This week’s security snacks:
- UEFI Malware Traversing the Internet
- Phone Carriers Selling Your Real-Time Location
- Don’t Get Breached Like Marriott
UEFI Malware Traversing the Internet
UEFI compromised; rootkit found in the wild; prevent with Secure Boot + apply firmware updates early and often.
A notorious cyber-espionage group (Sednit) has deployed a rootkit successfully targeting UEFI. UEFI is designed to prevent rootkit attacks, so it is very alarming that UEFI has been successfully hacked.
The exploit is called LoJax, and has a fairly typical infection chain:
- Victim downloads a dropper agent (rpcnetp.exe) in response to a phishing email or other trickery
- Exe calls Internet Explorer, which communicates externally to get the UEFI rootkit
- The UEFI rootkit is written to firmware by exploiting the way some firmware vendors allow remote serial peripheral interface (SPI) flash writes
- The system is compromised on boot
For a compromised system, admins can only re-flash the SPI memory or throw out the motherboard according to ESET researcher Frédéric Vachon. However, they can prevent it from happening in the first place by enabling Secure Boot and making sure their UEFI is up to date.
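The two mitigations named above are easy to state but worth verifying on every host. The following Go program is an added example (not code from the article or from ESET) that reads the `SecureBoot` and `SetupMode` UEFI variables the Linux kernel exposes through efivarfs and reports whether Secure Boot is actually enforcing. It assumes the default efivarfs mount point `/sys/firmware/efi/efivars`; the record layout (a 4-byte attribute word followed by the variable payload) and the EFI global variable GUID are standard.

```go
// Added example: check whether a Linux host booted with UEFI Secure Boot
// enforcing, by parsing the efivars records the kernel exposes.
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// EFI global variable GUID; both SecureBoot and SetupMode live under it.
const efiGlobalGUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

// Default efivarfs mount point on Linux (assumed; adjust if mounted elsewhere).
const efivarsDir = "/sys/firmware/efi/efivars"

// parseEfiVar splits a raw efivarfs record into its 32-bit attribute word
// and its payload. efivarfs prefixes every variable with 4 attribute bytes,
// so a valid record for these one-byte variables is at least 5 bytes long.
func parseEfiVar(raw []byte) (attrs uint32, data []byte, err error) {
	if len(raw) < 5 {
		return 0, nil, errors.New("efivar record too short")
	}
	return binary.LittleEndian.Uint32(raw[:4]), raw[4:], nil
}

// secureBootEnforcing interprets the two variables together: SecureBoot must
// be 1 and SetupMode must be 0. Firmware in setup mode accepts any keys, so
// Secure Boot is not protecting the boot chain even if SecureBoot reads 1.
func secureBootEnforcing(secureBootRaw, setupModeRaw []byte) (bool, error) {
	_, sb, err := parseEfiVar(secureBootRaw)
	if err != nil {
		return false, fmt.Errorf("SecureBoot: %w", err)
	}
	_, sm, err := parseEfiVar(setupModeRaw)
	if err != nil {
		return false, fmt.Errorf("SetupMode: %w", err)
	}
	return sb[0] == 1 && sm[0] == 0, nil
}

// checkHost reads the live variables from efivarfs. It fails on a legacy
// BIOS boot or when efivarfs is not mounted, which is itself a finding.
func checkHost(dir string) (bool, error) {
	sb, err := os.ReadFile(filepath.Join(dir, "SecureBoot-"+efiGlobalGUID))
	if err != nil {
		return false, err
	}
	sm, err := os.ReadFile(filepath.Join(dir, "SetupMode-"+efiGlobalGUID))
	if err != nil {
		return false, err
	}
	return secureBootEnforcing(sb, sm)
}

func main() {
	ok, err := checkHost(efivarsDir)
	if err != nil {
		fmt.Println("could not read efivars (legacy BIOS boot or efivarfs not mounted):", err)
		os.Exit(2)
	}
	if ok {
		fmt.Println("Secure Boot: enforcing")
		return
	}
	fmt.Println("Secure Boot: NOT enforcing (disabled or firmware in setup mode)")
	os.Exit(1)
}
```

Run it as an inventory or compliance check across a fleet; a host that exits non-zero is one where a LoJax-style SPI write would go unchallenged at boot. Firmware version checks remain vendor-specific and are not covered here.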
You can find a good writeup, and links to even more info if you want it, in this ThreatPost article: First-Ever UEFI Rootkit Tied to Sednit APT.
Phone Carriers Selling Your Real-Time Location
Somebody who knows your phone number can pay to find out where you are right now.
A journalist (Joseph Cox of Motherboard) was able to pay a bounty hunter to track down the location of somebody’s T-Mobile cell phone for $300.
This is despite the fact that wireless carriers promised last year to stop selling this data. Whatever the delivery mechanism (wireless carriers, “middlemen,” etc.), it’s clear that real-time location data is available to people who should not have access to it.
Motherboard reports that all the big wireless carriers are still selling real-time location data. The allegation is credible enough that three senators are speaking out against it. No laws currently prevent them from selling the data.
Get more information in Motherboard’s article, Senators Call on FCC To Investigate T-Mobile, AT&T, and Sprint Selling Location Data to Bounty Hunters.
Don’t Get Breached Like Marriott
Last year’s Marriott data breach reveals a few valuable, real-world lessons that IT pros should know about.
The infamous breach was perhaps the biggest privacy violation of 2018, exposing half a million people’s personal data—including credit card numbers. Here are a few key lessons.
Proactively address cybersecurity risks with acquisitions.
Marriott acquired Starwood in 2016, and the integration was a nightmare, leaving systems vulnerable. In particular, the cobbling together of a variety of databases on the Starwood side is reported to have been troubling.
Treat breached systems as if they are more likely to be breached again (because they are).
In 2015, Starwood announced it had experienced a small data breach of its POS systems. Nobody can say whether malware remained after that breach or whether the systems were attacked anew before the “big breach of 2018.” Either way, a flag had been raised to be extra vigilant on these systems, and no doubt Marriott wishes it had paid more attention to it.
Don’t store encryption keys with encrypted data.
Marriott has not ruled out the possibility that they stored both of the AES-128 keys on the same network segment as the data. Obviously, IT security policy should strictly forbid this. It’s a little like leaving your house key taped to the front door, or at least under the mat.
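The standard design that keeps keys off the data's network segment is envelope encryption: each record is encrypted under its own data-encryption key (DEK), and only a copy of the DEK wrapped under a key-encryption key (KEK) is stored beside the ciphertext; the KEK itself lives in a separate key service or HSM and never reaches the database. The Go program below is an added example (not the article's or Marriott's code) of that pattern using AES-GCM from the Go standard library. The `Record` type, the `Encrypt`/`Decrypt` functions and the sample record ID are assumptions for illustration, and the card number in `main` is a constructed test value.

```go
// Added example: envelope encryption so the key-encryption key (KEK) is never
// stored with the data. The record kept in the database carries only a DEK
// wrapped under the KEK, which is useless without the KEK held elsewhere.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what lands in the database segment: ciphertext plus a wrapped
// per-record data key. Nothing in it decrypts without the KEK.
type Record struct {
	WrappedDEK []byte // DEK encrypted under the KEK (nonce || ciphertext || tag)
	Ciphertext []byte // data encrypted under the DEK (nonce || ciphertext || tag)
}

// aesGCMSeal encrypts with AES-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; any tampering or wrong key yields an error.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt generates a one-off AES-128 DEK (the key size the article mentions),
// encrypts the data under it, wraps the DEK under the KEK, and returns the
// storable Record. The KEK is a caller-held secret and is never written out.
func Encrypt(kek, plaintext []byte, recordID string) (*Record, error) {
	dek := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := aesGCMSeal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := aesGCMSeal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data. Binding the
// record ID as AAD stops a wrapped DEK from being swapped between records.
func Decrypt(kek []byte, rec *Record, recordID string) ([]byte, error) {
	dek, err := aesGCMOpen(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aesGCMOpen(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	// In production the KEK comes from a KMS/HSM on a separate segment;
	// here it is generated in memory purely to exercise the code.
	kek := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Constructed sample value, not real card data.
	rec, err := Encrypt(kek, []byte("4111 1111 1111 1111"), "guest-42")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, rec, "guest-42")
	fmt.Printf("recovered=%q err=%v\n", pt, err)
}
```

The point the example makes concrete: an attacker who exfiltrates the whole database segment gets `Record` values and nothing else, so the dump stays opaque unless the KEK store is also compromised. Rotating the KEK means re-wrapping the small DEKs, not re-encrypting every row.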
If you want a little more information, you can find it on Security Boulevard under the title, The Marriott Data Breach: 5 Vital Takeaways to Keep Your Business Safe.