOS rootkits (BIOS is the precursor to UEFI). Rootkits are malware tools that allow stealthy root access by subverting key protection mechanisms built into operating systems. Secure Boot is considered by Microsoft to be an important part of securing device trust and preventing low-level malware.
Researchers from Binarly revealed this month that the cryptographic key underpinning Secure Boot on hundreds of devices sold by major manufacturers has been compromised. The discovery was made on a public GitHub repository, where a staff member from one of the manufacturers had accidentally included the private cryptographic key – encrypted, but with a four-character password. Unsurprisingly, it was no challenge to recover the key, which could theoretically be used to sign malicious drivers and execute malware at boot on the affected devices.
The UEFI firmware updates required to roll out new secure cryptographic keys are up to the individual device manufacturers to release, and the updates cannot generally be performed from within the operating system – requiring manual updating by users for each device.
Unfortunately, while investigating the compromised key the researchers also discovered an additional 21 platform keys, used on hundreds more devices, that contained the strings DO NOT SHIP and DO NOT TRUST – indicating that these devices shipped with keys that were never meant for public release, and that the problem is even more widespread than initially thought.
RayV Lite – $500 Laser Hacking Tool
Two security researchers from NetSPI have created a laser hacking tool using a combination of 3D printing, a Raspberry Pi and off-the-shelf components costing less than US$500. While the technology and technique are not novel, commercial laser hacking tools range from US$10,000 for low-end units up to US$150,000 for state-of-the-art tooling.
The initial version of RayV Lite focuses on laser fault injection – a technique where a precisely aimed laser is fired at individual transistors on a processor, causing bits to flip. This is an impressive feat considering modern chips have transistors as small as 5 nanometres – for perspective, the Covid-19 virus is around 50nm. The researchers were able to build their device so inexpensively by leveraging a finding by researchers at the Royal Holloway University of London: in these types of hardware attacks, low-powered lasers applied for longer can be as effective as more powerful lasers applied for a shorter duration.
Using their tool, the researchers have been able to target and bypass security checks in an automotive chip’s firmware, and bypass PIN verification for hardware cryptocurrency wallets. The technique does require direct access to the chip in question, so the risk to the public from these techniques is low – however, the risk is real for operators of industrial control systems, automobiles and medical devices – and the international intelligence community will likely leverage this technology more broadly.
Attacks / Threats
[Global] Squarespace Domain Migration Hijack
Attackers have discovered a flaw in Squarespace’s domain migration method that has allowed them to gain control of domain names registered with Google Domains. Squarespace acquired Google Domains in 2023 and has since been attempting to transition close to 10 million domain names, attempting to provide a method that was seamless to their customers.
To facilitate the migration, Squarespace used the data they purchased to pre-link email addresses to domains, assuming their customers would sign up with the same email address in the Squarespace system. The Squarespace sign-up flow did not require users to complete any email validation, which meant that by guessing the email address, attackers were able to freely claim any domain associated with an address whose rightful owner had not yet logged into Squarespace to claim the domain.
Multiple decentralised finance platforms were affected, having their DNS records updated to point towards replica phishing pages; the platforms were eventually able to regain control of their domains.
Squarespace have since updated their sign-up flow to require email verification, with owners of domains registered with Google Domains advised to create an account with Squarespace and enable multifactor authentication.
[US / Global] BreachForums Database Leak
A complete database backup for the notorious darkweb site, BreachForums, has been leaked online. The site was taken down by the FBI in May of this year, notably straight after the site was used to leak data stolen from Europol. The original owner, an American man known online as Pompompurin, was arrested in 2023.
It is believed that, while on bail following his arrest, Pompompurin sold the database backup for a small sum of money to the threat group ShinyHunters, who then attempted to sell the database for US$150,000. Another threat actor, called Emo, is responsible for the leak – although it is unclear how they obtained the backup. What is clear is the motive for the leak, which occurred as a response to Emo’s ban from the current iteration of the site, run by ShinyHunters.
The database has been confirmed to be a complete backup of the forum, and although it was created in late 2022 it contains a trove of information, including hashed passwords, cryptocurrency addresses, forum posts, and private messages.
Naughty List
CrowdStrike – Worldwide Outage
In mid-July, CrowdStrike released an update that caused millions of user endpoints and servers worldwide running the CrowdStrike Falcon application to bluescreen and become unbootable.
The issue was caused by a newly introduced sensor capability intended to provide visibility into novel attack techniques that abuse certain Windows mechanisms. Released in February, the sensor received its first update in March, with three additional updates in April, all of which performed as expected. Unfortunately, comfortable that the previous updates had proceeded smoothly, CrowdStrike pushed out another, less tested update in July that contained 21 input fields, while the sensor expected only 20. This caused an out-of-bounds memory read during validation, which crashed the kernel – preventing the device from booting. The crashes recurred on each boot as the validation attempted to run again.
An out-of-bounds memory read or write is where a program attempts to access an area of memory outside the region allocated to it – generally causing the program to crash. Windows has mechanisms to contain such faults, but CrowdStrike runs as part of the boot process, where these protections are not available. A fix was distributed swiftly by CrowdStrike; however, it was challenging for devices to receive – on boot, the device was effectively in a race between downloading the new update and validating the faulty one, and losing that race crashed the machine again. A second fix was also provided, but strangely required CrowdStrike customers to opt in to receive it. This fix gave much better odds in the start-up race and was effective for the remaining customers. Manual remediation, physically at the device, was also an option that many organisations chose.
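As an added illustration of the field-count mismatch described above (this is not CrowdStrike's code and not the real update format), the C below places a validator that trusts the update's own field count beside one that checks it against the 20-entry template before indexing anything. The blob layout, the limit values and the function names are hypothetical, constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TEMPLATE_FIELDS 20  /* the sensor expected exactly 20 fields (from the page) */
/* Constructed per-field limits (hypothetical values). Constructed blob layout: byte 0 is
 * the field count, followed by `count` native-endian uint32 field values. */
static const uint32_t g_template[TEMPLATE_FIELDS] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 };
enum { UPDATE_OK = 0, UPDATE_ERR_LEN = 1, UPDATE_ERR_COUNT = 2, UPDATE_ERR_FIELD = 3 };

static uint32_t field_at(const uint8_t *buf, size_t i) {
    uint32_t v;
    memcpy(&v, buf + 1 + 4 * i, sizeof v);
    return v;
}

/* Defective pattern: the blob's own count drives the loop, so a 21-field blob makes the
 * last iteration read g_template[20], one past the end. Illustration only. */
int validate_unchecked(const uint8_t *buf, size_t len) {
    if (len < 1) return UPDATE_ERR_LEN;
    for (size_t i = 0, n = buf[0]; i < n; i++)
        if (field_at(buf, i) > g_template[i]) return UPDATE_ERR_FIELD;  /* OOB at i == 20 */
    return UPDATE_OK;
}

/* Hardened: the declared count is untrusted input. Reject a mismatch with the template
 * and a buffer too short for the declared fields before indexing anything. */
int validate_checked(const uint8_t *buf, size_t len) {
    if (len < 1) return UPDATE_ERR_LEN;
    size_t count = buf[0];
    if (count != TEMPLATE_FIELDS) return UPDATE_ERR_COUNT;  /* a 21-field update stops here */
    if (len < 1 + 4 * count) return UPDATE_ERR_LEN;
    for (size_t i = 0; i < count; i++)
        if (field_at(buf, i) > g_template[i]) return UPDATE_ERR_FIELD;
    return UPDATE_OK;
}

/* Build a constructed blob with `count` fields, each exactly at its template limit. */
size_t build_update(uint8_t count, uint8_t *out, size_t cap) {
    size_t need = 1 + 4 * (size_t)count;
    if (cap < need) return 0;
    out[0] = count;
    for (size_t i = 0; i < count; i++) {
        uint32_t v = (uint32_t)i + 1;
        memcpy(out + 1 + 4 * i, &v, sizeof v);
    }
    return need;
}
```

A 20-field blob passes both validators; a 21-field blob is rejected by validate_checked before the loop runs, which is the check the defective version lacks.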
The issue affected half of all Fortune 500 companies, as well as banks, airlines, hospitals and government departments globally, with the full cost of the outage yet to be calculated. CrowdStrike have taken a 40% hit to their stock price and face legal repercussions from their shareholders, and the incident has called into question disaster recovery planning and existing automated software update methodologies worldwide.
Accidentally Hiring North Korean Hackers? – More Likely Than You Think
The US-based security awareness training company KnowBe4 revealed that they had unwittingly hired a North Korean state-sponsored actor who had attempted to load malware onto the company’s network. In a statement, KnowBe4 indicated that they had detected the activity and removed the user's access before any damage was caused, and that no data had been compromised or exfiltrated.
The North Korean man used an AI-enhanced image in the job application, and made it through 4 rounds of video interviews, as well as passing background and reference checks, to be hired as a principal software engineer. As soon as the man received his company-provided Apple MacBook, he began attempting to load malware, triggering a number of alarms. The KnowBe4 SOC identified the activity and, suspecting that the user might be an insider threat or nation-state actor, blocked his access. When contacted, the user initially responded and then stopped replying to the company entirely.
This incident shows how aggressive nation states are towards the West, and that they are willing to build out infrastructure to get their actors hired into Western security companies. It highlights the need for robust hiring practices in protective security organisations, and the importance of effective security monitoring even when preventive controls are in place.