company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Security Breach

LastPass

loading..
loading..
loading..

LastPass Security Breach UPDATE: What You Need to Know

LastPass security breach now involves unauthorized access to customer vault data from the encrypted storage container containing unencrypted & fully-encrypted d...

23-Dec-2022
5 min read

No content available.

Related Articles

loading..

WhatsApp

esurgence of Star Blizzard underscores their adaptability. Despite disruptions i...

A new wave of spear-phishing attacks by the Russian nation-state actor *Star Blizzard* has emerged, targeting WhatsApp accounts of individuals in high-stakes sectors such as government, diplomacy, defense policy, international relations, and Ukraine aid organizations. This campaign, observed in mid-November 2024, underscores the adaptability of cyber threats in a volatile geopolitical landscape. ### **WhatsApp Phishing via Fake Invitations** According to a Microsoft Threat Intelligence report, the attack begins with emails impersonating U.S. government officials. The emails offer an invitation to join a WhatsApp group allegedly dedicated to supporting non-governmental initiatives for Ukraine. The emails include a deliberately broken QR code to encourage recipients to reply and request an alternative link. Respondents are sent a follow-up email containing a *‘t.ly’* shortened link that redirects them to a fake WhatsApp invitation webpage. On this fraudulent page, a new QR code prompts victims to unknowingly link their WhatsApp accounts to the attacker’s device. _“This tactic allows Star Blizzard to access the victim's WhatsApp messages and export them using existing browser plugins designed for WhatsApp Web,”_ Microsoft explained. ### **Why This Campaign Matters** Experts say this operation marks a tactical shift for *Star Blizzard* following a significant disruption in October 2024, when Microsoft and the U.S. Department of Justice seized over 180 domains linked to the group. _“The fact that Star Blizzard pivoted so quickly to exploit social engineering tactics demonstrates how resilient these groups are in the face of countermeasures,”_ said **Lila Martinez**, a cybersecurity analyst at ThreatLens. “It’s no longer just about malware—these attackers are weaponizing trust and human error.” This campaign's implications are profound, particularly for organizations supporting Ukraine during an already fragile geopolitical conflict. Compromised communications could sabotage aid coordination, undermine diplomatic negotiations, or leak sensitive policy discussions. ### **Geopolitical Conflict or Context** The attack coincides with heightened tensions between Russia and Western allies, particularly regarding support for Ukraine. Analysts believe this phishing campaign is part of a larger cyber strategy aimed at destabilizing opposition efforts while advancing Russian interests. _“This isn’t an isolated incident. It’s part of an ongoing effort to exploit vulnerabilities in international aid and diplomacy,”_ noted **Dr. Elena Novikov**, a specialist in cyber warfare at the European Security Institute. ### **Meta Responds** When contacted for comment, WhatsApp’s parent company Meta assured users of their commitment to security. _“We encourage all users to verify the legitimacy of messages and links, especially those involving sensitive topics. Regularly checking linked devices and enabling two-factor authentication are key to staying protected,”_ a Meta spokesperson said. ### **How to Stay Safe** To safeguard against such phishing attacks, cybersecurity experts recommend: 1. **Verify communication sources**: Be wary of unsolicited invitations, especially from unfamiliar contacts. 2. **Check linked devices**: Regularly review the devices connected to your WhatsApp account under the *"Linked devices"* section and remove unauthorized ones. 3. **Enable two-factor authentication**: This adds an extra layer of protection to your account. 4. **Avoid clicking on suspicious links**: Always verify URLs and use trusted sources to access applications or join groups. ### **Looking Ahead** The sophistication of *Star Blizzard’s* campaign reflects the persistent threat posed by state-sponsored cyber actors. As governments and tech companies race to counter such attacks, the responsibility also falls on individuals and organizations to remain vigilant and prioritize cybersecurity practices.

loading..   20-Jan-2025
loading..   3 min read
loading..

UEBI

A flaw exposing UEFI Secure Boot vulnerabilities. Learn how attackers exploit it...

