At a glance.
- "Pantsdown" in QCT Baseboard Management Controllers.
- ChromeLoader warning.
- Conti's ongoing story.
- Ransomware's effect on SpiceJet.
- CISA adds to Known Exploited Vulnerabilities Catalog.
- Kyiv honors Google.
"Pantsdown" in QCT Baseboard Management Controllers.
Eclypsium this morning published research into the susceptibility of Quanta Cloud Technology (QCT) servers to exploitation via the "Pantsdown" Baseboard Management Controller (BMC) flaw. "This vulnerability can provide an attacker with full control over the server including the ability to propagate ransomware, stealthily steal data, or disable the BMC or the server itself. Additionally, by gaining code execution in the BMC, attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI group," Eclypsium wrote in their report. Patches are expected soon, and Eclypsium notes that the most recent versions of affected QCT products have a secure boot capability that should serve to mitigate risk in the meantime.
Eclypsium's executive summary offers some useful reflections on the business implications of moving to the cloud, and on the security issues one must remain aware of in doing so. Cloud services are still susceptible to firmware issues that arise in their hardware. As Eclypsium puts it:
- "These services still run on hardware: “somebody else’s” hardware, but hardware just the same,"
- "Hardware cannot run without firmware: complex custom code provided by the manufacturer and a multitude of suppliers," and
- "Firmware contains the same misconfiguration, vulnerabilities, and weaknesses that application and operating system code does: it’s just more complex, less accessible, and less understood by practitioners in the field who often have a hands-off approach to firmware."
Warning on ChromeLoader.
Red Canary researchers describe ChromeLoader, a browser hijacker that modifies browser settings and redirects victims to advertising websites. The malware is hidden inside what appears to be a cracked video game or a pirated movie or TV show. It uses PowerShell to inject itself into the browser and add a malicious extension; that PowerShell activity is visible to defenders, and, Red Canary explains, is how ChromeLoader was discovered. The PowerShell script also allows other malware to arrive undetected and gain a hold on personal browser information.
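The defender's handle on this is the process-creation telemetry itself: a browser started by PowerShell with an extension side-loaded from a user-writable folder is the kind of record worth alerting on. The script below is an added example written for this briefing, not Red Canary's detection logic or anything from the ChromeLoader report. It assumes process records in a constructed `timestamp|parent_process|command_line` form, uses Chromium's real `--load-extension` switch as the indicator (that choice is the example's assumption, not something the report states), and treats a handful of user-writable Windows directories as suspicious extension locations.

```python
import re
from dataclasses import dataclass

# Chromium-family browser binaries and the command-line switch that side-loads an
# unpacked extension. --load-extension is a real Chromium switch; treating it as the
# indicator for this scenario is the example's assumption.
BROWSER_RE = re.compile(r'\b(chrome|msedge|chromium)\.exe\b', re.IGNORECASE)
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# User-writable locations that a properly installed extension would not normally live in.
USER_WRITABLE_DIRS = (r'\appdata\local\temp', r'\appdata\roaming', r'\users\public', r'\programdata')

# Constructed sample process-creation records, not telemetry from Red Canary's report.
# Format: timestamp|parent_process|command_line
SAMPLE_LOGS = [
    r'2022-05-26T09:00:01|C:\Windows\explorer.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'2022-05-26T09:05:12|C:\Windows\System32\cmd.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\myext --new-window',
    r'2022-05-26T09:07:44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\alice\AppData\Local\Temp\ext',
    r'2022-05-26T09:09:03|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\ProgramData\x y\ext" --new-window',
]


@dataclass
class Finding:
    line_no: int
    parent: str
    extension_path: str
    reasons: tuple


def analyze(lines):
    """Return a Finding for each browser launch that side-loads an extension
    and was either started by PowerShell or points at a user-writable directory."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split('|', 2)
        if len(parts) != 3:
            continue  # malformed record; skip rather than crash the sweep
        _ts, parent, cmd = parts
        m = LOAD_EXT_RE.search(cmd)
        if not m or not BROWSER_RE.search(cmd):
            continue  # no side-loaded extension, or not a browser launch at all
        path = m.group(1) or m.group(2)  # quoted or unquoted form
        reasons = []
        if parent.lower().endswith('powershell.exe'):
            reasons.append('browser launched by PowerShell')
        if any(d in path.lower() for d in USER_WRITABLE_DIRS):
            reasons.append('extension loaded from user-writable directory')
        if reasons:
            findings.append(Finding(n, parent, path, tuple(reasons)))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOGS):
        print(f'line {f.line_no}: {f.extension_path} ({"; ".join(f.reasons)})')
```

The second sample record, a developer loading an unpacked extension from `C:\dev` out of `cmd.exe`, is deliberately left unflagged: the value of the rule comes from combining the parent process with the extension's location, so that ordinary extension development does not drown out the PowerShell-driven case.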
Conti's ongoing story.
The Conti ransomware gang may have splintered, perhaps acting on the old corporate raider or dissident shareholder premise that a business can "unlock value" by breaking itself up. OODA Loop suggests as much, with its headline "Is the Conti Ransomware Gang Stronger Apart Than Together?" But Conti data dumps have continued. The Record reports that the gang, or a part of it, or a reorganizing successor, has "published all of the data it stole during a January attack on the government servers of Linn County, Oregon."
Ransomware at SpiceJet.
The BBC reports that the Indian airline says it has been able to restore its affected IT systems, and that flights, whose delays had continued into yesterday, are now operating normally. The Loadstar reports, however, that passenger complaints continue and that the disruption also affected the airline's freight unit. The disgruntled passengers are a reminder that corporate communications should play an important role in incident response. CNBC discusses lessons others might learn from the incident, noting that even a partially successful ransomware attempt can have a very bad effect on a business.
CISA's Known Exploited Vulnerabilities Catalog expands, again.
Feds take note. The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday added thirty-four more vulnerabilities to its Known Exploited Vulnerabilities Catalog, bringing the total of new entries this week to seventy-five. US federal civilian executive branch agencies are expected to scan for and fix the vulnerabilities, and to report completion by June 15th.
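CISA publishes the catalog as a machine-readable JSON feed, so "scan for and fix by the due date" reduces to a few simple queries over it: which entries were added this week, which are already past their remediation deadline, and which touch products actually in the asset inventory. The script below is an added example for this briefing, not CISA tooling. It assumes the field names of the public feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) and embeds a constructed three-entry sample with placeholder CVE IDs in place of the live download; none of the thirty-four entries mentioned above appear in it.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs, vendors and products below are placeholders, not real catalog entries.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2022-05-26T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "Example Gateway",
         "vulnerabilityName": "Example Gateway Remote Code Execution Vulnerability",
         "dateAdded": "2022-05-25", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-06-15"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "OtherVendor", "product": "Other Server",
         "vulnerabilityName": "Other Server Privilege Escalation Vulnerability",
         "dateAdded": "2022-05-23", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-06-13"},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "ExampleVendor", "product": "Example Agent",
         "vulnerabilityName": "Example Agent Authentication Bypass Vulnerability",
         "dateAdded": "2022-03-01", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-03-15"},
    ],
})


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def load_catalog(feed_text):
    """Parse the feed and convert the two date fields to date objects."""
    entries = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        e = dict(v)
        e["dateAdded"] = date.fromisoformat(v["dateAdded"])
        e["dueDate"] = date.fromisoformat(v["dueDate"])
        entries.append(e)
    return entries


def added_between(entries, start, end):
    """CVE IDs added to the catalog in [start, end], inclusive."""
    start, end = _as_date(start), _as_date(end)
    return sorted(e["cveID"] for e in entries if start <= e["dateAdded"] <= end)


def overdue(entries, today):
    """CVE IDs whose remediation due date has already passed as of 'today'."""
    today = _as_date(today)
    return sorted(e["cveID"] for e in entries if e["dueDate"] < today)


def match_inventory(entries, inventory):
    """Cross-reference catalog entries against a (vendor, product) asset inventory,
    case-insensitively. Returns {cveID: 'YYYY-MM-DD' due date} for matches."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return {e["cveID"]: e["dueDate"].isoformat() for e in entries
            if (e["vendorProject"].lower(), e["product"].lower()) in wanted}


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_FEED)
    inventory = [("ExampleVendor", "Example Gateway")]  # constructed asset list
    print("added this week:", added_between(cat, "2022-05-23", "2022-05-26"))
    print("already overdue:", overdue(cat, "2022-05-26"))
    for cve, due in match_inventory(cat, inventory).items():
        print(f"{cve} affects an inventoried product; remediate by {due}")
```

Swapping the embedded sample for the downloaded feed is the only change needed to run this against the live catalog; the inventory match is the step that turns a seventy-five-entry list into the handful an organisation actually has to act on before the deadline.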