Secure Boot undermined by a key leak, Google fixes an email validation bypass in Workspace signups, a new threat actor is going after Selenium testing services, and CrowdStrike says 97% of affected systems are back online. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 29th of July, and this podcast episode is brought to you by no-code automation platform Tines.
In today's top story, more than 800 motherboard models are using a leaked default key for Secure Boot. Firmware security firm Binarly discovered widespread use of the default platform key earlier this year. Binarly says using a default platform key is bad enough, but the key was also accidentally leaked online via a GitHub repository in 2023.
This leak opens the door for threat actors to develop rootkits that can be signed with the platform key and made to look like legitimate firmware and kernel drivers. Binarly says 10 vendors have used the default platform key from BIOS maker American Megatrends in their products. They range from server manufacturers like Supermicro to consumer-grade laptop makers like Dell, HP and Lenovo.
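For defenders, the practical question raised by this story is "which certificate is the platform key on my machines?" The following is an added example, not code from Binarly or from any vendor: it parses the EFI_SIGNATURE_LIST structures that a UEFI PK variable is made of (as Linux exposes them under efivarfs, with a 4-byte attributes prefix), fingerprints each X.509 entry with SHA-256, and compares the result against an allowlist-style set of fingerprints you do not want to see. The untrusted-fingerprint set is a placeholder left empty on purpose, and the sample variable data is constructed with a fake certificate body so the script runs offline; only the two GUIDs and the structure layout come from the UEFI specification.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification: the variable namespace for PK/KEK and the
# signature-type GUID that marks an entry as a DER-encoded X.509 certificate.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVAR_PATH = f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}"

# Placeholder (assumption): SHA-256 fingerprints of certificates that must never be
# the platform key, e.g. a vendor's published test/default PK. Populate this from
# your own vendor advisories; it is deliberately empty here.
UNTRUSTED_PK_FINGERPRINTS: set[str] = set()


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the raw certificate bytes exactly as stored in the variable."""
    return hashlib.sha256(cert_der).hexdigest()


def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures; yield (type GUID, owner GUID, data)."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        body = data[off + 28 + hdr_size:off + list_size]
        # Each entry is a 16-byte SignatureOwner GUID followed by the signature data.
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def is_well_formed(data: bytes) -> bool:
    """True if the whole blob parses as a chain of signature lists."""
    try:
        list(parse_signature_lists(data))
        return True
    except ValueError:
        return False


def pk_fingerprints(var_data: bytes) -> list[tuple[str, str]]:
    """(owner GUID, SHA-256) for every X.509 entry in a PK variable's data."""
    return [(str(owner), fingerprint(sig))
            for sig_type, owner, sig in parse_signature_lists(var_data)
            if sig_type == EFI_CERT_X509_GUID]


def audit_pk(var_data: bytes, untrusted=UNTRUSTED_PK_FINGERPRINTS):
    """Return (all PK fingerprints, the subset that match the untrusted set)."""
    fps = pk_fingerprints(var_data)
    return fps, [fp for _, fp in fps if fp in untrusted]


def read_efivar(path: str = PK_EFIVAR_PATH) -> bytes:
    """efivarfs prefixes each variable with a 32-bit attributes word; drop it."""
    with open(path, "rb") as f:
        return f.read()[4:]


# --- constructed sample data so the audit can run without efivarfs -------------
def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST with an empty SignatureHeader."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


FAKE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-X509-CERTIFICATE"  # constructed
SAMPLE_PK_VAR = build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=0), [FAKE_CERT_DER])


if __name__ == "__main__":
    try:
        data = read_efivar()
    except OSError:
        data = SAMPLE_PK_VAR  # no efivarfs on this host; fall back to the constructed sample
    fps, flagged = audit_pk(data)
    for owner, fp in fps:
        print(f"PK cert owner={owner} sha256={fp}")
    print("FLAGGED: untrusted platform key present" if flagged else "no untrusted PK fingerprint matched")
```

Run it as root on a UEFI Linux host to print the PK fingerprint, then compare that value across a fleet: a platform key shared by machines from unrelated vendors, or one that matches a fingerprint a vendor has published as a test key, is the condition this story describes. The fingerprint is taken over the raw DER bytes rather than a parsed subject name, so no ASN.1 library is needed and a certificate cannot be made to "look" trusted by reusing a subject string.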
In other news, Google has fixed a security flaw that allowed threat actors to register Workspace accounts on domains they didn't own. The bug resided in the Workspace platform email verification process. Attackers abused the bug to sign up to Workspace domains with unrelated email addresses.
The attackers then abused the sign in with Google feature to access accounts associated with that domain on third party services. According to Brian Krebs, the bug has been exploited since June. Google says it detected abuse on a few thousand workspace accounts.
A new threat actor named SeleniumGreed is abusing Selenium software testing servers to gain access to the underlying cloud infrastructure. The attacks target Selenium Grid, a server-based version of the software that allows developers to run tests in parallel across multiple machines. Cloud security firm Wiz says the threat actor is abusing the Selenium WebDriver API to install cryptocurrency miners.
Wiz says the attacks are possible because Selenium Grid ships the API with authentication disabled by default. There are currently more than 17,000 Selenium Grid servers that appear to run unprotected APIs online.
The European Commission has told member states in a private document to curb their spyware operations after a wave of Pegasus and Candiru incidents. The Commission has also told governments that national security can't be used as a universal excuse. The document comes as the EU PEGA Commission has found rampant abuse of spyware in some countries such as Poland, Greece and Hungary.
CrowdStrike CEO George Kurtz says the company has recovered 97% of Windows systems impacted by a recent IT outage. The exec credited the quick turnaround to the development of a new automation recovery technique. In the meantime, Microsoft has also published its own incident report of the CrowdStrike outage. The OS maker has confirmed the security firm's findings that the blue screen of death error was caused by a memory safety bug in the CrowdStrike kernel driver.
The city of Columbus in Ohio says it's working to restore IT systems in the aftermath of a security breach that took place last week. Officials say the outage impacts resident-facing IT services and may take some time to restore. Columbus is the capital of Ohio, the 14th largest city in the US with almost a million residents. The incident is suspected to be another ransomware attack.
A hacker group has leaked the personal information of Israeli athletes competing in the Paris Olympic Games. The data contained names, login credentials, military status and blood test results. A pro-Palestinian group named Zeus published the data in a Telegram channel ahead of the Olympic Games opening ceremony.
Cryptocurrency exchange Gemini has disclosed a data leak after one of its banking partners suffered a security breach. Gemini says a threat actor gained access to one of the bank's internal collaboration tools. The exchange believes the intruder may have had access to transactional data for several days. This includes names as well as bank accounts and routing numbers.
A threat actor has leaked the details of 5.7 million users who registered on acting and modelling job site Explore Talent. The data allegedly comes from a security breach that took place last year. The leak appears to cover more than half of the site's 11 million registered users. The data includes full names, addresses, email addresses and phone numbers.
Two US senators have urged the FTC to investigate carmakers for violations of consumer privacy laws. Senators Ron Wyden and Edward J. Markey say carmakers have used deceptive techniques to trick drivers into sharing car data. The data was sold to insurance companies that used it to increase rates for drivers based on how they drove, even if they had not caused any accidents.
Wyden and Markey say some automakers showed a complete lack of respect for their customers' privacy, selling their driving history for mere pennies. For example, Hyundai sold car data for $0.61 per car, while Honda sold it for $0.26 per car.
Social media company X has added an option to allow training its Grok AI on user data, which is on by default. X took the action without any formal warning, which may be a privacy violation in some countries. The feature can be disabled, but only from the web interface.
A US judge has sentenced a Nigerian man to 12 years and seven months in prison for his role in a cyber scam campaign. Officials say 42-year-old Bamidele Omotosho bought stolen credentials from the former xDedic marketplace and used them to gain access to remote systems. One of Omotosho's victims was the Employees Retirement System of Texas, from where he diverted pension payments.
U.S. prosecutors say Omotosho and his co-conspirators stole more than $2 million.
Security firm Group-IB says that a threat actor named the GXC Team has become one of the largest players on the Spanish-speaking cybercrime scene. The group launched in January 2023 and is known for selling phishing kits, Android malware and AI-powered scam tools. The group's services primarily target Spanish-speaking users, with a focus on phishing Spanish banks and governmental bodies.
Group-IB says GXC members are also involved in the sale of stolen credentials and are also providing programming skills for other groups.
BlackBerry's security team says it found new infrastructure believed to be linked to Indian cyber espionage group SideWinder. Clues in the infrastructure setup suggest the group is targeting ports and maritime facilities located in the Mediterranean Sea and the Indian Ocean. BlackBerry believes the campaign is focused on espionage and intelligence gathering and not destructive attacks.
And finally, Exodus Intelligence has found three major vulnerabilities in Webuzo hosting panels. The issues include an authentication bypass, a command injection vulnerability in the FTP management functionality, and a command injection in the password reset functionality. The first vulnerability can be exploited remotely and allows full server compromise. It received a rating of 10 out of 10 on the CVSS severity scale.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Tines. Find them at tines.com. Thanks for your company.