Researchers have identified an exceptionally critical vulnerability, CVE-2024-7344, that undermines UEFI Secure Boot, a cornerstone security mechanism designed to ensure the integrity of the system boot process. This vulnerability enables malicious code execution during the boot sequence, even when Secure Boot is active, jeopardizing countless modern systems' security posture. The impacted systems span a broad spectrum of UEFI-based devices, significantly elevating the risks of deploying UEFI bootkits such as Bootkitty or BlackLotus. The ramifications of this discovery are profound. Secure Boot, integral to protecting the boot chain, becomes ineffective when exploited, leading to unauthorized code execution. This raises severe security concerns across industries relying on UEFI-based devices, as attackers can compromise systems without triggering conventional security mechanisms. ### In-Depth Analysis of CVE-2024-7344 #### Vulnerability Context The vulnerability emanates from a defective UEFI application, signed by Microsoft’s widely trusted Microsoft Corporation UEFI CA 2011 certificate. This enables attackers to circumvent Secure Boot by executing unsigned binaries during startup. The vulnerability affects multiple recovery software suites, including but not limited to: - **Howyar SysReturn** (versions prior to 10.2.023\_20240919) - **Greenware GreenGuard** (versions prior to 10.2.023-20240927) - **Radix SmartRecovery** (versions prior to 11.2.023-20240927) - **Sanfong EZ-back System** (versions prior to 10.3.024-20241127) - **WASAY eRecoveryRX** (versions prior to 8.4.022-20241127) - **CES NeoImpact** (versions prior to 10.1.024-20241127) - **SignalComputer HDD King** (versions prior to 10.3.021-20241127) #### Root Cause and Technical Insights The crux of the vulnerability lies in the usage of a custom PE loader, bypassing standard UEFI functions such as `LoadImage` and `StartImage`. This flawed implementation allows the execution of unsigned UEFI binaries from a specifically crafted file named `cloak.dat`, rendering Secure Boot policies ineffective. #### Exploitation Mechanism Meticulous investigation revealed that the `cloak.dat` file, part of the vulnerable recovery software, contains an encrypted UEFI binary. Instead of leveraging UEFI’s integrity checks, the custom loader decrypts and executes the binary directly. The steps to exploit this vulnerability include: 1. **Replacing the Bootloader**: Attackers substitute the system’s default bootloader with the compromised `reloader.efi` binary. 2. **Deploying Malicious Payloads**: A crafted `cloak.dat` file containing unsigned binaries is placed on the EFI System Partition (ESP). 3. **Executing the Payload**: Upon reboot, the malicious binary executes without adherence to Secure Boot policies. The attack requires elevated privileges (e.g., local administrator rights on Windows or root access on Linux) but is feasible across systems trusting Microsoft’s third-party UEFI certificate. ### UEFI Secure Boot: A Comprehensive Overview UEFI Secure Boot ensures the integrity of the boot process by validating binaries against two key databases: 1. **db**: Lists trusted certificates and hashes authorized for execution. 2. **dbx**: Enumerates revoked certificates and hashes, explicitly forbidding their execution. Most UEFI devices ship with Microsoft’s certificates preloaded to maintain compatibility with major operating systems. However, this reliance on Microsoft centralizes control over boot security, exposing potential systemic vulnerabilities when these certificates are compromised. ### Coordinated Disclosure and Remediation Timeline The responsible disclosure process ensured swift vendor responses and mitigation measures. Key milestones include: - **2024-07-08**: Discovery of the vulnerability by researchers. - **2024-07-09**: Reporting to CERT Coordination Center (CERT/CC). - **2024-08-05**: CERT/CC engages affected vendors. - **2024-08-20**: Initial patches reviewed; additional flaws identified. - **2024-09-23**: Disclosure rescheduled to align with remediation timelines. - **2025-01-14**: Vulnerable binaries revoked in Microsoft’s Patch Tuesday update. This coordinated effort underscores the importance of collaboration between researchers, CERTs, and vendors in addressing security threats efficiently. ### Mitigation Strategies and Detection Mechanisms #### Applying UEFI Revocations Users are strongly advised to update their systems with the latest UEFI revocations from Microsoft. Verification steps include: **Windows Systems**: ```powershell [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011' [BitConverter]::ToString((Get-SecureBootUEFI dbx).bytes) -replace '-' -match 'cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48' ``` **Linux Systems**: ```bash dbxtool --list | grep 'cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48' ``` #### Strengthening UEFI Configurations 1. **Customized Secure Boot Policies**: Tailor Secure Boot settings to restrict unauthorized access. 2. **EFI Partition Protections**: Limit access to the EFI System Partition through managed permissions. 3. **Remote Attestation**: Leverage TPM for remote validation of boot configurations. ### Implications and Recommendations CVE-2024-7344 exemplifies systemic vulnerabilities in the UEFI ecosystem, driven by opaque third-party signing processes. To enhance security, stakeholders must advocate for greater transparency and stringent review protocols in UEFI application signing. Microsoft’s upcoming UEFI certificate updates provide a pivotal opportunity to address these challenges. For detailed inquiries, contact [threatintel@researchteam.com](mailto\:threatintel@researchteam.com) or visit [Threat Intelligence page](https://www.researchteam.com).

loading..   18-Jan-2025
loading..   4 min read
loading..

Extortion

Explore the PowerSchool data breach affecting millions of students and teachers....

The education technology sector experienced a major setback as PowerSchool, a leading provider of school records software, suffered a cyberattack compromising the personal data of millions of students and teachers. The breach, occurring in December, has raised concerns about data security and privacy within K-12 school systems across the United States, particularly due to its vast scale and the historical depth of the compromised data. Unlike many cyberattacks, this incident affected records spanning over a decade, exposing systemic vulnerabilities in how educational data is stored and protected. With PowerSchool’s software supporting over 60 million students, the incident has left educational institutions grappling with the fallout. ### Scale of the Breach Sources within affected school districts confirmed that hackers accessed vast troves of sensitive information, including historical data on students and teachers. This information reportedly dates back as far as the 2009-2010 school year for some districts. Compromised data includes names, addresses, Social Security numbers, some medical information, grade data, and other personally identifiable information (PII). A school district representative disclosed, “In our case, the attackers gained access to all historical student and teacher data. This breach extends far beyond current records, affecting anyone whose information has ever been stored in the PowerSchool system.” Logs from some districts revealed that unauthorized access began even earlier than PowerSchool’s official timeline of late December. ### Insufficient Security Measures One major concern highlighted by this incident is the lack of basic cybersecurity measures. According to affected districts, PowerSchool’s compromised system lacked multi-factor authentication (MFA), a critical layer of defense against cyberattacks. Without MFA, attackers could easily use stolen credentials to access sensitive systems, as there were no additional barriers like verification codes or biometric checks to prevent unauthorized logins. This glaring security lapse likely facilitated the breach, allowing hackers to infiltrate and extract data with minimal resistance. While PowerSchool spokesperson Beth Keebler confirmed that the company employs MFA in its operations, she declined to elaborate on its implementation or the specific systems protected. Experts argue that the absence of robust security measures, particularly in systems handling such sensitive information, underscores a systemic vulnerability in the education technology sector. Mark Racine, CEO of RootED Solutions, emphasized in a blog post that this breach affects not only current PowerSchool customers but also former customers, significantly expanding the scale of impacted individuals. ### Affected Districts and Data Exposure Several districts have publicly confirmed the breach’s impact on their data. For instance, the Menlo Park City School District reported unauthorized access to personal details of all current students and staff as well as historical records dating back over a decade. Similarly, the Rancho Santa Fe School District revealed that teachers' login credentials were also compromised, potentially endangering ongoing educational processes. These examples underscore the tangible effects of the breach on both operational and personal levels within the affected communities. The Menlo Park City School District in California revealed that all current and historical data on students and staff had been accessed. Similarly, the Rancho Santa Fe School District reported that the attackers gained access to teachers’ credentials for the PowerSchool system. Other districts are reporting affected student numbers that are four to ten times higher than current enrollment, further highlighting the magnitude of the breach. PowerSchool’s FAQ for customers indicated that while the type of stored data varies by district and state requirements, the breach included significant PII. Despite this, Keebler stated that the company’s ongoing review suggests most affected customers did not have Social Security numbers or medical information exfiltrated. ### PowerSchool’s Response PowerSchool claims to have taken “appropriate steps” to prevent the dissemination of stolen data, asserting that the compromised information has been deleted without further replication. Experts suggest that implementing robust encryption, regular security audits, and advanced access controls like multi-factor authentication could have minimized the risk of such breaches. Furthermore, clear communication about the specific measures taken and evidence supporting the deletion claims would bolster trust among stakeholders. Without such transparency, questions about the effectiveness of PowerSchool’s response are likely to persist. However, the company has not disclosed specific measures taken or provided evidence to support its claim. “While our data review remains ongoing, we have identified the schools and districts whose data was involved and are working to notify impacted individuals,” said Keebler in a statement. PowerSchool declined to publicly share the names of affected districts, adding to frustrations over transparency. ### Larger Implications The breach raises critical questions about the security of sensitive data in educational systems. Legislative changes, such as mandating comprehensive data encryption standards and requiring multi-factor authentication across all edtech platforms, could significantly reduce vulnerabilities. Additionally, implementing stricter data retention policies and ensuring regular compliance audits for educational institutions could help address these security concerns effectively. With more districts relying on technology to manage records, the need for stringent cybersecurity measures has never been greater. Experts advocate for mandatory adoption of practices like MFA, encryption, and regular security audits to protect data. Moreover, this incident highlights the risks of retaining extensive historical data without robust safeguards. School districts must reassess their data retention policies and invest in secure infrastructure to prevent similar breaches in the future.

loading..   17-Jan-2025
loading..   5 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

This website uses cookies to ensure you get the best experience on our website. By continuing on our website, you consent to our use of cookies. To find out more about how we use cookies, please see our Cookies Policy.

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958